
Three Mile Island Memories

Posted by Soulskill
from the if-it-ain't-broke,-send-it-through-congress dept.
theodp writes "Thirty years after the partial nuclear core meltdown at Three Mile Island, Robert Cringely describes the terrible TMI user interface, blaming a confluence of bad design decisions — some made by Congress — for making the accident vastly worse. While computers could be used to monitor the reactor, US law prohibited using computers to directly control nuclear power plants — men would do that. So, when the (one) computer noticed a problem, it would set off audible and visual alarms, and send a problem description to a line printer. Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless. The one visual alarm blinked for days, indicating nothing useful. And the print queue was quickly flooded with 700 error reports followed by thousands of updates and corrections, making it almost instantly hours behind. The operators had to guess at what the problem was."
  • Obama's 'new regulatory framework for the 20th century' crowd: Choke on that please.

    • by timeOday (582209)
      So you are advocating unregulated, free-for-all nuclear power? Ha ha, great idea. No doubt the free market will find a nice cheap place to put the nuclear waste, too.
      • Re: (Score:3, Interesting)

        As I tire of pointing out and people never tire of not understanding, lack of regulation does not mean free-for-all, might is right or whatever.

        An unregulated nuclear industry does not mean plants can pour waste in other people's property. Since governments regulate commons they must either take responsibility to ensure they are not destroyed or privatize them to internalize the externalities.

        • Re: (Score:3, Insightful)

          by timeOday (582209)
          Maybe they do understand but don't agree. Privatizing land is no way to protect it from toxic or nuclear waste. Ownership of land is a handy legal contrivance, but let's not take it too far. There is a finite amount of Earth for all the people that have lived, live now, and will ever live. Individuals live relatively briefly and have no right to carelessly dump nuclear waste that will far outlive them, regardless of some piece of paper. Ultimately our right to bury nuclear waste comes from exercising di
      • Re: (Score:3, Interesting)

        by hawk (1151)

        to adapt a suggestion given by a libertarian acquaintance years ago . . .

        Never mind government regulation. Require a half-trillion dollar liability policy. The insurance company will regulate far tighter and more effectively than the government.

        hawk, who isn't advocating this, but finds it an interesting proposal

  • by tomhudson (43916) <barbara.hudson@NOSpAM.barbara-hudson.com> on Saturday April 04, 2009 @12:28PM (#27458667) Journal

    700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless. The one visual alarm blinked for days, indicating nothing useful. And the print queue was quickly flooded with 700 error reports followed by thousands of updates and corrections, making it almost instantly hours behind. The operators had to guess at what the problem was."

    So the problem with Three Mile Island (TMI) was Too Much Information (TMI). But I didn't read the article, as that would have been TMI.

    • by Mashiki (184564)

      So the problem with Three Mile Island (TMI) was Too Much Information (TMI). But I didn't read the article, as that would have been TMI.

      Sounds much closer to a breach of the KISS protocol.

  • by Virak (897071)

    And because of this insignificant little incident that killed nobody, and had little to no effect on the health of people near it, nuclear power, a safe, clean, mature power generation technology, was (and continues to be) drastically set back. It's stuff like this that makes me worried that humanity as a whole will be just too incredibly stupid to make it through this century without killing ourselves in one of many ways.

    • by LWATCDR (28044)

      True and it made a so so movie a smash hit and convinced millions of people that a work of fiction was a documentary.

    • Re: (Score:3, Interesting)

      by Jonner (189691)

      If you read the article, you'd realize it was a very significant wake up call. Death was narrowly avoided because the reactor containment vessel was over-engineered compared to the typical design. The tragedy is that the lesson the public learned was that nuclear power was too dangerous to use at all, when the reality was that it was poorly designed and mismanaged.

      • Death was narrowly avoided because the reactor containment vessel was over-engineered

        Sounds like it was engineered just right. Bean-counters often use "over-engineered" when something is built to withstand the rare but serious malfunctions. Instead, they'd rather things be built to be "good enough" to run fine most of the time. Problem is, a minor issue can become a critical one if you don't build your devices to withstand the rare but serious issues.

        For example, a failover server setup is 100% overbu

        • Re:Ugh. (Score:5, Informative)

          by Pinckney (1098477) on Saturday April 04, 2009 @02:28PM (#27459605)

          Sounds like it was engineered just right. Bean-counters often use "over-engineered" when something is built to withstand the rare but serious malfunctions. Instead, they'd rather things be built to be "good enough" to run fine most of the time. Problem is, a minor issue can become a critical one if you don't build your devices to withstand the rare but serious issues. For example, a failover server setup is 100% overbuilt...until the primary fails.

          But it wasn't engineered this way to secure it against a partial meltdown. It was above average for reactor containment vessels actually in use at that time, and the average containment vessel would have failed. The only reason it was able to withstand it was that it happened to be on the final approach path of a former airforce base, and had originally been engineered to withstand a bomber crashing into it.

    • by aengblom (123492)

      Honestly, I thought Cringely's decision to try and tie TMI to the current financial crisis was a bit of a stretch, but it applies perfectly here. TMI officials took a huge risk [coulda wiped out a bunch of the Northeast] and only avoided catastrophe because of luck (the reactor had a stronger than normal containment vessel.)

      Wall Street basically did the same the mortgage boom -- they just lost the bet. Now we're all paying.

      Where both failed was properly planning for what happened when something really went wr

    • And because of this insignificant little incident that killed nobody...a safe, clean, mature power generation technology, was (and continues to be) drastically set back.

      Technology is more than the machine.

      If you don't know what is going on and you are clearly not in control your system has failed - catastrophically.

      The TMI cleanup started in August 1979 and officially ended in December 1993, having cost around US$975 million. From 1985 to 1990 almost 100 tons of radioactive fuel were removed from the si

      • by timeOday (582209)

        A ten year - billion-dollar - clean-up can't be described as insignificant.

        Coincidentally, a billion dollars is almost exactly the value of the oil burned by the US every single day, at $50/barrel.

    • There was a partial core meltdown. That, no matter how you choose to define it, it NOT insignificant.

  • Three-Mile Island (Score:4, Insightful)

    by blind biker (1066130) on Saturday April 04, 2009 @12:38PM (#27458747) Journal

    Never has the gravity of an accident (of any kind) been so exaggerated. Before or after.

    • by Zancarius (414244)

      Never has the gravity of an accident (of any kind) been so exaggerated. Before or after.

      Yes, exactly. Three Mile Island was used for years by the environmentalists to "prove" that nuclear power was unsafe, and effectively consisted of a bomb just waiting to go off. If they wanted a disaster, they should examine Chernobyl.

      Granted, we learned much about what worked--and what didn't--but I should think that Three Mile Island ought to be praised as successful! It averted creating a much worse disaster with cons

  • Like the old saying goes... Never send a man to do a machine's job.
  • While computers could be used to monitor the reactor, US law prohibited using computers to directly control nuclear power plants -- men would do that.

    Given the state of automated control back in those days, that's not really a bad policy. Even today, aircraft autopilots (triply redundant) are not reliable enough so that Boeing requires that pilots must be able to disconnect them and fly manually.

    Granted, UIs have improved immensely since mid 1960's technology. The 700 alarm problem is easily mitigated with modern SCADA systems that can distill such volumes of data and pinpoint a few possible root causes. But I don't think you'd want to automate
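The failure mode in the story summary (700 alarms, then thousands of updates and corrections, swamping one printer queue until the operators were guessing) and the distillation the comment above attributes to modern SCADA systems, as an added example that is not from the thread, from Cringely's article, or from any plant's software; the log format, tag names, severities and thresholds are constructed for illustration:

```python
"""Collapse an alarm flood into the few active conditions an operator needs
to see. Constructed example: log format, tag names and thresholds are
hypothetical, not any real plant's or SCADA product's."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed alarm log, one message per line:
#   "<seconds> <subsystem>/<tag> <severity> <state>"
# A tag may be raised (ALARM), corrected (UPDATE) and cleared (CLEAR) many
# times; the raw message count is what swamps a single printer queue.
SAMPLE_LOG = """\
0 feedwater/PUMP_A_TRIP CRIT ALARM
0 turbine/MAIN_TRIP CRIT ALARM
1 pressurizer/PORV_OPEN_CMD INFO ALARM
1 pressurizer/PRESS_HI WARN ALARM
2 pressurizer/PRESS_HI WARN UPDATE
3 pressurizer/PRESS_HI WARN UPDATE
3 steamgen/LEVEL_LO WARN ALARM
4 steamgen/LEVEL_LO WARN UPDATE
5 steamgen/LEVEL_LO WARN CLEAR
6 containment/SUMP_LEVEL_HI WARN ALARM
7 pressurizer/PRESS_HI WARN UPDATE
8 containment/DRAIN_TANK_TEMP_HI WARN ALARM
9 containment/DRAIN_TANK_TEMP_HI WARN UPDATE
9 pressurizer/PRESS_HI WARN CLEAR
10 pressurizer/PRESS_LO CRIT ALARM
"""

SEVERITY_RANK = {"CRIT": 3, "WARN": 2, "INFO": 1}
STATES = ("ALARM", "UPDATE", "CLEAR")


@dataclass
class Event:
    t: int
    tag: str
    severity: str
    state: str


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format, rejecting malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = line.split()
        if len(f) != 4 or f[2] not in SEVERITY_RANK or f[3] not in STATES:
            raise ValueError(f"malformed alarm line: {line!r}")
        events.append(Event(int(f[0]), f[1], f[2], f[3]))
    return sorted(events, key=lambda e: e.t)  # stable: file order kept per second


def summarize(events: List[Event], window_s: int = 10, flood_threshold: int = 8,
              top_n: int = 3, min_rank: int = 2) -> dict:
    """Reduce raw messages -> distinct tags -> active alarms -> short list.
    If at least flood_threshold messages arrive within window_s seconds,
    only the top_n alarms at or above min_rank are shown; the rest are
    returned as suppressed so they can be drilled into, not silently lost."""
    if not events:
        return {"flooding": False, "raw_messages": 0, "distinct_tags": 0,
                "active": 0, "shown": [], "suppressed": []}
    churn = Counter(e.tag for e in events)  # messages per tag
    latest: Dict[str, Event] = {}           # last known state per tag
    first_raised: Dict[str, int] = {}       # start of the current episode
    for e in events:
        if e.state == "ALARM" and (e.tag not in latest or latest[e.tag].state == "CLEAR"):
            first_raised[e.tag] = e.t
        latest[e.tag] = e
    active = [e for e in latest.values() if e.state != "CLEAR"]
    # Highest severity first; within a severity, earliest raised first, since
    # the first alarm out is often nearer the root cause than its followers.
    active.sort(key=lambda e: (-SEVERITY_RANK[e.severity], first_raised.get(e.tag, e.t)))
    burst = sum(1 for e in events if e.t - events[0].t < window_s)
    flooding = burst >= flood_threshold
    shown = ([e for e in active if SEVERITY_RANK[e.severity] >= min_rank][:top_n]
             if flooding else active)
    shown_tags = {e.tag for e in shown}
    return {
        "flooding": flooding,
        "raw_messages": len(events),
        "distinct_tags": len(latest),
        "active": len(active),
        "shown": [(e.tag, e.severity, churn[e.tag]) for e in shown],
        "suppressed": [e.tag for e in active if e.tag not in shown_tags],
    }
```

On the sample, 15 messages collapse to 8 tags, 6 still active, and 3 shown during the flood; the suppressed list keeps the low-severity indications reachable, which matters because severity alone is a poor proxy for relevance when the root cause is a quiet condition.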

    • Even today, aircraft autopilots (triply redundant) are not reliable enough so that Boeing requires that pilots must be able to disconnect them and fly manually.

      Rubbish. Pilots are there because people feel safer. And if the fly-by-wire systems etc. fail, your plane crashes, pilot or no pilot. So you have 2 modes of failure. If the pilot is insisting on flying into the ground and/or software bugs.

      Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

      • by DCstewieG (824956)

        Not really knowing anything about the modern capabilities of auto-pilot systems, I'm curious what you think would have happened with the Hudson River incident if there had been no human pilot around.

      • Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

        I wouldn't, at least not right now. Any machine^H^H^H^H^Hsoftware doing a job is going to be limited by the imagination of the spec writers and developers, and (for trainable systems) by the situations the trainers thought to put the system through.

        I wonder if anybody's built any machines that would have done as well as this guy? [wikipedia.org] Yeah, there's shitty pilots out there, but I'm still a big fan of having a biological "backup" available to override the machines, because (again, right now) they're still better

      • by RudeIota (1131331)

        Commercial pilots are trained to work like a machine. I would be just as happy if they weren't there.

        ... if you happen to know anyone who can design an autopilot system that can account for nearly as many external/environmental variables as a human being -- I would too.

      • by timeOday (582209)
        I tend to agree but look at the recent splash-landing on the Hudson. Computers beat humans' stick-and-rudder skills hands down, but the decision to glide over to the Hudson (instead of ...what? crash-landing in a crowded city, I guess?) saved everybody. You could try to make the statistical argument that other crashes caused by human error outweigh this, but I don't know what the numbers are.

        Anyways, airline pilots will be the last to go, after military recon pilots, bombers, cargo, and finally fighte

    • If you RTFA you would see the point the author makes of how simple nuclear reactors are in comparison to other much more complex automated processes AT THE TIME. Chemical plants, in his example.

      Now you just can't compare automating flight to a nuclear plant. A plane autopilot is orders of magnitude more complex.

      I think the question is: do you really NOT want to automate everything and run the risk of leaving any decision making to a poorly trained or just hungover operator?

      • by PPH (736903)

        Now you just can't compare automating flight to a nuclear plant. A plane autopilot is orders of magnitude more complex.

        Simpler. Been there, done that. Since the early days of 'two crew' flight decks and the requisite automation (757, 767, 747-400). I've also worked around (but not on) nuclear plants and their designers. The physics of a nuke may be simple, but the number of subsystems, alarms and whatnot in a plant is pretty substantial.

  • ... of safety-critical systems, they do things like shut off the engines on a plane in mid-flight due to a sensor malfunction. Damned if you do, damned if you don't.
  • Jimmy Carter (Score:3, Interesting)

    by bgeer (543504) on Saturday April 04, 2009 @12:48PM (#27458839)

    Our President at the time, Jimmy Carter, was also a micro-manager and a former nuclear engineer:

    U.S. Navy reactor operators, the sort who served under Jimmy Carter in the 1950s,

    Is not and never was a nuclear engineer, much less did he command a nuclear sub. He served as an enlisted man on several diesel-electric subs and started, but did not complete, a Naval class in nuclear engineering. He resigned from the Navy (as a lieutenant) before any nuclear subs were commissioned.

    The FEMA guys were just plain stupid.

    NO U

  • Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless.

    ... and the humans chose to ignore it? How is that the computer's fault?

    If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happene

    • by WaXHeLL (452463)

      It's not entirely simple to shut a nuclear plant down... You can't just hit a few keystrokes and the thing turns off.

      And with only one visual alarm, and one audible alarm, you have no clue what is happening.

      • Re: (Score:3, Interesting)

        Don't let Cringely convince you that he actually knows anything about nuclear power plants--those guys had a whole room full of alarms, gauges, meters, etc., giving them a lot of info about the whole plant.

        Shutting down the reactor could probably have been done by the operator within a couple of seconds by flipping a switch. IIRC, though, the automatic safety system shut it down at the beginning of the incident because it detected a situation that warranted it.

      • The emergency shutdown is that simple. It can take a while to get it back on line again however (days, weeks or even longer depending on how many of the emergency shutdown systems are fired) and cost a pretty penny.
      • by DrBuzzo (913503)

        It's not entirely simple to shut a nuclear plant down... You can't just hit a few keystrokes and the thing turns off.

        And with only one visual alarm, and one audible alarm, you have no clue what is happening.

        Actually it's much easier than a few keystrokes. Of course, this was before PCs were so common in a control room anyway, but it's as simple as this: Drop the control rods and the reaction stops.

        No complex procedure needed. No keystrokes. It's called "SCRAM" and it can be done very simply in an emergency.

        Also, there's not just one big alarm. It doesn't work that way. The problem in TMI was they had plenty of gauges and meters but none told them the information they needed to know: The verified

        • Same shit happened in Chernobyl - lack of useful information (and of course knowingly stupid design).

    • Re: (Score:3, Informative)

      by jonbryce (703250)

      A nuclear plant isn't like a gas plant where you can turn off the tap.

      If you have a nuclear reaction that is going out of control, then you have to get it in control. Shutting the plant down would mean you don't have the ability to use things like the control rods to do this.

      • Re: (Score:3, Informative)

        by Bigjeff5 (1143585)

        If you think you can just "turn off the tap" at a gas plant, you are sorely mistaken. Pressures start to build when you do that, so if you block the gas off in one section, it will build in another. You've got a lot of systems to kill before you can turn off the gas - the source must go first, then at about the same time pumps pushing the gas along (these may be in the same spot, which makes that easier), then you can kill any processing systems along the way, and then you can close the tap.

        If you DO have

    • Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless.

      ... and the humans chose to ignore it? How is that the computer's fault?

      Yeah I don't quite get that bit either. And they *did* have an entire room full of monitoring equipment, not just a solitary line printer, so I'm not sure the computer's involvement is as big as Cringlely's making it out to be.

      If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happened due to greed.

      Well, no--the reactor was shut down automatically by the control systems at the outset of the incident. If I recall correctly, they were at near full power when some event caused a main turbine trip and then a reactor shutdown. Because of the sudden removal of steam load, and becau

    • by DrBuzzo (913503)

      If the alarm goes off in a nuclear plant, operating procedure should say: Check briefly if the computer is acting up, and then shut the whole frickin' plant down. Why wasn't it done? Let me guess: It costs a whole bunch of money. So, the accident happened due to greed.

      You have absolutely no idea what you're talking about. "Oh yeah, must be that damn money hungry greed of those damn fat cats who ruin everything."

      The plant WAS SHUT DOWN, Jesus get a clue, genius. The term for an impromptu or emergency shutdown is SCRAM. The control rods drop, fission stops, the reactor is shut down. That's exactly what happened.

      After shutting down the reactor, the fuel rods still are hot, having the residual heat from the reaction. Add to this the heat from the rapid decay of

    • Yea yea, greed causes everything bad. You and the other selfless people living in their mom's basements should be given the wheels of the world.
  • Bleh (Score:5, Interesting)

    by NewbieProgrammerMan (558327) on Saturday April 04, 2009 @12:54PM (#27458877)

    U.S. Navy reactor operators, the sort who served under Jimmy Carter in the 1950s, were selected primarily for their temperament. ... their Navy job--as at TMI--was to follow the manual. All knowledge was inside the book. So knowing the book was everything. Unfortunately knowing the book isn't the same as knowing the reactor.

    No. Just fucking no. There's a significant (and necessary) emphasis on following procedures and getting the books out for any planned change to the plant to make sure you're doing things right. But Cringely makes it sound like nuclear operators are just slightly trained mouth-breathers that only know how to look things up in the book and do what it tells them. I can't speak for the civilian training, but the Navy does NOT do things that way.

    When something goes wrong, they depend on you having enough internalized knowledge about the plant, its controls, and its indicator systems to work out what's going on and (if necessary) do something about it. Once you've got stuff at least marginally under control, *then* you get the books out to check the applicable procedures to make sure you haven't forgotten something, and to figure out how to recover from whatever happened without causing any more problems.

    The Navy puts a lot of effort put into making sure their operators know how and why things work the way they do. They would never have got to the 21st century with the track record they have if all they did was train people to look at the book.

    • No mod points but your comment is insightful. I have worked with 3 ex nuclear sub people, one an engineer officer in the USN, one ditto in the RN, and one seaman officer. They were all trained to the Nth degree to do all the right things automatically, but had enough theory to be able to analyse and develop solutions to novel problems. Ships do not run, and wars are not won, by blind adherence to operating procedures.
  • This is just plain bad design, and not Congress' fault.

    If this alarming system--with the same crappy design--had been "directly connected" to the controls, god knows what would have happened.

    • by DrBuzzo (913503)

      This is just plain bad design, and not Congress' fault.

      If this alarming system--with the same crappy design--had been "directly connected" to the controls, god knows what would have happened.

      No. No. No. The "Alarm system" was connected to the controls, it forced a shutdown. Look, the way this system works is that it is based on the assumption that any error should, when in doubt, trigger a shutdown. It's known as automatic SCRAM. The system is based on a negative condition assumption. In other words, all systems must affirm operation or by default it shuts down.

      An automated shutdown was initiated at TMI. That's not the problem. It is what happened after that. The operators fal

  • by burnin1965 (535071) on Saturday April 04, 2009 @01:11PM (#27459015) Homepage

    Chemical plants were better designed than nuclear power plants in part because Congress did not legislate how the chemical industry designed their plants. But more importantly most chemical firms of that era had CEOs with engineering degrees. They had respect for the technology and the risk of misusing it. But that doesn't make the chemical industry blameless. With the off-shoring of manufacturing a lot of chemical production is now being done in places where there is little respect for the dangers of technology. The chemical industry's TMI was Bhopal. There will be more Bhopals coming because those companies are now being managed by bean counters, not engineers.

    I wasn't there so I can't say Cringely is wrong about the government regulation of nuclear power, however, I have worked in the semiconductor industry which utilizes some of the deadliest chemicals known to man and there are mandated regulations from various government agencies, EPA, OSHA, etc., that result in the controls, interlocks, and containment systems used to make the industry safe. I'm also pretty sure that the issue in Bhopal was more a lack of regulation than a lack of respect for the dangers. There should have been powerful laws and inspectors to shut down the plant before it killed thousands.

    Where we both do agree is on the belief that we can expect more Bhopal and economic melt down events due to bean counter management. Over the past 20 years I've noticed a managerial shift towards a focus on cutting costs and less of a focus on the technology and science behind the manufactured products. In the past two years I've engaged in heated debates with peers and managers over the purpose and focus of engineering resources. It seems that decision makers are forgetting that the core of a technology based manufacturing corporation is the technology, not the cutting of fixed costs by reducing head count, wages, service contracts, etc. Accounting and business management are tools to support the core skills, they are not the core themselves. When accounting and business management undermine the ability of a technology based business to develop and manufacture the core technology of their business you can expect a gradual degradation of the business until it is no longer viable.

  • "Computers! Error! Component Failure! Congress! Unpredictable! etc, etc, etc." Excuses, excuses.

    How hard can it be to monitor the temperature of a nuclear reactor? Apparently, this task is somehow beyond the competence of nuclear plant supervisors for some obscure reason. Blaming regulation is beside the point. A first year undergraduate engineering student would be able to build a reliable temperature monitor.

    • A first year undergraduate engineering student would be able to build a reliable temperature monitor.

      Right. Because there are so many combinations of materials that can withstand temperatures in the thousands of degrees F and the intense neutron flux in a commercial reactor core for any prolonged period. Core status is measured by the temperature of the water entering and leaving the core - the core power can be calculated by how much the water heats up. Safety limits are usually given in terms of power, because the behavior has to be calculated.

    • I'm sorry, you have not the slightest idea what you are talking about. I can assure you that a first year student in engineering would not have the least idea where to start in monitoring temperatures - you need multiple locations - inside a reactor.

      You sir - how good are you on thermocouple alloys that don't mind neutrons and containments which can withstand not only neutrons but variable corrosive conditions at high temperatures? It's not just a matter of sticking a stainless steel jacketed thermocouple i

  • Uh, I think the guy is needlessly cynical. I know a lot of Navy guys that run our nukes and, they do know them inside and out.

  • by DrBuzzo (913503) on Saturday April 04, 2009 @01:29PM (#27459153) Homepage
    This has been called the worst accident in US history. A complete failure of control, whereby the operators were lacking the most important information and had zero situational awareness. The result being a loss of coolant causing the core of the reactor to essentially remain uncooled and exposed, resulting in complete breakdown of the fuel cladding and partial melting of the fuel with loss of fuel integrity.

    The result: One severely damaged reactor vessel, zero deaths, zero injuries, zero homes or businesses destroyed, zero acres of land rendered uninhabitable or severely damaged, zero property claims to the surrounding communities.


    And yet, this is remembered as demonstrating how *unsafe* nuclear energy is.

    If only "disasters" involving coal mines, hydroelectric dams, oil and gas storage facilities and other energy sources could be so merciful.
    • by WidescreenFreak (830043) on Saturday April 04, 2009 @02:36PM (#27459643) Homepage Journal
      God, I wish I had mod points for you.

      I live about 15 miles away from TMI and I have for 20 years. I've never felt unsafe or felt like I was in danger. People seem to enjoy comparing TMI to being a potential Chernobyl, but there's simply no way that the two can even be compared.

      On the other hand, head up to Centralia, PA where the whole town has been demolished because of a fire that has been running through the ignition of a natural coal vein. A fire ignited some coal, and now the whole town has been abandoned, homes have been razed, there are very few buildings to speak of, there are dangerous leaks of carbon monoxide and other lethal gases, the ground has swelled and cracked from the heat, and this fire is expected to last 250 years.

      Now ... how much nuclear power is involved with Centralia? Ummmm.... NONE! A natural resource (accidentally ignited by humans) has destroyed a town completely. Personally, I put Centralia on a higher level of "disaster" than I do TMI.
  • In both cases (Chernobyl and TMI) procedure was violated or nonexistent for what the operators were trying to do. In Chernobyl's case, operational procedure was violated in several instances to conduct a test for which no procedure existed. In TMI's case, procedure was violated in tagging out pumps leading to a problem in which there was no procedure for diagnosis.

    Neither plant would have been "inherently" unsafe or dangerous if operated within their design envelopes under established procedure. Once the hum

    • RBMK was inherently unsafe - a SCRAM operation may never ever produce a reactor explosion and this is what happened. Also, the reactor was operated within the original design envelope (I read the original manual). After the explosion the manual was heavily rewritten.

      • A point about SCRAM on the RBMK - the initial insertion of the SCRAM caused an increase in reactivity - a very bad thing when the reactor had a positive void coefficient and a low delayed neutron fraction at the end of core life.
      • Exactly right, this reactor type is inherently dangerous, and moreover, you can't overcome something inherently dangerous with procedure.

      • by Suzuran (163234)

        But Chernobyl DIDN'T scram.
        They pushed the button for it, but when they did, the reactor was too far gone. The rod channels had warped, and the rods didn't go all the way in - only their graphite tips.

        If they hadn't overheated it to the point of warping the rod channels, the rods would have gone all the way in and the reactor would have scrammed successfully.

        Otherwise, even with the heavy rewriting of the manual, the design would still be unsafe, and they wouldn't still be operating today.

  • I'm not surprised at all that the Three Mile Island breakdown was ultimately caused by government. Legislation tends to have unforeseen effects like this. I'm sure the builders would've loved to put in computer control and this tragedy would've never happened. When, when will we learn, when?

    Government, get out of the way.
