Three Mile Island Memories

theodp writes "Thirty years after the partial nuclear core meltdown at Three Mile Island, Robert Cringely describes the terrible TMI user interface, blaming a confluence of bad design decisions — some made by Congress — for making the accident vastly worse. While computers could be used to monitor the reactor, US law prohibited using computers to directly control nuclear power plants — men would do that. So, when the (one) computer noticed a problem, it would set off audible and visual alarms, and send a problem description to a line printer. Simple, except the computer noticed 700 things wrong in the first few minutes of the TMI accident, causing the one audible alarm to ring continuously until it was shut off as useless. The one visual alarm blinked for days, indicating nothing useful. And the print queue was quickly flooded with 700 error reports followed by thousands of updates and corrections, making it almost instantly hours behind. The operators had to guess at what the problem was."
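The failure mode in the summary, a single serial print queue falling hours behind while the one audible and one visual alarm carry no information, is the same alert-flood problem a modern SOC faces. The following is an added illustration, not code from the article or from any plant system: it constructs a flood of 700 points tripping in the first three minutes followed by thousands of updates, measures how far a first-in-first-out line printer falls behind, and contrasts that with a summary that collapses each point to its latest state, drops cleared points, and orders the rest by severity. All point names (PT-0000 style), the severity scale, and the timings are constructed for the demonstration.

```python
"""Alarm-flood illustration (added example, not from the article or any plant):
a serial first-in-first-out line printer versus a de-duplicated,
severity-ordered alarm summary. Every alarm below is constructed by
make_flood(); point names, severities and timings are invented."""
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Alarm:
    t: float       # seconds since the start of the event
    tag: str       # hypothetical plant point name, e.g. "PT-0042"
    severity: int  # 1 = informational ... 4 = safety-critical (constructed scale)
    state: str     # "ALARM", "UPDATE" or "CLEARED"


def make_flood(n_points: int = 700, n_updates: int = 5000, seed: int = 1) -> List[Alarm]:
    """Constructed event: n_points trip within the first 3 minutes, then
    n_updates corrections and state changes arrive over the following hour."""
    rng = random.Random(seed)
    severity: Dict[str, int] = {
        f"PT-{i:04d}": rng.choice([1, 1, 2, 2, 3, 4]) for i in range(n_points)
    }
    tags = list(severity)
    alarms = [Alarm(rng.uniform(0, 180), tag, sev, "ALARM") for tag, sev in severity.items()]
    for _ in range(n_updates):
        tag = rng.choice(tags)
        alarms.append(Alarm(rng.uniform(180, 3600), tag, severity[tag],
                            rng.choice(["UPDATE", "UPDATE", "CLEARED", "ALARM"])))
    return sorted(alarms, key=lambda a: a.t)


def fifo_max_lag(alarms: List[Alarm], seconds_per_line: float = 2.0) -> float:
    """A single line printer draining the queue in arrival order.
    Returns the worst lag in seconds between an alarm being raised and the
    moment its line finally comes off the printer."""
    done = 0.0   # time the printer finishes its current line
    worst = 0.0
    for a in alarms:
        done = max(done, a.t) + seconds_per_line
        worst = max(worst, done - a.t)
    return worst


def summarize(alarms: List[Alarm], limit: int = 20) -> List[Alarm]:
    """Collapse the flood to one line per point (latest state wins), drop
    points that have cleared, and order by severity so the operator sees the
    worst active conditions first instead of a chronological backlog."""
    latest: Dict[str, Alarm] = {}
    for a in alarms:            # alarms are time-ordered, so the last write is the newest
        latest[a.tag] = a
    active = [a for a in latest.values() if a.state != "CLEARED"]
    active.sort(key=lambda a: (-a.severity, a.t))
    return active[:limit]


if __name__ == "__main__":
    flood = make_flood()
    lag_hours = fifo_max_lag(flood) / 3600
    print(f"{len(flood)} lines queued; the FIFO printer falls {lag_hours:.1f} h behind")
    for a in summarize(flood, 10):
        print(f"sev {a.severity}  {a.tag:8s} {a.state:8s} at t={a.t:7.1f}s")
```

The printer's backlog grows without bound because lines arrive faster than two seconds apart; no amount of paper fixes that, only reducing what is printed does. The summary bounds the operator's view to a fixed number of lines regardless of how many raw events arrive, which is the same reasoning behind deduplicating and ranking alerts before they reach an analyst queue.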
  • by jonbryce ( 703250 ) on Saturday April 04, 2009 @02:11PM (#27459011) Homepage

    A nuclear plant isn't like a gas plant where you can turn off the tap.

    If you have a nuclear reaction that is going out of control, then you have to get it in control. Shutting the plant down would mean you don't have the ability to use things like the control rods to do this.

  • Re:Ugh. (Score:5, Informative)

    by Pinckney ( 1098477 ) on Saturday April 04, 2009 @03:28PM (#27459605)

    Sounds like it was engineered just right. Bean-counters often use "over-engineered" when something is built to withstand the rare but serious malfunctions. Instead, they'd rather things be built to be "good enough" to run fine most of the time. Problem is, a minor issue can become a critical one if you don't build your devices to withstand the rare but serious issues. For example, a failover server setup is 100% overbuilt...until the primary fails.

    But it wasn't engineered this way to secure it against a partial meltdown. It was above average for reactor containment vessels actually in use at that time, and the average containment vessel would have failed. The only reason it was able to withstand it was that it happened to be on the final approach path of a former air force base, and had originally been engineered to withstand a bomber crashing into it.

  • by Crackez ( 605836 ) on Saturday April 04, 2009 @04:33PM (#27459971)

    Elizabethtown College - about 7 miles from TMI as the crow flies (or the wind blows).

    My sister went to school there, and after two and a half semesters there she was diagnosed with thyroid cancer.

    Let's rewind... The morning of the accident people reported a metallic taste in the air. Turns out that of the gas released, radioactive iodine accounted for an estimated "8 - 12% of the total gases released, implying a minimum of 1 million iodine curies". See: TMI Accident.

    I don't believe that people were not harmed by the radioactive release. In fact, stating that it "had little to no effect on the health of people" is a lie. Any arguments based on that lie are faulty.

    I am for nuclear power, and I agree that letting bean counters manage a project like that is the wrong way. I'm in agreement with all of the other people here who think that engineers should be listened to. They are the ones with the knowledge after all...

  • by amori ( 1424659 ) on Saturday April 04, 2009 @04:45PM (#27460047)

    TMI wasn't caused by a computer failure but the accident was made vastly worse by an error of computer design. Specifically, TMI-2 had a terrible user interface.

    See, See. UI is important!!!!

    I'm a nuclear engineer and I think the use of the term UI for the control room is somewhat 'simplistic'. I personally think a major issue was over design in a certain area (redundant alarms), and lack of safety systems that would prevent the core from melting even with a LOCA in place. It was two hours after the shutdown when the fuel melting began at TMI-2. This was a scenario where the operators couldn't understand what was happening. Now from an operator's perspective (who sits in the operator room) you're not looking at a "UI" in the traditional CS sense. Here is an image of a control room. The events leading up to the disaster started on the secondary side (non-core) leading to a LOCA (Loss of Coolant Accident). For those unfamiliar with the term "secondary side": the secondary side of a Nuclear Power Plant is similar to that of any power generating plant, meaning the secondary side does not contain the reactor core.

  • by Bigjeff5 ( 1143585 ) on Saturday April 04, 2009 @08:45PM (#27461631)

    If you think you can just "turn off the tap" at a gas plant, you are sorely mistaken. Pressures start to build when you do that, so if you block the gas off in one section, it will build in another. You've got a lot of systems to kill before you can turn off the gas - the source must go first, then at about the same time pumps pushing the gas along (these may be in the same spot, which makes that easier), then you can kill any processing systems along the way, and then you can close the tap.

    If you DO have to close the tap first (a pipe failure that is leaking gas, for example) you've got to get a relief valve open and start burning your excess until you can get the gas re-routed or the rest of the plant shut down. If you don't, the plant goes bye-bye big-boom style. Where I work I'm about 1/4-1/2 mile from a flow station, and we're still in the blast radius of a catastrophic failure.

    Whereas, as others have pointed out, nuclear power plants do in fact have a 1-button shutoff mechanism that kills the reaction immediately. Then containment is a cinch, if costly.

    The problem was the alarm system + the reporting system was poorly designed, and the errors were of such magnitude that it actually looked like less of a problem than it was, and the operators had no way to confirm what the problem was. In a nutshell.

    Add to that the fact that, since re-starting one of these systems from a cold start (which is what pushing the little red button to cease the reaction would mean) costs millions of dollars, SOP is to try everything you can to fix the problem FIRST, and then, as an absolute last resort, you kill the reaction (or shut down the gas plant, it's the same reasoning). So if the alarm looks like a malfunction in the alarm system, and not in the process, they are certainly not going to shut down the system until the alarm is fixed or they verify the malfunction in the process.

    My question is, where was the redundant alarm system? Shouldn't that be a no-brainer for something with the damage potential of a nuclear plant? I mean, it might not have helped finding the problem, but it might have prompted the decision to shut down much sooner if BOTH alarm systems go out at exactly the same time.

    Mind you, this is based entirely on the comments in this thread and the article summary so some of this may have been covered already. Naturally I would never RTFA.

  • by hawk ( 1151 ) on Saturday April 04, 2009 @10:56PM (#27462339) Journal

    You are aware, of course, that under American and British law, this results in unlimited shareholder liability, aren't you?

    Or are you just parroting ignorant claims about how corporate law and liability works?

    AFAIK, there has *never* been a time or an Anglo-American jurisdiction in which a corporation inadequately capitalized for the business which it is entering does not leave its shareholders liable.

    But then, I'm just an attorney.

    hawk, esq., not offering this as legal advice. If you need that, pay for it, rather than relying on the ignorance posted on Slashdot.
