Was SL-1 an accident?
July 22, 2015 2:07 PM
On January 3rd, 1961, three men died when the US Army's SL-1 experimental nuclear reactor melted down. It was the first fatal reactor incident in the US. But was it an accident? Or murder?
What I found fascinating was the description of how the explosion occurred (or was precipitated). I want illustrations.
The guy moved a fuel rod about 2 feet instead of 4 inches and there was an instantaneous explosion? How? Both how does that cause an explosion AND how do you design a thing where that can happen (especially since the rods had been known to stick)?
I really want to know more about this.
posted by Seamus at 2:49 PM on July 22, 2015 [2 favorites]
Unbelievable that they were working with essentially a nonexistent safety margin. And according to the article, they were aware of that fact.
posted by Salvor Hardin at 2:56 PM on July 22, 2015
Having discussed it as a way to destroy the reactor in case of Soviet invasion . . .
So they all knew how to blow it up.
It's a good thing they didn't start using those things all over the place.
posted by Seamus at 3:02 PM on July 22, 2015
> The guy moved a fuel rod about 2 feet instead of 4 inches and there was an instantaneous explosion? How? Both how does that cause an explosion AND how do you design a thing where that can happen (especially since the rods had been known to stick)?
The reactor was in a configuration where pulling one rod out too far would cause it to make power. The rod got pulled out WAY too far, and the nuclear reaction reached a point (prompt critical) where there was no action able to be taken that would have been fast enough to turn it back around. The runaway reaction then turned all or most of the water used to cool the reactor into highly pressurized steam, which was the actual cause of the explosion.
I think it was designed this way because it had to be really small and light to be able to be airlifted.
posted by ArgentCorvid at 3:05 PM on July 22, 2015 [8 favorites]
> Unbelievable that they were working with essentially a nonexistent safety margin.
This article has an interesting angle that I worry is mostly motivated by the "wait, really?" reaction prompted by these kinds of realizations, rather than any really compelling evidence. It just seems inconceivable that we'd be operating a nuclear reactor with so few precautions in place; intentional murder-suicide almost seems like a preferable cause. When I used to teach a class on engineering disasters we'd talk about SL-1 from exactly this angle, as a way to get into redundancy, backup safety systems, user-proof designs, etc...
The "standard" story of SL-1 is that there was no hard upper stop in place on that control rod, so it was possible for it to get stuck, then an operator to pull too hard trying to free it and accidentally overshoot -- any accident like this is going to be fatal before the operator even knows they've been harmed, see e.g. Wikipedia's list of Criticality accidents, especially the "demon core" that got more than one researcher at Los Alamos -- note that, for example, in the event that killed Louis Slotin, he was holding two hemispheres apart, by hand, with a screwdriver. Then he slipped. Considering that as a starting point I don't find the safety equipment (or lack thereof) at SL-1 all that surprising.
posted by range at 3:08 PM on July 22, 2015 [22 favorites]
When I was in high school my physics teacher took my class on a field trip out to the desert to visit the INEL. I remember him telling us this story.
My brother works out there now and likes to tell me that he works in Sector 7G.
posted by bstreep at 3:09 PM on July 22, 2015 [1 favorite]
There is a video the gov't made about the incident.
Haven't watched it yet.
https://archive.org/details/gov.ntis.A13886VNB1
posted by Seamus at 3:11 PM on July 22, 2015
Fun fact, "Was it an accident - or MURDER?" is the only allowed exception to Betteridge's law.
posted by jason_steakums at 3:12 PM on July 22, 2015 [11 favorites]
The Jackson Hole nickname for Idaho Falls is Idiot Flats, just so you know.
posted by Oyéah at 3:21 PM on July 22, 2015 [1 favorite]
The government committed murder whenever it decided to build an operational reactor with control rods that could be totally removed by hand.
posted by Avenger at 3:41 PM on July 22, 2015
> Fun fact, "Was it an accident - or MURDER?" is the only allowed exception to Betteridge's law.
Allowed exception? Or *purportedly* "allowed"?
posted by weston at 3:50 PM on July 22, 2015 [4 favorites]
> Fun fact, "Was it an accident - or MURDER?" is the only allowed exception to Betteridge's law.
No.
Allowed exception? Or *purportedly* "allowed"?
posted by sjswitzer at 3:56 PM on July 22, 2015 [3 favorites]
The SL-1 criticality incident is documented in this endlessly interesting collection of investigations of criticality events from the DOE, on page 97.
"The energy acquired by the water was sufficient to lift the entire reactor vessel some 9 feet before it fell back to its normal position."
It has a bunch of the big Soviet accidents, too.
posted by the Real Dan at 4:26 PM on July 22, 2015 [5 favorites]
> The government committed murder whenever it decided to build an operational reactor with control rods that could be totally removed by hand.
I have little doubt that the risk was identified & then some manager or VP somewhere was found to sign off & accept that risk on behalf of the company. Because if you accept the risk you can't be blamed if the risk event actually occurs.
posted by scalefree at 5:10 PM on July 22, 2015 [1 favorite]
For more death via close contact with radioactive materials, see Tickling the Dragon’s Tail: The Story of the “Demon Core”. (Previously)
posted by larrybob at 5:13 PM on July 22, 2015 [1 favorite]
The list of nuclear accidents on Wikipedia is fun reading. There's a lot of horrible manual accidents. The one I remember best is poor Louis Slotin
> Slotin lowered the upper hemisphere onto the larger lower one, his thumb lodged in a hole in the top. In his other hand was a screwdriver, which he wedged between the two halves to keep them from touching as he attempted to bring the plutonium to a critical state. The men held their breath. And then the screwdriver slipped. The two halves met, and the assembly went supercritical. Slotin stopped the chain reaction by knocking the sphere apart. But in less than a millisecond, deadly gamma and neutron radiation had burst from the assembly. The blue glow lighted the room as the air become momentarily ionized.
The victims were repurposed into an early medical experiment into the lethal effects of massive radiation exposure. "The doctors knew the next two weeks would provide them a unique opportunity."
posted by Nelson at 5:32 PM on July 22, 2015 [3 favorites]
> The guy moved a fuel rod about 2 feet instead of 4 inches and there was an instantaneous explosion? How? Both how does that cause an explosion AND how do you design a thing where that can happen (especially since the rods had been known to stick)?
When the nucleus of a fissionable atom in the reactor fuel, usually Uranium-235, absorbs a neutron, it will fission, releasing energy and one or more new neutrons. These neutrons may also be absorbed by a U-235 nucleus, causing it to fission as well, releasing more neutrons. These neutrons in turn can induce other nuclei to fission as well.
This is the kind of chain reaction that powers nuclear reactors and weapons.
In a reactor you want to be able to control the speed of this chain reaction. To do this there are the control rods that are inserted through the fuel assembly. These control rods contain materials that absorb a lot of neutrons without themselves fissioning.
Inserting these control rods slows the reaction down because there are fewer neutrons available to cause the fuel to fission. Removing them speeds it up; in some configurations, removing a rod too far speeds it up A LOT.
posted by Djinh at 5:58 PM on July 22, 2015 [4 favorites]
Nelson: I remember that on the Blue a while back, which is where I learned about it. Also, didn't he videotape his slow death from radiation, which was then shown to scare people into being safe?
posted by persona au gratin at 6:51 PM on July 22, 2015
> Both how does that cause an explosion AND how do you design a thing where that can happen (especially since the rods had been known to stick)?
Normally, the SL-1 reactor was "single rod safe" -- one rod could be completely removed and the reactor would remain under control. However, the reactor was under maintenance, didn't have all the fuel assemblies in place, and didn't have the normal load of water in place. This left it less stable, and it was no longer single rod safe. The theory of this post was that the guy who pulled the rod *knew* it wasn't and did that intentionally as a murder-suicide, the conventional explanation is that he didn't, that the rod stuck, he pulled too hard to free it, and when he did it the reactor went prompt critical.
This is also why the rods were disengaged from the normal mechanisms and were being reattached, the reactor was being brought back to normal operation. A not often talked about design flaw was that you had to lift the rod up to attach them to the control mechanism, rather than having a control mechanism with enough travel to reach a rod that was fully seated in a hole -- if that was the case, you wouldn't have had someone pulling up on the rod like that, and even in the degraded not-single-rod-safe case here, this accident doesn't happen.
Unfortunately, the way we often learn about how not to do these things is by doing them wrong. This is true in most things -- the number of people we killed learning how to do steam power is staggering, ditto electrical power, ditto airplanes.
posted by eriko at 6:53 PM on July 22, 2015 [14 favorites]
The startup rate is related not only to the amount of reactivity you add (by withdrawing control rods), but also by the reactivity addition rate. Withdrawing a rod quickly will cause a much higher power increase than withdrawing it the same distance slowly. So pulling hard on a sticky rod is a terrible idea, because when it breaks free it's likely to travel farther than you meant, but also much more quickly.
There were design problems with SL-1, but even so, proper operator training and oversight should have prevented this. I refuel submarine reactors, and we sometimes do things that have reactor safety implications. No way would we have a couple of junior operators doing risky reactor servicing operations on a backshift without engineering and management oversight. And the key word is always "stop." We've stopped work, kicked everyone out of the house, notified engineering and management, and had engineers evaluate the effect of an operator letting a chainfall go a couple of clicks in the wrong direction before. Encountering resistance when none was expected? Oh hell no. They were either not trained very well, or under some inappropriate pressure to just get the job done. Sure, the design didn't help either.
posted by ctmf at 7:22 PM on July 22, 2015 [11 favorites]
CTMF (or anyone else that knows about this sort of stuff) is there any reactor design that is actually fail safe, that the worst thing which can happen is that it shuts down?
posted by Joe in Australia at 7:26 PM on July 22, 2015
I'm not a designer. I remember reading things about different designs like the pebble bed reactor that need fewer active safety systems, but I don't know much about them. The thing about that though, is that they mean during operation. Pressurized water reactors are pretty inherently safe during operation too. I have a hard time imagining any energy generation system, not just nuclear, where it's absolutely impossible to be stupid during non-routine maintenance-type ops.
The nice thing is that even though they fucking blew up a reactor, nobody from the general public was significantly harmed. Nuclear's got an amazingly good record in that sense (not to minimize the obvious notable exceptions.)
posted by ctmf at 7:45 PM on July 22, 2015 [3 favorites]
CANDU reactors incorporate a number of passive safety features, but the Gen IV proposals are even better, and pebble bed reactors are potentially self-regulating in breakdown, but the success of the nuclear-is-always-evil-forever-and-ever meme in Western culture means we'll be going back to coal and fracked natural gas for backup to our renewables instead of building a whole generation of plants that could, in concert with renewables, kill off our monstrous carbon emitters in a decade instead of some time in the future.
posted by sonascope at 7:45 PM on July 22, 2015 [12 favorites]
Joe in Australia, there are so many failure states for nuclear reactors that a completely fail-safe design isn't an option. Fail-safe, even in 3rd generation reactors, is only for certain common conditions.
posted by infinitewindow at 7:51 PM on July 22, 2015 [1 favorite]
Idaho National Lab has a pdf copy of Proving the Principle on their publications page (scroll to bottom). It's super-interesting, all the chapters, and it covers SL-1.
I also like Chapter 14, the BORAX experiments where they tried to break the reactors.
posted by ctmf at 7:52 PM on July 22, 2015 [1 favorite]
I love it when a post happens to land in a poster's area of expertise.
posted by indubitable at 7:54 PM on July 22, 2015 [4 favorites]
Something that would be interesting to investigate would be the difference in safety culture in the Army Nuclear Power Program versus what was built in the Navy under Admiral Rickover (and consequently became the model for PWR reactors in civilian service), as the Navy's record for nuclear reactor safety is still unblemished after all these years thanks largely to the original design spec for operating nuclear power in naval vessels.
posted by sonascope at 7:59 PM on July 22, 2015 [1 favorite]
sonascope: absolutely. I think more than anything else, Rickover's principles deserve more credit than any particular plant design. I have a beat-up copy of this speech pinned to my bulletin board at work and refer to it often. I'm not unusual in that.
It costs us a crap ton of money and headache to follow his principles in the short-run, but the bad things it prevents would cost a hell of a lot more.
posted by ctmf at 8:07 PM on July 22, 2015 [6 favorites]
supercritical vs. prompt critical
When uranium or similar nuclear fuels undergo fission, they release neutrons that cause other atoms to fission, etc in a chain reaction. If enough neutrons are produced to sustain or increase the rate of reaction, then it is supercritical.
But only about 99.x% of the neutrons come directly from U-235 fission. These are the prompt neutrons. The remaining small % of neutrons are from the radioactive decay of the fission products. These are called delayed neutrons. The amount of delay depends on the half-life of the particular intermediate decay product, but ranges from milliseconds to minutes.
This distinction between prompt neutrons and delayed neutrons explains the difference between prompt critical and slower supercritical reactions. A prompt critical reaction escalates extremely quickly because it can be sustained with just the prompt neutrons. A non-prompt supercritical reaction is much slower because it requires some of those delayed neutrons.
I learned this all just a couple days ago and it helped my understanding of certain things, like how power stations can manipulate the control rods fast enough to control a nuclear reaction. They do it by staying in that narrow <1% band of supercritical-but-not-prompt-critical fission, where decay half-lives give them enough time to react.
posted by ryanrs at 9:47 PM on July 22, 2015 [2 favorites]
I've been reading the relevant chapters (15 and 16) of the book on the Idaho National Engineering and Environmental Laboratory. They don't discuss any possible motive or go into much theorising about the cause of the incident.
One thing I found interesting was, apparently the rods were beneath the floor: I think the person pulling them would have stood above the rods and pulled them upwards. Most of the action would then come from the large muscles in the back and legs, not the finer muscles of the arm. The rods themselves weren't cylinders; they had an X-shaped cross-section, which was prone to sticking. I can easily imagine that a stuck rod would cause the operator to give a heave, and exert too much force.
posted by Joe in Australia at 1:39 AM on July 23, 2015 [1 favorite]
Speaking of Admiral Rickover and control rods, he had General Electric design and build a reactor that had no control rods. The story is that he believed that a certain defense contractor was overcharging for the control devices that raised and lowered rods. When he complained, the contractor's response was, you'll pay for 'em, 'cause you don't have a reactor without 'em. Rickover went, Oh, really? The result was S7G, the "rodless wonder," and price of the control mechanisms came down.
posted by ogooglebar at 1:45 AM on July 23, 2015 [5 favorites]
> Encountering resistance when none was expected? Oh hell no. They were either not trained very well, or under some inappropriate pressure to just get the job done. Sure, the design didn't help either.
The reason you were trained that way? SL-1. Amongst others, of course, but SL-1 is a big one. "Yes, encountering resistance when you weren't expecting it *is a stop and think moment*, not a *pull harder* moment."
It's also what has led the Navy to its relatively constrained set of reactor designs -- those are the ones they understand the best. They've looked at things like molten salt and molten metal cooled reactors, which offered much superior power density, attractive as *hell* in a submarine, but they don't reach the safety levels that the Navy demands, and so, they're not in a Navy boat.
IIRC, though, the Navy does use highly enriched uranium fuel, which is more dangerous, because that's much easier to go prompt critical. However, they also use PWR; with the right fuel spacing, a PWR is going to have a negative temperature and void coefficient, making them very stable. Which is exactly what the Navy likes, which is why they use PWRs.
> CTMF (or anyone else that knows about this sort of stuff) is there any reactor design that is actually fail safe, that the worst thing which can happen is that it shuts down?
Actually, that's *exactly* what SL-1 did. It had the worst case accident -- a complete power excursion, boiled off the coolant, which left it unmoderated, and the reaction shut down. If it wasn't stable, the reaction would have continued and it would have been a much worse accident. The only reason the three men there were killed is that they were literally standing on top of the reactor when it happened. Far worse is something like the RBMKs at Chernobyl, which when they lost control, went prompt critical and stayed that way until the core disassembled.
The ultimate goal is a reactor that cannot go prompt critical *at all*, and that's the goal of the Generation 3, 3+ and 4 design reactions.
posted by eriko at 3:09 AM on July 23, 2015 [8 favorites]
> The only reason the three men there were killed is that they were literally standing on top of the reactor when it happened.
Good point. Also, both this event and Chernobyl happened when people were deliberately messing around with the system to see what would happen. It sounds as if SL-1 taught US nuclear workers to exhaustively play out the potential consequences of deviating from procedures; I wish the Soviets had adopted the same attitude.
posted by Joe in Australia at 3:38 AM on July 23, 2015
> The reason you were trained that way? SL-1.
I think this is a hugely important and unappreciated factor in how safety, and engineering in general, has improved over time. To reiterate what eriko also said earlier, we have frequently gotten better only after really, horribly screwing up in ways that seem insane in retrospect. Hopefully this isn't too much of a digression but here are just a couple examples of "standard" modern design practice --
* Build with steel, not iron -- countless train disasters (list)
* Design reviews -- Robert Stockton designed the gun that exploded but was also the overseer, fundraiser, captain of the ship, and ultimately could not be overruled or his work reviewed in any meaningful way. The explosion killed the secretary of state, secretary of the navy, and three other people; only luck saved President Tyler.
This list goes on and on and on -- you can trace many, many parts of a standard modern engineering workflow back to some terrible accident that you're trying to avoid repeating.
posted by range at 4:32 AM on July 23, 2015 [6 favorites]
I wish the Soviets had adopted the same attitude.
To be fair, Chernobyl 4 also went haywire when it was operating way out of normal spec -- in particular, it was running at low power and had built up a bunch of reaction poisons, to counter that, they'd pulled the control rods way out to sustain the reactor at the low power it was running at. This left the reactor in a very dangerous state -- if it got away from them, they were basically running with their normal throttles wide open.
When they tried to shut it down, the control rods had basically a spacer at the tip. That meant when they first went in, they actually acted to increase the rate a bit -- and increased it just enough to burn off the reactor poisons. The reactor leapt to full power and beyond, the rods weren't in, the heat rapidly expanded the fuel and jammed the rods, and they were fucked beyond repair -- in microseconds. The reactor design itself had a positive void coefficient, without a moderator, the reactor rate increased, so without the rods or a moderator, it just generated more power, and it ran away. It only stopped when the energy generated literally blew the core apart.*
If they'd left the thing running at either 4GW thermal or 0GW thermal, they'd have been fine, but they were playing with low power tests and rundown tests and other such edge cases that were not well understood and it killed them.
* This, by the way, is why nuclear reactors cannot become nuclear bombs. The normal response to a prompt critical reaction is for the critical mass to separate itself. The trick to a nuclear bomb is you have to jam it together *really quite firmly* so that it will hold itself together for quite a long time while, in a quite literal sense, a nuclear bomb is trying to blow it apart. Note how criticality accidents tend to limit to about 10^17 fissions before they stop.
The first nuclear bombs didn't do a very good job of this and only used a tiny fraction of their fissionable mass in the reaction. The rest of it was scattered. Modern multistage and boosted devices use that to trigger a fusion reaction -- small for boosted, large for multistage -- the neutrons from that fission some or all of the fissionables and they get much bigger explosions.
posted by eriko at 4:32 AM on July 23, 2015 [9 favorites]
I wish I had the fiscal fortitude to open a private CANDU/Pebble-bed reactor and sell both the electricity and the Cobalt-60.
Or shit, just make a Thorium based hot salt reactor, and nothing approaches anything near critical mass. But then you don't get to sell that useful as hell Co60 to local docs. They have to buy it from foreign countries, Argentina IIRC.
posted by Sphinx at 6:11 AM on July 23, 2015
Something that would be interesting to investigate would be the difference in safety culture in the Army Nuclear Power Program versus what was built in the Navy under Admiral Rickover
I've read that very book: Atomic America: How a Deadly Explosion and a Feared Admiral Changed the Course of Nuclear History. I came away from it with the view that Rickover would have been an utter bastard to have in your chain of command, but that the results of his approach speak for themselves in terms of the USN's impressive record regarding reactor safety.
posted by Major Clanger at 6:34 AM on July 23, 2015 [1 favorite]
The reason you were trained that way? SL-1.
Yeah, it's hard to criticize knowing what we know now, something that happened in the early '60s. It annoys me though that I've been hearing about this for 30 years and everyone jumps right on the design exclusively as the problem, when the training program, management, and work control have just as much their share of the blame. The designers were new to this, too. Anyone could have mitigated that if they didn't like it by making them use a geared chainfall so they couldn't move it too fast, and put a chain stop on the fall at the maximum height.
Maybe it's just my "what is *my* contribution in the problem" self-flagellating attitude, another big Rickover principle.
posted by ctmf at 7:40 AM on July 23, 2015 [2 favorites]
Maybe it's just my "what is *my* contribution in the problem" self-flagellating attitude, another big Rickover principle.
One of Rickover's big principle wins was understanding that if you let people admit mistakes and get better, they would. So, letting people own up to them and get better made them better.
In the Apollo era NASA days, this was the way things worked too. After a simulation run, everyone would gather and the SIMSUP would walk them through what they did, and at the moment someone realized they'd screwed up, they'd just say "And I did that, that was a mistake." And they'd look at what led them to that mistake, to see if someone had made a mistake earlier that sent them down the path that led to the final mistake that "killed" the astronauts. They "killed" a whole bunch of astronauts in simulations. LOTS of them. That's why we've killed so few in actual spaceflight -- and still, we've killed them when we ignore the lessons we've learned from this.
Clarifying something that I had to finish up quick because I had to get on a plane. I wrote "Note how criticality accidents tend to limit to about 10^17 fissions before they stop." That's for criticality accidents that are near one critical mass that run for a short time, what they call "around a buck" accidents. A "dollar" is a unit in reactivity, it's the difference between a just critical mass and a prompt critical mass, so "around a buck" is a mass that's big enough to go prompt critical, but just barely. The accidents that go above this number of fissions either involve much larger masses of fissionables, or have very long time scales -- the Japanese accident was only briefly prompt critical, but was critical for 20 hours before they brought it subcritical and ended up with a total in the 10^19 fissions because of that.
Most prompt critical accidents are prompt critical for only a very short time, because the energy release moves enough of the fissionable mass away to make the assembly not prompt critical, and often, not critical at all. Process accidents, where the fissionables are in liquid form, are almost always like this -- the liquid boils and squirts out whatever pipe it came in from. Occasionally, though, you get one that stays critical, like that Japanese accident, or worse, something holds it together for a bit and it stays prompt critical, like the BORAX-1 reactor, which went from 1.4MW to, well, about 190MW before the core finally broke apart. Then the steam explosion blew the entire reactor apart. When you're two orders of magnitude above your rated power, something has gone very wrong indeed. Ask Chernobyl.
But to give you an idea how fast this happened? The core went prompt critical, ran away, dumped 4.7x10^18 fissions into the coolant, then broke apart *before* the steam was able to fracture the reactor vessel.
The good news is that these sorts of accidents have gotten very rare indeed. We understand why they happen, and as long as you follow a few actually simple rules -- don't let too much of the stuff in one place, keep it in long thin things, not short squat things, and DO NOT TAKE SHORTCUTS when working with it -- you can handle it safely. But in the early days, we didn't fully understand that, and people got hurt and killed.
But really, the two biggest factors were using the wrong container (too big and/or wrong shape) and taking shortcuts. But then again, in the absolutely *huge* litany of industrial accidents, how many times have those two factors been in play?
posted by eriko at 8:46 AM on July 23, 2015 [5 favorites]
we'll be going back to coal and fracked natural gas for backup to our renewables instead of building a whole generation of plants
Are you saying that in the next 100 years your uranium investments will be underwater, along with the NYSE? (My main source of solace these days is puns)
posted by RobotVoodooPower at 9:34 AM on July 23, 2015
Did anyone else read the title of the post in the voice of Jack Klugman?
posted by Splunge at 9:37 AM on July 23, 2015
I skimmed briefly and didn't see that anyone had linked this great book, so: Atomic Accidents. Fantastic read, and it covers the way different nuclear plants are configured, how their designs changed as people learned from their accidents, and some of the time, how nothing changed and the same accidents happened multiple times.
posted by fiercecupcake at 10:20 AM on July 23, 2015 [1 favorite]
But really, the two biggest factors were using the wrong container (too big and/or wrong shape) and taking shortcuts
Oh man, yes, this. You will quickly learn in the above book what shapes and sizes of container will predictably lead to Very Bad Things.
posted by fiercecupcake at 10:21 AM on July 23, 2015
Seconding fiercecupcake's recommendation of Atomic Accidents. It's a fascinating read, especially when you get into the accidents of some of the early, exotic reactors like the liquid-metal cooled (!) S1G.
posted by ensign_ricky at 4:11 PM on July 23, 2015
Huh. Hell of a way to manage a murder. Historic, certainly.
Idaho National Lab previously. It looks like the link in that post to "Proving the Principle" is currently dead, though. Looks like ctmf has the new link above.
posted by rmd1023 at 6:41 PM on July 25, 2015
I do wonder if back when the SL-1 was being built, there was a lot less awareness of safety engineering, but maybe also a lot of organizational ignorance at lower levels - perhaps even willful ignorance at higher levels - about the actual risks involved with nuclear materials.
I mean, dead is dead, but were they telling these guys that it's kind of like working with conventional explosives, or were they telling them that a mistake is something that will turn your corpse into toxic material that will be deadly for thousands of years? This is the era when Disney made "Our Friend the Atom", after all.
posted by rmd1023 at 7:04 PM on July 25, 2015
This thread has been archived and is closed to new comments
posted by ogooglebar at 2:41 PM on July 22, 2015 [3 favorites]