Newsgroups: comp.risks
X-issue: 3.80
From: decvax!utzoo!henry@ucbvax.Berkeley.EDU (Henry Spencer)
Date: Tue, 14 Oct 86 17:56:36 edt
To: ucbvax!CSL.SRI.COM!RISKS
Subject: US Navy reactors

> A co-worker of mine who has worked in both the Navy and civilian
> nuclear programs tells me that Navy reactor systems are designed to keep
> humans in the loop. The only thing the automated systems can do without
> a person is 'scram' or shut down the reactor...  Thus, the
> system can't very easily spring surprises on the operators.

A probable contributing factor here is that the US Navy's submarine people
do not trust automation at all in crucial roles.  For example, US subs have
no autopilots, even though they spend most of their time at constant speed
and depth.  They are "flown" manually at all times.  This is not so much a
matter of keeping the operators alert and informed as it is a matter of
complete distrust of complexity and automation in submarines.  This is a
significant constraint on submarine design, in fact.  Modern subs generally
have a fairly symmetrical set of vertical and horizontal fins at the tail.
Looked at from behind, it's a cross shape.  There would be advantages to
using an X shape instead, just shifting the whole cluster 45 degrees:  this
would permit grounding the sub on the bottom without damage to the bottom
fin, and would permit docking against a straight dock without worries about
banging one of the horizontal fins against the dock.  The US Navy does not
think highly of the idea, because it would require a mixing box of some kind
(which could be purely mechanical!) to turn the horizontal and vertical
control inputs into rudder/elevator motion.  That's how deep the distrust of
complexity runs.  I'm not surprised that they have manually-controlled
reactors.

The USN also has an outstanding reactor safety record -- no big accidents,
no serious radiation releases -- with a stable of reactors comparable in
numbers (although not in output) to the entire US nuclear-power industry.
They are very fussy about materials, assembly, and operator training.

				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,decvax,pyramid}!utzoo!henry

   [Intriguing.  I have frequently heard it said -- by Nancy Leveson and
    others -- that the nuclear power technology is so sensitive that they
    feel they cannot afford to use computers!  PGN]


From: decvax!utzoo!henry@ucbvax.Berkeley.EDU (Henry Spencer)
Date: Mon, 20 Oct 86 22:00:42 edt
To: ucbvax!CSL.SRI.COM!RISKS
Subject:  Re: US Navy reactors

Brint Cooper suggests that the USN's excellent reactor safety record might
stem from their deep distrust of automatic equipment.  Personally, I think
the connection is indirect.  It's not at all obvious that manually-run
reactors are safer than partly-automated ones.  Humans are better at coping
with unforeseen situations, *if* they truly understand the equipment they
are controlling.  If they're just being used as organic servomechanisms,
then they are less reliable than automatic equipment, which does not get
tired or bored (when things are going well) or frightened or tense (when
they aren't).  I suspect the USN reactor technicians have a pretty good
understanding of their hardware, given the general atmosphere of great care
surrounding USN reactors.  However, servomechanisms are probably still
safer when the problems have, in fact, been foreseen accurately.  This is
likely to be the case for the majority of problems.

The indirect connection I see is the obvious one:  distrust breeds caution.
Whether or not manually-operated reactors are safer than semiautomated ones,
*any* equipment clearly is going to be safer when elaborate care is taken
in materials, assembly, testing, crew training, and maintenance.  A high-quality
reactor run by carefully-trained humans is clearly safer than a
slipshod one run by rusty machinery.

Eugene Miya notes that there is some doubt about the reactor being blameless
in the loss of the Thresher.  True; I should have noted that.

Steve Woods notes:

> There is another factor to consider here, redundancy [cross-training] ...
> ... these are WARSHIPS, they need to be able to function even
> after suffering SEVERE damage and heavy casualties...

While I tend to agree that cross-training is a good idea, it's actually
not clear that the USN has thought this one through, for submarines in
particular.  It's not obvious to me that there is any likelihood of severe
damage and heavy casualties in a nuclear sub without catastrophic hull
damage as well.  Nuclear subs generally do not have internal pressure
bulkheads, as I recall, because there isn't enough buoyancy reserve for
the sub to survive with a flooded section anyway.  This means that a
serious hull breach is quickly fatal.

				Henry Spencer @ U of Toronto Zoology
				{allegra,ihnp4,decvax,pyramid}!utzoo!henry

