Comment by _wire_
The Chernobyl power facility disaster was caused by running a test to determine how long power could be maintained with turbine run-down to cool the reactor during an accident under blackout conditions.
The reactor control systems are powered by the reactor itself, but this isn't considered a liability, because once started, such a device is not intended to be stopped; shutdowns are large costly affairs intended to occur rarely for refueling. The reaction is regarded as a force of nature like a running river. But the reactor can be operated in high vs. low power modes. Notably, as a system, the device is most hazardous when transitioning between power modes, especially towards low power mode.
It was expected that in certain emergencies, reactor power would be lowered to the point where steam generator turbine inertia is intended to work like a battery of reserve power used to cool the reactor, but knowing precisely how well this works requires verification. To conduct tests the operators intentionally drove the reactor towards the edge of its low power operational limits, overriding safety protocols and subsystems to create the preconditions of the experiment. Disaster ensued when the operators feared they had lowered power too much, to the brink of an expensive non-routine shutdown, so they goosed it, creating a feedback loop into over power. Operators made a last ditch attempt to control the crisis using the emergency core shutdown system, a mechanism of last resort, but a poorly handled design edge case resulted in the shutdown mechanism creating an enormous power surge which caused the core cooling system to explode: a 3 gigawatt thermal core spiked to 30 gigawatt thermal and the lid blew off, so to speak.
The disaster was directly caused by testing of facilities to handle a theoretical emergency, and would have been avoided if the testing had not been performed.
But beyond this, the test protocol required driving the machine into a hazardous state, leading to the operators' accidental discovery of a tripwire for a catastrophic failure mode that, although it had been a matter of conjecture in contingency planning, was regarded as so unlikely by planners that the needed retrofitting of the emergency shutdown system was deferred. "Off" is the least-desired operational state of the reactor, so making an expensive effort to address a conjecture about a hazard of the system's most unlikely mode of operation was not a high priority.
There's a vague parallel between the Chernobyl disaster and the Pan Am / KLM airport disaster at Tenerife, where a constellation of exceptional conditions led to a collision of two fully loaded 747s. The ostensible cause was an off-by-one error by an arriving flight crew member in counting taxiways, bringing his plane into the path of the other during the other's take-off, and the other assuming that a routine but ambiguous figure of speech on the part of control meant clearance to take off, when actually it just meant control's acknowledgment of the departing captain's statement of readiness to proceed with take-off.
And Titanic will not be forgotten.
In these disasters, everybody was fully engaged and driving into mayhem with everything running according to plan, but under an unlikely confluence of conditions.
Philosophically, a proper plan depends on equality between the conditions of the plan and the execution of events, but paradoxically there's only one place for true equality in the entire universe: in concept. So all plans are at best provisional. This observation could lead to more wonder about the contours of probability gradients in system designs.