comp.lang.ada
* Nuclear Reactors & Blackout
From: Robert C. Leif @ 2003-08-15 21:59 UTC (permalink / raw)
  To: Comp. Lang. Ada

According to the US press, the reactors in New York State and other areas
had to be shut down because there was a risk of an incident if the auxiliary
power from the rest of the grid was lost. This approach to hazard analysis
should be named Fail-For-Sure.

Since France and other countries obtain much of their power from nuclear
reactors, it is worthwhile to inquire what if anything they have done to
eliminate Fail-For-Sure? And obviously, does the use of Ada help in
eliminating Fail-For-Sure?

Bob Leif
Robert C. Leif, Ph.D.
Email rleif@rleif.com





^ permalink raw reply	[flat|nested] 20+ messages in thread

* Re: Nuclear Reactors & Blackout
From: Alexander Kopilovitch @ 2003-08-16  1:26 UTC (permalink / raw)


Robert C. Leif wrote:

> According to the US press, the reactors in New York State and other areas
> had to be shut down because there was a risk of an incident if the auxiliary
> power from the rest of the grid was lost.

Well, not exactly shut down, but nuclear plants should be detached from the
damaged part of the power network as quickly as possible. Not because of a lack
of auxiliary power, but because jumps of the power are very dangerous for this
type of electrical plant. So, it was a proper and actually necessary action in
this situation.

> This approach to hazard analysis should be named Fail-For-Sure.

Well, this was not "hazard analysis", it was a mandatory emergency action.
I think that your statement is not just ignorant, but also arrogant.
If I were a terrorist I would dream of you becoming director of a nuclear plant.
You may be a good inventor and a good scientist, but remember that the Chernobyl
story began when a scientist (a physicist, but without significant experience
with real working nuclear plants) was assigned to a commanding position.
He invented his own method and procedure for testing. The result of that
testing immediately became (in)famous worldwide.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Nuclear Reactors & Blackout
From: John R. Strohm @ 2003-08-16  5:35 UTC (permalink / raw)


"Alexander Kopilovitch" <aek@vib.usr.pu.ru> wrote in message
news:e2e5731a.0308151726.371b895f@posting.google.com...
> Robert C. Leif wrote:
>
> > According to the US press, the reactors in New York State and other areas
> > had to be shut down because there was a risk of an incident if the auxiliary
> > power from the rest of the grid was lost.
>
> Well, not exactly shut down, but nuclear plants should be detached from the
> damaged part of the power network as quickly as possible. Not because of lack
> of auxiliary power, but because jumps of the power are very dangerous for this
> type of electrical plants. So, it was proper and actually necessary action in
> this situation.
>
> > This approach to hazard analysis should be named Fail-For-Sure.
>
> Well, this was not "hazard analysis", it was mandatory emergency action.
> I think that your statement is not just ignorant, but also arrogant.
> If I were a terrorist I would dream you become director of a nuclear plant.
> You may be good inventor and good scientist, but remember, that Chernobyl
> story began when scientist (physicist, but without significant experience
> with real working nuclear plants) was assigned to a commanding position.
> He invented his own method and procedure for testing. The result of that
> testing immediately became (in)famous worldwide.

Alexander, with all due respect, this is an oversimplification.

Part of the problem is that the people who designed the Chernobyl reactor
had absolutely impeccable Party credentials, but did not know beans about
reactor safety.  They designed a reactor with a positive void coefficient of
reactivity, which creates a built-in thermal runaway hazard, and thermal
runaway is EXACTLY what happened at Chernobyl.

The Chernobyl design is illegal in the United States of America, for damned
good reason.  Ed Teller, who wrote the law, figured that life would be
simpler for everyone if reactors were simply not capable of thermal runaway
at all.  So all U.S. reactors are required to be designed with a negative
void coefficient of reactivity.

The U.S. has yet to experience anything even remotely resembling a Chernobyl
accident.

If you want more information, do a search on "void coefficient".  Here are a
couple of starters:
http://www.nrc.gov/reading-rm/basic-ref/glossary/void-coefficient-of-reactivity.html
http://www.world-nuclear.org/info/chernobyl/voidcoef.htm






* Re: Nuclear Reactors & Blackout
From: Preben Randhol @ 2003-08-16  9:20 UTC (permalink / raw)


Robert C. Leif wrote:
> According to the US press, the reactors in New York State and other areas
> had to be shut down because there was a risk of an incident if the auxiliary
> power from the rest of the grid was lost. This approach to hazard analysis
> should be named Fail-For-Sure.

I read that it was the irregularity on the power grid which caused them
to shut down to protect themselves?

> Since France and other countries obtain much of their power from nuclear
> reactors, it is worthwhile to inquire what if anything they have done to
> eliminate Fail-For-Sure? And obviously, does the use of Ada help in
> eliminating Fail-For-Sure?

Sorry, don't know. But I thought this wasn't to do with software but rather
hardware and the elements? I think it is a general upgrade of the grid
(and its infrastructure) that is needed?

In Norway we only have hydroelectricity (well, except
for the electricity we have to import during winter). The agency for
electricity in Norway said a blackout of the same magnitude (relative
to the size of the country and population, of course) couldn't happen as
the grid was more decentralised.

I'm more worried about east European nuclear plants and their
maintenance. And of course the heap of rusting Russian nuclear submarines
up in north Russia close to our border.

Preben
-- 
"I think fish is nice, but then I think that rain is wet.
 So who am I to judge."
                 - The Hitch Hiker's Guide to the Galaxy (radioplay)




* Re: Nuclear Reactors & Blackout
From: Dmytry Lavrov @ 2003-08-16 14:10 UTC (permalink / raw)


Is it possible that the blackout was caused by a software bug? (Or was it surely
caused by poor hardware development?)
Strange, but in Europe and Russia there are no such big blackouts (my friend
had 360V in the wall plugs, but it was locally caused by a mistake with cables
;-).

About the nuclear plant:
What, nuclear plants aren't connected through a special buffer device, and
there is really some danger for the plant????????

I'm more worried about other things:
If medical software is as buggy as the USA power network (if not
buggier), i.e. one patient dies on one system per 10 years, one per 3 days if
we have 1000 patients, it's really bad.
Medical software is sometimes coded in C++ (there was a "first man killed by
hackers" story in 1999 (or 2000?). How many patients were killed by
programmers... or more precisely, by the manager that chose C++ for it?)




* Re: Nuclear Reactors & Blackout
From: Ludovic Brenta @ 2003-08-16 14:26 UTC (permalink / raw)



According to the press here in Europe, it is perfectly possible that a
similar blackout, of similar magnitude, occur here.  The cause is not
related to software (i.e. a blackout could occur even with 100%
perfect software).  A blackout would be the result of a number of
factors.

1) Electricity cannot be stored (d'oh!) and therefore, there are
   dispatchers that are on watch 24 hours a day to match supply and
   demand.  These dispatchers are usually country-wide.  Their job is
   to ensure that the production of power is exactly balanced by the
   consumption, and that all electricity produced is properly carried
   over the grid.

2) The high-voltage lines in the grid have limited capacity; they
   overheat if too many amperes go through them (d'oh!). There are
   "fuses" that protect these lines against overheating.

3) All power stations in Europe are interconnected; they are all on
   the same high-voltage grid.  This is done so that if one power
   station fails for one reason or another, other power stations can
   supply more power to make up for it.  One third of Europe's power
   is from nuclear plants, but that's irrelevant.

Thus, if there is a big surge in demand for electricity, some lines in
the grid will shut themselves off in order not to melt down (I mean
the *lines*, not the *power plants*).  The other lines in the grid
will then have to carry the extra power.  They, in turn, run an
increased risk of exceeding their nominal capacity, and may also shut
themselves down.

It would appear that the blackouts in the US were caused by such a
surge in demand (hint: air conditioning devices throughout the US
account for 30% of all electric power consumption).  This was combined
with the fact that the demand in electric power has increased by 30%
in the last 10 years.  And this was further combined with the fact
that very little investment has been made, over the last 10 years, to
increase either the supply capacity of power plants, or the bandwidth
of the grid.  Basically, it's like a giant fuse went off because of
too much demand on the whole system.

I've heard that one power plant went off-line, and that that started
the whole process of quickly overloading the lines from all other
power plants.  Given the situation, I don't think that this is very
important.  I think other blackouts could, indeed *will* happen,
whether or not a power plant goes offline in the future.  It may very
well happen that one day there is just too much demand and too little
supply.  This has happened before in California, albeit to a lesser
scale.

-- 
Ludovic Brenta.




* Re: Nuclear Reactors & Blackout
From: Robert I. Eachus @ 2003-08-16 15:00 UTC (permalink / raw)


Robert C. Leif wrote:
> According to the US press, the reactors in New York State and other areas
> had to be shut down because there was a risk of an incident if the auxiliary
> power from the rest of the grid was lost. This approach to hazard analysis
> should be named Fail-For-Sure.

Yes and no.  The real problem is that the Northeast power grid is a 
collection of separately designed power plants, distribution lines, and 
substations.  It is an emergent property of this system that under high 
load conditions, it becomes an amplifier.  The next transient in the 
system, even if it comes from outside the grid, will get amplified to 
the danger point for connected power stations and even substations. 
These will then blow fuses to protect the equipment from meltdown. 
(Even though the generator casings will probably contain all that once 
rotating, now-molten copper, the generator will be so much scrap.)

For nuclear power plants, the threatened meltdown is of the generators, 
not of the steam supply system.  But once there is no external load, the 
reactor has to be shut down to reduce the amount of heat generated to 
something the cooling system can handle with no generator load.

Couldn't the breakers just interrupt the power for a few milliseconds? 
No, that won't work.  All the firecrackers going off create more 
transients to be amplified by the power grid, and everything disconnects 
from it.  (If you have ever heard one of these breakers blow, it doesn't 
sound like a firecracker.  More like a tank firing a supersonic main gun 
round.)  Eventually, after a few seconds, the reactor could reconnect, 
but by then there is no load connected to the grid anywhere.  The grid 
then has to be reconnected to an "island" with both one or more 
generating stations and a large load.  Then individual substations and 
generating stations can be reconnected in a co-ordinated fashion keeping 
the load balanced with the available power.  It is this balancing act 
that took most of the day that it took to restore power.

The only way to avoid this problem is to keep sufficient "reserve" 
capacity on-line to avoid the instability.  For decades this number has 
been known to be 15%.  But when the Federal government got into the 
power "deregulation" business, they decided that that guideline was too 
conservative.  Guess what, it isn't.  It may be that, with computers in 
charge, 12% is manageable.  In a few months we will probably know what 
the numbers were for New York State.  The problem of course is that a 
10% margin for the grid as a whole can result in some areas with 
negative reserve.  When such an area gets large enough--read New York 
City and suburbs, the local amplification effects can overwhelm the 
balancing effect of reserve capacity elsewhere.

The solution, of course, is to treat the grid as a whole as a system, 
and manage it to keep these areas of amplification from developing.  But 
try and explain to the environmental extremists that those old coal 
burning plants in NYC have to be kept on line in these conditions.  They 
don't actually need to be generating much, if any, power.  It is the 
reserve capacity in terms of generators idling on-line that is needed.

For example, this has never been a problem in Philadelphia, because of 
Conowingo Dam http://www.fieldtrip.com/md/0a457501.htm just a few miles 
down Route 1 from the city.  The dam is used more as a peak load 
facility than base load.  But the fact that it is so close to the city, 
and almost never run at full capacity, keeps the area relatively safe 
from the type of disruption that hit NYC.

I say relatively safe, because when NYC goes, it puts a lot of stress on 
all the surrounding power grids.  In 1965, one area in Northeast 
Philadelphia did lose power for about twenty minutes.  It was too far 
from the moderating influence of Conowingo which is south of the city. 
Incidentally, part of the moderating influence of Conowingo is that it is 
ancient, and the generators and turbines are overbuilt by modern 
standards.  So there is all that rotating inertia on-line.

--
                                                 Robert I. Eachus

"As far as I'm concerned, war always means failure." -- Jacques Chirac, 
President of France
"As far as France is concerned, you're right." -- Rush Limbaugh





* Re: Nuclear Reactors & Blackout
From: Wes Groleau @ 2003-08-16 16:21 UTC (permalink / raw)



> I read that it was the irregularity on the power grid which caused them
> to shut down to protect themselves?

Each section should disconnect from the grid
if the grid threatens to demand from them
more power than they can provide safely.  If they
are a net consumer, and the grid stops providing,
they must shut down if their local demand would
exceed capacity dangerously.

The news reports made it sound like the automation
to implement the above failed.  But who can believe
news reports?  One dingbat for the longest time kept
glibly informing us of the (correct) geographic spread
of the outage and that (not even close) it affected
eleven million people.

How can anyone educated enough to be trusted with a
mike not notice that eleven million is absurd for just
New York, Ottawa, Toronto, and Cleveland alone?





* Re: Nuclear Reactors & Blackout
From: Robert I. Eachus @ 2003-08-16 17:10 UTC (permalink / raw)


Wes Groleau wrote:
> 

> Each section should disconnect from the grid
> if the grid threatens to demand from them
> more power than they can provide safely.  If they
> are a net consumer, and the grid stops providing,
> they must shut down if their local demand would
> exceed capacity dangerously.

No that worked, and the grid fractured into multiple parts.  I was just 
looking at a map of the pieces. (Whoops! Actually for the 1965 blackout: 
http://www.cmpco.com/about/system/blackout.html) Once that happened, as 
you point out, areas that were net consumers of electricity--at the 
moment when it happened were SOL.  This probably did not apply to the 
PJD interconnect (Pennsylvania, New Jersey, and Maryland) because they 
tend to keep most of Conowingo Dam on-line idling to deal with peaking 
problems.  There are probably other regional interconnects that do the 
same.  Conowingo only generates 512 Megawatts, but its generators are 
significantly overbuilt by modern standards and can handle a short 
overload in the multi-gigawatt range.  It had to in the 1965 blackout. 
Before the surges in the interconnects south of New York were balanced 
out, Conowingo exceeded three gigawatts out AND two gigawatts in, but 
each of those peaks was on the order of three or four cycles (1/15th to 
1/20th of a second).

Here is a half decent story on what happened. 
http://www.washingtonpost.com/ac2/wp-dyn/A63438-2003Aug15?language=printer 
  The current thinking is that the trigger was a plant in Michigan.  But 
the important point is that the Lake Erie loop can act as an amplifier 
for transients when heavily loaded.  (Power normally flows east both 
north and south of the lake.  But transients cause phase shifts, and if 
the shifts north and south of the lake are out of synchronization, a lot 
of power flows in a circle.  During the blackout, it flowed first one 
way, then reversed direction...



-- 
"As far as I'm concerned, war always means failure." -- Jacques Chirac, 
President of France
"As far as France is concerned, you're right." -- Rush Limbaugh





* RE: Nuclear Reactors & Blackout
From: Robert C. Leif @ 2003-08-16 17:57 UTC (permalink / raw)
  To: 'Dmytry Lavrov', Comp. Lang. Ada

I instigated one of the few medical software projects in Ada
(www.newportinstruments.com, Ada_Med section; see the last paper,
"The development of software in the Ada language for a midrange hematology
analyzer"). Much to my joy, the software was completed before the hardware.
Having been in this industry, I should note that the greatest virtue of the
use of Ada is that it results in the resignations of the C++ hackers.

I am starting a new instrument in Ada. The C++ code that I have received
from the vendors should NEVER be used in a medical device. The commercial
software for controller board for my servomotor has the interesting feature
that the board can apply the full 10 volts to the servo-amplifier at
startup. This results in the rotor reaching top speed, ca. 3,000 rpm, with a
9 kilogram rotor with no simple means to slowly decelerate it. This is
enough to make one a true believer in Ada!

Bob Leif

Robert C. Leif, Ph.D.
Email rleif@rleif.com


* Re: Nuclear Reactors & Blackout
From: Alexander Kopilovitch @ 2003-08-17  1:58 UTC (permalink / raw)


John R. Strohm wrote:

> > Chernobyl
> > story began when scientist (physist, but without significant experience
> > with real working nuclear plants) was assigned to a commanding position.
> > He invented his owm method and procedure for testing. The result of that
> > testing immediately became (in)famous worldwide.

> ... this is an oversimplification.

Well, I'd not call that an oversimplification, because I did not say (and did not
intend to say) that that single person was THE cause. As usual in catastrophes,
there were several significant factors, and that "testing" was the detonator only.
But that or a similar detonator was necessary for the waiting catastrophe to
actually happen. And I did not intend to describe Chernobyl here or compare against
it; I simply pointed out that detailed knowledge and experience are significant
for making strong technical judgement, and provided an example which shows that
even scientific professionalism in one constituent domain may not be enough
for making such judgements about very complex critical systems.

>Part of the problem is that the people who designed the Chernobyl reactor
>had absolutely impeccable Party credentials, but did not know beans about
>reactor safety.  They designed a reactor with a positive void coefficient of
>reactivity, which creates a built-in thermal runaway hazard, and thermal
>runaway is EXACTLY what happened at Chernobyl.

Well, I heard about this. I did not try to learn those things myself, but I
have no grounds for not believing this theory. I lost interest in the reactor
side of that story when I saw the drawing - the plan of the plant's main building
(where all 4 reactors were located) - so much was I impressed with that
industrial architecture; it was something unbelievable for common sense.

The events overall around that story showed me that there was an omnipresent
sense of relaxation around that doomed plant. You surely overestimate the role
of the vulnerable reactor design in that actual catastrophe. Yes, probably it
may be seen as one of the main factors, but no more.

You probably heard about the Soviet Union's rigid administrative system, so
you should wonder how it could happen that they in Chernobyl and Kiev did not
report to Moscow about the catastrophe. It was another nuclear power plant
(near Smolensk, several hundred kilometers away) that discovered an excess level
of radiation, checked themselves thoroughly, found nothing, and then alerted
Moscow.

Well, there were many other things in this story, perhaps worth telling,
but then we'll go too far off-topic, so I will not continue this way.

> The Chernobyl design is illegal in the United States of America, for damned
> good reason.  Ed Teller, who wrote the law, figured that life would be
> simpler for everyone if reactors were simply not capable of thermal runaway
> at all.  So all U.S. reactors are required to be designed with a negative
> void coefficient of reactivity.

All that may be true, but I want to point out only one thing: that vulnerability
of the reactor was far from enough for a catastrophe, at least in the *working*
general Soviet environment. It was only a potential for a catastrophe.

> The U.S. has yet to experience anything even remotely resembling a Chernobyl
> accident.

I think that no country except former Soviet Union has that precious experience.

> If you want more information, do a search on "void coefficent".  Here are a
> couple of starters:
> http://www.nrc.gov/reading-rm/basic-ref/glossary/void-coefficient-of-reactivity.html
> http://www.world-nuclear.org/info/chernobyl/voidcoef.htm

Thanks, perhaps some day (or night -:) I'll look there.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Nuclear Reactors & Blackout
From: Alexander Kopilovitch @ 2003-08-17  2:30 UTC (permalink / raw)


Robert I. Eachus wrote:

> The only way to avoid this problem is to keep sufficient "reserve" 
> capacity on-line to avoid the instability.  For decades this number has 
> been known to be 15%.  But when the Federal government got into the 
> power "deregulation" business, they decided that that guideline was too 
> conservative.  Guess what, it isn't.

This is just what I fear may happen in Russia in the near future. The whole
Russian electricity system is united now, and the main chief is a political
heavyweight, well-known in Russia as the commander of mass privatization in
1991; and he is now fighting for a somewhat similar "deregulation" of the national
electricity system. The effect may be truly catastrophic, and then (if it actually
happens) may even have serious political consequences - initially internal,
but then worldwide; even the USA will be worried enough if things go this way.



Alexander Kopilovitch                      aek@vib.usr.pu.ru
Saint-Petersburg
Russia




* Re: Nuclear Reactors & Blackout
From: Hyman Rosen @ 2003-08-17  7:23 UTC (permalink / raw)


Robert C. Leif wrote:
> that the board can apply the full 10 volts to the servo-amplifier at
> startup. This results in the rotor reaching top speed, ca. 3,000 rpm, with a
> 9 kilogram rotor with no simple means to slowly decelerate it. This is
> enough to make one a true believer in Ada!

So the board can do this because the software has a coding error?
The program is doing something illegal that allows this to happen?





* Re: Nuclear Reactors & Blackout
From: Dmytry Lavrov @ 2003-08-17 12:21 UTC (permalink / raw)


Ludovic Brenta wrote:
> 
> According to the press here in Europe, it is perfectly possible that a
> similar blackout, of similar magnitude, occur here.  The cause is not
> related to software (i.e. a blackout could occur even with 100%
> perfect software).  A blackout would be the result of a number of
> factors.
> 
> 1) Electricity cannot be stored (d'oh!) and therefore, there are
>    dispatchers that are on watch 24 hours a day to match supply and
>    demand.  These dispatchers are usually country-wide.  Their job is
>    to ensure that the production of power is exactly balanced by the
>    consumption, and that all electricity produced is properly carried
>    over the grid.
> 
> 2) The high-voltage lines in the grid have limited capacity; they
>    overheat if too many amperes go through them (d'oh!). There are
>    "fuses" that protect these lines against overheating.
> 
> 3) All power stations in Europe are interconnected; they are all on
>    the same high-voltage grid.  This is done so that if one power
>    station fails for one reason or another, other power stations can
>    supply more power to make up for it.  One third of Europe's power
>    is from nuclear plants, but that's irrelevant.
> 
> Thus, if there is a big surge in demand for electricity, some lines in
> the grid will shut themselves off in order not to melt down (I mean
> the *lines*, not the *power plants*).  The other lines in the grid
> will then have to carry the extra power.  They, in turn, run an
> increased risk of exceeding their nominal capacity, and may also shut
> themselves down.
> 
> It would appear that the blackouts in the US were caused by such a
> surge in demand (hint: air conditioning devices throughout the US
> account for 30% of all electric power consumption).  This was combined
> with the fact that the demand in electric power has increased by 30%
> in the last 10 years.  And this was further combined with the fact
> that very little investment has been made, over the last 10 years, to
> increase either the supply capacity of power plants, or the bandwidth
> of the grid.  Basically, it's like a giant fuse went off because of
> too much demand on the whole system.
> 
> I've heard that one power plant went off-line, and that that started
> the whole process of quickly overloading the lines from all other
> power plants.  Given the situation, I don't think that this is very
> important.  I think other blackouts could, indeed *will* happen,
> whether or not a power plant goes offline in the future.  It may very
> well happen that one day there is just too much demand and too little
> supply.  This has happened before in California, albeit to a lesser
> scale.
> 
> --
> Ludovic Brenta.

Heh, if the net is overloaded, the SUPPLIES are disconnected???
Why not disconnect some towns to save the network (as in the ex-USSR :-)??
What, is the USA network so simple and based on plants connected in
parallel, working as one plant, and towns in parallel, working as one
consumer? If so, it's simply idiotism.

It is so simple to make a network that is not buggy (by overloading):
let each supply provide energy for the nearest towns (let's call it a
"sector"), and the maximal power of the towns = the power of the supply. When
the supply isn't 100% used, some energy is transmitted to other regions. If
the supply is overloaded by the local towns, it only consumes energy from
other plants. There are buffers between sectors that never overload plants;
they only transmit as much energy as the sector isn't using. And if one
sector is overloaded, when it's overloaded by more than it can get from
other sectors, some non-critical parts of the sector are disconnected, and
the other sectors aren't overloaded. In Russia, there are so many short
circuits a year that we should have blackouts every week if the network
worked the same way as in the USA.

I'm not sure that this blackout was caused only by overloading.

Another reason why the USA shutdown may have been caused:
Storing problems (load-not-in-phase problems):
They're AC lines!
And in an AC line, if one connects a 1000W light bulb, the power transmitted
in the cables is 1000VA.
If one connects a 1000W motor, or a transformer/computer/etc., the power in
the cables may be far higher than 1000VA.
For example, if I connect a capacitor to the wall plug, the power
consumed = 0, and the power needed from the generator/substation <> 0, and
the current in the cable <> 0. I can blow fuses without consumption of energy.
The main problem is that energy IS stored, but for a short time.

Synchronisation/phase problems:
And how are AC lines synchronised?
If they are 100% in phase, there is no current in the lines (cables have
inductance!).

So, to transmit energy, they should be not in phase.
But if they are TOO far out of phase, there is BIG overloading of the lines.

Another synchronisation problem:
many Pulsed Power Supplies are used (e.g. in your computer). There is a
standard for the frequency of the oscillator in a PPS. And, if they all
become synchronised, it will be VERY bad. (I'm not sure if it's possible.)

All these problems may cause a global blackout with "help" from software
bugs.


I have read a book about it, but I forgot how to write the author's
name.. Haily, Heily,, sorry for my poor English,

according to this book, it's caused by heroic idiotic managers (the good
guys in this book) who are overloading plants and lowering the voltage in
the network until the AUTOMATIC SAFETY system stops these idiots!

Dmytry Lavrov.




* RE: Nuclear Reactors & Blackout
  2003-08-17  7:23     ` Hyman Rosen
@ 2003-08-17 19:04       ` Robert C. Leif
  2003-08-18 14:42         ` Hyman Rosen
  0 siblings, 1 reply; 20+ messages in thread
From: Robert C. Leif @ 2003-08-17 19:04 UTC (permalink / raw)
  To: 'Hyman Rosen', comp.lang.ada

I believe that this would be considered a gross design error. I suspect that
it is software.
Bob Leif

Robert C. Leif, Ph.D.
Email rleif@rleif.com

-----Original Message-----
From: Hyman Rosen [mailto:hyrosen@mail.com] 
Sent: Sunday, August 17, 2003 12:23 AM
To: comp.lang.ada@ada.eu.org
Subject: Re: Nuclear Reactors & Blackout

Robert C. Leif wrote:
> that the board can apply the full 10 volts to the servo-amplifier at
> startup. This results in the rotor reaching top speed, ca. 3,000 rpm, with a
> 9 kilogram rotor with no simple means to slowly decelerate it. This is
> enough to make one a true believer in Ada!

So the board can do this because the software has a coding error?
The program is doing something illegal that allows this to happen?






* Re: Nuclear Reactors & Blackout
  2003-08-17 19:04       ` Robert C. Leif
@ 2003-08-18 14:42         ` Hyman Rosen
  2003-08-18 22:36           ` Robert C. Leif
  0 siblings, 1 reply; 20+ messages in thread
From: Hyman Rosen @ 2003-08-18 14:42 UTC (permalink / raw)


Robert C. Leif wrote:
> I believe that this would be considered a gross design error.
> I suspect that it is software.

But then why would a gross design error make you a believer
in Ada? I could understand that if the C++ code was erroneous
you would believe that using Ada would prevent those problems
from occurring, but why would Ada prevent the board from applying
10 volts to a servo-amplifier at startup?





* RE: Nuclear Reactors & Blackout
  2003-08-18 14:42         ` Hyman Rosen
@ 2003-08-18 22:36           ` Robert C. Leif
  2003-08-22  3:15             ` Hyman Rosen
  0 siblings, 1 reply; 20+ messages in thread
From: Robert C. Leif @ 2003-08-18 22:36 UTC (permalink / raw)
  To: 'Hyman Rosen', comp.lang.ada

Since Ada is readable, design errors become more apparent. I should also
note that the average C lover's mentality neither favors clarity nor the
highest levels of safety.

Bob Leif
Robert C. Leif, Ph.D.
Email rleif@rleif.com
-----Original Message-----
From: Hyman Rosen [mailto:hyrosen@mail.com] 
Sent: Monday, August 18, 2003 7:42 AM
To: comp.lang.ada@ada.eu.org
Subject: Re: Nuclear Reactors & Blackout

Robert C. Leif wrote:
> I believe that this would be considered a gross design error.
> I suspect that it is software.

But then why would a gross design error make you a believer
in Ada? I could understand that if the C++ code was erroneous
you would believe that using Ada would prevent those problems
from occurring, but why would Ada prevent the board from applying
10 volts to a servo-amplifier at startup?






* Re: Nuclear Reactors & Blackout
  2003-08-17 12:21     ` Dmytry Lavrov
@ 2003-08-20 20:45       ` Robert I. Eachus
  0 siblings, 0 replies; 20+ messages in thread
From: Robert I. Eachus @ 2003-08-20 20:45 UTC (permalink / raw)


Dmytry Lavrov wrote:

> Heh, if the net is overloaded, the SUPPLIES are disconnected???
> Why not disconnect some towns to save the network (as in the ex-USSR :-)??
> What, is the USA network so simple and based on plants connected in
> parallel, working as one plant, and towns in parallel, working as one
> consumer? If so, it's simply idiotism.
> 
> It is so simple to make a network that is not buggy (by overloading):
> let each supply provide energy for the nearest towns (let's call it a
> "sector"), and the maximal power of the towns = the power of the supply. When
> the supply isn't 100% used, some energy is transmitted to other regions. If
> the supply is overloaded by the local towns, it only consumes energy from
> other plants. There are buffers between sectors that never overload plants;
> they only transmit as much energy as the sector isn't using. And if one
> sector is overloaded, when it's overloaded by more than it can get from
> other sectors, some non-critical parts of the sector are disconnected, and
> the other sectors aren't overloaded. In Russia, there are so many short
> circuits a year that we should have blackouts every week if the network
> worked the same way as in the USA.

I hate to say it, but simple, straightforward, and unworkable.  The 
problem is best described as the distributed properties of the network. 
All of the interactions between generating stations and power 
consumers occur at transmission line speeds. (Which are significantly 
slower than the speed of light in a vacuum, but not enough to help. 
Call it 1/2 to 3/4 c depending on the type of line.)  When you detect an 
overload at a generator, even if you could break a circuit and shed some 
local load, the overload "in the pipe" of the transmission line may be 
enough to burn out the generator.

Of course, if you have studied, or worked with, high voltage power 
transmission, you know that breaking the circuit and making it stick is a 
non-trivial operation. In the 1965 blackout, NYC was drawing 3 Gigawatts 
from the TVA.  This was being distributed over the PJM interconnect, but 
they needed to be able to break the circuit if something like this 
happens.  Imagine a twenty foot high circular tank about 4 feet in 
diameter filled with oil and with baffles and a blowout panel on top. 
(The baffles are designed to catch as much oil as possible while letting 
the gasses and plasma out.)  Through this tank bottom to top pass four 
1/2" by 3" copper bars arranged in a square.  Fill the tank with oil, 
and suspend a 1/2 pound block of C4 in the center of the hollow square, 
about 5 feet from the bottom.  That is your basic 1 Gigawatt breaker. 
(Actually rated at 5,000 amps load at 330 KV.)  There were three of 
these sitting near the border between Pennsylvania and New York State.

One of the power engineering magazines had a picture of one being 
tested, and about a year later, a picture of the actual devices firing. 
(No big trick, they had a TV camera showing these breakers in the PJM 
interconnect control room, and a movie camera triggered when the arming 
circuit blew the breakers.)  I may have told this story before, but I 
lost a bet with my father over the day the blackout would happen, my 
brother was in the pool as well, but we had all picked days that week 
over a month before.  I won't go into all of the details, but ConEd had 
two big nuclear plants down for refueling, a judge had some coal fired 
plants owned by the Transit Authority shut down for pollution reasons, 
and it was the week after daylight savings ended.

So think of the power from Niagara Falls flowing through transmission 
lines to NYC as an express train.  Throwing any breaker along the way 
converts it into a runaway train that is going to destroy whatever it 
dead-ends into.  You have to have something to sacrifice at the end of 
the line, and dead-ending into houses or most commercial loads is going 
to cause disasters. You have to have some breakers like the ones I 
described above that can take the load and terminate it.  The arcing 
lasted for milliseconds, and the total energy quenched was over 100 
times the explosive energy of the C4.  PJM shed load at Conowingo and 
elsewhere until the TVA could back off what they were delivering, and so 
there were no major power failures south of Trenton, NJ.

The instantaneous demand from New York when those breakers went was 3 
million amps.  (Yes, that is an instantaneous demand equivalent to 
several hundred nuclear power plants.  The problem as I said was that 
the Lake Erie Loop can become an amplifier.  The pulse that flowed down 
the line became a peak followed by a trough that reversed voltage.) As 
long as you refuse to run interconnects in or near amplifying states, 
the normal procedures are fine.  But once you have an actively 
amplifying network you are up the creek.

Right now they are looking at three transmission lines in Ohio that shut 
down a couple of hours before the main event as the trigger.  My bet is 
that they will find that those failures set the stage, and the next 
sneeze, even bringing one of those lines back into operation, caused the 
actual event.  The Lake Erie Loop mentioned above consists of 
transmission lines both above and below Lake Erie, and yes, they do form 
a loop.  The direction of power transmission in this loop reversed just 
before the blackout...

-- 
                                        Robert I. Eachus

"As far as I'm concerned, war always means failure." -- Jacques Chirac, 
President of France
"As far as France is concerned, you're right." -- Rush Limbaugh





* Re: Nuclear Reactors & Blackout
  2003-08-18 22:36           ` Robert C. Leif
@ 2003-08-22  3:15             ` Hyman Rosen
  0 siblings, 0 replies; 20+ messages in thread
From: Hyman Rosen @ 2003-08-22  3:15 UTC (permalink / raw)


Robert C. Leif wrote:
> Since Ada is readable, design errors become more apparent.

As we remember from the Ariane 5 discussion, design issues are not
always apparent from reading the code.


> I should also note that, the average C lovers' mentality neither
> favors clarity nor the highest levels of safety.

*Shrug*
Well, you would say that, wouldn't you?





* RE: Nuclear Reactors & Blackout
@ 2003-08-22 11:02 Lionel.DRAGHI
  0 siblings, 0 replies; 20+ messages in thread
From: Lionel.DRAGHI @ 2003-08-22 11:02 UTC (permalink / raw)
  To: comp.lang.ada



| -----Original Message-----
| From: Hyman Rosen [mailto:hyrosen@mail.com]
...
| 
| Robert C. Leif wrote:
| > Since Ada is readable, design errors become more apparent.
| 
| As we remember from the Ariane 5 discussion, design issues are not
| always apparent from reading the code.
| 
Obviously, no programming language can express directly all design decisions
(and even less architecture decisions).
But, as Robert said, since Ada is more readable (and more powerful), it
captures more of those decisions than other programming languages.

-- 
Lionel Draghi


