- Pub. Date:
Related collections and offers
About the Author
Read an Excerpt
The Nuclear Enterprise
High-Consequence Accidents: How to Enhance Safety and Minimize Risks in Nuclear Weapons and Reactors
By George P. Shultz, Sidney D. Drell
Hoover Institution PressCopyright © 2012 Board of Trustees of the Leland Stanford Junior University
All rights reserved.
Designing and Building Nuclear Weapons to Meet High Safety Standards
SIDNEY D. DRELL
Appendix: Technical Issues of a Nuclear Test Ban
Nuclear Weapon System Safety
Enhanced Nuclear Detonation Safety
Insensitive High Explosive
Reliability of the Nuclear Weapon Stockpile
A Nondevice Component
Reliability Assessment of the Stockpile
The safety record of the United States nuclear weapons enterprise is quite remarkable. We have built, deployed, exercised, and dismantled roughly 70,000 warheads and about 10,000 launchers. During the sixty-plus years since 1950 there have been a number of accidents, including thirty-two acknowledged "Broken Arrow" accidental events leading to losses, disappearances or crashes that involved U.S. nuclear weapons and delivery systems, and could have resulted in serious consequences (see Table 1A.1 in appendix on page 39). The fact that not one single nuclear warhead has directly caused a casualty is quite an achievement. That achievement required a lot of hard work and reflects on the determination of principled people to do the right thing, often against organizational resistance. The next paper will discuss several of the "close-call" safety incidents and the effort led by its author to remedy the problems that caused them. His role is a lesson for all involved in such activities in which failures in safety can lead to devastating consequences.
In thinking about questions of safety in such very high-consequence operations, and what it takes to achieve an excellent safety record, I give highest priority to four criteria. They are, in no particular order:
1. Set the priorities in the proper order.
2. Bring to bear the best available analytical tools to analyze and understand the risks and consequences of failure.
3. Enforce rigorous discipline and accountability at each step in the process.
4. "Red Team" the activities — that is, perform critical reviews by independent technical experts, including exercising systems to the point of failure — with good communication channels up and down the line between management and engineers.
All four of these criteria are critically important.
1. Set the priorities in the proper order.
The nuclear enterprise did not automatically start that way. Initially we did not fully appreciate the impact and the amount of radioactive fallout generated in nuclear explosions above ground in the atmosphere. Based on what was known at the time, the bombs dropped on Hiroshima and Nagasaki in 1945 were detonated at altitudes between 1,500 and 2,000 feet. The military motivation for those detonation altitudes was to maximize the distance away from the aim point at which over-pressures of approximately two to three pounds per square inch would be generated to cause significant structural damage. Such altitudes were high enough to prevent the fireballs from reaching the ground where they would have dug up extensive amounts of debris, mixed with radioactive fission fragments, which would have caused considerably more radiation sickness casualties.
However, during the years following the war, the United States conducted about 200 nuclear weapons tests above ground at the Nevada Test Site (plus about 130 in the Pacific Ocean) that created fallout. This ended with the negotiation of the Limited Test Ban Treaty (LTBT) in 1963, which forbade any nuclear yield testing except underground. In fact, the U.S. Atomic Energy Commission (AEC) found itself with conflicting responsibilities: to create an arsenal of nuclear weapons for the United States against a growing Soviet threat that included nuclear weapons, and at the same time to ensure public safety from the effects of radioactive fallout. The same conundrum faced the AEC with regard to civilian nuclear power generation. It was charged with promoting civilian nuclear power and also with protecting the public.
When it became widely known that these tests were responsible for introducing significant amounts of harmful radioactive elements into the food chain (including iodine and cesium in particular), a strong public reaction resulted. This practice ended with the LTBT in 1963, but its legacy still persists today and challenges the credibility of the U.S. government and, indeed, of many governments in protecting citizens' safety from the effects of nuclear accidents. The nuclear concerns were greatly enhanced by the Castle Bravo test of a U.S. thermonuclear weapon in 1954 at the Bikini Atoll in the Marshall Islands. Its yield of 15 megatons was more than twice the anticipated value, and so was the fallout that was driven in an unintended direction by the change in the wind pattern, causing casualties among the civilian population more than 100 miles downwind.
To summarize, setting the priorities means insisting that the burden of proof rests on proving that the system is safe, rather than being satisfied with lack of evidence that it is unsafe. It was exceedingly difficult to implement such a priority for the stockpile in the chilling environment of the Cold War and within a process that evolved gradually through those years, starting in the 1950s. Modernization and improvement programs for the weapons gave priority to meeting military requirements, such as achieving maximum yield-to-weight ratios for warheads and maximum payloads and ranges for missiles. Safety was, in general, not viewed with quite the same urgency. Moreover, in the earlier years we knew much less and had few analytical tools and limited capabilities for simulation. Fortunately, the priority of safety struggled to the fore in the nuclear weapons enterprise during the 1970s and 1980s, spurred on by the determined commitment of a small cadre of courageous leaders in the weapons labs and enabled by the development of more powerful analytic tools providing critical data.
We are still today working our way through safety challenges that were made more difficult by design decisions before the end of the Cold War that gave higher priority to military requirements. Safety issues for military systems in other nuclear weapon states, which we do not control and about which we are not fully apprised, are of concern in considering the future of the nuclear enterprise. As we were recently reminded all too clearly by the reactor incidents at Fukushima, new initiatives in civilian nuclear power around the world are also cause for concern.
2. Bring to bear the best available analytical tools to analyze and understand the risks and consequences of failure.
This requires performing experiments and acquiring data which provide a basis for understanding how to design weapons that meet attainable goals that we set for limits on the probability of an unintended or accidental detonation and on the maximum acceptable explosive energy released in such an accident.
Modern nuclear weapons in the U.S. arsenal have an array of several thousand technically sophisticated components. Figure 1.1 illustrates what I am talking about. The picture shows an array of the components of one of the bombs designed to be carried on the B-52 and B-2 bombers in our strategic force as well as on a number of aircraft in NATO. It is necessary to understand the warhead electrical system, along with the nuclear package containing the high explosive and the nuclear material, well enough so that a probabilistic risk analysis can be made.
It is widely alleged, and I am aware of no contradictory assertion, that the standard for the maximum acceptable nuclear yield in an unintended detonation was originally set in the 1960s when it was decided to deploy nuclear bombs aboard the U.S. Navy's aircraft carriers. A Navy captain, upon learning that nuclear weapons were to be loaded aboard the carriers in a compartment in proximity to the engineering operations center, asked himself: What if one of the weapons unintentionally or accidentally detonated? How large a nuclear yield would endanger the continued operation of the ship if one of the detonators were triggered by an accident? Detonation of the fifty or so pounds of high explosives could cause serious but acceptable damage to the bulkhead. But the new danger posed by a nuclear bomb is the release of radioactivity once a fission chain reaction is initiated. Given realistic conditions — i.e., the proximity of the weapons storage room to the engineering operations center and the limited radiation shielding of the floors and bulkhead between them — the flux of neutrons produced during the fission would present the greatest hazard.
The captain calculated that, if the fission chain continued long enough to produce an energy equivalent to four or more pounds of TNT, the flux of neutrons into the engineering operations center would approach or exceed the threshold for causing immediate incapacitation of the members of the crew in the room. As a result, the ship would be essentially dead in the water. Fission neutrons are emitted typically with one to two MeV (megavolt) energy, and cannot readily be absorbed by iron or steel walls less than a foot thick. (The large flux of gamma rays emitted during the fission chain is more readily absorbed.) This was accepted as a sensible and practical criterion to design to. As a result, nuclear weapons were designed to ensure that the fission chain will terminate quite prematurely. More precisely stated, the criterion is to not initiate more than about 10 fissions following an accident that triggers a detonator at any one point and that ignites the high explosive in the bomb.
Having established the criterion for safety in terms of its consequences — no nuclear energy release exceeding the equivalent of four pounds of TNT — it is also necessary to set a goal for a limit on the acceptable risk of failure in meeting this standard. Once that standard is set, the challenge is to do the experiments and get the data upon which to base a probabilistic risk assessment.
The standards set by the DOE and DoD can be summarized as follows:
1. The probability of a premature nuclear detonation due to warhead component malfunctions in the absence of any input signal, except for specified monitoring and control ones, shall not exceed:
a. 1 in 109 per warhead lifetime, for normal storage and operational environments
b. 1 in 106 per warhead exposure to abnormal environments prior to receipt of a pre-arm or launch signal, such as a lightning bolt, or due to an accident
It was also specified that this safety shall be inherent in the nuclear system design.
2. The probability of achieving a nuclear yield greater than four pounds TNT equivalent shall not exceed 1 in 106 in the event of an accident that could create two nuclear detonation risks:
a. The high explosive is insulted and detonates at one point, or
b. The firing set is activated because of faults in the electrical system.
These numbers were judged to be achievable in practice. The important question of confidence in achieving them is discussed in Stubbs's paper.
Thirty-five very low-yield experiments were authorized by President Eisenhower and performed "down hole" at Los Alamos during the 1958–1961 moratorium with the Soviet Union on nuclear testing. They were designed to slowly creep up to producing no more than several ounces of TNT equivalent yield. What we learned from these measurements helped to identify the so-called one-point safety problems associated with some of the nuclear weapons systems of that time. The need for remedial action was demonstrated and, following the end of that moratorium, those issues began to be addressed systematically. Further confidence in being able to achieve these standards for one-point detonation has been gained from a continuing program of experiments and, in particular, advanced simulations with supercomputers doing high-fidelity calculations on the weapons in the current stockpile. This is an ongoing, very important part of the stockpile stewardship program, including the weapons Life Extension Program that the United States now relies on in the absence of underground test explosions.
To meet the severe criteria for risk limitation set by the DoD and DOE, extensive experimentation and design work has been done at the three national weapons laboratories: Los Alamos, Lawrence Livermore, and Sandia. The Sandia National Laboratory focused primarily on designing and validating the performance of the thousands of parts that are outside the physics package in order to assure the safety of the weapons' electrical system (see Figure 1.1). The idea was to enclose the weapon's primary — i.e., the fission stage that releases the energy necessary to ignite the secondary, or fusion stage, of a modern thermonuclear weapon (H bomb) — together with the detonation firing apparatus in a sealed container that could withstand severe insults such as fire and crushing. The enclosure contains no source of electrical energy. Access to the container is allowed only through two specially designed, physically stout, and thermally tolerant pulse-pattern-operated switches, the so-called strong links.
The firing apparatus is designed to become inoperable before the container or its two strong links (which must transmit the electrical energy to detonate the warhead) fail in the event of an accident or warhead component malfunction that leads to a modest thermal excursion from the normal. This is accomplished by co-locating a weak link component which can be shown to predictably fail prior to the barrier or strong links losing their integrity in the event of catastrophically severe environments which would eventually breach the exclusion region barrier to the warhead or the strong links.
The two strong links are in series and are of different designs, in order to minimize the risk of common-mode failures. One strong link is operated by human intent. It is designed to receive a pattern of several dozen short and long pulses in order to close and allow an arming signal to pass. If it receives a wrong signal in the event of an accident, or due to hostile action, it will lock up the system and no arming signal can be transmitted.
The second strong link must receive unique pre-programmed features of the designated trajectory of the weapon system during delivery to the target; for example, a pattern of pre-programmed accelerations, whether delivered by missile or aircraft. Otherwise it too will lock up. Extensive testing is performed to establish a one-in-a-thousand failure rate over long periods of time for each of these two strong links, and since they operate independently in series, it is believed that this meets the 1 in 10 criterion. This technology is called ENDS (enhanced nuclear detonation safety). Confidence in meeting this standard is continually evaluated. There have been bumps along the way and troubling resistance in the enterprise to fixing or removing the systems that failed to meet the officially adopted safety goals, as Robert Peurifoy recounts in his paper in chapter 2.
Beyond the two safety issues I have described in which an accident or a system failure could result in the release of nuclear energy — i.e., one-point safety and the electric detonation system — there are other significant safety issues that I will touch on very briefly. One has to do with the choice of the high explosive that initiates the fission chain reaction by squeezing the plutonium to criticality. The second one has to do with the choice of the missile propellant.
Excerpted from The Nuclear Enterprise by George P. Shultz, Sidney D. Drell. Copyright © 2012 Board of Trustees of the Leland Stanford Junior University. Excerpted by permission of Hoover Institution Press.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
List of Figures and Tables,
Introduction BY SIDNEY D. DRELL, GEORGE P. SHULTZ, AND STEVEN P. ANDREASEN,
Session I Safety Issues — Nuclear Weapons,
1 Designing and Building Nuclear Weapons to Meet High Safety Standards BY SIDNEY D. DRELL,
2 A Personal Account of Steps Toward Achieving Safer Nuclear Weapons in the U.S. Arsenal BY ROBERT L. PEURIFOY,
3 The Interplay Between Civilian and Military Nuclear Risk Assessment, and Sobering Lessons from Fukushima and the Space Shuttle BY CHRISTOPHER STUBBS,
4 Long-Range Effects of Nuclear Disasters BY RAYMOND JEANLOZ,
5 Naval Nuclear Power as a Model for Civilian Applications BY DREW DEWALT,
Session II Nuclear Reactor Safety,
6 Lessons Learned of "Lessons Learned": Evolution in Nuclear Power Safety and Operations BY EDWARD BLANDFORD AND MICHAEL MAY,
7 Nuclear Technology Development: Evolution or Gamble? BY PER F. PETERSON AND REGIS A. MATZIE,
8 The Spent Fuel Problem BY ROBERT J. BUDNITZ,
9 International Issues Related to Nuclear Energy BY WILLIAM F. MARTIN AND BURTON RICHTER,
10 Fukushima and the Future of Nuclear Power in China and India BY JEREMY CARL,
Session III Economic and Regulatory Issues,
11 The Capture Theory of Regulation BY GARY S. BECKER,
12 The Federal Regulatory Process as a Constraint on Regulatory Capture BY JOHN F. COGAN,
13 A Comparison of Government Regulation of Risk in the Financial Services and Nuclear Power Industries BY JOHN B. TAYLOR AND FRANK A. WOLAK,
14 Discussion Notes on the Economics of Nuclear Energy BY MICHAEL J. BOSKIN,
Session IV Media and Public Policy,
15 Media and Public Policy BY JIM HOAGLAND,
16 The Nuclear Credibility Gap: Three Crises BY DAVID E. HOFFMAN,
About the Authors,