SATAN’s Code: The Early Years of Accident Models

The IBM 650 circa 1950s

When the first mass-produced computers hit the stage in the 1950s, nuclear engineers saw the opportunity to use them to help run accident scenarios. It was a good idea that took decades to become reality and the computer limitations created early uncertainty about reactor safety.

In 1954, Westinghouse experts put together a homemade digital computer that read punch tape. With a practiced ear, you could tell from the computer sounds which program was being run.

In 1959, Battelle Memorial Institute developed an early Loss-of-Coolant-Accident model for a heavy-water plutonium reactor. The program was run on an IBM-650/653, the first mass production computer ever developed. The 650 weighed more than a 1955 Cadillac Deville, had vacuum tubes, and used a punch-card reader. Even if it had the memory and someone willing to load the 50 million cards, it would take six months to boot up Microsoft Windows 7.

Fortunately, Battelle’s code was a mere 166 cards. It calculated the behavior of just one fuel rod (modern reactors have thousands of rods) and took minutes to produce one data point.

For the sake of speedier results, gross simplifications were made. For example, an ideal accident code would have broken a reactor cooling system into many small volumes and done extensive calculations on each one to accurately simulate the complex conditions that existed throughout the reactor core and piping. But to run it on mid-1960s computers could take days. As a result, Westinghouse’s FLASH code used just three volumes to represent the whole reactor system.

At least they had computers. Neither the Idaho National Labs, a center for accident-code development, nor the Atomic Energy Commission had them. INL relied on weekend visits to the University of Utah. At the AEC, engineer Norm Lauben begged time from the National Bureau of Standards. Norm drove to the Bureau’s headquarters in Gaithersburg, Md., in the morning to submit his job on the 12,000-line RELAP-3 code, and returned after lunch to pick up the results.

Engineers were confident that the codes would prove reactor designs were overly conservative. Their optimism proved unfounded.

When Westinghouse proudly unveiled its 70-volume SATAN code in 1970, AEC staffers discovered errors in the code indicating that the company’s Emergency Core Cooling System might fail in an accident. The problems of the SATAN code helped lead to a major rulemaking hearing in 1972 on the adequacy of both emergency cooling system designs and accident codes. Those hearings revealed just how embarrassingly uncertain and rudimentary the early codes were about what happened during an accident.

The AEC and later the NRC had to make a huge investment in creating more robust – and accurate – codes. Additional research that produced the RELAP-5 Code is still used today as an industry standard worldwide.

Tom Wellock
NRC Historian

Access Authorization Regulations Lead to Arrest

generic power plant site mapAn illegal immigrant from Mexico was recently arrested after using an invalid Arizona identification card to enter the Palo Verde Nuclear Generating Station. Power plant security officers reported the suspicious ID to the Maricopa County Sheriff’s Office, which promptly made an arrest.

The man, a contract worker, did not have access to the most secure areas of the plant. He was arrested on felony charges — criminal trespass on a commercial nuclear generating station.

The incident underscores the NRC’s access authorization regulations, which are designed to make sure only the most trustworthy and reliable individuals gain access to vital safety areas of a nuclear power plant.

As with many industries and facilities, contract companies are used for projects and basic maintenance such as concrete work. In the case of the Palo Verde plant, the individual was doing work just inside an area known as the owner-controlled area (OCA), which houses no vital safety areas, information or systems. The area requires a valid ID issued by a state or government, and a legitimate reason for entering the OCA, such as previously approved work.

The worker had no access to the most secure areas of the plant with what is called the “protected area.” This area is only accessible by badged personnel, who have undergone stringent screening and background checks, or by individuals being escorted by approved plant personnel.

The site can be thought of as a series of rings representing areas with varying degrees of security checks and measures. The reactor, turbine building, and other safety related equipment, for example, are housed in the highly secured and heavily guarded inner-most ring with access controls, intrusion detection and strategically placed observation towers.

It is the responsibility of the nuclear power plants licensed by the NRC to vet individuals and approve their access to the plant — including those working under contract through other companies. The NRC will be taking a look at the Arizona Public Service Company’s actions related to the arrest of the contract worker to make sure our regulations were followed. The good news is that the system worked to identify someone who didn’t belong and the appropriate law enforcement action was taken.

Lara Uselding
Region IV Public Affairs Officer