I went on a trip to Tucson over the holidays and toured the last Titan II missile silo. A brief history: from 1963-1982 these missiles were part of the Cold War “peace through deterrence” and “assured mutual destruction.” In essence, they provided one reason not to attack the US: even were we destroyed, these missiles would still launch to destroy the Soviet Union.
Politics aside, the control room and interfaces for these missiles were fascinating from a human factors perspective. Gauges, buttons, and rotary inputs reside where we now would expect screens and keyboards. I reflected on this while there: though you need a button for each function, at least the interface never changes.
I snapped the picture below as an example of users improving a system. It appears they are trying to reduce their memory demands by listing on labels the upper and lower boundaries of these controls. It reminded me of the draft beer handles added to the levers in a nuclear power plant (as discussed by Don Norman in “The Design of Everyday Things.”)
A little more history: The Titan sites do not have a perfect safety record. With 54 sites operating for almost 40 years, there were 4 recorded accidents, all where lives were lost and one early fire where 53 people died. Fortunately, none of these accidents resulted in a nuclear explosion, not even in one where the nuclear piece of the missile was blown out of the silo. This site provides a list and engineering analysis of the accidents, and I would be interested in a human factors analysis.
In the accident that ejected the nuclear warhead, the commonly reported story says the explosion occurred when the missile was being serviced and a repairman dropped a heavy tool on the fuel tank. This implies the explosion was instant; however, it actually occurred over 8 hours later, as the fuel exited the breech. The best description I could find comes from a newspaper, the Arkansas Leader:
The missile was housed in a silo within a silo that consisted of eight levels. Maintenance crews were working on level two when the accident happened. Attached to the hydraulic standing platforms was a rubberized boot that flipped over between the missile and the platform to prevent anything from falling through if dropped.
The day missile 374-7 exploded, the boot didn’t keep the socket from falling. At 6:30 p.m., maintenance crews entered the silo to begin work after being delayed due to various unrelated equipment malfunctions. The eight- and three-quarter-pound socket fell, hit the standing platform and bounced toward the missile.
The boot had become too pliable through the years, and the socket fell 70 feet down the silo, hit the thrust mount and bounced into the side of the stage one fuel tank. The 100,000-gallon fuel tank emptied into the bottom of the silo. The fuels interacted and generated heat, which in turn increased the pressure on the tanks. At 8 p.m., the wing made the decision to evacuate the control center.
“When we did that, we had no readings and no way of telling what was going on out there,” Gray said. “We lost all readings,” Gray added.
Many attempts were made to get into the control center to see the readings, according to Gray. At 3 a.m., two people, Livingston and Sgt. Jack Kennedy, made it into the complex. “When they made it in and had to back out because the fuel was so concentrated they couldn’t see, there was some controversy on who told them to turn on exhaust fan 105,” Gray said.
What that did, according to Gray, was pull the heavy concentration of fuel into the equipment area with all the electrical pumps.
“And automatically, boom!” Gray said. “The fire flashed back into the silo, which already had tremendous heat in there, and when the fire flashed back, the stage one oxidizer tank that was already very, very high in pressure, erupted.”
Within one hour of the accident, Gray found the nuclear warhead intact. “It was cracked, but it pegged out on the radio-activity scanner,” Gray said.
Lessons learned from this accident brought about security improvements near nuclear weapons. Security measures to prevent accidents include: all workers wearing a belt with lanyards to attach tools to, a cloth on the platform to reduce the chance of tools bouncing off the platform if they do fall and a renovation of the platforms.
One of our tour guides had actually been stationed at the silo. He was a great guide and a living piece of history. Consistent with what you might expect, he said the hardest times to keep the missile running and protected were the down times, hours of vigilance and inactivity.
Last, I also photographed some of the operation manuals at the museum. Apologies for the fuzziness of these pictures, and I’ll re-type the best bits:
7. Key Run Up procedure, if required. (figure 3-26C)….Performed
Reference SACR 100-24, Volume VI to determine if key run up is required.
Step 8 can only be performed when SYNC indicator is lighted in NORM modes or TRACK/TRSHD indicators are lighted in SPCL modes.
8. DEMODULATOR CONTROL PRINT MODE thumbwheel switch ….. TEST
Observe printout on teleprinter. Printout is continuous series of characters RY’s or 64’s if transmitter site is transmitting idle message, or normal message traffic.
9. DEMODULATOR CONTROL PRINT MODE thumbwheel switch …Set as directed
*PVD must be continuously monitored visually or aurally.
*The PVD may be monitored by either a team in the silo or a crew member in the control center utilizing the wire type maintenance net.
For entry into launch duct level one, the PFC will be positioned outside of the opened level two launch duct access door, with sufficient probes to reach in the launch duct unless the PVD is required on level one of the launch duct for a sniff check.
Generally, I notice a large number of if/then/or/only types of commands.
I have only one last thing to say: the fact that Tucson, AZ, Damascus, AK and Wichita, KS are still around is a testament to the power of training and practice over our human frailties.