As far as I can tell, there’s nothing new in the flurry of recent press coverage about the near-detonation of an H-bomb near Goldsboro, North Carolina after a B-52 broke apart in flight on January 24, 1961. But declassified documents draw press coverage, so I am grateful to Eric Schlosser for unearthing a memo about this event while researching his new book, Command and Control.
To bolster deterrence and to counter a bolt-out-of-the-blue Soviet attack, the Pentagon flew B-52s carrying nuclear weapons on airborne alert, around the clock.
Goldsboro wasn’t an isolated incident. In January 1966, another B-52 carrying nuclear weapons went down along the coast of Spain after colliding with a tanker. After yet another B-52 crash in Greenland in January 1968, the Pentagon finally stopped this practice – seven years after the Goldsboro near-miss.
Back then, US nuclear weapons had problematic safety and arming devices. The author of the declassified memo about the Goldsboro accident, Parker F. Jones of the Sandia National Laboratories, noted that three of the four “fail safe” devices failed on the MK39 Mod 2 bomb, and that, “One simple, dynamo-technology, low voltage switch stood between the United States and a major catastrophe.” This particular switch was itself error-prone. The bomb’s yield was probably in the two-to-four megaton range. Check out Alex Wellerstein’s post about Goldsboro and his NUKEMAP to see the weapon effects from Goldsboro to Richmond that were narrowly avoided.
For more blog posts about nuclear accidents and incidents, see Vasili Alexandrovich Arkipov (2/4/10), Organizations, Accidents, and Nuclear Weapons (8/10/10), and Broken Arrows (12/26/11). After studying crisis behavior and near misses, my powers of analysis come up short in explaining how we humans have managed (so far) to avoid mushroom clouds since 1945. I have concluded, as the Goldsboro case study suggests, that divine intervention and plain dumb luck help explain humankind’s good fortune.
Ghosts are in the machine. Reliance on the machine to work properly at all times and to never be accident- and incident-prone is most unwise. It is also unwise to rely on divine intervention and plain dumb luck to avoid mushroom clouds.
These passages come at the end of my impressionistic account of the Bomb, Better Safe than Sorry (2009):
The quite human instinct of being safe rather than sorry repeatedly worked at cross purposes. Safety led to an excess of caution, and an excess of caution led to excessive nuclear arsenals… The human factor invites Murphy’s Law, but it also has helped to prevent numerous close calls from resulting in mushroom clouds…
Nuclear history is laden with irony, and more ironies – perhaps deadly, perhaps not – lie ahead. Safe passage during the first nuclear age required steadfastness, good fortune, learning from mistakes, and, above all, wisdom. Safe passage during the second nuclear age will require more of the same.
A more recent set of musings, in the Stimson Center’s Anti-satellite Weapons, Deterrence and Sino-American Space Relations (2013), landed here:
Immediately below the meta-level that defines success[ful nuclear deterrence] lie conditions for its potential failure. During crises, when nuclear-capable forces are readied for use, the possibilities for inadvertent use, breakdowns in command and control, and accidental use grow. Because diversified use options distribute weak points within the edifice of deterrence as it grows, crisis and deterrence stability grow shakier as a result. These dynamics were present during the Cold War superpower competition, and they are present on a far smaller scale in the crisis-prone relations between India and Pakistan.
Murphy’s Law isn’t quite done with us quite yet. Many nuclear weapons, high states of alert, and movement during crises add up to the potential for something to go badly wrong in the future.
According to the information at Wellerstein’s site, there were 30 incidents in which the ready-safe switch was “operated inadvertently.” Could this be a count of human error incidents, rather than an “error-prone” switch? One might argue that the switch was not designed well enough to prevent incidents of inadvertent operation, but if a human intentionally operated the switch when he wasn’t supposed to (perhaps as part of an exercise), that could happen even if the switch had a more complicated sequence of required steps to operate it.
In any case, compared with all the unit-hours where the switch was not operated, 30 incidents suggests a low (no, not low enough, but low) probability that it would have been operated in this incident.
Of greater concern is that the breakup of the plane might have resulted in a short-circuit operating the switch. That would be substantially likely if operating the switch was only a matter of energizing a single wire with no code sequence involved. But to have designed it that way would seem unforgivably negligent. It would be less likely, and could have been made very unlikely, if there were multiple wires or a required sequence.
Anybody know about this?
Wellerstein notes that “a nuclear state wants a weapon that always goes off exactly when you tell it to, and never goes off any other time.” I am even more worried about weapons that are supposed to always decide by themselves to “go off” at the “right” time.
Re: “Of greater concern is that the breakup of the plane might have resulted in a short-circuit operating the switch. That would be substantially likely if operating the switch was only a matter of energizing a single wire with no code sequence involved. But to have designed it that way would seem unforgivably negligent.”
At the time of the accident, a single wire with no code sequence was exactly how the system operated. A simple short-circuit while the bomber was breaking up in mid-air could have armed the bombs, and at least one of them might subsequently have detonated. See http://cryptome.org/2013/09/h-bomb-safety-switch.pdf
…And especially worry about nuclear weapons that not only decide for themselves, but argue the point:
http://youtu.be/qjGRySVyTDk
When you combine the Broken Arrows with revelations about the Cuban Missile Crisis, the Yom Kippur War and the Dead Hand, it is indeed astounding that we’re still around to have this conversation.
I had seen the “Goldsboro Revisited” document; it asserts that “If a short to an “arm” line had occurred in a mid-air breakup, a postulate that seems credible…” the ready-safe switch could have been operated.
However, it does not say that there was a single wire with no code sequence. I see reason to doubt this, which is why I raised the question.
The image of the ready-safe switch posted at Wellerstein’s site (where I also raised this question) shows clearly that it is constructed as a rotating drum with at least 2 “S” (safe) positions and probably no more than 1 “A” position (armed). A motor of some kind must advance the drum from one position to the next. I see no reason why the motor would be designed to go in two directions so that it could advance to “A” from either of two redundant “S” positions. Therefore the most reasonable interpretation of this evidence seems to be that the switch was designed to advance through a series of “safe” positions before getting to the “armed” position.
Since a continuous motor would not give positive control of the drum position, it is most likely that the motor was operated by pulses, with a required on-off sequence for each step.
The switch may also have been wired to return a signal back to the cockpit to operate an indicator.
The image shows a substantial number of wires, probably associated with multiple positions of a rotary switch, or as redundant safeties, or both. In any case, not a single wire.
The number of pulse-steps needed to operate the switch may have been as little as one, but in that case, the only reason I can think of to have two “S” positions is that a second pulse would return it to safe. It seems likely that there are actually more than two “S” positions, the others being obscured in the image. If so, the most reasonable interpretation is that a prescribed number of pulses (like, 9) was required to take the switch to the A position, and one additional pulse would return it to S.
If this interpretation is correct–and note that it is just a reasonable interpretation, informed by general knowledge of this kind of technology–then the “short” that would have been required to arm the bomb would have needed to generate just the right number of pulses. This is also a ‘credible postulate’ but even less likely.
It seems to me that the (apparently unknown to us) author of the document in question was trying to argue, quite rightly, for the need for greater safety. He may have been omitting details that did not serve his purpose.
In any case, the evidence in the image does not seem to be consistent with the one-wire, no-sequence hypothesis.
Do you have specific knowledge of this? Does anyone here?
Here’s what Schlosser says on the subject (pp. 246-7): “The T-249 control box and ready/safe switch, installed in every one of SAC’s bombers, had already raised concerns at Sandia. The switch required a low-voltage signal of brief duration to operate — and that kind of signal could easily be provided by a stray wire or a short circuit, as a B-52 full of electronic equipment disintegrated midair. A year after the North Carolina accident, a SAC ground crew removed four Mark 28 bombs from a B-47 bomber and noticed that all of the weapons were armed. But the seal on the ready/safe switch in the cockpit was intact, and the knob hadn’t been turned to GROUND or AIR. The bombs had not been armed by the crew. A seven-month investigation by Sandia found that a tiny metal nut had come off a screw inside the plane and lodged against an unused radar-heating circuit. The nut had created a new electrical pathway, allowing current to reach an arming line — and bypass the ready/safe switch. A similar glitch on the B-52 that crashed near Goldsboro would have caused a 4-megaton thermonuclear explosion.”
More from Schlosser (p. 320) relevant to Mark’s important questions: “Bob Peurifoy felt uneasy that a simple, low-voltage signal, lasting a few seconds, was still being used to arm hydrogen bombs. That kind of signal dated back to the days of Thomas Edison — and it could come from a lot of places as a B-52 fell apart. It could come from a short circuit during an otherwise uneventful flight. Peurifoy thought that a more complicated signal — a unique series of electrical pulses — could prevent a bomb from being armed accidentally. Transmitted between the ready/safe switch in the cockpit and the nuclear weapon in the bomb bay, it would operate much like a secret code, alternating long and short pulses in a pattern that fate, bad luck, or even Mother Nature couldn’t randomly generate.”
Thanks, Bill. The passages are suggestive, but I’m still having doubts, if only because it sounds so… unbelievable.
The story widely reported is that some n-1 out of n safeties failed in the Goldsboro incident, with different accounts giving different values of n. But from what I can tell it seems that actually the arming switch was the only safety in case of a midair breakup (which would likely pull the mechanical arming pins, and did so in this case).
That is, the arming switch seems to have been the only safety that would not normally be expected to operate in case of an accidental drop from altitude. For that to have been operable by a single pulse… seems just too incredibly careless.
I’m still not seeing the explanation for there being at least two “S” positions on the switch (as is apparent in the image), unless a second pulse would have returned the switch to “S”.
Does Schlosser say what his sources are for all these details?
A very different take is given here: http://nuclearweaponsaccidents.blogspot.com/2013/03/goldsboro-19-steps-away-from-detonation.html
which is the Blogger site of Michael H. Maggelet, USAF retired. Mr. Maggelet claims that there were at least 3 safeties, but after studying the details I have more questions than answers, both about his account and the ones pieced together by Schlosser.
There are certainly unanswered questions. Schlosser’s passages suggest that it was an uncoded electrical “signal”, but also that the signal needed to last “a few seconds”. Why the duration? Perhaps the current powered a small motor that executed some sort of mechanical change (physically closing a switch?) within the bomb. And maybe the “safe” setting, possibly operating through a separate wire, reversed that operation. Just a couple of uninformed guesses on my part.
Here’s what Schlosser says about sources:
“246 The T-249 control box and ready/safe switch … had already raised concerns at Sandia: Interviews with [Sandia engineer and nuclear weapon safety advocate Bob] Puerifoy and [William L.] Stevens [first head of Sandia’s safety department]. Some of the limitations of the T-249, known as the Aircraft Monitor and Control Box, had been addressed two years earlier in “A Survey of Nuclear Weapon Safety Problems,” pp. 19-23. [February 1959, SECRET/RESTRICTED DATA/declassified]
“247 all of the weapons were armed: Stevens interview. See also Stevens, “Origins and Evolution of S2C at Sandia,” p. 60. [September 2001, OFFICIAL USE ONLY]
“247 A seven-month investigation by Sandia: See ibid.”
The passage on page 320 is not specifically footnoted; presumably it is based on the author’s interviews with Peurifoy.
I am trying to assess the odds of this particular type of accident – a nuclear weapon going boom without any human ordering it to go boom. The event, so far, has never happened, but conceivably could happen.
If 3 of 4 independent safety devices failed in the Goldsboro incident, the chance that all would fail is approximately (3/4)^4 = 32%. In general, if there are n safety switches and n-1 fail, the chance that all would fail is approximately ((n-1)/n)^n. When n=2, this chance is 25%. When n=3, this chance is 30%. When n=10, this chance is 35%.
If instead the switches are part of a rotating drum, with 4 safety settings and 1 armed setting, and if 3 pulses are received rotating the drum to the last safety setting (requiring only one more pulse to get to the armed setting), the chances of getting 4 pulses instead of 3 pulses might be describable as a Poisson process. To simplify the calculations, I will assume that 6 pulses were possible, with each possible pulse having a 50% chance of rotating the drum one notch. Under these assumptions, a binomial distribution tells us there is (1+6+15+20)/64 = 66% chance of 0-3 pulses, so the bomb is never armed. There is 15/64 = 23% chance of exactly 4 pulses, so the bomb is armed and remains armed. There is (6+1)/64 = 11% chance of 5 or 6 pulses, so the bomb is briefly armed and then disarmed.
Also of interest is what happens when the bomb is armed. From what I read above, the armed bomb does not automatically detonate. What further event needs to happen for the armed bomb to detonate? What is the likelihood that this further event would occur, so as to bring about an unplanned detonation?
@Jonah,
“What further event needs to happen for the armed bomb to detonate?”
American bombs use something called an “Environmental Sensing Device”. This measures things that the warhead/bomb could only do when acting when the device is supposed to go off. So in the case of a free-fall bomb (the thing one drops from an aircraft), it would need to measure that it was “at altitude”, and that it is no longer attached to the aircraft and is now in free-fall. The idea is that you can’t fake the signals by dropping it off the back of a truck (or leaving it on the truck and driving to a city), so any thief that managed to get the PAL codes would still be unable to set off the nuke. Well, that’s the idea anyway. When the aircraft broke up, all of the appropriate ESD signals would have gone off in the way that the designers would have wanted.
There was a type of deadman switch in the B-52 (called “Special Weapons Emergency Separation System”) that was intended to detonate the bombs in the event that the aircraft was shot down over the Soviet Union (or the crew was disabled for any reason). This switch would not have been armed over the US.
The more you learn about how these things work, and how the safety mechanisms work, the more scarey this incident is.
Perrow wrote a book titled Normal Accidents. His premise is that there is an irreducible minimum risk for every technology and that some accidents would occur normally. For really bad accidents, all the little failures need to line up like a slot machine. Getting 1 or 2 cherries = nothing. Getting a few more cherries yields a small accident. Getting all the cherries in a row yields the spectacular catastrophes. Union Carbide had a couple of accidents with plants that made methyl isocyanate. The accident in WV only had a few cherries line up – and no one was injured. But all the cherries lined up in Bhopal.
One option that fits with Mark’s motorized drum mechanism but would be susceptible to problematic momentary shorts during aircraft breakup would be a low voltage pulse that advances the drum – a pulse of the correct time advances it to Arm from Safe, but a longer time pulse (e.g. a constant short circuit) continues to advance the drum back to Safe again. One could see afterwards that the switch had been actuated, in the case of continuous accidental operation via short circuit. As an engineer it would be crazy to me to design a switch this way. But no more crazy than some other proposed mechanisms that may well have been the actual ones. And it is compatible with Schlosser’s description.
After reviewing information on the various links from this webpage, I have come to different conclusions. I am withdrawing the two sets of probability estimates I posted above, because they are irrelevant to the actual accident at Goldsboro.
My first set of estimates presumes there are several similar safety devices, and that all but one failed. In actuality, there were several different safety devices, only two of which were relevant to the accident, one of which failed. The “irrelevant” safety devices were those designed to assure that the bomb was dropped from an airplane at high altitude (as opposed to, say, falling from a truck or being driven to a city).
The first relevant failure occurred “because of the way it was tossed from the aircraft, which removed a horizontally-positioned arming pin. That is, an arming pin was supposed to be in a position that it couldn’t be removed accidentally, but the particulars of how violently the aircraft broke up as it crashed were what armed the bomb in question.” See http://blog.nuclearsecrecy.com/2013/09/27/final-switch-goldsboro-1961/
The one relevant safety device success was due to the pre-arming ready-safe switch. There is no evidence that this device failed even partially, so my second set of estimates regarding pulses turning a rotary drum to the armed position are also irrelevant.
According to the Sandia video clip on Nuclear Secrecy, there were “30-some” incidents where the switch had been operated inadvertently. Since I presume there were more than 3,000 nuclear bomber flights, this is less than 1% chance that the switch would have been inadvertently armed prior to the accident on this particular flight, but if it had been the bomb would have detonated.
In addition, there was clear concern this type of accident could have caused an electrical discharge that might arm the device. According to the Sandia video, all that was needed was a “28-volt signal.” Defense secretary McNamara was concerned that “by the slightest margin of chance, literally the failure of two wires to cross, a nuclear explosion was averted.” This accident-caused risk would add to the probability of a nuclear detonation. By how much, I cannot say, because the design of this device appears to be classified information, even though the device was improved and the old design is presumably no longer in use. (See Sandia video.)
Quite frankly, I see no good reason why information on any of the safety devices (both current and obsolete) needs to be classified. If these weapons really are as safe as the nuclear elite says they are, why can’t outsiders be allowed to verify this soothing claim?
Here’s a thought: why is it that when such clear evidence is available that neither Mk 39 bomb was in any danger of exploding, has the hysterical article of doom gone global, seemingly without being challenged?
Here is an excerpt which I think should have been easy enough for any reasonably diligent journalist to find:
“Contact fuses for U.S. atomic bombs were developed starting in 1951 and they have often been employed as last-ditch backups to other types of warhead fuses.64 These fuses are also known as “salvage” fuses in that they can “salvage” the bomb and cause it to explode when all other fuses fail. These fuses must function after withstanding extreme deceleration forces and delivery vehicle deformation.65
64 AF ATOMIC ENERGY PROGRAM, Vol. IV, p. 89.
65 Rosengren, RDA-TR-122100-001-Rev. 1, p. 102.
http://www.ibiblio.org/bomb/hansen.html”
Again, Mssrs. O&M are in lock-step with Sandia and Mr. Hansen on this: they indicate quite plainly that the nose crystals were both present and “crushed.”
O&M: bang on as usual with impeccable facts.
So, if all the other fuzes failed and the bomb still didn’t go bang (conventionally or otherwise) the bomb obviously was neither armed as a viable nuclear weapon, nor had it run through all the other fuzing processes.
As O&M state:
“How close was the Goldsboro bomb to producing a nuclear explosion? Not at all.”
QED.
The reason I threw up my hands on this is that if one relies on the snippets of testimony and even declassified docs that are available publicly, one has to factor in that any of this evidence might actually be wrong, or at least partly wrong. Even the “authoritative” declassified docs and the testimony of people involved may be wrong in details. This is a case where it is really the details that matter.
I find it very hard to believe that nobody ever thought about the possibility of an accidental release, whether from a mid-air breakup (something you expect to happen in an actual war, and also from time to time in peace) or any other cause. It would pull the arming pins, the barometric switches would operate as in a normal drop, and the impact fuzes would operate. If the only safety was then a single “ready-safe” or “arming” switch, and if all that was required to operate that switch was a single pulse of the bomber’s standard 28V supply, then I think heads should definitely have rolled at Sandia, SAC and elsewhere.
My best guess is that the arming switch, or at least one of them if in fact there were two (which I don’t believe is clear from the evidence presented by Maggelet), the “30-odd incidents” of inadvertent “operation” of the switch may have often involved human error and may not always have resulted in actually arming the bomb.
The switch we have been shown is clearly a rotary switch with more than two positions and it probably required either a series of on-off cycles or being operated for a certain length of time as a motor advanced it to the armed position, and not a longer time or a longer sequence of pulses which would return it to a safe position. This would have been enough to make it unlikely that the bomb would be armed at the moment of an accidental drop, though not nearly unlikely enough for our comfort.
The statement that an accidental short could have resulted in a nuclear explosion would then be correct, but somewhat misleading. We should remember that political battles are fought on the inside as well as outside.
Worzel, Could you clarify your argument a bit?
You refer to salvage fuses that can salvage the bomb and cause it to explode when all other fuses fail. This appears to be an extra detonation device, not a safety device.
You next indicate that the nose crystals were both present and crushed. I assume you believe this means the salvage fuses were destroyed by impact with the ground? Does the crushing of the salvage fuses cause detonation or prevent detonation?
By O&M do you mean the blog post here by Maggelet and Oskins? http://nuclearweaponsaccidents.blogspot.com/2013/03/goldsboro-19-steps-away-from-detonation.html
I don’t follow this logic: “So, if all the other fuzes failed and the bomb still didn’t go bang (conventionally or otherwise) the bomb obviously was neither armed as a viable nuclear weapon, nor had it run through all the other fuzing processes.”
To the contrary, your Hanson source clearly states: “During the breakup of the airframe, three of four arming safety devices on one bomb were actuated, including arming wires pulled out, the pulse generator actuated, the explosive actuator fired, a timer run down, all contacts of the differential pressure switch closed, and the low and high voltage thermal batteries actuated. The arm-safe remained in a “safe” position and the rotary safing switch was not operated. The X-unit was not charged, nor was tritium injected into the pit. These actions resulted in the bomb’s warhead going through all of its arming sequence, including 100-foot diameter retardation parachute deployment, activation of internal timing mechanisms, development of high voltage in the firing system, etc. However, since the fourth arming device — the pilot’s arm/safe switch — was not activated, the warhead did not complete its arming sequence.”
The question at issue here is not, did the bomb detonate? Everyone agrees it did not. Rather, the issues are these: Could the last safety feature have failed, if conditions had been similar but slightly different? How likely is it that the last safety feature might have failed, resulting in a nuclear detonation?
Hi Jonah,
Yes, it’s a bit involved this, but in essence, it is important to distinguish between the terms “arming” and “fuzing” and indeed “arming the fuzing system.” The terms “armed” and “arming” are often used quite liberally and it can cloud the process (frankly, I believe that the whole Goldsboro furore relies upon just this.)
It was not standard operating procedure for the B-52 to arm nuclear weapons on take-off or landing (as this aircraft was attempting) nor were weapons armed over US territory. The weapons would only be armed (i.e. to become viable nuclear weapons, capable of a fission explosion) unless a go-code was given and, even then, the arming of the bombs required multiple, sequential and deliberate operations to be carried out by more than one crew member. It is simply inconceivable that the bombs would have left the aircraft as viable nuclear weapons.
That being said, it looks like all but one of the fuzing mechanisms (designed to make the weapon go bang at the right time, in the right place) did go through their processes. Now, the nose crystals/impact trigger/salvage fuse was fired, but nothing happened, as you correctly say. Neither a conventional explosion of the TNT charge or a fission explosion occurred, which demonstrates that the bombs had not been set up to explode either as air-burst or ground burst.
The elements which you describe (such as the Bisch PULSE Generator) belong to the fuzing processes, not the armoing processes. If you look at O&M’s document, you will see that these elements are all listed under “fuzing.”
The worst thing that could happened would have been a detonation of the conventional charge. This didn’t happen either.
I hope that’s a little clearer. I’m no expert, but O&M’s facts all stack up: their conclusion appears sound and it was borne out by events.
Hi Jonah,
Sorry, I rushed that a bit but, yeah, O&M is the same as Oskins & Maggalet in the link provided.
Also: “The question at issue here is not, did the bomb detonate? Everyone agrees it did not.” Well, actually, Brodie of Sandia and others get this horribly wrong and state that the conventional explosives detonated. I can’t think of a more fundamental factual error.
There are two responses as i reply to this important post, but I only see one….?? Is there a ghost poster? It’s almost time for that Halloween roundup. Schroedinger’s cat must have several lives.
Eve:
It’s a ping-back.
MK
There is actually a Nuclear Weapon that is still missing off the coast of Georgia.
http://io9.com/5906826/when-we-lost-an-unexploded-nuclear-bomb-off-the-coast-of-georgia
Harold Agnew, head of atomic laboratory, dies at 92
http://www.washingtonpost.com/national/harold-agnew-head-of-atomic-laboratory-dies-at-92/2013/10/02/b4bb81cc-2ba4-11e3-97a3-ff2758228523_story.html
By Elaine Woo, Published: October 2
Harold Agnew, a leading figure of the nuclear age who helped design the first atomic bomb as a member of the Manhattan Project, led efforts after World War II to make the weapons more secure and championed the development of nuclear power, died Sept. 29 at his home in Solana Beach, Calif. He was 92.
http://www.timesofisrael.com/dayan-pushed-pm-meir-to-consider-using-nuclear-weapons-in-1973/
Former government aide says the defense minister, badly shaken on day two of the Yom Kippur War, suggested the ultimate option… and Meir told him to ‘forget it’
—Is this leak related to the current Iran / Israel nuclear tension, or not?
this from the Pakistan:
Posted Date: 4th October, 2013 Last updated at 14:40 PST
Pakistan is not in any arms race: PM
Nawaz Sharif says Pakistan’s strategic capability will continue to follow its policy of credible minimum deterrence.
Prime Minister Muhammad Nawaz Sharif has said that Pakistan is not in any arms race and wants peace in the region.
The Prime Minister said this during his visit of National Command Center of National Command Authority and a weapons storage site on Friday. He said Pakistan’s Strategic capability will continue to follow its policy of credible minimum deterrence.
Nawaz Sharif commended the skills’ expertise’ professionalism and dedication of individuals as well as the organizations involved in the development of the NCC and the requisite support systems.
The Prime Minister was also given a demonstration of the state-of-art connectivity of countrywide strategic assets which is an exclusive network ensuring effective control over the strategic assets by the NCA.
The Prime Minister later visited a technical site where he was briefed by Commander Army Strategic Force Command. He expressed complete satisfaction over the safe’ secure and foolproof security architecture in place for the physical safety and security of Pakistan’s strategic assets.
http://online.wsj.com/article/SB10001424052702304441404579123593924760138.html
Iran is preparing a package of proposals to halt production of near-weapons-grade nuclear fuel, a key demand of the U.S. and other global powers, according to officials briefed on diplomacy ahead of talks in Geneva next week.
Tehran in return will request that the U.S. and European Union begin scaling back sanctions that have left it largely frozen out of the international financial system and isolated its oil industry, the officials said.
—This is a complicated question. Eisenhower must have been told about Goldsboro, and whatever was written is probably still classified, after all these years.
—I’ve read that the CIA spent the entire Nixon administration telling Nixon what he wanted to hear about Vietnam, to ensure funding. So, agencies will lie to Presidents.
—Yet, if the conclusion about Goldsboro was “no danger of accidental detoantion, Mr. President,” would that still be locked in a safe? Just declassify the final two pages of the conclusion, and Eisenhower’s “Wow, I’m glad my fears were unfounded” memo, and that would end speculation about Goldsboro, would not it?
—Or will someone say “it is a lot more complicated than that, Bradley, so they cannot declassify the information, even fifty eyars later.”
The weapons involved at Goldsboro, Thule, Yuba City, etc., were in no danger of detonating. While many critics and well meaning individuals continue to harp on the “one switch” mantra, let’s take a look at what was required for the Mk 39 Mod 2 to produce a nuclear yield. All info is declassified and from DOD and DOE sources.
First and foremost, there is no safety switch in the cockpit. The device is known as the DCU-47 and it’s part of the Aircraft Monitoring and Control equipment (AMAC). Since we’re discussing Goldsboro, I’ll go into some detail and refute some myths also.
AMAC for the B-52 at Goldsboro (actually near Faro, NC) consisted of the DCU-47 and the T-249. The DCU-47 was located near the pilot’s seat and was a toggle operated switch designed to provide power on demand to the T-249. It was safety wired and sealed to prevent inadvertent activation and to detect tampering (per SAC regs). During the bomb run, the pilot would break the seal and open the cover, and toggle a switch for the forward or aft bomb. He had to keep the switch toggled during the entirety of the bomb run, otherwise power would be removed from the T-249 and the weapons would automatically safe.
The T-249 was located in the lower flight deck of the B-52 at the bomb/nav or weaponeer station. During pre-flight or in flight, the T-249 was used to monitor the safe status of the bomb (or safe the bomb, if required). The T-249 could not be used by itself to arm the bombs- that could only be done with the consent of the pilot using the DCU-47. It too was safety wired and sealed to prevent inadvertent operation and to detect tampering.
On a side note, I see mention of the SWESS system occasionally, it was nothing more than an emergency jettison system with mechanical and electrical interlocks which gave the crew the means to emergency jettison the bombs if necessary. It did not “automatically” drop weapons if the crew was disabled or other nonsense.
The Mk 39 Mod 2 had three safety switches, not one as is commonly stated. These consisted of the MC-772 Ready/Safe Switch which was visible through the bomb case and a glass window, the MC-788 Electrical Arming/Safing Switch in the bomb’s electronics cartridge, and the MC-732 Trajectory Arm Switch in the bomb tail subassembly.
The primary means of safing the bomb was through the AMAC controllers and MC-772, which was designed to be electrically rotated to “arm” by aircrew intent following a nineteen step checklist. The bombs internal thermal batteries could not be used to rotate the MC-772. Only aircraft power of 28 volts/3 amps for three continuous seconds, applied via the DCU-47 and T-249 and a special aircraft/bomb cable could pre-arm the weapons before drop. The MC-788 Electronic Arming/Safing Switch in the cartridge could only be operated via the MC-772.
During Goldsboro, the low voltage and high voltage thermal batteries (HVTB) activated after the pulse plugs were removed- that would also happen if the bomb accidentally fell during a ground accident (failure of the U-2 sling during loading, for example). The LVTB’s would activate, however no current could reach the X-unit due to the fact that the MC-772 and MC-788 were in the safe position, and the MC-732 did not sense a pressure change.
Since the bombs were torn from their U-2 racks during the Goldsboro accident, the pullouts were extracted and the LVTB and pulse generators activated. The MC-772, MC-788, and MC-732 prevented any current from reaching the X-unit (which could not be charged).
During the entire sequence of events, the MC-772 and MC-788 prevented any current from the LVTB, pulse generators, HVTB, closing of the baro’s and timers, and piezo’s from reaching the X-unit. Thus, the X-unit could not be placed into a condition to charge the saturable core transformers and the cold cathode tube spark gaps.
The low voltage current from the nose impact switches (piezo’s) could not bypass the R/S switches, and was insufficient to fire the bomb (since the X-unit was not charged).
The detonator bridge wires required very high voltage for initation, and this could only be supplied from the X-unit (with the high degree of precision and simultaneity required for implosion). There were numerous other steps required to place the Mk 39 into a condition to produce a nuclear yield, and without the charging of the X-unit that could not take place. The nuclear system was also one point safe, as shown by the impact of bomb 2 with no HE detonation.
As for claims that “stray voltage” could have resulted in armed bombs during breakup, that’s rather dubious given the complexity of the electrical system of the aircraft and bomb pullout cable. It was a neoprene covered cable (may have been shielded) with numerous pins and contacts, and was torn from the bomb during breakup. Could the cable have been sheared and voltage passed through the correct few pins for an adequate time period to rotate the MC-772? Highly unlikely.
There were several ground incidents during the Cold War where assembly crew smashed cables during weapons assembly, loads crews smashed connectors during loading, and testers failed. When aircraft power was applied, this resulted in activation of the LVTB or stepping of the R/S switch. It should be noted that the R/S is easily safed by manually rotating it to “safe” using a screw driver or pushing a detent (it cannot be manually armed, which would result in breaking contacts in the switch, safing the weapon). Some of the early weapons I worked on, the B43 and the B57, were “antiques” by today’s nuclear safety standards. Never lost a moment of sleep worrying about their safety.
Hi Michael,
What fascinates me about this story is how the myth has spread to the near exclusion of any possible rational alternative(obviously “nuke nearly evaporates NC” is a far more interesting story than “nuke doesn’t detonate, as designed.)
I have to admit that, while you write with the authority of someone with considerable expertise in the subject, it is very difficult to find other sources to corroborate your conclusion. Even though much of what has been repeated ad nauseam in the media is based on apparently flawed and contradictory information, the sheer volume of stories which repeat the received “wisdom” is almost overwhelming.
I wonder what this says about the relationship between the demands of the mass media and constraints of rational analysis?
—I think you are forgetting something, that I, as a fan of 1950s Monster Movies have not forgotten. The U.S. Airforce was supposed to be someone you could trust: it was not supposed to have the ability to make a Castle Bravo disaster, on U.S. soil. But it did create a Castle Bravo disaster, in the Pacific.
—The press might deserve the criticism you give it. But the public, in 1961, was being asked to *trust* the government with the things, and it messed up at Castle Bravo.
—By the time the country was through with Vietnam, it was through with trusting large institutions, especially military ones.
—That is why the incident is seen as a near-apocalypse. They public went from fear of “them” in the early 1950s, to fear of “Us” in the early 1970s, and the U.S. Airforce is “Us.”
Dear Worzel Gummidge:
I love your handle.
I can’t come up with corroboration for my hypothesis of divine intervention as one reason for the absence of mushroom clouds since 1945. I intend to do further investigations on this research in due course.
Best wishes, and plz continue to contribute,
Michael
Michael, Thank you for the detailed description of the inner workings of the bomb involved in the Goldsboro accident. You indicate there were three safety switches, the MC-772 Ready/Safe Switch, the MC-788 Electrical Arming/Safing Switch, and the MC-732 Trajectory Arm Switch.
You indicate that the MC-788 could only be operated via the MC-772. The MC-722, in turn, was operated, under the two-man rule, only by the pilot and a physically separated crew member jointly cooperating to arm the device. This suggests that, while physically separate, the M-788 A/S Switch does not function independently of the M-772 R/S Switch. That is, if the M-772 is armed for whatever reasons (e.g., deliberate or inadvertent arming, mechanical or electrical malfunction, poor design, or sabotage) then the M-788 will also be armed. Correct?
You indicated the MC-732 Trajectory Arm Switch can sense pressure change – would this be air pressure? Is it a safety circuit (irrelevant for the Goldsboro accident) that determines whether the bomb was dropped from a high altitude, rather than falling off a truck or being driven to a city?
Wellerstein’s web page, http://blog.nuclearsecrecy.com/2013/09/27/final-switch-goldsboro-1961/ contains a picture and a video clip from Sandia National Laboratory that show a pre-arming ready-safe switch. Are these pictures an accurate rendering of the MC-772 Ready/Safe Switch?
Based solely on these pictures and Schlosser’s accounts, Mark Gubrud, Bill Robinson, and Otto (all posted above) provide various hypotheses about the R/S Switch. Can you provide any further description of how this device functioned? Are there any declassified blueprints or working models of this device?
The Sandia video on Wellerstein’s web page also provided a picture of an improved R/S Switch. This picture is captioned with “Reverse Running of SA 1007/1258(?) motors” and “Remove Insulating Film”. Do you know whether or how the captioned items improved safety on the R/S Switch?
The Sandia video also mentioned “30-some incidents where the ready-safe switch was operated inadvertently”. Do you have information or opinion as to how or why these incidents occurred?
Sorry for all these questions. I simply wish to nail down the facts, so that people’s opinions can revolve more closely about the facts, rather than fears and fantasies.
http://www.imdb.com/title/tt0045546/
–1953: monster Awakened by Atomic test in the arctic attacks New York.
http://crashlanden.files.wordpress.com/2011/01/beastfrom-43.png
“Look, it is carrying a copy of “the Eighteenth Brumaire of Napoleon” by Karl Marx!”
https://lh4.googleusercontent.com/-huVgzkwrvrE/TYeBISe314I/AAAAAAAACXw/imOmDcpx7iQ/s1600/beast_fathoms_nyc.jpg
Jonah,
No problem addressing your questions. First some background info. I’m retired Air Force and worked on nuclear weapons as a team member and team chief from ’80 to ’95. My co-author, Jim Oskins, joined the AF in 1955 as a nuclear specialist (maintaining and loading nuclear capsules). He then cross trained to the electronics field when sealed pit weapons were fielded, maintaining the electronic components of the weapons including the cartridge (fuze deck) which contained the baro’s, timers, R/S switch, etc. In the early ’60’s, the AF Specialty Codes were combined to become “Nuclear Weapons Specialist”.
So, with that, I’ll try to answer your questions-
Q- “That is, if the M-772 is armed for whatever reasons (e.g., deliberate or inadvertent arming, mechanical or electrical malfunction, poor design, or sabotage) then the M-788 will also be armed. Correct?”
A- No. The MC-788 is the last switch to rotate to the arm position, since it actually is the final safety to prevent charging of the X-unit. It cannot rotate until the MC-772 was rotated to “arm”, and input signals were received from the trajectory arm, baro’s, and timers.
Q- “You indicated the MC-732 Trajectory Arm Switch can sense pressure change – would this be air pressure? Is it a safety circuit (irrelevant for the Goldsboro accident) that determines whether the bomb was dropped from a high altitude, rather than falling off a truck or being driven to a city?”
A- The MC-732 Trajectory Arm Switch operated off differential pressure, where a fence or projection separated two holes to sense air pressure (by air speed). Once a continuous pressure was met (at least 300 mph), a bellows would close completing the circuit. There isn’t much more on the MC-732 out there, am continuing the search.
Q- Wellerstein’s web page, http://blog.nuclearsecrecy.com/2013/09/27/final-switch-goldsboro-1961/ contains a picture and a video clip from Sandia National Laboratory that show a pre-arming ready-safe switch. Are these pictures an accurate rendering of the MC-772 Ready/Safe Switch?
A- Yes, that’s the MC-772, although it’s a pretty poor representation since it’s a cutaway display piece and doesn’t appear to have any potting material in it. I have a pic of very poor quality of the one recovered at Goldsboro in its housing, will post to my blog in the coming days.
Q- Can you provide any further description of how this device functioned? Are there any declassified blueprints or working models of this device?
A- It’s an electrically operated solenoid, designed to rotate when 28v/3a was applied for three continuous seconds through the Aircraft Control and Monitoring equipment. It could be manually safed, but not manually armed (detents in the switch would break, rendering it safe). The device was very likely designed and tested by Sandia Corporation, as most fusing components for our weapons are. I haven’t found too much info on the MC-772, other than what I wrote above. Sandia Corporation tested every component extensively- electrically, shake tests, humidity, corrosion, etc. You could probably FOIA documentation, drawings, etc, for it, but be prepared to wait a long time.
Q- “The Sandia video on Wellerstein’s web page also provided a picture of an improved R/S Switch. This picture is captioned with “Reverse Running of SA 1007/1258(?) motors” and “Remove Insulating Film”. Do you know whether or how the captioned items improved safety on the R/S Switch?”
A- The latter switch type was used on several weapons I worked on in the field. I haven’t seen an MC-772 up close, but anyone who goes to the atomic museum in Albuquerque or any place with a 39 on display should be able to see it on the right aft portion of the tail subassembly.
Q- “The Sandia video also mentioned “30-some incidents where the ready-safe switch was operated inadvertently”. Do you have information or opinion as to how or why these incidents occurred?”
A- Certainly, they ranged from inadvertent operation of AMAC equipment by the aircrew (a reportable incident) to crushed cables during loading (load crew error). When power was applied, the switch rotated to arm and a low voltage thermal battery sometimes activated. Due to the number of other safety devices, no electrical current reached the X-unit (or it was so low as to not present a hazard). The weapon detonators required very high voltage to ignite the exploding bridge wires, and current from the LVTB or crushed nose crystals was insufficient to cause any damage (we used low voltage continuity testers to check continuity in the batteries, fuze deck, R/S switch, det cables, etc.). Some of the weapons also had removeable plugs or batteries which interrupted power to the X-unit. Also, given the hundreds of thousands of times US weapons were electrically monitored during the Cold War, 30 incidents is extremely low. Some R/S switches were in the “ready” position, which may have been due to failure of the display face and not the solenoid itself (through rough handling). I’ll research the incidents and post to my blog.
Michael Maggelet, Thank you for your well-researched answers to these questions.
Speaking strictly as a lay person, it appears unlikely that any of these bombs would have detonated simply by accident. More qualified experts will have to judge whether accidental detonation was virtually impossible or merely unlikely.
Since I am not an engineer and would have little ability to understand blueprints, I will let others attempt the FOIA requests, if they so choose. In my opinion, it should be possible to release safety information without endangering national security.
Mr. Maggelet:
Thank you for your valuable research and first-hand knowledge. If I understand what you are saying correctly, it indicates that the story as told by Eric Schlosser, based on the “Goldsboro Revisited” memo written in 1969 by “Parker F Jones, the supervisor of the nuclear weapons safety department at Sandia” is essentially correct.
That is, as the memo says, “If a short to an “arm” line occurred in a mid-air breakup, a postulate that seems credible, the Mk 39 Mod 2 bomb could have given a nuclear burst.”
You indicate that such a short would need to last for at least 3 seconds, which you consider “Highly unlikely.” I may agree that it would be unlikely, but perhaps not unlikely enough, given the consequences.
It is still not clear whether applying 28V for longer than 3 seconds would have returned the MC-772 Arm/Safe Switch, as it is referred to in the declassified table you provided, to a safe position. If not, the risk was even greater, since a short of arbitrary duration would be less unlikely than one of just 3 seconds.
Referring again to that same table, the designation “MC-732” does not appear, but “MC-832 Differential Pressure Switch” does. It is reported that for the first bomb — the one which reputedly came close to detonating — this switch was found with “All Contacts Closed.” I take this to mean it operated as intended during the fall.
You write that the MC-788 Rotary Safing Switch “is the last switch to rotate to the arm position, since it actually is the final safety to prevent charging of the X-unit. It cannot rotate until the MC-772 was rotated to “arm”, and input signals were received from the trajectory arm, baro’s, and timers.”
However, if an accidental drop (e.g. due to a mid-air breakup) were to occur with the MC-772 in the “Armed” position, then it seems that the MC-788 would normally have received all the other inputs in the course of its fall.
Referring again to the declassified table, we do not see anything described as “trajectory arm,” but that presumably is the MC-832 Differential Pressure Switch — which apparently closed in the case of the first bomb. We also don’t see anything described as a “baro” but if there were additional barometric switches, they would have operated as in a normal drop. We do see that the timer for the first bomb has “run down” although there appears to be an additional word or two blacked out.
In any case, I see no reason why all conditions for charging the X unit and detonating the bomb would not have been met if the MC-772 had been in the Armed position when the bomb was released during the breakup. We are then down to the question of how unlikely that may have been.
Again, I agree that it seems unlikely, but not unlikely enough. A 14 meter tsunami at Fukushima was also unlikely. Risk is defined as the product of probability and consequences. A 4 Mt ground burst at Goldsboro would have killed 10,000s and displaced millions.
It seems to me that you have basically confirmed what Jones wrote in 1969 and Schlosser made public, and I have been saying I found hard to believe.
Jonah,
It’s hard to visualize these components unless you’ve seen and worked on them. I haven’t seen inside of a Mk 39 in 33 years (films in tech school), but pic’s showing components in the tail section are similar to other weapons of the era. Why SNL or the AF doesn’t release more quality sanitized pics of the Goldsboro accident scene or the Mk 39 is beyond me. Our FOIA request for 28 pics taken of the Goldsboro accident was denied (they said they don’t exist- yeah right!).
Correction, the Mk 39’s R/S Switch is located on the left side near the field break near the tail (standing at the back looking forward).
Link to photo of bomb 2 in the hole at Faro, North Carolina (actual location of the accident). You can see some of the components on the alignment plate (aft case of warhead still in ground). The baro’s were located inside the tail section being lifted.
http://www.sonicbomb.com/files/articles/goldsboro/2.jpg
Mark Gubrud,
The MC-732 Trajectory Arming Switch is not listed in the table, nor is the MC-665 Baro Switch, reasons unknown.
Photo’s of the MC-732 are shown in the Explosive Ordnance Disposal recovery op, and the status of it and the MC-665 are not listed in the fusing table. The MC-832 is another baro switch used on the Mk 39 Mod 2 (the tail section contains the MC-665 and MC-832).
“Broken Arrow, Volume I” contains the official USAF aircraft accident report, along with the declassified EOD render safe and AEC observer’s reports, pp. 148-172.