There was a long list of engineering failures at Fukushima. The idea with airplanes is not "design this component so it cannot fail" but "design the system so it can tolerate component failure". Fukushima had a list of failures it could not tolerate.
You mentioned one, the vulnerability of the backup power to the seawall being overtopped. The generators could have been put on a raised platform. There were others:
1. the hydrogen was vented into an enclosed space
2. no way to add water to the cooling system with a gravity fed device
3. critical machinery should not be located in the reactor core building
4. no way to bring in electric power from elsewhere
The problem with fault tolerance is that it allows the normalization of deviance, since something is always failing, but it's okay because there is always a backup (until there isn't).
The bigger issue with nuclear power is that we can trust humans to keep up the level of effort to keep it working without a fault for a few decades, maybe centuries if we're lucky, but there's no way you can operate a plant for millennia without a catastrophic accident, and accidents take much more than a thousand years to clean up. So it's all totally imbalanced unless you just assume we'll have fusion in fifty years, so nothing matters. But I don't think we can assume that anymore.
> The problem with fault tolerance is that it allows
We do that with airplanes. Think about it - you're flying at 30,000 feet, 500 mph, 50 degrees below zero, no land in sight over the North Atlantic, in a tin balloon loaded to the gills with fuel and two flaming engines.
The machines are designed to tolerate fault, but the FAA is designed to not let you take off unless you do a checklist that proves all the engines are working, not just the one you need for a crippled landing. So the system as a whole requires that the FAA not give in to the pressure from industry to sign off on less fault tolerance. It's a difficult issue for systemantics.
With wing mounted engines on two-engine airliners, there is physically no way to take off on one from other than a dry lake bed. The thrust from the operating engine will introduce more yaw on the airplane than the rudder, nosewheel steering, and wheel brakes can counteract.
Even tail mounted engines (with a shorter coupling arm to the centerline) will typically have a Vmcg (roughly, speed at which lateral control on the ground is lost with one engine inoperative) that will preclude takeoff on one (physically, not by regulations) from available runways.
Really? You know of examples of passenger planes taking off with only one engine turning? Or of any twin engine airplane doing this deliberately (other than a test flight or desperate emergency, like the volcano is gonna blow any moment).
I was talking about the situation of planes taking off in barely flyable/safe situations that would not be allowed by modern FAA regulations, which I think is the larger point that was being argued, not debating about the single engine or propeller case.
Airplanes are highly standardized. Dozens and hundreds of essentially the same model are built. A few of them are built specifically to test in various ways and even crash and burn, and make sure they behave reasonably in such situations.
Civilian nuclear reactors are mostly built by a handful, rarely by a dozen. This makes learning from past mistakes and taking preventative measures across the fleet hard.
I think France has partly solved it exactly by having a small number of standardized reactors, and a number of nuclear plants which can be run in a reasonably uniform way.
Not really. Every one coming off the line is different. They are constantly being improved. Every part on the airplane is carefully tracked, from manufacturing lot to which airplane each is installed on. Everything is designed by engineers, not custom made on the spot by a mechanic.
Yes, French nuclear powerplants were standardized and built in batches ("séries", in French).
This does not magically create conditions for a perfect design and building process. See for example https://theecologist.org/2016/sep/29/sizewell-b-and-27-other...
Planes aren't perfectly safe (my brother was killed when SR111 crashed in 1998 after failures).
Anyone preferring not to be exposed to a plane crash can abstain from travelling in planes. Anyone preferring not to be exposed to nuclear reactor boo-boos and hot waste has no real way to do so.
The failure points aren't always the aspects engineered by anyone related to airplane manufacture. Swiss Air 111 may have come down due to a fault/failure in wiring for its add-on entertainment system.
Not just tolerance of failure. Also strict incident investigations and reporting requirements, including for "near misses"; also a strong safety culture made possible by strong unions and strict seniority-based promotion rules; also...
Pilots can't get ahead by cutting corners, and (to a somewhat lesser extent) it's hard for maintenance people to be pressurised to sign off on unsafe work.
Indeed, but also no incentive for bypassing safety checks that are redundant most of the time (which is how you get the normalisation of deviance that eventually leads to catastrophe). Sometimes that's the right tradeoff.
All metrics are gameable. I think I once saw a study that suggested that every metric applied to professionals ended up having a net negative effect on actual productivity - by and large people understand their job and want to do it well, and while a metric may incentivise the few that don't, it also ends up distracting the majority.
I think we need to look at what France is doing. They seem to have a good safety culture as a society; 90% of their power is nuclear and has been for decades, and they've never had a serious accident. Other examples: they have also never had a serious high speed train accident. They seem to be able to build these things considerably cheaper than we are able to in Britain and way cheaper than you can in America. They are a first world country with equivalent living conditions to the UK, so unlike comparisons with China, where many people blame poor working conditions and under-regulation for cheapness, you can't make the same argument against France. By the way, I don't know if that's true about regulations in China (who does), but it is an argument that many people make that is a lot more easily refuted by just comparing with France instead.
Complex systems should be assumed to run in a partially broken state. Accidents are more things getting broken quicker than failsafes and operators can react to.
That’s not to say I like nuclear power - IMHO opportunity cost is too high. I could build, operate and decommission a renewable solar or wind plant in the time it takes to plan a new nuclear plant.
Part of the reason why some fault tolerance measures were neglected was because discussing backup plans was seen as a sign of weakness and were leveraged often by oppositions.
“You sound like you’re looking forward for some disaster coming with those plans” worked in Japan in those times. Still do to some extent.
I'm going to need some evidence of this claim, because it seems quite a bit counter to the timeline I'm familiar with.
Opposition to nuclear's safety did not start until well after construction had started on the US's reactors. And for nearly all US reactors, the utilities had already realized that they had over-ordered nuclear reactors in the 1970s, and that there were far too many construction delays and cost-overruns for nuclear to be cost effective.
This is detailed in a 1985 Forbes cover article, Nuclear Foibles, which is not anti-nuclear, but is withering about the mismanagement of nuclear in the US. Here's the only reprint I have found, which has a weird rant about Gore at the top that can be ignored:
The idea that designs from the early 1970s refused to plan for failure because of some theoretical opposition, when there was basically no opposition to our greatest period of building nuclear reactors, doesn't make much sense to me.
Sorry, I was trying to discuss the Japanese climate but my writing wasn't the best. As for the evidence, it's hard to find a well compiled list, but Fukushima did have a number of safety issues unaddressed for reasons other than budgetary causes.
The off-site center for disaster control built 5 km (3 mi) off site, effectively on-site; all backup generators being at basement levels; and the recently discovered issue of emergency vent lines terminating inside the containment building come to mind.
> The idea with airplanes is not "design this component so it cannot fail" but "design the system so it can tolerate component failure".
That's not true. Yes, a lot of systems on airplanes are redundant, but there are also plenty of "you die if this breaks", so we build it N times stronger than we can imagine it ever happening... also, teach pilots not to do things that would make that more possible. On a helicopter they have a single Jesus nut that if it breaks, the rotor is gone.
In rock climbing as well there is redundancy where there can be but some things are built strong to the point where under most foreseeable conditions the component will not break. (the most common dynamic ropes for lead climbing twins and half ropes aside, belay device, belay loop, belay carabiner, harness are all built for worst case without redundancy.)
> there are plenty of "you die if this breaks", so we build it N times stronger than we can imagine it ever happening
That's simply not true. Every component is redundant. Nothing is built "N" times stronger. The safety factor is 50% stronger than the maximum anticipated load.
(I worked for 3 years at Boeing designing flight critical systems for the 757.)
Is the Jesus nut redundant? Is the jackscrew nut for the elevator redundant? (One famously stripped and caused inverted flight for 30 min to try and save it, but it eventually crashed into the ocean.) They improved the design after that, but it's still one mechanism and one screw. There are simply no completely reliable planes and helicopters without some form of single point reliability being required.
> is the jackscrew nut for the elevator redundant?
Yes. (It's for the stabilizer, not the elevator.) First off, the jackscrew is hollow and has a rod running through the center to keep it together if it cracks through. Secondly, the nut rides on steel balls in grooves. If the nut cracks and all the balls fall out, there are solid ice scrapers attached to the nut at each end that fit in the grooves, but don't contact them under normal operation. The ice scrapers peel any ice off the grooves so it doesn't jam the nut. But the scrapers are also strong enough to hold the nut in place if the balls fall out.
This is on the 757. I don't know the setup on the McDonnell-Douglas bird that crashed due to nut failure, except it's a much older design. I don't know if it had the ice scrapers on it, for example.
BTW, the jackscrew is made by Saginaw Gear. It's made from the finest steel forging money can buy, and Saginaw has been making them for a long time and knows what they're doing.
After the first trim gearbox assembly arrived, Boeing's test group had the job of applying the ultimate load, 150%, to it to see if it would buckle, crack, or bend. The test guys told me they were going to bust it. They put a big old steel I-Beam pinned at one end and my poor little jackscrew gearbox pinned at the other end. A hydraulic ram was applied to the I-beam, and the test guy cranked up the pressure.
The I-beam bent into a bow.
HAHAHAHAHAHAHAHAHHAHAHAAA I love Saginaw Gear.
> There are simply no completely reliable planes and helicopters without some form of single point reliability being required.
Helicopters, you're right. They won't survive losing a blade. Planes, you're incorrect.
P.S. My very first assignment at Boeing was to determine the size of that jackscrew needed to carry the load. I panicked, and went to my lead engineer. He laughed, and said "you know how to do column buckling calculations, right?" I said yes, and he said go to it.
After 3 years of working on the gearbox I knew everything there was to know about it, including all the failure modes anyone could think of. I was also fortunate to have a couple of Boeing's best engineers mentoring me.
It's tolerant of random failure of individual components, yes, but the entire spar could fail under an overload condition. For this failure mode, the only way to ensure a suitably low failure rate is by setting an appropriate safety factor.
Redundancy protects against some failure modes (e.g. unrevealed fatigue cracking) but not overload, which is a common-mode failure that doesn't care about redundancy if the load is high enough. It becomes a matter of "probability of exceedance".
Electrical/mechanical systems are different and can usually be separated/segregated etc, but there is only one structure.
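The distinction drawn above, independent component failures that redundancy drives down versus a common-mode overload that redundancy cannot touch, can be made concrete with a small reliability model. The block below is an added example written for this thread, not code from any commenter; it assumes a 1-of-n redundant arrangement with independent, equally likely component failures, a normally distributed service load (a modelling assumption, not something the thread states), and the 150% ultimate-load safety factor mentioned elsewhere in the discussion. All numbers in it are constructed.

```python
import math

# Constructed figures for the illustration: the "maximum anticipated load" the
# structure is designed against, and a normal load distribution whose tail
# occasionally reaches past it (units are arbitrary).
MAX_ANTICIPATED_LOAD = 100.0
LOAD_MEAN = 60.0
LOAD_SD = 20.0
SAFETY_FACTOR = 1.5  # ultimate load = 150% of maximum anticipated load


def independent_failure_prob(p: float, n: int) -> float:
    """Probability that a 1-of-n redundant system loses every copy, given each
    copy fails independently with probability p (e.g. an unrevealed fatigue
    crack). Redundancy drives this down geometrically."""
    return p ** n


def normal_cdf(x: float, mu: float, sigma: float) -> float:
    """Cumulative probability of a normal(mu, sigma) variable being <= x."""
    return 0.5 * (1.0 + math.erf((x - mu) / (sigma * math.sqrt(2.0))))


def exceedance_prob(strength: float, mu: float = LOAD_MEAN, sigma: float = LOAD_SD) -> float:
    """Probability that a single applied load exceeds the given strength.
    This is the common-mode overload case: every copy sees the same load, so
    the result does not depend on how many redundant copies exist."""
    return 1.0 - normal_cdf(strength, mu, sigma)


def system_failure_prob(p: float, n: int, safety_factor: float = SAFETY_FACTOR) -> float:
    """Combine both failure modes for an n-fold redundant structure sized at
    safety_factor times the maximum anticipated load. Treats the two modes as
    independent events (a simplifying assumption)."""
    strength = safety_factor * MAX_ANTICIPATED_LOAD
    indep = independent_failure_prob(p, n)
    overload = exceedance_prob(strength)
    return 1.0 - (1.0 - indep) * (1.0 - overload)


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(f"n={n}: independent={independent_failure_prob(0.01, n):.2e} "
              f"overload={exceedance_prob(SAFETY_FACTOR * MAX_ANTICIPATED_LOAD):.2e} "
              f"system={system_failure_prob(0.01, n):.2e}")
    # Only the safety factor moves the overload term:
    print(f"overload at 1.0x: {exceedance_prob(1.0 * MAX_ANTICIPATED_LOAD):.2e}")
    print(f"overload at 1.5x: {exceedance_prob(1.5 * MAX_ANTICIPATED_LOAD):.2e}")
```

Running it shows the independent-failure term shrinking from 1e-2 to 1e-6 as copies are added while the overload term stays fixed for every n; the only lever on that term is the strength margin, which is exactly the point about "probability of exceedance" being set by the safety factor rather than by redundancy.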
There was a famous crash where the pilot flew through some wake turbulence and caused the tail to fall off by improper rudder inputs. At a certain point there is only one of something.
And it seems likely that with enough operating plant, there always will be engineering failures. Aeroplanes sometimes fail catastrophically too, of course.
Do they? I can't really recall an instance of catastrophic airplane failure over the last decade outside of 737 MAX certification / regulatory capture issues
I also think the amount of airplanes that exist is higher than the amount of nuclear reactors we'd need for it to be a strong power source, and I also suspect that airplanes face slightly more volatile conditions
It's a key example, and is the same failure mode nuclear power has.
Nuclear power could be engineered to be at least as safe as (most) commercial flight.
But it won't be - and this is absolutely predictable. Because of politics and money.
There is no answer to this, except to fix politics and money and make them as safe as commercial flight.
That's a whole different scale of problem to fixing climate change.
IMO this isn't a utopian fantasy, it's absolutely critical for species survival. But it doesn't look as if we're going to be starting the process any time soon.
Exporting the same problems to Mars or upload space or wherever won't solve them either.
Right, fair question. I read "engineering failures" above, so I want to highlight that this isn't so much an engineering failure as it is a capitalistic failure driven by incestuous relationships in US aerospace.
I do totally agree this is a real risk for any domain, especially energy which has so much money flowing, but I just don't think "engineering" is actually the issue which these things fail under
We don't have any technical defense against institutional failure. In some places and times there are cultural defenses, but those are often seen to erode.
The best defense is not to need any. There is much less need to defend against institutional failure in the case of renewables, because the technical failures to guard against have limited impact, well constrained in cost, time and space.
Honestly, I'm not well educated on Chernobyl's mode of failure or political incentive structures. I'd probably agree with your implication that if procedures can't be followed consistently/successfully then that is exactly an engineering failure, but as I said I do not know this circumstance.
Well sure. But while extremely rare is fine for aeroplanes, it's less clear that it's fine for nuclear reactors. So far we've been lucky that none of the big incidents have affected a major metropolitan area.
I'm not completely anti-nuclear. But it seems clear to me that it should be seen as a stepping-stone technology on the way to a renewables + storage future rather than a long-term solution.