A diatribe on design -- engineering design in this case -- and why I am
annoyed every time the design profession stands back and says, we could have
done it better.
It is extremely difficult to design for the rare event, very extremely
difficult to design for the barely imaginable event, and not possible to
design for the completely unexpected event.
I have been involved in the risk assessment of nuclear power plants (years
ago, after Three Mile Island, but when the US thought it was still building
them). The engineers do an extremely thorough analysis. The plants I looked
at considered pipe ruptures, pump failures, bombs, airplanes hitting the
buildings, including the reactor buildings, earthquakes, and on and on and
on. Everything had backups. If the probability of a pump failing is 1/1000,
then if there is an independent backup pump, in theory the chance that both
will fail is 1/million.
In Japan, where the plants are very similar to American ones, there was a
backup electrical generator (probably also a second backup), batteries, and
then a way of connecting other sources of power into the system.
The danger of overheating when cooling fails is so well known that there are
multiple redundant systems.
------
I won't even speak of the design of the control rooms, which is usually where
the weaknesses lie, but that is another story and as far as has been stated
so far, not relevant to the Japanese issue.
-----
One problem that is really difficult to address is unexpected issues. In
this case, the tsunami was far greater than anyone had ever dreamed. Yes,
there was a sea wall, but it wasn't high or strong enough. But the tsunami
was considered rare (although possible) and that is why they built the wall:
the wall was supposed to contain it. The earthquake caused the reactor to
shut down (precisely as planned). However, the reactor supplies the electric
power for the plant, so the generators kicked in. Oops, the tsunami swept in
and swamped the generators, swept away the large stockpile of extra fuel,
and flooded the switching room. The batteries kicked in as designed, but
they were only designed to last about 8 hours, which had been determined to
be more time than was needed to bring in an extra source of power. That was
true, except that in this case, because the switching room was flooded, they
couldn't hook up the extra power.
In the accident field, this is called a "common cause" failure, and it is
the most difficult to predict. One single cause knocked out all the
backups. A number of major accidents in numerous endeavors have been
attributed to this problem, where so-called independent systems all failed
at the same time because of a single underlying cause. (Once, all the
control wires for the independent backup systems went through the same hole
in the wall, so when there was a fire, they all were destroyed. Or there was
a DC-10 incident in which a loss of pressure incident destroyed the part of
the airplane where the pipes for three redundant hydraulic systems were
placed.)
Now, in retrospect, there are lots of things that could have been designed
into the system to prevent the escalating problems. But in retrospect,
everything is obvious. After all, we know what happened, so we can think of a
dozen ways to have helped.
Beforehand, nothing is obvious. One of my favorite scientific papers is
entitled "Hindsight =/= (not equal to) Foresight". That paper is cited in
Design of Everyday Things, which means this has been known for over two
decades. It won't stop designers from saying they could have done better or
enquiry commissions from blaming the engineering designers.
I sympathize with the Japanese.
====
I am also rather annoyed at the design profession, a profession that largely
lacks any technical background, neither engineering nor social sciences
(yes, with notable exceptions), thinking that somehow or other design can
cure all of the world's ailments: hunger, war, poverty, medical care, and
now, the extreme difficulties in Japan.
These are really difficult problems, involving a lot of guesses, a lot of
unknowns, designing something that has to last for half a century, and
designing it to withstand all sorts of known dangers and failures, and then
being blamed for not considering the unknown ones.
What is the lesson to be learned here? Humility. Nature always trumps
technology.
Yes, we must do careful studying of the incident to make sure this one can
never happen again. (See Petroski's many books on this topic -- engineering
advances through its failures.)
Of course the next major event will be some new, unexpected combination of
issues. And people will be blamed for not foreseeing them.
Don
Don Norman
Nielsen Norman Group
KAIST (Daejeon, S. Korea)
www.jnd.org
http://www.core77.com/blog/columns/
Latest book: "Living with Complexity <http://www.jnd.org/books.html#608>"
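The probability reasoning in the post (independent backups multiply to 1/million; a common cause knocks every backup out at once) can be written as a small AND-gate fault-tree evaluator. This is an added example, not code from the post or from any plant analysis; the component and flood probabilities are constructed assumptions chosen only to show the effect.

```python
from itertools import product

def p_all_backups_fail(components, common_causes):
    """Probability that every backup in an AND-gate fault tree fails.

    components: {name: on-demand failure probability, assumed independent}
    common_causes: {name: (probability, set of component names it disables)}
    Enumerates every occur/not-occur pattern of the common causes (2**k terms);
    within one pattern, components not disabled by an occurring cause fail
    independently, so the 1/1000 x 1/1000 reasoning from the post applies.
    """
    causes = list(common_causes.items())
    total = 0.0
    for pattern in product((False, True), repeat=len(causes)):
        weight = 1.0
        disabled = set()
        for (_, (prob, victims)), occurs in zip(causes, pattern):
            weight *= prob if occurs else 1.0 - prob
            if occurs:
                disabled |= victims
        for comp, p_fail in components.items():
            weight *= 1.0 if comp in disabled else p_fail
        total += weight
    return total

# Constructed illustrative numbers (assumptions, not figures from the post).
# The batteries are deliberately not an AND-gate input: they only bridge a
# fixed window, so they cannot prevent a prolonged loss once external power
# cannot be connected through the flooded switching room.
BACKUPS = {"generator_A": 1e-3, "generator_B": 1e-3, "external_hookup": 1e-3}

def independent_estimate():
    """The textbook figure: three independent layers, 1e-3 each."""
    return p_all_backups_fail(BACKUPS, {})

def common_cause_estimate(p_flood=1e-4):
    """Same tree with one flood event that takes out the generators and the
    switching room together; the result is dominated by p_flood."""
    flood = {"flood": (p_flood, {"generator_A", "generator_B", "external_hookup"})}
    return p_all_backups_fail(BACKUPS, flood)

def amplification(p_flood=1e-4):
    """How many times larger the common-cause estimate is than the independent one."""
    return common_cause_estimate(p_flood) / independent_estimate()

if __name__ == "__main__":
    print(f"independent: {independent_estimate():.3e}")
    print(f"with shared flood: {common_cause_estimate():.3e}")
    print(f"amplification: {amplification():.1e}x")
```

With these assumed numbers the independent estimate is about 1e-9, while a flood with probability 1e-4 that is shared by generators and switching room pushes the total to about 1e-4, five orders of magnitude worse; the independent analysis is not wrong, it simply never contained the shared cause.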