Brittle Power- PARTS 1-3 (+Notes) - Natural Capitalism Solutions
12.07.2015
178 National Energy Security

predicted, for example, a failure rate of one per ten thousand missions in the fourth-stage Apollo engine, but the actual rate was about four per hundred. This was not because the analysts were not clever or did not try hard to think of all possible failures; it is because it was simply beyond human ingenuity to think of all possible failure modes. Likewise, about twenty percent of the Apollo ground test failures and over thirty-five percent of the in-flight failures were of types not considered credible until they happened.[4] (Using the same methods which had failed to foresee so many aerospace failures, the Rasmussen Report a decade later did not predict as credible the accidents which still later occurred at Browns Ferry and Three Mile Island.)

The sheer number of possibilities that must be examined makes such analyses intractable. To make it possible to obtain any answer at all, the analysts must severely truncate their work. They must decide to neglect as “insignificant” a very large number of failure modes that they do not have time to study in detail. Unfortunately, even though each of those failures may be unlikely by itself, there are so many of them that they can be collectively very important—they may even be the main source of failures. Thus in space rockets as in reactors, most serious failures actually follow one or another of these unexamined, “insignificant” sequences of events.

Another reason such analyses omit many actual causes of failure is that they assume complete knowledge of what the system is and how it works. Design or fabrication errors which have not yet been discovered cannot be taken into account. Yet such errors caused a large fraction of the test failures in the Atlas missile program, about half the safety recalls of seven million U.S. cars in 1973, and a significant fraction of reactor mishaps. A recent review of thirty-two major accidents in reactors, aircraft, ships, trains and so forth noted pervasive gaps in knowledge about what the failure modes were; how important and likely each one was; how serious its consequences would be; what could cause it; what physical phenomena could occur during the failure; and how it could interact with operating and maintenance errors, the random failure of several components at once, and external events.[5] Thus both gaps in knowledge about how a complex system works and lack of ability to foresee every way it can fail require that precautions against failure be general enough to prevent failure modes that cannot be specifically identified in advance. Such precautions must embody resilience in the design philosophy, not merely reliability in the design details.

As highly improbable failures in all kinds of engineered systems illustrate every year, every kind of large-scale failure which is physically possible will occur sooner or later. As time passes, various combinations of circumstances will occur until one fatal to the system happens to turn up. So many “vanishingly improbable” failures are possible that one or another of them is quite
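The truncation argument above (analysts keep the failure modes they have time to study and neglect the rest as “insignificant”, yet the neglected tail can be the main source of failures) can be made concrete with a small probabilistic model. The following Python is an added example, not code or data from Brittle Power: it builds a constructed system with a few well-studied major modes and a long tail of individually rare ones, applies a screening threshold the way a truncated fault-tree analysis would, and compares the analyst's estimate with the full union probability. The mode counts, probabilities and threshold are assumed values chosen for illustration.

```python
# Added example (not from Brittle Power): a toy model of the truncation step the
# text describes. An analyst keeps only failure modes whose probability is at or
# above a screening threshold; everything below it is neglected as "insignificant".
# All numbers below are constructed for illustration, not data from the book.
from math import prod


def any_failure_probability(mode_probs):
    """Probability that at least one of the given independent failure modes occurs.

    P(at least one) = 1 - prod(1 - p_i): the union over the modes, which is what a
    complete fault-tree top event would account for.
    """
    return 1.0 - prod(1.0 - p for p in mode_probs)


def truncated_analysis(mode_probs, threshold):
    """Compare a truncated analysis with the full one.

    Returns a dict with:
      estimated          - failure probability from the studied modes only
      actual             - failure probability from all modes
      neglected_share    - fraction of the actual failure probability that comes
                           from modes the analyst never examined
      studied, neglected - counts of modes in each group
    """
    studied = [p for p in mode_probs if p >= threshold]
    neglected = [p for p in mode_probs if p < threshold]
    estimated = any_failure_probability(studied)
    actual = any_failure_probability(mode_probs)
    # Contribution of the neglected modes alone, as a share of the real total.
    neglected_only = any_failure_probability(neglected)
    return {
        "estimated": estimated,
        "actual": actual,
        "neglected_share": neglected_only / actual if actual else 0.0,
        "studied": len(studied),
        "neglected": len(neglected),
    }


def constructed_modes(n_major=5, p_major=1e-4, n_minor=5000, p_minor=1e-6):
    """A constructed system: a handful of well-understood major modes and a long
    tail of individually rare ones (the kind an analyst cannot study in detail)."""
    return [p_major] * n_major + [p_minor] * n_minor


def underestimation_factor(threshold=1e-5):
    """How many times too optimistic the truncated estimate is for the constructed
    system. With the defaults the neglected tail dominates: roughly 11x."""
    result = truncated_analysis(constructed_modes(), threshold)
    return result["actual"] / result["estimated"]


if __name__ == "__main__":
    r = truncated_analysis(constructed_modes(), threshold=1e-5)
    print(f"studied {r['studied']} modes, neglected {r['neglected']}")
    print(f"truncated estimate: {r['estimated']:.2e}  actual: {r['actual']:.2e}")
    print(f"share of real risk in neglected modes: {r['neglected_share']:.0%}")
    print(f"underestimation factor: {underestimation_factor():.1f}x")
```

With the constructed defaults the five studied modes give an estimate near 5 × 10⁻⁴, while the full system fails with probability near 5.5 × 10⁻³; about ninety percent of the real risk sits in modes the screening threshold discarded. The model assumes independence, which is generous to the analyst: common-cause couplings of the kind the text goes on to discuss (operator error, simultaneous component failures, external events) only widen the gap.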
