by jriley 3380 days ago
As a counterpoint, zero defect policies could be harmful. If everyone must take a test and score 100% or otherwise end their career, shenanigans happen.
4 comments

> As a counterpoint, zero defect policies could be harmful. If everyone must take a test and score 100% or otherwise end their career, shenanigans happen.

It's not a counterpoint, it's a consideration when designing the system. Taking this into account, the system must still function 100% of the time. If what you describe did happen, then the cause of failure would shift somewhat from the officers to the designers, but the system still failed (however, one must question the judgment and character of anyone who cheats on a nuclear weapons launch qualification test, no matter how hard it is).

Right. A system can function at (effectively) 100% correctness being composed of individuals who are not 100% perfect (because nobody is).

If 1 person is 99.99% correct, how correct are 3 people when consensus is required to make a decision? 5? It's just math.

You can only 'do the math' if you assume uncorrelated errors and no unanticipated or emergent failure modes.
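The arithmetic the two comments above disagree about, as an added worked example (not from the thread, and not any poster's code): a k-of-n approval gate under independent errors versus the same gate with a shared cause that makes everyone wrong at once. The per-person error rate p = 1e-4 (the "99.99% correct" figure), the 1e-6 common-cause rate q, and the acceptance targets are assumed illustrative values.

```python
"""Consensus-gate error arithmetic: independent errors vs. a common cause.

Added illustration for the discussion above. p (per-person error rate),
q (probability of a shared cause that fools everyone) and the targets are
assumed values chosen to match the 99.99% figure in the thread, not data.
"""
from math import comb


def independent_gate_fail(p: float, n: int, k: int) -> float:
    """P(at least k of n people are wrong at the same time), each wrong with
    probability p, errors independent.  For a k-of-n approval gate this is the
    chance the gate approves something it should have refused."""
    return sum(comb(n, i) * p**i * (1 - p) ** (n - i) for i in range(k, n + 1))


def common_cause_gate_fail(p: float, n: int, k: int, q: float) -> float:
    """Same gate, but with probability q a shared cause (one bad sensor feed,
    one flawed procedure everyone trained on, one forged order) makes every
    participant wrong together.  The rest of the time errors are independent.
    Note the result can never drop below q, however large n gets."""
    return q + (1 - q) * independent_gate_fail(p, n, k)


def legit_blocked(p: float, n: int, k: int) -> float:
    """Availability cost of the gate: P(a correct decision is refused), i.e.
    at least n-k+1 participants wrongly decline.  Adding signers lowers the
    unauthorized-approval rate but raises this number."""
    return independent_gate_fail(p, n, n - k + 1)


def people_needed(p: float, target: float, q: float = 0.0):
    """Smallest n for which an all-must-agree gate (k = n) fails with
    probability <= target.  Returns None when the common-cause floor q alone
    exceeds the target: no number of extra signatures can help there."""
    assert 0.0 < p < 1.0, "per-person error rate must be a proper probability"
    if q >= target:
        return None
    n = 1
    while common_cause_gate_fail(p, n, n, q) > target:
        n += 1
    return n


def report(p: float = 1e-4, q: float = 1e-6, n: int = 3) -> dict:
    """Side-by-side numbers for the thread's 3-of-3 case (assumed values)."""
    return {
        "independent_3_of_3": independent_gate_fail(p, n, n),
        "with_common_cause": common_cause_gate_fail(p, n, n, q),
        "legit_decision_blocked": legit_blocked(p, n, n),
        "signers_for_1e-11_independent": people_needed(p, 1e-11),
        "signers_for_1e-11_with_q": people_needed(p, 1e-11, q),
    }


if __name__ == "__main__":
    for name, val in report().items():
        print(f"{name:>30}: {val if isinstance(val, (int, type(None))) else f'{val:.3e}'}")
```

With independent errors three signers take the unauthorized-approval rate from 1e-4 to 1e-12, which is the "just math" claim. A common cause at 1e-6 puts a floor under that number that no count of signers removes, and the same three signers already refuse about 3e-4 of legitimate decisions; that pair of numbers is the trade the later comment about 15-40 minutes of warning is really about.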
Right... except that when you're playing with a few things, like engineered plagues, or nuclear weapons... you need to be perfect.

If you can't be, then for fuck's sake, let the perfect be the enemy of the good!!

If your system requires 100% perfection from all of its subcomponents, it is a shitty, fragile system. Robust systems can be made of parts with known failure rates.
This this this. I really see this as the core of my job, career even. Build reliable systems out of unreliable parts. Hardware fails, software has bugs, people have bad days. Yet we still make insanely reliable stuff.

Until you actually launch the missile, it should be ok to do nothing.

People will invariably fuck up. The system needs affordances to handle those inevitabilities. Ideally a drunk commander shouldn't matter, or matter much anyway.

Accidentally launching a missile is pretty hard and I'm confident that we have enough safeguards against that. I'm not so sure we have enough safeguards against terrorists stealing nuclear weapons (or the essential components for making one). You only need somebody with motive and motivation, and a mistake by a pair of truck drivers. It's fairly hard to make a reliable system out of that failure mode.

A friend worked with that kind of transportation in the 80s. At the time it wasn't 2 truck drivers. Perhaps 30 people with lead and follow cars. IIRC, most were US marshals, everyone was armed. The trailer was a rolling fortress. Security was probably much better in the Cold War. My friend had a story about a truck hitting some ice, and tipping over. They had prepared for many contingencies and had it handled in a few hours. The only person who noticed something was up was another truck driver who stopped to help. He was confused that the trailer didn't tear itself apart, but didn't make a big deal out of it.

Not cheap. But likely pretty reliable.

Perhaps without the Russian villains the system has atrophied. Stories like that make me think it can work, but perhaps require a bit more wherewithal to maintain it.

The Wiki entry[0] for the secure trucks reads like some kind of Tom Clancy fiction. They allegedly have automated weapons systems that will kill attackers even after all defenders become casualties.

[0] - https://en.wikipedia.org/wiki/Safeguards_Transporter

https://en.wikipedia.org/wiki/List_of_nuclear_close_calls

http://www.ucsusa.org/nuclear-weapons/hair-trigger-alert/clo...

https://www.theguardian.com/world/2013/sep/20/usaf-atomic-bo...

It's such a complex network of systems and people and policies; all of which is constantly in flux. All of which has to yield a perfect result, every time. You can argue about robust systems, but the reality is that these systems are far from robust.

Look at what happened when the USSR collapsed for god's sake! We're still cleaning that up.

Very much this: A system should be designed with the mindset that the user won't be at 100%. Especially this, weirdly - because in a time of crisis, folks might not be at 100% even though they should be.

It's why some things just won't work unless put together just right - to account for people's mistakes. It'd make sense for a submarine to refuse to dive if the seals aren't sealed, for example. I'd think there would be something that could be applied even for this.

That sounds very good, but now here are your real-world constraints.

You have a network of detection systems which give you (optimistically) 15-40 minutes of warning before everything and everyone you've ever known and cared about ends. In that time you have to make the decision to launch a counter-attack. Your decision needs to be something which can be rapidly acted upon, but also needs to be something that absolutely cannot be interfered with by any adversary launching the first strike. If you delay, your ability to counterattack will be forever lost. If you're wrong, you'll be setting off Armageddon.

Now... describe how you make that work.

Perimetr, the Russian system, is one solution. The USSR decided not to go for launch on warning. Their plan is that, when things get tense, they activate Perimeter. This is sometimes called "The Dead Hand". If the system was enabled, detected nuclear explosions, and there was no way to communicate with higher authority, it would automatically release weapons control to some lower level of authority. Even then, it's not auto launch; there are people in bunkers somewhere who have to make that decision.

Part of the rationale is that this didn't give the leadership of the USSR direct launch authority. They could enable the system, but that didn't cause a launch. It took H-bombs on Moscow plus an enabled system to do that. This provided a safeguard against the leadership going nuts.

The US should have an interlock like that.

...Have you seen Dr. Strangelove?
In theory sure, but point me to the long-term practice of making it actually work. In practice, nuclear weapons have been subject to obvious and critical fuck-ups.

You also have a problem with precision. A test with a 100% pass threshold is a really poor estimator of an underlying failure rate; at best it can bound it, but you really do care about the precise underlying odds of failure.

What you're mentioning was part of (1) above -- the high required score on the frequent tests given to launch officers led to cheating.