Or not having your plant destroyed by the biggest Tsunami in recorded Japanese history, much larger than the size they planned for when they built the plant.
Or upgrading the seawall to the size mandated after scientists found out that Tsunamis of that size could actually happen, despite having no historical record of them. One of the reasons TEPCO was culpable.
A sister plant of the Fukushima plant actually survived a slightly higher crest and was even used as a shelter for Tsunami victims, because one engineer had insisted on the sea wall being higher.
German plants for example, despite facing no immediate Tsunami risks, have bunkered and distributed backup generators as well as mandatory hydrogen recombinators. Any German plant at the same location would have survived largely unscathed.
A larger seawall can still fail. Better to put the generators on a platform. Simple and cheap.
Another backup would have been a pipe leading away from the reactor, where one can, from a short distance, pump water into it and it would cool the reactor.
After SL-1 we realized that that we needed to allow a reactor to fully shut down even with the most important control rod stuck in a fully withdrawn position.
I used to work at Boeing on airliner design. The guiding principle is "what happens when X fails" and design for that. It is not "design so X cannot fail", as we do not know how to design things that cannot fail. For Fukushima, it is "what happens if the seawall fails", not "the seawall cannot fail".
Airliners are safe not because critical parts cannot fail, but because there is a backup plan for every critical part.
Venting explosive gas into the building seems like a complete failure to do a proper failure analysis.
>at Boeing on airliner design. The guiding principle is "what happens when X fails"...Airliners are safe not because critical parts cannot fail, but because there is a backup plan for every critical part.
And yet creating a culture that is vigilant and consistently applies due diligence is hard. To that point: Boeing identified the 737-Max MCAS as 'hazardous' in their analysis. Putting aside that 'catastrophic' was the more appropriate rating, they still did not appropriately design their system when that system failed. (By their own processes, 'hazardous' meant it should not be designed with single-point hardware failures)* That implies it is as much a human/cultural issue as a technical one.
* before any claims that the system was designed just fine because the pilots could have avoided the issue with the appropriate actions, those are administrative hazard mitigations which are generally considered less desirable than hardware fixes, especially when engineering mitigations are already installed but not used. Removing the hazard >> engineering controls >> administrative controls >> PPE. To the GPP point, hindsight is easy, managing risk, people, and processes is hard.
Check the previous note I left above with the * on why that is considered a poor mitigation.
Administrative procedures are bad mitigations in general but especially bad when a) it’s a safety critical issue and b) the hardware for an engineering mitigation is already installed. That’s like saying death could have been avoided if people would have just packed parachutes (PPE). Maybe true, but bad hazard mitigation.
I do understand your point, and the MCAS system needed improvement.
But still, dealing with runaway stabilizer trim is a basic thing every pilot needs to know. 1 crew did it, and proceeded normally and safely. Two other crews did not follow emergency procedures, and paid the ultimate price. After the first crash, Boeing sent around an Emergency Airworthiness Directive reiterating the procedure. The Egypt Air crew did not follow the procedure.
The reason the stab trim cutoff switch is prominent on the center console is because it is a very important switch.
I've also talked to 737 pilots and another who emailed me about it and confirmed that they considered those crashes as pilot error.
Nevertheless, I agree that the MCAS system was deficient.
Or not having your plant destroyed by the biggest Tsunami in recorded Japanese history, much larger than the size they planned for when they built the plant.
Or upgrading the seawall to the size mandated after scientists found out that Tsunamis of that size could actually happen, despite having no historical record of them. One of the reasons TEPCO was culpable.
A sister plant of the Fukushima plant actually survived a slightly higher crest and was even used as a shelter for Tsunami victims, because one engineer had insisted on the sea wall being higher.
German plants for example, despite facing no immediate Tsunami risks, have bunkered and distributed backup generators as well as mandatory hydrogen recombinators. Any German plant at the same location would have survived largely unscathed.