[SystemSafety] The bomb again

Nancy Leveson leveson.nancy8 at gmail.com
Wed Oct 2 23:07:12 CEST 2013


John,

Whether atomic weapons are a deterrent is a legitimate and important
question to consider. But it is a different question from what is the risk
of unintended detonation. The latter can be used in the political science
discussion of deterrence, but I don't think deterrence figures in the basic
analysis of the risk of accidental detonation in terms of the engineering
techniques being used. That is all I am saying.

There are engineering protections against a disgruntled military technician
setting it off on purpose -- this is not something that engineers ignore.
Again, we need to consider the actual engineered design to determine
whether this is possible (outside of a Hollywood movie) or whether the
protection is adequate. Otherwise, we are engaged in uninformed
speculation.

I would be interested in a discussion here about the adequacy of the
engineering techniques being employed. They seem pretty strong to me, but I
may be wrong. Surprisingly, they are pretty well known. Safety is not
predicated on secrecy of the safety engineering approach. But pulling
probabilistic numbers out of the ether is not useful. To be useful, such
numbers must be based on the detailed design of the system. I suppose they
could be based on historical evidence, but I find those much less
compelling because we have limited experience.

Nancy


On Wed, Oct 2, 2013 at 4:41 PM, John Downer <johndowner2 at gmail.com> wrote:

> I don't have access to Nancy's book just now (I'm in an airport), although
> I will certainly take a look.
>
> In the broader sense though, It seems to me that if we restrict
> discussions of the atomic bomb to engineering specificities then we
> essentially give up the right to speak. I doubt that anybody on this list
> has access to the level of engineering detail about the current generation
> atomic weapons to speak meaningfully about the intricacies of their
> designs, (and I expect that anyone who did have access wouldn't be allowed
> to comment, except to give the kinds of reassurances that that
> bomb-authorities have given since the 1950s).
>
> More importantly, I think we miss something very significant if we only
> speak about design specificities. We live in a probabilistic world. If I
> remember correctly, the bomb described in the Guardian article had four
> redundant safety mechanisms, three of which failed and one of which almost
> failed. Any engineering analysis, I imagine, would have found that it was
> 'impossible' for it to detonate accidentally. But 'impossible' in this
> context always means something like "it would take an absolutely incredible
> confluence of failures for this thing to fail," which brings us back to
> probabilism. (Which is to say, I agree with Andrew's earlier observations
> about confidence.)
>
> Also, to focus exclusively on design, I think, is to forget that these are
> *socio*-technical systems, the safety of which is necessarily subject to
> (notoriously capricious and unquantifiable) human actions on all sorts of
> levels. It would be a shame to build the 'perfectly safe' bomb, only to
> have some disgruntled military technician with an evil cradling to set it
> off on purpose. It is important we consider our technologies in this
> broader light.
>
> I should point out that formerly top-secret DoD-sponsored studies have
> come to identical conclusions. Both about the need to understand the bomb's
> risks probabilistically, and about the way human concerns undermine any
> technical reassurances. (See, eg: Schlosser 2013: 190-5).
>
> To say that all non-design based discussions of the bomb are simply
> expressions of political views is misleading. It is certainly not
> impossible to argue that there is a credible risk of an accident with the
> bomb, but it is preferable to the risk of being nuked because we were
> unable to deter. People I respect believe this. I happen not to but I agree
> that this list might not be the place for such discussions. I apologize if
> it seemed like I was pushing a 'cause'.
>
>
>
>
> On Oct 2, 2013, at 1:41 PM, Nancy Leveson <leveson.nancy8 at gmail.com>
> wrote:
>
> This discussion would be a lot more useful if, as engineers, we commented
> on the actual design of the protection against accidental detonation of
> atomic bombs and whether that design is or is not flawed. I tried to bring
> it up earlier -- it is described in my Safeware book, pages 428-431. As far
> as I can determine, there is no way that a crash of an aircraft can lead to
> the detonation of a nuclear bomb. In the two crashes we know about, there
> was no detonation. Note that the detonation mechanism is kept in an
> inoperable state and there must be multiple indications of intent to
> detonate as well as the random generation of a unique signal (which has
> purposely defined to be of such information complexity that it will not be
> randomly generated in any credible environment).
>
> I certainly can be wrong and welcome *engineering" arguments about whether
> the protection scheme used is adequate, but not probabilistic statements
> that are not founded on the specific design of the device or are based on
> political views that have little to do with engineering.
>
> Nancy
>
>
> On Wed, Oct 2, 2013 at 9:43 AM, Matthew Squair <mattsquair at gmail.com>wrote:
>
>> John,
>>
>> The current US requirement for nuclear weapons safety during a crash is a
>> probabilty of one in a million of a premature nuclear detonation. I guess
>> that doesn't really qualify as 'practically nonexistent'.
>>
>> That being said, the nuclear weapons safety community has spent an awful
>> lot of time and money thinking about safety in the wake of such accidents
>> as Goldsboro, see their 3I principles for example, and I believe there
>> are broader architectural lessons that can be learned and transferred to
>> other domains.
>>
>> See the references in my post for further details.
>>
>>
>> http://criticaluncertainties.com/2010/03/21/lessons-from-nuclear-weapons-safety/
>>
>> Regards,
>>
>>
>> On Wednesday, 2 October 2013, John Downer wrote:
>>
>>>  Further to earlier discussions on the safety of the bomb (and courtesy
>>> of my former colleague Anne Harrington):
>>>
>>> From the Guardian: "US nearly detonated atomic bomb over North Carolina
>>> – secret document"
>>>
>>> "A secret document, published in declassified form for the first time by
>>> the Guardian today, reveals that the US Air Force came dramatically close
>>> to detonating an atom bomb over North Carolina that would have been 260
>>> times more powerful than the device that devastated Hiroshima.
>>>
>>> The document, obtained by the investigative journalist Eric Schlosser
>>> under the Freedom of Information Act, gives the first conclusive evidence
>>> that the US was narrowly spared a disaster of monumental proportions when
>>> two Mark 39 hydrogen bombs were accidentally dropped over Goldsboro, North
>>> Carolina on 23 January 1961. The bombs fell to earth after a B-52 bomber
>>> broke up in mid-air, and one of the devices behaved precisely as a nuclear
>>> weapon was designed to behave in warfare: its parachute opened, its trigger
>>> mechanisms engaged, and only one low-voltage switch prevented untold
>>> carnage."
>>>
>>>
>>> http://www.theguardian.com/world/2013/sep/20/usaf-atomic-bomb-north-carolina-1961
>>>
>>>
>>> For context, here's the official government assessment from 1960: "Stay
>>> Safe, Stay Strong: The Facts about Nuclear Weapons"
>>> http://archive.org/details/StaySafe1960
>>>
>>> My favorite bit is at minute 20:00:
>>>
>>> So how safe is a nuclear bomber coming in for a crash landing?
>>> "...the possibility of an accidental nuclear explosion is so small as to
>>> be practically nonexistent...you and your family may live in peace, free
>>> from the fear of nuclear accidents"
>>>
>>>
>>>
>>>
>>> ---------
>>>   Dr. John Downer
>>> SPAIS; University of Bristol.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> *Matthew Squair*
>> MIEAust CPEng
>>
>> Mob: +61 488770655
>> Email: MattSquair at gmail.com
>> Website: www.criticaluncertainties.com<http://criticaluncertainties.com/>
>>
>>
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety at TechFak.Uni-Bielefeld.DE
>>
>>
>
>
> --
> Prof. Nancy Leveson
> Aeronautics and Astronautics and Engineering Systems
> MIT, Room 33-334
> 77 Massachusetts Ave.
> Cambridge, MA 02142
>
> Telephone: 617-258-0505
> Email: leveson at mit.edu
> URL: http://sunnyday.mit.edu
>  _______________________________________________
> The System Safety Mailing List
> systemsafety at TechFak.Uni-Bielefeld.DE
>
>
>


-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson at mit.edu
URL: http://sunnyday.mit.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20131002/7d65f7e7/attachment.html>


More information about the systemsafety mailing list