Re: [SystemSafety] The bomb again

From: Nancy Leveson < >
Date: Wed, 2 Oct 2013 17:07:12 -0400


John,

Whether atomic weapons are a deterrent is a legitimate and important question to consider. But it is a different question from what is the risk of unintended detonation. The latter can be used in the political science discussion of deterrence, but I don't think deterrence figures in the basic analysis of the risk of accidental detonation in terms of the engineering techniques being used. That is all I am saying.

There are engineering protections against a disgruntled military technician setting it off on purpose -- this is not something that engineers ignore. Again, we need to consider the actual engineered design to determine whether this is possible (outside of a Hollywood movie) or whether the protection is adequate. Otherwise, we are engaged in uninformed speculation.

I would be interested in a discussion here about the adequacy of the engineering techniques being employed. They seem pretty strong to me, but I may be wrong. Surprisingly, they are pretty well known. Safety is not predicated on secrecy of the safety engineering approach. But pulling probabilistic numbers out of the ether is not useful. To be useful, such numbers must be based on the detailed design of the system. I suppose they could be based on historical evidence, but I find those much less compelling because we have limited experience.

Nancy

On Wed, Oct 2, 2013 at 4:41 PM, John Downer <johndowner2_at_xxxxxx

> I don't have access to Nancy's book just now (I'm in an airport), although
> I will certainly take a look.
>
> In the broader sense though, It seems to me that if we restrict
> discussions of the atomic bomb to engineering specificities then we
> essentially give up the right to speak. I doubt that anybody on this list
> has access to the level of engineering detail about the current generation
> atomic weapons to speak meaningfully about the intricacies of their
> designs, (and I expect that anyone who did have access wouldn't be allowed
> to comment, except to give the kinds of reassurances that that
> bomb-authorities have given since the 1950s).
>
> More importantly, I think we miss something very significant if we only
> speak about design specificities. We live in a probabilistic world. If I
> remember correctly, the bomb described in the Guardian article had four
> redundant safety mechanisms, three of which failed and one of which almost
> failed. Any engineering analysis, I imagine, would have found that it was
> 'impossible' for it to detonate accidentally. But 'impossible' in this
> context always means something like "it would take an absolutely incredible
> confluence of failures for this thing to fail," which brings us back to
> probabilism. (Which is to say, I agree with Andrew's earlier observations
> about confidence.)
>
> Also, to focus exclusively on design, I think, is to forget that these are
> *socio*-technical systems, the safety of which is necessarily subject to
> (notoriously capricious and unquantifiable) human actions on all sorts of
> levels. It would be a shame to build the 'perfectly safe' bomb, only to
> have some disgruntled military technician with an evil cradling to set it
> off on purpose. It is important we consider our technologies in this
> broader light.
>
> I should point out that formerly top-secret DoD-sponsored studies have
> come to identical conclusions. Both about the need to understand the bomb's
> risks probabilistically, and about the way human concerns undermine any
> technical reassurances. (See, eg: Schlosser 2013: 190-5).
>
> To say that all non-design based discussions of the bomb are simply
> expressions of political views is misleading. It is certainly not
> impossible to argue that there is a credible risk of an accident with the
> bomb, but it is preferable to the risk of being nuked because we were
> unable to deter. People I respect believe this. I happen not to but I agree
> that this list might not be the place for such discussions. I apologize if
> it seemed like I was pushing a 'cause'.
>
>
>
>
> On Oct 2, 2013, at 1:41 PM, Nancy Leveson <leveson.nancy8_at_xxxxxx > wrote:
>
> This discussion would be a lot more useful if, as engineers, we commented
> on the actual design of the protection against accidental detonation of
> atomic bombs and whether that design is or is not flawed. I tried to bring
> it up earlier -- it is described in my Safeware book, pages 428-431. As far
> as I can determine, there is no way that a crash of an aircraft can lead to
> the detonation of a nuclear bomb. In the two crashes we know about, there
> was no detonation. Note that the detonation mechanism is kept in an
> inoperable state and there must be multiple indications of intent to
> detonate as well as the random generation of a unique signal (which has
> purposely defined to be of such information complexity that it will not be
> randomly generated in any credible environment).
>
> I certainly can be wrong and welcome *engineering" arguments about whether
> the protection scheme used is adequate, but not probabilistic statements
> that are not founded on the specific design of the device or are based on
> political views that have little to do with engineering.
>
> Nancy
>
>
> On Wed, Oct 2, 2013 at 9:43 AM, Matthew Squair <mattsquair_at_xxxxxx >
>> John,
>>
>> The current US requirement for nuclear weapons safety during a crash is a
>> probabilty of one in a million of a premature nuclear detonation. I guess
>> that doesn't really qualify as 'practically nonexistent'.
>>
>> That being said, the nuclear weapons safety community has spent an awful
>> lot of time and money thinking about safety in the wake of such accidents
>> as Goldsboro, see their 3I principles for example, and I believe there
>> are broader architectural lessons that can be learned and transferred to
>> other domains.
>>
>> See the references in my post for further details.
>>
>>
>> http://criticaluncertainties.com/2010/03/21/lessons-from-nuclear-weapons-safety/
>>
>> Regards,
>>
>>
>> On Wednesday, 2 October 2013, John Downer wrote:
>>
>>> Further to earlier discussions on the safety of the bomb (and courtesy
>>> of my former colleague Anne Harrington):
>>>
>>> From the Guardian: "US nearly detonated atomic bomb over North Carolina
>>> secret document"
>>>
>>> "A secret document, published in declassified form for the first time by
>>> the Guardian today, reveals that the US Air Force came dramatically close
>>> to detonating an atom bomb over North Carolina that would have been 260
>>> times more powerful than the device that devastated Hiroshima.
>>>
>>> The document, obtained by the investigative journalist Eric Schlosser
>>> under the Freedom of Information Act, gives the first conclusive evidence
>>> that the US was narrowly spared a disaster of monumental proportions when
>>> two Mark 39 hydrogen bombs were accidentally dropped over Goldsboro, North
>>> Carolina on 23 January 1961. The bombs fell to earth after a B-52 bomber
>>> broke up in mid-air, and one of the devices behaved precisely as a nuclear
>>> weapon was designed to behave in warfare: its parachute opened, its trigger
>>> mechanisms engaged, and only one low-voltage switch prevented untold
>>> carnage."
>>>
>>>
>>> http://www.theguardian.com/world/2013/sep/20/usaf-atomic-bomb-north-carolina-1961
>>>
>>>
>>> For context, here's the official government assessment from 1960: "Stay
>>> Safe, Stay Strong: The Facts about Nuclear Weapons"
>>> http://archive.org/details/StaySafe1960
>>>
>>> My favorite bit is at minute 20:00:
>>>
>>> So how safe is a nuclear bomber coming in for a crash landing?
>>> "...the possibility of an accidental nuclear explosion is so small as to
>>> be practically nonexistent...you and your family may live in peace, free
>>> from the fear of nuclear accidents"
>>>
>>>
>>>
>>>
>>> ---------
>>> Dr. John Downer
>>> SPAIS; University of Bristol.
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>
>> --
>> *Matthew Squair*
>> MIEAust CPEng
>>
>> Mob: +61 488770655
>> Email: MattSquair_at_xxxxxx >> Website: www.criticaluncertainties.com<http://criticaluncertainties.com/>
>>
>>
>>
>> _______________________________________________
>> The System Safety Mailing List
>> systemsafety_at_xxxxxx >>
>>
>
>
> --
> Prof. Nancy Leveson
> Aeronautics and Astronautics and Engineering Systems
> MIT, Room 33-334
> 77 Massachusetts Ave.
> Cambridge, MA 02142
>
> Telephone: 617-258-0505
> Email: leveson_at_xxxxxx > URL: http://sunnyday.mit.edu
> _______________________________________________
> The System Safety Mailing List
> systemsafety_at_xxxxxx >
>
>

-- 
Prof. Nancy Leveson
Aeronautics and Astronautics and Engineering Systems
MIT, Room 33-334
77 Massachusetts Ave.
Cambridge, MA 02142

Telephone: 617-258-0505
Email: leveson_at_xxxxxx
URL: http://sunnyday.mit.edu



_______________________________________________ The System Safety Mailing List systemsafety_at_xxxxxx
Received on Wed Oct 02 2013 - 23:07:22 CEST

This archive was generated by hypermail 2.3.0 : Sun Apr 21 2019 - 02:17:05 CEST