Designs

Disclaimer: especially here, the opinions presented are fully subjective, you have been warned!

Control

A strong safety policy has been implemented, right! Is the situation as safe as it could be? It depends… on the design of the machines used. The best policy will remain weak if the machines are hazardous. It should be part of the policy to use safe machines, or to redesign them until they are safe. In practice, strategic constraints can lead an organization to choose a suboptimal solution and compensate for it with superstrong procedures and supersafe precautions, and it works most of the time. But we know human nature and how often we make mistakes. Somewhere a Lufthansa study states that professional pilots make one mistake every hour… What happens when control is totally lost?

This is where inherent or passive safety comes into play. A design, machine or procedure with that feature will cope even when nobody is there to control it, or when the means of control (like electricity) are lost. Such a design, machine or procedure will stop in the best case, or go on at a slow, safe pace, leaving time for repair or intervention until the problem is solved. The opposite of inherent safety, when everything gets worse upon loss of control, can be called failure by design.

Stability

Usually a stable process favors safety, because it stays in a reasonable configuration when control is lost. So far this is intuitive: a stable process is sturdy, an unstable one is unsafe. Stability helps weak and slow humans keep up, or takes over when humans are away. For instance, airplanes have a stabilizer, the small horizontal wings on the tail that keep the aircraft balanced in flight around the pitch axis; without it they would tumble at once.

On the contrary, an unstable process diverges when control is lost. However, instability can be managed to some extent (think of riding a bicycle). You can try to keep a vertical ruler balanced on your finger: the longer the ruler, the easier it becomes, because it falls more slowly. A computer is quicker than a human and can create “artificial stability”. The crucial criterion is thus the instability rate: how fast the process diverges compared with how fast the controller reacts. But in any case, some intelligence must keep the balance for the outcome to stay acceptable.
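The two ideas above (a stable process needs nobody, an unstable one can be held only if the controller is fast enough for its instability rate) can be made concrete with a toy simulation. This is an added example, not part of the original page: the process model x' = a·x + u, the step size, the safety limit and the proportional controller with a reaction delay are all constructed assumptions.

```python
"""Stable vs unstable process, with and without a controller.

Added example; toy model constructed for this page, not taken from it.
Deviation x from the safe operating point follows x' = a*x + u:
  a < 0  the process is self-stabilizing (returns to 0 on its own),
  a > 0  the process is unstable and a is its instability rate.
u is the corrective action; the controller observes x with a reaction
delay, like a human (or a computer) with some latency.
"""
from collections import deque

DT = 0.001        # integration step, seconds (constructed)
LIMIT = 1.0       # deviation beyond which the state is unsafe (constructed)


def time_to_limit(a, x0=0.01, t_max=60.0):
    """Seconds until |x| reaches LIMIT with nobody controlling (u = 0).

    Returns None if the deviation never reaches the limit within t_max:
    that is the stable case, where losing control is harmless.
    """
    x, t = x0, 0.0
    while t < t_max:
        if abs(x) >= LIMIT:
            return t
        x += DT * a * x
        t += DT
    return None


def controlled_stays_safe(a, gain, reaction_delay, x0=0.01, t_end=20.0):
    """Proportional controller u = -gain * x(t - reaction_delay).

    Returns True if |x| stays below LIMIT for t_end seconds, i.e. the
    controller creates 'artificial stability' despite its latency.
    """
    n_delay = int(round(reaction_delay / DT))
    # history[0] is the value the controller sees now: x from n_delay steps ago
    history = deque([x0] * (n_delay + 1), maxlen=n_delay + 1)
    x, t = x0, 0.0
    while t < t_end:
        u = -gain * history[0]
        x += DT * (a * x + u)
        history.append(x)
        if abs(x) >= LIMIT:
            return False
        t += DT
    return True


def max_controllable_rate(gain, reaction_delay, step=0.5, a_max=20.0):
    """Largest instability rate (scanned in steps of `step`) this controller holds.

    Returns None if even a neutral process (a = 0) escapes.
    """
    best, a = None, 0.0
    while a <= a_max:
        if not controlled_stays_safe(a, gain, reaction_delay):
            break
        best = a
        a += step
    return best


if __name__ == "__main__":
    print("self-stabilizing, control lost:", time_to_limit(-1.0))
    print("slow divergence (a=0.1):", time_to_limit(0.1))
    print("fast divergence (a=10):", time_to_limit(10.0))
    for delay in (0.05, 0.1, 0.2):
        print(f"reaction delay {delay:.2f}s, gain 10 -> max rate held:",
              max_controllable_rate(10.0, delay))
```

`time_to_limit` is the "time for repair or intervention" of the Control section: for a stable process it is unbounded, for an unstable one it shrinks as the rate grows (the short ruler). `max_controllable_rate` shows the other half of the argument: the same controller holds a fast process when it reacts quickly, and cannot hold even a neutral one once its reaction delay is too long, so what matters is the instability rate relative to the controller's speed.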

Counterexample

Now you may be surprised, but most nuclear plants operating around the world in 2020 are unstable… Their control loops, procedures, back-up devices, the staff and its training are really efficient, almost always. Yet the collective memory recalls three major accidents: Harrisburg (Three Mile Island) in 1979, Chernobyl in 1986 and Fukushima in 2011. For some reason, at some point, the controllers lost their means of action and the nuclear reactions went on until the fuel was spread enough to stop the process. You cannot fight against the laws of physics. More issues here.

Example

Such massive failures can be avoided, as other, passively safe designs exist. The Molten Salt Reactor (MSR) shown in the panel above includes a crucial device: the freeze plug. The idea is that a hot fluid circulates through the whole circuit. As long as the plug is actively kept frozen, the reactor operates as planned. When control, electricity or any critical function is lost, the plug melts, the fluid is dumped into tanks below, cools down and the nuclear reactions stop immediately. The system failure (the normal error) has been foreseen in the design and mitigated. More proposals here.
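The freeze plug is the textbook shape of inherent safety as defined in the Control section: the safe state needs no command and no energy, while the operating state needs both. The small simulation below, added here and not taken from the page or from any MSR design, contrasts that with a "failure by design" reactor whose shutdown is a command that must still get through after control is lost. The thermal model, the temperatures and the 30-second melt time are constructed numbers.

```python
"""Fail-safe (freeze plug) versus failure by design, as a small simulation.

Added example, not from the original page; all numbers are constructed.
Both reactors share a crude thermal model and differ only in what
happens once the control function (power, operators, signals) is gone.
"""
from dataclasses import dataclass

SETPOINT = 600.0        # normal core temperature, arbitrary units (constructed)
MAX_SAFE_TEMP = 900.0   # above this the core is damaged (constructed)
MELT_SECONDS = 30       # plug survives this long without active cooling (constructed)


@dataclass
class Core:
    """Shared thermal model: held at SETPOINT while controlled, drifting up otherwise."""
    temp: float = SETPOINT
    reacting: bool = True   # fuel in the core and fissioning

    def tick(self, control_alive: bool) -> None:
        if not self.reacting:
            self.temp = max(20.0, self.temp - 5.0)      # no heat source, it cools down
        elif control_alive:
            self.temp += 0.5 * (SETPOINT - self.temp)   # control loop holds the setpoint
        else:
            self.temp += 1.0                            # nobody removes the excess heat


@dataclass
class FreezePlugReactor(Core):
    """Passively safe: the plug stays frozen only while something actively cools it."""
    uncooled_seconds: int = 0

    def tick(self, control_alive: bool) -> None:
        self.uncooled_seconds = 0 if control_alive else self.uncooled_seconds + 1
        if self.uncooled_seconds >= MELT_SECONDS:
            self.reacting = False   # plug melts, fuel drains to the tanks, reaction stops
        super().tick(control_alive)


@dataclass
class ActiveShutdownReactor(Core):
    """Failure by design: stopping requires a command that must reach the core."""

    def scram(self, control_alive: bool) -> bool:
        """Emergency stop. It only works while the means of control still exist."""
        if control_alive:
            self.reacting = False
            return True
        return False


def run(reactor: Core, control_lost_at: int, seconds: int = 600) -> dict:
    """Tick once per second; control disappears at control_lost_at and never returns."""
    peak = reactor.temp
    for t in range(seconds):
        reactor.tick(control_alive=t < control_lost_at)
        peak = max(peak, reactor.temp)
    return {
        "peak": peak,
        "final": reactor.temp,
        "damaged": peak > MAX_SAFE_TEMP,
        "reacting": reactor.reacting,
    }


if __name__ == "__main__":
    print("freeze plug, control lost at 10 s:", run(FreezePlugReactor(), 10))
    print("active shutdown, control lost at 10 s:", run(ActiveShutdownReactor(), 10))
    stuck = ActiveShutdownReactor()
    print("scram after control loss accepted?", stuck.scram(control_alive=False))
```

With control lost after ten seconds, the freeze plug design drains itself within the melt time and cools to ambient with nobody acting, while the active design keeps heating until it crosses the damage limit, and its `scram` is refused because the command has no way to reach the core. The same check applies to any system one designs: ask what the state becomes when every input, including power, simply stops arriving.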

Choice

From a safety engineering point of view, most classical nuclear plants operating today, and more generally systems that require some human controller to “stay awake” at all times, are therefore accidents waiting to happen. With technologies that involve hazards, relying on the human staff when it is critical works well enough, to some extent. But in the long term, accidents have happened and will happen again with absolute certainty, unless the passive or inherent safety principle is understood and eventually applied.