Saying the Wrong Thing

28 03 2013

The Guardian yesterday wrote an encomium to the UK government’s Chief Scientific Advisor Prof. Sir John Beddington (I hope they don’t mind that I quote in full):

Politics may not be the enemy of scientific method, but they are hardly intimate friends. Science inches along by experiment, evidence and testing (and retesting); politics is often about bold moves executed on personal judgment. So the chief scientific adviser to the government has his or her work cut out. But John Beddington, who has held the post since 2008 and retires this month, has trodden a thin line with grace. Three crises broke on his watch – the Icelandic volcano eruptions, Fukushima and ash dieback disease – and in each he showed a useful caution: compare the political hysteria over Fukushima in Germany with the calm that prevailed here. Mr Beddington has also been an advocate for science, by spearheading the push to install a chief scientist in each Whitehall department. And in raising the alarm about “a perfect storm” of rising population, falling energy resources and food shortages, he did the right and brave thing.

Concerning what he said on Fukushima, I wrote to the ProcEng list on 16.03.2011:

………. (BBC tweet at 1431): “The UK Government’s Chief Scientific Officer, Prof John Beddington, has sought to allay fears of radiation exposure. He told a press conference at the UK embassy in Tokyo: “What I would really re-emphasise is that this is very problematic for the area and the immediate vicinity and one has to have concerns for the people working there. Beyond that 20 or 30 kilometres, it’s really not an issue for health,” he says. The full and very interesting transcript is available on the embassy’s website.”
The key phrase, for those not familiar with British modes of writing, lies in the phrase “very interesting”. I infer that the BBC thinks Beddington['s comment is contentious]. …..

The Guardian cites three well-known events. The Icelandic volcano eruption and the ash-dieback event pose/posed no threat to human life and very little to general human well-being as broadly construed. The British air traffic service provider reaction to the Icelandic volcano eruptions was exemplary, in particular in face of the engineering uncertainty and the pressure from the airlines.

However, the Fukushima event involved some considerable danger to people. He got that wrong, contrary to what The Guardian suggests. At the time he was making his soothing statement above, the Japanese government itself, extremely concerned about the lack of reliable information on the accident it was receiving from TEPCO, was discussing plans to evacuate Tokyo. And not even TEPCO had an accurate idea of how dangerous the circumstances were. The event at Fukushima, as we now know, could have been very much worse than it was and is, and, even though we were spared the very worst, it still could be worse than we think. Sir John, a population biologist and not a safety engineer, was inadvertently misleading his audience on a matter concerning danger.

That is, of course, one of the disadvantages of the job, when one must make public pronouncements on matters on which one is not especially expert. But I wonder why he had not received better advice?

Moving on, it is hard to leave this particular comment of The Guardian alone:

compare the political hysteria over Fukushima in Germany with the calm that prevailed here

The Guardian calling the German reaction “political hysteria” is just silly. There is considerable and long-standing political opposition to nuclear power here in Germany, including a permanent platform from a major party which has been in government, namely the Green Party. Chancellor Merkel simply adopted the Green Party platform, whereas her party had previously been “for” continued use and further building of nuclear power stations. That is normal democratic, opportunistic, representative politics. Considering that the building and use of nuclear power stations involves large amounts of taxpayers’ money being paid to private corporations – in Germany’s case, to assure them a “reasonable profit” to which they claim they have a legal right – there is a moral obligation for politicians to pay significant attention to what ordinary people think on the matter, and some evidence that, apart from the Green Party, they had not been doing so. (A more detailed comment from TheRealPM is on the Guardian page.)

Lest we forget, nobody, not even Germany, has solved the problem of what to do with the waste. It’s fifty years and counting. Someone will have to think of something soon.



Root Cause Analysis

5 02 2013

The International Electrotechnical Commission, IEC, is currently preparing an international standard to be known as IEC 62740 Root Cause Analysis. I prepared some material for potential inclusion in the standards document but as of writing it appears it will not be used. I think it is quite useful, so I make it hereby available.

The paper on the RVS WWW-site, Root Cause Analysis: Terms and Definitions, Accimaps, MES, SOL and WBA, consists of

  • a vocabulary I put together defining the terms I think are needed to talk effectively about root-causal analysis, based on the International Electrotechnical Vocabulary, IEC 60050, which all international electrotechnical standards are required to use. I am not completely happy with a variety of the definitions of fundamental concepts in the IEV. I make my discontent clear through notes which I have added to the IEV definitions. Other concepts are new, and not (yet) in the IEV. Readers might like to compare with the vocabulary which I prepared in 2008 for system safety under the auspices of Causalis Limited, Definitions for Safety Engineering.
  • Brief introductions to the root cause analysis methods for accidents, Accimaps (from Jens Rasmussen, successfully applied by Andrew Hopkins and now the Australian Transport Safety Board in Australia), Multilevel Event Sequencing (MES, from Ludwig Benner, Jr. formerly of the US National Transportation Safety Board), Safety through Organisational Learning (SOL, from Babette Fahlbruch and SOL-VE GmbH, used in the German and Swiss nuclear industries), and Why-Because Analysis (WBA, originated by me and developed by colleagues at Uni Bielefeld RVS and Causalis Limited, used by two divisions of Siemens and now the German Railways DB, as well as Causalis for its accident analyses for clients). Each method description includes pictures, so readers get an idea of the presentation of results, a short section on process – what one does, and a section on strengths and limitations.

I think it would be a good thing to have similar descriptions for all methods in current industrial use for root cause analysis of significant incidents. My personal list of such methods stands currently as follows:

  • Accimaps (in the document)
  • Barrier Analysis. BA is really an a priori method favored in the process industries, but also used post hoc to determine which barriers failed and why. Typified in Reason’s “Swiss Cheese” diagram.
  • Causes-Tree Method (CTM). Widespread and, I am told, sometimes legally required in France for accident analysis.
  • Events and Causal Factors (ECF) Analysis and Diagrams. ECF is dealt with extensively in Chris Johnson’s Failure in Safety-Critical Systems: A Handbook of Accident and Incident Reporting.
  • Fault Tree Analysis (FTA). I had considered FTA primarily an ab-initio risk-analysis method at system design, but Nancy Leveson tells me she has seen more root cause analysis performed with the help of fault trees, sometimes put together after an incident rather than pre-existing, than with any other technique.
  • Fishbone or Ishikawa Diagrams. These are minimally a method, more a presentation technique, and not one I find particularly helpful. More applicable in industrial quality control than in significant-incident analysis, I would think.
  • Multilevel Event Sequencing (MES, and its associated technique STEP), in the document
  • The Reason Model of human operational analysis, involving human error in operations, classification such as skill-based, rule-based and knowledge-based operations (SRK), the notion of latent errors, or misdesign of operations allowing mishap sequences to occur normally, the “Swiss Cheese” model.
  • Safety through Organisational Learning (SOL, with its associated toolset SOL-VE), in the document.
  • STAMP and its associated methods, Leveson’s feedback-control-system model of critical-operational control, applied to the Rasmussen-Svedung hierarchy of operational, organisational and institutional context, dealt with extensively on Nancy Leveson’s WWW site.
  • TRIPOD, a method developed over many years by oil companies in cooperation with Jim Reason’s group, and in wide use in the oil industry.
  • Why-Because Analysis (WBA), in the document.

Besides these, there are special methods for root cause analysis of incidents involving human operations; maybe one can call these “human factors root cause analysis” methods. Amongst these are:

  • Connectionism Assessment of Human Reliability, CAHR, from Oliver Sträter’s group at Kassel, which has been used in analysing marine accidents and incidents.
  • Human Information-Processing Models. These originated with Peter Lindsay and Don Norman, and include methods sometimes used by NASA’s human factors research group (NASA Ames, at Moffett Field in California). Our PARDIA classification is such a model.
  • Human Factors Analysis and Classification System (HFACS).
  • Management Oversight and Risk Tree (MORT), developed by William Johnson for the US Nuclear Regulatory Commission and widely used in the US nuclear industry.
  • The SHEL model (note that the referenced page spells it mistakenly with two “l”s).
  • Shorrock and Kirwan’s TRACEr model for identifying and classifying cognitive error in air traffic management and control operations. For example, see this paper.

There are other promising methods which I could include, but I don’t know how much industrial “traction” they yet have. If readers could let me know of other worthwhile methods which have found some foothold in industry, I would be grateful. I would be even more grateful for descriptions of methods similar to those that are already in the document! Authorship will of course be acknowledged in the usual manner.



The State of Modus Ponens and of Rational Discussion

28 12 2012

A bit of intellectual biography, prompted by a couple of days’ free time leading me to a paper written 27 years ago by a pal, which I have just read. I say a little of what’s in the paper, to encourage others to read it. And then I comment on a couple of disappointing aspects of the WWW, and of academic work here in Bielefeld.

I am reading a collection of papers on The Law of Non-Contradiction, edited by Priest, Beall and Armour-Garb (Oxford University Press, 2004, reprinted 2011), for a seminar I offer on the subject of paraconsistent logics. Amongst them is a paper by Vann McGee, an MIT logician and philosopher, on Frank Ramsey’s Dialethism. Dialethism is the position that there are logically incompatible assertions that are true. In this case, says McGee, “…sometimes Ramsey is willing to count each of two classically logically incompatible theories as true”.

I am interested in such phenomena because I am interested in reasoning in general, and have been induced by a Bielefeld student, Daniel Milne, who has been following such matters for some time, to become interested in reasoning about and reasoning in stories – fiction. For, one could say, one of the ways in which much fiction works is to induce us to reason about situations invented by the author, who may well not be constrained in general by the “laws” of reasoning applying to the physical world. One can imagine a story in which, while I am sitting listening to you present a paper on dialethism in my seminar, you are simultaneously off waterboarding a tax collector. You cannot be in two different places at once physically, but in a story you can be so without the story appearing to be incoherent. But other stories are incoherent – think of Finnegans Wake. How to mark a difference?

Further, many stories involve people and objects which are not real, which are invented. Do these people and objects “exist” in some way? If so, then certainly not in the way in which you or I exist, for we are “real”, “actual”, or however you might like to describe us, and the invented entities not – they don’t have an address or an ID card or pay radio licence fees and nobody is going to go looking for them to insist they sign up for any of these. But we can’t just say “anything goes”, that we can reason about such invented entities any way we like. What about that superficial referring phrase itself, “invented entities”? Does it refer? In one sense, obviously it does: you know exactly what I am talking about, because I told you: things invented by people to occur in stories they write. In Fregean logic, modern formal logic, or on Russell’s interpretation of putatively-referring terms, however, the term doesn’t refer. But singular or plural terms in “classical” formal logic (that is, the post-Frege traditional complete formulations of propositional and predicate logic) must refer. What, then, does this term do and how does it do it? And what logic, if definitely not classical as just noted, is involved in reasoning concerning it? Say, in helping to explain what this very paragraph means?

I was in grad school at Berkeley with Vann McGee, who entered a year later than I did – or was it two years? We were in the Group in Logic and Methodology of Science, started by Tarski and having 15 or so graduate students pursuing PhDs, and about four times that many faculty members, some of whom we never saw, such as the game theorist John Harsanyi, who was to win a Nobel Prize. Vann entered at the same time, I think, as Shaughan Lavine, a loquacious logician interested in physics – at that time Shaughan wanted to solve the riddle of the intellectual incoherence of quantum mechanics, but thought it would take decades and thus the enterprise couldn’t really start until one had tenure, so he considered it wise to pick lower-hanging fruit for PhD and pre-tenure work. Shaughan left Berkeley after a couple of years because he didn’t see how it was actually possible to get a PhD degree in the Group in the environment prevailing in the 1970s. He worked as an editor for the Physical Review, and came back at the end of the decade to work on a technical problem in mathematical model theory which he thought he could crack in a couple of years (in fact, it took him eight more years, underlining the accuracy of his earlier observation).

I was very interested in mathematical logic. In fact, I came to Berkeley being most interested in the Scott semantics for the lambda calculus, but I found nobody else there interested in them, except a young Japanese scholar, Reiji Nakajima, working with a temporary faculty member in the Computer Science Department who was applying it to programming languages with recursive constructs, so I thought. My interest in computation was theoretical – Turing machines, recursive functions and the like, and I came from a university which had a research group in programming languages, but no department doing work in computing science – the Oxford Computing Laboratory was largely for people who wanted to solve applied-math problems numerically and I was utterly uninterested in those at the time (things would change!). I classified the Berkeley Computer Science Department in that shoebox – one of the many and varied intellectual mistakes I have made in my career, and this one took me a decade to correct.

Even then, I think I was equally or more interested in questions in philosophical logic than in set theory or model theory, but there were more people doing the hard math and I didn’t think you could get a job doing philosophical logic. Further, the math seemed “hard” and the philosophical logic “soft”. The math was hard – it proved too hard for me in the end. But I was worried about career prospects in philosophical logic. I knew some physicists in the mid-1970s who had told me that at that time there was just one tenure-track academic job in theoretical physics offered in the whole of the US. I thought philosophical logic was going the same way. So rather than follow my inclinations away from math, I went into it even more – I even taught myself and taught others numerical analysis (at both the undergrad and grad levels) because I thought I’d have more chance of a job doing something related to what I enjoyed. I didn’t realise that the South Bay was about to explode into Silicon Valley and help logic become one of the largest applications of mathematics after calculus and numerical algebra and analysis. But the varied non-logic mathematical skills I learned have proved invaluable to me; I don’t regret at all the time spent developing them.

Back to Vann. Vann was quiet in classes and conversation, but his observations and conjectures were pertinent and incisive when he made them and he was obviously both very clever and very able. As well as giving us the impression of being quite other-worldly. None of us at that time in the mid-1970s knew how to get out of Berkeley with our PhD degree (indeed, the university itself was to recognise the fact that too many clever graduate students were often having too much demanded of them, and was to initiate change), but Vann gave me the impression of not caring about it that much, as long as he could carry on thinking about technical matters in measurement theory and conditionals and all those problems ignored by the logicians in the Math Department. He finished in 1985, having written not only a thesis on Truth and Necessity in Partially Interpreted Languages, but also having done work in the Theory of Measurement (one of Ernie Adams’s interests, as well as one of Pat Suppes’, down the road at Stanford) and in the Logic of Conditionals (the major Adams theme along with Probability Logic). Some of his work on conditionals was published the year he was awarded his PhD, in the Journal of Philosophy, a – some say the – leading journal.

I just read the paper, after 27 years. Which is part of what prompted this note.

Me, I’d gone “applied”, having taught math and computer science at two California State Universities, San Francisco and then Hayward to try to support myself while working on my degree in the copious free time :-( left to me on a full teaching schedule at a teaching university. I managed to reprove a result of Humberstone in algebraic logic without realising it, as Johan van Benthem noted when I explained my result. My resolution to “stop reading and get down to working!” had been taken two papers too soon :-( . “It shows what you can do!” said Johan helpfully, but it didn’t seem any consolation at the time after that couple of years’ work. I got my first real break in mid-1984, with a temporary job in SRI’s Computer Science Lab. That helped me write half a thesis on eliminating quantifiers in naive set theories, but that effort ended some months later when my job ran out. The second break was at my next job, at the Kestrel Institute starting in late 1985, where I was put to work on devising a computational system for reasoning about time. Cordell Green pointed me at James Allen’s work on intervals in interpretation of reasoning about time in natural languages, and I recognised a Relation Algebra, which is something I knew something about in algebraic logic, and about which my pal Roger Maddux knew much more. We got some significant new mathematical results (largely his) as well as data structures and algorithms (largely mine, some implemented). I had a book contract with MIT Press Bradford Books together with Pat Hayes (which remains to this day unrequited), submitted my thesis and was awarded my PhD degree in 1987. My code, written in the now defunct language REFINE, which was very modular and mostly declarative, persuaded me of the value of declarative languages with strong typing and rigorous modularity.
I spent six months writing code to perform calendrical calculations according to my data structure (to computer scientists a “model”, but not to logicians), for the Project Manager part of the Knowledge-Based Software Assistant project of the USAF. I gave the code along with its API to the integrator of the KBSA-PM. She spotted one error (a boundary value) inside a couple of hours of testing – and then the code ran seamlessly for demo at AAAI in 1986 and in the KBSA-PM delivered to the Air Force, for the next ?few years? as far as I know. In the last twenty-five years, we have not gone forward much in industrial programming languages. All the issues I was able to avoid seamlessly by using REFINE still occur all the time in the industrial systems I am acquainted with.

Shaughan finished a year later, in 1988. He had solved a major technical problem in admissible model theory and was successful in his job search at the very time that philosophical logic was suffering the fate of physics a decade earlier – I think he got the one tenure-track job in philosophical logic available at the end of the 1980s. He was at Stanford – although I was in Palo Alto at my job most days in the week, I never met up with him there – and then went to Columbia, where he wrote his book Understanding the Infinite (Harvard University Press, 1994, reprinted 1998). I haven’t seen Shaughan for twenty years, nor Vann for thirty.

Man, what a paper that is which Vann published in 1985! A Counterexample to Modus Ponens. Tim Williamson in The Philosophy of Philosophy (Blackwell, 2007) calls Vann a “distinguished logician” while explaining one of these results (see for example, this citation).

Let A and B be things you assert (sentences, say, or propositions or statements, if you believe in those and can say what they are). “Assert” means something like “claim to be true”. Modus Ponendo Ponens is the inference rule whereby, from an assertion of A and an assertion that if A then B, you may infer B.

According to the Stanford Encyclopedia of Philosophy, Aristotle discussed a forerunner of Modus Ponens called Theophrastus, whereby from the premises if something is F, it is G and x is F one may infer x is G. Modus Ponens concerns general assertions, whereas Theophrastus is concerned with objects having properties or characteristics, and properly belongs to the logic of predicates rather than to propositional logic.

So, what is an inference rule? What are you doing when you “infer”? One common explanation, the “classical” explanation (although “classical” here means largely the 150-year-old Fregean tradition) is that asserting A and A implies B or if A then B means you are taking these sentences to be true. Inference then means that you take the third sentence B also to be true on the basis of the truth of the first two. The rule is said to “preserve truth”. A rule of inference which preserves truth is said to be valid.

There are two main ways of formulating the logic of whole sentences, propositional logic. One is to give a set of axioms – a collection of logical truths (sentences guaranteed to be true just in virtue of their form, such as A implies A, or (A and B) implies B) and just two inference rules: Substitution and Modus Ponens. Substitution says you may replace any schematic letter, such as “A” in the two logical truths just given, by any sentence whatever. This is truth-preserving, because the logical truths are so because of their form, not their content, so no matter what “A” is, something of the form “A implies A” will be true. That “no matter what” phrase is another way of expressing Substitution. No one queries Substitution; it is one of the basic mechanisms of logic as truth/assertability according to form and not content. It looks to be significant for this century-and-a-half-long conception of logic that Modus Ponens may not be truth-preserving when “if…then….” is used in natural-language reasoning! The other way of formulating logic consists of giving no axioms, but plenty of rules of inference, indeed some (“introduction” rules and “elimination” rules) for each logical constant. Modus ponens is the “introduction rule” for the conditional in this formulation. So either way Modus Ponens is key. (The first type of system is popularly ascribed to the German mathematician David Hilbert, the second to the German logician Gerhard Gentzen.)

In fact, when “implies” is taken to be what is called the “material conditional”, Modus Ponens is truth-preserving, as Vann points out. The material conditional is the interpretation of “implies” whereby “A implies B” is taken to be equivalent to saying “either Not-A or B”. One interpretation of logic, one explanation of the meaning, takes the “logical constants” in propositional logic, the connectives “and”, “or”, “implies” and “not” to be purely functions of the truth or falsity of the sentences they combine. This, along with the claim that every sentence whatever either is true or is false, constitutes the basis of what is called classical propositional logic (that is, the common propositional logic since Frege).

It is easy to see that, when “implies” is the material conditional, Modus Ponens is truth-preserving, as follows. You assert A. A is taken to be true. You assert A implies B, that is, either Not-A or B. So this is taken to be true. But you have taken A to be true, so it follows that you cannot take Not-A to be true as well, for you would be contradicting yourself (the so-called Law of Non-Contradiction is another foundational principle of classical logic, but exactly what it means can be questioned – see the more than 240 different variations pointed out by Patrick Grim’s article in the eponymous op. cit.). If the “Not-A” part of the true either Not-A or B isn’t true, then it must be the “B” part that is true. That shows that Modus Ponens is truth-preserving, because B is exactly what Modus Ponens infers from the first two sentences.

People using formal logic in mathematics generally take “implies” to mean the material conditional when they are using logic or talking about it. And they take this to be settled. But they also infer, as a professional activity: they prove theorems from other mathematical “facts” (theorems). It is prima facie apparent that inference of this sort may well not be the same kind of activity as when, looking out from my room, I see your shadow on the street and infer that the sun is shining. For that is defeasible – somebody may have turned a searchlight on you on a cloudy day. Whereas mathematical theorems are not usually taken to be defeasible in the same way – they are taken to be wrong only if their author has made a technical mistake in reasoning, not if the phenomenon they assert is valid but otherwise explained.

When Vann points out apparent counterexamples to Modus Ponens, he is noting that there are conditionals, “if…then…”-statements, in the language we use, and if one is trying to formulate truth-preserving inferences using those notions of implication, then formal Modus Ponens doesn’t preserve truth.

On the face of it, he’s right. “On the face of it” means that the arguments he uses are formally of the Modus Ponens form (except for a couple of minor typographical differences which are assumed to be contingently grammatical and not substantial). The question is how to explain the phenomenon. Vann suggests it is crucial that the “B” part of his counterexamples is itself a conditional. That is, there is an “if ….. then….” as the “then”-part of an “if….then…..”; known as “nested conditionals”.

There is a substantial amount of work on the logic of conditionals. They seem to be quite tricky, so it is really not surprising that phenomena such as Vann identified have remained unnoticed for so long. Ernie Adams wrote an influential eponymous book on the logic of conditionals, published in 1975. David Lewis addressed it in a number of seminal papers as well as a book, Counterfactuals (Harvard U.P./Blackwell’s 1973, reissued Blackwell’s 2001). Jonathan Bennett has an extensive survey of some 380 substantial pages (A Philosophical Guide to Conditionals, Clarendon Press, Oxford, 2003). One locus classicus is a set of papers edited by Frank Jackson (Conditionals, Oxford University Press 1991, unfortunately out of print).

Vann considers also the interpretation of if A then if B then C as if A and B then C and vice versa (he calls this the “law of exportation”, the “law of importation” being the interpretation of the second as the first), and notes that, if these laws are correct interpretations of conditionals, the difficulty is “basic”: that you are stuck with taking “if … then …” to be the material conditional (which it can’t be, because if so there would be no counterexamples to Modus Ponens) or the logically most powerful conditional called “strict implication”, whereby “if A then B” is true only if in every possible world in which A is true, B is also true. Which wouldn’t seem right: “if I have my brown jacket on, then my grey jacket is at the cleaner’s” tells you something about my clothing habits in this world in which we actually live, and tells you nothing about another world, odd but possible, in which I have a pathological hatred specifically of wearing grey jackets and would never do so, even if there were fifty in my closet and I only had my brown one otherwise.

That is a powerful and surprising result.
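As an added illustration (not part of the original post), here is a small Python truth-table checker that carries out the argument of the preceding paragraphs mechanically: it confirms that Modus Ponens preserves truth when “implies” is read as the material conditional, that the laws of exportation and importation hold under that same reading, and, as a control, that the checker does find a counterexample to an inference that is invalid. The function and variable names are mine.

```python
from itertools import product
from typing import Callable, Dict, Optional, Sequence

# A formula is represented as a function from a valuation (atom name -> truth value)
# to a truth value; this is the "purely a function of truth or falsity" reading above.
Valuation = Dict[str, bool]
Formula = Callable[[Valuation], bool]


def atom(name: str) -> Formula:
    return lambda v: v[name]


def neg(p: Formula) -> Formula:
    return lambda v: not p(v)


def conj(p: Formula, q: Formula) -> Formula:
    return lambda v: p(v) and q(v)


def disj(p: Formula, q: Formula) -> Formula:
    return lambda v: p(v) or q(v)


def implies(p: Formula, q: Formula) -> Formula:
    """Material conditional: 'p implies q' is read as 'either Not-p or q'."""
    return disj(neg(p), q)


def valuations(atoms: Sequence[str]):
    """Every assignment of True/False to the atoms: the rows of a truth table."""
    for bits in product([False, True], repeat=len(atoms)):
        yield dict(zip(atoms, bits))


def counterexample(premises: Sequence[Formula], conclusion: Formula,
                   atoms: Sequence[str]) -> Optional[Valuation]:
    """Return a valuation making every premise true and the conclusion false,
    or None when no such row exists, i.e. the inference is truth-preserving (valid)."""
    for v in valuations(atoms):
        if all(p(v) for p in premises) and not conclusion(v):
            return v
    return None


def equivalent(p: Formula, q: Formula, atoms: Sequence[str]) -> bool:
    """Two formulas are equivalent when they agree on every row of the truth table."""
    return all(p(v) == q(v) for v in valuations(atoms))


A, B, C = atom("A"), atom("B"), atom("C")


def modus_ponens_valid() -> bool:
    """From A and (A implies B), infer B: no row makes the premises true and B false."""
    return counterexample([A, implies(A, B)], B, ["A", "B"]) is None


def affirming_consequent_counterexample() -> Optional[Valuation]:
    """Control case: 'B; A implies B; therefore A' is a fallacy, and the checker
    should exhibit the row that refutes it (A false, B true)."""
    return counterexample([B, implies(A, B)], A, ["A", "B"])


def exportation_holds() -> bool:
    """Law of exportation/importation: 'if A then (if B then C)' and
    'if (A and B) then C' have the same truth table under the material reading."""
    nested = implies(A, implies(B, C))
    conjoined = implies(conj(A, B), C)
    return equivalent(nested, conjoined, ["A", "B", "C"])


def nested_modus_ponens_valid() -> bool:
    """The shape of McGee's examples, where the B-part is itself a conditional:
    from A and (A implies (B implies C)), infer (B implies C). Under the material
    reading this is still valid, which is exactly why his counterexamples bite on
    the natural-language conditional rather than on the formal one."""
    return counterexample([A, implies(A, implies(B, C))],
                          implies(B, C), ["A", "B", "C"]) is None


if __name__ == "__main__":
    print("Modus Ponens valid (material):", modus_ponens_valid())
    print("Affirming the consequent refuted by:", affirming_consequent_counterexample())
    print("Exportation/importation hold:", exportation_holds())
    print("Nested Modus Ponens valid (material):", nested_modus_ponens_valid())
```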

He goes further, in showing that Robert Stalnaker’s account of a certain kind of conditionals called subjunctive or counterfactual conditionals (conditionals in which the antecedent, the part following the “if” and before the “then”, is not actually true but hypothetical) is “inaccurate” (Stalnaker’s account is in A Theory of Conditionals, in Studies in Logical Theory, American Philosophical Quarterly, Monograph 2, 1968, reprinted in Jackson op. cit.). He means wrong, if the law of exportation holds. This is also a significant result, for at the time the Stalnaker and closely-related Lewis semantics for counterfactual conditionals were held to be the best accounts. (They are still the best available for many purposes. Forty years on, we use the Lewis semantics for counterfactual conditionals in my technique for causal analysis of accidents, Why-Because Analysis, where it works very well in the context of complex engineered sociotechnical systems.) The issues with counterfactual conditionals in particular were, I believe, first raised by Nelson Goodman in a paper The Problem of Counterfactual Conditionals, Journal of Philosophy XLIV(5), February 27, 1947, available through JSTOR to those with access. It is also reprinted as Chapter 1 of his book Fact, Fiction and Forecast (Harvard University Press, 1984).

There is much, much more in this short paper. I am so glad I read it finally.

On to my second theme, somewhat distressing. As I have written before, I thought in the mid-1990s that the advent of the World-Wide Web would render the business models of traditional academic publishing obsolete. That hasn’t happened, to my regret as well as sometimes to my annoyance. But the WWW has led to on-line discussions, and various software packages are available to format ongoing discussions of any and all subjects on the WWW. Instead of searching out a bunch of like-minded people to meet to discuss raising blue goldfinches, you can find them right there in the blue-goldfinch forum! What a wonderful enrichment of our lives.

I looked for discussion of Vann’s paper. I only found two discussions in forums on the first few pages of the Google search. The second entry in the Google search for the paper was a discussion on TalkRational: A Republic of Free Thought. A “moderator” brings up McGee’s paper in 2010, a quarter-century after publication. Kudos for drawing attention to it, one might think, but consider his or her comment:

(1) I think that the most obvious problem with McGee’s argument is that he is equivocating between two radically different ways of construing the relevant statements. Are there any other problems with the argument that you see?
(2) Is Vann McGee retarded? Seriously, is there any reason whatsoever why his argument should be persuasive?

which is partly personally abusive. He or she says in a later note:


McGee has basically become a rock star in philosophical logic because of this argument, too. It’s a pretty tragic statement on the condition of contemporary philosophy.

The discussion goes downhill from there, quite steeply. Most people seem to want to deprecate McGee personally, as the moderator implicitly does.

Such a combination of incomprehension and abuse is unfortunately rife on WWW forums. It doesn’t seem to happen to anything like the same extent on subscription-only e-mailing lists. This is one area in which e-mail seems to serve a function which the WWW does not, contrary to what one might have anticipated. I regret, and am frustrated by, the low standard of such forum discussion. Recall that this is a discussion which appears high on the Google list responding to the query “vann mcgee modus ponens”.

I wish for a different world, a world in which papers and arguments can be presented and discussed on the WWW the way they are presented and discussed in colloquia, conferences and the better journals. We are unfortunately a long way from that.

On to my third theme.

The first PhD to graduate whom I advised in Bielefeld was Thorsten Scherer. Thorsten built a mobile robot to perform lab assays automatically. I became his advisor after his original advisor left Bielefeld and Thorsten didn’t want to follow. His robot worked in a biotechnology lab. It drew samples from a large (industrial-scale) fermenter, which was producing cells, took them to and installed them in a centrifuge, started the centrifuge, removed them when it stopped and took the results to and installed them in an assay machine. These devices were distributed around the lab. Thorsten had developed the robot to such a degree of reliability that it worked at night when nobody was around. It only spilled stuff one time, near the beginning of development.

I was very impressed by this piece of system engineering. Thorsten had put together algorithms – recognition, motion and control algorithms – some of which he had gleaned from the literature and many of which he had devised himself and had integrated them in a piece of hardware which performed its chosen task to a demonstrated high level of reliability (achieving the task as wished) and safety (avoiding spills, collisions, breakages).

Readers will appreciate that most academic contraptions of this sort are “proof of concept”, that is, their devisers can get it to do what it is supposed to do some of the time, at least once or twice. Adding dependability to such “proof of concept” devices comes out to around ten times as much work, as an industrial rule of thumb. It is very frustrating to those of us who work in the area that, with some notable exceptions, dependability issues are largely ignored in academic computer science, for they are not intellectually trivial. Most of us end up spending far more time talking with industrial engineers than we do with fellow academics.

I thought this was superb work, and proposed Thorsten for a summa cum laude designation. So did his second thesis reviewer, his ex-boss. But it was vetoed by the Chair of his committee (as thesis advisor, I could not be Chair) on the basis that he had taken too long – seven years, I think.

Another example. I had an Indonesian scholar in my group, I Made Wiryana. Made’s thesis was on what I would call practical requirements engineering in culturally very different situations from those in the West. Indonesia has many different cultures, information technology is helpful and very much needed, but some ways we have of engineering these systems just don’t fit local cultures there, which are many and varied. Made devised a means of performing dynamic adjustments to sociotechnical system requirements through causal analysis of cultural issues that came up during initial system development and prototyping. Again, unlike most academic work, this was serious “grown-up” engineering. The examples in his thesis included designing and implementing the system to run the blog of the Indonesian president, whom he had personally advised, and designing and implementing the warning-message function associated with the tsunami early-warning system installed with international help after the 2004 December tsunami.

Again, I thought this work worthy of a summa cum laude designation, as indeed Made’s committee decided. But before the defence, I had a brief chat with one of my colleagues, multiple times Dean of our faculty, known for his very effective fund-raising, and now Rector of my university, who opined strongly that it was inappropriate to consider awarding a summa cum laude to someone who had “taken too long” (Made had been working with my group about a decade).

To my mind, the quality of a PhD lies solely in its achievement. Both of these scholars had achieved way beyond what most German PhDs in computer science achieve, in that they had devised and implemented systems with demonstrated dependability. As I noted, that simply takes longer. Made had to work with a number of organisations, including government, to get his results. Anyone setting a clock ticking on government work anywhere is liable to run out of clock batteries.

Why am I saying this here? By means of contrast. Vann took ten or eleven years to get his PhD. Shaughan took 13, as did I. Was ten years worth that one seminal paper of Vann, let alone a PhD? In my view yes, most certainly! Read it, and I bet you’ll agree. But in Germany he would have “taken too long”………



Aerial Collision Avoidance

9 12 2012

Just over a decade ago, in July 2002, there was a catastrophic mid-air collision of a Russian passenger aircraft heading westwards and a freighter aircraft of DHL heading northward, near the town of Überlingen on Lake Constance (Bodensee) in Southern Germany near the Swiss border. I wrote a paper on it about a month later, ACAS and the South German Midair, RVS Technical Note RVS-Occ-02-02, on 12 August 2002, in which I suggested that there were issues concerning the verification of the algorithms used in TCAS, as well as the assumptions about cockpit decision-making upon which the successful use of TCAS depends.

In May 2004 the final report of the investigating body, the German BFU, was published. It is 114 pages long in English, without the appendices. There are mistakes in it, one of which I had already anticipated in my August 2002 note. I then wrote a paper based on my 2002 note, which accompanied an Invited Talk I gave at the Ninth Australian Workshop on Safety-Related Programmable Systems in Brisbane, Australia, in 2004, Causal Analysis of the ACAS/TCAS Sociotechnical System. This paper is also available on the Publications page of the RVS WWW site.

Neale Fulton, a colleague at the state research agency CSIRO in Canberra, who has been working on algorithms for proximity/collision avoidance for some years, recently told me of a paper by Peter Brooker, in the journal Safety Science 46(10), December 2008, entitled The Überlingen Accident: Macro-Level Safety Lessons, which refers to my work. That’s four years ago. Brooker apparently says some things about my work.

I haven’t seen the paper. Gone seem to be the old courtesies by which one forwarded a copy of an academic paper to a colleague whose work was discussed. Our library used to subscribe to the journal, until 2002, but I suppose it became too expensive. It is certainly expensive now: the publisher Elsevier wishes to charge me (or my library) €31.50 for this paper of about 15 pages. As I have said before, I don’t agree with the current commercial politics of many academic publishing houses. Not all authors do as I do to ensure that some version of a published paper appears for free on a WWW site under the auspices of the taxpayer-funded organisations who pay me a salary for this work. I hope Professor Brooker will understand me seasonally donating to charity the €31.50 I have saved by not buying his paper.

Brooker says some odd things about my work. Also, in 2008 the TCAS standard was amended. So it seems time to revisit those considerations.

There is now a TCAS II Minimum Operational Performance Standard, RTCA/DO-185B. There is an FAA Technical Standard Order (TSO) TSO-C119c, and an EASA TSO ETSO-C119c, corresponding to TCAS II Version 7.1, as it is now called, which includes two changes, detailed in Change Proposals CP112E and CP115, as in this Honeywell white paper. CP112E is directly relevant to the Überlingen accident, as below.

There are three main points which I wish to address again.

First, I pointed out in my 2004/5 paper (Section 3) that use of TCAS played a direct causal role in the accident. To phrase it technically, the use of TCAS was a necessary causal factor in the collision: had TCAS not been in use, with everything else as it was, the collision would not have occurred. I proved this by means of the Counterfactual Test, which is exactly that check. However, amongst the probable causes which the BFU report lays out, this factor is missing. That is a logical mistake.

I still encounter many technical people in aviation who refuse to accept this observation. I fail to understand why the proof is not routinely accepted. Instead, few seem to want to say in public that use of TCAS was a necessary causal factor in the accident. Maybe politics and wishful thinking triumph over logic once again?

Second, my Issue 4.1 of the paper concerns the fact that the Reversal RA mechanism apparently did not operate as it should have. I labelled this a requirements problem. The design of the kit did not operate in the way the requirement intended. People have waffled about this too, but here is the BFU report telling us that the failure to issue a Reversal RA was a necessary causal factor of the collision according to the Counterfactual Test:


A Eurocontrol specialist team has analysed the accident based on three TCAS simulations. Three different data sources and two different analysing tools for TCAS II were used. It is the BFU’s opinion that the following important insights can be drawn from the Eurocontrol study:
The analysis confirmed that the TAs and RAs in both airplanes were triggered according to the design of the CAS-logic
The simulation and the analysis of the alert sequence showed that the initial RAs would have ensured a safe vertical separation of both airplanes if both crews had followed the instructions accurately.
Moreover, Eurocontrol conducted a further analysis how TCAS II would have reacted in this case with the modification CP 112 which had already been developed prior to the accident. According to the results provided, TCAS would have generated a Reversal RA after the initial RA which would have led to a sufficient vertical separation of both aircraft if the Boeing B757-200 [the DHL freighter] crew would have reacted according to the Reversal RA.

Despite this clear statement, this necessary causal factor did not appear amongst the causes in Section 3 of the BFU report.

In fact, it was known to Eurocontrol in 2000 that Reversal RAs did not function as desired. In engineering-scientific parlance, the design of TCAS did not fulfil its requirements specification. Eurocontrol filed a change notice with the committee, CP 112, to get this fixed. Two years later, there occurred the Überlingen collision. Two years after the problem was first openly acknowledged. Then there were other near-misses, detailed in the Eurocontrol SIRE+ project. Finally, in 2008, RTCA accepted the amended CP 112+ as well as another Change Proposal, resulting in TCAS II Version 7.1 (some issues are detailed in the document Decision criteria for regulatory measures on TCAS II version 7.1 by Stéphan Chabert & Hervé Drévillon).

The anomaly was known in 2000. A major accident in which it was a causal factor occurred 2002. The change was made in 2008. I think it is a scandal that it took so long to remedy this anomaly and that so many were killed on the way.

Third, Issue 4.5 of my paper concerned the cognitive state of the operators (the crews) and the decisions they took. I used an analysis method which I called the Rational Cognitive Model (RCM). Intuitively, it works like this. Suppose the operators were replaced by perfect robots with the same cognitive information and programmed with the TCAS operator procedures, as well as algorithms to make decisions according to the information and procedures. What would the robots do? I pointed out that the robots piloting the Russian aircraft might well have chosen to descend, as the Russian crew did, and for which they have been roundly criticised by all and sundry.

I have subsequently looked at various sociotechnical interactions using RCM. A number of them are analysed in Verbal Communication Protocols in Safety-Critical System Operations, a chapter in the Handbook of Technical Communication, Mouton-de Gruyter, 2012. I have also analysed road accidents, including multiple-vehicle pile-ups on motorways in fog, in The Assurance of Cyber-Physical Systems: Auffahr Accidents and Rational Cognitive Model Checking, which was supposed to be a chapter of a book. I applied RCMs subsequently to same-direction road traffic conflicts (as a bicycle rider, and not necessarily a slow one, I have plenty of experience to draw on). The paper is not yet available.

Ten years on, it is instructive to see how far we have come. I suggested that TCAS be verified using Rational Cognitive Model Checking (RCM-checking). RCM-checking consists in enumerating all the configurations which can occur and determining that the desired operator behaviour under decision-making gives the right outcome. I exhibited in my 2002 note and 2004 paper, and again explicitly in the 2012 Handbook chapter, a situation in which this “right outcome” cannot be assured, namely the Überlingen situation. The 2012 Handbook-chapter formalism makes clear that this is a (small) finite-state-machine calculation, well within the ability of existing model checkers.
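To make the three points above concrete, here is an added Python example. It is my illustration as editor, not Ladkin’s WBA or RCM tooling and not the TCAS CAS logic. It runs the Counterfactual Test and an exhaustive RCM-check over an abstracted model of the encounter, and everything about that model is an assumption made for the example: two aircraft A and B converging at one level; ATC instructing A to descend; complementary initial RAs (A climb, B descend); a crew that either follows its RA or follows ATC; a Reversal RA that reverses the sense for the RA-following crew when both crews end up manoeuvring the same way; and “separated” meaning the two crews move in different vertical directions, with any shared direction (including both holding level) recorded as a collision. The names Scenario, collides, is_necessary_causal_factor and rcm_check are mine.

```python
"""Toy RCM-check and Counterfactual Test over an abstracted two-aircraft encounter.

Added illustration: not Ladkin's WBA/RCM tooling, not the TCAS CAS logic.
Every modelling choice below (complementary initial RAs, two crew policies,
reversal going to the RA-following crew, 'different vertical direction'
standing in for separation) is an assumption made for the example.
"""
from dataclasses import dataclass, replace
from itertools import product
from typing import Dict, List, Optional

CLIMB, DESCEND, LEVEL = "CLIMB", "DESCEND", "LEVEL"
FOLLOW_RA, FOLLOW_ATC = "FOLLOW_RA", "FOLLOW_ATC"
OPPOSITE = {CLIMB: DESCEND, DESCEND: CLIMB}


@dataclass(frozen=True)
class Scenario:
    tcas_in_use: bool               # is TCAS fitted and issuing RAs at all?
    reversal_ra_implemented: bool   # does the logic reverse an RA once the initial sense has failed?
    atc_to_a: str                   # ATC vertical instruction to crew A (LEVEL = no instruction)
    policy: Dict[str, str]          # decision rule per crew: FOLLOW_RA or FOLLOW_ATC


def initial_ra(s: Scenario) -> Dict[str, Optional[str]]:
    """Complementary initial RAs (assumed), or none when TCAS is not in use."""
    if not s.tcas_in_use:
        return {"A": None, "B": None}
    return {"A": CLIMB, "B": DESCEND}


def crew_action(s: Scenario, ac: str, ra: Optional[str]) -> str:
    """The 'robot crew' of an RCM: apply the crew's decision rule to the information it has."""
    atc = {"A": s.atc_to_a, "B": LEVEL}[ac]
    if s.policy[ac] == FOLLOW_RA and ra is not None:
        return ra
    return atc  # follow ATC, or hold level when there is nothing to follow


def collides(s: Scenario) -> bool:
    """Run the abstracted encounter: initial RAs, crew reactions, optional reversal, outcome."""
    ra = initial_ra(s)
    act = {ac: crew_action(s, ac, ra[ac]) for ac in ("A", "B")}
    if act["A"] == act["B"] and s.tcas_in_use and s.reversal_ra_implemented:
        # Same-sense manoeuvre: reverse the RA of whichever crew is actually following its RA.
        for ac in ("A", "B"):
            if s.policy[ac] == FOLLOW_RA and ra[ac] in OPPOSITE:
                ra[ac] = OPPOSITE[ra[ac]]
                act[ac] = crew_action(s, ac, ra[ac])
    return act["A"] == act["B"]  # same vertical direction = no separation in this toy model


def is_necessary_causal_factor(s: Scenario, factor: str) -> bool:
    """Counterfactual Test: the outcome occurs, and would not occur had only this factor been otherwise."""
    alt = replace(s, **{factor: not getattr(s, factor)})
    return collides(s) and not collides(alt)


def rcm_check(reversal_ra_implemented: bool) -> List[Scenario]:
    """Enumerate every TCAS-in-use configuration of the model and return those that collide."""
    failing = []
    for atc, pa, pb in product((DESCEND, LEVEL), (FOLLOW_RA, FOLLOW_ATC), (FOLLOW_RA, FOLLOW_ATC)):
        s = Scenario(True, reversal_ra_implemented, atc, {"A": pa, "B": pb})
        if collides(s):
            failing.append(s)
    return failing


# The configuration the post discusses: A follows ATC and descends, B follows its RA and descends,
# and the logic in service at the time issues no Reversal RA.
UEBERLINGEN = Scenario(tcas_in_use=True, reversal_ra_implemented=False,
                       atc_to_a=DESCEND, policy={"A": FOLLOW_ATC, "B": FOLLOW_RA})

if __name__ == "__main__":
    print("collision in model:", collides(UEBERLINGEN))
    print("TCAS in use is a necessary causal factor:",
          is_necessary_causal_factor(UEBERLINGEN, "tcas_in_use"))
    print("missing Reversal RA is a necessary causal factor:",
          is_necessary_causal_factor(UEBERLINGEN, "reversal_ra_implemented"))
    for flag in (False, True):
        print(f"reversal implemented={flag}: {len(rcm_check(flag))} colliding configuration(s)")
```

Run as written, the model reproduces the two causal claims in the post: flipping only tcas_in_use or only reversal_ra_implemented removes the collision, so both pass the Counterfactual Test as necessary causal factors. The enumeration is the RCM-check in miniature: with the reversal missing, the configuration in which one crew follows ATC downwards while the other follows its descend RA is among the colliding ones; with the reversal implemented it drops out, and the only colliding configuration left is the one in which neither crew follows anything. The real TCAS state space is of course far larger, which is what a model checker rather than a hand-written loop is for.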

However, verifying a specific scenario for correctness or anomaly is clearly easier than running through all possible scenarios to check. Could current automated model-checkers check and verify all such states for a given system such as TCAS? I put this question to John Rushby, who has applied model checking in similar situations (see, say, his paper from 2002 on Mode Confusion and other automation surprises, of which I saw the original contribution in Liège in 1999). John has been at it three years longer than I, although I did have a go at Ev Palmer’s “Oops” example also using WBA and PARDIA in 1995-6. The latest version of John’s work with Ellen Bass, Karen Feigh and Elsa Gunter is from 2011. John suggested that checking large numbers of RCMs (say, more than 50 or so different scenarios) might well be difficult with current model checkers.

I am disappointed at the meagre take-up of these model-checking approaches to algorithms involving cooperative operator behavior. The technical material involved is not so very hard – every digital engineer nowadays has to deal with FSMs. Maybe a problem lies in that people still do not consider operator procedures subject to the same kinds of verification as other algorithms. Maybe this will change as more and more robots come “on-line” to replace humans in various activities. The safety of their interactions is surely governed by the international standard for functional safety of E/E/PE systems, IEC 61508, although for industrial fixed-base robots a new international standard is being developed. IEC 61508 requires assurance measures; maybe this will prompt interest in verification.

There are apparently still intellectual hurdles to overcome. One seems to lie in persuading people that sociotechnical procedures can be verified in the rigorous way it is (sometimes) done in informatics. Another is apparently to persuade them that this would yield any advantage. Which brings me to Brooker’s paper. Neale sent me an excerpt. Brooker takes exception to what I suggested should be done, namely
1. Check and fix the Reversal RA misfit so that design fulfils requirement.
2. Check the interaction between ACAS and Reduced Vertical Separation Minima (RVSM) more thoroughly.
3. Determine precisely in which circumstances ACAS algorithms are correct, and where they fall short.
4. Deconflict requirements and advice to pilots on use of ACAS.
5. Causally analyse the operator interactions using Rational Cognitive Models and decision theory.
6. Analyse carefully what happens when one actor has a false model of system state.

Brooker’s comment on all this: “some of Ladkin’s recommendations may not be very wise”.

Huh?

Brooker explains how he comes to this conclusion by means of an analogy. He discusses in a couple of paragraphs a situation in Ancient Rome, whereby bricks would fall off buildings onto or near passers-by. Apparently wives would push their husbands out of the way. He discusses some decision-theoretic aspects of, well, pushing one’s husband out of the way (as opposed, one might think, to pushing him under).

No arguments for relevance of this situation to that of ACAS are proffered.

So I have to look for clues around and about. Brooker says: “Ladkin says that it ‘‘should be precisely determined in which circumstances ACAS algorithms are correct and in which circumstances they fail.” But the first task is precisely what has been done under ICAO’s auspices for decades (Carpenter, 2004)”. I take it from this suggestion that Brooker has little idea of what is involved in verifying algorithms, as that term is understood in informatics. And I take it he is not familiar with my work, despite citing me, or that of Rushby.

I recommend that people take a look at Fulton’s work on collision-avoidance to see what such algorithm verification might look like. And, for those who are unfamiliar with it, at Rushby’s and my work to see some ways of verifying procedures involving operator decisions.

As I indicated, I think that the poor TCAS/ACAS engineering standards which were causally involved in the deaths of 70-odd people ten years ago are a scandal, as is the fact that it took a further six years for them to start to be fixed. We are on the way to developing techniques which can be used to avoid such poor engineering in the future. I think that work should be encouraged. I don’t see any point in denigrating that endeavor through facile commentary.



Stomachs and Cognition

1 12 2012

Something more mundane, but likely at least as relevant to many readers as yet another post on Hazard Analysis. Also, I have been struggling with the composition of a technical post on TCAS for a while, so a bit of whimsy might be in order.

I have suffered off and on from gastric ailments for a number of decades, having been first affected by persistent gastritis from just before I went to college until when I started graduate school (many people experience this the other way around :-) ). And then again for a while in my late thirties. It amazes me how long it takes me to discover simple, obvious things about my bodily comfort and general health. Such as, in the case I will relate, close on four decades. Standard medical advice with regard to gastritis is “cut out tea and coffee and alcohol until you feel better”. There’s a big part missing, especially about how to avoid the next bout. See below.

Some of it might have to do with upbringing. My mother nearly died of a cerebral haemorrhage when I was young. She woke up at night with a blinding headache, so my Dad said, and vomited every ten minutes. He “tried to cope” and finally took her to hospital in the car (we had no telephone) when he “couldn’t cope any longer”. Point one, which took me many years to understand: one inclines to “cope” when ill, but love, care and “coping” are sometimes less helpful than cold recognition and action. All emergency medical personnel know it, because they experience it daily, but we are all susceptible to the phenomenon nevertheless. Last year a close friend inadvertently poisoned herself, and it took hours of misery, dutifully attended by family at home, for her to realise she needed immediate medical help – and she’s a nurse!

Mental note to oneself. It’s about time to take a CPR and first aid course. I just read in The Guardian that 80% of people in Britain who suffer cardiac arrest outside of a hospital die of it, whereas the figure for that subgroup who are administered CPR by a passer-by until the ambulance gets there is only 35%. Besides, I can’t convert my FAA pilot’s licence to a German one until I take one.

So, returning now to tummies. A subject about which worry increases with age. But I want to talk about the insides, not the outsides.

I noticed a significant change in my gastric comfort when I first came to Germany for six months a couple of decades ago as a visiting academic in Hamburg. Certainly not because of German food :-) but I think because I didn’t use a car for six months, as compared with using it multiple times daily in California. I carried on not using a car in Switzerland, where I went next, and started cooking every night because I just couldn’t get in restaurants the stuff I liked to eat (if you want a disappointing gastronomic experience, try Chinese in Berne. Or, even worse, Mexican. If you’re Bernois/Bärner I doubt you will be offended by this observation, am I right?). I felt even better. I thought, there must be something more to this lifestyle-and-stomach stuff than “you feel better when you run or cycle more”, which was the limited extent of my personal wisdom before this experience.

Turns out there are people who suggest that the digestive system is a non-conscious but very complex cognitive system. One’s brain/mind reacts to lifestyle changes very obviously – too much “stress” (whatever that is) and one’s mood and demeanor change, as does one’s cognitive uptake. We pay attention to our brains because of the phenomenon of consciousness, and it may well be that we don’t pay attention to what our stomachs are doing because they don’t “tell” us in the same way in which our mind does. But, so the thinking goes, the digestive system is as important as the brain for well-being. It’s a hypothesis worth considering.

There are simple things one can do to find out about basic stomach state. My lady friend above, the nurse, is full of helpful info. For example, you can buy litmus paper strips to measure the acidity of your sputum. You stick one on your tongue for a couple of minutes and read it. It turns out I have very acid sputum, which correlates with an unusually acid stomach (it doesn’t test for personality :-) ). I tested every few days for a while, until I thought I could pretty much guess my stomach acid level intuitively from how I was feeling.

What to do about it is equally simple. Foodstuffs are classified as basic, acid or neutral, and if you know that, then in times of more-acidic stomach one can simply avoid the acidic ingredients and eat more basic ones. So, for example, I love limes, used to put them in my tea as well as fruit juice, and on cut fruit to keep it from oxidising in the fridge as well as for flavor. I also love caramelised shallots, and garlic, indeed I used to use fair amounts of garlic with almost every meal. All acid. Bread is acidic; potatoes are basic. Cheese is acidic (I think), butter is neutral. And so on.

In recent times, I have cut out the limes and the garlic except for occasionally, and reduced the onions. It works. I can indeed moderate my stomach acid through diet. Trivial chemistry, but it never fails to astonish me how ignorant I can be of such things until others point it out. There are increasingly fancy medicines one can get to treat acidic stomach, of course, but why medicate when diet does it? As I said, it took me four decades to find out. Duuuhh.

If I’d cut out the evening glasses of wine I’m sure it would be even better, but then what would be the point of evenings?



Recharging Electric Road Vehicles

31 10 2012

I chair a group of specialists (electrical engineers, safety analysts, others) mandated by the German electrical-engineering standardisation organisation DKE to undertake a risk analysis of the process of recharging electric road vehicles.

We have been working now for close on one and a half years, on conductive charging, and have a document under internal review purporting to offer a high-level risk analysis of recharging using so-called “Mode 3”, in which a charging station permanently attached to the ground or to a structure is used. This mode offers charging-service providers and equipment providers the widest scope to ensure safety of the charging process, because anything considered necessary to assure an appropriate degree of safety (“safety functions” in the lingo of IEC 61508) can be built in to the box.

Other modes are Mode 2, in which a “box” with appropriate circuitry and safety mechanisms is built into the cable used for charging a vehicle, while the cable itself plugs straight in to building circuitry; and Mode 1, in which a charging cable is attached at one end to the vehicle and at the other to building circuitry, without any intermediating electrics or electronics.

The Renault Twizy car has a cable in front allowing Mode 1 charging (also Mode 3) through a normal “SchuKo” plug (“SchuKo” is short for “Schutz-Kontakt”, which means “contact-protected”, the usual kind of household plug through which current cannot flow until the person handling the plug is physically separated from live parts).

Inductive charging is somewhat further in the future.

The method we are using is a mix of OHA and HazOp. The OHA part is to consider the entire connected chain as a system, consisting of objects (subsystems)

  • grid supply
  • fixed charging column with connection to grid
  • charging column/charging cable interface (plugset)
  • charging cable
  • charging cable/ vehicle interface
  • vehicle

and to define the properties of and relations between these objects which we consider relevant to safety properties. We use the HazOp guideword process to extend the set of properties to consider and to guide us to possible hazard situations. We associated each hazard specifically with one of the subsystems involved in it.

We then used event trees to estimate the severity (worst-possible outcome) of each hazard. We were concerned with the outcomes “electric shock” (to a person) and “fire”. We consider electric shock to a person to be at worst immediately deadly, and fire less so, because a person generally has some possibility of extricating him- or herself from a fire situation. We evaluated each hazard as to whether it was unforeseeable, theoretically possible, or plausible.
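The mechanics of that method, as an added Python sketch of mine: it is not the working group’s document and contains none of its findings. The six subsystems are the ones listed above; the guidewords are the usual HazOp set; the properties, the example deviations, the event-tree questions and the likelihood ratings are constructed placeholders chosen only to exercise the code. The names deviations, Branch, worst_outcome, Hazard and risk_register are mine.

```python
"""Scaffolding for the OHA + HazOp + event-tree method described in the post.

Added illustration: not the DKE working group's analysis. Subsystems are the
post's six; guidewords are the standard HazOp set; every property, deviation,
event-tree question and likelihood rating below is a constructed placeholder.
"""
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Tuple, Union

SUBSYSTEMS = [
    "grid supply",
    "fixed charging column with connection to grid",
    "charging column/charging cable interface (plugset)",
    "charging cable",
    "charging cable/vehicle interface",
    "vehicle",
]
GUIDEWORDS = ["NO", "MORE", "LESS", "REVERSE", "OTHER THAN", "EARLY", "LATE"]

# Outcomes in the post's severity order: electric shock is treated as worse than fire.
SEVERITY = {"no harm": 0, "fire": 1, "electric shock": 2}
LIKELIHOOD = ("unforeseeable", "theoretically possible", "plausible")


def deviations(properties: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """HazOp step: every (subsystem, property, guideword) triple is a candidate deviation to examine."""
    return [(sub, prop, gw)
            for sub, props in properties.items()
            for prop, gw in product(props, GUIDEWORDS)]


@dataclass
class Branch:
    """One yes/no question in an event tree; each side is another Branch or an outcome leaf."""
    question: str
    yes: "Node"
    no: "Node"


Node = Union[str, Branch]  # a leaf is an outcome string from SEVERITY


def worst_outcome(node: Node) -> str:
    """Event-tree severity as the post defines it: the worst possible outcome over all leaves."""
    if isinstance(node, str):
        return node
    return max((worst_outcome(node.yes), worst_outcome(node.no)), key=SEVERITY.__getitem__)


@dataclass
class Hazard:
    subsystem: str     # each hazard is associated with exactly one subsystem
    deviation: str     # "property: GUIDEWORD"
    tree: Node
    likelihood: str

    def __post_init__(self) -> None:
        if self.subsystem not in SUBSYSTEMS:
            raise ValueError(f"unknown subsystem: {self.subsystem}")
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood class: {self.likelihood}")

    @property
    def severity(self) -> str:
        return worst_outcome(self.tree)


def risk_register(hazards: List[Hazard]) -> List[Hazard]:
    """Rank hazards: worst severity first, then the more likely first."""
    return sorted(hazards,
                  key=lambda h: (SEVERITY[h.severity], LIKELIHOOD.index(h.likelihood)),
                  reverse=True)


# Constructed placeholder entries, chosen only to exercise the machinery above.
EXAMPLE_HAZARDS = [
    Hazard("charging cable", "insulation: LESS",
           Branch("live conductor exposed?",
                  Branch("person touches it before a protective device disconnects?",
                         "electric shock", "no harm"),
                  "no harm"),
           "theoretically possible"),
    Hazard("charging cable/vehicle interface", "contact resistance: MORE",
           Branch("local heating sufficient to ignite nearby material?", "fire", "no harm"),
           "plausible"),
    Hazard("grid supply", "voltage: NO",
           "no harm",  # a bare leaf: this placeholder deviation is rated harmless in itself
           "plausible"),
]

if __name__ == "__main__":
    for sub, prop, gw in deviations({"charging cable": ["current", "insulation"]})[:5]:
        print(f"examine: {sub} / {prop} / {gw}")
    for h in risk_register(EXAMPLE_HAZARDS):
        print(f"{h.severity:14s} {h.likelihood:22s} {h.subsystem}: {h.deviation}")
```

The two pieces a practitioner can reuse are the cross-product in deviations, which makes the HazOp walk exhaustive rather than dependent on whatever comes to mind in the meeting, and worst_outcome, which implements “severity is the worst leaf of the event tree” without needing branch probabilities; the likelihood class is kept as a separate qualitative rating, as in the post.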

There are a number of memes concerning this task which I would like to introduce into discussion amongst safety specialists. I would like to ask for any of your thoughts on the following memes. I would like to share some thoughts transparently with colleagues, and wish to give appropriate credit for contributions, so I would be grateful if you would indicate whether your name, with or without your affiliation, may be associated with your view or whether you wish your comment to be anonymous. My email address is ladkin”AT”rvs”DOT”uni-bielefeld”DOT”de.

Meme 1. Electric vehicles are no different from other devices, for example lawnmowers, in the business of being attached to the grid. The same issues arise with electric vehicles as with lawnmowers: no more nor less.

PBL: I strongly disagree with this assertion. Electric road vehicles store large amounts of energy in batteries; lawn mowers don’t. This energy could theoretically, through malfunction, be discharged into the circuit to which the vehicle is connected: lawnmowers cannot do this. This energy could also intentionally be made available to power building circuits; lawn mowers cannot offer this.

Meme 2. Any risks resulting in electric shock or fire resulting from charging an electric vehicle on a household or building circuit are already known, and have been for decades.

PBL: I have not seen a proof of this assertion. Surely, to prove this assertion it is necessary to perform a risk analysis? Before ours, to my knowledge, one has not been performed.

Meme 3. Any risks resulting in electric shock or fire resulting from charging an electric vehicle on a household or building circuit are fully covered by an adequate set of electrical standards.

PBL: I have not seen a proof of this assertion. Surely, to prove this assertion it is necessary to perform a risk analysis and to see explicitly that all purported risks are already covered in the existing standards?

Meme 4. The term “risk analysis” gives lay people who might buy them the impression that there are risks associated with electric vehicles and so the term should be avoided at all costs.

PBL: There are obviously risks associated with any road vehicles, including electric ones. The term “risk analysis” is a technical term denoting a specific kind of analysis which ISO/IEC Guide 51 requires to be performed in any standard which concerns safety of equipment. I do not agree with avoiding precise, universal technical terms because they might in some way “scare” lay people. I suggest, instead, explaining what the technical term means and that such analysis is part of defined best practice.

Meme 5. Any risks associated with the electric vehicle are covered by the requirements of ISO 26262 (governing the functional safety of road vehicle E/E/PE systems). Any risks associated with the charging system are covered by the requirements of IEC 61508 (governing functional safety of E/E/PE systems). Therefore any risks of charging such vehicles are fully covered.

PBL: There are two mistakes here.

First is to argue from the premises that (a) the risks involved in using System A are known, and (b) the risks involved in using System B are known, to the conclusion (c) that the risks in using A-composed-with-B are known. Counterexamples abound.

Second is to think that IEC 61508 (indeed ISO 26262) works like, say, an electrical-safety standard: that if you do this-and-this everything will be alright. IEC 61508 specifies how care is to be taken, and what analyses are to be done, in designing and operating safety-related E/E/PE kit. It does not, and cannot, guarantee any specific outcome (such as freedom from accidents); whereas standards in electrical safety are intended to guarantee freedom from electric shock.

Meme 6: There are no risks associated with maintaining and operating electric road vehicles that are not also associated with maintaining and operating gasoline-powered road vehicles.

PBL. This is obviously not true.

For example, the possibility of a dangerous electric shock from an electric road vehicle is obviously different from the possibility of a dangerous electric shock from a gasoline-powered road vehicle.

A second example: gasoline-powered cars are refueled on separate spaces set aside for this very purpose from the road, called gas stations or petrol stations, and behavior on or around them is controlled. Dangerous accidents with speeding vehicles are unlikely. Whereas “refueling” electric road vehicles is proposed while the vehicle is parked on the public road – indeed we have two such recharging points in Bielefeld. Vehicles parked on the public road are more susceptible to involvement in higher-speed collisions with their ensuing damage.

A third example: damaged electric road vehicles have been known to burst into flames many days or weeks later. Luckily, known instances have been test cars at storage sites.

A fourth example: batteries in some electric road vehicles are susceptible to thermal runaway. Much smaller batteries in most gasoline-powered vehicles are not.

Meme 7: The risks associated with maintaining and operating electric road vehicles are equivalent to those associated with maintaining and operating gasoline-powered road vehicles.

PBL: The word “equivalent” here has an unclear meaning. Suppose it is to be given a precise meaning (say, chances of death or serious injury). Then surely a risk analysis, of which a risk analysis of recharging electric road vehicles is part, must be performed in order to be able to draw such a conclusion.

Meme 8: A risk analysis without listing the possible causes of the hazards is not helpful.

PBL: There may be many and varied causes of a hazard. For example, damaged electronics which lead to a later disadvantageous effect on behavior. How could electronics be damaged in such a way? There are quite a lot of examples in the literature. Maybe Kevin Driscoll’s slide show Murphy Was An Optimist, Version 19 of which is at http://www.rvs.uni-bielefeld.de/publications/DriscollMurphyv19.pdf , is a good place to start. What one really wants to do as the result of a risk analysis is to reduce the risk. One way of doing that may well be to mitigate the hazard by hindering the most deleterious consequences given that it has occurred. Given the variety of damage that might be caused to electronics, maybe in ways we haven’t thought of yet, indeed, given that it is an uncompleted major project of one of the leading researchers in the field, listing all the specific causes and the damage that ensues seems to me less helpful for the task of risk-assessing recharging operations than abstracting and considering what might result from any situation in which there is “damaged electronics whose behavior is different from that required and expected”.

Meme 9: These issues are concerned with electrical safety. Functional safety has no role to play.

PBL: As these technical terms are defined, electrical safety is part of functional safety for E/E/PE equipment.

Acknowledgement: Thank you to Bernd Sieker for commentary and critique.



Scientific Publishing: Letter to An Editor

2 08 2012

Here is a letter I just sent to the editor of a prestigious journal. I follow it with some links to the general debate about scientific publishing and publishers’ business models.

Dear Editor,

On 8/2/12 4:22 AM, SCP Editorial Office wrote:
> Ms. Ref. No.: SCICO-D-12-xxxxxxxxxxxxxx
> Title: XXXXXXXXXXXXXXXXXXXXXXXXXXX
> Science of Computer Programming
>
> Dear Prof Peter Ladkin,
>
> On May 12, 2012, I sent you the abstract below, which has been
> submitted for consideration for publication in Science of Computer
> Programming. I would be most grateful if you could find the time to
> read the paper and comment on its suitability for publication.

Yes, you did. Here is my view.

SCP is a premier journal in theoretical computer science. Unfortunately, my university had to cancel its subscription a number of years ago because of the expense, with only two groups (mine and one other in the faculty) consulting it regularly.

You are asking me to work for free for a journal which our university library can’t afford. What are you offering in return for my work? Maybe a free subscription for a couple of years?

As you know, the business model (including profit margin) and dominance of the publisher of SCP (and another company) in the field of scientific publishing has been a matter of international concern for some time. The British government has recently announced plans to reject such models in all cases in which research is publicly funded.

Besides the cost, the business model includes that authors transfer essentially all rights to their own work to the publisher. In 2011, I engaged with the other company twice in negotiations to retain my right to publish two invited talks on my WWW site, and include one in a book I am preparing. One of these negotiations was successful, the other not; the paper was not included in the conference proceedings.

I do think the progress of science depends on work being made widely available to all scientists, and such restrictive practices hinder that. The work whose retention I could not negotiate is widely disseminated within the German standards body and the IEC, where it is serving to help negotiate the next revision of the E/E/PE functional safety standard IEC 61508. Had I signed my rights away, this would not have been possible.

I have strong objections both to the price which SCP charges in an environment in which the publisher makes considerable profit but my university cannot afford to subscribe, thus hindering the availability of the work in SCP to us, and to the transfer of publishing rights from author to publisher without consideration of availability issues.

For these reasons, I am somewhat reluctant to work for you for free without a counter offer which gives my university something we want. Besides which, I doubt whether I have the time at the moment.

I do know the work. A shorter version was submitted to the SAFECOMP conference this year, and I reviewed it as a member of the programming committee. I think it is very likely you will end up accepting it for publication.

> Please let me know whether you are able to carry out the review
> by logging onto the system at

I am letting you know by sending you email, which for me is a far preferable communication medium. I much prefer a system whereby I am sent the paper by email by a real person and submit my review by return email. I have pages of a notebook full of login names and passwords for various WWW-based systems I was asked to use or wanted to use, and this collection was growing too fast. I am aware of all the mental algorithms people suggest for managing such collections. But this device has become a very unsatisfactory system of authentication, to the point at which personal email is a better system in most respects (for example, you have a number of ways to ensure, if you wish, that the person writing this email is really me, whereas since you sent me your email in plaintext, I bet there are a half dozen script kiddies around the world that now know how to log in to your system as me; our university backbone net was first demonstrably compromised over a decade ago). Besides, the software behind such WWW-based systems is often painful to negotiate.

I do hope you appreciate my concerns about the situation with some scientific publishers, even if you do not agree with them. I have laid them out, because I am not alone with these concerns, as the situation in Britain has shown, and I and others would like to see your publisher make different arrangements which enhance the availability of scientific work.

Regards,

PBL

I think there is a crisis in scientific publishing. It was highlighted by the columnist George Monbiot in The Guardian last year as well as by Professor em. David Colquhoun in his blog Improbable Science, which is archived by the British Library. There are some interesting studies of the economics of scientific publishing by Professor Ted Bergstrom of UCSB, who has a “journal pricing” page and has also made available a study by financial services company Morgan Stanley’s European division. Some measures to change this situation were recently reported by The Guardian newspaper, concerning general British government plans for publishing publicly-funded research following a report by Professor Dame Janet Finch, as well as imminent measures for publishing work funded by the UK Department for International Development.

I am not the only person declining to participate in SCP’s publisher’s business model. There are some 12,000+ more.

I note that there are some universal concerns, such as subscription or individual-article costs, the profit made by commercial publishers mostly at public expense, including the effort provided for free by authors and reviewers, and the availability of the result, but that different branches of intellectual endeavor have their own unique concerns, such as in the area of safety-critical systems the difficulties working industrial engineers encounter in having their companies sign the existing publishing contracts on offer. Thus my colleagues at SCSC Newcastle were unable to publish all invited papers this year in the proceedings volume of their Safety-Critical Systems Symposium 2012. This has got to change. Not being able to publish papers by working industrial engineers is an unacceptable situation.



Concerns About Spent Fuel Pool 4 at Fukushima Daiichi

5 06 2012

In Risks-26.86, Tobin Macginnis pointed to a Japanese documentary on the continuing dangers of SFP4, via Dave Farber’s IP list and PGN’s redaction. In Risks-26.87, Dan Yurman claimed in response that

this nonsense has been thoroughly debunked by a special post at the blog of the American Nuclear Society

as well as

Scare the socks off people propaganda is never a substitute for engineering reality. You might just as well try to build railroads on snow drifts

He linked to the post, by a former navy nuclear technician Will Davis. When you look at the post, please do note the URL: “spent-fuel-at-fukushima-not-dangerous”. What guff! Of course it’s dangerous. The actual written headline is more benign: “Spent fuel at Fukushima Daiichi safer than asserted”.

Yurman’s claim of “propaganda” got my goat, for his post itself seemed to me to be little more than that. I sent PGN and Yurman a message saying so. Yurman responded that

No one on the [ANS Fukushima commentary] team is interested in propaganda. The article went through two rounds of fact checking.

I replied that I thought he (and Davis) were ignorant of basic safety engineering techniques and suggested

* he [and colleagues at ANS] perform a hazard analysis, followed by

* enumerating the worst-case outcome from each hazard identified, and

* giving some kind of assessment of the chance that that worst-case outcome will be realised

Yurman replied that he was sorry to see that I had “chosen to make emotional insults over engaging in dialog”.

Such reactions are why I prefer to avoid such “dialog”. Yurman had publicly asserted that people worried about the worst-case outcome of an SFP4 structural failure were engaging in “propaganda”. When I suggest he was ignorant of system safety techniques and might like to try a hazard and risk analysis, he takes that as an insult. It is rather a statement of fact, followed by a sensible suggestion. He is right about the emotion, though – I strongly believe that people who comment in public on matters of engineering detail should both possess and use the appropriate engineering knowledge, and I didn’t think either Yurman or Davis were exhibiting it.

The steps above are recommended by ISO/IEC Guide 51: Safety aspects – Guidelines for their inclusion in standards, 1999. Guide 51 says that a hazard analysis should be performed, followed by an assessment of the risk, and a step to introduce measures for risk reduction (mainly avoidance and mitigation of the risk). I regard an assessment of the worst-case outcome of a hazard as part of such a risk assessment, as do most system safety engineers (for example, it is built in to the definition of “risk” in Leveson’s book Safeware, Addison-Wesley 1995) and sociologists concerned with technological risk (see, for example, Lee Clarke’s book Worst Cases, University of Chicago Press, 2005).

So, this approach is standard in system safety engineering and I think Yurman is ignorant of it. He is by no means the only one. Had the operator Tepco performed such an analysis of the tsunami risk before March 2011, rather than, say, peremptorily dismissing the concerns of a tsunami expert at a meeting at the regulator two years before, we would likely not be discussing an accident at all and the prospects for the future of nuclear power would still seem rosy. Indeed, Tepco had no need to perform such an analysis: it had been done for them. Dave Lochbaum of the UCS had pointed out the dangers of station blackout through flooding the basement equipment of BWRs as early as 1992, and this specific danger, of essential equipment being rendered susceptible to flooding, resulting in a station blackout, was also written out explicitly in Charles Perrow’s book The Next Catastrophe, Princeton University Press, 2005. (Perrow was maybe wrong; it wasn’t the next catastrophe, it was the next-but-one, if you count Deepwater Horizon as a catastrophe).

Davis argues in the ANS article that

there’s no basis to assertions of shaky buildings, or a structurally failed 1F-4 plant, or the chance of zircalloy cladding fire, or billowing of the released material to the entire earth

and recommends

Realistic, practical analysis, performed by personnel on site (TEPCO/NISA), nuclear professionals here in the United States with decades of experience in both theory and practice, and official peer-reviewed studies and documents (e.g., NUREG /CR-4982)

Yes, there is nothing like an appeal to authority to sound authoritative. Keep in mind former Prime Minister Naoto Kan’s recent comments, reported by Martin Fackler in the New York Times on May 28, about the difficulties he had getting reliable information and advice from the operator Tepco in the days of emergency just after the accident, and his conclusion that these characteristics are so entrenched in the power companies and their support structure (the “nuclear village” as he called it) that Japan cannot safely run nuclear power operations. Consider also that Tepco manifestly missed the tsunami risk for 46 years. One can well wonder at the wisdom of taking Tepco at its word. As for those US “nuclear professionals” and “official peer-reviewed studies and documents”, how many of those people have actually performed an on-site inspection of the SFP4 structural modifications, followed by an analysis and assessment? As far as I know, only the operator and its contractors know the details of the structural modifications.

Davis thinks there is “no basis to assertions of….shaky buildings”. I would feel more comfortable if the operator’s design and execution of the structural modifications (including the ad-hoc cooling system) had been assessed by a qualified independent third-party and the results made publicly available. That “independent” bit appears, from recent history, particularly hard to achieve. Tepco claims, according to Davis, that the structural mods have been simulated in design-basis earthquake conditions. One wonders as usual about the assumptions made for the simulation, which obviously include how strong earthquakes behave; our current knowledge of such matters is not particularly reliable. There is also some reason to question whether the plant even adequately withstood the Tohoku quake itself, which is claimed to be within “design basis”.

Davis oddly suggests that “there is no basis for assertions of… billowing of the released material to the entire earth”. In fact, most radioactive material released to the atmosphere becomes circumglobal, as would be apparent to anyone who has looked at such distributions.

Enough of the background chatter. Let’s actually do what I suggested system safety engineers do, from the relative safety of our armchairs thousands of miles away. It’s not hard – it’ll fit into a couple of hundred words.

1. What is the hazard we are concerned with at SFP4? There are actually two.

a. Permanent loss of coolant and thus fuel-rod cover at SFP4 because of a leak or cooling-system failure;

b. Collapse of the SFP4 structure.

2. How could this happen? The structure could be compromised or collapse by itself, people having mistakenly assessed its stability. Or a major earthquake could compromise it.

3. What would be the outcome?

Concerning a: The fuel rods would heat up. The fuel itself is contained in a zirconium cladding, which is under internal pressure from gas (some is intentional; some more gas may have been produced as a result of the high temperatures attained during the cooling emergency in the early weeks of the accident). Zirconium begins to corrode at temperatures of around 100°C, which as far as I can tell are quite likely to be obtained if there is no coolant. After a while, the cladding would be compromised and the hot radioactive material in the fuel rods would be exposed to the atmosphere.

Concerning b: Fuel elements, which are some 4m long and not intended to be dropped from a height, could be damaged through impact if parts of SFP4 collapsed (recall SFP4 is many stories in the air) and could well break open, again exposing the radioactive fuel to the atmosphere.

Exposing this fuel directly to the atmosphere would result in radioactive material being released into the air. How much is released is anyone’s guess – it depends on how many rods are compromised. Once that process starts, it is going to be very difficult to get anyone near enough to it to be able to hinder its progression.

Those are the conclusions that Davis and Yurman would come to if they were able and willing to perform basic system safety analyses of the sort we teach to our undergraduates.



The Social Construction of Crime and Tort on the Internet

11 04 2012

Can things that look like hard facts and indeed are hard facts be socially constructed? Sure. But many people, indeed quite a few scientists, think not. I remember being quite surprised a decade and a half ago when I realized how many facts were indeed socially constructed. It is more obvious that social facts such as crimes and torts are socially constructed. Certain behavior is deemed to constitute a crime, and that is a construction; we (rather; our lawmakers) do it all the time. But facts about existing types of crime can also be socially constructed, and I find that much more problematic. What particularly concerns me here is the casual interpretation of existing categories of crime or tort on internet behavior.

I remember first realising how true it is that hard facts can be socially constructed by reading John Searle’s brilliant book The Construction of Social Reality. There are lots of facts about money. Money is just as real as my house. But it is purely a social construction. That doesn’t mean that “all truths are relative to the truthsayer”, as people such as the late Richard Rorty notoriously claimed. Many psychologists one encounters like to speak of what is “true for you” or “true for him”, but many of them still intuitively know they can be flattened by the bus they hadn’t seen when they try to cross the road and don’t look first, whatever they might think their truth consists in. Still, there is real meat, not just relative meat, in the debate between “realists” and “relativists”. Robert Nozick wrote a fine book, Invariances, on it in 2002, in which he argues truth is relative and tries to show to what. A decade ago, even I made my own minor contribution to the debate around the Sokal hoax and the Bricmont-Sokal review of some sociological thinking about science. But all that is not really my point here.

Before I get to that point, let me make a relevant plug. I recently read Harry Collins’ latest book, Gravity’s Ghost, which has a brilliant example of a social construction in science. Collins is notorious among some scientists (and some scientific philosophers, I think) for claiming that much of science is a social construction. No, say the scientists, it is about reality and fact (whatever those are, add the philosophers). Harry has studied the gravitational-wave community, the people trying to detect them, for many years, and far from playing one of those “truth-is-what-you-want-it-to-be” sociologists, he looks to have gone native. And he tells a great story. The book reads like a novel, and is quite short. If you want to know how “big science” is done, it is hard to think of a more entertaining introduction. The book also has one of the finest introductions I have read to the difficulties of statistical reasoning as a guide to reality, with insights I cannot recall having read elsewhere. I probably don’t agree with all of it, but I enjoyed reading it and wasn’t in critical mode as I did so.

One of the major problems, perhaps the major problem after that of money, in gravity-wave science, is knowing when you have seen something. Collins has a wonderful account of how a phenomenon was reified by vote. And the vote wasn’t unanimous! (Buy the book! Read it! End of Plug!)

I talk here about a social construction which worries me. Crimes and torts are being constructed out of Internet activity. I don’t mean here crimes and torts as traditionally conceived, which may be committed in ways enabled by internet technology. The Economist once argued against constructing specific internet crimes out of activities which are already proscribed, but which are enabled in different ways by new technology (in the 1990s; I am sorry that I no longer have the reference). As a classical liberal in my political thinking, I am very wary of the invention of new crimes specific to the internet, or reinterpreting old categories of proscribed behavior in inventive new ways to cover internet activity.

When working in California in the 1980s, I felt the consequences of the Morris Internet Worm. Robert Tappan Morris Jr. was widely vilified for having released the worm, and eventually convicted of a crime. I felt at the time that that was desperately all wrong. There is no doubt that it was a watershed moment. Companies and organisations were installing and selling artefacts that I felt were not completely fit for purpose. Specifically, large public companies were selling proprietary versions of the Unix operating system, with the Sendmail program compiled with the debug flag set, thus allowing a back door into root privilege on their customers’ computers. I felt that was simply negligent. That was just one example of people being unwise, arguably negligent, and enabling possible damage to innocent others. I was concerned that such things were becoming a major problem on the internet in those days (I have long considered this to have been decisively proved!).

What is one going to do about it? Since such habits constitute force majeure, any action must be political – you must bring it inconveniently to people’s attention, because they will ignore you, as they had been doing for years, if you just say “I don’t think this is a good idea” and leave it at that. But inconvenience too many people, and some of them are likely to try to criminalise your activity; force majeure again. It’s a dilemma; there is a fine line.

We now know well the competing philosophies. One (mine) says that Morris was performing what was, at that time, for that act, a legitimate public service. The public needs to be shown how bad things are, once, to start serious public debate and hopefully rectify the situation. That did not turn out to be the majority view. The majority view adds up the collective resources spent on combating the worm (stupidly or intelligently, all of it equal), puts it in dollar terms (or equivalent measure) and says to Morris “that is the damage you have caused”. And that is the view that prevails nowadays. That is the view proposed by the U.S. Department of Defence, which has added up all the resources it claimed were compromised by Gary McKinnon’s hack into and through their WWW sites. The fact that they were apparently using insecure software for a site that, by their own arguments, was essential for US national security is apparently no longer considered a significant and culpable act of negligence. I feel strongly that such unfortunate events as the McKinnon hacking episode and attempted extradition would not be happening had we collectively chosen the other reaction to Morris’s escapade some twenty-odd years ago: holding the owners of frangible systems more responsible for the effects of that frangibility.

Which is why I am exercised by what I take to be the invention of a tort. An article by Lauren Weinstein in today’s Risks 26.78 points to an interesting article by a Business-School computer scientist, Panos Ipeirotis, written a year ago, on a scheme for making money from internet advertising.

Someone set up a bunch of domains with benign names to host invisible ads which were then automatically clicked. The ads were of the pay-per-click variety, and the assessment was only made on the “host” site. However, as far as I understand it, the money went elsewhere.

What puzzles me, indeed slightly disturbs me, is that Ipeirotis and Weinstein describe this as “fraud”, and I presume the WSJ, which picked up on the story, does too. Yes, things that are happening and actions that are being taken are not what they seem, for example, an ad on a 0×0 frame cannot be “seen” by any human, the “click” on it is automatic, and a frame that is loaded is not necessarily the same frame that a cursory scan of the source code might lead you to think it was. But all of these things are commonplace in Internet commerce as it is currently practiced.

I wrote down what I think fraud is. Maybe readers would like to try it for themselves before reading below what I wrote, or what others wrote. I wrote

Fraud is a category of human behavior in which one party is led to believe something which is untrue or misleading by a second party, and is thereby led to engage in a valuable-goods or financial transaction whose nature is not in fact what the first party believes it to be; and where the second party benefits and the first party suffers deprivation.

I then looked it up in James’ Introduction to English Law, which is a standard short reference. It is part of the law of contract. There is something called a “representation”, which is a statement, in this case about goods or material involved in a potential transaction. An untrue representation is called a “misrepresentation”. The tort of “fraud” (or “deceit”) is committed when

a person makes a false representation of fact, knowing it to be false, or without believing it to be true, or recklessly, careless whether it be true or false. The false representation must, further, be made with the intention that it is to be acted upon by the party deceived, and if his claim is to succeed this person must prove that he actually did act upon it to his detriment. (Italics in original omitted)

So I got it more or less right, except that the second party does not need to benefit. A few moments’ thought shows why.

Now, I am sure that the notion of fraud has been extended to electronic actions, such as those made by automated trading devices, in various ways. But it seems to me that a notion of “misrepresentation” would be key to characterising something as fraud. Advertising is rife with misleading representation, but that misrepresentation has to do with perceived content, and there is a lot of law based around that. According to the definition in James’, above, a null representation, such as that shown in a 0×0 frame, would not count as a misrepresentation, for it is not untrue; and it is not untrue for it simply is not!

If something is commonplace, such as pop-under windows and suchlike, or dummy frames such as those with size 0×0, then it is surely not clear in what way there is a misrepresentation (in this technical sense). Saying nothing (or putting an ad in a 0×0 frame) even when you know something, does not constitute fraud: caveat emptor. And whether you are paid for “clicks” surely depends on what the contract says it pays for, and I doubt it says that only clicks are paid for which are made by a bona fide human sitting at a keyboard or tapping on his/her iPhone with intent to view. And in a world in which people pay real money for virtual artefacts on games such as Second Life, it is hard to rely on one’s moral intuition to determine when paying money for something or nothing is “OK” and when it is “not OK”.

If we don’t like what this person is doing, and we collectively decide to proscribe it, then let’s approach our lawmakers and persuade them to do so. Let us not put new whines in old torts.



Solar Storms (Coronal Mass Ejections) and Nuclear Power Plants

28 03 2012

The British Royal Academy of Engineering, an institution whose membership is nominated and elected only, is conducting a study on the engineering and societal impacts of space weather and has issued a call for evidence. I sent the following note on Sunday 25th March to policyAT[theRoyalAcademyOfEngineering] with a copy to the Office of Nuclear Regulation.


Dear Sirs and Mesdames,

You are performing a study of the effects of solar storms on UK infrastructure and asked for evidence to be submitted to this e-mail address by mid-April. I am hereby responding to that call.

Many nuclear power plants are dependent upon continuing supplies of electricity to support not only normal but emergency operations. Cooling systems, including emergency cooling systems, in most plants are dependent on continual (and continually reliable) supplies of electricity for control, and in some cases also operation.

The station blackout at the Fukushima Daiichi plant a year ago focused some attention (ours as well) on the vulnerability of such plants to design and operational assumptions which, in my view, a thorough hazard analysis of the modern variety would and should have made apparent.

Electricity supply to essential functions at nuclear power plants is provided “in depth”, that is, by redundant systems. The BWRs with Mark 1 containment at Fukushima Daiichi obtained power first self-generated, then from external grid supply, then from on-site diesel generators, finally from batteries. The self-generated power was lost upon shutdown, a response to the Tohoku earthquake, which also took out the external grid supply. Nearly an hour later, the diesel generators were flooded by the tsunami and the only electricity supply available became the batteries, which were scoped to supply for 8 hours. The physical requirement in that situation, though, was for far longer than that and the result (of that as well as other damage) was meltdown. I observe that, until recently, the requirement for battery power supply in “station blackout” conditions in some US power stations was only 4 hours. The US Nuclear Regulatory Commission has recently reconsidered that requirement.

One salient engineering phenomenon is that the satisfactory operation of many of these systems was predicated on independent failure of systems. For example severe ground movement and flooding seem to have been taken as independent events by the designers and builders, as far as we know. Whereas at Fukushima Daiichi those events had a common cause, namely the Tohoku earthquake. We see this phenomenon, an assumption of independence vitiated by common-cause events, time and again in engineering.

I understand that a recent solar storm in 1989 took out the grid power supply in Quebec for about nine hours http://en.wikipedia.org/wiki/March_1989_geomagnetic_storm . So it is possible for the consequences of a solar storm to exceed the “design basis” requirement for emergency-system operation at many nuclear power plants of the BWR design (I understand well that the UK has no plants of similar design; I use this simply as an example of how design assumptions and physical reality may not always connect well).

However, I know of no current public study of the effect of a solar storm (coronal mass ejection, CME) on US nuclear power plants, although recent articles in the New York Times by journalist Matthew Wald have detailed some current thinking and practical exercises to install emergency power generators: http://green.blogs.nytimes.com/2012/03/19/a-speed-record-on-the-power-grid/

A Fellow of your institution, Martyn Thomas, has given talks recently on the possible consequences of solar storms on some engineered systems. I am in regular contact with Martyn. He gave a talk at the Workshop I organised last August on the Fukushima Daiichi accident, and has recently given a talk at the Safety-Critical Systems Symposium in Bristol in February 2012, which was filmed by the IET at http://scpro.streamuk.com/uk/player/Default.aspx?wid=12667&ptid=32&t=0 . When Martyn asked during his talk who explicitly considered Carrington-type events in their hazard analyses, I was apparently the only person to respond positively. (I chair a standardisation committee in Germany which is performing a hazard analysis of charging electric road vehicles; we explicitly consider solar storms.) That suggests to me that awareness of the consequences of severe solar storms on UK infrastructure is not very high amongst even safety engineers. I would hope that your study could help remedy that.

The issues with hazard analysis and mitigation concerning complex safety-critical systems such as nuclear power plants are not trivial, and this is not the place to list them. But the most salient characteristic which came to light in our work is that the assumptions about what can happen which constitute what the US calls the “design basis” for these plants can be obscure, sometimes outmoded, and, as at Fukushima Daiichi, inappropriate. (It is particularly noteworthy that the vulnerability of the diesel emergency generation to flooding had been pointed out explicitly, most notably by the sociologist Charles Perrow in his 2007 book “The Next Catastrophe”. The possibility of station blackout of BWR designs due to flooding was not exactly an obscure phenomenon. How did the engineers miss that? We don’t know yet, although we have some hints. The answer will be given in my view by sociologists, not by the engineers themselves.)

I looked in the material on the WWW site of the Office of Nuclear Regulation for mention and consideration of solar storms, and found just one document from the Cabot Institute at Bristol University: http://www.hse.gov.uk/nuclear/fukushima/submissions/226920.pdf . So the ONR is aware of the potential for such storms, but the consequences of such storms are not considered at all in the vulnerability analysis which ONR performed at the request of the government in 2011: http://www.hse.gov.uk/nuclear/fukushima/final-report.pdf

I do think it essential that a careful analysis of the effect of severe solar storms on the safety and emergency infrastructure of nuclear power plants be performed. I think special attention should be paid to the general engineering problem of considering the issue of common-cause failures of kit whose design assumptions include independent failure.

I am moderately sure that you (and the ONR) will be aware of many of these issues already. I hope you understand, though, my desire to ensure that they are considered and hence this note.

Sincerely,

PBL
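The letter's central engineering point, that an independence assumption about redundant kit is vitiated by a common cause such as a flood or a geomagnetic storm, can be made quantitative. The following is an added example, not part of the letter or of this post: it compares the probability that all redundant emergency generators fail on demand under the independence assumption with the same probability under a beta-factor common-cause model and under an external shared-hazard model, and checks the beta-factor figure by Monte Carlo simulation. All numbers in it (per-demand failure probability, beta factor, flood probability, number of units) are illustrative assumptions, not data about any plant or about the BWR design.

```python
"""
Added example: independence assumption versus common-cause failure of
redundant emergency generators.  Every numerical value below is an
illustrative assumption chosen for the example, not a measured figure.
"""
import random


def p_all_fail_independent(p: float, n: int) -> float:
    """Probability that all n redundant units fail on demand if each
    fails with probability p and the failures are independent."""
    return p ** n


def p_all_fail_beta(p: float, n: int, beta: float) -> float:
    """Beta-factor common-cause model.

    A fraction `beta` of each unit's failure probability is attributed
    to a common-cause shock that disables every unit at once; the rest,
    (1 - beta) * p, is the unit's own independent failure.  The shock
    and the independent failures are treated as independent events, so
    the system fails if the shock occurs, or if it does not occur and
    every unit fails on its own.
    """
    common = beta * p
    independent = (1.0 - beta) * p
    return common + (1.0 - common) * independent ** n


def p_all_fail_shared_hazard(p: float, n: int, q: float) -> float:
    """External common cause: with probability q a single event (a flood
    reaching the generator hall, a storm-induced grid collapse) disables
    every unit regardless of its own reliability; otherwise the units
    fail independently as before."""
    return q + (1.0 - q) * p ** n


def underestimation_factor(p: float, n: int, beta: float) -> float:
    """How many times too optimistic the independence assumption is,
    relative to the beta-factor model with the same per-unit p."""
    return p_all_fail_beta(p, n, beta) / p_all_fail_independent(p, n)


def simulate_all_fail(p: float, n: int, beta: float,
                      trials: int, seed: int = 1) -> float:
    """Monte Carlo estimate of the beta-factor result: draw the shared
    shock first, then the n independent failures, per demand."""
    rng = random.Random(seed)
    common = beta * p
    independent = (1.0 - beta) * p
    failures = 0
    for _ in range(trials):
        if rng.random() < common:
            failures += 1            # common-cause shock: all units down
        elif all(rng.random() < independent for _ in range(n)):
            failures += 1            # every unit failed on its own
    return failures / trials


if __name__ == "__main__":
    P, N, BETA, Q = 0.01, 2, 0.1, 1e-3   # assumed values, see docstring
    print("independent:      ", p_all_fail_independent(P, N))
    print("beta-factor:      ", p_all_fail_beta(P, N, BETA))
    print("shared hazard:    ", p_all_fail_shared_hazard(P, N, Q))
    print("optimism factor:  ", underestimation_factor(P, N, BETA))
    print("Monte Carlo (beta):", simulate_all_fail(P, N, BETA, 400_000))
```

With the assumed values, the independence assumption gives 1e-4 for loss of both generators, while a modest 10% common-cause fraction gives roughly 1.08e-3, about eleven times higher; a shared hazard with probability 1e-3 dominates the independent term outright. Setting beta to zero recovers the independence figure exactly, which is the check that the common-cause term, not a modelling artefact, accounts for the difference.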

For those interested in analyses of the Fukushima Daiichi accident, I have a paper on it with clickable links (unlike the version in the Proceedings). I gratefully acknowledge the agreement of the Proceedings publisher, Springer-Verlag, for me to include the paper on our WWW site and note that the final publication from Springer is available at www.springerlink.com in the book Achieving Systems Safety, edited by Chris Dale and Tom Anderson. A video of the accompanying talk is also on IET.tv.