How Safe Is Safe Enough? To Engineers, It Depends

April 5, 2011

Joe Palca

No one likes things to break. We don't like holes to appear in airplane cabins unexpectedly; we don't like bridges to collapse; we don't like radioactivity to leak from nuclear power plants. But engineers have to design things to certain specifications, and they have to grapple with the question of how safe is safe enough.

When humans first started building things, determining whether they would work as planned was mostly a matter of trial and error. Build a bridge, drive a chariot across it, and see if it collapsed.

"And it really wasn't until the Renaissance, until Galileo, that there was what we could today call a rational approach to design through calculation," says Henry Petroski, a professor of engineering at Duke University.

He says computers and mathematical models now can predict how a bridge will behave under different conditions. But he says if you ask engineers to build a safe bridge or a safe nuclear plant, they ask you what you mean by that.

"The definition of safe is not strictly an engineering term; it's a societal term," he says. "Does it mean absolutely no loss of life? Does it mean absolutely no contamination with radiation? What exactly does safe mean?"

Once you settle that question, engineers still face the problem of deciding how to achieve whatever level of safety they are aiming for.

Michael Corradini, a professor of nuclear engineering at the University of Wisconsin, says first, engineers design for normal operating conditions. "Then with any engineering design, anything at all, you say, 'That's fine, that's what it operates on. But what if something happens that it experiences some unusual conditions?' "

So for example, let's says you're designing a bridge for a place where gale force winds and heavy snows are virtually unheard of.

"You still design for it so that the bridge safely performs its function," Corradini says. "Or if it fails, it fails gently, so there are no catastrophic effects." In other words, the bridge doesn't collapse.

Engineering For All Conditions

But what about other kinds of safety threats? How well will a bridge do if terrorists try to blow it up? What happens if operators in a nuclear power plant control room suddenly get sick? What if a meteorite falls on the plant?

Corradini says nuclear power plant designers try to think of everything.

"They have a listing of all the things they think can go wrong and how they can go wrong, and some sort of ordered list of which is more likely than others," he says.

And the possibility of a meteorite isn't a joke: "It's there somewhere — it's just a very low probability," Corradini says.

But sometimes, when you set out to build a nuclear power plant, you don't know exactly what the likelihood of a particular calamity might be.

"When we plan something, we always make assumptions," says Yotaro Hatamura, an emeritus professor of engineering at the University of Tokyo. He says engineers sometimes don't pay enough attention to history in making their assumptions.

Hatamura favors what he calls "backward thinking" — looking at a previous step in the process to see if it worked properly. For example: The reactor core might survive an earthquake, but what about the pumps that provide cooling water to the reactor? Or what about the backup generators that provide emergency power to the pumps? Or what about the fuel supply for the emergency generators?

He says accidents happen when engineers don't constantly test and revise the assumptions they've made about all the things that a nuclear plant needs to operate. Hatamura says it's not always easy to look back and admit to problems that you should have thought of in the first place.

"We don't see what we don't want to see. We don't want to think about scary things," he says. "That's just human nature." Copyright 2011 National Public Radio. To see more, visit http://www.npr.org/.