The official predicted catastrophic failure rate for the Shuttle has been about 3% per launch from the time that the design was finalized. Various upgrades to improve safety haven't changed this number, since the "unknown unknowns" are the dominant failure mode.
This failure rate, of course, was close to what we observed in experience.
What's funny about this is they were planning about 50 launches a year at the beginning, which, if they believed their own numbers, would have meant the loss of a vehicle and crew every year, and the complete destruction (or replacement?) of the Shuttle fleet on the time scale of five years or so.
The first failure (much like Three Mile Island) could be dismissed as a fluke, a problem which could be fixed. The second failure (like Fukushima) represented a typical failure mode -- there was a lot of hand-wringing over the ceramic tiles on the first few shuttle flights, and after a few flights without a disaster, NASA assumed there was nothing to worry about, and that was wrong. The shuttle program was ended because there's no way to make the ceramic tiles safe.
Now, Fukushima is an extreme case of a failure -- it was probably the worst built nuclear power plant in the most dangerous location, but it represents the most likely LWR failure mode: not a stuck valve or simple operator error, but a major catastrophe that prevents cooling of the core and spent fuel. Unlike the shuttle, we can make that a lot less likely.
> it was probably the worst built nuclear power plant in the most dangerous location
I was going to dispute this based on things I’ve heard about Russian reactor operations, but apparently they’re generally placed well away from natural hazards. Since you seem to pay attention to the issue, which do you consider the riskiest reactors now?
It's really quite an accomplishment that Canada's developed an exportable technology, but they aren't as safe as the LWR reactors that most countries use. One problem is that the piping is much more complicated than other reactors, so the possibility of springing a leak is much higher. CANDU reactors also have a positive void reactivity coefficient, which means that they're much more dependent on electronics to prevent power excursions. They also produce and leak tritium at a much higher rate -- it's not clear that this is a real problem, but it's very detectable. The economics of running on natural uranium aren't so good now that gas centrifuges can refine uranium more efficiently than the old gas diffusion plants.
Nobody will argue that a CANDU reactor properly operated will produce weapons-grade plutonium, but a country that's able to build CANDU reactors domestically could construct CANDU derivatives which would be useful for proliferation.
I wouldn't say that BWR reactors are categorically unsafe, but looking at the operating history, I think PWR reactors have a better record, even leaving Fukushima out. I don't know if BWR reactors or derivatives like the ESBWR have a future at this point. The Mark I BWR at the Fukushima site lacked many of the safety upgrades that have been made in other countries... Regulators in the US were aware of the problem that blew the roof off several of the reactors in the 1980s and took steps to prevent that step in the accident progression -- and don't kid yourself it wasn't significant, because a collapsed building is a dangerous environment that makes it hard to work around the reactor, particularly when you want to get in and get out fast to minimize your radiation dose.
I'd really like to see small PWR reactors with natural convection like mPower from B&W and the NuScale reactor. I think these can be very safe and also, being factory constructed, control the cost escalation that scares utilities away from investing in nuclear. I'd also like to see a realistic plan for fuel management -- we don't know the whole story at Fukushima yet, but spent fuel was part of the problem, and having a plan that's better than stacking it up at reactor sites is important.
Very interesting. I trained at a student reactor (TRIGA) but that was a while ago and we didn't learn that much about real-world considerations. I remember being told that CANDU happened to be near price parity with LWR in general, but that this was basically a coincidence and would change someday.
Do you have any remarks on “generation IV” reactors like VHTR and MSR? I’m particularly curious about PBR – seems like a cute idea with some possibly showstopping bugs.
Right now there's no real answer for disposal of carbide (VHTR/PBR) or fluoride (MSR) fuels. Geological disposal and reprocessing are credible for today's oxide fuels, but not for these. A fuel damage incident happened at the Oak Ridge MSR about 30 years after it was shut down -- radiolysis caused the production of F gas, which in turn caused the production of UF6, which migrated out of the drain tanks into carbon traps. There were no serious consequences, but enough U233 was involved that there could have been a criticality accident.
There is a grassroots thorium movement behind the MSR these days -- they're a bunch of smart, wonderful, and idealistic people but they're running against a headwind. The U.S. government is not interested in radical innovation in the nuclear space because it may open up new paths to proliferation. I think the most credible MSR concept is Moir and Teller's idea of having clusters of reactors built in huge underground bunkers. Small, modular reactors are exciting, but I find it hard to believe that online reprocessing would be practical for something small that isn't being watched over by a team of specialists.
Perhaps I'm a dinosaur but I still think FBRs on the plutonium cycle may have a market in the long term. It would take a long time for this to replace the LWR because of the slow rate Pu gets generated, but the amounts of Pu available in spent fuel would be sufficient to open up new markets for small modular reactors that are highly proliferation resistant. (A sodium fire probably kills you if you try to open it up, and then there's so much Pu240 you'll never make a bomb of it)
> The shuttle program was ended because there's no way to make the ceramic tiles safe.
Well... You could go the Buran route and put the engines on the booster. Then you could put the shuttle on the top of the booster and keep it safe from falling foam, with the added benefit of having some extra cargo space.
The VAB would have to go through some refurbishing.
There's a lot of great technology from the Shuttle, such as the avionics and the engines, that could be worth reusing. A lot of research work was done on Shuttle derivatives in the 1980's, but nobody was interested in making the investment to retrofit the VAB and the launchpad.
That, of course, is one of the great challenges of making improved launch vehicles. You ~might~ be able to lower the operations cost by investing in research and a new design, but the cost of the research is guaranteed to be high.
Falling foam is the threat to the tiles that everyone is thinking of (because it's happened), but it's not the only thing that can damage them. The tiles also have the big problem that they're expensive to maintain.
There are many alternative concepts for heat protection for re-entry, but there's no interest in making expensive research investments in something that could fail. Manned spaceflight is going back to 60's era ablators because we know they work.
To be sincere, the idea of sending a 737-sized reusable spacecraft to LEO when it usually lands empty is not practical.
You could send the payload up on non-reusable vehicles and, after a couple trips, send a reentry vehicle to bring down anything that still can be reused.
Actually, if you restrict yourself to a hypothetical "need to build something Shuttle like using available technology" universe then you can get something safer fairly easily. Buran, for example, was considerably safer for a few reasons, but we could make something even safer.
First, ditch the SRBs, they are a severe safety hazard (they led to one Shuttle disaster, for example) because they are segmented, they can't be throttled, they can't be turned off, etc. That leaves you with a thrust problem though, due to the low thrust of LOX/LH2 engines. So, second, replace LOX/LH2 with LOX/Kerosene. Now you have plenty of thrust, now you don't have to deal with super-cryogenic fluids, now you don't have to eke out every possible mass ratio boost on the ET because both LOX and Kerosene are fairly dense. Now you can ditch the foam insulation, and ice formation is slightly less of a problem.
Third, take the engines off the orbiter and put them on the booster (ET). Now you've created a vehicle, like Energia, which you can launch non-Orbiter cargo with. Realistically you haven't made things more expensive by throwing away expensive high performance engines every trip because it takes so long to inspect, refurbish, and re-install the SSMEs on the orbiter anyway that it's a wash money-wise, and probably for the best time-wise. On the plus side now the orbiter doesn't have to support the thrust of giant engines so its frame can be made lighter. Also, it doesn't have to bring those engines back down to Earth, so it can be yet lighter again.
Fourth, snip the wings off the orbiter. Turns out the military didn't really need a several hundred mile cross-range landing flight capability on the orbiter because the super-hypothetical mission that was designed for never turned out to be even remotely practical. So, smaller wings mean less mass and, again, a lighter frame. Now you've reduced the orbiter mass by a crap-ton and gotten rid of the huge amount of super vulnerable leading-edges on the wings. Now you can use a less sophisticated thermal shielding system on the orbiter (since it's lighter, smaller, and barely has wings at all), you don't need the carbon-carbon composite wing leading-edge bits, you don't need the vulnerable ceramic tiles that need to be meticulously inspected after every flight.
Now you have a vehicle that is much simpler and safer and yet does essentially everything that the old Shuttle system actually did in practice.
Granted, if you were designing something from a clean sheet at this point you would never end up with anything even remotely resembling the Shuttle.
"Only realistic flight schedules should be proposed—schedules that have a reasonable chance of being met. If in this way the government would not support NASA, then so be it. NASA owes it to the citizens from whom it asks support to be frank, honest, and informative, so that these citizens can make the wisest decisions for the use of their limited resources. For a successful technology, reality must take precedence over public relations, for Nature cannot be fooled."
"There is not enough room in the memory of the main line computers for all the programs of ascent, descent, and payload programs in flight, so the memory is loaded about four times from tapes, by the astronauts."
"There are perpetual requests for changes as new payloads and new demands and modifications are suggested by the users. Changes are expensive because they require extensive testing. The proper way to save money is to curtail the number of requested changes, not the quality of testing for each."
It must have been great to be the software team when this report hit. It's the only part of the engineering Feynman thinks is really good:
"To summarize then, the computer software checking system and attitude is of the highest quality."
And this is a good example of Conway's Law too, that software grows to resemble its organization. You can imagine that the software team at NASA during this time was the very bleeding edge of software - it was a somewhat new field, and they were doing the most dangerous stuff. I bet they recruited bright people, and those people's only assumption was that failure was not an option. They were probably used to their software failing all the time - they planned for the worst, and expected the worst, and had no preconceptions about their own abilities.
Compare that to the hardware side of things, probably filled with old-school aviation engineers who had been around the world a few times. The managers making the 1 in 100 calculations were probably hardware guys in the past too, because there weren't too many 45 year old programmers when this report came out.
And so they go in, with experience that says airplanes don't crash very much, and a space shuttle is just a big airplane. Cue the bureaucrats with their deadlines and budgets, and mix that with the arrogance of once-technical aviation engineer managers, and a 3% failure rate still sounds pretty rosy.
"When playing Russian roulette the fact that the first shot got off safely is little comfort for the next."
Love the quote, and something to bear in mind when evaluating less drastic forms of hazard. Anyone care to comment on Tufte's take on the graphics used by the Thiokol engineers? See