The Problems Of Fail-safes and Redundancy

When discussing nuclear safety we are often told by the nuclear industry that it has ‘fail-safes’, ‘built-in redundancy’ and so on that make its reactors ‘safe’. In this post I shall explore some of these claims. It should hold no surprises for people involved in nuclear safety, but I hope it will be useful to others.

The Failure of Fail-safe

A fail-safe design is one in which, if a component fails, it does so in the way that minimises the harm done. In practice, however, this often means that it fails ‘safe’ for the failure the designers believed was most probable. At Fukushima Daiichi Unit 1 the ‘isolation condenser’ shut down because the designers had judged a pipe break to be the most probable scenario [1]; shutting down was the ‘fail-safe’ action. During the accident, however, this left the reactor with effectively no cooling, so the fail-safe action resulted in fail-extremely-unsafe. Had it instead been designed to ‘fail-safe’ by not shutting down, it would have failed dangerously had there actually been a pipe break. For something to be truly ‘fail-safe’ it must fail to a safe condition in all circumstances, and a single fixed ‘safe’ position cannot do that when different failures call for opposite actions. This problem with fail-safe has also been discussed elsewhere [2].


The Problems of Redundancy

I will use a rather simple model to explain the problems with ‘redundancy’. The basic idea of redundancy is that more than one component is able to do the same task. Suppose we have a valve that controls the flow of water into or out of the reactor. We also assume that there is no ‘fail-safe’ position in the sense discussed above: sometimes we need the water to flow and at other times we need it to stop.


The valve is not 100% reliable and could fail. So we could fit two valves in series: if the first fails to shut, the second can still stop the flow.


However, we have now created a new problem. What happens if we want the water to flow but one of the valves has failed shut? Either valve stuck shut blocks the pipe, so with two valves that could fail we have (very nearly) doubled the probability that the flow is blocked.

We could get round this by adding a completely separate pipe.


So now if we cannot get water through the first pipe because a valve is stuck then we can get it through the second pipe.

However, we have now increased the number of valves to four and the number of pipes to two. Valves can leak, so the probability of a valve leak somewhere is now roughly four times what it was with one valve, and the probability of a broken pipe has roughly doubled.

Worse still, if the blue box on the right of the diagram is some important engineering feature such as the reactor pressure vessel, we have now doubled the number of holes in it for the pipes to go through. Such penetrations of the reactor pressure vessel greatly increase the probability of a leak or failure of the vessel.

Although redundancy can be a valuable safety feature, it always comes at the cost of additional complexity and more components that can fail. At some point adding yet more redundancy decreases safety rather than increasing it.
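The model in the text can be made exact. The Python below is an added example, not part of the original post; the failure rates in it are constructed numbers chosen only to make the effects visible, and it assumes independent failures, one vessel penetration per pipe, and that ‘stop the flow’ and ‘let water flow’ are separate demands. The text's ‘doubled’ and ‘four times’ are the first-order approximations of the expressions it computes, and the function best_series_count (my name) shows the point at which an extra ‘redundant’ valve on a pipe costs more (fails to open) than it buys (fails to shut).

```python
"""Reliability model for the valve/pipe redundancy argument.

Added example, not from the original post. Assumptions (mine, not the
author's): valve and pipe failures are independent; each valve fails to shut
on demand with probability p_stuck_open, fails to open on demand with
probability p_stuck_shut, and leaks with probability p_leak; each pipe breaks
with probability p_break; the vessel needs one penetration per pipe.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Layout:
    pipes: int            # parallel pipes into the vessel
    valves_per_pipe: int  # valves in series on each pipe


# Constructed failure rates, for illustration only.
P_STUCK_OPEN = 0.05   # valve fails to shut when told to
P_STUCK_SHUT = 0.01   # valve fails to open when told to
P_LEAK = 0.001        # valve leaks
P_BREAK = 0.001       # pipe breaks

SINGLE = Layout(1, 1)    # one pipe, one valve
SERIES = Layout(1, 2)    # one pipe, two valves in series
PARALLEL = Layout(2, 2)  # two pipes, each with two valves in series


def p_fail_to_stop(layout, p_stuck_open=P_STUCK_OPEN):
    """Probability the system cannot stop the flow on demand.

    A pipe is blocked if ANY of its series valves shuts, so a pipe stays open
    only when every valve on it is stuck open; the system fails if ANY pipe
    stays open.
    """
    pipe_unblocked = p_stuck_open ** layout.valves_per_pipe
    return 1 - (1 - pipe_unblocked) ** layout.pipes


def p_fail_to_flow(layout, p_stuck_shut=P_STUCK_SHUT, p_break=P_BREAK):
    """Probability the system cannot deliver water on demand.

    A pipe passes water only if EVERY valve on it opens and the pipe is
    intact; the system fails only if NO pipe passes water.
    """
    pipe_passes = (1 - p_stuck_shut) ** layout.valves_per_pipe * (1 - p_break)
    return (1 - pipe_passes) ** layout.pipes


def p_any_valve_leak(layout, p_leak=P_LEAK):
    """Probability that at least one valve in the layout leaks."""
    return 1 - (1 - p_leak) ** (layout.pipes * layout.valves_per_pipe)


def p_any_pipe_break(layout, p_break=P_BREAK):
    """Probability that at least one pipe breaks."""
    return 1 - (1 - p_break) ** layout.pipes


def vessel_penetrations(layout):
    """Holes through the vessel wall: one per pipe in this model."""
    return layout.pipes


def best_series_count(max_valves=6, p_stuck_open=P_STUCK_OPEN,
                      p_stuck_shut=P_STUCK_SHUT):
    """Number of series valves on one pipe that minimises the chance of
    failing EITHER demand, weighting the two demands equally. Beyond this
    count an extra 'redundant' valve makes the pipe less safe overall."""
    def combined(m):
        layout = Layout(1, m)
        return (p_fail_to_stop(layout, p_stuck_open)
                + p_fail_to_flow(layout, p_stuck_shut, p_break=0.0))
    return min(range(1, max_valves + 1), key=combined)


def simulate_fail_to_stop(layout, trials=50_000, p_stuck_open=P_STUCK_OPEN,
                          seed=1):
    """Monte Carlo cross-check of p_fail_to_stop with independent valve draws."""
    rng = random.Random(seed)
    failures = 0
    for _ in range(trials):
        # the system fails to stop if some pipe has ALL its valves stuck open
        for _pipe in range(layout.pipes):
            if all(rng.random() < p_stuck_open
                   for _ in range(layout.valves_per_pipe)):
                failures += 1
                break
    return failures / trials


if __name__ == "__main__":
    print(f"{'layout':>6} {'fail-stop':>10} {'fail-flow':>10} "
          f"{'leak':>10} {'pipe break':>10} {'holes':>6}")
    for name, layout in [("1x1", SINGLE), ("1x2", SERIES), ("2x2", PARALLEL)]:
        print(f"{name:>6} {p_fail_to_stop(layout):10.5f} "
              f"{p_fail_to_flow(layout):10.5f} {p_any_valve_leak(layout):10.5f} "
              f"{p_any_pipe_break(layout):10.5f} {vessel_penetrations(layout):6d}")
    print("series valves minimising combined demand failure:",
          best_series_count())
    print("Monte Carlo fail-stop for 2x2:", simulate_fail_to_stop(PARALLEL))
```

Running it reproduces the argument in the text row by row: two valves in series cut the fail-to-stop probability from p to p² but nearly double the fail-to-flow probability; adding a second pipe brings fail-to-flow back down but quadruples the leak exposure, doubles the pipe-break exposure and doubles the penetrations. With these constructed rates the combined demand failure is lowest at two valves per pipe; a third makes it worse.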

1 Lessons Learned from the Fukushima Nuclear Accident for Improving Safety of U.S. Nuclear Plants, The National Academies.

2 Passive safety: staying on track, Nuclear Engineering International, 25 September 2014.


2 Responses to “The Problems Of Fail-safes and Redundancy”

  • Peter Smith says:

    You are so right, I understand all you are saying as a retired senior engineer from the nuclear industry, who is now an anti-nuclear activist. However, you will not change the mind set of deluded megalomaniacs who are driven by a massive desire for power that is coming from very deep in their destructive psyche.
    The paradigm change can only take place by giving our energy and support to decentralised clean, safe Renewables. This will weaken and undermine their destructive power base by destabilising their central control structures. Just like the massive energy of the ‘mighty atom’ they feed off, their power base will then gradually disintegrate and decay. Look around it is already happening.

  • Pete says:

    Re-reading Perrow’s analysis of the Three Mile Island accident (Normal Accidents: Living with High-Risk Technologies) I noted an example of how a ‘fail-safe’ did not work. One of the causes of the accident was operators ‘cutting back’ on the High Pressure Injection during certain situations. After the accident, procedures were changed so that operators did not do this. However, it was later found that this caused other problems and so the guidance was changed back to something very similar to the pre-accident one.
