The Limits of Safety
by Scott D. Sagan
When Scott D. Sagan began writing The
Limits of Safety, he was confident in superpower control of nuclear weapons.
He was less confident after finishing the book. He is less confident now.
Sagan explores spirals of the
unexpected. When it comes to nuclear wars, all it takes is one series of
errors. During the Cuban missile crisis, a guard in Minnesota saw a saboteur
and shot the saboteur. Sabotage alarms were activated at other bases, but at an
air force base in Wisconsin, the wrong alarm went off--the alarm signaling all-out
nuclear war. Scrambled planes were stopped by an officer who drove his car on
the runway. (They could also have been called back once they were in the air.)
The so-called saboteur was a bear. Looking at the history of U.S. nuclear forces,
Sagan was shocked at the number of near misses and cover-ups.
He argues that in the United States,
and probably Russia, overconfidence reigns in the nuclear weapons system. The lack
of prior inadvertent nuclear wars has produced unwarranted complacency. The
Department of Defense claimed in 1980 that "there is no chance" that
ambiguous computer info could lead to war.
Yet Sagan cites numerous examples of
gross safety errors.
The bear incident was minor. In 1963 a
bomber pilot accidentally turned on one of two switches to arm a nuclear weapon.
Fearing punishment for his mistake, he deliberately flipped the second switch
to arm the weapon in the hope that he could plausibly convince his superiors
that a saboteur had armed the weapons. U.S. aircraft have inadvertently dropped
several unarmed nuclear weapons.
In 1962 the crew of a B-52 made a
navigational error and was within 300 miles of Soviet airspace when it was discovered
by Americans and ordered to change course.
During the Cuban missile crisis, a
test ICBM was launched without higher permission. JFK put it this way:
"There is always some son-of-a-bitch who doesn't get the word."
Nor are these events limited to 30 or
40 years ago.
Numerous mistakes have occurred in the
past two decades. In 1995 (after this book was printed) the Soviets mistook a
Norwegian weather rocket for an incoming ICBM.
Sagan examines two competing theories on safety—the normal accidents theory and the high reliability theory. The high reliability theory posits that systems can be made safe by using redundant systems, emphasizing safety throughout an organization, decentralizing authority so that those closest to a problem can make flexible decisions, and having highly disciplined, well-trained members learn through simulation and trial-and-error. Nations use the high reliability theory to manage their nuclear weapons.
To give an example of a redundant system: if you are prone to locking your keys in your car, a redundant system would keep a spare in your wallet and another spare hidden under the car. Redundant systems are not as safe as they appear. Locks jam. Keys get lost or are not put back after use. Magnetic key holders fall off. When there are thousands of parts there are huge multitudes of potential incidents. What people think are minuscule odds are actually much higher.
The normal accidents theory challenges
the high reliability view. It claims that accidents eventually happen. Decentralization
that allows flexibility also allows decentralized individuals to do vile
things. Decentralization is good in business. It may be an acceptable cost of decentralization for a business if someone swindles $15,000, but in a nuclear system nuclear war is not an acceptable cost.
Great training and discipline do not
make individuals 100 percent predictable. Individuals with serious psychological or character
flaws cannot all be weeded out. Numerous elite members of the armed forces
have committed bizarre murders and suicides in the past.
Simulation and trial-and-error have
biases, especially in high cost, authoritarian environments. Errors get covered
up. Scapegoats take all the blame when poorly designed systems are also at
fault. History gets reconstructed to serve the interests of the organization.
Unpredicted or dangerous situations are difficult to train for.
Trial-and-error is important for
humans, but with nuclear weapons one catastrophic error is a sample of one too many.
Learning is difficult in tight,
disciplined organizations. Politics, secrecy, cover-ups and threatened egos
impede learning. Sagan recounts an incident with a cover-up: A Delta
airliner strayed to within 100 feet of a Continental 747. A Delta pilot said,
"Nobody knows about it except us, you idiots." The Continental pilot answered,
"I have passengers pounding on the door, and crying, and they saw the
whole thing out the windows."
When industrial accidents occur, bigwigs
hunt for operator errors until they find them or invent them. Individuals
and isolated institutions have goals that are at odds with the goals of those
they allegedly serve.
Redundancy often fails because it
creates large amounts of complexity and encourages people to take unjustified
risks in the belief that they have plenty of redundancy to save them. The
Chernobyl disaster occurred because of a test of a safety system. If someone had asked a Soviet expert in 1985 whether the sequence of events leading to Chernobyl could ever happen, he might have laughed. The operators at Chernobyl violated four rules that were all necessary for the disaster to happen. The Fermi nuclear reactor in Michigan nearly melted down in 1966 because of a failed safety device.
Sagan reports mostly on narrow escapes
in America. There may have been worse calls elsewhere, especially in nations with dictator-controlled media. Russia is poor. Nuclear weapons are spreading to even poorer
nations. Where money is tight, low safety is the rule. The nuclear weapons program
found in Iraq after the Gulf War featured designs that would have detonated if
they fell off a desk.
The high reliability view, Sagan
writes, sees the glass as 99 percent full. The normal accidents theorists see
it as one percent empty--and when it comes to nuclear war, one percent is at
least a thousand times too high.
The high reliability theory is fine in
the right situations—low probability accidents that can cause only a handful of
deaths.
Sagan argues that humans do not learn
much from constant success, yet there is something that could be more
dangerous: "the resourcefulness with which committed individuals and
organizations can turn the experience of failure into the memory of
success." The history of weapons accidents has been written largely by those
who wish to down-play mistakes. Sagan writes that the burden of proof rests
with the managers of nuclear weapons and their safety record is not as good as
it appears.
Many believe that a world with several
nuclear powers is a stable world. Sagan argues that this view is wrong. Nuclear danger is proportional to the number of weapons and the number of nations that have them. Wars are
not always started by national leaders who act in what they think is their
self-interest. Wars are sometimes started by accidents and by individuals lower
in the hierarchy. Sagan recounts several of these wars. Leaders often have "self-interest" that has little to do with survival. Some love destruction. Some want a place in history, no matter how infamous. Some want revenge for real or perceived slights. Some think murdering others is a good way to get to heaven. The list of evil motives that conflict with self-interest is huge. Others argue for total nuclear disarmament, but Sagan makes the points that nuclear weapons are too small to be accurately verified and that if a conventional war broke out advanced nations could quickly build nuclear weapons.
The Limits of Safety recommends more studies of past problems and more independent reviews of nuclear safety. It supports greater sharing of the details of safety problems among superpowers.
"[U]nanticipated interactions
tend to occur in high technology production systems in which many feed-back loops
exist, and in which dangerous components are in close proximity to one
another... tightly coupled systems tend to have plans for very rapid reactions."
He therefore recommends that aircraft carrying nuclear weapons never fly above
national warning systems. Nuclear warheads and missile testing facilities
should be separated. Warning radar and ICBMs should not be on the same sites.
Radio controlled devices that would destroy missiles in flight and limited ballistic
missile defenses to destroy accidental launches are also excellent ideas offered by Sagan.
Military forces face the "always/never" problem. Always be ready. Never make a major mistake. Fortunately, this book has few mistakes. Highly recommended.
—Book review article by J.T. Fournier.