This section introduces three accident cases in increasing order of the seriousness of their consequences. The first case concerns a popular consumer product, a bicycle; the second a collision of a commuter train; and the third an extremely complicated system, a nuclear power plant (NPP). The bicycle case affected social sustainability and, for each single accident, had an economic impact on the rider. In the case of the train, the damage to society was much larger: not only injuries to the passengers, but also economic damage in the form of inconvenience to passengers for a few days. The NPP accident posed a large threat to the sustainability of societies, the economy, and the environment.
3.1. A Bicycle Recall Case
First is a case where the manufacturer had to recall its product, a bicycle. A bicycle offers a simple and handy means of transportation without any operating cost other than maybe the fatigue in the feet and legs of the rider. Many consumers in Japan now choose electrically assisted bicycles to lessen the fatigue, in which case the convenience comes with the electricity cost for charging the batteries.
In 2003, one of the major Japanese bicycle manufacturers introduced a device that locks the rotation of the steering shaft when the rider engages the lock on the rear wheel. The mechanism was named “single action double lock” so that it would stand out in the market. Rival companies also had steering shaft locks, but their users had to engage them separately from locking the rear wheel; in other words, they were double action double locks.
Figure 2 shows locations of the two locks, and separate photographs of the actual locks. When the rider parks the bicycle and engages the rear wheel lock, the action pushes a cable connected to the steering shaft lock that also locks the steering shaft rotation.
The rear wheel lock disables the rear wheel rotation upon parking the bicycle to prevent theft. The steering shaft lock, developed recently, offers two features. One prevents the bike from toppling over when the rider parks it on a sloped surface. The other popular feature for parents of small children is that it keeps the bike stable when they are lifting a child into the child seat.
The single action double lock mechanism has parts shown in Figure 3 [7]. A housing case holds the steering shaft lock parts in position. A window shows the lock status. The upper left photo in Figure 2 shows this case. It is the gray box with a black indicator window.
Figure 4 shows the mechanism of the single action double lock. The left figure is when the shaft is unlocked, and the right figure is when it is locked. The movements 1 through 4 take place simultaneously; these numbers are for easier visualization of the mechanism.
Figure 5 shows the DRG for this locking system. The arcs from FEs connect to the PEs all in a one-to-one manner. Thus, the design is uncoupled in AD. Equation (3) shows the AD design equation.
The above discussion is about how the “single action double lock” activates when parking. A rather more important function of a bike, however, is to ride it.
Figure 6 is the DRG for the function of riding a bike. The figure does not have the detail of the braking system that has a number of parts, nor the detail of the locking system.
The locking system is not shown in Figure 6. To show it, one can add the function of “keep double lock engaged when parked” with the mechanism of the “single action double lock”, or combine Figure 6 and Figure 7 to obtain a complete picture.
Figure 7 shows the “single action double lock” mechanism when the rider is riding the bicycle. This time, the rear wheel lock has to be disengaged and the steering shaft free to rotate. All parts in the DRG change their functions from those in Figure 5, including the higher level sub-functions to the overall function of “Keep double locks disengaged”. One exception is the “Shaft lock case”, with the function of “Position steering shaft lock parts”.
With the knowledge that the “single action double lock” was responsible for the recall, we examine the system closely in the riding mode. At the design stage, the designer overlooked that the “Bar press tab” affected the “Lock bar spring” function of “Keep compressed state”, shown with the broken red line segment across the functional and physical spaces. It needed proper alignment with the notch on the locking bar where the two pieces met.
The engagement of the locking bar in a steering shaft pinion gap, and its retraction from it, is determined by the balance among the torsion spring force, the lock bar spring force, and the pushing rod force. When the steering shaft is free, the pushing rod retracts (stays down in Figure 4), and the torsion spring applies counterclockwise (CCW) torque to the rotating cylinder. The CCW bar pressing tab force applied to the locking bar here overcomes the lock bar spring force, and the locking bar is pulled out of the steering shaft pinion gap, allowing free rotation of the steering shaft.
When the user parks the bike and engages the lock, the pushing rod pushes the pushing force receiver up and applies clockwise (CW) torque to the rotating cylinder. This CW torque is stronger than the torsion spring torque, and the CCW bar pressing tab force on the locking bar is removed. The lock bar spring then pushes the locking bar into a pinion gap on the steering shaft pinion, and the steering shaft is locked.
The locking bar in riding mode has the function of retracting itself from the pinion gap it engaged when the user locked the bike. The torsion spring, in the meantime, has to constantly keep its CCW torsional spring force on the rotating cylinder so that the bar pressing tab keeps the locking bar out of a pinion gap.
The direct cause of the recall was the shaft lock case. Possibly owing to insufficient strength, the case cracked and lost its function to hold the steering lock parts in place. The Ministry of Economy, Trade, and Industry (METI) of the Japanese government released news [8] with photographs of normal and cracked cases. Figure 8 is the illustration in the news release.
A cracked case causes the parts that it holds inside to lose their tight positioning, and the bar press tab can easily lose contact with the locking bar. Then, the torsion spring force fails to reach the locking bar and the lock bar spring pushes the locking bar into a pinion gap. This caused the steering handle to lock while the user was riding the bike. This unexpected failure caused the rider to fall on the road with the bike.
The recall involved about 3.4 million bicycles, and there had been six serious injury cases at the time of the 24 June 2019 METI press release [7]. The Consumer Affairs Agency (CAA) of the Government of Japan reported a year later that the accident count during April 2019 to March 2020 amounted to 42 cases, and 11 during April to 18 August 2020 [9].
3.2. Kanazawa Seaside Line Runaway Train
The second incident we report is an automated train accident that took place on 1 June 2019, at 20:15. The passenger train on Kanazawa Seaside Line started in the wrong direction at Shin Sugita station and collided with the bumping post. Among the 25 passengers onboard, the accident injured 17, including 12 with serious injuries [10].
Kanazawa Seaside Line is an automated guided transit (AGT) with a total track length of 10.8 km. The rubber tires on the cars keep the rides smooth compared with conventional steel wheels on steel tracks. The line connects Shin Sugita at its north end, about 45 km south from Tokyo Station, and Kanazawa Hakkei at the south end. The line has 14 stations including the two end stations. The line runs along the port area south of Yokohama and carries commuters to port businesses and travelers visiting parks. The accident train had five cars, Car-1 to Car-5 from south to north, with 94 seats for passengers.
Figure 9 shows a sketch of Car-5. There are no seats for a driver or a conductor because the train carries no operator; operators remotely control the train from the train central control station at Namiki Central station, 3.5 km south on the line from Shin Sugita.
To support operators in the central control station at Namiki Central station, the train line system has several automatic control systems, among which we explain two major systems: automatic train operation (ATO) and automatic train control (ATC).
Figure 10 shows these controllers on the five-car train; Cars 3 and 4 are omitted from the illustration. The figure shows the controllers in the state of moving the train northbound, i.e., the proper travel just before the train reached Shin Sugita station. The single-line red arrows in the figure are control lines and, for this northbound travel, lines 195E and 195G and Control Line R were energized.
ATO consists of a ground controller at the control station, a station ground controller at each station, an onboard controller for communication with the station ground controller, and another onboard train controller. The ground controller commands departure, on-time running, and stopping the trains at preset positions. The ground and onboard communication controllers exchange ground commands and train status information. The onboard controller is responsible for starting, stopping, and regulating the speed of the train by sending signals to the motors and brakes.
ATC is also used on conventional trains with operators. It consists of multiple ground units along the track and an onboard ATC unit on each train. As the train passes a ground unit, the onboard unit detects the speed limit from it through an antenna mounted at the head of the leading car, compares the limit with the motor speed, and regulates the speed or stops the train if necessary.
Shin Sugita station is the terminal stop at the north end of the line, and a northbound train arriving at Shin Sugita station, once it has completely stopped, reverses its direction to head south. The train, however, started northbound at departure and collided with the bumping post. The bumping post was about 24.5 m away from the leading end of Car-5 when the train started moving. The train started with full acceleration, and its onboard controller had the train direction registered as southbound, so no brake engaged until Car-5’s coupler hit the bumping post.
Before the accident, when the incoming northbound train stopped at its terminal station Shin Sugita, all the ATO controllers operated normally as follows (angle brackets show corresponding control lines in Figure 11):
Ground ATO: “Switch direction to south and keep stopped”
Ground station ATO: “Switch direction to south and keep stopped”
Onboard station ATO: “Leading car” signal to Car-1 Relay<194E>
Car-1 Relay: “Leading car” signal to Leading car unit in Car-1
Leading car unit in Car-1: “Leading car set” signal back to onboard station ATO<194G>
Leading car unit in Car-1: Signal “southbound” to onboard ATO <194G>
Leading car unit in Car-1: Signal “southbound” to ATC <194G>
Onboard ATO: Motor Stop signal to Brake and Motor controllers
The leading car unit in Car-1 also had the function of sending the southbound signal to the three motor controllers in cars 1, 3, and 5 by energizing Control Line F that branched out to the three motor controllers.
Figure 11 shows the controller communication. The accident investigation found that Control Line F was cut when the train, in its previous travel, was heading south at around the mid-point of the entire Kanazawa Seaside Line.
Control Line F was bundled with a number of other cables, as shown in Figure 12. The bundle was scratching against the end wall angle plate, and Control Line F happened to settle at the bottom of the bundle. The edges of this angle plate were cut with a laser cutter, and their mass production left the cut corners sharp without any filing. The through hole on the floor had a plastic fitting on top so cables in the bundle would not scratch against the metal rim of the hole. The designer overlooked that the heavy bundle, although suspended in mid-air, would sag and scratch against the end wall angle plate.
Control Line F, when engaged, is energized to a control voltage of DC 100 V, commonly used for trains. When the coating of the line was cut deep enough, this high voltage must have caused an electric spark between line F and the angle plate, which was at electrical ground. Observation after the accident found the upstream side of the control line, closer to the DC 100 V source, dangling, and the downstream side welded onto the stainless-steel angle plate. Later analysis revealed the weld to contain an alloy of stainless steel and copper, meaning the spark temperature exceeded the stainless-steel melting point of 1400 °C.
When the line failed during the train’s southbound travel, nothing unusual happened because the motor controllers were designed to hold direction commands in memory. When the train reversed its direction at the south end of Kanazawa Hakkei station, the failure again went unnoticed because, there, Control Line R turned ON and the train successfully reversed its direction to head north (Figure 10).
At the north end of Shin Sugita station, however, the high-level controllers passed the “Reverse direction” command from the Ground ATO to Ground Station ATO, Onboard Station ATO, Car-1 Relay, Leading Car Unit in Car-1, Onboard ATO, and ATC. This signal was then passed back to Onboard Station ATO as a sign of the command being completed.
The location of the Control Line F cut was upstream of where it branched out to the motor controllers on cars 1, 3, and 5, thus none of the three motor controllers received the command signal to reverse the motor direction and just kept the last registered direction of northbound.
When it was the departure time of 20:15, the Onboard ATO sent out its Power ON signal to the three motor controllers to activate the motors. This was when the motor controller looked up its memory, which had registered northbound when Control Line R was energized at the other end, Kanazawa Hakkei station. This fail-safe function to memorize direction is necessary to engage the brakes upon emergency so the motor controller knows which direction to apply reversing torque to the induction motors.
The motors accelerated, heading north.
Figure 11 shows the train high level control system with registered direction of southbound, contrary to the direction memorized in the motor controllers.
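The sequence described above, from the cut of Control Line F through the unnoticed reversal at Kanazawa Hakkei to the mismatched departure at Shin Sugita, can be followed in a small state model. The following Python block is an added illustration, not code from the paper or the railway; it models only what the text states (Control Line F for southbound and Control Line R for northbound fan out to the motor controllers on Cars 1, 3, and 5, each of which latches the last direction that actually reached it). The `consistency_check` method is a hypothetical pre-departure comparison of the registered direction with the latched ones; the paper states that the real system did not detect the wrong departure direction.

```python
"""Direction-latch mismatch at departure, modelled from the paper's description.

Added illustration (not the paper's or the railway's code). Names such as
`Train`, `consistency_check` and `accident_sequence` are this example's own.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ControlLine:
    name: str
    intact: bool = True
    energized: bool = False

    def delivers(self) -> bool:
        # A cut line carries nothing downstream of the cut, whatever the source does.
        return self.intact and self.energized


@dataclass
class MotorController:
    car: int
    memorized: str = "unset"  # last direction that reached this controller

    def observe(self, line_f: ControlLine, line_r: ControlLine) -> None:
        if line_f.delivers():
            self.memorized = "south"
        elif line_r.delivers():
            self.memorized = "north"
        # Neither line delivering: keep the stored value ("memorize direction").


@dataclass
class Train:
    line_f: ControlLine = field(default_factory=lambda: ControlLine("Control Line F"))
    line_r: ControlLine = field(default_factory=lambda: ControlLine("Control Line R"))
    motors: List[MotorController] = field(
        default_factory=lambda: [MotorController(c) for c in (1, 3, 5)])
    registered: str = "unset"  # direction held by the leading car unit / onboard ATO

    def reverse(self, direction: str) -> None:
        """High-level controllers register the new direction and energize its line."""
        self.registered = direction
        self.line_f.energized = direction == "south"
        self.line_r.energized = direction == "north"
        for m in self.motors:
            m.observe(self.line_f, self.line_r)

    def consistency_check(self) -> bool:
        """Hypothetical check: every motor controller agrees with the registered direction."""
        return all(m.memorized == self.registered for m in self.motors)

    def depart(self) -> Dict[str, object]:
        """Power ON: the motors run in whatever direction they have latched."""
        return {
            "registered": self.registered,
            "motors": {m.car: m.memorized for m in self.motors},
            "consistent": self.consistency_check(),
        }


def accident_sequence(cut_line_f: bool) -> Dict[str, object]:
    """Southbound run -> (cut of line F mid-line) -> north at Kanazawa Hakkei -> south at Shin Sugita."""
    train = Train()
    train.reverse("south")                 # previous southbound travel
    train.line_f.intact = not cut_line_f   # the cut found by the investigation
    train.reverse("north")                 # Kanazawa Hakkei: line R works, nothing noticed
    ok_at_hakkei = train.consistency_check()
    train.reverse("south")                 # Shin Sugita: command latched upstream only
    result = train.depart()
    result["consistent_at_hakkei"] = ok_at_hakkei
    return result


if __name__ == "__main__":
    print(accident_sequence(cut_line_f=True))
    print(accident_sequence(cut_line_f=False))
```

With the line cut, the model reproduces the paper's finding: the high-level controllers hold "south", the three motor controllers still hold "north", and the check at Kanazawa Hakkei passes because Control Line R was the one energized there. Without the cut, registered and latched directions agree at every step.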
Figure 13 shows the train from its wrong departure to its collision with the bumping post. When the train started, the system did not detect that it had set off in the wrong direction. ATC, registered with the southbound direction, detected its active antenna in Car-1 above the ATC loop coil for departure, a normal expectation for heading south. The train kept accelerating until the coupler of Car-5 hit the bumping post. When Car-5 collided with the bumping post, the ATC antenna in Car-1 reached the south end of the loop coil for collision avoidance. This loop coil was there for the ATC antenna in Car-5 of incoming trains to detect overrun. The ATC system was not designed for trains starting off in the wrong direction, but, by a lucky coincidence, ATC engaged full brake.
When the train hit the bumping post, it had gained a velocity of about 25 km/h. The bumping post was designed to stop a train at a speed of 10 km/h with the train’s braking force. Fortunately, the train ATC engaged the brake upon reaching the bumping post; however, at a speed of 25 km/h, the bumping post, after exhausting its full 1 m damping stroke, turned into a sudden wall for the train. The ATC brake and the 1 m damping stroke of the bumping post lessened the severity of the accident to some extent.
Figure 14 shows the DRG of the train control system in setting off the train in the southbound direction. The failure that caused the accident started from the Control Line F failure in the physical space. The “Memorize direction” function of the motor controller needed “Control Line F” to be properly working. Figure 14 shows this reliance with the broken red line segment. The failure propagated into the functional space to disable the overall functional requirement of “Depart Train Southbound”.
Equation (4) is the design equation for the function of departing the train in the southbound direction. Although the number of DPs is smaller than that of FRs, this does not necessarily mean that the design is coupled. The inequality comes from mapping multiple functions to high level DPs of controllers. The X in square brackets [X] is the interference the designer overlooked, i.e., the reliance of the memory function on Control Line F.
This Control Line F in the other mode of northbound travel had the function of staying at zero, thus the cut of the line did not make a difference to the overall functional requirement in that mode.
3.3. Fukushima-1 NPP Unit 1 Accident
The 2011 “Off the Pacific coast of Tohoku Earthquake” occurred on 11 March 2011. The quake triggered tsunami waves that, about an hour later, struck the Fukushima Daiichi Nuclear Power Plant (Fukushima-1 NPP). The wave heights surpassed the elevations for which Fukushima-1 NPP was designed. Seawater entered the basements of all Fukushima-1 NPP units 1 through 6. Most of the switchboards for units 1 to 4 were in the basement. The four units entered the state of station blackout. Station blackout means a loss of all AC power [11]. Units 1 and 2 lost all their DC power.
Units 1, 2, and 3 were running at the time, and all three units succeeded in fully inserting all their control rods upon the earthquake. Unit 4 was in scheduled maintenance, so it was fully shut down at the time. The other three units entered shutdown mode as well, thus all main steam lines and feedwater lines had their isolation valves fully closed. The reactors of units 1, 2, and 3 entered the state of core isolation. Core isolation means that the core, where the nuclear reaction generates heat, is isolated without active water flow around it. Although the nuclear reaction had stopped, the fuel kept generating a fraction of the full power called decay heat.
Decay heat, for example, for Unit 1 was 6.4% of full power (1380 MW thermal) upon shutdown [12], and it gradually decreased with time. Without heat removal, however, decay heat continues to boil the water inside and lowers the water level. Once the water level drops below the top of the fuel bundles, the fuel will begin to melt. The time left for Unit 1 to regain its lost core cooling function was 78 min after station blackout [12].
The oldest of all units, Unit 1, started operation in March of 1971. It had two identical and independent isolation condenser (IC) systems, System A and System B, designed to remove decay heat at times of core isolations.
Figure 15 shows System A at core isolation.
The IC is a simple condenser with a condensing chamber filled with cooling water. Its piping connects to the reactor pressure vessel at a high elevation filled with steam. The IC piping routes the reactor steam to the IC chamber, where the steam condenses to water inside the IC piping. The piping then exits the IC chamber and connects to the recirculation piping, and the condensed water eventually returns to the reactor pressure vessel at a low elevation filled with water. This IC piping has four isolation valves: Vac1 and Vac4 in Figure 15 are two AC valves inside the pressure containment vessel, and Vdc2 and Vdc3 are two DC valves outside. In core isolation mode, Vac1, Vac4, and Vdc2 are fully open, and the operator switches Vdc3 on and off to keep the pressure drop in the pressure vessel moderate, avoiding damage to the pressure vessel and its components from a sudden temperature drop.
Figure 16 is the DRG for the IC system in core isolation.
There was another safety feature in this IC system to prevent radiation leakage to the outside. The IC piping had a pressure sensor on it, and when the sensor detects a sudden drop in piping pressure, the controller assumes that a crack has developed in the piping. Such a crack would cause the radioactive steam to escape into the condensing chamber and, as the steam outlet from the chamber simply discharges to the atmosphere, that would lead to radiation leakage to the outside.
This IC shutdown mode closes all four IC isolation valves. This pressure sensor had DC power for its operation and, when the DC power is lost, the sensor loses its means of detecting cracks in the IC piping and the fail-safe design shuts down the IC function, by closing all four valves Vac1, Vdc2, Vdc3, and Vac4, in order to avoid possible radiation leakage to the outside.
Figure 17 shows the DRG of this safety feature of IC shutdown.
Figure 17a is a typical DRG that a designer would draw. Note that the diagram is missing the DC power to the pressure sensor, as well as the higher DC and AC powers that drive the valves. It was difficult for the designer to identify that the four valves’ “Close and stop IC steam/water routing” function was dependent on the pressure sensor’s “DC power”.
Figure 17b shows this dependence with a broken red line segment. The function of “Stop radiation from leaking when pipe cracks” needed “DC power” to the pressure sensor to be working properly; when the DC power was lost, the function activated improperly.
Equation (5) is the corresponding design equation for the DRG in Figure 17b. The design has fewer FRs than DPs. In fact, the four valves are redundant [4], and the IC flow is stopped when any one of them is closed. Nuclear plants often have such redundancy to meet functional requirements even if a structural element fails. The interference the designer overlooked is shown with the element X in square brackets [X] in Equation (5).
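The three design equations referred to in this section (Equation (3) for the bicycle lock, Equation (4) for the southbound departure, and Equation (5) for the IC shutdown) all turn on the same question: whether the design matrix is uncoupled, decoupled, or coupled, and where an overlooked interference [X] sits in it. The following Python block is an added illustration, not the paper's code, and the matrices in it are constructed for this example rather than reproductions of Equations (3) to (5); only the FR and DP labels are taken from the text. The helper handles square matrices, whereas the paper notes that Equations (4) and (5) are not square, so the train and NPP cases are reduced here to the two rows and columns that carry the overlooked interference.

```python
"""Classify an Axiomatic Design (AD) design matrix and locate overlooked interferences.

Added illustration, not the paper's code. Entries are "X" (designed dependence),
"0" (no dependence) or "[X]" (a dependence the designer overlooked). The helper
names and the constructed matrices below are this example's own.
"""
from typing import Dict, List, Sequence, Tuple

Matrix = List[List[str]]


def depends(entry: str) -> bool:
    """Any entry other than "0" is a dependence, whether designed or overlooked."""
    return entry.strip() != "0"


def classify(matrix: Sequence[Sequence[str]]) -> str:
    """Return "uncoupled", "decoupled" or "coupled" under the AD independence axiom.

    uncoupled: each FR depends on exactly one DP and each DP serves exactly one
               FR (diagonal up to reordering);
    decoupled: rows and columns can be reordered into a triangular matrix, so the
               FRs can be satisfied one after another in a fixed sequence;
    coupled:   anything else.
    """
    n = len(matrix)
    if n == 0 or any(len(row) != n for row in matrix):
        raise ValueError("square matrix required")
    row_counts = [sum(depends(e) for e in row) for row in matrix]
    col_counts = [sum(depends(matrix[r][c]) for r in range(n)) for c in range(n)]
    if all(k == 1 for k in row_counts) and all(k == 1 for k in col_counts):
        return "uncoupled"
    # Greedy peeling: a triangular ordering exists iff we can repeatedly remove an
    # FR that depends on exactly one of the DPs not yet assigned to an earlier FR.
    rows, cols = list(range(n)), list(range(n))
    while rows:
        single = [r for r in rows if sum(depends(matrix[r][c]) for c in cols) == 1]
        if not single:
            return "coupled"
        r = single[0]
        c = next(c for c in cols if depends(matrix[r][c]))
        rows.remove(r)
        cols.remove(c)
    return "decoupled"


def interferences(matrix: Sequence[Sequence[str]], frs: Sequence[str],
                  dps: Sequence[str]) -> List[Tuple[str, str]]:
    """List the (FR, DP) pairs marked "[X]", i.e. dependences the designer missed."""
    return [(frs[i], dps[j]) for i, row in enumerate(matrix)
            for j, e in enumerate(row) if e.strip() == "[X]"]


def with_interference(matrix: Sequence[Sequence[str]], fr_index: int, dp_index: int) -> Matrix:
    """Copy of `matrix` with one overlooked dependence added as "[X]"."""
    out = [list(row) for row in matrix]
    out[fr_index][dp_index] = "[X]"
    return out


def report(matrix: Sequence[Sequence[str]], frs: Sequence[str], dps: Sequence[str]) -> Dict[str, object]:
    return {"class": classify(matrix), "overlooked": interferences(matrix, frs, dps)}


# Constructed case 1: the bicycle lock in riding mode. The designer's view is
# diagonal; the text says the bar press tab affected "Keep compressed state".
BIKE_FRS = ["Keep locking bar out of pinion gap", "Keep compressed state",
            "Position steering shaft lock parts"]
BIKE_DPS = ["Bar press tab", "Lock bar spring", "Shaft lock case"]
BIKE_AS_DESIGNED = [["X", "0", "0"], ["0", "X", "0"], ["0", "0", "X"]]
BIKE_ACTUAL = with_interference(BIKE_AS_DESIGNED, fr_index=1, dp_index=0)

# Constructed case 2: the two rows of the southbound departure that carry the [X].
TRAIN_FRS = ["Memorize direction", "Deliver southbound command"]
TRAIN_DPS = ["Motor controller", "Control Line F"]
TRAIN_ACTUAL = with_interference([["X", "0"], ["0", "X"]], fr_index=0, dp_index=1)

# Constructed case 3: the IC shutdown feature reduced to the rows carrying the [X].
NPP_FRS = ["Stop radiation from leaking when pipe cracks", "Power the pressure sensor"]
NPP_DPS = ["IC isolation valves", "DC power"]
NPP_ACTUAL = with_interference([["X", "0"], ["0", "X"]], fr_index=0, dp_index=1)

if __name__ == "__main__":
    for name, m, frs, dps in [("bicycle", BIKE_ACTUAL, BIKE_FRS, BIKE_DPS),
                              ("train", TRAIN_ACTUAL, TRAIN_FRS, TRAIN_DPS),
                              ("NPP", NPP_ACTUAL, NPP_FRS, NPP_DPS)]:
        print(name, report(m, frs, dps))
```

The useful output is the `overlooked` list: it names exactly the FR that silently relies on a DP outside its own column, which is what the broken red line segments in Figures 7, 14, and 17b mark. The classification of each constructed matrix is a property of this example's matrix, not a statement about the paper's full equations.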
Evidence of this IC system failure upon the tsunami attack revealed the sequence of what happened. The pressure sensor lost its DC power first and the system commanded isolation valve closure to all four IC isolation valves.
The operator, without any means of checking the valve statuses, kept switching the Vdc3 valve of IC System A on and off. The operator went through the trouble of going outside to see whether steam was coming out of the two steam outlets on the reactor building wall. What the operator saw was a weak rise of steam from the two holes, which did not settle whether the IC system was working or not. What probably happened was that the four valves, as they were closing, lost their driving power before full closure. Had the IC system been in full operation, a large amount of steam would have burst out of the exhaust holes with a thunder-like noise. Fukushima-1 had only tested its IC systems at the time of startup and had never tested them during the 40 years of operation. Thus, after 40 years, operators with no experience of IC activation were placed in charge of operating the emergency system.
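The IC shutdown logic described earlier (a sudden pipe pressure drop, or loss of the pressure sensor's DC power, commands all four isolation valves closed) and the probable outcome just described (valves losing their driving power part way through closing, leaving only a weak rise of steam) can be put together in a small simulation. The Python block below is an added illustration, not the plant's control logic or the paper's code. The valve step size, the point at which drive power is lost, and the assumption that a partly closed valve passes a proportional flow are this example's own modelling choices, not plant data; the valve names are the paper's.

```python
"""Isolation condenser (IC) fail-safe under loss of DC power, as a simulation.

Added illustration, not the plant's logic. `ic_command`, `IsolationValve` and
`simulate` are this example's names; step sizes and the proportional-flow
assumption are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class IsolationValve:
    name: str
    position: float = 1.0   # 1.0 fully open, 0.0 fully closed
    powered: bool = True

    def step_toward(self, target: float, rate: float = 0.25) -> None:
        """Move toward `target` by at most `rate` per step; an unpowered valve stays put."""
        if not self.powered:
            return
        if self.position > target:
            self.position = max(target, self.position - rate)
        else:
            self.position = min(target, self.position + rate)


def ic_command(sensor_dc_powered: bool, pressure_dropped: bool) -> Tuple[str, str]:
    """The fail-safe as described: anything that prevents ruling out a crack closes the IC.

    Returns (command, reason). The reason separates the two situations the text
    says the operator could not distinguish: a crack indication and a dead sensor.
    """
    if not sensor_dc_powered:
        return "close", "sensor unpowered: crack cannot be ruled out"
    if pressure_dropped:
        return "close", "sudden pipe pressure drop: crack assumed"
    return "hold", "no crack indicated"


def ic_flow_fraction(valves: List[IsolationValve]) -> float:
    """Valves in series: flow is limited by the least-open one (proportional-flow assumption)."""
    return min(v.position for v in valves)


def simulate(sensor_dc_powered: bool, drive_power_lost_at_step: int, steps: int = 6) -> Dict[str, object]:
    """Run the shutdown command against the four valves and report what an observer would see."""
    valves = [IsolationValve(n) for n in ("Vac1", "Vdc2", "Vdc3", "Vac4")]
    command, reason = ic_command(sensor_dc_powered, pressure_dropped=False)
    target = 0.0 if command == "close" else 1.0
    for t in range(steps):
        if t == drive_power_lost_at_step:
            for v in valves:          # station blackout reaches the valve drives
                v.powered = False
        for v in valves:
            v.step_toward(target)
    flow = ic_flow_fraction(valves)
    return {
        "command": command,
        "reason": reason,
        "positions": {v.name: v.position for v in valves},
        "flow_fraction": flow,
        "steam_at_outlet": "none" if flow == 0.0 else ("weak" if flow < 1.0 else "full"),
    }


if __name__ == "__main__":
    print(simulate(sensor_dc_powered=True, drive_power_lost_at_step=-1))   # normal operation
    print(simulate(sensor_dc_powered=False, drive_power_lost_at_step=-1))  # clean fail-safe closure
    print(simulate(sensor_dc_powered=False, drive_power_lost_at_step=2))   # the probable Unit 1 case
```

The third run is the one that matches the observation in the text: the command is "close", but the drives lose power with the valves half way, so the outlet shows a weak rise of steam rather than either the full burst of a working IC or nothing at all. The `reason` field is the piece of state the operator did not have, namely whether the closure came from a crack indication or from the sensor's own power loss.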
The silent IC system caused the Unit 1 core to become uncovered and melt. The melting process generated hydrogen gas, which leaked into the reactor building. The lightweight hydrogen gas gathered on the top floor of the reactor building and, a day after the station blackout, it exploded, blowing away the walls of the top floor.