Baby, you can’t drive my car

The notion of self-driving cars has been around in science fiction for at least 60 years. Now Google is leading the charge to make autonomous vehicles the typical mode of transport. Taking control out of human hands, the thinking goes, will make driving safer. Question is, will tomorrow’s computer chauffeurs really be infallible?

Google has a small fleet of self-driving cars on the road in Silicon Valley — the California information technology hub. Some employees use them to commute to work. The cars are easily identifiable by their roof-mounted spinning turrets. These contraptions house the Lidar system – essentially, laser radar. The system creates a 360-degree map of the car’s surroundings. Google says its driverless cars have collectively gone more than 800,000km without crashing.

Proponents of self-driving cars point out there are about 32,000 traffic deaths per year in the U.S., or one every 15 minutes. That is almost three times the rate of deaths from guns. Perhaps computer-controlled cars, with faster reaction times and consistent algorithmic decisions, would substantially lower the accident rate, use less fuel and move more people faster.

But perhaps not. Hardware and software systems are extremely complex. There will always be software bugs, hardware failures, inaccurate maps, improper maintenance and unforeseen situations no algorithm can handle.

Toyota on trial

Already, modern vehicles have as many lines of software code as an Airbus passenger jet. Computers run everything from a car’s windshield wipers to its acceleration and braking systems.

Lawsuits and studies have shown these computers are not risk-free.

A trial in the U.S. state of Oklahoma last October marked a milestone in the controversy over Toyota-brand cars and unintended acceleration. The case involved the crash of a Toyota Camry in 2007; one woman died, another was injured.

A 10-month study by the National Highway Traffic Safety Administration and NASA had concluded, in February 2011, that there were no electronic flaws in Toyota cars that would open the throttle enough to cause unintended acceleration. The Oklahoma court, however, heard testimony that digital systems could not be ruled out as a factor in that Camry accident.

Software experts had been given access to Toyota Motor’s top-secret source code for controlling the electronic throttle. The lead expert, Michael Barr, testified and delivered an 800-page report that said the code was defective.

Barr testified he had demonstrated a driver could lose control of the accelerator due to a software glitch that is not reliably detected by any fail-safe backup system. He described how, as proper practice, software that controls potentially life-threatening devices must have built-in redundancies — yet these redundancies were absent.

Each hardware supplier writes its own software to control the devices it is contracted to produce – the braking system, the engine throttle control, etc. This leads to complex coupling between software modules, increasing the likelihood of errors. Plus, Toyota did not possess the code for some of the software.
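To make the redundancy principle concrete, here is an added illustration of what "built-in redundancies" and a fail-safe backup look like in an electronic throttle controller. This is constructed example code, not Toyota's source, not a reconstruction of the defect in Barr's report, and all sensor ranges, thresholds and debounce counts are hypothetical. Two independent layers are shown: the pedal is read by two sensor tracks that must both be in range and agree, and a separate monitor compares what the throttle plate actually did with what was commanded, so a runaway is caught no matter which upstream module misbehaved.

```python
"""Dual-layer fail-safe for an electronic throttle (illustrative, added example).

Constructed to show the redundancy principle; not Toyota's code and not a
reconstruction of any reported defect. All ranges and thresholds are hypothetical.
"""
from dataclasses import dataclass
from enum import Enum


class Mode(Enum):
    NORMAL = "normal"
    LIMP = "limp"          # pedal distrusted: demand forced to idle
    SHUTDOWN = "shutdown"  # plate runaway: fuel cut, latched until restart


# Hypothetical pedal tracks on different voltage ranges, so one wiring fault
# cannot produce the same plausible value on both.
PEDAL_A_RANGE = (0.5, 2.5)   # volts
PEDAL_B_RANGE = (1.0, 5.0)   # volts
MAX_PEDAL_MISMATCH = 0.05    # fraction of full travel
MAX_PLATE_OVERSHOOT = 0.10   # plate may not exceed command by more than this
FAULT_DEBOUNCE = 3           # consecutive faulty cycles before latching


@dataclass
class Inputs:
    pedal_a: float         # pedal track A, volts
    pedal_b: float         # pedal track B, volts
    plate_feedback: float  # measured throttle-plate opening, 0..1


@dataclass
class ThrottleArbiter:
    mode: Mode = Mode.NORMAL
    pedal_faults: int = 0
    plate_faults: int = 0
    last_command: float = 0.0

    @staticmethod
    def _scale(volts: float, lo: float, hi: float):
        """Map a track voltage onto 0..1; None means open or short circuit."""
        if not lo <= volts <= hi:
            return None
        return (volts - lo) / (hi - lo)

    def step(self, inp: Inputs) -> float:
        """One control cycle; returns the throttle command (0..1) to issue."""
        # Layer 1: both pedal tracks must be in range and agree with each other.
        a = self._scale(inp.pedal_a, *PEDAL_A_RANGE)
        b = self._scale(inp.pedal_b, *PEDAL_B_RANGE)
        pedal_ok = a is not None and b is not None and abs(a - b) <= MAX_PEDAL_MISMATCH
        self.pedal_faults = 0 if pedal_ok else self.pedal_faults + 1
        if self.pedal_faults >= FAULT_DEBOUNCE and self.mode is Mode.NORMAL:
            self.mode = Mode.LIMP

        # Layer 2: an independent monitor compares what the plate actually did
        # with what was commanded last cycle, so a runaway is caught no matter
        # which upstream module caused it.
        if inp.plate_feedback > self.last_command + MAX_PLATE_OVERSHOOT:
            self.plate_faults += 1
        else:
            self.plate_faults = 0
        if self.plate_faults >= FAULT_DEBOUNCE:
            self.mode = Mode.SHUTDOWN

        # Faults latch; only a controlled restart clears them.
        if self.mode is not Mode.NORMAL:
            command = 0.0                 # idle (LIMP) or fuel cut (SHUTDOWN)
        elif pedal_ok:
            command = min(a, b)           # two trusted tracks: take the lower demand
        else:
            command = self.last_command   # brief mismatch: hold, never increase
        self.last_command = command
        return command


def run_scenario(samples):
    """Drive a fresh arbiter through constructed samples; return (final mode, commands)."""
    arb = ThrottleArbiter()
    commands = [arb.step(s) for s in samples]
    return arb.mode, commands


if __name__ == "__main__":
    # Constructed runaway: pedal released but the plate reads 60 % open for three cycles.
    released = Inputs(0.5, 1.0, 0.0)
    runaway = Inputs(0.5, 1.0, 0.6)
    print(run_scenario([released, runaway, runaway, runaway]))
```

The design point is that the two layers have no shared failure mode: the plate monitor does not trust the pedal logic, the main controller, or any supplier's module, only the commanded value and a physical feedback reading, and once it latches the only way out is a controlled restart rather than a reboot at speed.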

Beware of hackers

The Oklahoma jury found Toyota liable — the first such verdict against the company. While the automaker said it strongly disagreed, it reached a confidential settlement to avoid punitive damages.

Software bugs are not the only threat. In 2010, researchers from the University of Washington and the University of California, San Diego, demonstrated how cars’ electronic control units are vulnerable to hackers. It was the first experimental study of the real security risks with modern vehicles.

Using their own software, called CarShark, the researchers ran lab and road tests and found it is possible to hack into almost any ECU. They put a laptop in a car, connected it to the vehicle’s computer system via a standard interface normally used for entertainment systems and other aftermarket add-ins, and controlled the computer with WiFi.

With the car traveling at up to 65kph, the researchers were able to honk the horn, kill the engine, prevent a restart, blast out the heat and stop the driver from braking. The potential for a mass attack is obvious; a virus could even be installed to completely erase evidence.

What are the takeaways?

Toyota’s case shows it should be a principle of civil law that, when a technological failure inflicts damage, the vendor and independent parties must place all known diagnostic information into the public domain. This would assist us in learning from mistakes and reducing the risks to society.

The hacking study should put Google and Silicon Valley, always full of Sturm und Drang, on notice: There are risks that must be considered above the hype. Rebooting a computerized car at 65kph is not a viable option.

 

Woody Puts Self Driving Cars on Notice

Lexus RX450h retrofitted by Google for its driverless car fleet. At the left side is parked a Tesla Model S electric car.

We don’t have the jetpacks or flying cars promised to us in the 1950s, but Google is pushing to make self-driving cars a reality. Given that today’s modern vehicles have as many lines of software code as an Airbus passenger jet, are we really safe letting a car take over the road for us? What are the consequences, and what are the risks, of tomorrow’s computer chauffeurs?

Read the full article in the Nikkei Asian Review: Baby, you can’t drive my car or download the pdf here.

Active Faults and Nuclear Power Plants

Download as PDF

Feature Article for EoS

Following the Fukushima disaster, most of Japan’s 50 nuclear power plants (NPPs) are closed down. After routine closures for planned maintenance outages, the government restricted the restart of plants until they could successfully pass “stress tests”, which were subsequently replaced by new safety criteria, issued this July by the new Nuclear Regulatory Authority (NRA). Some restarts are blocked because the NRA is concerned about the proximity of NPPs to active faults. The NRA’s definition of what constitutes an active fault and how it intends to apply new draft regulations on ground stability is critical here. Also at issue is the best way to deal with the hazards of low likelihood events in a society that, in the wake of the March 2011 Tohoku earthquake and tsunami, had a rude awakening with respect to its assessment of, and preparedness for, natural hazards. In this article, we explore the nature of this problem and how geoscientists and engineers are responding to what seems likely to be a ballooning problem in Japan, affecting the future of its major energy infrastructure. We look specifically at the case of the Tsuruga NPP on the eastern, Japan Sea coast of central Honshu.

Tsuruga is an historic port lying at the head of the large, sheltered anchorage of Tsuruga Bay. Two major nuclear complexes are located on the mountainous peninsula that forms the western side of the Bay. One of these, the Tsuruga NPP, has two reactor units, including the oldest functional nuclear power station in the country. They lie in a deep valley that extends southeastwards to form an embayment on the peninsula – Urasoko Bay (Figure 1). The eastern side of the valley and Urasoko Bay are the scarp slope of a major active fault – the Urasoko Fault, with a mapped length of about 10 km, but possibly extending further, south across Tsuruga Bay and northwards into the Japan Sea. The evidence suggests that this fault has moved repeatedly in the late Pleistocene, with a recurrence interval of about 4000 years. The foundations of both NPP reactors lie only about 200 m to the west of the fault. The Urasoko Fault was not considered to be active when the NPP was sited in the 1970s, but it has appeared on sequential updates of Japan’s active fault map since 1991, as either ‘active’ or ‘possibly active’. The impact on plant safety of the Urasoko fault was evaluated during the seismic re-evaluation (back-check exercise) mandated by the then regulator, NISA, in the period from 2007-2010.

However, it is not the Urasoko Fault that has been causing problems over the last year for Japan Atomic Power Company (JAPC), the operators of Tsuruga NPP. An inspection by experts commissioned by the NRA concluded that a bedrock fault (the ‘D-fault’) that was already known to lie in the granitic rocks that lay directly beneath the base mat of the Unit 2 reactor might be connected to the Urasoko fault and might move in sympathy with it – and should consequently be defined as ‘active’. According to NRA’s regulations, an active fault beneath critical facilities means that they should not be operated. In fact, this type of criterion is intended to avoid such a situation arising when a new NPP is sited. Here, NRA was considering ‘back-check’ regulation to an old facility, with Tsuruga now being only one of several NPPs and other nuclear facilities in Japan that are threatened with closure as a consequence: the Ohi, Higashidori and Tomari NPPs, and the JNFL reprocessing plant at Rokkasho-mura.

The definition of what is meant by ‘active’ thus becomes critical. The question also arises of what the appropriate response should be to ensure plant safety in the situation where nearby active faulting is found to occur – is it to close and vacate a site, or is it to assess the risk and consider how it could be mitigated, before taking a decision? JAPC and other NPP operators are currently struggling to avoid closure, with the decision hanging on the simple black-and-white criterion of whether an ‘active’ fault is present below their facility or not.

Many countries have definitions of ‘active fault’ that have been established for various civil engineering purposes and which vary significantly. Japan’s NRA uses a definition based on palaeoseismological evidence of movement during the late Pleistocene – approximately the last 120,000-130,000 years. Where there is no evidence to determine whether movement has occurred or not over this period, investigators should look for evidence over the last 400,000 years. The meaning and application of the latter requirement with respect to the period judged to indicate activity has not yet been clarified.

Faced with the assertion by NRA’s expert geoscientists that the D-fault should be defined as active, JAPC embarked on a major programme of trenching around the Tsuruga site to gather palaeoseismological evidence and determine whether it really was ‘active’ or not. The evaluation work was completed in mid-2013. JAPC spent the equivalent of several millions of USD in excavating deep trenches (Figure 1), some of which required massive support as they encroached on the scarp slope of the Urasoko fault and eventually exposed both it and several outcrops of the D-fault in the granitic basement formations. Work focussed on identifying the stratigraphy and characterising the chronology of the overlying Quaternary sediment layers – a mixture of terrestrial and estuarine sediments draped over the basement rocks. A total of nine layers were discovered and it was possible to get clear evidence of the periodic movement history of the Urasoko fault itself. The critical dating evidence has proved to be the ability to correlate tephra layers and distributed tephra phenocryst fragments in these layers. Regional tephra correlations with sediments from distal terrestrial, lake and marine boreholes were essential to understanding the movement history of the faults that had been found. Consequently much of the detailed argument developed by JAPC’s scientific team has been based on geochemical similarities of tephra phenocrysts, palynology and a limited amount of 14C dating.

The trenching work exposed more fault structures than were known about from the original foundation works of the NPP. The NRA experts considered that one of these, the K-fault, was also active and could extend beneath reactor Unit 2. The key evidence for the age of last movement of both the D and the K faults came from several deep exposures in the trenches that allowed plotting of the extent of upward fault penetration into the sediment layers. By seeing which layers had been penetrated and the geometry of the penetrations it was possible to conclude when the latest movement had occurred. For both features, it was clear that there was no evidence for movement in the last 120,000–130,000 years. Indeed, the D-fault, which had been known about since Unit 2 was under construction, appeared to be considerably older than this, and the K-fault was seen to trend towards a termination well before it approached Unit 2.

At the end of the investigations, an independent team of geoscientists assessed the evidence and concluded (‘International Review of the 2nd JAPC Report (July 2013) on Fracturing at the Tsuruga Nuclear Power Plant’: http://www.japc.co.jp/english/index.html) that JAPC was correct in saying that there was no evidence of active structures below the reactor units. A recommendation was made to both JAPC and the NRA to open a constructive dialogue to consider how to build on the evidence and decide how best to manage decisions on the future of the Tsuruga site.

The independent experts were also very clear that the issue should not be a simple black-and-white, guilty or not-guilty, matter of whether features close to an NPP are ‘active’ or not. Certainly, for situations like Tsuruga, proximity to a known major active fault means that seismic hazard has to be taken very seriously. Indeed, all NPPs, including Tsuruga, undergo routine seismic hazard analysis to evaluate the impact of ground motion on structures, systems, and components (fragility analysis), with peak ground acceleration being used as the measure for classic probabilistic seismic hazard analysis (PSHA). This had been re-evaluated recently for Tsuruga as part of the national ‘back-check’ exercise on NPPs, taking account not only of the Urasoko fault, but also of several other major active faults in the region. It is interesting to note that the international standard approach of probabilistic risk analysis (PRA), used almost universally for NPPs worldwide, is one of the very few areas where Japan’s science and engineering community use probabilistic techniques, and PSHA is the only part of PRA that is recognised by Japan’s nuclear regulators.

However, the assertions that JAPC has had to counter concerning the presence of smaller faults in the vicinity suggest that the classical PSHA needs to be extended in circumstances where a facility lies so close to known active features. Given that not every case will be as clear-cut as Tsuruga and that, even there, and despite the findings on the D and K-faults, it is possible that there might be secondary fault displacement in the damage zone of the Urasoko fault during some future movement episodes, seismic hazard analysis could usefully be extended to include an assessment of the possibility of and impacts of fault displacement beneath the facilities. Even though the features mapped beneath Tsuruga appear inactive using NRA’s definition, a probabilistic fault displacement hazard analysis (PFDHA) has been suggested to explore ‘what if’ scenarios where features like the D-fault do move, incorporating expert, evidence-based judgements on the likelihood of movement and possible magnitudes of displacement. Using information from combined fragility analyses and PFDHA, it will be possible to make sensible, risk-informed decisions about how to manage those of Japan’s nuclear power facilities that are currently under threat of permanent closure owing to the supposed active fault issues.
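The step from PFDHA plus fragility analysis to a risk-informed number is the convolution of the two curves, which the article describes but does not show. The following added example (not the authors' analysis, and not any value from the Tsuruga review) walks through that calculation with constructed, hypothetical inputs: a hazard curve giving the annual frequency that displacement beneath the facility exceeds a given amount, a lognormal fragility curve giving the chance the structure fails at that displacement, and the standard sum over displacement bins that yields an annual failure frequency. The function names and the power-law hazard shape are this example's own assumptions; a real PFDHA curve would come from the expert, evidence-based judgements the article mentions.

```python
"""Risk convolution of a fault-displacement hazard curve with a fragility curve.

Added example in the spirit of the PFDHA + fragility approach; it is not the
authors' analysis and uses constructed, hypothetical numbers throughout.
"""
import math


def lognormal_fragility(median_m: float, beta: float):
    """Return F(d): probability of failure given displacement d (metres).

    The lognormal form is the conventional shape for a fragility curve:
    median_m is the displacement at which failure is 50 % likely and beta the
    logarithmic standard deviation (uncertainty in capacity).
    """
    def fragility(d: float) -> float:
        if d <= 0.0:
            return 0.0
        return 0.5 * (1.0 + math.erf(math.log(d / median_m) / (beta * math.sqrt(2.0))))
    return fragility


def power_law_hazard(rate_per_year: float, d_ref_m: float, slope: float):
    """Return H(d): annual frequency that displacement beneath the facility exceeds d.

    Constructed stand-in for a PFDHA output: flat at rate_per_year up to d_ref_m
    (any movement at all), then falling as a power law for larger displacements.
    """
    def hazard(d: float) -> float:
        if d <= d_ref_m:
            return rate_per_year
        return rate_per_year * (d / d_ref_m) ** (-slope)
    return hazard


def annual_failure_frequency(hazard, fragility, d_max_m: float = 5.0, n_bins: int = 2000) -> float:
    """lambda_f = sum_i [H(d_i) - H(d_{i+1})] * F(d_mid).

    Each term is the frequency of displacements falling in one bin times the
    chance the structure fails at the bin's midpoint displacement.
    """
    step = d_max_m / n_bins
    total = 0.0
    for i in range(n_bins):
        d_lo, d_hi = i * step, (i + 1) * step
        in_bin = hazard(d_lo) - hazard(d_hi)   # frequency of d in [d_lo, d_hi)
        total += in_bin * fragility(0.5 * (d_lo + d_hi))
    # Displacements beyond d_max_m are assumed to fail the structure (conservative tail).
    total += hazard(d_max_m)
    return total


def example_case(median_capacity_m: float = 0.5) -> float:
    """Constructed case: a feature with a 1e-4/yr chance of any displacement and a
    structure whose median displacement capacity is median_capacity_m."""
    hazard = power_law_hazard(rate_per_year=1e-4, d_ref_m=0.05, slope=1.5)
    return annual_failure_frequency(hazard, lognormal_fragility(median_capacity_m, beta=0.5))


if __name__ == "__main__":
    for capacity in (0.2, 0.5, 1.0):
        print(f"median capacity {capacity:.1f} m -> failure frequency {example_case(capacity):.2e} /yr")
```

Two sanity checks are worth keeping in any such calculation: with a fragility that always fails, the convolution must collapse to the hazard curve's value at zero displacement (every event counts), and raising the structure's median capacity must never raise the failure frequency. Both follow directly from the formula and are cheap to assert.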

Neil Chapman (MCM Switzerland), Kelvin Berryman (GNS Science, New Zealand), Woody Epstein (Lloyd’s Register, Japan) and Hideki Kawamura (Obayashi Corporation, Japan).

Tsuruga NPP
Figure 1: The Tsuruga NPP, looking to the north-west, with Urasoko Bay in the foreground and the Japan Sea in the background. The upthrown side of the active Urasoko Fault forms the prominent scarp to the right of the complex and the yellow-brown excavation to the top of the picture indicates the scale of one of the trenches used to expose the Urasoko fault and the ‘D’ and ‘K’ faults. The No. 2 reactor, under which the ‘D’ fault passes, is the large, octagonal building to the left-centre of the site.

Active Faults and Nuclear Power Plants

From March 2013 to October 2013, Woody and Neil Chapman led a team of independent earth science and risk specialists to investigate the active fault issues at the Tsuruga nuclear power plant, operated by the Japan Atomic Power Company (JAPC), and the Higashidori nuclear power plant, operated by the Tohoku Electric Power Company (Tohoku EPCo). Both nuclear power plants are in Japan.

Our article in EoS, Transactions American Geophysical Union (publisher: John Wiley & Sons, Inc) appeared on January 28, 2014. This article only reviews our work at the Tsuruga NPP.

Our investigation confirms that at the Tsuruga NPP, the Japan Atomic Power Company has provided adequate, clear, and convincing evidence that the fractures of concern to the Japan Nuclear Regulation Agency are not ‘active faults’ and have not moved at the site during at least the last 120,000 to 130,000 years.

Similarly, at the Higashidori NPP, there is absolutely no positive evidence that there are active faults traversing the Higashidori NPP site.

We thus consider that the presence of an ‘active fault’ at both plants has been resolved and is not a basis for action by the NRA. We urge the NRA and the utilities to enter into a dialog based on scientific evidence.

To read the submission version of the article, click here to download the PDF.

To read the abstract and gain access to the PDF of the final article, click here.

To read the presentation of this material from the American Nuclear Society PSA 2013 conference, click here.

Full Citation

Chapman, N., K. Berryman, P. Villamor, W. Epstein, L. Cluff and H. Kawamura (2014), Active Faults and Nuclear Power Plants, Eos Trans. AGU, 95(4), 33.

Author Information

  1. MCM Consulting, Baden, Switzerland
  2. GNS Science, Wellington, New Zealand
  3. Lloyd’s Register, Tokyo, Japan
  4. Geosciences Department and Earthquake Risk Management (emeritus), Pacific Gas and Electric (PG&E), San Francisco, Calif.
  5. Obayashi Corporation, Tokyo, Japan

For more information, please contact Woody Epstein: woody@woody.com or woody.epstein@lr.org

Publication History

  1. Issue published online: 28 JAN 2014
  2. Article first published online: 28 JAN 2014

Woody Reflects on Predictions

Earthquake Map of Japan

A new year is upon us, and Woody looks to the future. It’s been four years since a magnitude-7.0 earthquake struck Haiti, and only 10 days since a magnitude-6.4 earthquake occurred about 40km north of Puerto Rico. Both areas have notable seismic activity, but both were caught unprepared. How at-risk is Japan for another massive earthquake? How accurate are our estimates? Are we prepared?

Read the full article in the Nikkei Asian Review: Reflections on New Year’s predictions or download the pdf here.