
>> Fukushima plant

Actually it sounds like the plant failed due to some poor - in retrospect - design assumptions. The generators required to keep cooling systems running safely were buggered by the same disaster.

"fail-over" - they got it half right.



The problem is when the backup system is not independent of the primary, so one failure takes out the other. When I read about the step-by-step domino sequence of failures in the plant, the design was clearly deficient.

The erroneous thinking was "the tsunami wall cannot fail". The correct thinking is "What happens when the tsunami wall is breached? What happens to the plant? How can the plant withstand that?"

For example, the most obvious thing is to harden the backup diesel generators against flooding. This would not have been difficult nor expensive. Another solution would have been to have those generators located at some distance from the plant, so they could be repaired without irradiating the workers, and so a disaster at one would be less likely to affect the other.

Another obviously poor design was to have the emergency hydrogen venting go into an enclosed space, where it can build up and explode, rather than venting it outside.


I don't know what your background is but, based on your post, I am assuming it is not in civil or mechanical engineering. Please excuse me if I'm wrong.

The design of this power plant probably went like most designs in civil engineering where extreme design loadings were defined (500-year quake, 100-year flood, etc.) and the plant was designed to meet the loads that would be imposed by the most critical event. For a critical piece of infrastructure these loading conditions are quite stringent. While these loadings drive the design at one end, budget drives the design at the other. Most civil projects tend to be just safe enough and not more. This leads to the realm of acceptable risk/failure. The tsunami wall failing under a 1000-year quake is an acceptable failure. The backup systems were most likely designed for progressively lower degrees of acceptable failure. At some point though it becomes too costly to over-design.

Was hardening the backup generators against flooding "not difficult nor expensive"? I can't tell you that, I didn't design it. Based on the fact that they weren't hardened, I would say that it probably was difficult or expensive.

Would placing the backup generators off site be a better idea than having them on site? Possibly. Possibly not. Every meter you move the generators away from the plant is another meter's worth of risk. How many redundant transmission lines do you need for a generator a mile away? How many redundant generators do you need now that you have the added risk of possibly losing a generator's transmission lines?

Contrary to common belief, public works projects do not have an infinite budget. On top of this, working with municipalities generally results in ridiculous amounts of regulations regarding pricing, reviews, and permitting. While this maintains a minimum standard for designs, it also drives all designs down to that minimum standard. It is simply too costly to continually design for more and more unlikely events.

Users of this site should be well familiar with this based on the number of Internet Explorer compatibility comments I've read lately.


My background is I am an ME and I worked on designing flight critical systems on airliners. I had the philosophy of designing to survive failure hammered into me, and when I see the Fukushima plants, all the red flags go up in my head.

For example, let's assume the wing spar fails. Junior engineer says "but the spar can't fail! We designed it to handle any predicted load!". Senior engineer says "Wrong answer. Anything can fail. How will you design the airplane to survive a wing spar failure?" (The solution usually is to have dual wing spars.)

This question is repeated for every single system and part in the airplane. Failure scenarios are also played out to ensure that failure of one part or system will not have a "zipper" effect of breaking other critical systems.

With Fukushima, I clearly see "the sea wall cannot fail, so we won't even bother to investigate if we can make failure of the wall survivable."

As it turned out, it would have been survivable if only the backup generators hadn't failed due to flooding. Hardening those generators (one way) is to simply put them in a concrete box. It's hard to believe that would have been that expensive. Videos of the tsunami showed a lot of masonry structures withstanding it.

> How many redundant transmission lines do you need for a generator a mile away?

Good question. The general rule is to have an independent backup system for every critical system. That has made flying around the world in an airliner safer than driving yourself to the post office.



