The key point is to allow the reactor to cool for 24 hours or so in a maximally controlled environment - grid power, with backup diesel generators and full tanks for fuel. Once you're through the first 24 hours, the thermal load of decay heat is almost an order of magnitude lower, and much easier to handle.

It is also undesirable to expose the plant to grid transients. Short circuits on the grid, can cause severe mechanical disturbances to the alternator and turbomachinery. In a nuke plant, the LP turbines are typically very large, low speed machines with huge blades. These are susceptible to shock loadings due to their high moment of inertia. In fact, in nuke plant turbines, grid transients are one of the most important factors in determining fatigue life of the turbine assembly.

More over, there is a degree of thermo-hydraulic coupling between the turbine and reactor (or at least the steam generators) - these pressure and heat transients are also a contributor to fatigue life of the primary coolant circuit.

That's not quite correct. There was no some damage to the emergency cooling systems, but it wasn't catastrophic.

At unit 1, the emergency isolation (condenser) cooling system (UPS powered) were manually turned off about 20-30 minutes after the earthquake, because they didn't want to "cold shock" the reactor, and switched instead to alternate methods of cooling (which required AC power). In the confusion that followed loss of AC power, they relied on staff to run outside and check the emergency cooling vents for steam. Staff were not familiar with the volume of steam which should flow from the isolation cooling system (should completely engulf the plant in thick cloud) and reported "faint steam" which was presumed to be due to operation of the isolation cooling system - but was, in fact, residual heat in the vent stacks, as they cooled following shutdown of the isolation condensers. Unit 1 likely suffered total core meltdown within 3-4 hours of the earthquake.

At plants 2 and 3, the emergency cooling system failed after the UPS systems powering the control systems depleted their batteries - a period of about 9 hours after the earthquake. Partial meltdown likely occurred within a few hours of core cooling loss. The extent of core damage is much lower than occurred in unit 1 because the first few hours are when decay heat is highest, and therefore severity of meltdown drops dramatically once through this period.

Fire pumps were brought in to inject water into the reactors at units 2 and 3. In this case, the water pooled in a tank and never reached the reactor. This was not due to a valve fault. The plan to inject water using fire pumps was an ad hoc plan, and the assumption was that the tank was connected to the injection line via a "positive displacement" pump (which would act as an obstruction to flow when unpowered), in fact, the pump was an impeller pump, through which the water could flow with ease. Even if this had worked, this was too late anyway, meltdown would have been near complete by the time the pumps were brought on site, and connections made.

The main lessons learned were: Don't turn off safety systems during an emergency Make sure staff are able to recognise the correct operation of safety systems Ensure that plans for the emergency provision of cooling water are pre-prepared, validated and well rehearsed. Ensure that emergency portable pumps are available near (but not too near) to site, and that their performance has been validated as acceptable Ensure adequate redundancy of hydrogen-oxygen catalytic recombiners Don't forget about the fuel pools.

You raise an interesting point that the interaction of various sensor assist systems can be erratic

In your example, your description cannot be technically correct, although I am not denying that it introduces a degree of instability that would not otherwise exist. Traction control does not, and cannot, apply the brakes. It also does not assume you are or are not in a spin, only that one wheel has lost grip. More advanced systems, e.g. ESC, do detect spin, but they do it with a yaw rate sensor, so it is directly measured, not assumed. The normal operation of traction control is to detect one of the drive wheels spinning faster than the other wheels, and when activated it reduces engine torque (through triggering fuel cut, ignition retard, and/or electronic throttle closure).

One of the things that OEMs found after integrating systems like traction control, stability control, ABS, etc. was that at the boundaries of slip/acceleration/yaw between the systems and normal operation, there were discontinuities in the vehicle dynamics. So, that if you were accelerating, and a drive wheel slipped, there would be a sudden, dramatic reduction in engine torque; or in the event of an impending spin, there would be a dramatic braking of the inside wheel, which could lead to an overcorrection.

Over the last 5 years, the OEMs have realised this, and they have been working very hard to smooth the discontinuities that these systems create. There are all sorts of marketing words for this, e.g. Toyota have "Vehicle dynamics integrated management". All this means is that the sensitivity and power of these systems has been carefully matched to the car and each other, to avoid sudden shocks.

You have made my point (which admittedly I didn't make very clearly). What is useful is a knowledge of anatomy, and knowing what the potential problems are, and careful examination of the raw data of the CT scan. A skilled doctor would have specifically looked for the optic nerve in relation to the tumor. For whatever reason, this was not detected, or not communicated appropriately, resulting in a delayed treatment.

Complex 3D rendering or printing, while it looks impressive, generally isn't all that useful for making the diagnosis - the raw (or minimally processed) data tends to show the anatomical relations most clearly. The raw volumetric data shows everything; a 3D rendering depends upon some sort of thresholding, and the 3D projection necessarily results in occlusion and obscuration of objects. The thing about 3D rendering is that it is immediately recognisable by the lay person, or doctors without specific training in interpretation of CT, whereas the appearance of the anatomy is rather alien to most people when presented as cross-sectional raw data.

As for treating tumors, I'm afraid you're wrong about that. Watch and wait is very important for tumours around the eye and base of skull, because the anatomy here is so complex and fragile that the whole tumor may not be removable, or may be removable only at significant cost (loss of vision, facial disfigurement, risk of infections due to bone holes, etc.) For this reason, if a tumour is only causing minor symptoms, and there is good reason to suspect a benign tumor (i.e. not cancer liable to spread elsewhere in the body), there are often good reasons to delay surgery, until such time as the symptoms resulting from side effects of surgery are likely to be less than the symptoms from the tumor.

Can someone explain why in the example race condition code given, the theoretical minimum count is 2, and not n_iters?.

3D visualisation is pretty standard on medical imaging software, but it's not really that useful for most situations. The issue here appears to have been the missed diagnosis of optic nerve compression by the tumor. As it is, a 3D rending/print of a CT scan won't help with that, as both the nerve and tumor will have similar appearances and very low background contrast to normal tissues. Where 3D rendering or printing of CT is useful is for examining the bone. It sounds like the 3D printing is an interesting factoid tacked onto a story about a misdiagnosis which was corrected after the patient/relatives asked for a 2nd opinion. This, of course, assumes that the diagnosis was wrong in the first place. "Watch and wait" is often far preferable to surgery for slow growing tumours in awkward places.

Most national regulators require that any safety-critical computer systems in nuclear facilities are formally proven correct. Due to the difficulty in producing absolutely bug-free code, and proving that you have done so, a lot of systems continue to rely on pure analog control.

For example, nuclear-grade UPS systems typically offer a feature such as the following: "Digital logic free. 100% analog control with fully verified behavior. No need for expensive and time consuming software verification"

Similar validation is available for nuclear grade diesel generators and their control systems.

Similar design principles are often applied to the reactor instrumentation, although reactor control is usually digital and verified to the highest level. That typically means no inputs to the system, except the core sensors and core controls. The software uses only a minimal subset of language and OS features - e.g. no memory allocation, no dynamic linking or binding, etc. Calibration and model data must be built into code using a validated code generator and then statically linked into the binary, all memory must be statically allocated at compile time, etc.

The risk is whether less critical systems may be at risk - SCADA and similar systems may be in use for alternator controls, or in switchyard controls. The risk is that grid power to the plant could be interrupted, forcing the plant onto generator power. Or perhaps, other plant might be degraded - non-critical water pumps or plant controls, could mean that under degraded conditions, the plant has less tolerance to a reactor accident.

Realistically, unless you have schematics which detail the control systems in use, it is not possible to determine the severity of a particular attack. Further the interaction between different plant systems may be difficult to predict.

Even if the only realistic target for a cyber attack is the switchyard, that is still highly disruptive and degrades the safety margin of the plant by removing grid power as an energy source.

As a reviewer, I would have rejected the paper because I don't see where either of the references given are cited in the text. However, they would get a point for being up-to-date in citing RFC2821 rather than RFC 821.

Which is exactly why the "establishment" has been trying to ban it.

No, really! The Republican party had the opposition of "teaching of higher-order thinking skills, critical thinking skills and similar programs" in schools written in their platform document as one of their policy aims.

Wash post

Why would FTDI have to ensure their driver doesn't break chips that aren't theirs? There's no agreement, licensing, or goodwill. The problem is that this was not accidental. The FTDI anti-clone code in the driver is very sophisticated and actually performs a "preimage" cryptographic attack, to ensure that the clone chip doesn't detect the invalid configuration and auto-reset to factory defaults. Deliberately and with premeditation setting out to "damage" (which in legal terms includes temporary malfunction or impaired function) hardware is not legal without a court order or similar legal basis. The 2nd issue, is that of ensuring that they do not inconvenience wholly innocent parties. They failed at this. The FTDI anti-clone code will also deactivate genuine FTDI chips which have been configured with an external configuration memory in certain circumstances. This has been reported by a company which build development boards with numerous FTDI chips in different configurations; they found that the chip with an external EEPROM would get corrupted by new driver, even though the components were obtained from an authorized distributor.

However, a lot of manufacture is contracted out. If you're buying 10 or 20 chips for internal R&D you'll likely get genuine ones.

However, when you find a contract manufacturer and ask them to make 100,000. You require an XYZ, Inc. ABC123 chip and ask the manufacturing contractor to source it. Unbeknown to you, they obtain a counterfeit source. The chip is virtually identical externally, and functionally very similar, so that your product passes validation testing.

You as the device designer and seller may have no idea that you have fake chips on your device. Perhaps, your RMA rate is higher than you expected due to chip failures, or perhaps you are getting a lot of bug reports from the field which are not reproducible on your prototypes, but are on production devices.

This isn't the first time a USB->UART vendor has taken vigilante action against fakes. The vendor Prolific had major problems with low-quality, buggy and slow fake chips, causing major support headaches for customers and themselves. I believe they ended up discontinuing their main product and replacing it with an incompatible version, while poisoning the drivers so that they would BSOD/Kernel panic if they detected a fake chip.

Yes. A company called Supereal is selling enormous volumes of "FTDI" chips into the Chinese market. The chips are labelled with the FTDI name and logo and during the USB negotiation, they announce themselves using the FTDI vendor unique ID, in order to use the ubiquitous and flexible FTDI driver (rather than require any development work for their own driver).

See http://zeptobars.ru/en/read/FT... for an example of a fake chip - labelled FTDI on the outside, but supereal on the silicon.

The problem is that the fake chips are buggy and slow compared to the genuine article, causing headaches for USB peripheral designers and support and reputation headaches for FTDI. There is a huge market for USB UART chips, and it is quite competitive, but few of the products on the market are actually as reliable, fast and robust as you would expect them to be. The FTDI FT232RL is one of the best in terms of reliability and has the best drivers, while also providing some handy bonus functionality.

It appears that FTDI have reverse engineered the fake chips and found that they can be reprogrammed. When their driver detects a fake chip, it uses the internal configuration commands to erase the EEPROM memory containing the Vendor Unique ID. With this EEPROM blanked, the chip is unable to complete the device detection process in the OS's USB stack.

The aim was not to find the "best network", but the "best network without redundancy".

The point was that most networks are designed with redundancy in mind, but not all networks require that degree of reliability. For those networks where reliability is not necessary, it would be helpful to know what the lowest cost configurations are.