Wave and tidal seem to have catastrophic problems with cost so far. So far, no one has managed to demonstrate a scalable wave device. Many consortia have developed wave devices of various designs, but prototypes have proven unsatisfactory. They tend to be of small scale and complex, and prototypes have had serious reliability problems and require extensive maintenance, making them unscalable.
Tidal projects have been examined on a variety of scales. A number of large scale projects such as a variety of designs of barrage across the Severn or Mersey estuaries have been assessed. The problem has been cost and environmental damage (and the cost of environmental mitigation, which can double or triple the cost of energy); estuaries hold extremely large biodiversity which can be quite sensitive to disturbance. Several Severn barrage projects have been proposed with a range of sizes between 300 and 8,600 MW, with expected energy costs (based on a 120 year asset life) of between £150-350/MWh. Mersey schemes have been costed in the region of £900-1200/MWh after environmental mitigation. There has also been some assessment of small scale tidal lagoon projects, where barriers are built around small coastal bays converting them to lagoons, rather than estuaries. Proponents have suggested that in optimal locations, they may be able to achieve a cost of around £170-200/MWh.
So far, wind seems to be by far the most successful modality. Additionally, offshore has been remarkably successful as experience has been gained, and the CFD subsidy method has satisfied investors. There are a number of more ambitious offshore wind projects in the planning stages, but the capital costs may be higher, as the water is deeper and the seabed more difficult. Additionally, there are potential connection difficulties: a number of the new sites under consideration are sufficiently far offshore that an AC electrical connection is not feasible. The problem is that the capital costs of offshore HVDC are substantial, with estimated capital costs for the inverters alone (excluding cable) in the region of £1/W; this is a similar magnitude to the capital cost of the turbines themselves!
The key subsidy for the Hinkley Point C project is the contract for difference (CFD) which assures a stable level of revenue provided that the plant performs. The CFD, designed to provide an inflation linked "fixed" price for energy sold, is the exact same model as has been used for renewable generation in the UK for the last decade or so. The idea is that any "low carbon" energy source can utilise the same financial and legislative framework. (With some complications because "renewable" energy is exempt from state aid restrictions under EU law, whereas nuclear energy is not). The CFD is valued so as to provide an agreed level of earnings (after interest, tax, depreciation and amortization) which is typically around 10% per annum if the project were to be delivered as planned. This framework has proved highly successful for the deployment of wind, solar and biomass, as well as other projects which are classed as "low-carbon energy" such as development of district heating systems, combined heat-and-power schemes, etc.
The CFD provides, for a specified duration, a known revenue per unit production. The CFD is inflation linked, but is also linked to O&M costs and financial risks to capital costs, so factors such as a change in finance rates for debt, tax rates, as well as change in staffing, maintenance, waste disposal/decommissioning or fuel costs for whatever reason, would trigger a CFD revaluation.
While the CFD is designed to transfer macroeconomic risks to the government, it is designed to retain project risks with the project owner. The CFD has a fixed duration of operation, which will start at the scheduled date of plant commissioning. Late delivery of the project effectively shortens the duration of the CFD. There is also an option for the government to unilaterally withdraw from the CFD, in the event that the project delivery is very late (7 years).
However, having developed this framework, the UK government did agree to take on some of the project financial risk, by agreeing to underwrite loans given to EDF in relation to the project. This would protect investors from an EDF bankruptcy, although as a French state-owned company, an insolvency would seem somewhat unlikely, as I would expect the French government to step in.
That said, even the loan guarantees have a get-out clause. In the event that the plant under construction in France at Flamanville is not successfully commissioned by 2020, then the loan guarantees are void. There is a real risk that this clause may be triggered: Flamanville is in a precarious state; Areva, the plant vendor decided to bring fabrication of the reactor pressure vessel in house, instead of subcontracting it out. Whereas the external contractor (Japan Steel Works) had already produced a good quality RPV for a Finnish plant, Areva had experienced delays in upgrading their forge to do the work, and had not validated their forging process by destructive testing of a prototype prior to fabricating the RPV. Only after the RPV had been installed, and the rest of the plant built around it, was a prototype destructively tested, and found not to be of acceptable quality.
I don't know what the current auto security tech is, but proper PKI was shunned for a long time. Possibly for reasons of key battery life, or silicon IP costs.
I wouldn't be surprised if current systems are using techniques like HMAC, where both the car and the key use a pre-shared key. In this case, the factory keeps a copy of the database matching VINs to private keys. This allows a dealer or authorized locksmith to either order a new pre-programmed key from the factory, or possibly request the key for field programming a new key. Of course, if that database gets compromised....
If a proper PKI system was used, then it would be possible to program the car to a new fob, by having the fob transmit its public key to the car, and having the car add it to the authorization database.
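Added example (my own code, not from the comment): the pre-shared-key HMAC challenge-response scheme the comment sketches, with a constructed VIN-to-key factory record from which replacement fobs are provisioned. The VIN, fob ids and keys are made up for the demo; the factory record holding every car's shared secret is exactly the exposure the comment ends on.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed factory record: VIN -> {fob id -> pre-shared key}. In the scheme
# the comment describes, the car, the fob and this database all hold the key.
FACTORY_DB: Dict[str, Dict[str, bytes]] = {
    "VIN-DEMO-0001": {"fob-A": secrets.token_bytes(32)},
}


class Car:
    def __init__(self, vin: str):
        self.vin = vin
        self.authorized: Dict[str, bytes] = {}
        self.pending: Optional[bytes] = None
        self.sync_from_factory()

    def sync_from_factory(self) -> None:
        """Dealer-side step: load the car's copy of the shared keys."""
        self.authorized = dict(FACTORY_DB[self.vin])

    def challenge(self) -> bytes:
        """Issue a fresh random nonce; each nonce may be answered once."""
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, fob_id: str, response: bytes) -> bool:
        key = self.authorized.get(fob_id)
        nonce, self.pending = self.pending, None       # nonce is single use
        if key is None or nonce is None:
            return False
        expected = hmac.new(key, self.vin.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)  # constant-time compare


class Fob:
    def __init__(self, fob_id: str, vin: str, key: bytes):
        self.fob_id, self.vin, self.key = fob_id, vin, key

    def respond(self, nonce: bytes) -> bytes:
        # The fob proves key possession without ever transmitting the key.
        return hmac.new(self.key, self.vin.encode() + nonce, hashlib.sha256).digest()


def factory_issue_replacement(vin: str, fob_id: str) -> Fob:
    """Factory mints a new pre-shared key and records it against the VIN;
    the car is then updated from that same record (Car.sync_from_factory)."""
    key = secrets.token_bytes(32)
    FACTORY_DB[vin][fob_id] = key
    return Fob(fob_id, vin, key)


def unlock(car: Car, fob: Fob) -> bool:
    """One complete challenge-response exchange."""
    return car.verify(fob.fob_id, fob.respond(car.challenge()))


def replay_rejected(car: Car, fob: Fob) -> bool:
    """A response recorded from one exchange does not satisfy a later one,
    because the car's challenge changes every time."""
    captured = fob.respond(car.challenge())
    car.verify(fob.fob_id, captured)        # the legitimate exchange
    car.challenge()                         # a new exchange begins
    return not car.verify(fob.fob_id, captured)
```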
Agreed. "Organization" and "Prioritization" are two things that, my experience with EHRs has taught me, they just cannot do to any meaningful extent.
I recall the pain when we tried to migrate our data on an imaging system (PACS) which has a robust, fully standardized protocol for data exchange. With EHRs, things are much more complex, because most packages on the market use proprietary data formats, and while they can export or message across standard interfaces (e.g. HL7) there will often be loss of data, or a change in data presentation (a common one is loss of text formatting or loss of images embedded in text - e.g. rich text storage is quite common, but the data communication/migration interfaces may not support anything beyond straight ASCII text).
Even with our PACS migration, there was a problem, because annotations to the images were stored in a proprietary format, and were not preserved when the data was exported. "Oh. You want the image annotations? OK. We estimate that will take 5 days and 2 developers for development, testing and deployment of the script @ $5k per day per developer".
Things got better from there. "So, how are you going to get the data off the hard drives? The data is held in a proprietary format, and under the terms of the software licence, you will not be permitted to use or develop any software which uses this format once your licence expires. You are reminded that reverse engineering of the file format is strictly prohibited. We can provide a chargeable service for you. We estimate this will take 12 days of development and consultancy @ $5k per day. We will procure (at your expense) a suitable SAN and windows server. We will deploy a script which will convert our files into an industry standard form, and copy them to the new SAN. Please note that this will be performed at our facility. We will require you to ship the servers and SANs containing your data to our workshop at least 12 working days before your software licence expires. Once the transfer is complete, the new servers will be shipped back to your premises."
In the end, we found a specialist consulting firm that was able to extract the data (sans annotations) over the standard interface (by taking over the IP address and credentials of one of the CT scanners which was not used overnight) and trickling the data out overnight at a rate not fast enough to trip the "intrusion detection system" (more like bulk data copy detection system) on the servers.
I can still recall the account manager's face when I told him that we would not be needing his $200k data migration service.
The issue is WHY is there price gouging. Is it because companies are deliberately charging 10,000% more than the normal market rate for no reason other than the desire to profit from a crisis? Or is it because the market has changed, and the only way these companies can remain viable is to charge 10,000% of typical market value for 1% of the time?
The problem is that conventional electricity generation plant is capital intensive and it has significant fixed (staffing and maintenance) and variable running (fuel and maintenance) costs. Because of the variable costs, these plants are sensitive to market pricing, which itself is sensitive to demand. Because of the fixed costs and cost of capital, the pricing power of these plants is dependent upon the number of hours on which they run. A plant which runs 90% of the time amortises its fixed costs over more energy, and hence requires a lower market price to remain viable.
One of the issues in the Australian market (and other markets) is that renewable generation is given privileged access to the electricity market. Renewable generators are protected by price support and guaranteed demand rules, which ensure that these generators receive a minimum price, even if the market price is lower, and energy purchasers must purchase all renewable energy before they are permitted to purchase any conventional energy.
Because renewable energy is variable, this changes the pricing dynamics. For much of the time, market pricing is depressed, undercutting conventional energy generators. As a result, these energy producers must amortise their fixed costs over a lower number of generating hours. In many cases, the operating hours are so few that plants may be placed into deep storage, and destaffed. The problem now is how do you reactivate these plants in an emergency? How long does it take to get enough staff to bring the plant back into operational condition? Where do you find sufficient skilled contractors at 48 hours notice, and how much do these staff cost? How many hours do you expect to operate under emergency conditions, and what price do you need to charge to pay your contractors who are billing at emergency rates?
The failure in the Australian market is a failure of government. The government sets the market rules, and those rules are that power generators can only charge for energy sold. A potential solution, and one which has been adopted by other countries, is to split pricing into a per unit energy charge, and a per hour availability charge - both of which are auctioned separately. In such a scenario, the transmission operator bids for availability, and these fees ensure that power plants remain staffed, maintained and in a responsive state. The energy charges are charged as they are now. Advisers to the Aus government specifically advised this policy to avoid the current problem of conventional plants being decommissioned. They didn't listen. The plants have now been decommissioned or mothballed and are now not available to respond to a power emergency.
Helium has a very low latent heat of vaporization. As a result, an uncompensated heat flux of 1 W into the cryostat will boil off about 15 litres of helium per hour.
With most MRI magnets only holding a spare inventory of under 300 litres, there would be a significant risk of quench if power could not be restored within 24 hours or so.
For this reason, backup generator power for the chillers is strongly recommended for MRI systems, even if generator power is not provisioned for the operation of the scanner itself (up to 150kW for the RF and gradient amplifiers, with extremely rapid load rise times and as these are precision electronic systems, the generator needs to be able to maintain adequate voltage regulation under this very difficult load). This is the case at my hospital. We have 4 MRI scanners, but we only have sufficient generator provision for the chillers, and not for the scanners themselves.
EM shielding is still essential, and nothing has really developed to change this. The signals are incredibly weak, and extensive RF shielding is required. To give an example, an incandescent light bulb in the scanner room which is reaching end-of-life can produce so much RF from micro-arcs on the failing filament that it can completely swamp the signal.
Capital cost is still very high, typically in the region of $1.5 million for a 1.5T machine, and $2.5-3 million for a 3T machine. Capital costs for the more capable machines are going up due to various developments - e.g. parallel receiver channels (up to 256 channels in the latest machines), parallel transmit channels with higher pulse powers (currently 2x 40 kW RF power amps and transmit antennas, but systems with 4 or 8 transmit channels are in development). Not to mention that there is a push towards larger dimension magnets, which substantially increase the capital cost.
There has also been considerable development in new algorithms for faster imaging, by using incomplete or overlapped imaging acquisitions, which requires extremely complex mathematical processing. CT scanners went through this development a few years ago to improve quality and reduce radiation dose, and image reconstruction went from a 1 ms task running in software, to a 250 ms task running on a 20U rack packed with $250k+ of GPUs. It is likely that the next generation of MRI scanners will use similar compute hardware.
All MRI scanners made in the last 5 years are zero-helium loss, so should not require any top-up of helium. However, they do need heavy chillers to recondense the helium - chillers with cooling powers of up to 1 W are now routinely used, which bring with them energy costs of around $20-30k per year. Many manufacturers also offer helium-free magnets (essentially the magnet coils are bonded to a giant copper/aluminium thermal mass, which is bonded to a cryochiller), these are substantially more expensive in capital cost, and energy cost, and much less tolerant to power failure. However, for areas where helium fills are impractical or too expensive, then these are a viable option.
The defective application in this example is an electronic records system. It allows the doctors/nurses/technicians to enter medical data during a procedure, collects X-ray image metadata from the imaging equipment and combines it with the doctor's notes for transmission to a medical records system, etc.
The other issue is that Windows 7 and 8 would install updates if you shutdown/restarted when there were updates pending installation.
In Windows 10, shutdowns are actually elided into hibernation. This means that if you turn your PC off at night or when you go out, with Windows 10, you no longer get updates installed when you are not using the computer. Instead, the updates require you to actively initiate a reboot interactively - in other words, you can only install updates when you are actively using the computer.
Traditional refrigerants like R-12 (dichlorodifluoromethane) have massive ozone destruction capability; 1st generation replacements like R-134a (1,1,1,2-tetrafluoroethane) have minimal ozone destruction capability but very high global warming potential (thousands of times more potent than CO2, gram for gram); 2nd generation replacements like R-1234yf (2,3,3,3-tetrafluoropropene), while having no ozone destruction capability and minimal global warming potential, suffer from being highly flammable, increasing the risk of leaks.
The advantage of CO2 is that it is neither flammable, ozone damaging, high GWP, nor significantly toxic. The disadvantage is that substantial re-designs of refrigeration systems are required to use it, as well as some changes to operation/maintenance.
The transition from R-12 to R-134a is near drop-in, with only minimal redesign required for optimal performance. To switch to R-1234yf, the re-design required is relatively modest (pressures are higher, so a different pump is needed), but otherwise the principles and basic system architecture are the same. With CO2, you are dealing with transcritical fluids, and this requires a significant architectural change to the refrigerant circuit (as there is no condensation of the refrigerant, so no liquid refrigerant in the circuit).
The standard is that a TRIMmed LBA should read as all zeros. This is so as to permit the use of TRIM in RAID arrays while preserving parity consistency.
If the OS needs to TRIM an entire RAID stripe, it fires off a TRIM command to the data drives, and calculates parity for null data, and writes that to the parity drive.
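Added example (my own code, not from the comment): a toy RAID-5 stripe model showing why the "TRIMmed block reads as zeros" rule matters. Under that rule the OS can TRIM data blocks and write parity for null data and the stripe stays consistent; a drive that hands back stale data after TRIM (modelled by the `zeros_after_trim=False` flag, which is a constructed switch for this demo) silently breaks parity and reconstruction.

```python
from typing import List, Optional

BLOCK_SIZE = 8  # constructed: tiny blocks keep the example readable


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR parity of equal-sized blocks."""
    out = bytearray(BLOCK_SIZE)
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)


class Raid5Stripe:
    """One stripe of a RAID-5 set: data blocks plus an XOR parity block.

    A trimmed block is recorded as None. Whether a read of it returns zeros
    (the behaviour the comment describes, usually called RZAT) or whatever
    stale data the flash still holds is controlled by `zeros_after_trim`."""

    def __init__(self, data: List[bytes], zeros_after_trim: bool = True):
        self.data: List[Optional[bytes]] = list(data)
        self.stale = list(data)          # what a non-compliant drive may return
        self.zeros_after_trim = zeros_after_trim
        self.parity = xor_blocks(data)

    def read(self, i: int) -> bytes:
        if self.data[i] is None:
            return bytes(BLOCK_SIZE) if self.zeros_after_trim else self.stale[i]
        return self.data[i]

    def trim(self, indices: Optional[List[int]] = None) -> None:
        """TRIM the given blocks (the whole stripe by default) and, as the OS
        does, write parity computed with those blocks taken as all zeros."""
        for i in indices if indices is not None else range(len(self.data)):
            self.data[i] = None
        assumed = [bytes(BLOCK_SIZE) if b is None else b for b in self.data]
        self.parity = xor_blocks(assumed)

    def reconstruct(self, missing: int) -> bytes:
        """Rebuild one block from the other data blocks and parity, as a
        degraded array would after losing the drive holding `missing`."""
        others = [self.read(j) for j in range(len(self.data)) if j != missing]
        return xor_blocks(others + [self.parity])

    def parity_consistent(self) -> bool:
        """True when parity matches what the drives actually return on read."""
        return xor_blocks([self.read(j) for j in range(len(self.data))]) == self.parity
```

A real array would scrub for exactly the inconsistency the non-zeros case produces; the point is that it only appears if the drive does not honour the read-zeros rule.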
Even this interpretation is misleading. What actually occurred was that total renewable electrical energy generated in Scotland exceeded half of electrical energy consumed.
Scotland does not have indigenous demand sufficient to consume its electricity generation; about 35% of its electricity generation is exported to England. About 2% of electricity demand is imported from England during periods of low wind generation.
100GBase-ZR achieves its 120 Gbps line rate by using a complex modulation scheme to encode 3 bits per symbol. 2 bits are transmitted using QPSK and 1 bit is transmitted by choosing either horizontal or vertical polarization.
The issue with long-haul transmission is that you only have a limited bandwidth available which works with optical amplifiers and avoids the water "dip". It's common to use DWDM techniques to cram multiple individual streams onto a single fiber. This yields just under 100 usable channels of 50 GHz bandwidth. The advantage of Juniper's proprietary "100GBase-ZR" protocol is that it needs only just over 40 GHz of bandwidth, so fits into a single channel.
The technology described in the article is about a new type of VCSEL laser diode. These have been widely used as transmission elements, but have traditionally had limited on-off bandwidth, hence early 10 Gbps transceivers often used much more expensive lasers such as Fabry-Perot lasers, and devices operating on 25 Gbps lanes have resorted to the even more expensive Mach-Zehnder optical modulators. VCSELs are easy to fabricate and cheap, hence if a simple On-Off modulation is sufficient then they are ideal (not to mention that carrier-switched modulation is easy to demodulate, unlike the nightmare which is DP-QPSK). The disadvantage with OOK is that the bandwidth equals the symbol rate, so 50 Gbps OOK would not fit into a single 50 GHz channel with guard bands, and would require a larger channel allocation on a trunk fiber.
But that wouldn't really achieve much. The main feature of Slysoft's solution was not the software itself (which is certainly impressive) but the fact that they would update the software with new encryption keys every few weeks, often within days of a new encryption key being used.
AACS has a huge inventory of keys which can be used. Slysoft had managed to find an exploit in either a hardware or software player, which allowed them to extract the key when a newly released disc requested a previously unknown key ID.
Considering that the whole purpose of touch ID on the affected devices is to enable "apple pay", and apple pay works by storing a private key with authority to authorize payments from your bank account into the secure enclave. To make a payment, you re-verify fingerprint, which authorizes the secure enclave to sign a transaction message.
Because the finger print sensor is intended to communicate with the secure enclave, it is a potential avenue for attack; replay attack, fuzzing attacks on the secure enclave software, power/time cryptanalytic attacks, etc. Given the high value of the keys stored in the secure enclave, the latest version of the OS software is designed to fail even to boot if it detects a failure of pairing.
Earlier versions of the OS software would run with a mis-paired sensor, but apple pay would fail to work. The latest software update recognises that hardware attacks on the secure enclave might be possible, and pro-actively locks down the entire device if it detects a potential tamper attempt.
I agree. Think of it this way, Apple are trying to push Apple pay which makes use of the system security provided by the fingerprint scanner (the private keys for apple pay are split between the fingerprint scanner chip and the crypto engine chip on the motherboard, so that compromising one chip doesn't reveal the whole key).
At present, the OS will disable apple pay when it finds that the finger print scanner fails to negotiate key exchange correctly; this potentially ends up with a tech support call to apple, or a social media posting saying, "why does my apple pay keep screwing up?".
Now consider what happens when there are a large number of field-repaired phones with knock-off fingerprint scanners. They appear to work fine, but some features are broken in subtle ways. The customer is confused; they may not relate it to the repair they had done; it creates an impression of an unreliable product and an expensive customer support nightmare. Clearly, apple want to stop this before it becomes endemic.
With the OS doing a full power-on self test on the security infrastructure, such a fault would be detected at the first reboot after the damage occurred, or after a repair using an incorrect part was performed. The security failure can now be easily attributed to the damage/repair, even by users of social media and journalists. This ensures that repairers don't perform half-assed repair jobs which can lead to incomplete or faulty operation (on what is marketed as a premium product).
I guess that in that region, the legislation doesn't allow the utility to charge the customer the capital costs of new capacity.
In the UK, the utility can charge the customer the capital costs of a network upgrade (on a pro-rata basis - e.g. if a network provider chooses to replace a 10 MW transformer with a 20 MW transformer in order to service a new 5 MW customer, then they can bill the customer for 50% of the capital costs prior to agreeing the connection).
We had this issue recently at the hospital where I work. The hospital had a single (non-redundant) 2 MW supply, which was at breaking point (in fact it did break), to the point that in Summer the buildings manager turned off all the AC on campus, except that necessary to prevent overheating of critical care areas. Even then, it was necessary to curtail use of big power hogs like CT and MRI scanners.
The hospital wanted an upgrade to 4 MW, but also wanted dual redundancy. They ended up having to pay for 6 MW of network upgrades (2 MW upgrade + 4 MW of redundant network provision).
GPS is not a particularly stable frequency reference over the short term due to atmospheric distortions and various other noise sources. However, over the long-term it is outstanding.
The normal process is to use a very high quality short-term stable oscillator, e.g. a temperature controlled quartz crystal oscillator - but discipline it to the long-term stable GPS signal. Over periods of hours to days, the quartz oscillator can drift in frequency due to aging, shifts in environmental factors which affect the regulated temperature, etc. By averaging the deviation of the local oscillator from the GPS reference over a suitable period, and gradually tuning the local oscillator to null that error, you can get a frequency with the short-term stability of top-quality quartz, with the long-term stability of GPS.
A similar principle is used with atomic clocks - the atomic reference is used to discipline a good quality quartz oscillator. However, the long term stability of rubidium clocks is several orders of magnitude worse than GPS, hence it is common to find many capable of being disciplined by GPS, or an alternative very high stability atomic source (such as a caesium clock, or hydrogen maser).
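Added example (my own simulation, not from the comment): a quartz oscillator disciplined to GPS by averaging the measured error over a window and then tuning it out, as the comment describes. All rates (aging, initial offset, GPS jitter, window length) are constructed for illustration; the aging is exaggerated so the free-running drift is visible within the run.

```python
import random
from statistics import mean, pstdev


def simulate_gpsdo(seconds: int = 20000, window: int = 600,
                   gain: float = 1.0, seed: int = 7):
    """Simulate a quartz oscillator disciplined to GPS.

    Returns three per-second frequency-error series in Hz: the free-running
    quartz, the raw one-second comparison against GPS, and the disciplined
    output. Every rate below is constructed for illustration, not measured."""
    rng = random.Random(seed)
    aging_hz_per_s = 5e-5     # quartz drift, exaggerated so it shows in 20000 s
    quartz_offset = 2.0       # initial calibration error of the quartz (Hz)
    gps_jitter_hz = 0.5       # short-term noise on each GPS comparison
    tune = 0.0                # correction currently applied to the quartz
    free, gps, disciplined, recent = [], [], [], []
    for _ in range(seconds):
        quartz_offset += aging_hz_per_s
        out = quartz_offset + tune                      # error of tuned output
        measured = out + rng.gauss(0.0, gps_jitter_hz)  # noisy GPS comparison
        free.append(quartz_offset)
        gps.append(measured)
        disciplined.append(out)
        recent.append(measured)
        if len(recent) == window:        # end of one averaging period
            tune -= gain * mean(recent)  # steer the averaged error toward zero
            recent.clear()
    return free, gps, disciplined


def long_term_error(series) -> float:
    """Mean error over the second half of the run (long-term accuracy)."""
    half = len(series) // 2
    return mean(series[half:])


def short_term_jitter(series) -> float:
    """Spread of second-to-second changes (short-term stability)."""
    return pstdev([b - a for a, b in zip(series, series[1:])])
```

The free-running quartz keeps the initial offset and drifts further, the raw GPS comparison is accurate on average but noisy second to second, and the disciplined output has the quartz's quietness with the GPS's long-term mean.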
Indeed, the £92.50/MWh is certainly fairly generous, but in reality, even new-build CCGT is expected to have a levelised cost of energy in the UK in the region of £70-80/MWh depending on assumptions about load factor and price of gas/carbon taxation.
That said, the contract for difference method of subsidy has the advantage that there is no up-front cost for the taxpayer; the taxpayer only pays based upon performance. The CfD expiry date is scheduled 35 years from the date of expected start of commercial operation. In the event of construction delays, such as the clusterfucks in Finland and France, then the expiry date should remain fixed.
The advantage of this method over things such as direct cash subsidies or loan guarantees is that the taxpayer is protected from all construction and engineering risk.
In addition, the government is trying to change the CfD arrangement for new low-carbon build. Up to now, the agreement has been a fixed price tariff - £155/MWh for offshore wind, and £100/MWh for onshore wind. From this year, the CfDs are awarded on a competitive basis, so construction firms bid at auction for the CfD, and the lowest strike price gets the CfD.
I fully expect that for any additional nuclear build, there may be an element of competition in the application process, particularly as there are several consortia who have expressed a strong interest.
The company did have a lockout procedure and a "permit to work" procedure. The problem was that there were two different companies working on the same site and they failed to have a proper protocol when one needed the other to disconnect power.
The facility had a single power feed, and the routine maintenance and supervision of the electrical system in the building was outsourced to a building management company. The provision of a second supply and associated switching system was being performed by a specialist electrical contractor.
The time came to disconnect the IT loads from the incumbent single-feed switchboard and connect them to the dual-feed switchboard during a period of scheduled downtime. The building management contractor issued a "permit to work" to a cable jointer to disconnect a sub-switchboard from the main supply and connect it to the new dual-feed switchboard; the permit certified that the main supply had been turned off and locked out, and would only be unlocked upon return of the permit.
The original plan had been to connect the IT loads first, then connect power to the new switchboard. However, because of a specification error when procuring the switchboard, it had been modified on-site, and following modification required live testing prior to connection of any IT equipment. As a result, it had already been connected to both the existing supply (under the management of the facilities management company), and also to the new supply (which had not yet been handed over, and remained under the control of the installing contractor), before any outgoing cables were connected.
While the building management company had disconnected the building's main supply and locked it off prior to issuing the permit to work on the switchboard, they had failed to contact the contractor handling the 2nd supply and failed to ensure that the 2nd supply was also locked out. As a result, when the cable jointer set to work, the switchboard was still energised by the 2nd supply. Although the connections that the jointer was working on were dead and isolated by a switch in the switchboard, as the switchboard was open, he accidentally contacted the busbars fed from the 2nd supply and was electrocuted.
Emergency core cooling, formally known as the passive residual heat removal system (PRHR) is provided by a gravity pumped heat exchanger which transmits heat from the reactor coolant into a 1 million litre refuelling water tank in the containment building. To initiate passive cooling, there are 2 parallel valves which hold the circuit closed, each capable of providing 100% of necessary flow. The valves are dual-activated (DC electrical and pneumatic). They fail open under spring tension in the event of failure of the control signal.
In the event that both PRHR valves fail to open, then the reactor circuit will be vented into the containment building (simulating a pipe break). This will cause the reactor circuit to lose coolant and trigger the emergency cold coolant injection systems. A series of gas-charged hydraulic accumulator tanks discharge in sequence into the reactor to ensure it remains full of water, while steam is allowed to vent through pressure relief valves. Each stage of coolant injection has two fully independent dual redundant trains, with the key valves being dual redundant, dual-activated and fail-open within each train. This culminates with valves connecting the reactor coolant system and the refuelling tank together opening, providing 1 million litres of additional coolant capacity.
After about 24 hours (or sooner in the event of a large pipe break) coolant injection is complete, the reactor is fully de-pressurised and the circuit is fully open to the containment building. The refuelling tank will have been drained, either through a pipe break (or manually) and the water will completely submerge the reactor and its associated piping. The decay heat from the core can then escape via the reactor vessel walls and pipes into the water flooding the containment.
The core injection systems are sufficiently powerful that clean rupture of a 25 mm diameter pipe will not result in the water level dropping below the top of the core at any time. In the event of a large pipe break (e.g. a clean rupture of a 350 mm PRHR pipe), then temporary uncovering of the reactor core is possible, and this may result in overheating and damage to the fuel; however, because of the very high capacity of the coolant pressurizer and coolant injection tanks/accumulators, the temperature rise is brief and below the level at which the fuel rod cladding is expected to fail or produce hydrogen. As is conventional for nuclear pipework, the pipes are built in such a way that they are intended to leak long before rupture, so a clean rupture would be a rare event.
The AP1000 has a number of on-site and internal reserve water tanks, holding close to 1 million gallons of demineralized water.
The plant has several electric pumps capable of transferring water from the bulk tanks to the containment cooling system, which could be connected to portable generators in a serious emergency. The plant also has multiple connection ports for portable pumps allowing water to be transferred into the containment cooling system from the bulk tanks or from fire engines/water tankers.
As the containment cooling tanks are at atmospheric pressure, only low pressure pumps are required, unlike at Fukushima where emergency response teams were trying to use pumps to inject water into the reactors at dozens of atmospheres of pressure.
The AP1000 has 72 hours of decay heat removal capability in the event of total loss of onsite power. If no action is taken to replenish cooling water, then decay heat would cause overheating and overpressure of the containment building and require venting of the containment building to the atmosphere. Radioactivity release from such venting is likely to be low unless meltdown or fuel damage has already occurred. Due to the large inventory of water within the containment building, decay heat is unlikely to result in meltdown for many days following the exhaustion of the containment cooling water.
In order to ensure integrity of the containment, additional cold water would need to be pumped into the containment building roof tank within 72 hours. This could be by restoration of the electrical supply, use of diesel powered water pumps held on site, use of portable water pumps held near site, or by use of fire pumps.
The ESBWR, which is the main competitor to the AP1000, meets the Gen3+ requirement of 72 hours of decay heat removal without operator intervention. Like the AP1000, no diesel or grid power is necessary to meet this requirement. Like the AP1000, the ESBWR has 2(N+1) redundant UPS systems with 72 hours of battery autonomy for shutdown control and monitoring equipment. However, the ESBWR has a 7 day reserve of cold water for containment cooling. In the event of operator inaction, the UPS batteries will deplete after approximately 72 hours, but passive containment cooling will continue for up to 7 days before water tanks would need to be replenished.
Except we're not talking about complex security models such as role-based access, split encryption keys, external audits and pen-tests.
This is the most basic level of security:
Failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
Storing customers' bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate internal system) - something which is just totally inept design.
Beyond that, it is clear that they don't make use of good development practice. A quick look at the source for their web site shows stuff like inline CSS, comments all over the place, IFRAMES, etc. All that sort of stuff indicates that they don't have adequate code standards, they are unlikely to be using a version control system, and they have no idea what an XSS vulnerability is.
Finally, it is obvious that the communication between their IT department and CEO is sorely lacking. This is the 3rd time they have been hacked and suffered a major data breach. It is clear that they learned nothing on the first 2 occasions. The CEO made a public media statement saying that she did not know if customer details, passwords or banking details were stored in an encrypted form, and did not know how long it would take to find out (it's hard to believe that the CEO could not have asked the CTO, or that the CTO wouldn't know, or be able to find out). Moreover, the advice to customers given via the media has also been incorrect (e.g. Q: How do I know if an e-mail purporting to be from TalkTalk is genuine? Check the "from" address shown in your e-mail software. If it is genuine it would be a TalkTalk address.)
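The two code-level failings named above (unvalidated input and dynamic SQL instead of prepared statements) side by side, as an added example that is not part of the original post. It uses Python's standard sqlite3 module with a constructed in-memory user table; the table layout and the allow-list pattern for usernames are assumptions chosen for the illustration.

```python
import re
import sqlite3

# Constructed sample data; not from the original post.
USERS = [("alice", "hash-a"), ("bob", "hash-b")]


def make_db():
    """In-memory SQLite database standing in for the web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def lookup_dynamic(conn, username):
    """The pattern the post criticises: user input spliced into the SQL text.
    Whatever the caller supplies becomes part of the statement itself."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_prepared(conn, username):
    """The trivial fix: a parameterised statement. The driver binds the value,
    so it can never change the structure of the statement."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def is_valid_username(username):
    """Input validation as a second, independent layer: an allow-list of
    characters, checked before the value goes anywhere near the database."""
    return USERNAME_RE.fullmatch(username) is not None
```

Running `lookup_dynamic` with a username containing a quote character returns rows the caller was never meant to see, while `lookup_prepared` with the same string returns nothing; the allow-list check rejects the string before either query is reached, which is the layering the post calls basic.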
The key subsidy for the Hinkley Point C project is the contract for difference (CFD) which assures a stable level of revenue provided that the plant performs. The CFD, designed to provide an inflation linked "fixed" price for energy sold, is the exact same model as has been used for renewable generation in the UK for the last decade or so. The idea is that any "low carbon" energy source can utilise the same financial and legislative framework. (With some complications because "renewable" energy is exempt from state aid restrictions under EU law, whereas nuclear energy is not). The CFD is valued so as to provide an agreed level of earnings (after interest, tax, depreciation and amortization) which is typically around 10% per annum if the project were to be delivered as planned. This framework has proved highly successful for the deployment of wind, solar and biomass, as well as other projects which are classed as "low-carbon energy" such as development of district heating systems, combined heat-and-power schemes, etc.
The CFD provides, for a specified duration, a known revenue per unit production. The CFD is inflation linked, but is also linked to O&M costs and financial risks to capital costs, so factors such as a change in finance rates for debt, tax rates, as well as change in staffing, maintenance, waste disposal/decommissioning or fuel costs for whatever reason, would trigger a CFD revaluation.
While the CFD is designed to transfer macroeconomic risks to the government, it is designed to retain project risks with the project owner. The CFD has a fixed duration of operation, which will start at the scheduled date of plant commissioning. Late delivery of the project effectively shortens the duration of the CFD. There is also an option for the government to unilaterally withdraw from the CFD, in the event that the project delivery is very late (7 years).
However, having developed this framework, the UK government did agree to take on some of the project financial risk, by agreeing to underwrite loans given to EDF in relation to the project. This would protect investors from an EDF bankruptcy, although as a French state-owned company, an insolvency would seem somewhat unlikely, as I would expect the French government to step in.
That said, even the loan guarantees have a get-out clause. In the event that the plant under construction in France at Flamanville is not successfully commissioned by 2020, then the loan guarantees are void. There is a real risk that this clause may be triggered: Flamanville is in a precarious state; Areva, the plant vendor decided to bring fabrication of the reactor pressure vessel in house, instead of subcontracting it out. Whereas the external contractor (Japan Steel Works) had already produced a good quality RPV for a Finnish plant, Areva had experienced delays in upgrading their forge to do the work, and had not validated their forging process by destructive testing of a prototype prior to fabricating the RPV. Only after the RPV had been installed, and the rest of the plant built around it, was a prototype destructively tested, and found not to be of acceptable quality.
I don't know what the current auto security tech is, but proper PKI was shunned for a long time. Possibly for reasons of key battery life, or silicon IP costs.
I wouldn't be surprised if current systems are using techniques like HMAC, where both the car and the key use a pre-shared key. In this case, the factory keeps a copy of the database matching VINs to private keys. This allows a dealer or authorized locksmith to either order a new pre-programmed key from the factory, or possibly request the key for field programming a new key. Of course, if that database gets compromised....
If a proper PKI system was used, then it would be possible to program the car to a new fob, by having the fob transmit its public key to the car, and having the car add it to the authorization database.
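The pre-shared-key arrangement described in the post, as an added example that is not part of the original post: a car and fob sharing an HMAC secret, a factory database keyed by VIN from which a dealer programs a replacement fob, and single-use random challenges so that a captured response cannot be replayed. The database layout, VIN string and helper names are constructed for the illustration; it uses only Python's standard library.

```python
import hashlib
import hmac
import os

# Constructed factory database: VIN -> pre-shared secret. In the scheme the
# post describes, this table is what lets a dealer order a replacement fob,
# and it is also the single record whose compromise affects every car in it.
FACTORY_DB = {"VIN-EXAMPLE-0001": os.urandom(32)}


class Fob:
    """A key fob holding the pre-shared secret for one car."""

    def __init__(self, secret):
        self._secret = secret

    def respond(self, challenge):
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Car:
    """Car-side verifier: issues a fresh random challenge, accepts one response
    to it, then forgets it, so a recorded response is useless later."""

    def __init__(self, vin, secret):
        self.vin = vin
        self._secret = secret
        self._outstanding = None

    def new_challenge(self):
        self._outstanding = os.urandom(16)
        return self._outstanding

    def verify(self, challenge, response):
        if self._outstanding is None or not hmac.compare_digest(challenge, self._outstanding):
            return False
        self._outstanding = None  # single use: a replayed pair fails this check
        expected = hmac.new(self._secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def provision_car(vin):
    """Factory step: the car leaves with the secret recorded against its VIN."""
    return Car(vin, FACTORY_DB[vin])


def order_replacement_fob(vin):
    """Dealer step: look the VIN up and programme a new fob with its secret."""
    return Fob(FACTORY_DB[vin])


def unlock_attempt(car, fob):
    """One full challenge-response exchange; returns whether the car accepted it."""
    challenge = car.new_challenge()
    return car.verify(challenge, fob.respond(challenge))
```

The contrast with the PKI arrangement the post prefers is where the secrets live: here the car, the fob and the factory all hold the same secret, so the factory database is the asset to protect. With a public-key fob, the car would store only the fob's public key, enrolment would be a matter of accepting a new public key during an authorised programming session, and there would be no central table of secrets to protect.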
Agreed. "Organization" and "Prioritization" are two things that, my experience with EHRs has taught me, they just cannot do to any meaningful extent.
I recall the pain when we tried to migrate our data on an imaging system (PACS) which has a robust, fully standardized protocol for data exchange. With EHRs, things are much more complex, because most packages on the market use proprietary data formats, and while they can export or message across standard interfaces (e.g. HL7) there will often be loss of data, or a change in data presentation (a common one is loss of text formatting or loss of images embedded in text - e.g. rich text storage is quite common, but the data communication/migration interfaces may not support anything beyond straight ASCII text).
Even with our PACS migration, there was a problem, because annotations to the images were stored in a proprietary format, and were not preserved when the data was exported. "Oh. You want the image annotations? OK. We estimate that will take 5 days and 2 developers for development, testing and deployment of the script @ $5k per day per developer".
Things got better from there. "So, how are you going to get the data off the hard drives? The data is held in a proprietary format, and under the terms of the software licence, you will not be permitted to use or develop any software which uses this format once your licence expires. You are reminded that reverse engineering of the file format is strictly prohibited. We can provide a chargeable service for you. We estimate this will take 12 days of development and consultancy @ $5k per day. We will procure (at your expense) a suitable SAN and windows server. We will deploy a script which will convert our files into an industry standard form, and copy them to the new SAN. Please note that this will be performed at our facility. We will require you to ship the servers and SANs containing your data to our workshop at least 12 working days before your software licence expires. Once the transfer is complete, the new servers will be shipped back to your premises."
In the end, we found a specialist consulting firm that was able to extract the data (sans annotations) over the standard interface (by taking over the IP address and credentials of one of the CT scanners which was not used overnight) and trickling the data out overnight at a rate not fast enough to trip the "intrusion detection system" (more like bulk data copy detection system) on the servers.
I can still recall the account manager's face when I told him that we would not be needing his $200k data migration service.
The issue is WHY is there price gouging. Is it because companies are deliberately charging 10,000% more than the normal market rate for no reason other than the desire to profit from a crisis? Or is it because the market has changed, and the only way these companies can remain viable is to charge 10,000% of typical market value for 1% of the time?
The problem is that conventional electricity generation plant is capital intensive and it has significant fixed (staffing and maintenance) and variable running (fuel and maintenance) costs. Because of the variable costs, these plants are sensitive to market pricing, which itself is sensitive to demand. Because of the fixed costs and cost of capital, the pricing power of these plants is dependent upon the number of hours on which they run. A plant which runs 90% of the time amortises its fixed costs over more energy, and hence requires a lower market price to remain viable.
One of the issues in the Australian market (and other markets) is that renewable generation is given privileged access to the electricity market. Renewable generators are protected by price support and guaranteed demand rules, which ensure that these generators receive a minimum price, even if the market price is lower, and energy purchasers must purchase all renewable energy before they are permitted to purchase any conventional energy.
Because renewable energy is variable, this changes the pricing dynamics. For much of the time, market pricing is depressed, undercutting conventional energy generators. As a result, these energy producers must amortise their fixed costs over a lower number of generating hours. In many cases, the operating hours are so few, that plants may be placed into deep storage, and destaffed. The problem now is how do you reactivate these plants in an emergency? How long does it take to get enough staff to bring the plant back into operational condition? Where do you find sufficient skilled contractors at 48 hours notice, and how much do these staff cost? How many hours do you expect to operate under emergency conditions, and what price do you need to charge to pay your contractors who are billing at emergency rates?
The failure in the Australian market is a failure of government. The government sets the market rules, and those rules are that power generators can only charge for energy sold. A potential solution, and one which has been adopted by other countries, is to split pricing into a per unit energy charge, and a per hour availability charge - both of which are auctioned separately. In such a scenario, the transmission operator bids for availability, and these fees ensure that power plants remain staffed, maintained and in a responsive state. The energy charges are charged as they are now. Advisers to the Aus government specifically advised this policy to avoid the current problem of conventional plants being decommissioned. They didn't listen. The plants have now been decommissioned or mothballed and are now not available to respond to a power emergency.
Helium has a very low latent heat of vaporization. As a result, an uncompensated heat flux of 1 W into the cryostat will boil off about 15 litres of helium per hour.
With most MRI magnets only holding a spare inventory of under 300 litres, there would be a significant risk of quench if power could not be restored within 24 hours or so.
For this reason, backup generator power for the chillers is strongly recommended for MRI systems, even if generator power is not provisioned for the operation of the scanner itself (up to 150 kW for the RF and gradient amplifiers, with extremely rapid load rise times, and as these are precision electronic systems, the generator needs to be able to maintain adequate voltage regulation under this very difficult load). This is the case at my hospital. We have 4 MRI scanners, but we only have sufficient generator provision for the chillers, and not for the scanners themselves.
EM shielding is still essential, and nothing has really developed to change this. The signals are incredibly weak, and extensive RF shielding is required. To give an example, an incandescent light bulb in the scanner room which is reaching end-of-life can produce so much RF from micro-arcs on the failing filament that it can completely swamp the signal.
Capital cost is still very high, typically in the region of $1.5 million for a 1.5T machine, and $2.5-3 million for a 3T machine. Capital costs for the more capable machines are going up due to various developments - e.g. parallel receiver channels (up to 256 channels in the latest machines), parallel transmit channels with higher pulse powers (currently 2x 40 kW RF power amps and transmit antennas, but systems with 4 or 8 transmit channels are in development). Not to mention that there is a push towards larger dimension magnets, which substantially increase the capital cost.
There has also been considerable development in new algorithms for faster imaging, by using incomplete or overlapped imaging acquisitions, which requires extremely complex mathematical processing. CT scanners went through this development a few years ago to improve quality and reduce radiation dose, and image reconstruction went from a 1 ms task running in software, to a 250 ms task running on a 20U rack packed with $250k+ of GPUs. It is likely that the next generation of MRI scanners will use similar compute hardware.
All MRI scanners made in the last 5 years are zero-helium loss, so should not require any top-up of helium. However, they do need heavy chillers to recondense the helium - chillers with cooling powers of up to 1 W are now routinely used, which bring with them energy costs of around $20-30k per year. Many manufacturers also offer helium-free magnets (essentially the magnet coils are bonded to a giant copper/aluminium thermal mass, which is bonded to a cryochiller), these are substantially more expensive in capital cost, and energy cost, and much less tolerant to power failure. However, for areas where helium fills are impractical or too expensive, then these are a viable option.
The defective application in this example is an electronic records system. It allows the doctors/nurses/technicians to enter medical data during a procedure, collects X-ray image metadata from the imaging equipment and combines it with the doctor's notes for transmission to a medical records system, etc.
The other issue is that Windows 7 and 8 would install updates if you shut down/restarted when there were updates pending installation.
In Windows 10, shutdowns are actually elided into hibernation. This means that if you turn your PC off at night or when you go out, with Windows 10, you no longer get updates installed when you are not using the computer. Instead, the updates require you to actively initiate a reboot interactively - in other words, you can only install updates when you are actively using the computer.
Traditional refrigerants like R-12 (dichlorodifluoromethane) have massive ozone destruction capability; 1st generation replacements like R-134a (1,1,1,2-tetrafluoroethane) have minimal ozone destruction capability but very high global warming potential (thousands of times more potent than CO2, gram for gram); 2nd generation replacements like R-1234yf (2,3,3,3-tetrafluoropropene), while having no ozone destruction capability and minimal global warming potential, suffer from being highly flammable, increasing the risk of leaks.
The advantage of CO2 is that it is neither flammable, ozone damaging, high GWP, nor significantly toxic. The disadvantage is that substantial re-designs of refrigeration systems are required to use it, as well as some changes to operation/maintenance.
The transition from R-12 to R-134a, is near drop-in, with only minimal redesign required for optimal performance. To switch to R-1234yf, the re-design required is relatively modest (pressures are higher, so a different pump is needed), but otherwise the principles and basic system architecture are the same. With CO2, you are dealing with transcritical fluids, and this requires a significant architectural change to the refrigerant circuit (as there is no condensation of the refrigerant, so no liquid refrigerant in the circuit).
The standard is that a TRIMmed LBA should read as all zeros. This is so as to permit the use of TRIM in RAID arrays while preserving parity consistency.
If the OS needs to TRIM an entire RAID stripe, it fires off a TRIM command to the data drives, and calculates parity for null data, and writes that to the parity drive.
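The parity bookkeeping described above, as an added example that is not part of the original post: a toy RAID-5 stripe with XOR parity, drives whose TRIMmed LBAs read back as zeros, and the "TRIM the data drives, write parity for null data" step. The block sizes, the `deterministic` switch modelling a drive that returns stale data after TRIM, and all class names are constructed for the illustration.

```python
CHUNK = 8  # bytes per block in this toy array (constructed size)


def xor_parity(chunks):
    """RAID-5 style parity: byte-wise XOR of the data chunks in one stripe."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


class Drive:
    """A drive whose TRIMmed LBAs read back as zeros (the standard the post
    describes). With deterministic=False it returns whatever stale bytes are
    still on the media, modelling a drive that does not honour that standard."""

    def __init__(self, n_blocks, deterministic=True):
        self.media = bytearray(n_blocks * CHUNK)
        self.trimmed = set()
        self.deterministic = deterministic

    def write(self, lba, data):
        self.trimmed.discard(lba)
        self.media[lba * CHUNK:(lba + 1) * CHUNK] = data

    def trim(self, lba):
        self.trimmed.add(lba)  # the media is only marked, not overwritten

    def read(self, lba):
        if lba in self.trimmed and self.deterministic:
            return bytes(CHUNK)
        return bytes(self.media[lba * CHUNK:(lba + 1) * CHUNK])


class Raid5:
    """n_data data drives plus one dedicated parity drive, one stripe per LBA."""

    def __init__(self, n_data, n_blocks, deterministic_trim=True):
        self.data = [Drive(n_blocks, deterministic_trim) for _ in range(n_data)]
        self.parity = Drive(n_blocks, deterministic_trim)

    def write_stripe(self, lba, chunks):
        for drive, chunk in zip(self.data, chunks):
            drive.write(lba, chunk)
        self.parity.write(lba, xor_parity(chunks))

    def trim_stripe(self, lba):
        """The step the post describes: TRIM the data drives, then compute the
        parity of null (all-zero) data and write it to the parity drive."""
        for drive in self.data:
            drive.trim(lba)
        null_stripe = [bytes(CHUNK)] * len(self.data)
        self.parity.write(lba, xor_parity(null_stripe))

    def parity_consistent(self, lba):
        """A scrub check: does the stored parity match the data actually read back?"""
        return xor_parity([d.read(lba) for d in self.data]) == self.parity.read(lba)
```

With zero-reading drives the scrub passes after the TRIM; with the non-compliant drive model the data drives return the old contents while the parity drive holds the parity of zeros, and the scrub reports a mismatch, which is exactly the inconsistency the read-zeros rule is there to prevent.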
Even this interpretation is misleading. What actually occurred was that total renewable electrical energy generated in Scotland exceeded half of electrical energy consumed.
Scotland does not have indigenous demand sufficient to consume its electricity generation; about 35% of its electricity generation is exported to England. About 2% of electricity demand is imported from England during periods of low wind generation.
100GBase-ZR achieves its 120 Gbps line rate by using a complex modulation scheme to encode 3 bits per symbol. 2 bits are transmitted using QPSK and 1 bit is transmitted by choosing either horizontal or vertical polarization.
The issue with long-haul transmission is that you only have a limited bandwidth available which works with optical amplifiers and avoids the water "dip". It's common to use DWDM techniques to cram multiple individual streams onto a single fiber. This yields just under 100 usable channels of 50 GHz bandwidth. The advantage of Juniper's proprietary "100GBase-ZR" protocol is that it needs only just over 40 GHz of bandwidth, so fits into a single channel.
The technology described in the article is about a new type of VCSEL laser diode. These have been widely used as transmission elements, but have traditionally had limited on-off bandwidth, hence early 10 Gbps transceivers often used much more expensive lasers such as Fabry-Perot lasers, and devices operating on 25 Gbps lanes have resorted to the even more expensive Mach-Zehnder optical modulators. VCSELs are easy to fabricate and cheap, hence if a simple On-Off modulation is sufficient then they are ideal (not to mention that carrier-switched modulation is easy to demodulate, unlike the nightmare which is DP-QPSK). The disadvantage with OOK is that the bandwidth equals the symbol rate, so 50 Gbps OOK would not fit into a single 50 GHz channel with guard bands, and would require a larger channel allocation on a trunk fiber.
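The bits-per-symbol arithmetic in the three comments above, as an added example that is not part of the original posts: a mapper that packs three bits into each symbol (one polarisation bit plus two QPSK bits, as the first comment describes), a hard-decision demapper, and the symbol-rate and channel-fit comparison against OOK. The Gray-coded constellation, the bounded noise model and the 5 GHz guard-band figure are constructed assumptions, not values from the posts.

```python
import random

# Constructed Gray-coded QPSK constellation: two bits -> one of four phases.
QPSK = {(0, 0): 1 + 1j, (0, 1): -1 + 1j, (1, 1): -1 - 1j, (1, 0): 1 - 1j}
QPSK_INV = {point: bits for bits, point in QPSK.items()}
POLARISATION = {0: "H", 1: "V"}
POLARISATION_INV = {"H": 0, "V": 1}
BITS_PER_SYMBOL = 3  # 1 polarisation bit + 2 QPSK bits, per the first comment


def modulate(bits):
    """Group bits in threes: first bit picks polarisation, next two the QPSK phase."""
    if len(bits) % BITS_PER_SYMBOL:
        raise ValueError("bit count must be a multiple of 3")
    symbols = []
    for i in range(0, len(bits), BITS_PER_SYMBOL):
        pol, b1, b2 = bits[i:i + BITS_PER_SYMBOL]
        symbols.append((POLARISATION[pol], QPSK[(b1, b2)]))
    return symbols


def add_noise(symbols, spread=0.3, seed=7):
    """Constructed channel impairment: bounded additive noise on each point."""
    rng = random.Random(seed)
    return [(pol, point + complex(rng.uniform(-spread, spread), rng.uniform(-spread, spread)))
            for pol, point in symbols]


def demodulate(symbols):
    """Hard decision by quadrant, then invert both maps."""
    bits = []
    for pol, point in symbols:
        decided = complex(1 if point.real >= 0 else -1, 1 if point.imag >= 0 else -1)
        bits.append(POLARISATION_INV[pol])
        bits.extend(QPSK_INV[decided])
    return bits


def symbol_rate_hz(line_rate_bps, bits_per_symbol):
    """120 Gbps at 3 bits/symbol gives 40 Gbaud; 50 Gbps OOK gives 50 Gbaud."""
    return line_rate_bps / bits_per_symbol


def fits_dwdm_channel(symbol_rate, channel_hz=50e9, guard_hz=5e9):
    """Assumes, as the post does for OOK, occupied bandwidth ~ symbol rate;
    the guard band width is an assumed figure."""
    return symbol_rate <= channel_hz - guard_hz
```

The round trip survives the noise because decisions are made per quadrant, and the rate functions reproduce the comparison in the posts: the 3-bit scheme needs a 40 Gbaud symbol stream that fits a 50 GHz DWDM slot with room for guard bands, while 50 Gbps OOK does not.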
But that wouldn't really achieve much. The main feature of Slysoft's solution was not the software itself (which is certainly impressive) but the fact that they would update the software with new encryption keys every few weeks, often within days of a new encryption key being used.
AACS has a huge inventory of keys which can be used. Slysoft had managed to find an exploit in either a hardware or software player, which allowed them to extract the key when a newly released disc requested a previously unknown key ID.
Consider that the whole purpose of touch ID on the affected devices is to enable "apple pay", and apple pay works by storing a private key with authority to authorize payments from your bank account into the secure enclave. To make a payment, you re-verify fingerprint, which authorizes the secure enclave to sign a transaction message.
Because the finger print sensor is intended to communicate with the secure enclave, it is a potential avenue for attack; replay attack, fuzzing attacks on the secure enclave software, power/time cryptanalytic attacks, etc. Given the high value of the keys stored in the secure enclave, the latest version of the OS software is designed to fail even to boot if it detects a failure of pairing.
Earlier versions of the OS software would run with a mis-paired sensor, but apple pay would fail to work. The latest software update recognises that hardware attacks on the secure enclave might be possible, and pro-actively locks down the entire device if it detects a potential tamper attempt.
I agree. Think of it this way, Apple are trying to push Apple pay which makes use of the system security provided by the fingerprint scanner (the private keys for apple pay are split between the fingerprint scanner chip and the crypto engine chip on the motherboard, so that compromising one chip doesn't reveal the whole key).
At present, the OS will disable apple pay when it finds that the finger print scanner fails to negotiate key exchange correctly; this potentially ends up with a tech support call to apple, or a social media posting saying, "why does my apple pay keep screwing up?".
Now consider what happens when there are a large number of field-repaired phones with knock-off fingerprint scanners. They appear to work fine, but some features are broken in subtle ways. The customer is confused; they may not relate it to the repair they had done; it creates an impression of an unreliable product and an expensive customer support nightmare. Clearly, apple want to stop this before it becomes endemic.
With the OS doing a full power-on self test on the security infrastructure, such a fault would be detected at the first reboot after the damage occurred, or after a repair using an incorrect part was performed. The security failure can now be easily attributed to the damage/repair, even by users of social media and journalists. This ensures that repairers don't perform half-assed repair jobs which can lead to incomplete or faulty operation (on what is marketed as a premium product).
The detection was always present, but the aftermarket sensor exploited a security vuln in the bus protocol.
That vuln was patched in the latest firmware update.
I guess that in that region, the legislation doesn't allow the utility to charge the customer the capital costs of new capacity. In the UK, the utility can charge the customer the capital costs of a network upgrade (on a pro-rata basis - e.g. if a network provider chooses to replace a 10 MW transformer with a 20 MW transformer in order to service a new 5 MW customer, then they can bill the customer for 50% of the capital costs prior to agreeing the connection).
We had this issue recently at the hospital where I work. The hospital had a single (non-redundant) 2 MW supply, which was at breaking point (in fact it did break), to the point that in Summer the buildings manager turned off all the AC on campus, except that necessary to prevent overheating of critical care areas. Even then, it was necessary to curtail use of big power hogs like CT and MRI scanners.
The hospital wanted an upgrade to 4 MW, but also wanted dual redundancy. They ended up having to pay for 6 MW of network upgrades (2 MW upgrade + 4 MW of redundant network provision).
GPS is not a particularly stable frequency reference over the short term due to atmospheric distortions and various other noise sources. However, over the long-term it is outstanding.
The normal process is to use a very high quality short-term stable oscillator, e.g. a temperature controlled quartz crystal oscillator - but discipline it to the long-term stable GPS signal. Over periods of hours to days, the quartz oscillator can drift in frequency due to aging, shifts in environmental factors which affect the regulated temperature, etc. By averaging the deviation of the local oscillator from the GPS reference over a suitable period, and gradually tuning the local oscillator to null that error, you can get a frequency with the short-term stability of top-quality quartz, with the long-term stability of GPS.
A similar principle is used with atomic clocks - the atomic reference is used to discipline a good quality quartz oscillator. However, the long term stability of rubidium clocks is several orders of magnitude worse than GPS, hence it is common to find many capable of being disciplined by GPS, or an alternative very high stability atomic source (such as a caesium clock, or hydrogen maser).
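The disciplining loop described above, as an added simulation that is not part of the original post: a quartz oscillator with aging drift, slow thermal wander and small short-term noise, compared every second against a GPS reference that is unbiased but noisy in the short term; the deviation is averaged over a window and the oscillator is steered by a fraction of that average. All numbers (drift rate, noise levels, window length, loop gain, the use of parts-per-billion units) are constructed for the illustration and are not from the post or from any real receiver.

```python
import math
import random


def simulate(seconds=20000, window=300, gain=0.8, seed=1, disciplined=True):
    """Return the true frequency error (ppb) of the local oscillator each second.

    Constructed model: the quartz has aging drift (0.01 ppb/s), a 2 ppb thermal
    wander with a one-hour period, and 0.05 ppb white noise (good short-term
    stability). The GPS comparison is unbiased but has 5 ppb white noise (poor
    short-term stability). Disciplining averages the comparison over `window`
    seconds and then steers the oscillator by `gain` times the averaged error.
    """
    rng = random.Random(seed)
    tune = 0.0        # steering correction currently applied to the quartz (ppb)
    samples = []      # GPS comparisons collected since the last steering update
    true_err = []
    for t in range(seconds):
        quartz = 0.01 * t + 2.0 * math.sin(2 * math.pi * t / 3600) + rng.gauss(0, 0.05)
        err = quartz + tune
        true_err.append(err)
        if disciplined:
            samples.append(err + rng.gauss(0, 5.0))  # noisy comparison against GPS
            if len(samples) == window:
                tune -= gain * (sum(samples) / window)
                samples.clear()
    return true_err


def rms(values):
    return math.sqrt(sum(v * v for v in values) / len(values))


def compare(seconds=20000):
    """RMS frequency error over the second half of the run: free-running vs disciplined."""
    free = simulate(seconds, disciplined=False)
    disc = simulate(seconds, disciplined=True)
    half = seconds // 2
    return rms(free[half:]), rms(disc[half:])
```

Left alone, the modelled quartz wanders off by well over 100 ppb as its aging accumulates; disciplined, it settles to a few ppb of residual error, which is far better than either source alone would give second to second, because the averaging window suppresses the GPS noise while the steering removes the quartz drift. A shorter window or higher gain lets GPS noise through; a longer one lets the quartz drift further between corrections, which is the trade the post's "suitable period" refers to.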
Indeed, the £92.50/MWh is certainly fairly generous, but in reality, even new-build CCGT is expected to have a levelised cost of energy in the UK in the region of £70-80/MWh depending on assumptions about load factor and price of gas/carbon taxation.
That said, the contract for difference method of subsidy has the advantage that there is no up-front cost for the taxpayer; the taxpayer only pays based upon performance. The CfD expiry date is scheduled 35 years from the date of expected start of commercial operation. In the event of construction delays, such as the clusterfucks in Finland and France, then the expiry date should remain fixed.
The advantage of this method over things such as direct cash subsidies or loan guarantees is that the taxpayer is protected from all construction and engineering risk.
In addition, the government is trying to change the CfD arrangement for new low-carbon build. Up to now, the agreement has been a fixed price tariff - £155/MWh for offshore wind, and £100/MWh for onshore wind. From this year, the CfDs are awarded on a competitive basis, so construction firms bid at auction for the CfD, and the lowest strike price gets the CfD.
I fully expect that for any additional nuclear build, there may be an element of competition in the application process, particularly as there are several consortia who have expressed a strong interest.
The company did have a lockout procedure and a "permit to work" procedure. The problem was that there were two different companies working on the same site and they failed to have a proper protocol when one needed the other to disconnect power.
The facility had a single power feed, and the routine maintenance and supervision of the electrical system in the building was outsourced to a building management company. The provision of a second supply and associated switching system was being performed by a specialist electrical contractor.
The time came to disconnect the IT loads from the incumbent single-feed switchboard and connect them to the dual-feed switchboard during a period of scheduled downtime. The building management contractor issued a "permit to work" to a cable jointer to disconnect a sub-switchboard from the main supply and connect it to the new dual-feed switchboard; the permit certified that the main supply had been turned off and locked out, and would only be unlocked upon return of the permit.
The original plan had been to connect the IT loads first, then connect power to the new switchboard. However, because of a specification error when procuring the switchboard, it had been modified on-site, and following modification required live testing prior to connection of any IT equipment. As a result, it had already been connected to both the existing supply (under the management of the facilities management company), and also to the new supply (which had not yet been handed over, and remained under the control of the installing contractor), before any outgoing cables were connected.
While the building management company had disconnected the building's main supply and locked it off prior to issuing the permit to work on the switchboard, they had failed to contact the contractor handling the 2nd supply and failed to ensure that the 2nd supply was also locked out. As a result, when the cable jointer set to work, the switchboard was still energised by the 2nd supply. Although the connections that the jointer was working on were dead and isolated by a switch in the switchboard, as the switchboard was open, he accidentally contacted the busbars fed from the 2nd supply and was electrocuted.
Emergency core cooling, formally known as the passive residual heat removal system (PRHR) is provided by a gravity pumped heat exchanger which transmits heat from the reactor coolant into a 1 million litre refuelling water tank in the containment building. To initiate passive cooling, there are 2 parallel valves which hold the circuit closed, each capable of providing 100% of necessary flow. The valves are dual-activated (DC electrical and pneumatic). They fail open under spring tension in the event of failure of the control signal.
In the event that both PRHR valves fail to open, then the reactor circuit will be vented into the containment building (simulating a pipe break). This will cause the reactor circuit to lose coolant and trigger the emergency cold coolant injection systems. A series of gas-charged hydraulic accumulator tanks discharge in sequence into the reactor to ensure it remains full of water, while steam is allowed to vent through pressure relief valves. Each stage of coolant injection has two fully independent dual redundant trains, with the key valves being dual redundant, dual-activated and fail-open within each train. This culminates with valves connecting the reactor coolant system and the refuelling tank together opening, providing 1 million litres of additional coolant capacity.
After about 24 hours (or sooner in the event of a large pipe break) coolant injection is complete, the reactor is fully de-pressurised and the circuit is fully open to the containment building. The refuelling tank will have been drained, either through a pipe break (or manually) and the water will completely submerge the reactor and its associated piping. The decay heat from the core can then escape via the reactor vessel walls and pipes into the water flooding the containment.
The core injection systems are sufficiently powerful that a clean rupture of a 25 mm diameter pipe will not result in the water level dropping below the top of the core at any time. In the event of a large pipe break (e.g. a clean rupture of a 350 mm PRHR pipe), temporary uncovering of the reactor core is possible, and this may result in overheating and damage to the fuel. However, because of the very high capacity of the coolant pressurizer and coolant injection tanks/accumulators, the temperature rise is brief and below the level at which the fuel rod cladding is expected to fail or produce hydrogen. As is conventional for nuclear pipework, the pipes are built in such a way that they are intended to leak long before rupture, so a clean rupture would be a rare event.
The AP1000 has a number of on-site and internal reserve water tanks, holding close to 1 million gallons of demineralized water.
The plant has several electric pumps capable of transferring water from the bulk tanks to the containment cooling system, which could be connected to portable generators in a serious emergency. The plant also has multiple connection ports for portable pumps allowing water to be transferred into the containment cooling system from the bulk tanks or from fire engines/water tankers.
As the containment cooling tanks are at atmospheric pressure, only low pressure pumps are required, unlike at Fukushima where emergency response teams were trying to use pumps to inject water into the reactors at dozens of atmospheres of pressure.
The AP1000 has 72 hours of decay heat removal capability in the event of total loss of onsite power. If no action is taken to replenish cooling water, then decay heat would cause overheating and overpressure of the containment building and require venting of the containment building to the atmosphere. Radioactivity release from such venting is likely to be low unless meltdown or fuel damage has already occurred. Due to the large inventory of water within the containment building, decay heat is unlikely to result in meltdown for many days following the exhaustion of the containment cooling water.
In order to ensure integrity of the containment, additional cold water would need to be pumped into the containment building roof tank within 72 hours. This could be by restoration of the electrical supply, use of diesel powered water pumps held on site, use of portable water pumps held near site, or by use of fire pumps.
The ESBWR, which is the main competitor to the AP1000, meets the Gen3+ requirement of 72 hours of decay heat removal without operator intervention. Like the AP1000, no diesel or grid power is necessary to meet this requirement. Like the AP1000, the ESBWR has 2(N+1) redundant UPS systems with 72 hours of battery autonomy for shutdown control and monitoring equipment. However, the ESBWR has a 7 day reserve of cold water for containment cooling. In the event of operator inaction, the UPS batteries will deplete after approximately 72 hours, but passive containment cooling will continue for up to 7 days before water tanks would need to be replenished.
Except we're not talking about complex security models such as role-based access, split encryption keys, external audits and pen-tests.
This is the most basic level of security: failure to validate user input, and the continued use of dynamic SQL statements rather than prepared statements - something which is a trivial code modification.
Storing customers' bank/credit card details in the web-facing application database (as opposed to communicating them to a payment application/processor or separate internal system) - something which is just totally inept design.
Beyond that, it is clear that they don't make use of good development practice. A quick look at the source for their web site shows stuff like inline CSS, comments all over the place, IFRAMES, etc. All that sort of stuff indicates that they don't have adequate code standards, they are unlikely to be using a version control system, and they have no idea what an XSS vulnerability is.
Finally, it is obvious that the communication between their IT department and CEO is sorely lacking. This is the 3rd time they have been hacked and suffered a major data breach. It is clear that they learned nothing the first 2 occasions. The CEO made a public media statement saying that she did not know if customer details, passwords or banking details were stored in an encrypted form, and did not know how long it would take to find out (it's hard to believe that the CEO could not have asked the CTO, or that the CTO wouldn't know, or be able to find out). Moreover, the advice to customers given via the media has also been incorrect (e.g. Q: How do I know if an e-mail purporting to be from TalkTalk is genuine? Check the "from" address shown in your e-mail software. If it is genuine it would be a talktalk address.)
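An added example, not from the original post and not TalkTalk's code, of the two points made above about dynamic SQL versus prepared statements and input validation. It uses Python's standard sqlite3 module against a constructed in-memory users table (two invented rows); the login functions, table layout and the allowlist pattern are assumptions for illustration only.

```python
import re
import sqlite3

# Constructed sample data for the demo: two users with made-up hash values.
SAMPLE_USERS = [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")]


def make_db():
    """Build an in-memory database holding the constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_dynamic_sql(conn, username, password_hash):
    """VULNERABLE: untrusted input is spliced into the SQL text.

    A username such as  alice' --  closes the quoted literal and comments
    out the password check; ' OR '1'='1 in both fields returns every row.
    """
    sql = (
        "SELECT username FROM users WHERE username = '%s' "
        "AND password_hash = '%s' ORDER BY username" % (username, password_hash)
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_prepared(conn, username, password_hash):
    """HARDENED: the same query as a prepared statement with bound parameters.

    The statement text is fixed; the driver passes the values separately, so
    quotes and comment markers inside the input are just data, never SQL.
    """
    sql = (
        "SELECT username FROM users WHERE username = ? "
        "AND password_hash = ? ORDER BY username"
    )
    return [row[0] for row in conn.execute(sql, (username, password_hash)).fetchall()]


# Assumed allowlist for this demo: 1-32 chars of letters, digits, '_', '.', '-'.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")


def validate_username(username):
    """Defence in depth: reject usernames outside the allowlist.

    Validation alone is not the fix (the hashed password field cannot be
    allowlisted the same way), but it rejects the injection payloads early.
    """
    return USERNAME_RE.fullmatch(username) is not None


def login(conn, username, password_hash):
    """Validated input plus a prepared statement: the combination the post asks for."""
    if not validate_username(username):
        return []
    return login_prepared(conn, username, password_hash)


if __name__ == "__main__":
    db = make_db()
    # Authentication bypass: the comment marker removes the password check.
    print(login_dynamic_sql(db, "alice' --", "wrong"))      # ['alice']
    print(login_prepared(db, "alice' --", "wrong"))         # []
    # Data dump: tautology in both fields returns the whole table.
    print(login_dynamic_sql(db, "' OR '1'='1", "' OR '1'='1"))  # ['alice', 'bob']
    print(login(db, "' OR '1'='1", "' OR '1'='1"))              # []
    # The legitimate path still works through the hardened function.
    print(login(db, "alice", "hash-of-alice-pw"))           # ['alice']
```

The vulnerable and hardened functions run the same query text; the only difference is whether the values travel inside the SQL string or as bound parameters, which is why the post calls the change trivial. sqlite3 refuses stacked statements in `execute()`, so the demo uses comment and tautology payloads rather than a `; DROP TABLE` style one.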