There is a category of robot deployment where the standard safety analysis does not apply. Not because the risks are lower, but because the fundamental assumption of most robot safety work — that a human can intervene when things go wrong — is false.

Inside the containment vessels of the Fukushima Daiichi nuclear plant, at the bottom of deep ocean trenches, and in low Earth orbit, robots operate in environments where human rescue is impossible. If the robot fails, it stays where it failed. Its mission ends. And in some cases, its carcass becomes a new obstacle for the next robot sent to do the same job.

These are the environments where embodied AI failure is not a recoverable event. It is permanent.

Fukushima: two hours to live

On March 11, 2011, a magnitude 9.0 earthquake and subsequent tsunami caused three reactor meltdowns at the Fukushima Daiichi Nuclear Power Plant. The resulting nuclear disaster created the most hostile environment for robot operation on Earth: the interior of the containment vessels where molten nuclear fuel (corium) had settled, surrounded by radiation fields exceeding 500 sieverts per hour — a dose that would kill a human in minutes and degrades electronics in hours.

In March 2017, TEPCO (Tokyo Electric Power Company) deployed a robot named Scorpion, developed by Toshiba, into the Unit 2 containment vessel. The robot’s mission was to locate and assess the corium — the melted fuel that had burned through the reactor pressure vessel and collected at the bottom of the primary containment. Understanding the location and condition of this material is essential for eventual decommissioning, a process expected to take 30 to 40 years [1].

Scorpion was designed for the environment: a compact, articulated robot that could navigate through a narrow access pipe and then unfold to traverse the metal grating inside the containment vessel. Its operational plan called for a 10-hour survey mission.

It lasted approximately two hours.

The radiation inside the containment vessel was measured at an estimated 650 sieverts per hour — higher than pre-deployment models predicted. The robot’s camera began to degrade almost immediately, producing increasingly noisy and distorted images. The tracks that provided locomotion on the metal grating became fouled by accumulated debris — material that had not been visible in prior remote camera surveys. The control cable, which provided power and communication (wireless was impossible through the steel and concrete containment structure), became snagged [1][2].

Approximately two hours into the mission, operators lost the ability to control the robot. Scorpion was abandoned in place, inside the containment vessel, joining the growing collection of robot carcasses that litter the interior of the damaged reactors. It was not the first robot lost inside Fukushima — multiple previous reconnaissance and sampling robots had been similarly disabled or abandoned across all three damaged units.

The corium was not fully mapped. The decommissioning timeline did not change. Another robot would have to be designed, built, and deployed to try again.

The deep ocean: implosion at depth

The ocean presents a different class of extreme environment. At the bottom of deep ocean trenches, pressures exceed 1,000 atmospheres. Temperatures near hydrothermal vents can exceed 400 degrees Celsius. There is no light. Communication is limited to acoustic signals that travel slowly and degrade unpredictably. And the nearest human assistance is, at minimum, several hours of ascent away.

May 2014, Kermadec Trench. The Nereus, a hybrid remotely operated vehicle (HROV) built by the Woods Hole Oceanographic Institution, was conducting research at a depth of approximately 9,990 meters in the Kermadec Trench north of New Zealand. The vehicle imploded. Pieces of debris floated to the surface, confirming the loss. Nereus was one of only a handful of vehicles ever built capable of reaching full ocean depth, and its loss represented years of engineering and millions of dollars in investment. The cause was assessed as a catastrophic failure of the vehicle’s pressure housing — the environment literally crushed the robot [3].

March 2014, Cayman Islands. An autonomous underwater vehicle (AUV) being operated by researchers from the University of Delaware became wedged in a submarine limestone cave system. Strong and unpredictable currents pushed the vehicle into a crevice from which it could not extract itself. The AUV’s autonomous navigation algorithms were designed for open-water operations and lacked the capability to handle the complex, confined geometry of a cave environment where currents could change direction and intensity within meters [4].

In both cases, the failure was permanent. Nereus was destroyed. The cave-wedged AUV was not recovered. There was no repair, no reboot, no second attempt with the same hardware.

Low Earth orbit: punctured by invisible debris

The International Space Station orbits Earth at approximately 400 kilometers altitude, traveling at 7.7 kilometers per second. At that velocity, even small objects carry enormous kinetic energy. A paint fleck can pit a window. A bolt can puncture a hull.

May 2021, ISS. The Canadian Space Agency’s Canadarm2 — a 17-meter robotic arm used to grapple visiting spacecraft, move equipment, and support spacewalks — was struck by a piece of orbital debris. The impact punched a hole clean through one of the arm’s thermal blanket-wrapped boom sections. Post-impact assessment confirmed the breach but determined that the arm’s overall structural integrity and functionality were not critically compromised. Canadarm2 continued operating [5].

The incident was, in one sense, a success story: the arm survived. But it illustrates the environment. Canadarm2 cannot dodge debris because the debris is often too small to track and too fast to evade. The arm has no self-repair capability. If the impact had struck a joint actuator, a data cable, or a critical structural member rather than a boom section, the arm’s operational capability could have been permanently degraded — and replacing a 17-meter robotic arm in orbit is not a straightforward maintenance task.

The orbital debris environment is worsening. As of 2025, there are an estimated 36,500 tracked objects larger than 10 centimeters in orbit, over a million objects between 1 and 10 centimeters, and over 130 million objects between 1 millimeter and 1 centimeter. Each one is traveling at orbital velocity. For robotic systems operating on the exterior of the ISS — including Canadarm2, the Dextre manipulator, and various experiment platforms — this is not a risk that can be engineered away. It is a statistical certainty that impacts will occur. The only question is where and how severe.

The common pattern

These incidents span three domains — nuclear, ocean, space — but they share a structural pattern that is relevant to embodied AI safety analysis:

1. The environment degrades the robot faster than the robot can complete its mission. Scorpion’s cameras failed in two hours inside a containment vessel designed for a 10-hour survey. Nereus imploded at depth. Canadarm2 was punctured by debris it could not detect. In each case, the environment was actively destroying the robot during operation. The race between mission completion and hardware degradation is the defining characteristic of extreme-environment robotics.

2. Pre-deployment models underestimate environmental hostility. Scorpion’s designers estimated radiation levels based on remote measurements and physical models. The actual radiation was significantly higher. The Cayman AUV’s navigation algorithms were designed for open water, not cave currents. In extreme environments, the gap between the model and reality is often discovered only when the robot enters the environment and begins to fail.

3. No recovery is possible. This is the feature that distinguishes extreme environments from all other deployment contexts. When a warehouse robot breaks down, a technician fixes it. When a surgical robot malfunctions, the surgeon takes over. When Scorpion fails inside a nuclear containment vessel, it becomes permanent debris in an area that humans cannot enter for decades. The failure is not an incident to be investigated and corrected. It is a geological-timescale addition to the problem.

4. Each failed robot complicates the next attempt. Scorpion’s carcass and control cable are now additional obstacles inside the containment vessel. The next robot must navigate not only the original debris field but also the remains of previous failed robots. In the Fukushima context, the accumulation of abandoned robots has been explicitly noted as a complicating factor for subsequent missions. Failure begets difficulty.

What this means for embodied AI safety

Extreme-environment robotics is sometimes treated as a niche concern — specialized applications with specialized solutions, not relevant to the broader embodied AI safety discourse. This is wrong, for two reasons.

First, extreme environments are where robots are most needed and most likely to fail. The entire justification for sending robots into nuclear containment vessels, deep ocean trenches, and space is that humans cannot go there. But the same conditions that make these environments too dangerous for humans also make them too dangerous for robots. The environments that most need robot capability are the environments that most aggressively destroy robot capability.

Second, the extreme-environment failure mode — unrecoverable loss — is migrating into less extreme contexts. As autonomous systems are deployed in remote mining operations, underwater pipeline inspection, wildfire reconnaissance, and deep-space exploration, the assumption that a human can intervene when the robot fails becomes increasingly fictional. A drone surveying an active wildfire cannot be recovered if it fails. An autonomous underwater inspection vehicle at 3,000 meters depth is effectively in an extreme environment. The boundary between “extreme” and “normal” deployment is not a bright line.

The Fukushima robots teach us that environments can exceed our models. The ocean robots teach us that hardware has limits that software cannot overcome. The space robots teach us that some threats are invisible and unavoidable. In all cases, the lesson is the same: when no one is coming to help, the robot must be designed for the assumption that every failure is final.

And right now, robot design has not fully internalized that assumption.

References

  1. McCurry, Justin. “Fukushima nuclear reactor cleanup falters as robot fails.” The Guardian, March 2017. https://www.theguardian.com/environment/2017/mar/02/fukushima-nuclear-cleanup-falters-robot-japan
  2. TEPCO. “Unit 2 Primary Containment Vessel Internal Investigation.” Tokyo Electric Power Company, 2017.
  3. “Loss of Nereus hybrid remotely operated vehicle.” Woods Hole Oceanographic Institution, 2014. https://www.whoi.edu/press-room/news-release/nereus-lost/
  4. “Autonomous underwater vehicle operations in challenging environments.” University of Delaware College of Earth, Ocean, and Environment, 2014.
  5. “Canadarm2 struck by orbital debris.” Canadian Space Agency / NASA, May 2021. https://www.space.com/space-station-robot-arm-orbital-debris-damage

This analysis is part of the Failure-First Embodied AI research program, which studies how embodied AI systems fail — because failure is not an edge case, it is the primary object of study.