Discussing Perrow, Chapters 1 and 2
Presented by Gus Scheidt
Friday the Thirteenth, September 2002
Nuclear Power as a High-Risk System and the Accident at Three Mile Island
Three Mile Island
• Nuclear plant near Harrisburg, Pennsylvania
• March 28, 1979: Unit 2 near meltdown
• The most serious U.S. nuclear accident to date (1984)
• Presented "to convey... the interconnectedness of the system, and the occasion for baffling interactions."
TMI: Summary of Events
• (Failure) The condensate polisher system, part of the secondary cooling system, leaked some water
• (ASD, automatic safety device) Feedwater pumps shut down
• (ASD) Turbines stopped
• (ASD) Emergency feedwater pumps started
• ** Normally the problem would have been solved at this point, but...
TMI: Summary of Events
• (Failure) Valves in the emergency feedwater system had been left closed by maintenance
• (Operator error?) No one noticed the indicator signaling that the valves were closed
• (ASD) Reactor scrammed
• (ASD) PORV (Pilot-Operated Relief Valve) briefly opened
TMI: Summary of Events
• (Failure) PORV failed to close
• (Failure) PORV indicator malfunctioned; operators thought the PORV had closed
• NOTE: We are now only 13 seconds into the accident
TMI: Summary of Events
• (ASD) Two reactor coolant pumps started
• Steam bubbles resulting from the loss of pressure caused false readings
• Pressure readings in the core dropped sharply
• (ASD) HPI (High Pressure Injection) turned on
• (Operator error?) After 2 minutes, operators cut back HPI
TMI as a System Failure
• Pieces of the TMI accident occur elsewhere in the industry, just not all at once
• Reactor (new, complex) engineered by one company; the system for drawing off heat (old, unsophisticated) by another
• Tolerance for some components frighteningly small
• Technology was new; the process was not well understood
TMI as a System Failure
• Parts of the reactor are interdependent
• But not in direct operational sequence
• ** The situation was incomprehensible to the operators working during the accident
• So much is known about the failures at TMI Unit 2 only because of the accident
• Why is this called a "normal" accident?
Nuclear Power as a High-Risk System
• We have not given nuclear power enough time to disclose its disastrous potential
• We don't have enough experience to make a reasonable assessment of the risks
Tools for Examining High-Risk Systems
• Operating Experience
• The Construction Problem
• Safer Designs?
• "Defense in Depth"
• Trivial Events in Nontrivial Systems
• Learning from Our Mistakes
• Fermi
• The Fuel Cycle as a System
Operating Experience
• Varying sizes and types of plants
• Different manufacturers with different designs
• Little industry learning time
• Slow maturation of the industry
The Construction Problem
• Lack of NRC engineers on site
• "The builders can't pour concrete"
• Intimidation of federal inspectors
• Falsified safety inspection documents
• Diablo Canyon: wrong diagrams
Safer Designs?
• Government push for nuclear power adoption
• There are other designs, but they are not significantly less complex, interactive, or tightly coupled
• We likely will not see safer designs in the near future
• Under-utilization of current reactors
• 10+ years to design and build a new facility
"Defense in Depth"
• Containment buildings
• Semi-remote locations
• ECCS (Emergency Core Cooling System)
• Helpful, but the possibility of accidents that evade these defenses still exists
Trivial Events in Nontrivial Systems
• Everyday failures become significant once we add catastrophic potential
• Shirt trips breaker -> scram
• Complex plumbing -> radioactive water in drinking-water systems
• Dropped light bulb -> scram, almost cracked vessel and meltdown
• Faulty indicator -> 9 feet of river water in the containment building
Learning from Our Mistakes
• We don't
• Nuclear Safety reports dozens of accidents, many near meltdown, to show how an "excellent safety record... has been maintained"
• "Two-thirds of the problems... are strikingly similar to ones previously reported."
Fermi
• A safety device (a piece of metal) was dislodged by the coolant and blocked the flow of the coolant
• Illustrates some of the principles in the book:
• The problem originated with a safety device
• Poor design and negligent construction
• No clear procedure to follow
• Those attached to high-risk systems can be uncommonly cheerful about failures
The Fuel Cycle as a System
• Mining uranium ore
• Processing ore into fuel
• Burning it in reactors
• Disposing of the many kinds of waste
• All involve serious hazards
Conclusion
• Design, construction, and operating problems do not, in themselves, cause system accidents
• Rather, it is the potential for unexpected interactions of small failures that makes the system prone to accidents
Discussion
• How do software systems, or the software components of systems, compare to TMI?
• How does TMI compare to Guam?
• Given Guam and TMI, can we hypothesize some failure paradigms?