Normal Accident at Three Mile Island
(picture by American Nuclear Agency)
Understanding Normal Accidents in Complex Systems
Despite efforts to prevent accidents through training, equipment improvements, and design modifications, certainaccidents are inherent to complex and tightly coupled systems and cannot be entirely prevented. Such accidents are especially problematic in high-risk systems like nuclear power plants.
These so-called normal accidents have four keycharacteristics:
1. signals which provide warnings only in retrospect, making prevention difficult,
2. multiple failures,
3. operator errors, and
4. negative synergy.
Reluctance to Acknowledge Normal Accidents
Beside unique ‘Acts of God’ and accidents with a single, identifiable failure, accidents stemming from risks that can bequantified can be distinguished. The last category - calculatedrisk accidents -, despite being potentially manageable, oftenface resistance due to various organizational interests and concerns about interrupting services. Managing normalaccidents in complex systems is challenging, particularly in the context of nuclear power. System owners and operators are reluctant to acknowledge the possibility of normal accidentsdue to liability concerns.
A Loss of Coolant Accident at Three Mile Island
One of the organization’s members at Three Mile Island dismissively responded to concerns about an engineering memo, leading to confusion about the seriousness of certainissues. Operators at TMI did not follow the High-PressureInjection system instructions during the accident, making thesituation worse. Warnings and communications within theorganization were insufficient, and there was a failure toprioritize crucial safety information. Equipment failuresduring the TMI accident included the malfunctioning of a pilot-operated relief valve and issues with computer printouts, instrumentation, and safety systems. These equipment failureswere not unique to TMI and had occurred at other plants as well. In the TMI incident, operator errors also played a role, e.g. valves were left in the wrong position, but this could notbe solely attributed to operator deficiencies. Judgment errorsmade by operators were challenging to analyze, as they oftenbecame apparent only in hindsight. The context in which these judgments were made, the lack of information, and organizational routines played a role in these errors.
Dealing with warnings and reports in complex systems like nuclear plants is challenging, because operators cannot easilyprocess and act on numerous reports and instructions. Whiletightly coupled systems encourage normal accidents, looselycoupled systems muffle warnings. Even with tightercommunication, the immense complexity of the nuclearindustry could overwhelm the system. Recognizing and responding to unprecedented or highly unlikely events is difficult, as such events are often deemed inconceivable and, therefore, not believed or acted upon until after they occur. Operator errors, equipment failures, and organizationalshortcomings – all present in the TMI example - are part of thenormal challenges faced by complex industrial systems.
Challenges and complexities of dealing with nuclearaccidents
It's often challenging to determine the type of nuclear accident one is facing, and the right course of action may not beimmediately clear. New instructions and procedures tend topromote a more conservative approach, sometimes at the risk of overreacting rather than accurately assessing the situation.Operators may misinterpret data, readings, and signals duringan accident, which can lead to incorrect decisions and actions. This can include misinterpreting temperature indicators and other key data.
Information about core damage and other critical events maynot be communicated promptly to key personnel, delaying theresponse to the accident. The decision to vent radioactivegases during the accident was made under uncertainty and with a lack of trust in backup safety systems, leading tosignificant consequences. The complexity of nuclear systems makes it difficult to train operators adequately for all possiblescenarios, especially for accidents that are not "design-based." Normal accidents, which involve multiple failures and unexpected interactions, are challenging to prepare for.
Normal accidents often involve the synergistic effects of multiple failures, which are difficult to predict, prepare for, or prevent. While safety measures can reduce the risk of sometypes of nuclear accidents, they cannot completely eliminatethe risk of normal accidents. So, risk management in nuclearpower should focus on making the risk tolerable rather thanattempting to eliminate it entirely. Alternative, low-risk energy sources, such as conservation, solar energy, and decentralized systems, should be considered as viablealternatives to nuclear power, where the potential for normalaccidents is much lower.
Ref.
Perrow, C. (1981), Normal Accident at Three Mile Island, in: Society 18, pages 17–26 (July 1981).