It is almost inevitable that some combinations of minor failures will eventually amount to something catastrophic
The Three Mile Island accident of 1979 was the most significant accident in the history of the American commercial nuclear power generating industry.
The Three Mile Island accident of 1979 was the most significant accident in the history of the American commercial nuclear power generating industry.
There were no deaths or injuries to plant workers or members of the nearby community which can be attributed to the accident.
Public reaction to the event was probably influenced by at least three factors: first, the release (a few weeks before the accident) of a popular movie called The China Syndrome, concerning an accident at a nuclear reactor; secondly, what was felt to be a lack of official information in the initial phases of the accident; and lastly, many of the statements made by political and social activists long opposed to nuclear power.
Whatever the sources of the local fear and outrage, public reaction to the event is judged by some epidemiologists to have induced stresses in the local population that could have caused adverse health effects.
The accident began on Wednesday, March 28, 1979, and ultimately resulted in a partial core meltdown in Unit 2 of the nuclear power plant (a pressurized water reactor) of the Three Mile Island Nuclear Generating Station in Dauphin County, Pennsylvania near Harrisburg.
***
The conclusion of the President's commission that investigated the Three Mile Island accident was that it was the result of human error, particularly on the part of the plant's operators.
The trouble started with a blockage in what is called the plant's polisher-a kind of giant water filter.
Polisher problems were not unusual, or particularly serious.
But in this case the blockage caused moisture to leak into the plant's air system, inadvertently tripping two valves and shutting down the flow of cold water into the plant's steam generator.
As it happens, Three Mile Island had a backup cooling system for precisely this situation. But on that particular day, for reasons that no one really knows, the valves for the backup system weren't open.
They had been closed, and an indicator in the control room showing they were closed was blocked by a repair tag hanging from a switch above it. That left the reactor dependent on another backup system, a special sort of relief valve.
But, as luck would have it, the relief valve wasn't working properly that day, either. It stuck open when it was supposed to close, and, to make matters even worse, a gauge in the control room which should have told the operators that the relief valve wasn't working was itself not working.
By the time engineers realized what was happening, the reactor had come dangerously close to a meltdown.
Here, in other words, was a major accident caused by five discrete events.
There is no way the engineers in the control room could have known about any of them.
No glaring errors or spectacularly bad decisions were made that exacerbated those events. And all the malfunctions-the blocked polisher, the shut valves, the obscured indicator, the faulty relief valve, and the broken gauge-were in themselves so trivial that individually they would have created no more than a nuisance.
What caused the accident was the way minor events unexpectedly interacted to create a major problem.
***
This kind of disaster is what the Yale University sociologist Charles Perrow has famously called a "normal accident." By "normal" Perrow does not mean that it is frequent; he means that it is the kind of accident one can expect in the normal functioning of a technologically complex operation.
Modern systems, Perrow argues, are made up of thousands of parts, all of which interrelate in ways that are impossible to anticipate.
Given that complexity, he says, it is almost inevitable that some combinations of minor failures will eventually amount to something catastrophic.
In a classic 1984 treatise on accidents, Perrow takes examples of well-known plane crashes, oil spills, chemical-plant explosions, and nuclear-weapons mishaps and shows how many of them are best understood as "normal."
***
Perrow’s observations raise an interesting challenge for the pracitce of risk management.
Is it posssible that there is a type of event that we can expect with absolute certainty as to its occurence if not the timing.
In Perrow’s wordings – a normal accident.
If there is such a beast then doesn’t that challenge our underlying assumptions about the likelihood of a risk event eventuating or more precisely the process by which we currently identify which events should be classified as subject to normal accident or not.
The accident began on Wednesday, March 28, 1979, and ultimately resulted in a partial core meltdown in Unit 2 of the nuclear power plant (a pressurized water reactor) of the Three Mile Island Nuclear Generating Station in Dauphin County, Pennsylvania near Harrisburg.
***
The conclusion of the President's commission that investigated the Three Mile Island accident was that it was the result of human error, particularly on the part of the plant's operators.
The trouble started with a blockage in what is called the plant's polisher-a kind of giant water filter.
Polisher problems were not unusual, or particularly serious.
But in this case the blockage caused moisture to leak into the plant's air system, inadvertently tripping two valves and shutting down the flow of cold water into the plant's steam generator.
As it happens, Three Mile Island had a backup cooling system for precisely this situation. But on that particular day, for reasons that no one really knows, the valves for the backup system weren't open.
They had been closed, and an indicator in the control room showing they were closed was blocked by a repair tag hanging from a switch above it. That left the reactor dependent on another backup system, a special sort of relief valve.
But, as luck would have it, the relief valve wasn't working properly that day, either. It stuck open when it was supposed to close, and, to make matters even worse, a gauge in the control room which should have told the operators that the relief valve wasn't working was itself not working.
By the time engineers realized what was happening, the reactor had come dangerously close to a meltdown.
Here, in other words, was a major accident caused by five discrete events.
There is no way the engineers in the control room could have known about any of them.
No glaring errors or spectacularly bad decisions were made that exacerbated those events. And all the malfunctions-the blocked polisher, the shut valves, the obscured indicator, the faulty relief valve, and the broken gauge-were in themselves so trivial that individually they would have created no more than a nuisance.
What caused the accident was the way minor events unexpectedly interacted to create a major problem.
***
This kind of disaster is what the Yale University sociologist Charles Perrow has famously called a "normal accident." By "normal" Perrow does not mean that it is frequent; he means that it is the kind of accident one can expect in the normal functioning of a technologically complex operation.
Modern systems, Perrow argues, are made up of thousands of parts, all of which interrelate in ways that are impossible to anticipate.
Given that complexity, he says, it is almost inevitable that some combinations of minor failures will eventually amount to something catastrophic.
In a classic 1984 treatise on accidents, Perrow takes examples of well-known plane crashes, oil spills, chemical-plant explosions, and nuclear-weapons mishaps and shows how many of them are best understood as "normal."
***
Perrow’s observations raise an interesting challenge for the pracitce of risk management.
Is it posssible that there is a type of event that we can expect with absolute certainty as to its occurence if not the timing.
In Perrow’s wordings – a normal accident.
If there is such a beast then doesn’t that challenge our underlying assumptions about the likelihood of a risk event eventuating or more precisely the process by which we currently identify which events should be classified as subject to normal accident or not.
0 comments:
Post a Comment