Alarms

Alarm reliability

During an incident at the Davis-Besse 1 nuclear plant on Sept. 24, 1977, the operators were not aware that a critical valve, the PORV, was stuck open. They became aware of it after a while and subsequently solved the problem.

Following this and other similar incidents, the manufacturer added a sensor for testing the state of this valve, and a special indicator to show the state of the PORV in the control room. They added it to all the plants in their production line, including the TMI plant.

Unfortunately, this indicator was not reliable. In the TMI accident, the PORV was stuck open, but the operators relied on the indicator and consequently did not investigate the valve state in depth (Perrow, 1984).

The additional components required to alert about component failure (sensors, algorithms, displays, sound alarms) are not only costly but also risky, because they are themselves liable to fail, providing opportunities for new kinds of incidents (as was the case with the PORV indicator failure in the TMI accident).

Safety indicators are liable to fail, and it is important to notify the operators when this happens and to distinguish the case of component failure from that of indicator failure. The guide recommends adding a secondary indication of failure for each of the primary indicators, and provides tips for adding the secondary indicators without adding to the system complexity, by coding the signals. Typically, when an indicator fails, it stops sending signals to the control unit. Therefore, the most effective way to detect faults in the indicators is to design them so that they always send a signal about the component state, whether the component functions properly or not: silence then means the indicator itself has failed, not that the component is in its normal state.
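As an added illustration (not part of the original guide), the following Python contrasts a silent-when-normal indicator with the always-signal design recommended above, using a stuck-open valve whose indicator later dies; the report period, staleness threshold and scenario timings are assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Tuple

# Assumed timing: the indicator is expected to report once per second;
# a gap longer than 2.5 periods is treated as "no signal".
REPORT_PERIOD_S = 1.0
STALE_AFTER_S = 2.5 * REPORT_PERIOD_S


class Reading(Enum):
    OPEN = "valve open"
    CLOSED = "valve closed"
    INDICATOR_FAULT = "indicator fault (secondary indication)"


@dataclass(frozen=True)
class Report:
    t: float          # time the control unit received the report (seconds)
    valve_open: bool  # component state carried by the report


def naive_reading(reports: Iterable[Report], now: float) -> Reading:
    """Silent-when-normal design: the indicator reports only while the valve
    is open and is quiet otherwise, so the control unit reads silence as
    'closed'. A dead indicator is indistinguishable from a closed valve."""
    recent = [r for r in reports if now - r.t <= STALE_AFTER_S and r.valve_open]
    return Reading.OPEN if recent else Reading.CLOSED


def heartbeat_reading(reports: Iterable[Report], now: float) -> Reading:
    """Always-signal design: the indicator reports the component state every
    REPORT_PERIOD_S whether the valve is open or closed. Silence can then
    only mean the indicator failed, so the secondary indication is raised
    instead of guessing a component state."""
    latest: Optional[Report] = max(reports, key=lambda r: r.t, default=None)
    if latest is None or now - latest.t > STALE_AFTER_S:
        return Reading.INDICATOR_FAULT
    return Reading.OPEN if latest.valve_open else Reading.CLOSED


def stuck_open_then_indicator_dies(now: float) -> Tuple[Reading, Reading]:
    """Constructed scenario: the valve is stuck open from t=0; the indicator
    reports correctly until t=5 s and then stops. Returns (naive, heartbeat)."""
    reports = [Report(t=float(t), valve_open=True) for t in range(0, 6)]
    return naive_reading(reports, now), heartbeat_reading(reports, now)
```

At t=10 s the naive scheme reports the stuck-open valve as closed, while the heartbeat scheme reports an indicator fault.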

Alarm perception

At the time of the incident, the control room was full of alarms, yet the operators did not understand the source of the alarms.

The problem was with the hardware faults, the valves, which were latent. Other, indirect alarms did not provide information about the source of the alarms.

The guide proposes that alarms be specified for all potential hazards, in a way that lets the operators recognize the risky situation in time.

The best way to identify the source of an alarm is by dedicated sensors: the sensor that generates the alarm is thus associated with the source.

Adding sensors to the design increases the system complexity, which might make the system more fault-prone.

The operators become used to relying on the alarms, and might not check for the possibility of misleading alarms (also called "automation addiction").

Guidelines about alarming

Guidelines about the quality of alarms


Updated on 21 Apr 2016.