The hazards triggering this accident were due to hardware failure, namely two valves that were stuck open. The common practice for preventing this kind of fault is to choose components of high reliability.
Guidelines for reliability assurance
We cannot always find components of high reliability. This is especially true of the PORV state indicator, which had to work at high temperatures. This implies that we should focus on early detection of faults.
The guide proposes adding resilience features for indicating hardware faults. Apparently, such indicators were not added to all the valves. In particular, no indicator was added to the valve that controlled the entry of water into the instrument air line.
Guidelines for handling secondary risks
The additional components required to alert about component failure (sensors, algorithms, displays, sound alarms) are not only costly but also risky, because they are themselves liable to fail, providing opportunities for new kinds of incidents (as was the case with the PORV indication failure in the TMI accident).
Guidelines about reducing the system complexity
Detecting faults in the fault indicators
Fault indicators are liable to fail, and it is important to notify the operators when this happens. It is important to distinguish between the case of component failure and that of indicator failure. The guide recommends adding a secondary indication of failure for each of the primary indicators, and provides tips for adding the secondary indicators without adding to the system complexity, by coding. Typically, when an indicator fails, it stops sending signals to the control unit. Therefore, a most effective way to detect faults in the indicators is to design the indicators such that they always send signals about the component state, whether the component functions properly or not; silence, or a signal that is not one of the coded states, then points to the indicator rather than to the component.
Guidelines about detecting faults in the fault indicators
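The always-transmitting, coded indicator described above, as an added example that is not part of the original case study. The state codes, the message period and timeout, the sample streams and the function names are all assumptions; the alarm-only indicator is included for contrast, to show why silence must not be read as "no fault".

```python
"""Added example (not from the original case study): diagnosing component
failure vs indicator failure when the indicator is designed to always
transmit a coded state word. All codes, timing and samples are assumptions."""
from dataclasses import dataclass
from typing import Optional

# Coded state words: each has several bits set, so a dead line (0x00), a
# stuck-high line (0xFF) or a single flipped bit never looks like a valid state.
CODE_OPEN, CODE_CLOSED = 0xA5, 0x5A
PERIOD = 1.0              # seconds between expected indicator messages (assumed)
TIMEOUT = 2.5 * PERIOD    # silence longer than this means the indicator is gone
ALARM = 0x01              # the only word an alarm-only indicator ever sends

@dataclass
class Sample:
    t: float              # time the sample was taken
    code: Optional[int]   # word received, or None if nothing arrived this period

def diagnose(commanded: str, samples: list[Sample], now: float) -> str:
    """Return 'component ok', 'component failed' or 'indicator failed'."""
    received = [s for s in samples if s.code is not None]
    if not received or now - received[-1].t > TIMEOUT:
        return "indicator failed"        # an always-on indicator went silent
    last = received[-1].code
    if last not in (CODE_OPEN, CODE_CLOSED):
        return "indicator failed"        # garbled word or stuck line
    actual = "open" if last == CODE_OPEN else "closed"
    return "component ok" if actual == commanded else "component failed"

def naive_diagnose(samples: list[Sample]) -> str:
    """Alarm-only indicator: it speaks only on fault, so a dead indicator and a
    healthy component both look like silence and are reported as 'ok'."""
    alarmed = any(s.code == ALARM for s in samples if s.code is not None)
    return "component failed" if alarmed else "component ok"

def scenarios() -> dict[str, str]:
    """Constructed sample streams for a valve commanded closed."""
    stuck_open = [Sample(1.0, CODE_OPEN), Sample(2.0, CODE_OPEN)]
    silent = [Sample(1.0, CODE_CLOSED), Sample(2.0, None), Sample(3.0, None),
              Sample(4.0, None)]
    stuck_line = [Sample(1.0, CODE_CLOSED), Sample(2.0, 0xFF)]
    return {
        "stuck open": diagnose("closed", stuck_open, now=2.0),
        "silent indicator": diagnose("closed", silent, now=4.0),
        "stuck line": diagnose("closed", stuck_line, now=2.0),
        # The alarm-only indicator is dead, yet its silence reads as healthy.
        "dead alarm-only indicator": naive_diagnose([]),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:28s} -> {verdict}")
```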
Initially, the system was not designed to alarm on exceptional states of all valves. Following a similar incident at the Davis Besse II installation, a sensor and an indication were added to the design of the PORV. However, the indication was not reliable, leading to a wrong perception of the system situation.
Guidelines for alarm generation
Escalation was prevented by several means, including backup cooling pumps and opening of the PORV in response to the high pressure.
The guide recommends intervention by the supervision unit, which may transfer control from the primary station to the recovery station. This is not demonstrated in this case study.
This case study does not demonstrate any method or guidelines for Recovery facilitation.
The guide recommends intervention by the supervision unit, which may transfer control from the primary station to the recovery station. This is not demonstrated in this case study.
Based on the pressure reading, which seemed to be normal, the operator turned off the auxiliary pump. This would have been the proper action had the pressure reading reflected the real situation. It turns out that, because of the misleading indication, the situation escalated instead of recovering.
The guide recommends intervention by the supervision unit, which may transfer control from the recovery station to the rescue station. This is not demonstrated in this case study.
Updated on 25 Jun 2016.