This dilemma concerns comparing the secondary risks with the original risks (those involved in operating the original system, before the resilience features were added). Secondary risks are rare compared with the original risks, but their hazards are higher.
Choosing between design alternatives
Any solution to a safety problem is liable to introduce new safety problems. For example, if the design includes a means to indicate failure in a system component, then the system is liable to fail because the operators did not notice the indication, or because of a failure in the indication itself.
In the incident at the Davis-Besse-1 nuclear reactor in 1977, after moments of confusion, the operators realized that the PORV was stuck open, and overcame the hazard. Following this and other similar incidents, the manufacturer added a special indicator to show the state of the PORV in the control room. Unfortunately, this indicator was not reliable. In the TMI accident, the PORV was stuck open, the operators relied on the indicator, and consequently they did not investigate the valve state in depth (Perrow, 1984).
It is a major design concern and challenge to identify the risks imposed by resilience features, and to evaluate the marginal resilience level obtained.
Adding sensors to the design increases the system complexity, which might make the system more fault-prone. The operators become used to relying on the alarms, and might not check for the possibility of misleading alarms (also called
Hazard indicators should be tested regularly, to verify that they can generate alarms when needed.
Updated on 25 Mar 2017.