Secondary risks are rare compared with original risks, but their costs might be higher.
Choosing between design alternatives
Any solution to a safety problem is liable to introduce new safety problems. For example, if the design includes a means to indicate failure in a system component, then the system is liable to fail either because the operators did not notice the indication, or due to failure in the indication itself.
Following an incident in the operation of the Davis Besse II nuclear power plant, the manufacturer added an indicator to the PORV to inform the operators when it was stuck open. In the TMI installation, the PORV was equipped with this indicator, and the operators relied on it. However, in the famous TMI incident, this indicator failed to provide the indication. Because the operators relied on it, they failed to notice that the PORV was stuck open.
It is a major design concern and challenge to identify the risks imposed by resilience features, and to evaluate the marginal resilience level obtained.
Adding sensors to the design increases the system complexity, which might make the system more fault-prone.
The operators become used to relying on the alarms, and might not check for the possibility of misleading alarms (also called "automation addiction").
Hazard indicators should be tested regularly, to verify that they can generate alarms when needed.
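The two points above (evaluating the marginal resilience an indicator buys, and testing it regularly) can be put into a small probabilistic model. This is a constructed example added here, not code or data from the original page; all probabilities, the failure rate, and the test interval are assumed values, and the indicator's fault probability uses the standard lambda*T/2 approximation for a periodically tested component.

```python
from dataclasses import dataclass


@dataclass
class IndicatorDesign:
    # All values are constructed for illustration, not measured data.
    p_fault: float            # P(component fails, e.g. a PORV sticks open)
    p_indicator_fault: float  # P(no indication | component fault)
    p_notice_alarm: float     # P(operators act on a correct indication)
    p_manual_detect: float    # P(operators find the fault by other means)
    p_cross_check: float      # P(operators still check when the indicator is silent)


def indicator_fault_probability(lambda_per_hour: float, test_interval_hours: float) -> float:
    """Average probability that a periodically tested indicator is in an undetected
    failed state when demanded: the standard lambda*T/2 approximation (lambda*T << 1)."""
    return lambda_per_hour * test_interval_hours / 2


def p_undetected_without_indicator(d: IndicatorDesign) -> float:
    return d.p_fault * (1 - d.p_manual_detect)


def p_undetected_with_indicator(d: IndicatorDesign) -> float:
    # Indication present: missed only if operators ignore it and also miss it manually.
    shown = (1 - d.p_indicator_fault) * (1 - d.p_notice_alarm) * (1 - d.p_manual_detect)
    # Indication absent (the secondary risk): found only if operators cross-check anyway.
    silent = d.p_indicator_fault * (1 - d.p_cross_check * d.p_manual_detect)
    return d.p_fault * (shown + silent)


def secondary_risk(d: IndicatorDesign) -> float:
    """P(fault goes unnoticed because the indicator failed and operators relied on it)."""
    return d.p_fault * d.p_indicator_fault * (1 - d.p_cross_check * d.p_manual_detect)


def marginal_resilience(d: IndicatorDesign) -> float:
    """Reduction in undetected-fault probability gained by adding the indicator;
    negative means the indicator leaves the system less safe than having none."""
    return p_undetected_without_indicator(d) - p_undetected_with_indicator(d)


if __name__ == "__main__":
    tested = IndicatorDesign(0.01, indicator_fault_probability(1e-5, 4000), 0.95, 0.5, 0.1)
    neglected = IndicatorDesign(0.01, 0.5, 0.95, 0.5, 0.0)  # rarely tested, fully relied upon
    for name, d in (("tested", tested), ("neglected", neglected)):
        print(f"{name}: marginal={marginal_resilience(d):+.6f} secondary={secondary_risk(d):.6f}")
```

With the assumed numbers, the regularly tested indicator gives a positive marginal resilience, while the rarely tested, fully relied-upon one gives a negative value: the undetected-fault probability is higher than with no indicator at all.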
Updated on 26 Feb 2017.