Typically, safety-critical features have backup features, designed to operate automatically in case of failure. Assume that in a nuclear power plant a backup pump has been closed for a maintenance procedure, and that the operators forgot to reopen it after finishing the maintenance procedure. Assume further that a few days later the primary pump stops working. Because the backup pump is closed, the core of the plant overheats and melts.
This sequence of events is typical of many actual incidents. For example, exactly this sequence was the trigger of the famous Three Mile Island (TMI) accident in 1979, which had a profound effect on the nuclear community worldwide.
For the discussion, assume that both the primary pump and the backup pump are fitted with sensors that report the pump's state. The question is whether, and how, procedural exception handling could prevent such incidents. Because it is procedural, we need to examine two procedures: one tracing changes in the primary pump and the other tracing changes in the backup pump.
Case one: the procedure triggered by the sensor of the primary pump detects that the backup pump is closed, and generates an exception message. The problem is that it takes only a few seconds for the core to overheat. By the time the operators receive the message, the core has already melted down.
Case two: the procedure triggered by the sensor of the backup pump detects that the primary pump is operational. The problem is that the system design did not prohibit closing the backup pump, and the programmers did not provide a warning about it to the operators, because they assumed that temporarily closing the pump may be legitimate, and because they did not consider the possibility that an operator would fail to reopen it afterwards.
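To make the two cases concrete, the following simulation replays the event sequence above with the two sensor-triggered procedures implemented as described. It is an added example, not code from the original text; the time constants (seconds to core damage, operator reaction time, a hypothetical allowed maintenance window) are constructed assumptions, since the text only says "a few seconds" and "a few days". The `maintenance_window_check` function is an added contrast showing the kind of state-based, periodic check that a practitioner would want alongside event-triggered procedures.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed parameters (the text says only "a few seconds" and "a few days").
CORE_MELT_SECONDS = 5                  # seconds from loss of cooling to core damage
OPERATOR_LATENCY_SECONDS = 30          # time for a human to notice and act on a message
MAINTENANCE_WINDOW_SECONDS = 8 * 3600  # hypothetical allowed outage of the backup pump


@dataclass
class Plant:
    primary_running: bool = True
    backup_open: bool = True
    backup_closed_at: Optional[int] = None
    alerts: List[Tuple[int, str]] = field(default_factory=list)


def set_backup(plant: Plant, is_open: bool, now: int) -> None:
    """Operator action on the backup pump; triggers the backup-pump sensor procedure."""
    plant.backup_open = is_open
    plant.backup_closed_at = None if is_open else now
    backup_sensor_procedure(plant, now)


def set_primary(plant: Plant, running: bool, now: int) -> None:
    """Change of the primary pump's state; triggers the primary-pump sensor procedure."""
    plant.primary_running = running
    primary_sensor_procedure(plant, now)


def primary_sensor_procedure(plant: Plant, now: int) -> bool:
    """Case one: runs only when the primary pump's state changes.
    It does detect the closed backup, but only once the primary has already failed."""
    if not plant.primary_running and not plant.backup_open:
        plant.alerts.append((now, "EXCEPTION: primary stopped, backup closed"))
        return True
    return False


def backup_sensor_procedure(plant: Plant, now: int) -> bool:
    """Case two: runs when the backup pump's state changes.
    Closing the backup while the primary runs was assumed legitimate, so nothing is raised."""
    if not plant.backup_open and not plant.primary_running:
        plant.alerts.append((now, "EXCEPTION: backup closed with primary down"))
        return True
    return False


def maintenance_window_check(plant: Plant, now: int) -> bool:
    """Added contrast (not from the text): a periodic, state-based check that treats a backup
    outage longer than the maintenance window as an exception regardless of the primary's state."""
    if not plant.backup_open and plant.backup_closed_at is not None:
        if now - plant.backup_closed_at > MAINTENANCE_WINDOW_SECONDS:
            plant.alerts.append((now, "WARNING: backup pump closed beyond maintenance window"))
            return True
    return False


def run_tmi_sequence(periodic_check: bool) -> dict:
    """Replay the sequence from the text: backup closed for maintenance, never reopened,
    primary fails days later. Reports when the first alert fired versus when the core melts."""
    plant = Plant()
    t_close = 0
    set_backup(plant, False, t_close)            # maintenance starts; nobody reopens afterwards
    t_fail = t_close + 3 * 86400                 # primary pump fails three days later
    if periodic_check:
        for t in range(t_close, t_fail, 3600):   # hourly evaluation of plant state
            if maintenance_window_check(plant, t):
                break
    set_primary(plant, False, t_fail)
    core_melt_at = t_fail + CORE_MELT_SECONDS
    first_alert_at = plant.alerts[0][0] if plant.alerts else None
    acted_on_at = None if first_alert_at is None else first_alert_at + OPERATOR_LATENCY_SECONDS
    return {
        "first_alert_at": first_alert_at,
        "core_melt_at": core_melt_at,
        "prevented": acted_on_at is not None and acted_on_at < core_melt_at,
        "alerts": plant.alerts,
    }


if __name__ == "__main__":
    for mode in (False, True):
        result = run_tmi_sequence(periodic_check=mode)
        print("periodic check" if mode else "procedural only", result)
```

With the procedures alone, the only exception is raised at the moment the primary fails, and the operator reaction time exceeds the seconds available before core damage; the backup-pump procedure never fires because closing the backup while the primary runs looked legitimate. The periodic check flags the overdue outage hours after maintenance, days before the primary fails, because it evaluates the plant's state rather than reacting to a single sensor event.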
Procedural exception handlers might also fail to detect other failure modes that occurred in the TMI accident, including those caused by unreliable sensors or by misleading measurements.
Updated on 04 Jun 2017.