Three Mile Island
What Happened, What Worked, What Didn’t
MIS 524

AGENDA
  • The Situation, Events
  • Analysis of Events
  • Lessons for IT Security

The Situation
[Map: Three Mile Island Nuclear Power Plant, Pennsylvania; cities shown: Pittsburgh, Harrisburg, Philadelphia; label: 120 Miles]

The Reactor
[Diagram labels: Relief Valve, Steam Generators, Reactor, Secondary feedwater cycle, Main Feedwater Cycle]

The Events
  1. Secondary feedwater cycle was partially closed off for maintenance.
  2. Main feedwater pump failed
  3. Pressure built up from reactor heat
  4. Relief valve stuck OPEN, draining lines
  5. However, indicator of high pressure was used to measure water volume
  6. Operators assumed too high volume, shut off rest of main feedwater supply
  7. Result was exposed reactor core, no cooling
[Diagram labels: Relief Valve, Steam Generators, Reactor, Main Feedwater Cycle; callout: "Nasty stuff, fortunately not a lot of it."]

Analysis
  • Poor maintenance procedures
  • Operators not trained in emergency procedures
  • Operators use one item of info as indicator of a loosely related state
  • “Common-Fault” failure made annunciator board useless
  • No PR procedures in place
  • Civil institutions were not ready
  • Quick analysis hindered by common fault failure

Common Fault Failures
Effects: Many things go wrong; it is not apparent that there is a common fault; some of the symptoms may have other, more reasonable causes, crippling diagnosis

Implications for IS Security
  • Maintenance procedures need to be well documented
  • Operators should be trained in emergency procedures
  • Operators need to know full set of indicators
  • “Common-Fault” failure is likely
  • PR procedures must be in place
  • Civil institutions must be made ready
  • Analysis must be helped by simulation of fault failures