
The most obvious lessons are that protective equipment should not be isolated and that basic safety rules
should be clearly stated and should not be ignored. In addition, as the consequences of breaking
the rules were so serious, the plant should have been designed so that the rules could not be
ignored, that is, so that the automatic trip could not be isolated, so that at least thirty control rods
had to be left in the core and so that the plant could not remain on line if the output was reduced
below 20%. The Russian designers seem to have assumed that instructions would always be
clearly stated and obeyed and that therefore there was no need for them to install protective
equipment to prevent unsafe methods of operation. They assumed that those who issue and
enforce operating rules and those who are supposed to follow them would be more reliable than
automatic equipment, but they were not. (This is not a universal rule. Sometimes operators are
more reliable than automatic equipment, but not in this case.) Russians have a reputation for
rule-based behaviour and for referring every detail to higher authority so it is at first sight surprising
that the procedures at Chernobyl were so slipshod. The operating staff seem to have had
contradictory instructions: to carry out the tests as quickly and effectively as possible and to follow
normal operating procedures. They may have assumed that the instruction to carry out the
experiment overrode the normal procedures. In the process industries managers have often had
to argue with research workers who wanted to carry out experiments on the plant but did not
want to be bound by the normal safety instructions. Safety instructions should be followed at all
times unless an exception has been authorised at the appropriate level after a systematic
consideration of the hazards. In addition, managers who talk a lot about output or efficiency or
getting things done, without any mention of safety, inevitably leave operators with the impression
that safety is less important. Managers should remember, when giving instructions, that what
you don’t say is as important as what you do say. It seems that the local managers and perhaps
the operators had been departing from the rules, or from good operating practice, for some time.
Everything had to be referred to the top so it was necessary to break the rules in order to get
anything done. Regular audits, if there had been any, would have picked up the fact that rules
and good practice were not being followed but perhaps those at the top preferred not to know so
that they would not be responsible. Holloway [13] cites an incident at another Russian nuclear
power station when the director told the deputy premier responsible for energy production that
the plant would not be ready on time as equipment was delivered late. The minister exploded,
‘Who gave you the right, comrade, to set your own deadlines in place of the government’s?’ In
this sort of climate people say nothing or tell lies. The Russians have no independent inspection
service similar to the UK Nuclear Installations Inspectorate. The early reports on Chernobyl did
not make it clear at what level the decisions to operate at low rate, withdraw most of the control
rods and switch off the trip were taken but we now know that the deputy chief engineer was
present throughout the experiment [16]. It is clear, however, that when the normal procedures were
suspended the operators had insufficient understanding of the process to be able to replace
rule-based behaviour by skill-based behaviour. At Three Mile Island, when an unforeseen fault
occurred, the operators were similarly unable to cope. Rule-based behaviour is appropriate when
straightforward tasks have to be performed but process plants do not come into this category. (In
theory, if rule-based behaviour is all that is needed a computer can be used instead of a person.)
On process plants we should never rely solely on rule-based behaviour as circumstances may
arise, in fact probably will arise, which were not foreseen by those who wrote the rules. Note also
that knowledge-based behaviour requires motivation as well as knowledge. The operators may
not have understood why it was so important to operate above 20% output or why so many control
rods should have been lowered. Like many operators, they may have relied more on process feel
than theoretical knowledge and felt confident of their ability to control the reactor under all
circumstances. On process plants protective equipment sometimes has to be isolated, for
example, if it goes out-of-order or if the plant is operating under abnormal conditions – a low flow
trip may have to be isolated during start-up, for example – but it should be isolated only after
authorisation at an appropriate level and the fact that the trip is isolated should be signalled in
some way, for example, by a light on the panel (see Section 2.5). If possible the trip should reset
itself after a period of time. When the potential consequences of a hazard are serious, as in a
nuclear power station, isolation of a trip should be impossible. High reliability is then essential and
it can be achieved by redundancy. Similarly, it is neither necessary nor possible to install
protective equipment to prevent operators breaking every safety rule but certain modes of
operation may have such serious consequences that it should be impossible to adopt them.
