Case Study: the Three Mile Island Accident and Its Engineering Lessons
The accident at Three Mile Island Unit 2 (TMI-2) on March 28, 1979, remains the most significant event in the history of U.S. commercial nuclear power. It unfolded over a tense 16-hour period, leading to a partial meltdown of the reactor core and forcing fundamental changes in how the nuclear industry approaches safety, operations, and regulation. The lessons derived from TMI-2 extend well beyond nuclear engineering, offering enduring principles for any high-risk technological system. This expanded case study examines the accident’s chronology, root causes, technical and human failures, and the sweeping reforms it catalyzed.
Background: Nuclear Power in the Late 1970s
In 1979, the United States operated about 70 commercial nuclear reactors, with many more under construction. The industry had grown rapidly since the mid-1960s, driven by the promise of cheap, reliable, and clean electricity. The Three Mile Island Nuclear Generating Station, located on the Susquehanna River near Harrisburg, Pennsylvania, consisted of two pressurized water reactors (PWRs) designed by Babcock & Wilcox. Unit 1 had been operating since 1974; Unit 2 began commercial operation in December 1978, just three months before the accident.
The prevailing safety philosophy relied on defense-in-depth: multiple barriers and redundant systems to prevent or contain radioactive releases. However, operator training and human-factors engineering had not kept pace with the complexity of these systems. The accident would expose critical gaps between design assumptions and real-world operational behavior.
Chronology of the Accident
Initial Failure: Loss of Feedwater
At 4:00 a.m. on March 28, 1979, a series of events began in the secondary (non-radioactive) side of the TMI-2 plant. A maintenance crew was cleaning a blockage in the condensate polishing system, a set of filters used to purify water returning from the turbine condenser. Moisture entered the plant’s instrument air system, causing several valves to malfunction, including the feedwater pumps’ main control valves. The feedwater pumps automatically tripped (shut down) as a result.
The loss of feedwater meant that the steam generators could no longer remove heat from the reactor coolant. The turbine automatically tripped, and the reactor itself scrammed (shut down) seconds later. Control rods inserted into the core to stop the nuclear chain reaction, but the fuel still produced significant decay heat—about 6-7% of full power immediately after shutdown, gradually decreasing over hours and days.
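The decay-heat figures above are the reason the loss of heat removal mattered at all after the scram. The following is an added illustration, not material from the case study: it evaluates the Way-Wigner approximation, a textbook fit for decay heat after shutdown (good to roughly 20 percent), and integrates it to show how much heat still had to be removed in the first 16 hours. The 2772 MWt rating and the 90-day operating history are assumed round figures, and the function names are mine.

```python
"""Decay heat after scram, Way-Wigner approximation:

    P(t)/P0 = 0.066 * [ t**-0.2 - (t + T)**-0.2 ]

t = seconds since shutdown, T = seconds at power before shutdown.
Added illustration, not plant data. The rated power and operating history
below are assumed round figures, not values taken from the case study."""

P0_MWT = 2772.0                  # assumed rated thermal power
T_AT_POWER_S = 90 * 24 * 3600    # assumed ~3 months at power before the scram


def decay_fraction(t_s: float, T_s: float = T_AT_POWER_S) -> float:
    """Fraction of full power still produced as decay heat t_s seconds after scram.

    The formula diverges at t = 0, so a positive time is required."""
    if t_s <= 0:
        raise ValueError("time after shutdown must be positive")
    return 0.066 * (t_s ** -0.2 - (t_s + T_s) ** -0.2)


def decay_power_mw(t_s: float, p0: float = P0_MWT, T_s: float = T_AT_POWER_S) -> float:
    """Decay heat in megawatts (thermal) t_s seconds after scram."""
    return p0 * decay_fraction(t_s, T_s)


def energy_released_gj(t_end_s: float, p0: float = P0_MWT, T_s: float = T_AT_POWER_S) -> float:
    """Closed-form integral of the curve from shutdown to t_end_s: the heat that
    must be removed in that interval, in gigajoules (MW * s = MJ, /1000 = GJ)."""
    k = 0.066 / 0.8
    full_power_seconds = k * (t_end_s ** 0.8 - ((t_end_s + T_s) ** 0.8 - T_s ** 0.8))
    return full_power_seconds * p0 / 1000.0


def decay_table(times_s=(1, 60, 600, 3600, 4 * 3600, 16 * 3600, 86400)):
    """Rows of (seconds after scram, fraction of full power, MW)."""
    return [(t, decay_fraction(t), decay_power_mw(t)) for t in times_s]


if __name__ == "__main__":
    for t, frac, mw in decay_table():
        print(f"t = {t:>6d} s   decay heat = {100 * frac:5.2f} %   = {mw:7.1f} MW")
    print(f"heat released in first 16 h: {energy_released_gj(16 * 3600):.0f} GJ")
```

Under these assumptions the curve starts a little above 6 percent, is near 1 percent an hour after the scram, and is still several megawatts at the 16-hour mark when forced cooling was restored; the integral shows why a stuck-open relief valve with the injection pumps throttled back could not be tolerated for long.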
Stuck-Open Relief Valve
When the reactor lost normal heat removal, pressure in the primary coolant system began to rise. The pilot-operated relief valve (PORV) on the pressurizer opened automatically to relieve excess pressure, as designed. However, when pressure dropped back to normal, the PORV failed to close. It remained stuck open, allowing high-temperature, high-pressure coolant to escape from the primary system into the reactor coolant drain tank and then, when that overflowed, onto the containment building floor.
The control room indicators gave misleading signals. The PORV lamp on the panel reflected only the close signal to the valve's solenoid, not the valve's actual position; when the signal was sent the light went out, and operators concluded the valve had closed. A temperature reading on the PORV discharge line was high, which is exactly what escaping coolant would produce, but it was not prominently displayed, and operators who saw it attributed it to a small leak through the valve that had been known about before the accident.
Operator Misinterpretation and Core Damage
In the minutes that followed, the primary system kept losing coolant through the open PORV. Pressurizer level, which operators were trained to treat as a measure of the system's water inventory, rose to an abnormally high reading: as pressure fell, steam voids formed in the hot parts of the primary loop and displaced water into the pressurizer. The high-pressure injection (HPI) pumps had started automatically about two minutes into the event, but the operators, believing a high level meant too much water and fearing they would fill the pressurizer solid, throttled HPI back to a trickle within a few minutes. A separate problem compounded the early transient: the auxiliary feedwater pumps had started, but their discharge block valves had been left closed after maintenance, so no auxiliary feedwater reached the steam generators until operators noticed about eight minutes in.
This was the critical mistake. The rising pressurizer level was a misleading symptom; the reactor was actually losing coolant mass, and with HPI throttled the inventory kept falling. About an hour and a quarter into the event the reactor coolant pumps began vibrating badly from pumping a steam and water mixture, and operators shut them down; without forced flow the steam and water separated and the top of the core was uncovered. The fuel rods overheated, their zirconium alloy cladding reacted with steam to produce hydrogen gas, and fuel began to melt. The stuck-open PORV was finally isolated by closing its block valve about two hours and twenty minutes after the start of the event, but core damage was already under way. In all, about half of the reactor core melted, and some molten material relocated to the bottom of the reactor vessel. Fortunately, the vessel itself remained intact, preventing a more catastrophic release of radioactive material.
Instrumentation that could have revealed the state of the core was not available to operators in usable form. In-core thermocouple readings were not displayed in the control room; they had to be obtained from the plant computer, and the values that were obtained were so high, or so far off-scale, that they were dismissed as instrument error. The plant's safety analysis had not anticipated that operators would fail to recognize a small-break loss-of-coolant accident (LOCA).
Hydrogen Bubble and Containment Isolation
During the core uncovery and melting, the zirconium-steam reaction generated hydrogen gas, some of which escaped into the containment through the open PORV. At about 1:50 p.m., roughly ten hours after the initial event, a hydrogen burn occurred inside the containment building. It registered as a sudden pressure spike of about 28 psi on the containment pressure recorder, well below the structure's design pressure, and did not breach containment. Two days later, a hydrogen bubble was identified in the upper part of the reactor vessel itself, raising fears that it could block cooling of the core or, if oxygen were present, explode and rupture the primary system. Analysis over the following days by the NRC and industry experts concluded that the bubble contained far too little oxygen to be explosive, and it was gradually removed.
By the end of the first day, the plant was stabilized. Sustained high-pressure injection had been restored during the morning, and about 16 hours after the start of the event operators restarted a reactor coolant pump, re-establishing forced cooling through a steam generator and bringing the core under stable control. However, the release of small amounts of radioactive gases, together with confusing official statements and media reports, created widespread fear. On March 30, Pennsylvania Governor Richard Thornburgh recommended that pregnant women and preschool children within a five-mile radius leave the area, and about 140,000 people evacuated voluntarily.
Root Causes: A Systems Engineering Failure
Equipment Design and Reliability
The stuck-open PORV was a known reliability issue. A very similar event had occurred at the Babcock & Wilcox plant at Davis-Besse in September 1977, including operators throttling HPI in response to a rising pressurizer level, but the lesson had not been turned into corrective action or operator guidance across the fleet. The valve's failure mode (stuck open), combined with an indicator that showed the command sent to the valve rather than its measured position, was a fundamental design flaw. The temperature indication on the downstream drain line that could have alerted operators to the open valve was not displayed effectively in the control room.
Pressurizer level was designed as a control parameter for normal operation, not as a diagnostic for LOCAs. It tracks coolant inventory only while the primary loop outside the pressurizer is full of water; once steam voids form, level and inventory decouple, and a rising level can accompany a falling inventory. There was no direct measurement of water level in the reactor vessel. The entire instrumentation and control philosophy prioritized preventing unintended overpressure rather than detecting small leaks.
Human Factors and Training Deficiencies
Operator training at TMI-2 and throughout the industry in 1979 focused primarily on normal operations and large-break LOCAs. Small-break LOCAs were considered less probable and received less emphasis. Simulators did not replicate the specific transient signature of a stuck-open PORV. Operators were not trained to recognize the symptoms of small coolant leaks or to understand that rising pressurizer level could indicate a loss of coolant mass (due to void formation in the core).
The control room layout itself contributed to confusion. Alarms crowded the panels; during the first 10 minutes of the event, operators faced an avalanche of alarms, many of which were irrelevant. The alarm system had no prioritization, making it difficult to identify the most critical information. Key indicators, such as the drain line temperature, were located on the back of the control board, out of the normal line of sight.
Organizational and Safety Culture Issues
Before TMI-2, the nuclear industry had not developed a robust safety culture. There was a tendency to assume that safety systems would perform as designed and that operators would follow procedures correctly. Root cause analysis was rarely performed on minor incidents. Regulatory oversight was fragmented, with the Atomic Energy Commission’s regulatory functions transferred to the new Nuclear Regulatory Commission (NRC) in 1975, but the shift in culture was still in its infancy.
The accident investigation, led by the President’s Commission on the Accident at Three Mile Island (the Kemeny Commission), concluded that the fundamental problem was “people-related” rather than equipment-related. The commission stated: “We are convinced that an accident like Three Mile Island was eventually inevitable.”
Engineering Lessons Learned
Redundancy and Diversity in Safety Systems
TMI-2 had redundant safety injection trains, but redundancy protects against independent equipment failures, not against a shared misdiagnosis: the operators' single mistaken picture of the plant led them to throttle every train at once, defeating the redundancy entirely. The lesson was that redundancy must be paired with clear procedures and operator understanding. Additionally, the accident demonstrated that diverse means of detecting critical parameters, such as multiple independent ways to measure coolant inventory, are essential, because a misleading single indicator is worse than none.
Human-Centered Control Room Design
After TMI-2, the industry invested heavily in control room improvements. Distinguishable alarm systems with priority annunciation and suppression of non-essential alarms became standard. The addition of direct indication for critical valve positions (such as PORV status) and the use of safety parameter display systems (SPDS) allowed operators to quickly see the plant’s overall safety state. The NRC mandated detailed human factors reviews for all licensed plants.
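The three control-room lessons above (an indicator that reflected the command rather than the valve's position, a pressurizer level that was a misleading proxy for inventory, and an unprioritized alarm flood) can be made concrete in a few dozen lines. The following is an added illustration written for this case study, not plant logic or any vendor's code: it contrasts a command-derived lamp with positive position indication, applies a diverse cross-check that infers a small-break signature from pressure trend, level trend and tailpipe temperature without consulting the lamp, and annunciates alarms by priority. The trajectory values, the threshold, the alarm texts and all function names are constructed for illustration and are not TMI-2 setpoints or data.

```python
"""Command-vs-position indication, a diverse LOCA cross-check, and priority
annunciation. Added example, not plant logic; every number below is
constructed for illustration and is not a TMI-2 setpoint or reading."""
from dataclasses import dataclass


@dataclass
class Sample:
    """One control-room snapshot (constructed values)."""
    t_min: float
    porv_close_cmd: bool        # close signal sent (what the 1979 lamp reflected)
    porv_open: bool             # true stem position (not shown in 1979)
    tailpipe_temp_f: float      # PORV discharge line temperature
    rcs_pressure_psig: float
    pressurizer_level_pct: float


TAILPIPE_HOT_F = 200.0          # assumed threshold for "valve is passing coolant"


def lamp_1979(s: Sample) -> str:
    """Command-derived indication: reads CLOSED as soon as the close signal is sent."""
    return "CLOSED" if s.porv_close_cmd else "OPEN"


def position_indication(s: Sample) -> str:
    """Positive indication: reports measured stem position regardless of command."""
    return "OPEN" if s.porv_open else "CLOSED"


def diagnose(history: list) -> list:
    """Return (priority, message) alarms for the latest sample, 1 = most urgent.

    The LOCA rule deliberately ignores the valve lamp and uses three diverse
    sources: pressure trend, level trend and tailpipe temperature. Rising
    pressurizer level on its own is NOT treated as "too much water"."""
    alarms = []
    now = history[-1]
    if now.porv_close_cmd and now.porv_open:
        alarms.append((1, "PORV position OPEN after close signal: close block valve"))
    if len(history) >= 2:
        prev = history[-2]
        level_rising = now.pressurizer_level_pct > prev.pressurizer_level_pct
        pressure_falling = now.rcs_pressure_psig < prev.rcs_pressure_psig
        if level_rising and pressure_falling and now.tailpipe_temp_f > TAILPIPE_HOT_F:
            alarms.append((1, "Possible small-break LOCA: level rising while pressure "
                              "falls and PORV tailpipe hot; keep HPI running"))
    if now.tailpipe_temp_f > TAILPIPE_HOT_F:
        alarms.append((2, "PORV tailpipe temperature high"))
    return alarms


def annunciate(alarms: list, max_shown: int = 3):
    """Priority annunciation: most urgent first; priority 3 and below are rolled
    into a count so a flood of nuisance alarms cannot bury the few that matter."""
    urgent = sorted(a for a in alarms if a[0] < 3)
    suppressed = sum(1 for a in alarms if a[0] >= 3)
    return urgent[:max_shown], suppressed


# Constructed trajectory: the PORV opens on demand at t=0, the close signal is
# sent at t=1 but the valve sticks open; level climbs while pressure falls.
TRAJECTORY = [
    Sample(0, False, True, 230.0, 2255.0, 60.0),
    Sample(1, True,  True, 270.0, 2050.0, 68.0),
    Sample(2, True,  True, 285.0, 1850.0, 80.0),
    Sample(4, True,  True, 285.0, 1500.0, 95.0),
]

# Constructed secondary-side annunciators that are true but not actionable here.
NUISANCE = [(3, "Condensate polisher trouble"), (3, "Turbine trip"),
            (3, "Feedwater pump trip")]


def run_case(history=TRAJECTORY) -> dict:
    """Evaluate the latest sample both ways and annunciate the combined alarm list."""
    latest = history[-1]
    shown, hidden = annunciate(diagnose(history) + NUISANCE)
    return {"lamp_1979": lamp_1979(latest), "position": position_indication(latest),
            "shown": shown, "suppressed": hidden}


if __name__ == "__main__":
    for key, value in run_case().items():
        print(f"{key}: {value}")
```

At the last sample the 1979-style lamp still reads CLOSED while the position channel reads OPEN, and the cross-check raises the small-break alarm even though pressurizer level is at its highest; the three nuisance alarms are counted rather than displayed. The point is not the thresholds but the structure: the indicator is derived from a measurement rather than a command, and the diagnosis never rests on one parameter.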
Realistic Operator Training and Simulators
The most direct outcome was the creation of the Institute of Nuclear Power Operations (INPO) in 1979, which established industry-wide training standards. INPO developed accredited training programs that use full-scope simulators capable of simulating a wide range of transients, including small-break LOCAs and instrument failures. Operators now undergo regular requalification exams and participate in realistic emergency drills. The concept of “crew resource management” (similar to aviation) was introduced, emphasizing communication, decision-making, and teamwork in the control room.
Defense-in-Depth Confirmation and Containment Performance
TMI-2 validated the containment building as a final barrier. Despite a severe core melt and a hydrogen burn, the containment structure held, and the vast majority of radioactive material remained inside it. Safety analysis after the accident showed that the containment design pressure was never approached, and the releases that did reach the environment, mainly noble gases that escaped by way of the auxiliary building and its vent stack, produced an estimated average off-site dose of about 1 millirem, a small fraction of annual natural background. This reinforced the importance of containment integrity and of every pathway out of it, and led to re-examination of containment performance for beyond-design-basis accidents.
Severe Accident Management Guidelines
Before TMI-2, the industry assumed that core melt accidents were so unlikely that specific procedures were not needed. After the accident, and following the NRC's 1985 severe accident policy statement, utilities developed severe accident management guidelines (SAMGs) to deal with scenarios involving degraded cores, hydrogen generation, and containment challenges. These guidelines were adopted under an industry-wide commitment rather than by regulation, and they are now in place at every U.S. nuclear plant.
Regulatory and Industry Overhaul
Creation of INPO
The nuclear power industry, recognizing that public trust required fundamental change, established INPO in 1979. INPO is a non-profit organization that sets performance standards, conducts independent evaluations, and shares operating experience among member utilities. It is not a regulatory body, but its evaluations are rigorous and can influence a utility’s standing and ability to purchase insurance. INPO’s formation represented a shift from purely external regulation to a combination of internal industry-led excellence programs and NRC oversight.
NRC Reforms
The NRC acted quickly after TMI-2. Its TMI Action Plan (NUREG-0660 and NUREG-0737) imposed more than 150 items on licensees. Key regulatory changes included:
- Requiring systematic evaluation of small-break LOCAs for all reactor designs.
- Mandating upgraded instrumentation for PWRs, including positive indication of relief and safety valve position and instrumentation for detecting inadequate core cooling such as reactor vessel level.
- Implementing emergency planning requirements, including a 10-mile emergency planning zone around each plant and radiological emergency response plans and drills for all plants.
- Stationing NRC resident inspectors at every operating plant and increasing the frequency of inspections.
- Establishing the Accident Sequence Precursor program to systematically review operational events for risk significance.
International Impact
The accident also prompted international cooperation. The International Atomic Energy Agency (IAEA) strengthened its safety standards and established the Incident Reporting System (IRS) to share lessons across countries. Many nations enhanced their own regulatory frameworks and required severe accident mitigation measures.
Legacy of Three Mile Island
Public Perception and the Nuclear Industry’s Decline
Three Mile Island dealt a severe blow to public confidence in nuclear power in the United States. Although no deaths or injuries resulted, the confusion and conflicting information during the emergency generated intense fear. The accident effectively halted the growth of the U.S. nuclear industry. No new nuclear plant orders were placed after 1978, and many planned plants were canceled. The NRC’s fact sheet notes that the accident ended the rapid expansion of nuclear energy in the country.
Advances in Safety Technology
Modern reactor designs, such as the AP1000 and the European Pressurized Reactor, incorporate lessons from TMI-2. These designs include passive safety systems (relying on gravity, natural circulation, and compressed gas instead of active pumps), simplified instrumentation, digital control systems with human-factors optimization, and containment features to handle hydrogen produced during severe accidents. The World Nuclear Association emphasizes that TMI-2 was a catalyst for these innovations.
The Lesson of Transparency
Beyond hardware, the accident taught the importance of transparent, clear, and timely communication during emergencies. The initial misinformation during the TMI incident damaged public trust. Today, nuclear plant operators are required to have emergency notification systems and public information programs. The NRC maintains a comprehensive emergency preparedness framework that includes coordination with state and local authorities.
Conclusion: Enduring Relevance
Forty-five years later, the Three Mile Island accident continues to inform engineering practice, not just in nuclear power but across all high-hazard industries. It demonstrated that safety cannot be guaranteed by hardware alone; organizational culture, operator training, and system-level thinking are equally critical. The event accelerated the shift from a deterministic view of safety (assuming every failure can be prevented) toward probabilistic risk assessment, an approach the 1975 Reactor Safety Study (WASH-1400) had pioneered and whose identification of small-break LOCAs and operator error as dominant risk contributors TMI-2 confirmed in practice. Every nuclear plant today operates under stricter standards, better training, and more robust oversight because of what happened at TMI-2. The lessons remain essential reading for any engineer or manager responsible for complex, safety-critical systems. For further reading, the NRC's historical summary and the World Nuclear Association's analysis provide additional depth.