1.More multiple failures than you believe possible, because latent errors accumulate
2. Operators cannot fully understand system because errors in implementation, measurement system, warning systems. Also complex, hard to predict interactions
3.Tendency to blame operators afterwards (60-80%), but they must operate with missing, wrong information
4.The systems are never all working fully properly: bad warning lights, sensors out, things in repair
5.Emergency Systems are often flawed. At 3 Mile Island, 2 valves left in the wrong position; parts of a redundant system used only in an emergency. Facility running under normal operation masks errors in error handling
Charles Perrow, Normal Accidents: Living with High Risk Technologies, Perseus Books, 1990