Join
Search

Single Failures and Nuclear Operator Training

Bookmark and Share

Fission Stories #163

The nuclear reactor safety philosophy in the United States relies heavily on defense-in-depth. Basically, if one widget is needed for safety, at least two are provided. It’s not just a splendid notion—it’s the law.

Nuclear power plants designs are supposed to be single-failure proof. “Single failure” is defined within NRC’s regulations as:

“A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.”

“Multiple failures resulting from a single occurrence” covers a failed power supply (such as an emergency diesel generator) causing all equipment supplied by it to also fail, as well as water jetting from the broken end of a pipe (a passive component) wetting the electric motor of a nearby pump causing it to fail.

The Role of Nuclear Operators

Nuclear power plants are designed to essentially be on auto-pilot for the first ten minutes of an accident. In other words, sensors must detect off-normal plant conditions and automatically activate standby emergency equipment as needed. During that initial period, the control room operators’ main tasks are to monitor conditions and verify that automated responses take place as expected. After that initial period, the control room operators take a more active role in mitigating accidents.

Proper defense-in-depth extends protections against single failures to operator actions (and inactions). After all, it makes little sense to install two emergency diesel generators in case one fails if an operator turns off the surviving generator because it is too noisy or other lame excuse.

The American Nuclear Society issued its standard ANSI/ANS-58-9-1981, “Single Failure Criteria for Light Water Reactor Safety-Related Fluid Systems,” in February 1981. This industry standard defined operator error as:

 “An operator error is a single incorrect or omitted action by a human operator attempting to perform a safety-related manipulation.”

This standard links operator error and the single failure criterion in NRC’s regulations in paragraph 3.7 which stated, “The designer shall consider an operator error as a potential single active failure.”

So What?

The NRC issues two types of licenses for reactor operators and senior reactor operators. The NRC only issues licenses to individuals who have successfully passed three tests:

    1. a written examination,
    2. questions asked by an examiner of the candidate during a tour of the plant and control room, and
    3. performance of tasks on a control room simulator.

The single failure criterion applied to operator licensing might imply that candidates must score 99% on the tests. After all, lower scores suggest that licensed operators might make more errors than the plant’s design can tolerate.

Wrong!

Over the past decade, the average score by candidates for NRC reactor operator licenses never exceeded 90%:

(click to enlarge)

Scores for Reactor Operator licenses (click to enlarge)

Here’s where defense-in-depth can step in. The reactor operators are supervised by senior reactor operators. Maybe the senior reactor operators scored 99% or better.

Wrong!

(click to enlarge)

Scores for Senior Reactor Operator licenses (click to enlarge)

Over the past decade, the average score by all candidates for NRC senior reactor operators never exceeded 90%.

Actually, the candidates cleared the NRC’s bar with comfortable margin. The NRC only requires a passing grade of 80 percent. Thus, the NRC thinks it’s okay if a control room operator, when asked what this nuclear widget does, has an 80% chance of knowing the answer.

Not to worry—candidates to become certified as NRC inspectors only need to score 70% on their exams.

Our Takeaway

The licensed control room operators at the nation’s nuclear plants are conscientious, skilled, and dedicated. Skimming through the types of questions they are asked for BWR and PWR licenses suggests how much effort goes into getting an 80 or more on the tests.

It would be unrealistic to require scores of 99% or higher. Doing so would not increase the capability of the operators—it would dumb down the tests towards the “who’s buried in Grant’s tomb” variety.

So, the problem is not with the process used by the NRC to license control room operators or with the people it is producing.

Instead, the problem is with reactor designs that set traps to snare capable individuals. The operators are scoring about 90% on tests they have spent most of the prior year preparing to take. Their performance facing unscheduled accidents they have not studied in-depth, and dealing with significantly higher stress levels than encountered in a quiet classroom, is more likely to drop than to soar.

It is folly for the NRC to license reactor designs that can withstand a single operator error when licensing operators routinely missing up to 20% of the questions.

The operators are doing their best—they must be given designs that allow their best to succeed. Reactor designs need not be made “idiot proof”—licensed operators are far from idiots. But reactor designs should be made that do not require that operators become engineers, instrument and control technicians, chemists, and many other skilled workers all rolled into one. Unless of course, plant owners begin paying their operators for wearing so many hats.

The NRC might also experiment with upping its game for its own inspectors. Requiring candidates for operators licenses to score 80% or better when candidates for NRC inspector certifications need only get 7 out of 10 right seems too much of the “do as I say, not as I do” thing.

 

“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.

Posted in: fission stories, Nuclear Power Safety Tags: , , ,

About the author: Mr. Lochbaum received a BS in Nuclear Engineering from the University of Tennessee in 1979 and worked as a nuclear engineer in nuclear power plants for 17 years. In 1992, he and a colleague identified a safety problem in a plant where they were working. When their concerns were ignored by the plant manager, the utility, and the Nuclear Regulatory Commission (NRC), they took the issue to Congress. The problem was eventually corrected at the original plant and at plants across the country. Lochbaum joined UCS in 1996 to work on nuclear power safety. He spent a year in 2009-10 working at the NRC Training Center in Tennessee. Areas of expertise: Nuclear power safety, nuclear technology and plant design, regulatory oversight, plant license renewal and decommissioning

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

  • Mark Heinicke

    Very enlightening, and troubling. But I can’t quite place this particular aspect in the broader framework of “defense-in-depth”. What specific weaknesses in power plant design could be corrected without building a whole new reactor? If they exist, is the NRC dragging its feet on this?