Disaster by Design/ Safety by Intent #44
Disaster by Design
Imagine that you have an extremely important appointment scheduled early tomorrow morning. To ensure that you get to the appointment on time, you might apply DIBs—Diverse Independent Barriers.
You want to set an alarm as a barrier against oversleeping. You could rely on multiple clock radios plugged into wall outlets for protection against one malfunctioning unit causing you to oversleep.
For diversity, you set some of the clock radios to sound a buzzer alarm and set the other clock radios to play a radio station. And being a diversity aficionado, you select a variety of music and talk radio stations to protect against a single station’s failure.
But a power outage could still disable all of these alarms at once. Multiple clock radios provide redundancy, because any one going off at the proper time helps get you moving towards the appointment. But they have limited diversity because every one of them is vulnerable to the same common-cause failure: loss of power at the wall outlets.
To enhance diversity, you opt instead to set alarms on a clock radio, wind-up alarm clock, and battery-powered cell phone and also arrange to have a reliable friend call at your desired wake-up time. No single power outage will defeat all your diverse alarm systems.
But another common-cause failure could still be your downfall: time conventions. You intend to set the alarms for 7 am, but mistakenly set each to go off at 7 pm. And your friend lives in a different time zone and could call you at 7 am her time instead of 7 am your time.
To enhance independence, you set some of the alarms and have family members set the remaining alarms to lessen the chances that all fall into the am/pm trap. And you pick a friend in an earlier time zone who may call you at 6 am your time which is 7 am her time.
So, DIBs get you up on time and you head out the door well-refreshed, well-dressed, well-fed, and well-ready for your important meeting only to find that your car won’t start due to a dead battery.
Had you mirrored the DIBs applied to waking up with DIBs for your transportation needs, you could turn to a bicycle, cab, bus, rickshaw, or horse and get to the meeting on time.
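The arithmetic behind the parable, as an added example that is not part of the original post: each alarm is modelled as a barrier with its own small failure probability plus the shared "supports" it depends on (wall power, whoever set it getting am/pm right, the friend's time zone), and the probability that every barrier fails is computed exactly by enumerating the up/down state of the supports. All of the probabilities, the barrier names and the function names are constructed assumptions chosen to make the point visible; none of them come from the post.

```python
from itertools import product
from typing import Dict, List, Tuple

# Constructed failure probabilities for the shared "supports" in the alarm
# parable. These numbers are assumptions chosen to illustrate the arithmetic,
# not data from the post.
SUPPORT_FAILURE: Dict[str, float] = {
    "wall_power":   0.02,  # overnight outage silences every plug-in clock radio
    "my_am_pm":     0.05,  # I set every alarm I touch to 7 pm instead of 7 am
    "family_am_pm": 0.05,  # a family member makes the same slip on theirs
    "friend_tz":    0.10,  # friend calls at 7 am her time, which is after 7 am mine
}

# A barrier is (name, its own independent failure probability, the supports it needs).
Barrier = Tuple[str, float, List[str]]


def p_all_fail(barriers: List[Barrier], support_failure: Dict[str, float]) -> float:
    """Exact probability that every barrier fails (you oversleep).

    Enumerates each up/down combination of the shared supports (a tiny fault
    tree), treats barrier-specific faults as independent given that state,
    and sums the weighted products. A barrier whose support is down fails
    with certainty; otherwise it fails with its own probability."""
    names = sorted({s for _, _, deps in barriers for s in deps})
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        down = {n for n, is_down in zip(names, state) if is_down}
        weight = 1.0
        for n, is_down in zip(names, state):
            weight *= support_failure[n] if is_down else 1.0 - support_failure[n]
        everyone_fails = 1.0
        for _, own, deps in barriers:
            everyone_fails *= 1.0 if any(d in down for d in deps) else own
        total += weight * everyone_fails
    return total


def p_miss_meeting(p_oversleep: float, transport: List[Barrier],
                   support_failure: Dict[str, float]) -> float:
    """Waking up and getting there are stages in series: failing either loses the meeting."""
    return 1.0 - (1.0 - p_oversleep) * (1.0 - p_all_fail(transport, support_failure))


# Stage 1: four plug-in clock radios (redundant, but all hang off one outlet and one brain).
FOUR_RADIOS: List[Barrier] = [
    (f"clock radio {i}", 0.01, ["wall_power", "my_am_pm"]) for i in range(1, 5)
]
# Stage 2: diverse power sources, but one person still sets every alarm.
DIVERSE: List[Barrier] = [
    ("clock radio",   0.01, ["wall_power", "my_am_pm"]),
    ("wind-up clock", 0.01, ["my_am_pm"]),
    ("cell phone",    0.01, ["my_am_pm"]),
    ("friend's call", 0.02, ["friend_tz"]),
]
# Stage 3: family sets the wind-up clock; the friend lives in an earlier
# zone, so her possible mistake (calling at 6 am my time) still wakes me.
INDEPENDENT: List[Barrier] = [
    ("clock radio",   0.01, ["wall_power", "my_am_pm"]),
    ("wind-up clock", 0.01, ["family_am_pm"]),
    ("cell phone",    0.01, ["my_am_pm"]),
    ("friend's call", 0.02, []),
]
CAR_ONLY: List[Barrier] = [("car", 0.03, [])]  # dead battery, no backup
TRANSPORT_DIBS: List[Barrier] = CAR_ONLY + [
    ("bicycle", 0.05, []), ("cab", 0.10, []), ("bus", 0.10, []),
]


def summary() -> Dict[str, float]:
    """Probability of oversleeping at each stage, then of missing the meeting."""
    best_wakeup = p_all_fail(INDEPENDENT, SUPPORT_FAILURE)
    return {
        "oversleep/four_radios": p_all_fail(FOUR_RADIOS, SUPPORT_FAILURE),
        "oversleep/diverse":     p_all_fail(DIVERSE, SUPPORT_FAILURE),
        "oversleep/independent": best_wakeup,
        "miss/car_only":         p_miss_meeting(best_wakeup, CAR_ONLY, SUPPORT_FAILURE),
        "miss/transport_dibs":   p_miss_meeting(best_wakeup, TRANSPORT_DIBS, SUPPORT_FAILURE),
    }


if __name__ == "__main__":
    for label, p in summary().items():
        print(f"{label:24s} {p:.2e}")
```

With these assumed numbers the four redundant radios oversleep about 7% of the time, essentially the sum of the two shared risks (outage plus the am/pm slip); the 0.01 per-radio failures barely register, which is the point about redundancy without diversity. Diversifying the power sources drops that to about 0.6%, now dominated by the am/pm slip coinciding with the friend's time-zone mix-up, and having different people set different alarms and choosing an earlier-zone friend drops it to roughly 6 in 100,000. The last two entries show the dead car battery: a 3% single-point failure after the wake-up stage makes all that alarm engineering irrelevant until the transport stage gets its own diverse, independent barriers.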
Safety by Intent
Fortunately, imagination is not needed to see how DIBs enhance nuclear power plant safety.
Consider the DIBs against inadequate core cooling in boiling water reactors. If normal cooling water supplied via the feedwater system is lost or insufficient, an array of alternative makeup methods is installed: the control rod drive (CRD) pump, the reactor core isolation cooling (RCIC) pump, the high pressure coolant injection (HPCI) pump, the core spray pumps, and the residual heat removal (RHR) pumps.
For diversity, the RCIC and HPCI pumps are powered by steam-driven turbines while the CRD, core spray, and RHR pumps have electric motors.
To enhance diversity, the CRD, core spray, and RHR pumps can receive electricity either from the offsite power grid or from the onsite emergency diesel generators. And the valves and turbine controls for the RCIC and HPCI pumps can receive electricity from either the offsite power grid, the onsite emergency diesel generators, or from onsite banks of batteries.
To enhance independence, the CRD, RCIC and HPCI pumps normally transfer water from the condensate storage tank (a large metal tank located outside the reactor building) to the reactor vessel while the RHR and core spray pumps normally transfer makeup water from the suppression pool inside the reactor building. The RCIC, HPCI, RHR and core spray pumps can transfer water to the reactor vessel from either source.
These reactor vessel makeup DIBs are but a very small fraction of the DIBs in nuclear power plants that protect against releases of radioactivity to the environment and other adverse consequences. And DIBs are not just hardware. For example, proposed modifications to the plant and revisions to operating procedures get reviewed and checked by many individuals with different backgrounds to ensure that desired outcomes are achieved without unintended consequences.
The DIBs go a long way to reducing the chances of and consequences from a nuclear power plant accident. The next post in the Disaster by Design/Safety by Intent series will describe how probabilistic risk analyses consider the reliability of DIBs—individually and then collectively—as a tool in managing nuclear power’s risks.
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.