Disaster by Design/ Safety by Intent #50
Safety by Intent
The Nuclear Regulatory Commission (NRC) identified a disturbing trend in the mid-80s—the number of safety problems caused by inadequate maintenance was increasing. In some cases, ineffective practices during routine maintenance such as replacing worn-out gaskets or lubricating rotating machinery resulted in equipment that had been operating satisfactorily breaking down soon afterwards.
For example, the NRC was receiving an increasing number of Licensee Event Reports (LERs) from plant owners about safety problems caused by inadequate maintenance. The NRC already had a regulation requiring owners to find and fix safety problems in a timely and effective manner, but the trends showed the regulation alone was not properly managing the risk.
The NRC advised plant owners about ineffective maintenance practices and their adverse safety consequences. But the NRC went beyond merely warning and whining about the troubling safety trend—it developed a new regulation and associated guidance intended to provide greater assurance that maintenance performed on safety equipment does not compromise safety margins. In other words, if it ain’t broke, don’t break it was the NRC’s goal for maintenance activities.
The NRC undertook a public rulemaking process that culminated in the NRC adding Section 50.65, “Requirements for Monitoring the Effectiveness of Maintenance at Nuclear Power Plants,” to 10 CFR Part 50 on July 10, 1991. This new regulation, commonly called the Maintenance Rule, did not require new maintenance methods or alter the frequency of preventive maintenance tasks. Instead, it required plant owners to develop programs that periodically evaluated the effectiveness of their existing maintenance activities to help assure that safety equipment remains able to perform its safety functions.
The nuclear industry developed a standard procedure, NUMARC 93-01, outlining a monitoring program for maintenance activities to comply with the Maintenance Rule. The NRC formally endorsed this industry standard. Plant owners had the option of implementing their own means of complying with the Maintenance Rule, but they would shoulder the burden of convincing the NRC their methods were as good as or better than the ones in NUMARC 93-01 that the agency had formally reviewed and accepted.
The Maintenance Rule is the best thing the NRC has done during my nearly 40-year career in the nuclear power industry. The NRC identified an adverse trend indicating that maintenance efforts and the existing regulation governing them were not successfully achieving the desired outcomes. Rather than waiting for the adverse trend to grow to epidemic proportions, the NRC took steps to halt the decline and restore performance levels.
Particularly commendable was the NRC’s solution. It would have been easy and intuitive for the NRC to merely spotlight the maintenance problems it had identified and the existing regulation that was being violated too often. But there were already plenty of NRC and industry spotlights on this problem such that another spotlight would have been wasted candle-power. Something different was needed.
The NRC’s solution involved requiring owners to develop monitoring programs that would connect the dots already being revealed by the existing spotlights to provide the proper context—are these broken widgets reflective of systemic problems or merely coincidental? Or, to quote my colleague Paul Gunter at Beyond Nuclear, “Is it a needle in a haystack or a haystack of needles?”
The monitoring programs required by the Maintenance Rule enable plant owners and the NRC to make better informed decisions about the effectiveness of maintenance activities and, more importantly, about the reliability of the safety equipment being maintained.
The Maintenance Rule requires all safety equipment to be included within the monitoring program’s scope. This provision avoids the all-too-tempting trap of tunnel-vision that focuses attention on a recent problem area and allows the next emerging problem area to remain undetected until it grows larger than necessary.
The Maintenance Rule also requires a process to focus necessary resources on today’s problems so as to prevent them from becoming tomorrow’s disaster. The periodic monitoring detects ineffective maintenance results at an early stage enabling both the impaired widgets and the defective maintenance practices to be remedied before they cause harm.
Disaster by Design
Somewhat like slot machine jackpots, nuclear plant accidents require three things to line up: (1) an initiating event such as a loss of offsite power or an earthquake, (2) a design deficiency such as an under-sized motor or a safety system actuating circuit that needs power to function, and (3) worker mistake(s) like a control room operator not taking compensatory actions in time or a maintenance worker miscalibrating the setpoints for automatic initiation of emergency equipment.
The Maintenance Rule helps keep that third wheel from appearing too often. Combined with other NRC efforts keeping the other two wheels equally shy, the Maintenance Rule guards against nuclear jackpots.
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.