Disaster by Design/Safety by Intent #54
Safety by Intent
Robin Morgan wrote that “Knowledge is power. Information is power.”
Among many lessons learned from the March 1979 core meltdown at Three Mile Island was the need to collect, assess, and disseminate relevant operating experience in a timely manner. In other words, nuclear information has the power to promote nuclear safety, but only when that information is shared so as to replicate good practices and eradicate bad ones. Both the Nuclear Regulatory Commission (NRC) and the nuclear industry undertook parallel efforts after Three Mile Island to improve operating experience efforts.
NRC’s Information Sharing
The centerpiece of the NRC’s operating experience efforts is its generic communications program. The NRC instituted this program before the Three Mile Island accident, but took steps following the accident to expand the program and to shorten the time between events and advisories. The NRC also lowered the threshold used to screen the information to share more operating experience with plant owners.
The NRC has issued thousands of generic communications since the Three Mile Island accident. Bulletins and Generic Letters typically alert owners to a potential problem and require them to either confirm their facilities are not vulnerable or implement measures to reduce vulnerabilities. Regulatory Issue Summaries and Information Notices typically apprise owners about operating experience but do not require that the owners take specific actions in response.
Examples illustrating these various generic communications are:
- Bulletin 2003-01, “Potential Impact of Debris Blockage on Emergency Sump Recirculation at Pressurized Water Reactors,” warned owners that a rupture inside containment of a pipe filled with steam or water could generate large amounts of debris as the high-pressure fluid jetting from the broken pipe ends scoured coatings off equipment, insulation off piping, and even paint off walls. Water could carry this debris down into the concrete pit (called the sump) in the containment’s basement. The plants are designed to respond to the loss of cooling water inventory via the broken pipe using emergency pumps that transfer makeup water from external storage tanks. Before the tanks empty, the designs swap the pumps over to draw water from the containment sumps instead. The bulletin required owners to take steps as necessary to reduce the amount of debris and enhance the resistance of containment sumps to debris accumulation.
- Generic Letter 2007-01, “Inaccessible or Underground Power Cable Failures that Disable Accident Mitigation Systems or Cause Plant Transients,” warned owners about a rash of unexpected failures of electrical cables. Many of the electrical cables had been qualified for 40 years of service, but failed before the end of their qualified lifetimes due to submergence in water. Several of the failed cables had been routed through underground metal conduits and buried concrete trenches. Groundwater or rainwater leaked into the conduits and trenches, subjecting the cable insulation to more rapid deterioration than anticipated. The generic letter required owners to provide the NRC with details about past cable failures of this nature at their facilities and to describe the inspection and testing programs used to protect against future cable failures.
- Information Notice 2009-25, “Small Arms Firing Range Safety Issues,” warned owners about problems experienced at some plants with firing ranges used by security force personnel for weapons and tactics training. A “room clearing” exercise at one facility in May 2009 had security members shoot at “bad guy” targets. Some targets had been placed improperly with the result that some bullets escaped the firing range and hit buildings inside the security fence surrounding the plant. A similar event in December 2005 at another facility resulted in a worker inside the security fence being struck in the leg by an errant bullet.
- Information Notice 2011-13, “Control Rod Blade Cracking Resulting in Reduced Design Lifetime,” warned owners of boiling water reactors about experience at a foreign nuclear plant. Workers discovered severe degradation of the control rods caused by irradiation-assisted stress-corrosion cracking. The control rods contain boron, a material that acts like neutron glue to govern, or even interrupt, the nuclear chain reaction rate within the reactor core. The control rods had a design lifetime based on calculations of how long it would take for their boron content to be used up. The cracking allowed some of the boron to leach from the control rods. The information notice alerted owners that the vendor recommended imposing a limit of 54 to 60% of the boron depletion lifetime to account for the potential leaching effect.
- Regulatory Issue Summary 2015-11, “Protective Action Recommendations for Members of the Public on Bodies of Water,” reminded owners of their obligations under Appendix E, “Emergency Planning and Preparedness for Production and Utilization Facilities,” to 10 CFR Part 50. Specifically, the regulatory issue summary reinforced the NRC’s expectation that owners’ emergency plan measures account for all affected members of the public whether on land or on water.
- Regulatory Issue Summary 2014-12, “Decommissioning Fund Status Report Calculations—Update to Low-Level Waste Burial Charge Information,” informed owners that they could use data in Revision 15 of NUREG-1307, “Report on Waste Burial Charges: Changes in Decommissioning Waste Disposal Costs at Low-Level Waste Burial Facilities,” in preparing the periodic funding status reports required by 10 CFR 50.75(f). Owners are required to estimate the cost of decommissioning their facilities based on (1) labor rates, (2) energy costs, and (3) low-level waste disposal costs. The U.S. Department of Labor periodically publishes data on labor and energy costs that owners can use. The regulatory issue summary identified a source of low-level waste disposal cost data acceptable to the NRC.
Nuclear Industry’s Information Sharing
The nuclear industry formed the Institute for Nuclear Power Operations (INPO) in December 1979 as part of its responses to the Three Mile Island accident. Information sharing is one of several functions performed by INPO to support the nuclear industry.
Like the NRC’s information sharing efforts, INPO collects information about problems encountered at one plant and shares it with other owners. Unlike the NRC’s efforts, INPO also collects information about solutions and successes enjoyed at one plant and shares them as good practices with other owners, too. It is as important to know how to do something right as it is to know how to do it wrong. (I am unable to cite any specific INPO reports on operating experience because they are deemed top secret materials, nearly as tightly controlled as the launch codes for U.S. nuclear weapons and the original recipe for Kentucky Fried Chicken.)
INPO’s Equipment Performance Information Exchange (EPIX) program collects information on component failures. A few years ago, researchers at the Idaho National Laboratory used the EPIX database entries from 1998 to 2007 to examine emergency diesel generator (EDG) reliability.
The decade of data provided the researchers with insights such as what EDG components resulted in failures to start (FTS). The usual suspect was I&C—instrumentation and controls or the control circuits. The researchers also examined failure modes and rates for the EDGs supplied by various manufacturers to the nuclear industry.
The EPIX database also provides inputs to the probabilistic risk assessments (PRAs) developed by the owners for their plants. The PRAs estimate the likelihoods that emergency systems successfully perform their safety role to protect workers and the public during postulated accidents. The EPIX database allows PRA developers to specify performance data (e.g., failure to operate upon demand, malfunction during operation, etc.) for the individual components that must function for the emergency systems to do their thing. Because the EPIX database contains information spanning the entire fleet of operating reactors, it provides a more statistically significant foundation for equipment reliability forecasts than can be derived from the equipment at a single reactor, however many valves that reactor has.
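The statistical point above (fleet-wide data narrows the uncertainty on a failure-on-demand estimate more than one plant’s data can) can be shown with a small worked example. This is added illustration, not code from the post, INPO or the NRC; the EPIX-style records are constructed numbers, and the estimator is the Jeffreys-prior Beta update commonly used for failure-on-demand probabilities, assumed here rather than taken from any specific PRA.

```python
from math import sqrt

# Constructed EPIX-style records: (plant, component, failure mode, demands, failures).
# FTS = failure to start, FTLR = failure to load/run. Numbers are illustrative only.
RECORDS = [
    ("Plant A", "EDG-1", "FTS", 120, 1),
    ("Plant A", "EDG-2", "FTS", 118, 0),
    ("Plant B", "EDG-1", "FTS", 95, 2),
    ("Plant B", "EDG-2", "FTS", 101, 0),
    ("Plant C", "EDG-1", "FTS", 130, 1),
    ("Plant C", "EDG-2", "FTS", 125, 1),
    ("Plant A", "EDG-1", "FTLR", 40, 0),
    ("Plant B", "EDG-1", "FTLR", 38, 1),
    ("Plant C", "EDG-2", "FTLR", 42, 0),
]


def pool(records, failure_mode, plant=None):
    """Sum demands and failures for one failure mode, fleet-wide or for one plant."""
    demands = failures = 0
    for p, _component, mode, d, f in records:
        if mode == failure_mode and (plant is None or p == plant):
            demands += d
            failures += f
    return demands, failures


def jeffreys_estimate(demands, failures):
    """Failure-on-demand probability with a Jeffreys prior: posterior is
    Beta(f + 1/2, d - f + 1/2). Returns (posterior mean, posterior std dev)."""
    a = failures + 0.5
    b = demands - failures + 0.5
    mean = a / (a + b)
    var = a * b / ((a + b) ** 2 * (a + b + 1))
    return mean, sqrt(var)


def relative_uncertainty(demands, failures):
    """Std dev divided by mean: how wide the estimate is relative to its size."""
    mean, std = jeffreys_estimate(demands, failures)
    return std / mean


def fleet_vs_plant(records, failure_mode, plant):
    """Compare the relative uncertainty of one plant's estimate to the fleet's."""
    fleet = relative_uncertainty(*pool(records, failure_mode))
    single = relative_uncertainty(*pool(records, failure_mode, plant))
    return {"fleet": fleet, "plant": single}
```

With the constructed data, Plant A’s own FTS estimate carries roughly twice the relative uncertainty of the six-unit fleet estimate, even though both point estimates are below one percent.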
If Information is Power, Information Sharing is Powerful Protection
The operating experience efforts by the NRC and the nuclear industry share information about equipment malfunctions and worker miscues. Sharing allows all owners to benefit from each individual owner’s lessons rather than postponing that benefit until after learning the lesson the harder way.
It is commendable that the operating experience efforts seek to reduce the recurrence of malfunctions and miscues even from those that did not result in serious consequences. Doing so increases the reliability of each barrier in the defense-in-depth approach to nuclear safety, making it less and less likely that all the barriers will fail someday and result in a nuclear accident.
Disaster by Design
The NRC’s generic communications cited above illustrate the challenge to successful operating experience programs. Each generic communication describes several malfunctions or miscues. There are very, very few “first time” operating experience reports. Instead, there are countless sequels to prior reports and innumerable updated collections of past faux pas. The challenge is in making steps taken today in response to an operating experience report durable enough to remain effective next year and next decade. An associated challenge involves ensuring that the “fix” for today’s operating experience report does not undermine the “fix” to last year’s operating experience report.
Information is power. But information sharing is not absolute power. Information sharing must be complemented by adequate training regimes, effective configuration control programs, and all the other niceties of proper management oversight. The safety chain is only as strong as its weakest link. Successful operating experience programs can help avoid links being unduly weakened.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.