Years ago, the Nuclear Regulatory Commission (NRC) asked its senior managers what percentage of a nuclear plant’s activities (e.g., tests, inspections, maintenance tasks, and reactor power change evolutions) NRC inspectors witness or otherwise evaluate each year. The answer was 5%. That means the NRC does not assess 95% of the tests, inspections, and other activities at nuclear plants. Thus, it takes the NRC two decades to inspect an entire nuclear plant, assuming no overlaps year to year.
The NRC is not placing a spotlight on safety – it’s using a strobe light.
To be sure, the NRC seeks to maximize the value of its sneak peeks. Its inspectors observe far more maintenance tasks on emergency diesel generators than of light bulbs being replaced. But the NRC’s limited-scope audits cannot independently verify that every task is performed properly and safely.
Instead, the NRC’s audits are really intended to ascertain whether the plant owner is doing its job to monitor the plant more extensively and fix problems it finds. And NRC’s regulations explicitly require that plant owners take specific steps to quickly find and remedy problems at the plant. So if the plant is doing its job, the NRC inspectors should not find any problems in their spot checks.
The basic concept in nuclear power plant safety employs defense-in-depth and multiple barriers. This approach is applied to both equipment and human performance. On the equipment side, it is embodied in primary emergency pumps with fully redundant backups, normal power supplies and two layers of backups, and so on. On the human performance side, the NRC’s regulations described below provide multiple barriers between a worker’s error and a safety problem.
- Workers performing tasks related to nuclear safety must be qualified and trained for those tasks (10 CFR §50.120, Training and qualification of nuclear power plant personnel). Control room operators and their supervisors must meet more stringent requirements – they must be formally licensed by the NRC (10 CFR Part 55, Operators’ Licenses).
- Workers must perform tasks using written procedures and instructions reviewed and approved by management (10 CFR 50, Appendix B, Criterion V, Instructions, Procedures, and Drawings). Certain steps must be independently verified as being completed correctly by a second qualified and trained worker before moving to the next step. And completed task procedures are promptly reviewed by qualified and trained supervisors to ensure all applicable steps were completed correctly.
- Workers performing tasks step-by-step per approved procedures are backed up by formal inspection and testing programs (10 CFR 50 Appendix B, Criteria X, Inspection, and XI, Test Control). In other words, after workers complete maintenance tasks on an emergency pump per approved procedures and after supervisors have confirmed that the pump was properly maintained, the pump is tested to provide additional assurance that it is functioning before being placed back in service.
- As a further backup, other qualified and trained workers must audit tasks to see if the expected and desired outcomes were achieved (10 CFR 50, Appendix B, Criterion XVIII, Audits).
Each of these regulatory requirements serves as a barrier preventing problems like flawed engineering calculations, mis-calibrated instruments, improperly diagnosed test results, mis-positioned control switches, or inadequately lubricated motor bearings. Had ANY of these barriers worked, the problems would have been avoided, or found and fixed.
The external audits performed by the NRC inspectors do not seek to independently verify that all calculations are correct, all instruments are calibrated correctly, all tests are properly performed with their results correctly assessed, all switches are properly positioned, and all motor bearings are adequately lubricated. That responsibility lies exclusively on the plant owner’s shoulders under the regulations. Instead, the NRC’s audits seek to determine how well the owner is meeting that responsibility.
When an NRC inspector finds an engineering calculation error or an improperly maintained component, he or she has actually identified two things – the particular problem AND the failure of ALL the mandated barriers intended to prevent that problem. Had the personnel qualifications, or formal procedures, or supervisory reviews, or tests and inspections, or internal audits – any one of these barriers – worked, the NRC inspector would not have found the problem. The NRC inspector’s finding demonstrated unequivocally that all the barriers failed.
Because each NRC inspector finding has two components, two fixes are warranted. First, the calculation error or improperly maintained component must be corrected. In addition, the holes in all the barriers that enabled the problem to occur and remain undetected until the NRC inspector found it must also be corrected.
If the NRC inspected all or nearly all the tasks at a nuclear plant each year, fixing the holes in the barriers would not be so important. After all, safety problems weaving through the holes would be found by the NRC and fixed if that were the case.
But NRC inspectors only look at a very small subset of tasks at a nuclear plant – perhaps as few as 1 in 20. All things being equal, each safety problem identified by NRC inspectors represents 19 safety problems undetected in the areas not examined by the NRC. To put it in context, consider the number of NRC inspector findings in 2011:
The NRC assigns colors to its findings, green being the least serious and red the most serious. There’s also a lower threshold where findings of even lesser significance are not even assigned a color. Last year, NRC inspectors racked up 846 green findings in their limited-scope audits. Based on the 5% audit scope, this suggests they might have found 16,074 other green findings had they examined everything.
It is imperative that NRC inspectors’ findings result not only in fixes to the specific problems found, but also to the holes in the human performance barriers. Those barriers are mandated by NRC’s regulations, so evidence of multiple violations (recall that had just one of the many barriers worked, the NRC inspectors would find nothing) cannot be ignored. The holes must be patched in order to prevent future problems and to do something about the thousands of problems not found by NRC inspectors.
What if the holes are not patched? Very few of the workers’ tasks at a nuclear plant are one-time efforts. The vast majority are periodically repeated, like the quarterly testing of an emergency pump or the annual maintenance of a safety valve. If an NRC inspector found a valve that had been improperly maintained and the valve’s problem is remedied without the holes in the barrier also being fixed, the same problem could recur when workers perform maintenance on the valve next year. And the NRC may not catch it for many years using its strobe light.
The NRC can and must do better. There may be safety in numbers, but not in these numbers.