Disaster by Design/ Safety by Intent #49
Safety by Intent
In recent years, Japan’s health ministry initiated a study in response to an estimate that nearly 14,000 people die annually in bathtubs, almost three times the number of people killed each year in traffic accidents in the country.
More recently, the Center for Disease Control and Prevention issued a warning because over a dozen people have died since 2000 working on bathtubs—due to exposure to methylene chloride, a solvent used to clean tubs being refinished.
This commentary addresses figurative rather than literal bathtub safety.
Bathtub Curve of Failure Rates
The bathtub curve (Fig. 1) plots the chance of failure over time. Failure rates are initially high due to factors including material imperfections, faulty assembly, and mis-use of a new widget. Failure rates later begin rising due to wear-out.
The accidents at SL-1, Fermi Unit 1, Browns Ferry, Three Mile Island, and Chernobyl all happened during the early years of projected decades-long operating lifetimes. In other words, these events occurred during the break-in phase of the nuclear bathtub curve.
All nuclear power reactors operating in the United States today are heading towards, if not already within the wear-out region of the bathtub curve.
Nuclear Plant Aging
Nuclear power reactors are not carved from a stone quarry or made from a uniform mix poured into a mold. They are built from thousands of parts—pipe, cable, valves, motors, dampers, switches, relays, gauges, breakers, tanks, bolts, and more. Like an automobile, some parts are expected to last for the reactors’ lifetime while other parts wear out and require periodic replacement.
The Operating Experience Branch within the Nuclear Regulatory Commission (NRC) issued an Operating Experience Smart Sample report in August 2010 discussing two reactor trips and nearly 30 NRC inspector findings during the prior five years caused by age-related failures of components that had been in place longer than the service lifetime recommended by the manufacturer. The report referenced NRC inspection procedures on maintenance, corrective actions, and component design bases that include preventative maintenance aspects.
The NRC’s Operating Experience Branch followed up with a study issued in 2014 on its assessment of failures reported to the NRC by plant owners or identified by NRC’s inspectors between the years 2007 and 2011. The owners’ reports and the inspectors’ findings documented failures of components important to safety; failures of components with little to no safety significance were excluded from this assessment.
Component Failures
One of the Operating Experience Branch’s findings was that more than 75 percent of the component failures attributed to aging degradation had been in service longer than the service lifetime recommended by the manufacturer. The study characterized leaving components in operation longer than their recommended service lifetimes as “run-to-failure.”
If nothing else, it was clear that the NRC and the nuclear industry were not on the same page regarding service lifetimes recommended by manufacturers. How did the NRC seek to get everyone onto the same page? By issuing five more pages.
In May 2016, the NRC published in the Federal Register for public comment a draft five-page Regulatory Issue Summary (RIS) on the time period that safety components can be installed. The draft RIS did not forbid components from remaining in place past the vendor-recommended service lifetimes. Instead, it pointed to several existing regulations that conveyed the NRC’s requirement that owners have formal evaluations in place before components can remain in place longer.
For example, if an owner had a performance monitoring program that periodically assessed the function of components against end-of-life criteria, those components could remain in service as long as the periodic assessments demonstrated their acceptability.
In lieu of periodic monitoring, an owner could complete a formal evaluation of components concluding similar components in similar applications demonstrated acceptable reliability for periods longer than the service lifetime recommended by the manufacturer.
What the draft RIS, and the existing regulations it cited, tries to avoid are safety components with uncertain reliability. The vendor-recommended service lifetime provides some assurance that components will perform reliably during that period. The draft RIS points out that components can remain in place longer than that period, provided another formal assessment takes over the reliability assurance role.
Requiring safety components to be replaced within the vendor-recommended service lifetime imposes an unfair economic burden on plant owners—properly maintained equipment could remain adequately functional for longer periods.
Allowing safety components to remain in place past the vendor-recommended service lifetime until they wear out and break imposes an unacceptable burden on the public—improperly maintained equipment could fail when needed to prevent or mitigate an accident.
The NRC achieved the proper balance between economics and safety in the draft RIS. The formal assessments supplementing the vendor-recommended service lifetimes allow owners to avoid costly replacement of functional equipment while still allowing the public to avoid costly repercussions from worn-out safety equipment.
Disaster by Design
The left-hand portion of the bathtub curve, often called the break-in phase, is populated with reactors that broke in that region. Fortunately, the right-hand portion of the curve, called the wear-out phase, has not been so populated—yet. The NRC seeks to prevent failures of aging safety components from contributing to the next nuclear reactor accident.
The nuclear industry is under pressure to cut costs. Leaving safety equipment in service until it breaks is indeed cheaper than monitoring to ensure adequate safety margins are maintained or replacing worn-out equipment before it breaks. But saving pennies today invites disaster dollars tomorrow—and Fukushima is a costly reminder that sometimes disaster accepts the invitation.
—–
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.