Fission Stories #163
The nuclear reactor safety philosophy in the United States relies heavily on defense-in-depth. Basically, if one widget is needed for safety, at least two are provided. It’s not just a splendid notion—it’s the law.
Nuclear power plants designs are supposed to be single-failure proof. “Single failure” is defined within NRC’s regulations as:
“A single failure means an occurrence which results in the loss of capability of a component to perform its intended safety functions. Multiple failures resulting from a single occurrence are considered to be a single failure. Fluid and electric systems are considered to be designed against an assumed single failure if neither (1) a single failure of any active component (assuming passive components function properly) nor (2) a single failure of a passive component (assuming active components function properly), results in a loss of the capability of the system to perform its safety functions.”
“Multiple failures resulting from a single occurrence” covers a failed power supply (such as an emergency diesel generator) causing all equipment supplied by it to also fail, as well as water jetting from the broken end of a pipe (a passive component) wetting the electric motor of a nearby pump causing it to fail.
The Role of Nuclear Operators
Nuclear power plants are designed to essentially be on auto-pilot for the first ten minutes of an accident. In other words, sensors must detect off-normal plant conditions and automatically activate standby emergency equipment as needed. During that initial period, the control room operators’ main tasks are to monitor conditions and verify that automated responses take place as expected. After that initial period, the control room operators take a more active role in mitigating accidents.
Proper defense-in-depth extends protections against single failures to operator actions (and inactions). After all, it makes little sense to install two emergency diesel generators in case one fails if an operator turns off the surviving generator because it is too noisy or other lame excuse.
The American Nuclear Society issued its standard ANSI/ANS-58-9-1981, “Single Failure Criteria for Light Water Reactor Safety-Related Fluid Systems,” in February 1981. This industry standard defined operator error as:
“An operator error is a single incorrect or omitted action by a human operator attempting to perform a safety-related manipulation.”
This standard links operator error and the single failure criterion in NRC’s regulations in paragraph 3.7 which stated, “The designer shall consider an operator error as a potential single active failure.”
So What?
The NRC issues two types of licenses for reactor operators and senior reactor operators. The NRC only issues licenses to individuals who have successfully passed three tests:
- a written examination,
- questions asked by an examiner of the candidate during a tour of the plant and control room, and
- performance of tasks on a control room simulator.
The single failure criterion applied to operator licensing might imply that candidates must score 99% on the tests. After all, lower scores suggest that licensed operators might make more errors than the plant’s design can tolerate.
Wrong!
Over the past decade, the average score by candidates for NRC reactor operator licenses never exceeded 90%:
Here’s where defense-in-depth can step in. The reactor operators are supervised by senior reactor operators. Maybe the senior reactor operators scored 99% or better.
Wrong!
Over the past decade, the average score by all candidates for NRC senior reactor operators never exceeded 90%.
Actually, the candidates cleared the NRC’s bar with comfortable margin. The NRC only requires a passing grade of 80 percent. Thus, the NRC thinks it’s okay if a control room operator, when asked what this nuclear widget does, has an 80% chance of knowing the answer.
Not to worry—candidates to become certified as NRC inspectors only need to score 70% on their exams.
Our Takeaway
The licensed control room operators at the nation’s nuclear plants are conscientious, skilled, and dedicated. Skimming through the types of questions they are asked for BWR and PWR licenses suggests how much effort goes into getting an 80 or more on the tests.
It would be unrealistic to require scores of 99% or higher. Doing so would not increase the capability of the operators—it would dumb down the tests towards the “who’s buried in Grant’s tomb” variety.
So, the problem is not with the process used by the NRC to license control room operators or with the people it is producing.
Instead, the problem is with reactor designs that set traps to snare capable individuals. The operators are scoring about 90% on tests they have spent most of the prior year preparing to take. Their performance facing unscheduled accidents they have not studied in-depth, and dealing with significantly higher stress levels than encountered in a quiet classroom, is more likely to drop than to soar.
It is folly for the NRC to license reactor designs that can withstand a single operator error when licensing operators routinely missing up to 20% of the questions.
The operators are doing their best—they must be given designs that allow their best to succeed. Reactor designs need not be made “idiot proof”—licensed operators are far from idiots. But reactor designs should be made that do not require that operators become engineers, instrument and control technicians, chemists, and many other skilled workers all rolled into one. Unless of course, plant owners begin paying their operators for wearing so many hats.
The NRC might also experiment with upping its game for its own inspectors. Requiring candidates for operators licenses to score 80% or better when candidates for NRC inspector certifications need only get 7 out of 10 right seems too much of the “do as I say, not as I do” thing.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.