The European Network on Operational Experience Feedback (OEF) for nuclear power plants, or European Clearinghouse, was established at the Joint Research Centre by several European nuclear safety regulators to collaborate on operational experience.
A comprehensive study into feedback on operation during outages is currently in preparation at the European Clearinghouse, with the support of the French and German regulators.
While reactor power is much lower than in normal operation, shutdown has specific risk factors:
- The technical specifications allow for more safety equipment to be unavailable because of repair, preventive maintenance or testing. Even if safety equipment is available, sometimes only manual start-up is possible.
- The vessel and containment may be open during some phases. In some accident sequences there is a higher risk than in full power mode due to the lack of the second and third safety barriers.
- The coolant inventory (in the primary and possibly in the secondary circuits) may be reduced.
Even if an accident sequence develops more slowly than in normal operation due to the reduced reactor power and decay heat, the contribution of low power and shutdown to overall risk has been a longstanding concern.
Furthermore, instrument readings may be disabled, or be unreliable or misleading; there are changes in the reactor coolant system configuration; many technical specifications are not applicable; emergency procedures are not configuration-specific; and many annunciators in control rooms are in alarmed status. All this requires actions that are both more frequent and more challenging for plant staff.
The increase in the number of activities (operational, maintenance, testing, upgrades, etc.) during refuelling outages means that far more people are working at the site. That includes external contractors, who are not as familiar with the plant systems and procedures as the regular staff. Consequently, deficiencies in outage planning and co-ordination have a stronger impact on safety than in power operation.
Study scope and methodology
The sources of operating experience for the study are the IAEA International Reporting System (IRS) database, the Licensee Event Reports of the US NRC, the operational experience database of IRSN (France) and the operational experience database of GRS (Germany). Together, these databases contain tens of thousands of events reported by nuclear plants worldwide.
A first screening identified about 650 events relevant for shutdown states, covering a period of the last 20 years (in the case of IRS and German databases) or the last 10 years (in the case of the French and US sources). All these event reports were fully reviewed and classified into families, the criteria being: plant state activity most closely related to the event; means of detection; equipment or function affected; direct cause; root cause; and consequences.
Some of the events had causes or contributing factors related to the planning of the outage, and to how the different teams at the site co-ordinate their efforts to carry out a large number of activities in a short period of time.
Given the heterogeneity of the sources used (the databases have no common reporting criteria or format), no attempt has been made to draw statistical results. Instead, the study has focused on qualitative analysis of the material, establishing the lessons learned and issuing recommendations useful for licensees and regulatory bodies.
Recommendations
The outage schedule should accurately take into account the overall workload on operators in the main control room during start-up and during preparatory activities. Sufficient time should be allocated for operators to carry out all the necessary activities and verifications.
While all outage schedule phases are usually very tight and loaded, it is during start-up and during preparation for start-up that event reports most often cite the excessive workload of the main control room operators, or name the planning pressure placed on the operators, as root causes or contributors. Two specific scenarios may aggravate the problem. One is when an unplanned outage occurs close to the end of the fuel cycle, with a subsequent restart. In that case, the moderator coefficient may be positive for certain temperature ranges, enhancing the nuclear heating of the coolant during start-up and reducing the time available for the operator to follow start-up procedures. The other scenario occurs whenever the plant management takes advantage of a refuelling outage to carry out design modifications. These usually require additional requalification activities, making planning changes and delays more likely. In general, any schedule change seeking to reduce the total outage time should be carefully analysed.
The outage schedule should avoid planning concurrent activities involving changes in valve alignments when those valves are part of the reactor coolant pressure boundary.
The chances of misunderstandings between the teams carrying out different tasks are significant, especially when they belong to different departments (e.g. mechanical and electrical). Very often, the result of the misunderstanding is that someone believes that the valve they are working on is not part of the reactor coolant pressure boundary, when it actually is. If the valve is then operated, and the reactor coolant begins to drain, there is a chance that the leak remains unnoticed for some time.
The outage schedule should take into account whether staff really need to be present in the main control room. Activities should be programmed so the number of staff present in the control room is below a certain threshold, especially if testing or maintenance activities related to critical equipment or safety systems are in progress.
One report specifically cites a "noisy and crowded" control room as a contributor for the event. Too many people in the control room may hinder verbal communications, cause distraction and increase stress on operators.
Work practices and routines should make a very clear distinction between a fully completed test or maintenance procedure and one that is not fully completed. Once an activity is completed, it should not be reopened unless a new work order has been issued, and a new procedure is available.
Often in an event the final alignment check of systems (electrical, I&C or mechanical) subject to maintenance or test is postponed because it would interfere with other tests. The system is consciously left inoperable for some time. But as the main objective of the task has been achieved (the system functions have successfully been tested or the repairs are complete), staff may refer to the task as "completed" and the potential for misunderstandings arises, especially when the information on the status of the system is not accurately relayed to the next shift.
Work orders should not be released by the control room until all requisites to proceed with the work are met. Releasing a work order associated with a fixed time window and requiring the outage contractors to call the main control room to confirm permission to proceed should be discouraged.
Given the intensity of concurrent activities during an outage, this practice forces the control room staff to react as they receive constant requests to proceed from different outage contractors. Releasing the work order only when conditions to proceed with the work are met would place the control room operators in a better position, avoiding unnecessary phone calls and distractions.
The responsibilities and scope of work for every organisation and contractor participating in any complex activity should be accurately defined and communicated.
During outage periods the complexity of operations or tests frequently calls for the participation of numerous contractors, manufacturers and technical organisations external to the plant staff. Misunderstandings stemming from an incomplete or unclear definition of the responsibilities assigned to each organisation involved have been a cause or a contributing factor in several events.
Regardless of any external pressure to bring the power plant back into operation after a refuelling outage, the operators in the control room should remain responsible for the operational decisions at all times.
In some cases excessive pressure on plant staff to complete the outage has been reported. In one case, a temporary power shortage in the region put the plant operator under pressure to return the plant to operation. As a result, technical specifications governing the conditions for transitions between reactor modes were violated, when some control rods were withdrawn from the reactor when the containment was still open.
Conclusions
The risk posed by shutdown states has been widely recognised as significant, and needing special attention. Particularly significant are issues related to the complexity of outage planning and to human factors in co-ordinating multiple concurrent activities.
Analysis of 650 events reported in the last 10-20 years has led to recommendations to help address these risks. They can now be used by the industry for outage preparation.
About the authors
Miguel Peinador and Samir El Kanbi, Institute for Energy and Transport, Joint Research Centre, European Commission
Jean-Luc Stephan, Institut de Radioprotection et de Sûreté Nucléaire (IRSN), France
Johannes Martens, Gesellschaft für Anlagen- und Reaktorsicherheit (GRS), Germany