ML19207A594

From kanterella
Discusses Use of Digital Computers to Monitor Sys & Components. Availability of Small Cheap Minicomputers Makes It Imperative to Install Sys in Each Plant
Site: Crane
Issue date: 04/20/1979
From: Saxe R, North Carolina State University, Raleigh, NC
To: Hendrie J, NRC Commission (OCM)
Shared Package: ML19207A592
References: NUDOCS 7908210181
Download: ML19207A594 (2)


Text

NORTH CAROLINA STATE UNIVERSITY AT RALEIGH
SCHOOL OF ENGINEERING
DEPARTMENT OF NUCLEAR ENGINEERING
Box 5636, Zip 27650

April 20, 1979

Dr. J. M. Hendrie, Chairman
Nuclear Regulatory Commission
Washington, D. C.

Dear Dr. Hendrie:

Several years ago, I presented a proposal to the Atomic Energy Commission regarding a way to assist the human element in the control room of a nuclear power plant.

(The method suggested is now completely outdated and may be ignored.)

This proposal was rejected as being unnecessary on the basis that the operators are able to control the plant quite well.

I promised at that time that, on the first occasion of a serious accident caused by human error, I would write and remind the AEC of this.

I am fulfilling this promise to you, the successor of the AEC.

It is my understanding that, in essence, the Three-Mile Island accident was caused by the auxiliary feedwater system's being valved shut. This condition, I gather, had been so for some time--two weeks?--in violation of all logic.

I wish to suggest to you the following:

In many accidents, there are two distinct phases:

1) a situation is created where an accident is "waiting to happen".

This can occur by an undetected hardware failure, by a design deficiency, or by human error.

2) an accident sequence is initiated.

In the case of 2) above, the nuclear industry* has been at pains to install redundant safety systems to reduce and contain the results of the accident.

At Three-Mile Island, these systems apparently behaved satisfactorily and the public was protected.

However, although it is obviously desirable to treat the potential accident in phase 1) above so as to eliminate phase 2), less attention appears to have been so devoted.

Instead, reliance has apparently been placed on human operators--the most unpredictable, non-linear devices associated with any control system. There is ample evidence to establish that humans, faced with a routine set of operations over an extended period, may be relied upon to behave in undesirable ways from time to time.

* I use this to include all aspects - industrial, regulatory, etc.

I contend that under these long-term, routine conditions, humans must be replaced or augmented by machines; machines, if properly constructed, do not forget, do not become bored and may be readily checked for correct operation.

In the nuclear field, we have made great use of the calculational, "number-crunching" ability of computers to predict reactor system behavior under a wide range of conditions and to calculate, in detail, the progress of an hypothetical accident.

However, we seem to have made little use of the unforgetting, logical capabilities of the computer. Such use could, for example, have pointed out clearly the "illegality" of the valving-off at Three-Mile Island long before the accident occurred.

The availability of small, cheap, reliable mini-computers makes it, in my opinion, imperative to install a system at each power plant. Such a system could, for example, keep a check continually on system state, could signal immediately any situation which could set up an "accident waiting to happen", could readily list all possible consequences consequent on a range of other happenings, could immediately display, for the operator's benefit, the relevant sections of the operating procedure and could, if so desired, take remedial action if the warning of a violation goes unheeded. An even more desirable arrangement would be that, before any change in the system is made, the computer is consulted, whereupon it displays the conditions under which this change is "legal" and warns of certain other conditions which would a) make the suggested change undesirable and b) make the suggested change dangerous.

This suggestion is a form of computer control, against which the AEC set its face several years ago, despite considerable success by, for example, the Canadians.

It differs, however, from direct computer control in that the computer is used more in an advisory, aide-memoire role.

In principle, the implementation of such a scheme presents little difficulty, especially as adequate expertise is available at, for example, ORNL.

I submit that failure to consider such a scheme seriously could be taken to imply that the industry is less concerned with preventing accidents than with containing the results of accidents "permitted to happen".

I should be pleased to discuss this further if you wish.

Yours sincerely,

R. F. Saxe
Professor of Nuclear Engineering
Consultant, Oak Ridge National Laboratory
Conseiller Permanente, Centre d'Etudes Nucleaires, Cadarache, France
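The scheme the letter describes (a continual check on system state, a consultation before any change that reports whether it is "legal", undesirable or dangerous, the relevant procedure section for the operator, and remedial action when a warning goes unheeded), as an added example that is not part of the letter. The two-train auxiliary feedwater model, the rule names, the procedure references and the plant states are all hypothetical, constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical plant state: reactor power in % of rated, and the position
# ("open" or "shut") of two auxiliary feedwater (AFW) isolation valves.
State = Dict[str, object]

@dataclass(frozen=True)
class Rule:
    name: str
    severity: str                    # "dangerous" (case b) or "undesirable" (case a)
    legal: Callable[[State], bool]   # True when the state satisfies the rule
    procedure: str                   # operating-procedure section to display

def afw_available(s: State) -> bool:
    """At power, at least one AFW train must be lined up (the valved-shut condition)."""
    return s["power_pct"] == 0 or "open" in (s["afw_a"], s["afw_b"])

def afw_fully_redundant(s: State) -> bool:
    """At power, both AFW trains should be lined up; one shut is tolerable but undesirable."""
    return s["power_pct"] == 0 or (s["afw_a"] == "open" and s["afw_b"] == "open")

# Hypothetical rule set; the procedure references are placeholders, not real documents.
RULES: List[Rule] = [
    Rule("AFW isolated while at power", "dangerous", afw_available, "OP-FW-3 (hypothetical)"),
    Rule("single AFW train while at power", "undesirable", afw_fully_redundant, "OP-FW-2 (hypothetical)"),
]

def violations(state: State) -> List[Rule]:
    """Continual check: every rule the present state breaks, worst first."""
    broken = [r for r in RULES if not r.legal(state)]
    return sorted(broken, key=lambda r: r.severity != "dangerous")

def review_change(state: State, change: State) -> dict:
    """Consult the computer before acting: evaluate the state the change would produce."""
    found = violations({**state, **change})
    return {
        "legal": not found,
        "worst": found[0].severity if found else None,
        "findings": [(r.severity, r.name, r.procedure) for r in found],
    }

def apply_change(state: State, change: State, acknowledged: bool = False) -> State:
    """Remedial action when a warning goes unheeded: a dangerous change is refused
    outright; an undesirable one proceeds only once the operator acknowledges the warning."""
    worst = review_change(state, change)["worst"]
    if worst == "dangerous" or (worst == "undesirable" and not acknowledged):
        return dict(state)       # leave the plant as it was
    return {**state, **change}
```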
