Text

White Paper Perspective on an Independent Shift Technical Advisor Dennis C. Bley This white paper is related to the ACRS letter report, NuScale Topical ReportControl Room Staffing Plan and presents no differences of opinion with respect to the conclusions of that report. It does not represent a position of the Committee, but my own opinion. I agree with the Committees conclusion that elimination of the shift technical advisor (STA)for the operating practices, control room design, and the nuclear power plant system described in the topical reportis acceptable. However, this is narrow agreement that applies only to the systems and practices anticipated for the NuScale plant.

Following the accident at Three Mile Island (TMI), the STA position was established to provide engineering expertise on shift to ensure someone with an understanding of nuclear engineering would be available to advise the operating crew should unexpected conditions develop. It was later decided that as soon as a plants senior reactor operator (SRO) qualifications were updated to include a bachelors degree in science or engineering [or achievement of a professional engineer license (PE)], the position of STA and SRO could be combined. All nuclear power plants in the United States continue to include an STA, with a bachelors degree or PE, in every operating crew. At some plants, the same person can serve as both STA and SRO. In addition to observation of crew response to plant events, the STA follows the crew steps in monitoring critical safety functions, providing an independent check that critical parameters are trending in the expected direction.

In the years since the TMI accident, there have been extensive industry-led upgrades to the qualifications of shift managers and SROs. Procedures have been extensively revised to be symptom-based and to guide operators through the diagnostic process. All plants now have simulators with software that closely replicates calculated plant response to upsets of all types.

The procedures have been thoroughly exercised to confirm that they actually work under a wide range of operating conditions. The training drills run on the simulators moved from the stylized accidents in the design basis accident safety analyses (limited to single failures in safety systems) to more realistic scenarios often taken from a plants probabilistic risk assessment that include multiple failures and are designed to challenge operator response. In short, we are much better prepared to survive a wide range of possible accidents than we were 40 years ago.

The NuScale main control room design evolved through extensive testing of alternative approaches, and the development team involved human factors experts who suggested unique approaches for observing/controlling multiple modules. The team also included experienced operators, forcing a practicality of the human-system interface (HSI) that is unique and is effective, as demonstrated by our observations and reinforced by the NuScale testing program.

The Commission has not objected to the recent staff SECY-21-0039 that suggests the STA for NuScale could be eliminated even if the SRO did not have a degree or PE license. The staff wrote that this was acceptable for NuScale because of the depth of the training program and unique features of the HSI and plant design that allow operators to understand plant conditions and know how to respond to upset conditions. The training program proposed for NuScale includes math, physics, thermodynamics, transient and accident analysis, and component design topics, as well as training on mitigating core damage.

The staff presents solid arguments in their safety evaluation for elimination of the STA for the NuScale plant, as delineated in the topical report, because of the design of the HSI and plant.

The staff arguments addressed the issues of education and workload very well; however, they do not address independent observation and the second verification of critical safety parameters. I agree with the staffs safety evaluation and the Committees conclusions, because of the simplicity of manual initiation of reactor trip and passive cooling, combined with related training. That training emphasizes that, should operations on a module become confused or burdensome, the operator will trip the module and place it into the passive cooling mode. They then can focus on the remaining operating modules. This eliminates a major source of distraction, the kind of problem when independent observation is most valuable.

For plants lacking similar levels of education for SROs (especially in thermodynamics and accident analysis), the kind of highly functional HSI developed for NuScale, the simplicity of removing a distressed module from further consideration, and training that emphasizes that removal, independent observation remains a valuable tool for breaking mindset. I am not alone in this concern. In added comments to the ACRS letter of August 14, 1984, addressing the final Commission policy statement on engineering expertise, Member Jesse Ebersole wrote: I am in disagreement with the option to combine the functions of the [licensed senior operator] SO and the STA in one individualTo quickly focus on the end effects possible with the combined arrangementeven if the SROs have been given engineering training[it] is rather clear that third party diverse perspectiveswould have prevented [some] accident[s]. Also, NUREG-0578 states that When assigned as shift technical advisor, these personnel are to have no duties or responsibilities for manipulation of controls or command of operations.

This white paper is intended to draw attention to one aspect of the practice of including an STA in an operating crew. That is the role of independent observation and oversight as an advisor to the SRO in charge. I have become convinced of the value of an independent set of eyes because of a number of observations over the past 50 years. In my first role with respect to nuclear power plants, I served in our nuclear Navy. During those years, I read many incident reports from other ships and observed operations in all of my ships reactors and power plants.

A recurrent theme was that, when senior officers not participating in actual operations were overseeing the action, they often provided hints to the on-shift operators that allowed those people to bring an escalating event to a close. (When they jumped in, took over, and relieved the watch, things often fell apart.) For commercial plants, I have observed actual operations and training drills, and interviewed watch supervisors and trainers. To support human reliability analyses and the development of those methods, I have studied many post-event/post-accident reports that lead me to similar conclusions. Consideration of details of real-world events can help us understand how situations can become more complicated than anticipated in our emergency procedures and trainingcomplicated in ways that make independent oversight very helpful.

Occasionally, in challenging events, a new person entering and surveying the control room will ask the key question that breaks the crews mindset. However, we cannot expect that looking at event reports will allow us to say, See, an independent set of eyes would have brought this event to a benign conclusion. Instead, we find common elements among events that become challenging. One common factor is variability: very few transients follow exactly the expected path towards mitigation. In most transients, unexpected complications associated with the equipment failure at hand, unassociated latent equipment failures, or unplanned human actions affect the focus of the crew. The most comprehensive information on serious events and accidents has been the NRCs Augmented Inspection Team (AIT) and Incident Inspection Team (IIT) reports, as well as licensees in-house reports. The events analyzed in the ATHEANA methodology report Appendix A and the AIT report on the Robinson fire suggests a short list of common elements: deviation from the expected scenario, mismatches, surprises (extreme or unusual conditions), pre-existing conditions (latent failures), misleading or wrong information from instruments, multiple hardware failures, operational transitions in progress, and similarity to other scenarios (especially to scenarios emphasized in simulator training). By mismatches, I mean mismatches between the event and operator expectations (perhaps because of training),

between procedures and the actual situation, between time required under the particular accident conditions and the time expected from simulator exercises, between competing system requirements, and between parameter indication developed by algorithm and actual plant conditions.

As an example, the H. B. Robinson fire of 2010 involved almost all those common elements.

There were seven pre-existing conditions that influenced the event and the operators perception. Extreme and unusual conditions: the fault evolution among the electrical buses was complex and essentially impossible to diagnose during the initial seconds of the event; the resulting electrical lineup was odd and unexpected. Deviation from the expected scenario and similarity to other scenarios: simulator training on reactor coolant pump trip from low power that often led to safety injection was cited by operators as the reason they did not recognize an excessive cooldown condition. Multiple hardware failures: the electrical transient caused many components to fail, and more were failed because of pre-existing conditions. Mismatches: the effect of resetting the 86 relay was not as expected (the training department had promulgated wrong information).

The concepts related to independent observation have been studied by industrial psychologists, human factors researchers, and experienced operations experts and they have raised similar concerns. One directly relevant research project was sponsored at the Halden Project. At the 2015 Regulatory Information Conference, Mr. Andreas Bye reported on what they found to be surprising results. His presentation was based on work described in NUREG/IA-0137, where the location of the STA during an event appeared to have significant impact on his ability to identify problems in ongoing actions by the operators. Halden performed a follow-up study focused on the way the STA observed events and interacted with the remainder of the crew1.

They ran experiments looking at three configurations: (1) the STA sharing a desk with the SRO, (2) the STA sitting at an adjacent desk to the SRO with her own instrument displays, and (3) the STA located in a separate room with displays. The report, HWR-1298, included a section on existing research into the well-known group process called groupthink. This is a process that can lead to Blindness to potentially negative outcomesLack of creativityIgnoring important information; Inability to see other solutions; Not looking for things that might not yet be known to the groupOverconfidence in decisions; Resistance to new information or ideas (Cherry 2020 and Kirwan 1994). These observations helped set up the research questions driving the experiments. Here is a summary of the conclusions of the study: groupthink was observed under conditions (1) and (2) above, but not under condition (3) with the STA located in a separate room. The STA performed his role of independent observer better under condition (3).

When the STA is in the control room, he is often used by the SRO as an extra operator. The crews preferred having the STA in the control room to help, but this was shown to weaken his role as an independent advisor.

Staff arguments in the NuScale Topical Report safety evaluation, including the fact that there will be a second SRO on shift, solve the workload and education issues but they do not address groupthink. During our meetings, the staff dismissed the importance of the Halden conclusion 1 Kaarstad, M., E. Nystad, R. McDonald, and G. McCullough, HWR-1298, Physical Location of Shift Technical Advisor in Nuclear Power Plant ScenariosImpact on Performance? OECD Halden Reactor Project, December 2020, (ML21078A464).

because, although groupthink was observed, no adverse consequences occurred. This is really a matter of luck. Groupthink often leads to unfortunate consequences, and the fact that it did not this time cannot be taken as an indication of a benign nature. This line of argument brings to mind the Presidents commission on the Challenger accident. In previous flights, the O-ring that leaked and led to the explosion had been found partially eroded, but managers and engineers argued that, because it had not completely failed, there was remaining safety margin.

In his rebuttal, Richard Feynman pointed out that the O-ring had failed to meet its design requirements and should have been improved before further flights.

Improvements in procedures, training, and especially simulator training have reduced the likelihood of significant events and accidents across the industry. Events in operating plants show that, although less likely, such events continue to occur and that independent oversight the eyes of a knowledgeable expert who is not actively engaged in the actioncan help. That person does not need to be called the STA and could be someone in the technical support center. As stated in the 1989 policy statement: The STA has proven to be a worthwhile addition to the operating staff by providing an independent engineering and accident assessment capability, and we support continuation of this position [Emphasis added.]

Caution is needed in addressing future requests to eliminate the STA. It should not be a foregone conclusion that the independent STA is not needed at any plant.

REFERENCES 1.

U. S. Nuclear Regulatory Commission, Safety Evaluation for NuScale Power, LLC, Topical Report TR-0420-69456, NuScale Control Room Staffing Plan, February 11, 2021 (ML21012A363).

2.

NuScale Power, LLC, Topical Report TR-0420-69456, NuScale Control Room Staffing Plan, Revision 1, December 17, 2021 (ML20352A473).

3.

U. S. Nuclear Regulatory Commission, NUREG-0737, Clarification of TMI Action Plan Requirements, November 30, 1980 (ML051400209).

4.

U. S. Nuclear Regulatory Commission, Commission Policy Statement on Engineering Expertise on Shift, 50 Federal Register (FR) 43621, October 28, 1985.

5.

Advisory Committee on Reactor Safeguards, ACRS Comments on the Final Policy Statement on Engineering Expertise on Shift Regarding the Dual-Role (SO/STA)

Position, August 14, 1984 (ML20094P592).

6.

U.S. Nuclear Regulatory Commission Policy Statement, Education for Senior Reactor Operators and Shift Supervisors at Nuclear Power Plants; 54 FR 33639, August 15, 1989.

7.

U.S. Nuclear Regulatory Commission, staff draft white paper prepared and released to support ongoing public discussions, Risk-Informed and Performance-Based Human-System Considerations for Advanced Reactors, March 31, 2021 (ML21069A003).

8.

J. W. Stetkar, Memorandum of Appreciation for ACRS Visit to NuScale July 21-22, 2015, July 30, 2015 (ML15211A447).

9.

P. Riccardella, Memorandum of Appreciation for ACRS Visit to NuScale July 23-25, 2019, August 5, 2019 (ML19226A381).

10. U. S. Nuclear Regulatory Commission, SECY-21-0039 Elimination of the Shift Technical Advisor for the NuScale Design, April 5, 2021 (ML21060A823).

11. U. S. Nuclear Regulatory Commission, Safety Evaluation for NuScale Power, LLC, Topical Report TR-0420-69456, NuScale Control Room Staffing Plan, February 11, 2021 (ML21012A363).

12. U. S. Nuclear Regulatory Commission, NUREG-0578, TMI-2 Lessons Learned Task Force Status Report and Short-Term Recommendations, July 1979 (ML090060030).

13. U. S. Nuclear Regulatory Commission, NUREG-1624, Rev. 1, Technical Basis and Implementation Guidelines for A Technique for Human Event Analysis (ATHEANA)

Appendix A Representations of Selected Operational Events from an ATHEANA Perspective, May 2000 (ML003719212).

14. U. S. Nuclear Regulatory Commission Region II, Augmented Inspection Team Report 05000261/201009, H.B. Robinson Steam Electric Plant, July 2, 2010 (ML101830101).

15. U. S. Nuclear Regulatory Commission, Management Directive 8.3, NRC Incident Investigation Program, DT-17-158, June 25, 2014 (ML18073A200).

16. Bye, Andreas, Halden Reactor Project Experiments on Extreme Scenarios: Results and Insights on Training, Risk Assessment, Crew Organization and Design, Session W13 Operating Crew Performance During Extreme Scenarios: Lessons from Experiments and User Perspectives, 27th Annual Regulatory Information Conference, U. S. Nuclear Regulatory Commission, 2015.

17. U. S. Nuclear Regulatory Commission, NUREG/IA-0137, A Study of Control Room Staffing Levels for Advanced Reactors, November 2000 (ML003774060).

18. Cherry, K., What is Groupthink? 2020. https://www.verywellmind.com/what-is-groupthink-2795213#what-is-groupthink

19. Kirwan, B., A Guide to Practical Human Reliability Assessment, London: Taylor &

Francis, 1994.

20. Report of the Presidential Commission on the Space Shuttle Challenger Accident, Appendix F Personal Observations on Reliability of Shuttle (a minority report by Prof.

Richard P. Feynman, a member of the Commission), 1986.