The word ‘control’ comes up all the time in the context of VSM and the NPP environment. It should be recognized as having different meanings, and these differences have different effects in the case of operating NPPs. For example, the management is in control of the plant, and so are the automatic controls. The control-room staff is also in control; in their case, control covers plant operations. One needs to understand these differences and differentiate between them.
The NPP consists of a number of separate parts, such as the reactor, steam generators, etc, as has been covered in earlier chapters. In addition, it needs control and protection systems which ensure that the plant personnel can change power and respond to accidents in an automatic manner. In addition, the power plant personnel perform tasks to help run the plant
the plant is controlled by the management, whose job is to direct operations to run the plant economically and safely.
There are other important organizations, such as the NRC, INPO, etc., which factor into the running of the plant. Each of these organizations plays an important part in the control of the plant. This section tries to clarify what each of the control systems is, how it functions and the part it plays in running the plant.
The plant and the various organizations, which consist of plant managers, plant personnel and outside organizations, as well as systems like the reactor protection system, are all important and form a system that should be considered as a whole in the analysis process. The word ‘control’ is associated with each of them in some manner, but the meanings differ and they are modeled differently. In the case of management, control relates to the act of directing personnel and making decisions related to the whole operation. The impact of management control actions is often delayed in time, and their consequences are often seen much later. This is even truer of outside organizations, such as regulators and governments.
Time is an important influence on both analysis of developing situations and the actions that need to be taken. If management and the organization are prepared for an accident situation that is developing, then time may not be a big constraint. However, if the organization is not prepared, then the time available for analysis and taking actions may be insufficient and the ability of the organization to prevent or terminate the accident could be severely compromised.
Management is responsible for both the economics of the plant and its safe operation. For the control room personnel, control is the exercise of monitoring the plant and taking manual actions in response to changes in plant state or to instructions from electric grid management. Each aspect covered can be associated with the word control, but the meaning of control differs in each case. Reactor control relates to the automatic control system that continuously monitors the plant state and automatically adjusts the reactor control rods or other parameters to increase or decrease power. The actions of the operators tend to match those of the automatic control systems, but there are differences in the characteristics of these two ‘control’ processes. The automatic control system is a deterministic system (see Figure 4.3): once it is set up, it responds in an identical manner to a given stimulus (Figure 4.1).
Figure 4.1 Typical Controller Response to a Set Point Change
However, operator control is probabilistic, as results from plant simulators have shown (Spurgin, 1990). Also, the errors/failures of these two control methods derive from different sources. In the case of automatic control, they are related to the reliability of the hardware and software, whereas human error can have both random and systematic sources. These sources can be traced mainly to management and designers.
Figure 4.2 Typical Time Reliability Curve showing Operator Response Probability
A word of explanation about Figure 4.2: the Time Reliability Curve (TRC) represents the probability of any crew taking an action in response to a stimulus, such as an accident. Any crew’s action should fall onto the curve, including the possibility of causing an error. So the probability of a crew taking an action increases with time. In a set of crews responding to an accident, some crews act early, such as crew A, and others, such as crew B, respond later. If the available time in a specific accident by which the crew must act is in excess of 100 seconds, then in this case the majority of crews would have acted and taken the correct action in time
Transient without Trip (ATWS) event, in which the crews are expected to respond quickly. This fast response is achieved by understanding how the transient can be terminated. This includes an understanding of the indications related to the accident and what actions must be taken to terminate the accident. Additionally, the crews must be informed of the indications and actions via procedures and then trained on a simulator to carry out these steps quickly and accurately.
In other cases, the TRC is likely to cover many minutes. In assessing whether operators can acceptably take correct actions, designers use a time window by which the crews should act to prevent damage to plant or equipment. So, provided the crews act correctly before the time taken exceeds the time window, the response is acceptable. In the case of the automatic control schemes, the timing is usually much tighter: the plant is usually brought to a safe state as quickly as possible within constraints on rates of change in power, pressure or temperature, or limits on the deviation of a given parameter, such as nuclear power not exceeding, say, 105% power.
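An added example (not from the original text) of checking a time window against a TRC: it builds the empirical curve from constructed simulator response times and fits a lognormal curve, an assumed shape, to estimate the probability that a crew has not yet acted when the window closes. The crew times, the window values and all function names are illustrative assumptions.

```python
import math
from statistics import NormalDist, mean, stdev

# Constructed sample: seconds from stimulus to correct action for 12 crews
# in one simulator scenario (illustrative values, not measured data).
CREW_TIMES_S = [22, 27, 31, 35, 38, 42, 47, 53, 58, 66, 79, 95]


def empirical_trc(times, t):
    """Fraction of crews that have acted by time t (one point on the TRC)."""
    return sum(1 for x in times if x <= t) / len(times)


def fit_lognormal(times):
    """Fit ln(response time) ~ Normal(mu, sigma). The lognormal shape is an
    assumption of this example, not something the text specifies."""
    if len(times) < 2 or min(times) <= 0:
        raise ValueError("need at least two positive response times")
    logs = [math.log(x) for x in times]
    return NormalDist(mean(logs), stdev(logs))


def response_probability(dist, t):
    """Modelled probability that a crew has acted by time t."""
    return dist.cdf(math.log(t)) if t > 0 else 0.0


def non_response_probability(dist, window_s):
    """Probability a crew has NOT acted when the time window closes."""
    return 1.0 - response_probability(dist, window_s)


def assess_window(times, window_s):
    """Compare the observed crews and the fitted curve against a window."""
    dist = fit_lognormal(times)
    return {
        "median_s": math.exp(dist.mean),
        "observed_in_time": empirical_trc(times, window_s),
        "modelled_non_response": non_response_probability(dist, window_s),
    }


if __name__ == "__main__":
    for window in (60, 100, 300):
        print(window, assess_window(CREW_TIMES_S, window))
```

With this sample every observed crew acts within 100 seconds, yet the fitted curve still leaves a few percent probability of non-response at that window, which is the tail a small set of simulator runs cannot show directly.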
The crews’ actions are guided by procedures, which fall into the following categories: normal, abnormal and emergency. The normal category relates to operating the plant in normal conditions, such as load increases and decreases and normal start-up and shut-down. The abnormal category covers conditions when something off-normal occurs and leads to plant problems, such as a small leak, which has to be detected and acted upon, but the plant is not in an accident. However, when the plant gets into a severe condition, it is in an accident situation and the emergency procedures have to be used. The crew responds by following the procedures, starting with tripping the reactor and initiating operation of safety systems, such as fluid injection systems to keep the core covered, cooled, etc. It should be pointed out that, for a correctly designed safety protection system, these actions will be taken automatically, and the operators act as a protection shield if the safety systems fail to act properly. Simulators are used to prepare the crews for all manner of circumstances, such as the safety systems failing to act correctly in the presence of equipment failures or human errors. During training sessions the crews are exposed to different accident scenarios, covering even multi-failure scenarios based upon the unavailability of dynamic units, such as pumps and valves, failure of passive components, such as feed lines, various human errors, and different disturbances, including the effects of flooding of equipment.
Understanding the different meanings of control is important in establishing the safety of NPPs, and what is important and expected of all personnel is to be safety conscious.
singular most important consideration in control is the impact of the control activities of the top management since they can influence the resistance of organizations to the propagation of accidents and in responding to accidents.
Importantly, the management is tasked with the job of balancing safety and economics. It appears that these two aspects are closely connected. It appears that you cannot run an inexpensive NPP operation that is highly reliable and safe. Inherently, an NPP is an expensive power plant to operate when compared with a gas-fired fossil plant. The NPP is a much more sophisticated plant with multiple pieces of equipment that need to be carefully maintained, and there is redundant equipment for many functions to ensure plant safety when challenged by some internal or external disturbance. In the case of the gas-fired power plant, safety is not as great a requirement, since the effect of an accident at the plant has a very minimal influence on the public.