The operator’s role in nuclear safety is outlined and the concept of “safety functions” is introduced. Safety functions are a group of actions that prevent core melt or minimize radiation releases to the general public. They provide a hierarchy of practical plant protection for the operator to apply. Researchers have said that an accident identical to that at Three Mile Island (TMI) is not going to happen again; the next serious threat to safety will differ from the TMI sequence. Concentrating design, management, and operational improvements on the specific TMI sequence is therefore unwise. The plant safety evaluation uses four inputs in predicting the results of an event: the event initiator, the plant design, the initial plant conditions and setup, and the operator actions. If any of these inputs is not as assumed in the evaluation, confidence that the consequences will be as predicted is reduced. Based on the safety evaluation, the operator has three roles in ensuring that the consequences of an event will be no worse than the predicted acceptable results:

  1. Maintain plant setup in readiness to properly respond.
  2. Operate the plant so as to minimize the frequency and the severity of adverse events.
  3. Monitor the plant to verify that the safety functions are accomplished.

The operator needs a systematic approach to mitigating the consequences of an event. The concept of safety functions introduces this systematic approach and presents a hierarchy of protection. If the operator has difficulty identifying an event for any reason, the systematic safety function approach still allows the overall goal of mitigating consequences to be pursued. Ten functions are identified, designed to protect against core melt, preserve containment integrity, prevent indirect release of radioactivity, and maintain the vital auxiliaries needed to support the other safety functions. Nuclear power plants are designed so that there are two or more ways to accomplish each safety function. In general, the effectiveness of a particular success path for accomplishing a safety function depends on which systems are operable and on whether the process variables are within the design range of the particular system or subsystems that will be used.