UCS Blog - All Things Nuclear (Nuclear Power Safety)

The NRC and Nuclear Safety Culture: Do As I Say, Not As I Do

Many times over the past 20 years the Nuclear Regulatory Commission (NRC) has intervened when evidence strongly suggested a nuclear power plant had nuclear safety culture problems. The evidence used by the NRC to trigger its interventions was readily available to the plant owners, but the owners had downplayed or rationalized away the evidence until the NRC forced them to face reality.

The evidence used by the NRC to detect these nuclear safety culture problems included work force surveys indicating a sizeable portion of workers reluctant to raise safety concerns and allegations received by NRC from workers about reprisals and harassment they experienced after raising safety concerns.

Ample evidence strongly suggests that the NRC itself has nuclear safety culture problems. The NRC’s Office of the Inspector General (OIG) has surveyed the safety culture and climate within the NRC every three years for the past two decades. The latest survey was conducted during 2015 and released in March 2016. Figure 1 from the OIG’s 2015 survey along with data from the annual Federal Employee Viewpoint Surveys and other sources show safety culture problems as bad as—it not considerably worse—than the worst safety culture problems identified at Millstone, Davis-Besse, and yes, even the TVA reactors.

FIg. 1 (Source: Nuclear Regulatory Commission Office of the Inspector General)

After the OIG’s 2009 survey of the NRC’s safety culture and climate, UCS submitted a request under the Freedom of Information Act for all records related to the actions taken by the agency in response to the survey. We obtained many records which described very few actions. And regardless of the number of actions, the OIG’s 2015 survey showed that the NRC’s safety culture was worse than in 2009 (see the last column on the right in Figure 1).

Why would the NRC take steps to remedy safety culture problems at nuclear plants yet have taken no steps to remedy its own safety culture problems? The answer is the same as to the question of why the plant owners failed to take steps to correct safety culture problems before the NRC intervened—they did not perceive the problems to exist. Likewise, Figure 2 shows that the NRC’s senior management does not perceive safety culture within the agency to need remediation.

Fig. 2 (Source: Nuclear Regulatory Commission Office of the Inspector General)

The OIG employs a consultant to conduct the triennial safety culture surveys. I attended a briefing several years ago by the consultant on the survey results. The consultant reported surveying many other federal agencies and large private corporations. The consultant pointed out that the gap between results by senior management and by the overall workforce was wider at NRC than at any other federal or private entity it had surveyed.

Just as plant owners failed to correct the problem they could not see, NRC senior management cannot fix the agency’s “invisible” safety culture problems. The NRC intervened to enable owners to see, and then fix, their safety culture problems. Someone needs to intervene to help NRC senior management see the agency’s safety culture problems so they can take the corrective measures they have often compelled plant owners to take.

UCS recently issued a report on the NRC’s safety culture problems and its history of inducing safety culture fixes at nuclear plants. And The Bulletin posted my commentary about the NRC safety culture report.

If I found a lamp washed up on a beach and rubbed it to release a genie who granted me three wishes, my first wish would be for irradiated fuel to be transferred from dangerous, overcrowded spent fuel pools into more safe and secure dry storage as soon as practical. But my second wish would be for the NRC to undertake the reforms needed to achieve and sustain a positive nuclear safety culture at the agency. My third wish would be for a thousand additional wishes, so don’t worry that I squandered my first two.

Kudos to NRC for Lessons-Learned Review at Columbia Fuel Fabrication Facility

Disaster by Design/Safety by Intent #63

Safety by Intent

Westinghouse Electric Corporation notified the Nuclear Regulatory Commission (NRC) on July 14, 2016, that workers at its Columbia Fuel Fabrication Facility (CFFF) in South Carolina found significant accumulation of uranium in a ventilation system. The amount of enriched uranium exceeded limits established at the facility as protection against inadvertent criticality.

The uranium accumulated in process vent scrubber S-1030 shown towards the upper left side of Figure 1.

Fig. 1 (Source: Nuclear Regulatory Commission)

The NRC dispatched an Augmented Inspection Team (AIT) to the site to investigate the causes and corrective actions for the event. The NRC sends Special Inspection Teams and Augmented Inspection Teams to investigate discoveries like the one reported at CFFF that have the potential for increasing the risk of an accident.

The AIT concluded in its report dated October 26, 2016, that “Westinghouse failed to provide adequate levels of oversight, enforcement, and accountability to the organizations directly involved with configuration management, operations, and maintenance of the wet ventilation systems.” Specifically, Westinghouse had assumed that only minute quantities of uranium could collect in that portion of the ventilation system and took no actions to either validate or confirm that key assumption.

To this point, both Westinghouse and NRC followed established practices. Upon discovery a condition above the reporting threshold, Westinghouse notified the NRC. Upon receiving notification from Westinghouse about a condition above its normal response threshold, the NRC dispatched an Augmented Inspection Team.

The NRC’s Extra Effort

The NRC did not stop with its AIT probe into whatever problems Westinghouse had that resulted in the event at CFFF. Two days after issuing the AIT report, the NRC chartered a team to examine lessons the agency could learn from the event. This second team was not tasked with supplemental Westinghouse bashing. That had been the AIT’s role. The lessons-learned team was tasked with assessing whether the NRC could make changes in its efforts so as to lessen the likelihood events like the CFFF would recur. Specifically, the lessons learned team was asked to evaluate the NRC’s license review process, inspection program, operating experience program, organization of oversight groups, and knowledge management programs.

It is commendable that the NRC undertook this introspective review. The review would either confirm that the agency is effective applying its resources or recommend ways to reallocate resources for increased effectiveness.

The NRC’s Extra Safety Gains

The AIT verified that Westinghouse had taken or would be taking appropriate corrective actions to lessen the likelihood of recurrence of this problem at its CFFF. The lessons-learned task force identified steps the NRC could take in all five focus areas to lessen the likelihood that such an event could recur at any NRC-licensed fuel cycle facility.

The team concluded that the NRC’s license review process and its inspection program allocated resources based on perceived risk significance. In other words, items with high and moderate risk significance received more attention than items having low risk consequences. The team did not find this triage system unacceptable. It is imperative to properly focus limited resources. But the team did make recommendations on ways NRC’s reviewers and inspectors could verify that items deemed low risk truly have low risk.

The team characterized the agency’s operating experience and knowledge management programs as being more supplemental than integral parts of business. Some of the NRC staff interviewed by the team used the programs extensively; other staffers were aware of the programs but had not used them. The team made several recommendations intended to integrate the operating experience and knowledge management programs into day-to-day work practices. For example, the team recommended training on using the operating experience database to lower the height and shorten the duration of the learning curve needed for users to become proficient with this tool.

The NRC’s Safety Backstop

In theory, NRC’s reviewers and inspectors should find no safety problems. NRC’s licensees—the owners of nuclear power plants and fuel cycle facilities—are responsible under the law for complying with regulations intended to manage risk to workers and the public.

In practice, NRC’s reviewers and inspectors could, and do, find safety problems. Not because NRC’s licensees are deliberately violating safety regulations, but compliance is a dynamic challenge.

By undertaking the lessons learned review of the CFFF event, the NRC makes its safety backstop more robust and reliable. The recommendations made by the team will, when implemented, improve the effectiveness of NRC’s reviewers and inspectors. The NRC’s reviewers and inspectors were already good, but the agency’s efforts to make them better result in making workers and the public safer.

It may not be the ultimate win-win situation, but it’s got to be among the top ten.

—–

UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Nuclear Safety Performance at Pilgrim

The Nuclear Regulatory Commission (NRC) held a public meeting on Tuesday, January 31, 2017, in Plymouth, Massachusetts. A large crowd of over 300 individuals (perhaps thousands more by White House math) attended, including me. Elected officials in Massachusetts—the attorney general, the governor, the entire US Congressional delegation, and state senators and representatives—had requested the meeting. Many of these officials, or their representatives, attended the meeting.

The elected officials asked the NRC to conduct a public meeting to discuss the contents of an email from the leader of an NRC inspection team at Pilgrim to others within the agency regarding the results from the first week’s efforts. An NRC staffer forwarded this email to others within the agency, and inadvertently to Diane Turco of the Cape Downwinders, a local organization. The contents of the leaked email generated considerable attention.

Unique NRC Meeting
During my nearly two decades at UCS, I have attended dozens, perhaps hundreds (maybe even millions by White House accounting) of NRC meetings. The Plymouth meeting was unique. It was the only NRC meeting I’ve attended to discuss an email.

And it was the only NRC meeting I’ve attended where public speaking slots were chosen by raffle. In all prior meetings, members of the public raised their hands to be called upon by the NRC staff, queued behind a microphone in the room in order to speak, or added their names to a list to speak in the order specified by the sign-up sheet. At this meeting, the NRC used a raffle system. I received Ticket #4 (see Figure 1), giving me an opportunity to “win” a chance to speak for up to 3 minutes (or 180 seconds, whichever came first) during the meeting.

Fig. 1 (Source: Nuclear Regulatory Commission)

Fig. 2 (Source: Nuclear Regulatory Commission)

My ticket, along with at least 74 other tickets, was placed into a fishbowl. Brett Klukan, an attorney in NRC Region I, drew tickets from the bowl to establish the speaker order. Because the fishbowl was clear glass, Brett gazed at the ceiling to avoid charges of cherry-picking preferred ticket numbers (see Figure 2). Brett then wrote the number drawn on a whiteboard without showing the number to anyone else, somewhat offsetting the averted gaze tactic since he could have jotted down any number he wished.Unique NRC Discussion

Brett Klukan opened the meeting by introducing the NRC panelists and covering some ground rules for the meeting. The ground rules included a decorum standard—any audience member disrupting the meeting three times would be asked to leave. If the individual did not leave voluntarily, Brett explained that law enforcement officers (and there were numerous uniformed officers in the room and in the hallway outside) would escort the person from the room.

Brett then turned the meeting over to the NRC panel of Dan Dorman, the Regional Administrator for NRC’s Region I, Bill Dean, the NRC’s Director of the Office of Nuclear Reactor Regulation, Raymond Lorson, the Director of the Division of Reactor Safety in Region I, and Don Jackson, the leader of the NRC inspection team at Pilgrim and author of the email.

Don went through the leaked email, which he had written, updating the audience on each issue and supplementing the email with results from the team’s efforts since that initial week. I had expected the NRC to talk about what systems, components, and administrative processes the inspection team examined, but anticipated the NRC would not discuss results until the team’s report was approved and publicly released. But Don candidly provided the results, too. More than once, Don explained that the team identified an apparent violation of NRC’s regulations—in fact, he stated that 10 to 15 potential violations had been identified.

After the NRC panel finished their remarks, the meeting moved to comments and questions from the public. I was the third member of the audience to speak to the NRC. Figure 3 shows Brett Klukan at the podium to the left, the NRC panel in the center, and several members of the audience turning to look at the speaker standing at the microphone located towards the back of the room out of view to the far right.

Fig. 3 (Source: Nuclear Regulatory Commission)

I asked the NRC four questions. After I posed the four questions, the NRC panel answered. My questions and the NRC’s answers:

UCS Question #1

The NRC’s 20-member inspection team covered a lot of ground, but still examined a small fraction of the safety systems at Pilgrim. Based on the large number of safety violations in the small sample the team examined, what assurance can the NRC provide about the state of the majority of safety systems the team did not examine?

NRC Answer: The NRC’s reactor oversight process (ROP) features periodic inspections of safety systems at Pilgrim with the team inspection being supplemental to those activities. If there were problems in those other safety systems, the periodic inspections would reveal them.

UCS Response: Don Jackson described his team identifying 10 to 15 apparent violations of federal safety regulations in the small sample of safety systems they examined—violations that apparently were NOT revealed previously by the ROP’s periodic inspection efforts. Those routine inspection efforts failed to identify violations among the small sample, strongly suggesting that the routine inspection efforts also fail to find violations in the larger sample.

UCS Question #2

Don Jackson explained that the text in his email about the staff at Pilgrim appearing overwhelmed or shocked referred to their reaction to the arrival of the NRC’s 20-member inspection team. Does the NRC believe that this staff might also be overwhelmed or shocked in response to an accident?

NRC Answer: Don Jackson explained that his email comments referred primarily to the plant’s support staff (e.g, engineers, maintenance workers, etc.) rather than about the control room operators. Don said that his assessment of the operators at Pilgrim during their duties in the control room and during exercises on the control room simulator gave him complete confidence that the operators would be able to successfully respond to an accident.

UCS Response: Even if Don’s assessment is correct (and the operators losing control of the reactor during a routine startup causing it to automatically shut down to avoid fuel damage, the operators mis-operating numerous safety components following Winter Storm Juno and the operators not receiving proper training on the use of the high pressure coolant injection system leaves room for doubt), it is incomplete. The response to an accident involves considerably more than the handful of operators on duty at the time. NRC’s regulations require dozens of other plant workers to staff the Technical Support Center, the Operations Support Center, and the Emergency Operations Facility. The work force freaking out because 20 NRC inspectors arrive on site—by an appointment made weeks in advance—suggests that work force could be equally stressed out responding to an unannounced accident.

UCS Question #3

Dan Dorman mentioned the NRC planned to conduct another public meeting in late March about this inspection and to release the team’s final report in mid-April. Would it be possible for the NRC to issue the final report before the public meeting to allow the public to review the report and participate meaningfully in the meeting?

NRC Answer: Don Jackson mentioned that the report for a recent team inspection at another nuclear plant was over 350 pages due to all the information it contained. He said it would take sustained effort for the report by the team for their inspection at Pilgrim to be issued by mid-April, with no real opportunity for putting it out sooner.

UCS Response: There are two items both under full control of the NRC—the public meeting and the team inspection report. I have no reason to doubt Don’s word that mid-April is the soonest that the report can be released. I have every reason to doubt why the NRC must hold the public meeting in late March. The NRC could conduct the public meeting in late April, or early May, or mid-May, or late-May, or early June, or any time after they release the team’s report. The only reason for the NRC to conduct a public meeting about a non-existent report is because that’s the way they prefer to do it.

UCS Question #4

Audience members for this meeting are given three strikes before they are out of the meeting. How many strikes has the NRC given Pilgrim before it is out?

NRC Answer: Bill Dean began to answer the question, but Dan Dorman interrupted him. Dan labeled the question rhetorical and directed Brett to proceed with the next speaker.

UCS Response: I appreciate NRC bringing back Bert the turtle with this Duck and Cover gimmick. To be sure, I’d have better appreciated the NRC’s explanation why audience members get dragged out of the room after three strikes while Pilgrim does not get shut down after 10 to 15 violations of federal safety regulations. But this is America where everyone has the right to chicken out. My apologies if I put the NRC in a fowl mood.

To Be (Shut Down) or Not to Be (Shut Down)

The recurring theme during the meeting was whether the known performance problems warranted the shutdown of Pilgrim (either permanently or until the problem backlog was eliminated) or if Pilgrim could continue operating without exposing the community to undue risk.

Best I could tell, the meeting did not change any participant’s viewpoint. If one entered the room believing Pilgrim was troubled but sufficiently safe, one left the room with this belief intact. If one entered the room feeling Pilgrim’s problems posed too great a hazard, one probably left the room with even stronger convictions.

The meeting was somewhat like a court trial in that two reasonably supported but entirely opposite arguments were presented. The meeting was unlike a court trial in that instead of a jury, only time may decide which argument is right.

The Argument for Pilgrim Continuing to Operate

The team inspection led by Don Jackson is a direct result of an increasing number of problems at Pilgrim that caused the NRC to drop its performance assessment from Column 1 of the ROP’s Action Matrix into Column 2, 3 and eventually 4. The NRC developed the ROP in the late 1990s in response to high-profile troubled nuclear plants like Millstone, Salem, and Cooper.

The Action Matrix has five columns. A reactor with performance so bad that the NRC places it into Action Matrix Column 5 cannot operate until the NRC is satisfied enough of the problems have been corrected to permit restart.

Dan Dorman and Don Jackson tried to explain during the meeting that it was not the number of problems that determined placement into Column 5, it was the severity of the problems that mattered. They said several times that the 10 to 15 apparent violations identified by the team reinforced the NRC’s determination that Pilgrim was a Column 4 performer, but did not cause them to feel movement into Column 5 was warranted.

The Action Matrix is like our legal system. Persons guilty of a single misdemeanor generally receive lesser sanctions than persons guilty of multiple misdemeanors who in turn generally receive lesser sanctions than persons guilty of a single felony. Persons guilty of multiple felonies tend to be those receiving the severest sanctions and incarceration.

Pilgrim got into Column 4 as the result of several violations identified by NRC inspectors that were classified as White, the second least severe classification in the NRC’s Green, White, Yellow, and Red system. The data suggest performance shortcomings warranting regulatory attention, but it doesn’t suggest a trip to nuclear jail.

The Argument for Pilgrim Shutting Down

The NRC panelists stated several times during the meeting that they did not see any immediate safety concern that required Pilgrim to be shut down. Those assurances would be more meaningful and credible had the panelists or their NRC colleagues periodically seen an immediate safety concern, even from a distance.

The last time the NRC saw an immediate safety concern and ordered an operating reactor to shut down was March 31, 1987 when the agency ordered the Unit 2 and 3 reactors at the Peach Bottom nuclear plant in Pennsylvania to be shut down (the Unit 1 reactor had already been permanently shut down). Dan Dorman and Ray Lorson did not join the NRC staff until 1991. Don Jackson did not come to the NRC until 2003. Of the four NRC panelists, only Bill Dean was with the agency the last time an immediate safety concern was spotted.

Yet there have been times since 1987 when immediate safety concerns have existed:

Davis-Besse Safety Blindspot

In the fall of 2001, the NRC staff drafted an order that would require the Davis-Besse nuclear plant to be shut down. To justify the order, the NRC staff assembled the strongest circumstantial case one could hope to build that an operating reactor was unsafe. The NRC staff evaluated the reactor against five criteria in Regulatory Guide 1.174 (RG 1.174). All five criteria had to be satisfied for a reactor to be considered safe. The NRC staff determined that one criterion was not met and the other four criteria were most likely not met. Absent dead bodies or a mushroom cloud, you cannot build a stronger case that an operating reactor is unsafe.

Fig. 4 (Source: Nuclear Regulatory Commission)

But NRC senior managers shelved the order and allowed Davis-Besse to continue operating. When the reactor finally shut down, workers discovered the reactor was less safe than the NRC staff had feared. Per the NRC, Davis-Besse came closer to a meltdown than any reactor since the Three Mile Island accident in March 1979 (much closer than Peach Bottom ventured in March 1987).

Worse still, when interviewed by the NRC’s Office of the Inspector General, the NRC senior managers stated, under oath, stood behind their decision. They claimed they needed absolute proof that an operating reactor was unsafe before they would order it shut down. Somehow, failing to meet five of five safety principles does not constitute absolute proof to the NRC. Perhaps not meeting eight or nine out of five safety principles would suffice.

Oconee Safety Blindspot

In June 2010, the NRC issued a confirmatory action letter (CAL) to the owner of the Oconee nuclear plant in South Carolina. The CAL required that the owner take fifteen steps to reduce risk of failure at the upriver Jocassee Dam (which was also owned by Oconee’s owner) and to lessen the flooding vulnerability at Oconee should the dam fail.

The NRC staff discovered that the failure rate for the Jocassee Dam was as high as other hazards that Oconee was protected against. Thus, failure of the dam could not be dismissed as incredible or overly speculative.

The NRC staff further estimated that if the Jocassee Dam failed, flooding at the Oconee site created a 100 percent chance of causing all three operating reactors to melt down, all cooling of the spent fuel pools to be lost, and all three reactor containments to fail.

The high risk of flooding causing three operating reactors to melt down prompted the NRC to issue the CAL to Oconee’s owner nine months before flooding caused three operating reactors at Fukushima to melt down.

The hazard was real enough to cause NRC to require the owner to take steps to lower the risk, but not real enough to warrant the reactors to shut down until the risk was better managed.

Most galling is the fact that the NRC withheld information about this hazard from the public. Their June 2010 CAL was issued in secret. When the NRC conducted their annual public meeting in the Oconee community in April 2011—about six weeks after flooding melted three operating reactors at Fukushima—they said nothing about the CAL being issued to better manage flooding vulnerabilities at Oconee. The public cannot trust an agency that withholds relevant information from them.

It may be true that the NRC would order an operating reactor to be shut down if it saw an immediate safety concern. But it’s been nearly thirty years since the NRC noticed an immediate safety concern at an operating reactor. Since then, the NRC has noticed very serious safety problems at Davis-Besse and Oconee, yet allowed those reactors to continue operating.

The Davis-Besse and Oconee cases occurred after the NRC adopted the ROP and its Action Matrix. None of the safety problems that led to the NRC staff drafting a shutdown order for Davis-Besse or issuing a CAL for flood protection problems at Oconee were considered in the ROP. Thus these safety problems were entirely invisible as far as the Action Matrix was concerned.

The NRC should not rely on a safety yardstick that ignores significant safety issues.

UCS’s Argument about Pilgrim

Because the NRC has demonstrated its ability to jettison safety standards when an operating reactor doesn’t measure up, and because it has not recently demonstrated an ability to spot an immediate safety concern, it is entirely reasonable for the community around Pilgrim to have anxiety about the plant’s known performance problems. Shutting down Pilgrim would lessen that anxiety.

Should public anxiety be used as a pretext for shutting down an operating reactor?

Absolutely not.

Instead, the public should have trust and confidence in the NRC to protect them from Pilgrim’s problems. But the NRC has not done much to warrant such trust and confidence by the NRC. If public anxiety is high, it’s because public trust and confidence in the NRC is low.

Public trust and confidence in the NRC should be the proper context for a troubled reactor continuing to operate.

That proper context is missing.

The NRC must take steps to restore public trust and confidence. They should consistently establish and enforce safety regulations. NRC senior managers must stop looking for absolute proof that operating reactors are unsafe and instead look for absolute proof that operating reactors comply with federal safety regulations.

And when NRC senior managers see safety problems, they must disclose that finding to the public. Hiding such information, as they did with the flooding vulnerabilities at Oconee, provides the public with a distorted view. And such antics provide the public with zero reason to trust anything the NRC utters. When you cherry-pick what you say and when you say it, you stop being a credible authority.

If the NRC allows Pilgrim to continue operating and the reactor has an accident, will the agency be able to honestly look victims and survivors in the eye and say they did everything they could to protect them?

Nuclear Regulatory Crusader

To many, the acronym NRC stands for Nuclear Regulatory Commission. At times, NRC has been said to stand for Nobody Really Cares, Nuclear Rubberstamp Committee, and Nielsen Ratings Commission.

In regard to Larry Criscione, it may stand for Nuclear Regulatory Crusader.

(Source: NRC)

Larry is an engineer working for the U.S. Nuclear Regulatory Commission (NRC). Last year, Larry received the Joe A. Callaway Award for Civic Courage from The Safeek Nader Trust. Joe Callaway established the award in 1990 to recognize individuals who, with integrity and at some personal risk, take a public stance to advance truth and justice.

In March 2011, the three operating reactors at the Fukushima Daiichi nuclear plant in Japan melted down after a tsunami generated by a large earthquake flooded the site and disabled primary and backup power supplies to emergency equipment. In public, the NRC denied that reactors operating in the U.S. were vulnerable to such hazards.

In private, the NRC knew otherwise.

Flooding Risk at Oconee

In June 2010—nine months before Fukushima—the NRC issued a Confirmatory Action Letter to the owner of the Oconee nuclear plant in South Carolina requiring more than a dozen measures be taken. The measures were intended to lessen the chances that the Jocassee Dam fails and to increase the chances that the three operating reactors at Oconee survive should the dam fail anyway.

An evaluation showed that if the dam—located about 21 miles upriver from Oconee—failed, the site would be inundated with about 12.5 to 16.8 feet of flood water. The site was protected by a flood wall about seven feet tall, so it mattered little whether the actual depth was 12.5, 13, 14, 15, or 16.8 feet.

The NRC estimated that if the dam failed and flooded the site, there was a 100 percent chance that all three reactors would meltdown.

But the NRC issued the Confirmatory Action Letter secretly and did not tell the public about the hazard it required Oconee’s owner to lessen. After Fukushima tragically demonstrated the hazard posed by flooding, the NRC continued to cover-up measures taken and planned to lessen the flooding vulnerability at Oconee.

Larry and the OIG

So, Larry sent a 19-page letter dated September 18, 2002, to the NRC Chairman chronicling this history and asking four things:

  1. The NRC’s Office of General Counsel (OGC) should review the documents related to flooding at Oconee and the associated federal regulations to determine whether the documents could be made publicly available.
  1. The NRC’s Office of Nuclear Security and Incident Response (NSIR) should review the information on flooding hazards redacted from documents released to the public in response to Freedom of Information Act (FOIA) requests to determine whether additional information could be made publicly available.
  1. Based on the OGC and NSIR reviews, ensure that all flooding hazard documents that can be made publicly available are publicly available.
  1. The NRC’s Office of the Inspector General (OIG) should investigate whether the agency has been inappropriately marking documents as containing “Security-Related Information.”

Exercising his rights under the Lloyd-La Follette Act of 1912, Larry copied U.S. Congressional staff members on the email transmitting his letter to the NRC Chairman.

Larry’s letter was obtained by a reporter and featured in a Huffington Post article dated October 19, 2012.

As Larry had requested, the NRC’s OIG investigated handling of documents about flooding hazards. But rather than investigate whether NRC had improperly withheld information as he contended, OIG investigated whether Larry had improperly released information. As detailed in our 2015 report on the NRC and nuclear power safety, OIG made Larry an offer—he could voluntarily resign from the NRC or they would turn over his case to the Department of Justice (DOJ) for prosecution.

Larry did not resign.

OIG did refer the case to DOJ.

DOJ did not prosecute.

Through FOIA, UCS obtained DOJ’s response to NRC declining to prosecute Criscione. Under the Primary Reasons for Declination section, DOJ checked one box—No Federal Offense Committed.

Fortunately for Larry, not breaking the law is not yet against the law.

Thanks to Larry’s selfless efforts, the flooding hazards at Oconee have been made public. Larry had been right about the NRC inappropriately withholding information from the public. When lawyers and investigators were all through, the information he sought to have publicly released was publicly released. The NRC lacked legal grounds to continue hiding it.

More importantly, NRC’s mangers may think twice—or at least once—before withholding dam safety information in the future.

Unfortunately for Larry, he experienced unnecessary stress and expense defending himself against baseless OIG investigations. The Callaway Award does not fully offset those unfortunate consequences. But it helps show Larry and others who have our backs that not everyone wants to twist a dagger in their backs.

A video of the award presentation and Larry’s acceptance speech has been posted to YouTube.

Bottom Line

Doing the right thing when it’s relatively easy fails to accurately measure courage.

Larry Criscione did the right thing when it was a very hard thing to do. He could have remained silent like so many of his co-workers opted to do. He faced a strenuous courage test and aced it.

Not-so-Fabulous Five

To some, “Fabulous Five “ brings back memories of the 1991 recruits for the University of Michigan’s basketball team—Chris Webber, Jalen Rose, Juwan Howard, Jimmy King, and Ray Jackson. The five powered Michigan to the NCAA Division I championship games in 1992 and 1993.

Others may recall the “Fab Five,” a made-for-TV movie about a 2006 cheerleader scandal at a high school in Texas.

No one hearing “Fabulous Five” thinks about the performance of the nuclear reactors owned and operated by Entergy between 2011 and 2015. The performance during those five years was anything but fabulous, unless fabulously bad counts.

Performance Reports

Every quarter, the Nuclear Regulatory Commission (NRC) takes operating data submitted by plant owners and findings by the NRC’s inspectors to assign each reactor to one of five columns in the agency’s Action Matrix. When performance meets or exceeds NRC’s expectations, a reactor is placed in Column 1. If performance levels drop, a reactor gets placed into Columns 2, 3, or 4 depending on the depth and breadth of the performance decline. When performance drops so low that operation is not permissible until problems are corrected, a reactor falls into Column 5. The NRC began using this rating system in the fourth quarter of 2000.

Back in 2000, there were 105 reactors operating in the United States. Several reactors permanently shut down and one reactor commenced operating for a current total of slightly under 100 operating reactors. Entergy operated 11 reactors during much of that period, with one reactor permanently shutting down in recent years. Based on the average Action Matrix column placement, Entergy’s reactors generally outperformed the U.S. reactor fleet between 2000 and 2010 as shown in Figure 1. (Action Matrix column placement is like golf scores—low numbers win.) But the performance of Entergy’s reactors significantly declined beginning in 2011.

Fig. 1 (

Fig. 1 (Source: Union of Concerned Scientists)

Performance Plunge

Figure 2 shows a closer look at this five-year period. For the first and second quarters of 2011, all eleven of Entergy’s reactors were placed by the NRC into Action Matrix Column 1. Those ratings reflect top performance—the NRC does not issue 1-plus scores. By fourth quarter 2014—just 14 quarters later—the average Entergy reactor was in Action Matrix Column 2. The performance difference between Entergy’s reactors and all U.S. reactors was wider than ever, and not in Entergy’s favor.

Fig. 2 (

Fig. 2 (Source: Union of Concerned Scientists)

But 10 to 11 reactors is a smaller sample than 98 to 105 reactors. Perhaps one poorly performing reactor is dragging down the Entergy fleet. Figure 3 belies that notion. Only two of Entergy’s eleven reactors remained in Column 1 each and every quarter between 2011 and 2015: Indian Point Unit 2 and Vermont Yankee. The other nine reactors visited Columns 2, 3, and 4.

Fig. 3 (

Fig. 3 (Source: Union of Concerned Scientists)

The individual Entergy reactor ratings are hard to discern. Only people who do extremely well on ink blot tests and those who can relax their minds to see prancing unicorns or frolicking grizzly bears emerge from squiggly line drawings can get much out of Figure 3. The rest of us can hopefully gain these insights from Figure 4. This figure shows the percentage of U.S. and Entergy reactors placed into Column 1 each quarter by the NRC from 2011 to 2015. For the first and second quarters of 2011, 100 percent of Entergy’s reactors resided in Column 1—a feat the U.S. reactor fleet has never achieved. But by the fourth quarter of 2014, only 30 percent of Entergy’s reactors remained in Column 1. It was clearly not a case of one bad apple spoiling the bushel, but a fleet with bushels of reactor performance problems.

Fig. 4 (

Fig. 4 (Source: Union of Concerned Scientists)

Bottom Line

The NRC rates performance for each individual reactor. For example, the NRC has rated performance for Indian Point Unit 2 as being in an Action Matrix column while placing Indian Point Unit 3 in another column, despite the reactors being side-by-side at the same site under the same management. Such granularity has its advantages. Like snowflakes, no two reactors are identical and their differences can, and do, factor into performance differences.

The NRC does not connect these individual dots to see the bigger picture. Thirty percent of Entergy’s fleet rated outside of Column 1 cannot be explained by a faulty design, an incapable senior manager, or poor relationships between work force and management. Bad luck might explain an underperforming reactor or two. But bad luck does not cause performance to drop at 70 percent of the Entergy fleet. At times, individual snowflakes team up to cause blizzards.

When its performance assessments reveal broad underperformance by the owner of a fleet of nuclear reactors, the NRC must determine whether bad corporate behavior is spoiling the bushel of reactors. The NRC need not give aptitude tests to Chief Nuclear Officers or examine budget allocations. The NRC could simply issue a “Show Cause” order to the owner requiring a formal response as to why so many of its reactors have performance problems.

When many among a fleet of ships is listing, taking on water, or steaming off-course, it would be irresponsible to wait until a ship sinks before asking the Admiral of the Fleet “what’s up?” NRC cannot wait for a reactor to meltdown before asking Entergy to explain why so many of its reactors are experiencing so many problems.

UCS to the NRC: Stop Dragging Your Feet on Important Nuclear Security Updates

Yesterday, UCS sent a letter to Nuclear Regulatory Commission (NRC) chairman Stephen Burns urging the NRC to quickly issue new versions of two outdated security documents that play a critical role in defining how nuclear plants can be adequately protected against terrorist attacks.

 NRC)

NRC Chair Burns (Source: NRC)

The NRC requires nuclear power plants to be protected against radiological sabotage. The design basis threat, or DBT, specifies the characteristics of the attackers that a nuclear plant’s security plan must be designed to protect against (e.g., how many attackers and what sort of equipment they may have). The DBT includes both physical attacks and cyber attacks, and specifies that the attackers can include both outsiders and insiders.

In addition, the 2005 Energy Policy Act requires that every three years the NRC must stage mock attacks (known as “force-on-force” exercises) at each nuclear power plant to demonstrate that plant security forces can protect against the DBT.

As is the case for many of its other regulations, the NRC issues documents that provide guidance to nuclear reactor owners on acceptable means for meeting these security requirements. The NRC periodically reviews these guidance documents and updates them when appropriate. However, the NRC is taking far longer than usual to revise two important security guidance documents, which have not been updated since 2007 and 2009.

Why?

Because the nuclear industry is blocking the way. As I note in the letter, “finalizing the revisions has been unnecessarily delayed due to extensive, persistent and … unreasonable objections raised by the Nuclear Energy Institute (NEI) and the power reactor licensees to the changes proposed by the NRC staff.”

 

Watts Bar Hokey Pokey is Not Okey Dokey

Fission Stories #200

The Watts Bar Nuclear Plant near Spring City, Tennessee has two pressurized water reactors (PWRs) like that shown in Figure 1. Water flowing through the reactor core gets heated to over 500°F, but does not boil because pressure of over 2,000 pounds per square inch prevents it. The heated water flows through tubes inside the steam generators. Heat conducted through the thin metal walls of the tubes boils water surrounding the tubes. The steam flows through a turbine that spins a generator to make electricity.

Fig. 1(

Fig. 1(Source: Nuclear Regulatory Commission)

PWRs feature emergency core cooling systems (see Figure 2) intended to provide makeup water should a pipe connected to the reactor vessel break and rapidly drain the pressurized water from the vessel. Accumulators located inside the containment building are metal tanks partially filled with water. The remaining space inside the accumulator above the water level is filled with nitrogen gas. The nitrogen gas is pressurized. If a pipe breaks, the pressure inside the reactor vessel will decrease as water jets out the broken pipe ends. When the reactor vessel pressure drops below about 600 pounds per square inch, the accumulator water will be “pushed” into the reactor vessel. The charging, safety injection, and residual heat removal pumps located outside containment will start up and supplement the water makeup function.

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

The emergency core cooling (ECC) accumulators and pumps are designed to maintain adequate cooling of the reactor core for breaks of small, medium, or large diameter pipes connected to the reactor vessel. As shown in Figure 3, the size of the break determines how quickly the transition from the high head injection (e.g., charging pumps) systems to the low pressure systems.

Fig. 3 (

Fig. 3 (Source: Nuclear Regulatory Commission)

Each PWR at Watts Bar has two charging pumps. Each charging pump is powered by an electric motor and is designed to provide 150 gallons per minute of makeup flow at the high pressure conditions. The charging pumps are located within the auxiliary building that is adjacent to the reactor containment building. Because it gets warm in Tennessee during the summer and the running motors on the charging pumps give off more heat, air conditioning units called room coolers are installed in the auxiliary building to protect the charging pumps from overheating damage. (The irony is duly noted—the components installed to protect the reactor core from overheating damage are vulnerable to overheating damage themselves.)

Each room cooler consists of a bladed fan that blows air across metal tubes filled with cooling water. The air gets cooled down as it flows past the tubes. The fan is spun by an electric motor. A belt wraps around the motor shaft and fan shaft so that when the former rotates, the latter rotates too.

Revisions and re-revisions

On November 3, 1995, the shaft for a fan on one of the charging pump room coolers for Watts Bar Unit 1 was discovered to be damaged. Workers determined that the fan belt had been tightened too much, causing the fan shaft’s damage. The maintenance procedure for the room coolers was revised to include more guidance for properly installing and tensioning the fan belt. The procedure revision was a CAPR—corrective action to prevent recurrence.

And it did prevent recurrence, at least until 2011. A revision to the maintenance procedure in 2011 removed the guidance on proper tensioning of the fan belt.

Charging pump room cooler 1B-B was found broken on December 4, 2015. Workers disassembled the unit, repaired or replaced its broken parts, and reassembled it.

Charging pump room cooler 1B-B was found broken on August 3, 2016. Workers determined that the fan belt had been tightened too much which put more strain on the fan bearing causing it to degrade.

The corrective action was to re-revise the maintenance procedure to reinsert the guidance about properly installing and tensioning the fan belt. Workers also checked all other coolers at Watts Bar that had their fan belts tensioned during the 2011 revision to the maintenance procedure to ensure they were properly tightened.

Report to the Commission

The charging pumps provide high pressure makeup to the reactor vessel should a broken pipe cause a loss of coolant accident. If the pipe has a large diameter, the reactor vessel pressure will quickly drop down to the range where the accumulators and the residual heat removal pumps can supply the necessary makeup water. Following breaks of smaller diameter pipes, the reactor pressure will also decrease, albeit at a slower rate. An evaluation by Westinghouse, the vendor for the PWRs at Watts Bar, concluded that the charging pumps might be needed for up to 7.5 days during an accident.

An engineering evaluation by the owner concluded that a charging pump running without its associated room cooler would fail in about 74 hours due to overheating of its electric motor. Because the faulty room cooler could have prevented the charging pump from operating for the entire duration of its safety mission, the owner reported the problem to the NRC.

Our Takeaway

Workers at Watts Bar danced the nuclear hokey pokey. They started with the fan belt guidance out of the procedure, then took the step of putting the guidance into the procedure, back-stepped to remove the guidance, and re-took the step of placing the guidance back into the procedure. When it was in the procedure, the fan belt guidance seemed to protect against room cooler failures. Perhaps it’s time to stop the hokey pokey now that the useful guidance is once again in the procedure.

Right now, the nuclear industry seeks to significantly reduce costs through its Delivering the Nuclear Promise initiative while the Nuclear Regulatory Commission seeks to downsize through its Project AIM efforts. The lesson of this Watts Bar episode should not be lost upon the promisers and projectors. The workers who removed the fan belt tensioning guidance in 2011 were likely unaware of the reason it had been added back in 1995. Before the promisers and projectors discontinue this practice or eliminate that activity, they need to make really sure they are not undoing past fixes. Perhaps it is no longer necessary to do that thing, or perhaps it can be done more efficiently. But the reasons why practices were started need to be fully understood before they can be safely discontinued or streamlined.

In other words, put on the thinking caps and take off those hokey pokey dancing shoes.

Fission Stories” is a column by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.

Frazzled at FitzPatrick

Fission Stories #199

The James A. FitzPatrick nuclear plant near Oswego, New York has one boiling water reactor (BWRs) with a Mark I containment design. Water flowing through BWR cores is heated to boiling with the steam flowing through turbine/generator to make electricity. Steam exits the turbines and flows past thousands of tubes within the condenser. Water from the lake flowing inside the tubes cools the steam and transforms it into water. The condensed steam is pumped to the reactor vessel to make more steam.

Fig. 1 (Source: Nuclear Regulatory Commission)

The operators reduced the reactor power level on January 22, 2016, to 65 percent for scheduled maintenance. At 10:17 pm on January 23, the operators had increased the reactor power level to 89 percent on the way back to full power following completion of the maintenance. An alarm alerted them that the water level at the intake structure had dropped nearly two feet below normal. Environmental conditions formed chips of ice, called frazil ice, in the lake. Water being drawn into the plant caused ice to collect on the traveling screens at the intake structure. The traveling screens are metal mesh plates that rotate on rollers to prevent debris in the lake water from being drawn into the plant. Ice accumulating on the traveling screen partially blocked the incoming flow. As a result, the water level inboard of the traveling screens dropped lower than the lake’s level. If that level dropped too low, the circulating water pumps would pull in air instead of water (Fig. 2).

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

By procedure, the operators responded to the alarm by reducing the reactor power level to 75 percent and turning off one of the three pumps that circulate lake water through the condenser (Fig. 3). Reducing the incoming water flow rate reduced the amount of ice drawn onto the traveling screens. But the water level at the intake structure continued dropping until it reached four feet below normal. Per procedure, the operators manually scrammed the reactor at 10:40 pm.

Fig. 3 (

Fig. 3 (Source: Nuclear Regulatory Commission)

Scramming the reactor caused control rods to fully insert within seconds to terminate the nuclear chain reaction. The rapid power reduction significantly reduced the amount of steam flowing to the turbine/generator, leading to the turbine being turned off and the generator taken offline.

With the reactor operating, electricity produced by the generator flowed out through the switchyard to the offsite power grid. Electricity from the generator also flowed through a transformer to supply power to equipment throughout the plant.

The plant’s design called for the power supply to swiftly transfer from the generator’s output to the offsite power grid through two other transformers. But the cold weather hardened the lubricating oil for electrical breaker 10042 in the switchyard, causing it to open more slowly than desired. The slowed breaker prevented the swift transfer. Instead, supply was transferred about three seconds later by a backup logic circuit. That momentary power interruption caused non-essential equipment throughout the plant to stop running; most notably, the other two circulating water pumps at the intake structure.

Fig. 4 (

Fig. 4 (click to enlarge) (Source: Nuclear Regulatory Commission)

With no lake water flowing through the tubes inside the condenser, the operators manually closed the two isolation valves in the main steam lines between the reactor vessel and the turbine/generator. Steam continued to be produced by the reactor core’s decay heat. This steam had no place to go and caused the pressure inside the reactor vessel to rise. When the pressure rose about 10 percent above normal pressure, safety/relief valves (SRVs) automatically opened to discharge steam through a pipe into the water of the suppression chamber (also called the torus due to his donut shape.) When the pressure dropped sufficiently low, the SRVs automatically reclosed. The SRVs cycled opened and closed to control reactor pressure (Fig. 5)

Fig. 5 (

Fig. 5 (Source: Nuclear Regulatory Commission)

HPCI Use and Misuse

By procedure, the operators started the High Pressure Coolant Injection (HPCI) system in pressure control mode. The HPCI system uses a turbine supplied with steam from the reactor vessel to spin a pump that transfers makeup water from the Condensate Storage Tank to the reactor vessel. The steam exiting the HPCI turbine flows into the suppression chamber water. HPCI system operation prevents the SRVs from cycling opened and closed. The SRVs have a nasty habit of sticking open, so minimizing the times they open lessens the chances they stay open.

The normal source of water for the HPCI system is the Condensate Storage Tank. But if this tank’s water level drops too low or the water level inside the suppression chamber rises too high, valves will automatically close and open to swap the supply from the Condensate Storage Tank to the suppression chamber.

More than an hour after the scram, the water level within the suppression chamber was approaching the swap-over setpoint. Procedures directed the operators to bypass the automatic swap-over for this plant condition. The control room supervisor recognized this need and directed the operators to take this step. But they failed to complete the task before the HPCI pump suction was automatically transferred over to the suppression chamber.

Procedures only permitted HPCI to be operated in pressure control mode when it took water from the Condensate Storage Tank. So, the operators had to shut down the HPCI system and revert back to the undesirable reliance on SRVs cycling to control reactor pressure.

The NRC issued a green finding, the least severe among its green, white, yellow, and red violation classification scheme, for the failure to properly implement procedures resulting in the avoidable need to rely on the unreliable SRVs for pressure control.

RHR Use and Misuse

More than twenty-four hours later, the operators sought to place the Residual Heat Removal (RHR) system in shutdown cooling mode. The RHR system is like a Swiss army knife—it can makeup water to the reactor vessel, cool water in the reactor vessel, cool the containment atmosphere, cool the torus water and airspace, and cool the spent fuel pool (Fig. 6).

 Nuclear Regulatory Commission)

Fig. 6 (Source: Nuclear Regulatory Commission)

The shutdown cooling mode uses one or two of the RHR pumps to take water from a recirculation system pipe connected to the reactor vessel, route it through heat exchangers where lake water cools it down, and return the cooled water to the recirculation system pipe so it flows into the reactor vessel (Fig. 7).

 Nuclear Regulatory Commission)

Fig. 7 (Source: Nuclear Regulatory Commission)

The procedure directed the operators to flush the RHR system piping before placing the system in shutdown cooling mode. The RHR system is normally in standby and stagnant water inside its pipes is “dirty” water compared to the nearly pure water circulating through the reactor vessel. Workers used the condensate transfer system to drain water from the RHR system pipes and replace it with “clean” water. Workers opened valve 10RHR-274 to perform this flushing activity.

The procedure directed operators to close 10RHR-274 before placing the RHR system into the shutdown cooling mode. But the operators failed to close this valve. When properly aligned, the RHR shutdown cooling mode merely circulates water from the reactor vessel through heat exchangers and back to the vessel, neither removing nor adding water inventory. With the improper alignment caused by the open valve, the RHR shutdown cooling mode added water to the reactor vessel. And not just a little bit of additional water.

The normal water level inside the reactor vessel is about 196 inches (16 1/3 feet) above the top of the reactor core. A rule-of-thumb is that about 200 gallons of water is needed to raise or lower the vessel level by one inch. So, nearly 40,000 gallons of water must drain out or boil off for the normal water level to drop to the reactor core’s level, even more to uncover the core.

Fig. 8 (

Fig. 8 (Source: Nuclear Regulatory Commission)

By running RHR shutdown cooling mode with the valve mistakenly open, the operators added water to the reactor vessel at FitzPatrick until water poured into the main steam lines. The main steam lines are located about 86 inches (over 7 feet) above the normal water level. It took nearly 17,200 gallons of water to increase the vessel level to the point of sending water down the main steam pipes.

As shown in Fig. 8, the level of the main steam line nozzles is above the upper scales of the Narrow Range and Wide Range water level instruments—the gauges the operators are trained to monitor frequently. Even if distracted, an alarm sounds in the control room when the vessel level rises just a few inches (not feet) above normal.

Sending water through the main steam lines could have disabled the HPCI system, the Reactor Core Isolation Cooling (RCIC) system (a smaller version of HPCI), and the SRVs. These systems and components are designed for steam, not water. Overfilling the reactor vessel could have taken away all of the high pressure safety systems for the reactor.

The NRC issued a green finding, the least severe among its green, white, yellow, and red violation classification scheme, for the failure to follow procedures resulting in loss of vessel level and potential impairment of multiple safety systems.

Our Takeaway

The HPCI swap-over miscue is a reminder of the trap one can fall into when given plenty of time to accomplish a short-term task. It did not take very long to install the bypass on the automatic swap-over. The operators had many tasks to perform besides installing the bypass. It was tempting to undertake seemingly higher priority tasks during the ample time before the swap-over point was reached. But time expired before the bypass was installed.

The RHR shutdown cooling miscue is a reminder about the importance of follow-up. Operators must maintain situational awareness, especially after the situation changes. In this case, placing the RHR system in shutdown cooling mode should have been followed by close monitoring of reactor water parameters to confirm that the temperature began decreasing and the level remained constant. Early awareness that something was wrong would have enabled intervention to minimize the consequences.

This one event revealed problems with the operators planning and implementing tasks. If operator performance is deficient when ample time is available and stress levels are low, how would the operators perform during an accident? The NRC’s Green findings would likely become Yellow or Red as the consequences of miscues become more significant.

So, the proper response to NRC’s slaps on the wrists is not to purchase wrist guards to lessen the sting of future slaps, but to take steps necessary to avoid future slaps, or worse.

Fission Stories” is a column by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.

End of the (Weekly) Line

It began on July 6, 2010, with commentary about a flood inside the Unit 2 containment building at Indian Point. Fission Stories were weekly commentaries about nuclear power plant problems. Fission Stories #198 ended the series on September 29, 2015.

In March 2013, the weekly Fission Stories were supplemented by Nuclear Energy Activist Toolkit (NEAT) commentaries. The NEAT commentaries were more educational than advocacy, seeking to explain technology and regulatory processes rather than critique them. NEAT #64 ended the series on September 22, 2015.

The Disaster by Design/Safety by Intent weekly commentaries began on October 6, 2015, with a summary of how U.S. nuclear plants are vulnerable to flooding.

After nearly 325 posts, UCS is retiring the weekly commentaries. Instead, we are reactivating the Fission Stories and Nuclear Energy Activist Toolkit commentaries to join the Disaster by Design/Safety by Intent. When we come across something that warrants commentary, we will use whichever of these templates fits best and post it. The result may be multiple postings in one week or multiple weeks between postings.

This change gives us the freedom of posting commentaries that are more timely and topical rather than finding topics that match the current theme. Hopefully, this will result in better use of our resources and, more importantly, better meet your needs.

We truly appreciate those who have read these commentaries over the years and look forward to sharing our perspectives with you in the future via this revised format.

You can sign up for an RSS feed and be notified of new AllThingsNuclear posts by clicking here. (Note: If you get a screen full of html code when you follow this link, try using a different browser.)

Protecting Against Fatigued Nuclear Plant Workers

Disaster by Design/ Safety by Intent #62

Safety by Intent

The Nuclear Regulatory Commission (NRC) revised its regulations requiring nuclear plant workers to be fit for duty on March 31, 2008, to include measures intended to protect against mistakes made by workers impaired by fatigue. Specifically, Subpart I, “Managing Fatigue,” was added to 10 CFR Part 26, “Fitness for Duty Programs.”

The NRC issued its fitness for duty requirements in the late 1980s in response to Congressional concerns about reports of illegal drug use by nuclear plant workers. The original requirements instituted initial, random, and for-cause drug and alcohol testing of all workers granted access inside nuclear power plants.

On September 28, 1999, Barry Quigley, a worker at a nuclear power plant in Illinois, petitioned the NRC to revise its fitness for duty regulation to impose limits on the number of hours worked by nuclear plant staffers. Quigley proposed that the NRC revise its regulations to limit workers to 60 hours per week and 108 hours over al-two-week periods during normal operation with some relaxation of these limits when the plant is shut down.

The NRC convened a series of public meetings to discuss the working hour limits petition. I participated in many of the meetings on behalf of UCS. The matter interested a lot of groups and individuals with a range of viewpoints. Some, like the Professional Reactor Operator Society (PROS) and the International Brotherhood of Electrical Workers (IBEW), expressed concern that limits on working hours could reduce the amount of overtime pay earned by their members. They pointed out potential consequences from the working hour limits being sought—workers might obtain second jobs to replace the lost overtime wages.

The NRC invited specialists to the meetings to inform the discussions. For example, Dr. Gregory Belenky from the Division of Neuropsychiatry at the Walter Reed institute of Research presented insights from research on sleep and human performance.

Fig. 1 (

Fig. 1 (Source: Nuclear Regulatory Commission)

The differing perspectives by various stakeholders shaped by the insights from the specialists led to changes in the working hour limits proposed in Quigley’s petition. For example, the petition would impose working hour limits on all persons subject to the drug and alcohol provisions in Part 26. Industry representatives pointed out that many workers performed tasks that were very unlikely to contribute to a nuclear plant accident even if a worker was impaired by fatigue during their performance. An engineer calculating the power supply loads to be met by an emergency diesel generator could make a mistake due to fatigue. But that engineer’s work must be independently checked by another engineer and approved by a third individual, providing opportunities for any mistakes to be corrected. The scope of the fatigue management rule was therefore narrowed to only those workers with “hands on” tasks whose mistakes might more immediately and directly have adverse consequences—operators, maintenance personnel, and (after 9/11) security force personnel.

The Outcome

The final rule limits individuals to working no more than 16 hours during any 24-hour period, 26 hours during any 48-hour period, and 72 hours during any 7-day period.

The final rule also contained measures intended to address the situation where individuals are within the working hour limits but feel fatigued. For example, a worker may not have gotten a full night’s rest due to caring for an ill child. Under the final rule, that individual has the right to self-declare feeling fatigued without fear of reprisals. This provision explicitly addressed a problem that NRC identified in 2002 with some workers being compelled to work when impaired by fatigue or being fired for refusing to work.

The final rule contains another provision that had not been in Quigley’s petition that was added as a result of the insights provided by the specialists—the need for break periods. The specialists agreed that it was vitally important for individuals to have periodic opportunities for rest and relaxation. The final rule therefore requires that workers receive a 10-hour break between work periods and a 34-hour break every nine days. Individuals working 8-hour shifts must be given at least one day off per week, persons working 10-hour shifts must be given at least two days off per week, and individuals working 12-hour shifts must be given at least 2.5 days off per week when averaged over a shift cycle of six weeks or less.

The final rule recognized that situations could arise that required individuals to exceed the working hour limits. The rule contains a provision describing when management can authorize individuals to exceed the limits. The final rule also requires owners to submit annual reports to the NRC on the number of times when individuals exceeded the working hour limits.

The final rule adopted by the NRC was more compromise than consensus. No stakeholder got everything he or she wanted included in the final rule. I am not a fan of the provision allowing individuals to work longer hours when a reactor is shut down, particularly when that reactor is at a plant with multiple reactors and at least one other reactor is operating. But the NRC’s rulemaking process considered my viewpoints equally with the viewpoints of Barry Quigley, PROS, IBEW, the nuclear industry, and all other stakeholders. The NRC’s regulatory analysis supporting the final rule explained why some aspects were included in the final rule while others were not.

Many NRC staffers were involved in the multi-year process leading to the final rule. Among them, Dr. David Desaulniers played a key role as the efforts’ technical lead. In addition to the considerable education and experience he brought to the table, Dr. Desaulniers served as a calming influence when stakeholders passionate about their viewpoints disagreed on the problem and its solution. He effectively enabled open discussions while discouraging non-productive debates.

The final rule does not provide absolute protection against mistakes made by fatigued nuclear plant workers. But it provides significantly better protection than had existed.

Disaster by Design

The problem that happened yesterday is much easier to solve than the problem that might occur tomorrow.

Worker fatigue did not cause the Three Mile Island accident and did not contribute to the Davis-Besse near-miss. Worker fatigue was therefore a potential problem. Nevertheless, the NRC revised its regulations to better manage the risk from this potential problem.

No one can count the umber of accidents avoided by the NRC’s working hour limits rulemaking. But the NRC’s rulemaking makes it less likely for worker fatigue to account for one accident. That seems like a good deal.

—–

UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.