UCS Blog - All Things Nuclear, Nuclear Power Safety - Latest 2

Watts Bar Lacks a Proper Safety Culture

The Nuclear Regulatory Commission (NRC) issued a Chilled Work Environment Letter to the Tennessee Valley Authority (TVA) on March 23, 2016, about safety culture problems at the Watts Bar nuclear plant. TVA promised to take steps to restore a proper safety culture at the plant.

Nearly 13 months later, has a proper safety culture been restored at Watts Bar?

No, according to a report issued April 19, 2017, by the TVA Office of the Inspector General (TVA OIG).

Fig. 1. (Source: D. Lochbaum)

The TVA OIG report paints a very disturbing picture of conditions at Watts Bar. I monitored safety culture problems at Millstone (1996-2000), Davis-Besse (2002-2004), and Salem/Hope Creek (2004-2005). The problems described in the TVA OIG report are comparable to the unacceptable conditions that existed at Millstone and Davis-Besse. A difference is that the NRC did not allow Millstone or Davis-Besse to operate until those safety culture problems were corrected to an acceptable level.

The TVA OIG report explains why TVA keeps reporting that the chilled work environment at Watts Bar was confined to the Operations Department and did not contaminate other work organizations at the site: The TVA Office of the General Counsel instructed the Employee Concerns Program and others within TVA not to use “chilled work environment” and to use “degraded work environment” instead. So, while TVA cannot find chilled work environments outside Operations, they find “degraded work environments” almost every place they look. But through an artifice of semantics conjured up by TVA’s attorneys, no chilled work environments are being found.

The TVA OIG didn’t buy the semantics: “Additionally, when 75 percent of a work group at a nuclear utility perceives that they are working in a chilled environment as is the case with ECP at TVA, it would seem reasonable to conclude that there is a chilled work environment in that group and unreasonable to pass it off as a ‘degraded work environment’.”

How bad is the chilled work environment at Watts Bar? The TVA OIG report indicates that 75% of the Employee Concerns Program (ECP) staff did not feel safe to raise concerns without fear of retaliation. ECP is supposed to be the organization that workers with safety concerns can go for help resolving them. When the helpers feel chilled, how can they truly help workers?

The ECP hired two individuals from outside TVA in February 2016 to conduct an independent investigation of the work environment at Watts Bar. According to the TVA OIG, this investigation was independent and forthright, but the ensuing report was anything but independent. The TVA OIG reviewed emails and interviewed the independent investigators and found that “the term ‘chilled work environment’ was edited out of the text of the report by ECP personnel.” In fact, the independent investigators did not write the six-page Executive Summary for “their” report—ECP wrote it. ECP wrote that a “degraded work environment” rather than a “chilled work environment” existed at Watts Bar. TVA OIG reported being unable to find “degraded work environment” being used within TVA or elsewhere prior to this “independent” report.

One of the two independent investigators told the TVA OIG that TVA management “did not like the fact that he stated that TVA management contributed to the poor SCWE [safety conscious work environment]” at Watts Bar. He was not invited back to participate in subsequent debriefing activities which “he attributed to management’s reaction to his report-out to them of the results from Phase I.” In other words, TVA shot the messenger.

The TVA OIG report states that “both the independent investigation commissioned by TVA and the SRTR [Special Review Team Report] were inappropriately influenced by TVA management” and that “the independent investigators were told by TVA ECP what they could and could not put in their report and the Executive Summary of that report was written by ECP, not the independent investigators.”

As to whether the chilled work environment issues were confined to the Operations Department, “Through personnel interviews conducted by OIG investigators, it was learned that many instances of HIRD [harassment, intimidation, retaliation, and/or discrimination] have occurred or have been alleged to have occurred in Operations and in other departments at WBN [Watts Bar Nuclear].” More specifically, surveys conducted during 2016 after workers raised concerns that led to the NRC’s Chilled Work Environment Letter being issued reveal safety culture issues outside of the Operations Department at Watts Bar.

Maintenance Department: 36% of workers feel free to report problems and concerns. 55% of workers believe they could report problems and concerns without fear of retaliation. 91% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Chemistry Department: 50% of workers feel free to report problems and concerns. 50% of workers believe they could report problems and concerns without fear of retaliation. 50% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Security Department: 34% of workers believe they could report problems and concerns without fear of retaliation. 67% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Engineering Department: 67% of workers believe they could report problems and concerns without fear of retaliation. 66% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Radiation Protection Department: 78% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

The TVA OIG explicitly states “TVA’s continuing denials have been found to be incorrect by the NRC and independent assessors: a chilled work environment exists in at least several departments at WBN and within the ECP program itself.”

The TVA OIG makes an interesting observation regarding the 51 actions that TVA identified as necessary to correct the problems expressed in the NRC’s Chilled Work Environment Letter—none of them pertain to TVA’s upper management. The TVA OIG states “It is certainly worth considering whether this might be at least a contributor, if not a root cause, of the failure of any of the CAPRs [corrective actions to prevent recurrence], remediation plans, and the like to correct the continuing recurrence of chilled work environments at TVA over the past decade.” Indeed!

Watts Bar Needs a Proper Safety Culture

The TVA OIG report makes it extremely clear that Watts Bar lacks a proper safety culture and that lack is broader than just within the Operations Department.

Watts Bar needs a proper safety culture because it is the fundamental foundation for nuclear safety overall. If workers do not raise safety concerns—either out of fear of retaliation or out of distrust that management will correct them—the inventory of unresolved safety concerns increases over time. Nuclear power plants are robust and require a large number of failures and malfunctions before an incident morphs into a disaster. The rising number of unresolved safety concerns reduces the number of failures needed to facilitate such transformations.

Proper safety cultures cannot be acquired from eBay or Amazon. Senior managers must make it happen. If TVA’s senior managers can’t or won’t make it happen, either TVA needs new senior managers or NRC needs to write TVA another letter—a stronger letter perhaps along the lines of a Show Cause Order compelling TVA’s lawyers to explain why Watts Bar can continue to operate safely with “degraded work environments” all over the site.

In the meantime, if Watts Bar experiences a disaster, it won’t be an accident. It’ll be an outcome of operating a nuclear power reactor with a safety culture documented to be woefully inadequate.

Columbia Generating Station: NRC’s Special Inspection of Self-Inflicted Safety Woes

Energy Northwest’s Columbia Generating Station near Richland, Washington has one General Electric boiling water reactor (BWR/5) with a Mark II containment design that began operating in 1984. In the late morning hours of Sunday, December 18, 2016, the station stopped generating electricity and began generating problems.

The Nuclear Regulatory Commission (NRC) dispatched a special inspection team to investigate the event after determining it could have increased the risk of reactor core damage by a factor of ten. The NRC team sought to understand the problems occurring during this near-miss as well as assess the breadth and effectiveness of the solutions proposed by the company for them.

Trouble Begins Offsite

The plant was operating at full power when the main generator output breakers opened at 11:24 am due to an electrical transient within the Ashe substation. The Ashe substation is owned and maintained by the Bonneville Power Authority and serves as the connection between electricity produced at the plant and the offsite power grid. At least three electrical breakers at the Ashe substation were supposed to have opened to de-energize the faulted transmission line(s). Had they done so, the loss of the transmission lines could have triggered protective devices at the Columbia Generating Station to automatically trip the main generator. But cold weather kept the breakers from functioning properly. Instead of the protective systems at the Columbia Generating Station responding on a system level (i.e., the de-energized transmission line(s) triggering a main generator trip), they responded at the component level (i.e., the main generator output breaker sensed the electrical transient and opened).

The turbine control valves automatically closed because the main generator was no longer fully loaded with its output breakers opened. The closure of the turbine control valves automatically tripped the reactor. The control rods fully inserted within seconds to stop the nuclear chain reaction. The output breakers, turbine control valves, and control rods all functioned per the plant’s design (see Figure 1).

Fig. 1 (Source: Nuclear Regulatory Commission annotated by UCS)

Before the trip, the main generator was producing electricity at 25,000 volts. The main transformer increased the voltage up to 500,000 volts for transmission out to the offsite power grid. The auxiliary transformers reduced the voltage to 4,160 volts and 6,900 volts for supply to equipment in the plant. The output breakers that opened to start this event are represented by the square box in the upper left corner of Figure 2.

Fig. 2 (Source: Nuclear Regulatory Commission annotated by UCS)

Trouble Begins Onsite – Loss of Heat Sink and Normal Makeup

The main generator was disconnected from the offsite power grid but continued to supply electricity through the auxiliary transformers to plant equipment. Because steam was no longer flowing to the turbine, the voltage and frequency of the electricity dropped. The voltages flowing to in-plant equipment dropped low enough to cause electrical breakers to automatically open at 11:25 am to protect motors and other electrical equipment from damage caused by under-voltage. For example, an electric motor requires an electrical current of a certain voltage in order to operate. Electrical current of lower voltage may not be enough to enable the motor to run, but that current flowing through the motor may be enough to heat it up and damage it. One of the de-energized loads caused the Main Steam Isolation Valves (MSIVs) to close. Their closure meant that steam produced by the reactor’s decay heat no longer flowed to the condenser where it got cooled by water from the plant’s cooling towers. Instead, the steam bottled up in the reactor vessel and piping until it increased the pressure to the point where the safety/relief valves opened to discharge steam to the suppression pool (see Figure 3).

The closure of the MSIVs also stopped the normal flow of makeup cooling water to the reactor vessel. The feedwater system uses steam-driven turbines connected to pumps to supply makeup cooling water to the reactor vessel. But the steam supply for the feedwater pumps is downstream of the now-closed MSIVs. The condensate and condensate booster pumps upstream of the feedwater pumps have electric motors and continued to be available. But collectively they only pump water at about two-thirds of the pressure inside the reactor vessel, meaning they could not supply makeup water unless the pressure inside the reactor vessel decreased by nearly one-third its normal pressure.

Fig. 3 (Source: Nuclear Regulatory Commission annotated by UCS)

Troubles Onsite Grow – Loss of Normal Power for Safety Buses

At 11:28 am, the safety buses SM7 and SM8 tripped on low voltage, causing their respective emergency diesel generators to start and provide power to these vital buses. This was not supposed to happen during this event. By procedure, the operators were directed to manually trip the turbine and generator following the automatic trip of the reactor. They tripped the turbine at 11:27 am, but never tripped the main generator. Tripping the main generator as specified in the procedures would have immediately caused electrical breakers to close and other electrical breakers to open to swap the supply of electricity to plant equipment from the auxiliary transformers to the startup transformers as shown in Figure 4. The startup transformers reduce 230,000 volt electricity from the offsite power grid to 4,160 volts and 6,900 volts for use by plant equipment when the main generator is unavailable. With electricity to plant equipment from the startup transformers, the MSIVs would have remained open and makeup cooling water supplied by the feedwater pumps as normally provided.

Fig. 4 (Source: Nuclear Regulatory Commission annotated by UCS)

Even More Trouble Onsite – Loss of Backup Makeup

The operators manually started the Reactor Core Isolation Cooling (RCIC) system (not shown on the Figure 3, but a smaller version of the High Pressure Coolant System) at 11:32 am to provide makeup cooling water because the feedwater system was unavailable. The RCIC systems’ primary function is to supply makeup cooling water when the feedwater system cannot do so. Like the feedwater pumps, the RCIC pump is connected to a steam-driven turbine. Unlike the feedwater pumps, the RCIC pump’s turbine is supplied with steam from the reactor vessel through a connection upstream of the closed MSIVs. The RCIC pump transfers water from a large storage tank to the reactor vessel.

The operators failed to follow the procedure when starting the RCIC system. The procedure called for them to close the steam admission valve (V-45) and then open the trip valve (V-1) as soon as V-45 was fully closed (see Figure 5). But they did not open V-1. The failure to open V-1 disabled the control system designed to bring the RCIC turbine up to desired speed in 12 seconds. Instead, the RCIC turbine tried to obtain the desired speed instantly. Too much steam too soon caused the RCIC turbine to automatically trip on high speed. This trip guards against the spinning turbine blades coming apart due to excessive forces.

It took about 13 minutes for workers to go down into the RCIC room in the reactor building’s basement and reset the mis-positioned valves to allow the system to be properly started. In that time, the water level inside the reactor vessel dropped about a foot as it boiled away. That still left 162 inches (13.5 feet) of water above the top of fuel in the reactor core. The operators had several hours to restore makeup cooling water flow before the reactor core started uncovering and overheating.

Fig. 5 (Source: Nuclear Regulatory Commission annotated by UCS)

The operators manually started the High Pressure Core Spray (HPCS) system at 12:09 pm to provide makeup cooling water with the feedwater and RCIC systems both unavailable. The main HPCS pump (HPCS-P-1) has an electric motor. The pump transfer water from the large storage tank to the reactor vessel. While RCIC is designed to supply makeup water to compensate for inventory boiled off after the reactor shuts down, the HPCS system is designed to also compensate for water being lost through a small-diameter (about 2 inches) pipe that drains cooling water from the reactor vessel. Consequently, the HPCS system flow rate is about ten times greater than the RCIC system flow rate. And whereas the RCIC system flow rate can be throttled to match the makeup need, the HPCS system makeup flow is either full or zero.

The HPCS system refilled the reactor vessel soon after it was started. The operators closed the HPCS system injection valve (V-4) after about a minute. The minimum flow valve (V-12) automatically opened to direct the pump flow to the suppression pool instead of to the reactor vessel (see Figure 6). The HCPS system ran in “idle” mode for the next 3 hours and 42 minutes.

Fig. 6 (Source: Nuclear Regulatory Commission annotated by UCS)

Yet More Trouble Onsite – Water Leaking into Reactor Building

On December 18, workers discovered that the restricting orifice (RO) downstream of V-12 had leaked an estimated 4.7 gallons per minute into the reactor building while the HPCS system had operated. The NRC team learned that the gasket material used in this restricting orifice had been the subject of an industry operating experience report in 2007. A condition report was written at Columbia Generating Station in 2008 to have engineering assess the operating experience report and gasket materials used at the plant. In early 2010, the condition report was closed out based on engineering’s evaluation to use the gasket material recommended in the industry report. But the “bad” gaskets were not replaced.

Operating experience cited in the 2007 industry report revealed that the original gasket material was vulnerable to erosion. The report described two adverse consequences from the material’s erosion. First, pieces of the gasket could be carried by the water into the reactor vessel where the material impacting the fuel rods could damage their cladding. Second, gasket erosion could allow leakage. The 2007 industry report thus forecast the problem experienced at Columbia Generating Station in December 2016. The solution recommended by the 2007 report was not implemented until after the forecast problem has occurred.

NRC Sanctions

The NRC’s special inspection team identified three safety violations at the Columbia Generating Station. Two violations involved the operators failing to follow written procedures: (1) the failure to trip the main generator which resulted in the unnecessary closure of the MSIVs, and (2) the failure to properly start the RCIC system which resulted in the unnecessary trip of its turbine. The third violation was associated with the continued use of gasket material determined nearly a decade earlier to be improper for this application.

UCS Perspective

Self-inflicted problems turned a fairly routine incident into a near-miss. Luck stopped it from progressing further.

The problem started offsite due to causes outside the control of the plant’s owner. Those uncontrollable causes resulted in the main generator output breakers opening as designed.

By procedure, the operators were supposed to trip the main generator. Failing to do so resulted in the unnecessary closure of the MSIVs and the loss of the normal makeup cooling flow to the reactor vessel.

By procedure, the operators were supposed to manually start the RCIC system to provide backup cooling water flow to the reactor vessel. But they failed to properly start the system and it immediately tripped.

Procedures are like recipes—positive outcomes are achieved only when they are followed.

The operators resorted to using the HPCS system. It took about a minute for the HPCS system to recover the reactor vessel water level—the operators left it running in “idle” for the next three hours and 42 minutes during which time about 5 gallons per minute leaked into the reactor building. The leak was through eroded gasket material that had been identified as improper for this application nearly a decade earlier, but never replaced.

Defense-in-depth is a nuclear safety hallmark. That hallmark works best when operators don’t bypass barriers and when workers patch known holes in barriers. Luckily, other barriers remained effective to thwart this near-miss from becoming a disaster. But luck is a fickle factor that needs to be minimized whenever possible.

Managing Nuclear Worker Fatigue

The Nuclear Regulatory Commission (NRC) issued a policy statement on February 18, 1982, seeking to protect nuclear plant personnel against impairment by fatigue from working too many hours. The NRC backed up this policy statement by issuing Generic Letter 82-12, “Nuclear Power Plant Staff Working Hours,” on June 15, 1982. The Generic Letter outlined guidelines such as limiting individuals to 16-hour shifts and providing for a break of at least 8 hours between shifts. But policy statements and guidelines are not enforceable regulatory requirements.

Fig. 1 (Source: GDJ’s Clipart)

UCS issued a report titled “Overtime and Staffing Problems in the Commercial Nuclear Power Industry” in March 1999 describing how the NRC’s regulations failed to adequately protect against human impairment caused by fatigue. Our report revealed that workers at one nuclear plant in the Midwest logged more than 50,000 overtime hours in one year.

Barry Quigley, then a worker at a nuclear plant in the Midwest, submitted a petition for rulemaking to the NRC on September 28, 1999. The NRC issued regulations in the 1980s intended to protect against human impairment caused by drugs and alcohol. Nuclear plant workers were subject to initial, random follow-up, and for-cause drug and alcohol testing. Quiqley’s petition sought to extend the fitness-for-duty requirements to include limits on working hours. The NRC revised its regulations on March 31, 2008, to require that owners implement fatigue management measures. The revised regulations permit individuals to exceed the working hour limits, but only under certain conditions. Owners are required to submit annual reports to the NRC on the number of working hour limit waivers granted.

The NRC’s Office of Nuclear Regulatory Research recently analyzed the first five years of the working hour limits regulation. The analysis reported that in 2000, the year when the NRC initiated the rulemaking process, more than 7,500 waivers of the working hour limits suggested by Generic Letter 82-12 were being issued at some plants while about one-third of the plants granted over 1,000 waivers annually. In 2010, the first year the revised regulations were in effect, a total of 3,800 waivers were granted for the entire fleet of operating reactors. By 2015, the number of waivers for all nuclear plants had dropped to 338. The Grand Gulf nuclear plant near Port Gibson, Mississippi topped the 2015 list with 69 waivers. But 54 (78%) of the waivers were associated with the force-on-force security exercise.

The analysis indicates that owners have learned how to manage worker shifts within the NRC’s revised regulations. Zero waivers are unattainable due to unforeseen events like workers calling in sick and tasks unexpectedly taking longer to complete. The analysis suggests that the revised regulations enable owners to handle such unforeseen needs without the associated controls and reporting being an undue burden.

The regulatory requirements adopted by the NRC to protect against sleepy nuclear plant workers should let people living near nuclear plants sleep a little better.

Leak at the Creek: Davis-Besse-like Cooling Leak Shuts Down Wolf Creek

The Wolf Creek Generating Station near Burlington, Kansas has one Westinghouse four-loop pressurized water reactor that began operating in 1985. In the early morning hours of Friday, September 2, 2016, the reactor was operating at full power. A test completed at 4:08 am indicated that leakage into the containment from unidentified sources was 1.358 gallons per minute (gpm). The maximum regulatory limit for was such leakage was 1.0 gpm. If the test results were valid, the reactor had to be shut down within hours. Workers began running the test again to either confirm the excessive leak or determine whether it may have been a bad test. The computer collects data over a two-hour period and averages it to avoid false indications caused by momentary instrumentation spikes and other glitches. (It is standard industry practice to question test results suggesting problems but accept without question “good” test results.)

The retest results came in at 6:52 am and showed the unidentified leakage rate to be 0.521 gpm, within the legal limit. Nevertheless, management took the conservative step of entering the response procedure for excessive leakage. At 10 am, the operators began shutting down the reactor. They completed the shutdown by tripping the reactor from 30 percent power at 11:58 am.

Wolf Creek has three limits on reactor cooling water leakage. There’s a limit of 10 gpm from known sources, such as a tank that collects water seeping through valve gaskets. The source of such leakage is known and being monitored for protection against further degradation. There’s a stricter limit of 1 gpm from unknown sources. While such leakage is usually found to be from fairly benign sources, not knowing it to be so imposes a tighter limitation. Finally, there’s the strictest limit of zero leakage, not even an occasional drop or two, from the reactor coolant pressure boundary (i.e., leaks through a cracked pipe or reactor vessel weld. Reactor coolant pressure boundary leaks can propagate very quickly into very undesirable dimensions; hence, there’s no tolerance for them. Figure shows that the unknown leakage rate at Wolf Creek held steady around one-tenth (0.10) gallon per minute during July and August 2016 but significantly increase in early September.

Fig. 1 (Source: Freedom of Information Act response to Greenpeace)

The reactor core at Wolf Creek sits inside the reactor vessel made of metal six or more inches thick (see Figure 2). The reactor vessel sits inside the steel-reinforced concrete containment structure several feet thick. The dome-shaped top, or head, of the reactor vessel is bolted to its lower portion. Dozens of penetrations through the head permit connections between the control rods within the reactor core and their motors housed within a platform mounted on the head. Other penetrations allow temperature instruments inside the reactor vessel to send readings to gauges and computers outside it.

Fig. 2 (Source: Nuclear Regulatory Commission)

Wolf Creek has 78 penetrations through its reactor vessel head, including a small handful of spares. Workers entered containment after the reactor shut down looking for the source(s) of the leakage. They found cooling water spraying from penetration 77 atop the reactor vessel head. The leak sprayed water towards several other penetrations as shown in Figure 3. Penetration 77 allowed a thermocouple within the vessel to send its measurements to instrumentation.

Fig. 3 (Source: Wolf Creek Nuclear Operating Corporation)

The spray slowed and then stopped as the operators cooled the reactor water temperature below the boiling point. Workers performed a closer examination of the leakage source (see Figure 4) and its consequences. The reactor cooling water at Wolf Creek is borated. Boric acid is dissolved in the water to help control the nuclear chain reaction in the core as uranium fuel is consumed. Once water leaked from the vessel evaporated, boric acid crystals remained behind, looking somewhat like frost accumulation.

Fig. 4 (Source: Freedom of Information Act response to Greenpeace)

The spray from leaking Penetration 77 blanketed many neighbors with boric acid as shown in Figure 5. The vertical tubes are made from metal that resists corrosion by boric acid. The reactor vessel (the grayish dome-shaped object on the left side of the picture) is made from metal that is considerably less resistant to boric acid corrosion. The inner surface of the reactor vessel is coated with a thin layer of stainless steel for protection against boric acid. The outer surface is only protected when borated water doesn’t leak onto it.

Fig. 5 (Source: Freedom of Information Act response to Greenpeace)

The white-as-frost blankets coating the penetrations indicated little to no corrosion damage. But rust-colored residue in the Figure 6 pictures is a clear sign of corrosion degradation to the reactor vessel head by the boric acid. It may not be déjà vu all over again, but it’s too much Davis-Besse all over again. Boric acid corroded the Davis-Besse reactor head all the way down to the thin stainless steel liner. The NRC determined Davis-Besse to have come closer to an accident than any other US reactor since the March 1979 meltdown at Three Mile Island.

Fig. 6 (Source: Freedom of Information Act response to Greenpeace)

Fortunately, the degradation appears much worse in the pictures than it actually was. Actually, fortune had an ally at Wolf Creek that was missing at Davis-Besse. Both reactors exhibited signs that reactor cooling water was leaking into containment. The indicated leak rates at both reactors were below regulatory limits, except for one anomalous indication at Wolf Creek. Managers at Davis-Besse opted to dismiss the warning signs and keep the reactor operating. Managers at Wolf Creek heeded the danger signs and shut down the reactor. It’s not that they erred on the side of caution—putting nuclear safety first must never be considered an error. It’s that they avoided making the Davis-Besse mistake of putting production ahead of safety.

Wolf Creek restarted on November 21, 2016, after repairing Penetration 77, removing the boric acid, and verifying no significant damage to other penetrations and the reactor vessel head. But they also conducted refueling activities—already planned to require 55 days—during that 80-day period. The NRC closely monitored the response to the leakage and its repair and found no violations.

Davis-Besse chose production over safety but got neither. The reactor was shut down for over two years, generating no revenue but lots of costly repair bills. The reactor vessel head and other components inside the containment extensively damaged by boric acid corrosion were replaced. Many senior managers at the plant and in the corporate officers were also replaced. And the NRC fined the owner a record $5,450.000 fine for numerous safety violations.

Nuclear Safety Snapshot

Figure 7 shows the reactor vessel head at Wolf Creek without any boric acid blankets and corrosion. But the image I’ll remember about this event is neither this picture, nor the picture of the hole in Penetration 77, nor the picture of the boric acid blankets on adjacent penetrations, and nor the picture of rust-colored residue. It’s the mental picture of operators and managers at Wolf Creek who, when faced with Davis-Besse-like cooling water leak indications, responded unlike their counterparts by shutting the reactor down and fixing the problem rather than rationalizing it away. It’s an easy decision when viewed in hindsight but a tough one at the time it was made.

Davis-Besse made headlines, lots and lots of headlines, for exercising very poor judgment. Wolf Creek may not warrant headlines for using good judgment, but they at least deserve to be on the front page somewhere below the banner headline and feature article about today’s bad guys.

Fig. 7 (Source: Freedom of Information Act —response to Greenpeace)

Nuclear Safety Video

Unfortunately, the picture of Wolf Creek responding well to a safety challenge is a snapshot in time that does not assure success in facing tomorrow’s challenges.

Fortunately, the picture of Davis-Besse responding poorly to a safety challenge is also a snapshot in time that does not assure failure in facing future challenges.

Nuclear safety is dynamic, more like a video than a snapshot. That video is more likely to have a happy ending when the lessons of what worked well along with lessons from what didn’t work factor into decision-making. Being pulled away from bad choices is helpful. Being pushed towards good choices is helpful, too. Nuclear safety works best when both forces are applied.

The NRC and the nuclear industry made quite the hullabaloo about Davis-Besse. Why have they been so silent about Wolf Creek? It’s a swell snapshot that could help the video turn out swell, too.

The NRC and Nuclear Safety Culture: Do As I Say, Not As I Do

Many times over the past 20 years the Nuclear Regulatory Commission (NRC) has intervened when evidence strongly suggested a nuclear power plant had nuclear safety culture problems. The evidence used by the NRC to trigger its interventions was readily available to the plant owners, but the owners had downplayed or rationalized away the evidence until the NRC forced them to face reality.

The evidence used by the NRC to detect these nuclear safety culture problems included work force surveys indicating a sizeable portion of workers reluctant to raise safety concerns and allegations received by NRC from workers about reprisals and harassment they experienced after raising safety concerns.

Ample evidence strongly suggests that the NRC itself has nuclear safety culture problems. The NRC’s Office of the Inspector General (OIG) has surveyed the safety culture and climate within the NRC every three years for the past two decades. The latest survey was conducted during 2015 and released in March 2016. Figure 1 from the OIG’s 2015 survey along with data from the annual Federal Employee Viewpoint Surveys and other sources show safety culture problems as bad as—it not considerably worse—than the worst safety culture problems identified at Millstone, Davis-Besse, and yes, even the TVA reactors.

FIg. 1 (Source: Nuclear Regulatory Commission Office of the Inspector General)

After the OIG’s 2009 survey of the NRC’s safety culture and climate, UCS submitted a request under the Freedom of Information Act for all records related to the actions taken by the agency in response to the survey. We obtained many records which described very few actions. And regardless of the number of actions, the OIG’s 2015 survey showed that the NRC’s safety culture was worse than in 2009 (see the last column on the right in Figure 1).

Why would the NRC take steps to remedy safety culture problems at nuclear plants yet have taken no steps to remedy its own safety culture problems? The answer is the same as to the question of why the plant owners failed to take steps to correct safety culture problems before the NRC intervened—they did not perceive the problems to exist. Likewise, Figure 2 shows that the NRC’s senior management does not perceive safety culture within the agency to need remediation.

Fig. 2 (Source: Nuclear Regulatory Commission Office of the Inspector General)

The OIG employs a consultant to conduct the triennial safety culture surveys. I attended a briefing several years ago by the consultant on the survey results. The consultant reported surveying many other federal agencies and large private corporations. The consultant pointed out that the gap between results by senior management and by the overall workforce was wider at NRC than at any other federal or private entity it had surveyed.

Just as plant owners failed to correct the problem they could not see, NRC senior management cannot fix the agency’s “invisible” safety culture problems. The NRC intervened to enable owners to see, and then fix, their safety culture problems. Someone needs to intervene to help NRC senior management see the agency’s safety culture problems so they can take the corrective measures they have often compelled plant owners to take.

UCS recently issued a report on the NRC’s safety culture problems and its history of inducing safety culture fixes at nuclear plants. And The Bulletin posted my commentary about the NRC safety culture report.

If I found a lamp washed up on a beach and rubbed it to release a genie who granted me three wishes, my first wish would be for irradiated fuel to be transferred from dangerous, overcrowded spent fuel pools into more safe and secure dry storage as soon as practical. But my second wish would be for the NRC to undertake the reforms needed to achieve and sustain a positive nuclear safety culture at the agency. My third wish would be for a thousand additional wishes, so don’t worry that I squandered my first two.

Kudos to NRC for Lessons-Learned Review at Columbia Fuel Fabrication Facility

Disaster by Design/Safety by Intent #63

Safety by Intent

Westinghouse Electric Corporation notified the Nuclear Regulatory Commission (NRC) on July 14, 2016, that workers at its Columbia Fuel Fabrication Facility (CFFF) in South Carolina found significant accumulation of uranium in a ventilation system. The amount of enriched uranium exceeded limits established at the facility as protection against inadvertent criticality.

The uranium accumulated in process vent scrubber S-1030 shown towards the upper left side of Figure 1.

Fig. 1 (Source: Nuclear Regulatory Commission)

The NRC dispatched an Augmented Inspection Team (AIT) to the site to investigate the causes and corrective actions for the event. The NRC sends Special Inspection Teams and Augmented Inspection Teams to investigate discoveries like the one reported at CFFF that have the potential for increasing the risk of an accident.

The AIT concluded in its report dated October 26, 2016, that “Westinghouse failed to provide adequate levels of oversight, enforcement, and accountability to the organizations directly involved with configuration management, operations, and maintenance of the wet ventilation systems.” Specifically, Westinghouse had assumed that only minute quantities of uranium could collect in that portion of the ventilation system and took no actions to either validate or confirm that key assumption.

To this point, both Westinghouse and NRC followed established practices. Upon discovery a condition above the reporting threshold, Westinghouse notified the NRC. Upon receiving notification from Westinghouse about a condition above its normal response threshold, the NRC dispatched an Augmented Inspection Team.

The NRC’s Extra Effort

The NRC did not stop with its AIT probe into whatever problems Westinghouse had that resulted in the event at CFFF. Two days after issuing the AIT report, the NRC chartered a team to examine lessons the agency could learn from the event. This second team was not tasked with supplemental Westinghouse bashing. That had been the AIT’s role. The lessons-learned team was tasked with assessing whether the NRC could make changes in its efforts so as to lessen the likelihood events like the CFFF would recur. Specifically, the lessons learned team was asked to evaluate the NRC’s license review process, inspection program, operating experience program, organization of oversight groups, and knowledge management programs.

It is commendable that the NRC undertook this introspective review. The review would either confirm that the agency is effective applying its resources or recommend ways to reallocate resources for increased effectiveness.

The NRC’s Extra Safety Gains

The AIT verified that Westinghouse had taken or would be taking appropriate corrective actions to lessen the likelihood of recurrence of this problem at its CFFF. The lessons-learned task force identified steps the NRC could take in all five focus areas to lessen the likelihood that such an event could recur at any NRC-licensed fuel cycle facility.

The team concluded that the NRC’s license review process and its inspection program allocated resources based on perceived risk significance. In other words, items with high and moderate risk significance received more attention than items having low risk consequences. The team did not find this triage system unacceptable. It is imperative to properly focus limited resources. But the team did make recommendations on ways NRC’s reviewers and inspectors could verify that items deemed low risk truly have low risk.

The team characterized the agency’s operating experience and knowledge management programs as being more supplemental than integral parts of business. Some of the NRC staff interviewed by the team used the programs extensively; other staffers were aware of the programs but had not used them. The team made several recommendations intended to integrate the operating experience and knowledge management programs into day-to-day work practices. For example, the team recommended training on using the operating experience database to lower the height and shorten the duration of the learning curve needed for users to become proficient with this tool.

The NRC’s Safety Backstop

In theory, NRC’s reviewers and inspectors should find no safety problems. NRC’s licensees—the owners of nuclear power plants and fuel cycle facilities—are responsible under the law for complying with regulations intended to manage risk to workers and the public.

In practice, NRC’s reviewers and inspectors could, and do, find safety problems. Not because NRC’s licensees are deliberately violating safety regulations, but compliance is a dynamic challenge.

By undertaking the lessons learned review of the CFFF event, the NRC makes its safety backstop more robust and reliable. The recommendations made by the team will, when implemented, improve the effectiveness of NRC’s reviewers and inspectors. The NRC’s reviewers and inspectors were already good, but the agency’s efforts to make them better result in making workers and the public safer.

It may not be the ultimate win-win situation, but it’s got to be among the top ten.


UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Nuclear Safety Performance at Pilgrim

The Nuclear Regulatory Commission (NRC) held a public meeting on Tuesday, January 31, 2017, in Plymouth, Massachusetts. A large crowd of over 300 individuals (perhaps thousands more by White House math) attended, including me. Elected officials in Massachusetts—the attorney general, the governor, the entire US Congressional delegation, and state senators and representatives—had requested the meeting. Many of these officials, or their representatives, attended the meeting.

The elected officials asked the NRC to conduct a public meeting to discuss the contents of an email from the leader of an NRC inspection team at Pilgrim to others within the agency regarding the results from the first week’s efforts. An NRC staffer forwarded this email to others within the agency, and inadvertently to Diane Turco of the Cape Downwinders, a local organization. The contents of the leaked email generated considerable attention.

Unique NRC Meeting
During my nearly two decades at UCS, I have attended dozens, perhaps hundreds (maybe even millions by White House accounting) of NRC meetings. The Plymouth meeting was unique. It was the only NRC meeting I’ve attended to discuss an email.

And it was the only NRC meeting I’ve attended where public speaking slots were chosen by raffle. In all prior meetings, members of the public raised their hands to be called upon by the NRC staff, queued behind a microphone in the room in order to speak, or added their names to a list to speak in the order specified by the sign-up sheet. At this meeting, the NRC used a raffle system. I received Ticket #4 (see Figure 1), giving me an opportunity to “win” a chance to speak for up to 3 minutes (or 180 seconds, whichever came first) during the meeting.

Fig. 1 (Source: Nuclear Regulatory Commission)

Fig. 2 (Source: Nuclear Regulatory Commission)

My ticket, along with at least 74 other tickets, was placed into a fishbowl. Brett Klukan, an attorney in NRC Region I, drew tickets from the bowl to establish the speaker order. Because the fishbowl was clear glass, Brett gazed at the ceiling to avoid charges of cherry-picking preferred ticket numbers (see Figure 2). Brett then wrote the number drawn on a whiteboard without showing the number to anyone else, somewhat offsetting the averted gaze tactic since he could have jotted down any number he wished.Unique NRC Discussion

Brett Klukan opened the meeting by introducing the NRC panelists and covering some ground rules for the meeting. The ground rules included a decorum standard—any audience member disrupting the meeting three times would be asked to leave. If the individual did not leave voluntarily, Brett explained that law enforcement officers (and there were numerous uniformed officers in the room and in the hallway outside) would escort the person from the room.

Brett then turned the meeting over to the NRC panel of Dan Dorman, the Regional Administrator for NRC’s Region I, Bill Dean, the NRC’s Director of the Office of Nuclear Reactor Regulation, Raymond Lorson, the Director of the Division of Reactor Safety in Region I, and Don Jackson, the leader of the NRC inspection team at Pilgrim and author of the email.

Don went through the leaked email, which he had written, updating the audience on each issue and supplementing the email with results from the team’s efforts since that initial week. I had expected the NRC to talk about what systems, components, and administrative processes the inspection team examined, but anticipated the NRC would not discuss results until the team’s report was approved and publicly released. But Don candidly provided the results, too. More than once, Don explained that the team identified an apparent violation of NRC’s regulations—in fact, he stated that 10 to 15 potential violations had been identified.

After the NRC panel finished their remarks, the meeting moved to comments and questions from the public. I was the third member of the audience to speak to the NRC. Figure 3 shows Brett Klukan at the podium to the left, the NRC panel in the center, and several members of the audience turning to look at the speaker standing at the microphone located towards the back of the room out of view to the far right.

Fig. 3 (Source: Nuclear Regulatory Commission)

I asked the NRC four questions. After I posed the four questions, the NRC panel answered. My questions and the NRC’s answers:

UCS Question #1

The NRC’s 20-member inspection team covered a lot of ground, but still examined a small fraction of the safety systems at Pilgrim. Based on the large number of safety violations in the small sample the team examined, what assurance can the NRC provide about the state of the majority of safety systems the team did not examine?

NRC Answer: The NRC’s reactor oversight process (ROP) features periodic inspections of safety systems at Pilgrim with the team inspection being supplemental to those activities. If there were problems in those other safety systems, the periodic inspections would reveal them.

UCS Response: Don Jackson described his team identifying 10 to 15 apparent violations of federal safety regulations in the small sample of safety systems they examined—violations that apparently were NOT revealed previously by the ROP’s periodic inspection efforts. Those routine inspection efforts failed to identify violations among the small sample, strongly suggesting that the routine inspection efforts also fail to find violations in the larger sample.

UCS Question #2

Don Jackson explained that the text in his email about the staff at Pilgrim appearing overwhelmed or shocked referred to their reaction to the arrival of the NRC’s 20-member inspection team. Does the NRC believe that this staff might also be overwhelmed or shocked in response to an accident?

NRC Answer: Don Jackson explained that his email comments referred primarily to the plant’s support staff (e.g, engineers, maintenance workers, etc.) rather than about the control room operators. Don said that his assessment of the operators at Pilgrim during their duties in the control room and during exercises on the control room simulator gave him complete confidence that the operators would be able to successfully respond to an accident.

UCS Response: Even if Don’s assessment is correct (and the operators losing control of the reactor during a routine startup causing it to automatically shut down to avoid fuel damage, the operators mis-operating numerous safety components following Winter Storm Juno and the operators not receiving proper training on the use of the high pressure coolant injection system leaves room for doubt), it is incomplete. The response to an accident involves considerably more than the handful of operators on duty at the time. NRC’s regulations require dozens of other plant workers to staff the Technical Support Center, the Operations Support Center, and the Emergency Operations Facility. The work force freaking out because 20 NRC inspectors arrive on site—by an appointment made weeks in advance—suggests that work force could be equally stressed out responding to an unannounced accident.

UCS Question #3

Dan Dorman mentioned the NRC planned to conduct another public meeting in late March about this inspection and to release the team’s final report in mid-April. Would it be possible for the NRC to issue the final report before the public meeting to allow the public to review the report and participate meaningfully in the meeting?

NRC Answer: Don Jackson mentioned that the report for a recent team inspection at another nuclear plant was over 350 pages due to all the information it contained. He said it would take sustained effort for the report by the team for their inspection at Pilgrim to be issued by mid-April, with no real opportunity for putting it out sooner.

UCS Response: There are two items both under full control of the NRC—the public meeting and the team inspection report. I have no reason to doubt Don’s word that mid-April is the soonest that the report can be released. I have every reason to doubt why the NRC must hold the public meeting in late March. The NRC could conduct the public meeting in late April, or early May, or mid-May, or late-May, or early June, or any time after they release the team’s report. The only reason for the NRC to conduct a public meeting about a non-existent report is because that’s the way they prefer to do it.

UCS Question #4

Audience members for this meeting are given three strikes before they are out of the meeting. How many strikes has the NRC given Pilgrim before it is out?

NRC Answer: Bill Dean began to answer the question, but Dan Dorman interrupted him. Dan labeled the question rhetorical and directed Brett to proceed with the next speaker.

UCS Response: I appreciate NRC bringing back Bert the turtle with this Duck and Cover gimmick. To be sure, I’d have better appreciated the NRC’s explanation why audience members get dragged out of the room after three strikes while Pilgrim does not get shut down after 10 to 15 violations of federal safety regulations. But this is America where everyone has the right to chicken out. My apologies if I put the NRC in a fowl mood.

To Be (Shut Down) or Not to Be (Shut Down)

The recurring theme during the meeting was whether the known performance problems warranted the shutdown of Pilgrim (either permanently or until the problem backlog was eliminated) or if Pilgrim could continue operating without exposing the community to undue risk.

Best I could tell, the meeting did not change any participant’s viewpoint. If one entered the room believing Pilgrim was troubled but sufficiently safe, one left the room with this belief intact. If one entered the room feeling Pilgrim’s problems posed too great a hazard, one probably left the room with even stronger convictions.

The meeting was somewhat like a court trial in that two reasonably supported but entirely opposite arguments were presented. The meeting was unlike a court trial in that instead of a jury, only time may decide which argument is right.

The Argument for Pilgrim Continuing to Operate

The team inspection led by Don Jackson is a direct result of an increasing number of problems at Pilgrim that caused the NRC to drop its performance assessment from Column 1 of the ROP’s Action Matrix into Column 2, 3 and eventually 4. The NRC developed the ROP in the late 1990s in response to high-profile troubled nuclear plants like Millstone, Salem, and Cooper.

The Action Matrix has five columns. A reactor with performance so bad that the NRC places it into Action Matrix Column 5 cannot operate until the NRC is satisfied enough of the problems have been corrected to permit restart.

Dan Dorman and Don Jackson tried to explain during the meeting that it was not the number of problems that determined placement into Column 5, it was the severity of the problems that mattered. They said several times that the 10 to 15 apparent violations identified by the team reinforced the NRC’s determination that Pilgrim was a Column 4 performer, but did not cause them to feel movement into Column 5 was warranted.

The Action Matrix is like our legal system. Persons guilty of a single misdemeanor generally receive lesser sanctions than persons guilty of multiple misdemeanors who in turn generally receive lesser sanctions than persons guilty of a single felony. Persons guilty of multiple felonies tend to be those receiving the severest sanctions and incarceration.

Pilgrim got into Column 4 as the result of several violations identified by NRC inspectors that were classified as White, the second least severe classification in the NRC’s Green, White, Yellow, and Red system. The data suggest performance shortcomings warranting regulatory attention, but it doesn’t suggest a trip to nuclear jail.

The Argument for Pilgrim Shutting Down

The NRC panelists stated several times during the meeting that they did not see any immediate safety concern that required Pilgrim to be shut down. Those assurances would be more meaningful and credible had the panelists or their NRC colleagues periodically seen an immediate safety concern, even from a distance.

The last time the NRC saw an immediate safety concern and ordered an operating reactor to shut down was March 31, 1987 when the agency ordered the Unit 2 and 3 reactors at the Peach Bottom nuclear plant in Pennsylvania to be shut down (the Unit 1 reactor had already been permanently shut down). Dan Dorman and Ray Lorson did not join the NRC staff until 1991. Don Jackson did not come to the NRC until 2003. Of the four NRC panelists, only Bill Dean was with the agency the last time an immediate safety concern was spotted.

Yet there have been times since 1987 when immediate safety concerns have existed:

Davis-Besse Safety Blindspot

In the fall of 2001, the NRC staff drafted an order that would require the Davis-Besse nuclear plant to be shut down. To justify the order, the NRC staff assembled the strongest circumstantial case one could hope to build that an operating reactor was unsafe. The NRC staff evaluated the reactor against five criteria in Regulatory Guide 1.174 (RG 1.174). All five criteria had to be satisfied for a reactor to be considered safe. The NRC staff determined that one criterion was not met and the other four criteria were most likely not met. Absent dead bodies or a mushroom cloud, you cannot build a stronger case that an operating reactor is unsafe.

Fig. 4 (Source: Nuclear Regulatory Commission)

But NRC senior managers shelved the order and allowed Davis-Besse to continue operating. When the reactor finally shut down, workers discovered the reactor was less safe than the NRC staff had feared. Per the NRC, Davis-Besse came closer to a meltdown than any reactor since the Three Mile Island accident in March 1979 (much closer than Peach Bottom ventured in March 1987).

Worse still, when interviewed by the NRC’s Office of the Inspector General, the NRC senior managers stated, under oath, stood behind their decision. They claimed they needed absolute proof that an operating reactor was unsafe before they would order it shut down. Somehow, failing to meet five of five safety principles does not constitute absolute proof to the NRC. Perhaps not meeting eight or nine out of five safety principles would suffice.

Oconee Safety Blindspot

In June 2010, the NRC issued a confirmatory action letter (CAL) to the owner of the Oconee nuclear plant in South Carolina. The CAL required that the owner take fifteen steps to reduce risk of failure at the upriver Jocassee Dam (which was also owned by Oconee’s owner) and to lessen the flooding vulnerability at Oconee should the dam fail.

The NRC staff discovered that the failure rate for the Jocassee Dam was as high as other hazards that Oconee was protected against. Thus, failure of the dam could not be dismissed as incredible or overly speculative.

The NRC staff further estimated that if the Jocassee Dam failed, flooding at the Oconee site created a 100 percent chance of causing all three operating reactors to melt down, all cooling of the spent fuel pools to be lost, and all three reactor containments to fail.

The high risk of flooding causing three operating reactors to melt down prompted the NRC to issue the CAL to Oconee’s owner nine months before flooding caused three operating reactors at Fukushima to melt down.

The hazard was real enough to cause NRC to require the owner to take steps to lower the risk, but not real enough to warrant the reactors to shut down until the risk was better managed.

Most galling is the fact that the NRC withheld information about this hazard from the public. Their June 2010 CAL was issued in secret. When the NRC conducted their annual public meeting in the Oconee community in April 2011—about six weeks after flooding melted three operating reactors at Fukushima—they said nothing about the CAL being issued to better manage flooding vulnerabilities at Oconee. The public cannot trust an agency that withholds relevant information from them.

It may be true that the NRC would order an operating reactor to be shut down if it saw an immediate safety concern. But it’s been nearly thirty years since the NRC noticed an immediate safety concern at an operating reactor. Since then, the NRC has noticed very serious safety problems at Davis-Besse and Oconee, yet allowed those reactors to continue operating.

The Davis-Besse and Oconee cases occurred after the NRC adopted the ROP and its Action Matrix. None of the safety problems that led to the NRC staff drafting a shutdown order for Davis-Besse or issuing a CAL for flood protection problems at Oconee were considered in the ROP. Thus these safety problems were entirely invisible as far as the Action Matrix was concerned.

The NRC should not rely on a safety yardstick that ignores significant safety issues.

UCS’s Argument about Pilgrim

Because the NRC has demonstrated its ability to jettison safety standards when an operating reactor doesn’t measure up, and because it has not recently demonstrated an ability to spot an immediate safety concern, it is entirely reasonable for the community around Pilgrim to have anxiety about the plant’s known performance problems. Shutting down Pilgrim would lessen that anxiety.

Should public anxiety be used as a pretext for shutting down an operating reactor?

Absolutely not.

Instead, the public should have trust and confidence in the NRC to protect them from Pilgrim’s problems. But the NRC has not done much to warrant such trust and confidence by the NRC. If public anxiety is high, it’s because public trust and confidence in the NRC is low.

Public trust and confidence in the NRC should be the proper context for a troubled reactor continuing to operate.

That proper context is missing.

The NRC must take steps to restore public trust and confidence. They should consistently establish and enforce safety regulations. NRC senior managers must stop looking for absolute proof that operating reactors are unsafe and instead look for absolute proof that operating reactors comply with federal safety regulations.

And when NRC senior managers see safety problems, they must disclose that finding to the public. Hiding such information, as they did with the flooding vulnerabilities at Oconee, provides the public with a distorted view. And such antics provide the public with zero reason to trust anything the NRC utters. When you cherry-pick what you say and when you say it, you stop being a credible authority.

If the NRC allows Pilgrim to continue operating and the reactor has an accident, will the agency be able to honestly look victims and survivors in the eye and say they did everything they could to protect them?

Nuclear Regulatory Crusader

To many, the acronym NRC stands for Nuclear Regulatory Commission. At times, NRC has been said to stand for Nobody Really Cares, Nuclear Rubberstamp Committee, and Nielsen Ratings Commission.

In regard to Larry Criscione, it may stand for Nuclear Regulatory Crusader.

(Source: NRC)

Larry is an engineer working for the U.S. Nuclear Regulatory Commission (NRC). Last year, Larry received the Joe A. Callaway Award for Civic Courage from The Safeek Nader Trust. Joe Callaway established the award in 1990 to recognize individuals who, with integrity and at some personal risk, take a public stance to advance truth and justice.

In March 2011, the three operating reactors at the Fukushima Daiichi nuclear plant in Japan melted down after a tsunami generated by a large earthquake flooded the site and disabled primary and backup power supplies to emergency equipment. In public, the NRC denied that reactors operating in the U.S. were vulnerable to such hazards.

In private, the NRC knew otherwise.

Flooding Risk at Oconee

In June 2010—nine months before Fukushima—the NRC issued a Confirmatory Action Letter to the owner of the Oconee nuclear plant in South Carolina requiring more than a dozen measures be taken. The measures were intended to lessen the chances that the Jocassee Dam fails and to increase the chances that the three operating reactors at Oconee survive should the dam fail anyway.

An evaluation showed that if the dam—located about 21 miles upriver from Oconee—failed, the site would be inundated with about 12.5 to 16.8 feet of flood water. The site was protected by a flood wall about seven feet tall, so it mattered little whether the actual depth was 12.5, 13, 14, 15, or 16.8 feet.

The NRC estimated that if the dam failed and flooded the site, there was a 100 percent chance that all three reactors would meltdown.

But the NRC issued the Confirmatory Action Letter secretly and did not tell the public about the hazard it required Oconee’s owner to lessen. After Fukushima tragically demonstrated the hazard posed by flooding, the NRC continued to cover-up measures taken and planned to lessen the flooding vulnerability at Oconee.

Larry and the OIG

So, Larry sent a 19-page letter dated September 18, 2002, to the NRC Chairman chronicling this history and asking four things:

  1. The NRC’s Office of General Counsel (OGC) should review the documents related to flooding at Oconee and the associated federal regulations to determine whether the documents could be made publicly available.
  1. The NRC’s Office of Nuclear Security and Incident Response (NSIR) should review the information on flooding hazards redacted from documents released to the public in response to Freedom of Information Act (FOIA) requests to determine whether additional information could be made publicly available.
  1. Based on the OGC and NSIR reviews, ensure that all flooding hazard documents that can be made publicly available are publicly available.
  1. The NRC’s Office of the Inspector General (OIG) should investigate whether the agency has been inappropriately marking documents as containing “Security-Related Information.”

Exercising his rights under the Lloyd-La Follette Act of 1912, Larry copied U.S. Congressional staff members on the email transmitting his letter to the NRC Chairman.

Larry’s letter was obtained by a reporter and featured in a Huffington Post article dated October 19, 2012.

As Larry had requested, the NRC’s OIG investigated handling of documents about flooding hazards. But rather than investigate whether NRC had improperly withheld information as he contended, OIG investigated whether Larry had improperly released information. As detailed in our 2015 report on the NRC and nuclear power safety, OIG made Larry an offer—he could voluntarily resign from the NRC or they would turn over his case to the Department of Justice (DOJ) for prosecution.

Larry did not resign.

OIG did refer the case to DOJ.

DOJ did not prosecute.

Through FOIA, UCS obtained DOJ’s response to NRC declining to prosecute Criscione. Under the Primary Reasons for Declination section, DOJ checked one box—No Federal Offense Committed.

Fortunately for Larry, not breaking the law is not yet against the law.

Thanks to Larry’s selfless efforts, the flooding hazards at Oconee have been made public. Larry had been right about the NRC inappropriately withholding information from the public. When lawyers and investigators were all through, the information he sought to have publicly released was publicly released. The NRC lacked legal grounds to continue hiding it.

More importantly, NRC’s mangers may think twice—or at least once—before withholding dam safety information in the future.

Unfortunately for Larry, he experienced unnecessary stress and expense defending himself against baseless OIG investigations. The Callaway Award does not fully offset those unfortunate consequences. But it helps show Larry and others who have our backs that not everyone wants to twist a dagger in their backs.

A video of the award presentation and Larry’s acceptance speech has been posted to YouTube.

Bottom Line

Doing the right thing when it’s relatively easy fails to accurately measure courage.

Larry Criscione did the right thing when it was a very hard thing to do. He could have remained silent like so many of his co-workers opted to do. He faced a strenuous courage test and aced it.

Not-so-Fabulous Five

To some, “Fabulous Five “ brings back memories of the 1991 recruits for the University of Michigan’s basketball team—Chris Webber, Jalen Rose, Juwan Howard, Jimmy King, and Ray Jackson. The five powered Michigan to the NCAA Division I championship games in 1992 and 1993.

Others may recall the “Fab Five,” a made-for-TV movie about a 2006 cheerleader scandal at a high school in Texas.

No one hearing “Fabulous Five” thinks about the performance of the nuclear reactors owned and operated by Entergy between 2011 and 2015. The performance during those five years was anything but fabulous, unless fabulously bad counts.

Performance Reports

Every quarter, the Nuclear Regulatory Commission (NRC) takes operating data submitted by plant owners and findings by the NRC’s inspectors to assign each reactor to one of five columns in the agency’s Action Matrix. When performance meets or exceeds NRC’s expectations, a reactor is placed in Column 1. If performance levels drop, a reactor gets placed into Columns 2, 3, or 4 depending on the depth and breadth of the performance decline. When performance drops so low that operation is not permissible until problems are corrected, a reactor falls into Column 5. The NRC began using this rating system in the fourth quarter of 2000.

Back in 2000, there were 105 reactors operating in the United States. Several reactors permanently shut down and one reactor commenced operating for a current total of slightly under 100 operating reactors. Entergy operated 11 reactors during much of that period, with one reactor permanently shutting down in recent years. Based on the average Action Matrix column placement, Entergy’s reactors generally outperformed the U.S. reactor fleet between 2000 and 2010 as shown in Figure 1. (Action Matrix column placement is like golf scores—low numbers win.) But the performance of Entergy’s reactors significantly declined beginning in 2011.

Fig. 1 (

Fig. 1 (Source: Union of Concerned Scientists)

Performance Plunge

Figure 2 shows a closer look at this five-year period. For the first and second quarters of 2011, all eleven of Entergy’s reactors were placed by the NRC into Action Matrix Column 1. Those ratings reflect top performance—the NRC does not issue 1-plus scores. By fourth quarter 2014—just 14 quarters later—the average Entergy reactor was in Action Matrix Column 2. The performance difference between Entergy’s reactors and all U.S. reactors was wider than ever, and not in Entergy’s favor.

Fig. 2 (

Fig. 2 (Source: Union of Concerned Scientists)

But 10 to 11 reactors is a smaller sample than 98 to 105 reactors. Perhaps one poorly performing reactor is dragging down the Entergy fleet. Figure 3 belies that notion. Only two of Entergy’s eleven reactors remained in Column 1 each and every quarter between 2011 and 2015: Indian Point Unit 2 and Vermont Yankee. The other nine reactors visited Columns 2, 3, and 4.

Fig. 3 (

Fig. 3 (Source: Union of Concerned Scientists)

The individual Entergy reactor ratings are hard to discern. Only people who do extremely well on ink blot tests and those who can relax their minds to see prancing unicorns or frolicking grizzly bears emerge from squiggly line drawings can get much out of Figure 3. The rest of us can hopefully gain these insights from Figure 4. This figure shows the percentage of U.S. and Entergy reactors placed into Column 1 each quarter by the NRC from 2011 to 2015. For the first and second quarters of 2011, 100 percent of Entergy’s reactors resided in Column 1—a feat the U.S. reactor fleet has never achieved. But by the fourth quarter of 2014, only 30 percent of Entergy’s reactors remained in Column 1. It was clearly not a case of one bad apple spoiling the bushel, but a fleet with bushels of reactor performance problems.

Fig. 4 (

Fig. 4 (Source: Union of Concerned Scientists)

Bottom Line

The NRC rates performance for each individual reactor. For example, the NRC has rated performance for Indian Point Unit 2 as being in an Action Matrix column while placing Indian Point Unit 3 in another column, despite the reactors being side-by-side at the same site under the same management. Such granularity has its advantages. Like snowflakes, no two reactors are identical and their differences can, and do, factor into performance differences.

The NRC does not connect these individual dots to see the bigger picture. Thirty percent of Entergy’s fleet rated outside of Column 1 cannot be explained by a faulty design, an incapable senior manager, or poor relationships between work force and management. Bad luck might explain an underperforming reactor or two. But bad luck does not cause performance to drop at 70 percent of the Entergy fleet. At times, individual snowflakes team up to cause blizzards.

When its performance assessments reveal broad underperformance by the owner of a fleet of nuclear reactors, the NRC must determine whether bad corporate behavior is spoiling the bushel of reactors. The NRC need not give aptitude tests to Chief Nuclear Officers or examine budget allocations. The NRC could simply issue a “Show Cause” order to the owner requiring a formal response as to why so many of its reactors have performance problems.

When many among a fleet of ships is listing, taking on water, or steaming off-course, it would be irresponsible to wait until a ship sinks before asking the Admiral of the Fleet “what’s up?” NRC cannot wait for a reactor to meltdown before asking Entergy to explain why so many of its reactors are experiencing so many problems.

UCS to the NRC: Stop Dragging Your Feet on Important Nuclear Security Updates

Yesterday, UCS sent a letter to Nuclear Regulatory Commission (NRC) chairman Stephen Burns urging the NRC to quickly issue new versions of two outdated security documents that play a critical role in defining how nuclear plants can be adequately protected against terrorist attacks.


NRC Chair Burns (Source: NRC)

The NRC requires nuclear power plants to be protected against radiological sabotage. The design basis threat, or DBT, specifies the characteristics of the attackers that a nuclear plant’s security plan must be designed to protect against (e.g., how many attackers and what sort of equipment they may have). The DBT includes both physical attacks and cyber attacks, and specifies that the attackers can include both outsiders and insiders.

In addition, the 2005 Energy Policy Act requires that every three years the NRC must stage mock attacks (known as “force-on-force” exercises) at each nuclear power plant to demonstrate that plant security forces can protect against the DBT.

As is the case for many of its other regulations, the NRC issues documents that provide guidance to nuclear reactor owners on acceptable means for meeting these security requirements. The NRC periodically reviews these guidance documents and updates them when appropriate. However, the NRC is taking far longer than usual to revise two important security guidance documents, which have not been updated since 2007 and 2009.


Because the nuclear industry is blocking the way. As I note in the letter, “finalizing the revisions has been unnecessarily delayed due to extensive, persistent and … unreasonable objections raised by the Nuclear Energy Institute (NEI) and the power reactor licensees to the changes proposed by the NRC staff.”


Watts Bar Hokey Pokey is Not Okey Dokey

Fission Stories #200

The Watts Bar Nuclear Plant near Spring City, Tennessee has two pressurized water reactors (PWRs) like that shown in Figure 1. Water flowing through the reactor core gets heated to over 500°F, but does not boil because pressure of over 2,000 pounds per square inch prevents it. The heated water flows through tubes inside the steam generators. Heat conducted through the thin metal walls of the tubes boils water surrounding the tubes. The steam flows through a turbine that spins a generator to make electricity.

Fig. 1(

Fig. 1(Source: Nuclear Regulatory Commission)

PWRs feature emergency core cooling systems (see Figure 2) intended to provide makeup water should a pipe connected to the reactor vessel break and rapidly drain the pressurized water from the vessel. Accumulators located inside the containment building are metal tanks partially filled with water. The remaining space inside the accumulator above the water level is filled with nitrogen gas. The nitrogen gas is pressurized. If a pipe breaks, the pressure inside the reactor vessel will decrease as water jets out the broken pipe ends. When the reactor vessel pressure drops below about 600 pounds per square inch, the accumulator water will be “pushed” into the reactor vessel. The charging, safety injection, and residual heat removal pumps located outside containment will start up and supplement the water makeup function.

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

The emergency core cooling (ECC) accumulators and pumps are designed to maintain adequate cooling of the reactor core for breaks of small, medium, or large diameter pipes connected to the reactor vessel. As shown in Figure 3, the size of the break determines how quickly the transition from the high head injection (e.g., charging pumps) systems to the low pressure systems.

Fig. 3 (

Fig. 3 (Source: Nuclear Regulatory Commission)

Each PWR at Watts Bar has two charging pumps. Each charging pump is powered by an electric motor and is designed to provide 150 gallons per minute of makeup flow at the high pressure conditions. The charging pumps are located within the auxiliary building that is adjacent to the reactor containment building. Because it gets warm in Tennessee during the summer and the running motors on the charging pumps give off more heat, air conditioning units called room coolers are installed in the auxiliary building to protect the charging pumps from overheating damage. (The irony is duly noted—the components installed to protect the reactor core from overheating damage are vulnerable to overheating damage themselves.)

Each room cooler consists of a bladed fan that blows air across metal tubes filled with cooling water. The air gets cooled down as it flows past the tubes. The fan is spun by an electric motor. A belt wraps around the motor shaft and fan shaft so that when the former rotates, the latter rotates too.

Revisions and re-revisions

On November 3, 1995, the shaft for a fan on one of the charging pump room coolers for Watts Bar Unit 1 was discovered to be damaged. Workers determined that the fan belt had been tightened too much, causing the fan shaft’s damage. The maintenance procedure for the room coolers was revised to include more guidance for properly installing and tensioning the fan belt. The procedure revision was a CAPR—corrective action to prevent recurrence.

And it did prevent recurrence, at least until 2011. A revision to the maintenance procedure in 2011 removed the guidance on proper tensioning of the fan belt.

Charging pump room cooler 1B-B was found broken on December 4, 2015. Workers disassembled the unit, repaired or replaced its broken parts, and reassembled it.

Charging pump room cooler 1B-B was found broken on August 3, 2016. Workers determined that the fan belt had been tightened too much which put more strain on the fan bearing causing it to degrade.

The corrective action was to re-revise the maintenance procedure to reinsert the guidance about properly installing and tensioning the fan belt. Workers also checked all other coolers at Watts Bar that had their fan belts tensioned during the 2011 revision to the maintenance procedure to ensure they were properly tightened.

Report to the Commission

The charging pumps provide high pressure makeup to the reactor vessel should a broken pipe cause a loss of coolant accident. If the pipe has a large diameter, the reactor vessel pressure will quickly drop down to the range where the accumulators and the residual heat removal pumps can supply the necessary makeup water. Following breaks of smaller diameter pipes, the reactor pressure will also decrease, albeit at a slower rate. An evaluation by Westinghouse, the vendor for the PWRs at Watts Bar, concluded that the charging pumps might be needed for up to 7.5 days during an accident.

An engineering evaluation by the owner concluded that a charging pump running without its associated room cooler would fail in about 74 hours due to overheating of its electric motor. Because the faulty room cooler could have prevented the charging pump from operating for the entire duration of its safety mission, the owner reported the problem to the NRC.

Our Takeaway

Workers at Watts Bar danced the nuclear hokey pokey. They started with the fan belt guidance out of the procedure, then took the step of putting the guidance into the procedure, back-stepped to remove the guidance, and re-took the step of placing the guidance back into the procedure. When it was in the procedure, the fan belt guidance seemed to protect against room cooler failures. Perhaps it’s time to stop the hokey pokey now that the useful guidance is once again in the procedure.

Right now, the nuclear industry seeks to significantly reduce costs through its Delivering the Nuclear Promise initiative while the Nuclear Regulatory Commission seeks to downsize through its Project AIM efforts. The lesson of this Watts Bar episode should not be lost upon the promisers and projectors. The workers who removed the fan belt tensioning guidance in 2011 were likely unaware of the reason it had been added back in 1995. Before the promisers and projectors discontinue this practice or eliminate that activity, they need to make really sure they are not undoing past fixes. Perhaps it is no longer necessary to do that thing, or perhaps it can be done more efficiently. But the reasons why practices were started need to be fully understood before they can be safely discontinued or streamlined.

In other words, put on the thinking caps and take off those hokey pokey dancing shoes.

Fission Stories” is a column by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.