UCS Blog - All Things Nuclear, Nuclear Power Safety - Latest 2

TVA’s Nuclear Allegators

The Nuclear Regulatory Commission (NRC) receives reports about potential safety problems from plant workers, the public, members of the news media, and elected officials. The NRC calls these potential safety problems allegations, making the sources allegators. In the five years between 2012 and 2016, the NRC received 450 to 600 allegations each year. The majority of the allegations involve the nuclear power reactors licensed by the NRC.

Fig. 1 (Source: Nuclear Regulatory Commission)

While the allegations received by the NRC about nuclear power reactors cover a wide range of issues, nearly half involve chilled work environments where workers don’t feel free to raise concerns and discrimination by management for having raised concerns.

Fig. 2 (Source: Nuclear Regulatory Commission)

In 2016, the NRC received more allegations about conditions at the Watts Bar nuclear plant in Tennessee than about any other facility in America. Watts Bar’s 31 allegations exceeded the allegations from the second highest site (the Sequoyah nuclear plant, also in Tennessee, at 17) and third highest site (the Palo Verde nuclear plant in Arizona, at 12) combined. The Browns Ferry nuclear plant in Alabama and the Pilgrim nuclear plant in Massachusetts tied for fourth place with 10 allegations each. In other words, Watts Bar tops the list with a very comfortable margin.

Fig. 3 (Source: Nuclear Regulatory Commission)

In 2016, the NRC received double-digit numbers of allegations about five nuclear plants. Watts Bar, Sequoyah and Browns Ferry are owned and operated by the Tennessee Valley Authority (TVA). Why did three TVA nuclear plants place among the top five sources of allegations to the NRC?

Because TVA only operates three nuclear plants.

The NRC received zero allegations about ten nuclear plants during 2016. In the five-year period between 2012 and 2016, the NRC only received a total of three allegations each about the Clinton nuclear plant in Illinois and the Three Mile Island Unit 1 reactor in Pennsylvania (the unit that didn’t melt down). By comparison, the NRC received 110 allegations about Watts Bar, 55 allegations about Sequoyah, and 58 allegations about Browns Ferry.

TVA President Bill Johnson told Chattanooga Times Free Press Business Editor Dave Flessner that TVA is working on its safety culture problems and “there should be no public concern about the safety of our nuclear plants.” The NRC received 30 of the 31 allegations last year from workers at Watts Bar, all 17 allegations last year from workers at Sequoyah, and all 10 allegations last year from workers at Browns Ferry.

So President Johnson is somewhat right—the public has no concerns about the safety of TVA’s nuclear plants. But when so many TVA nuclear plant workers have so many nuclear safety concerns, the public has every reason to be very, very concerned.

Nuclear plant workers are somewhat like canaries in coal mines. Each is likely to be the first to sense danger. And when nuclear canaries morph into nuclear allegators in such large numbers, that sense of ominous danger cannot be downplayed.

Ad Hoc Fire Protection at Nuclear Plants Not Good Enough

A fire at a nuclear reactor is serious business. There are many ways to trigger a nuclear accident leading to damage of the reactor core, which can result in the release of radiation. But according to a senior manager at the US Nuclear Regulatory Commission (NRC), for a typical nuclear reactor, roughly half the risk that the reactor core will be damaged is due to the risk of fire. In other words, the odds that a fire will cause an accident leading to core damage equals that from all other causes combined. And that risk estimate assumes the fire protection regulations are being met.

However, a dozen reactors are not in compliance with NRC fire regulations:

  • Prairie Island Units 1 and 2 in Minnesota
  • HB Robinson in South Carolina
  • Catawba Units 1 and 2 in South Carolina
  • McGuire Units 1 and 2 in North Carolina
  • Beaver Valley Units 1 and 2 in Pennsylvania
  • Davis-Besse in Ohio
  • Hatch Units 1 and 2 in Georgia

Instead, they are using “compensatory measures,” which are not defined or regulated by the NRC. While originally intended as interim measures while the reactor came into compliance with the regulations, some reactors have used these measures for decades rather than comply with the fire regulations.

The Union of Concerned Scientists and Beyond Nuclear petitioned the NRC on May 1, 2017, to amend its regulations to include requirements for compensatory measures used when fire protection regulations are violated.

Fire Risks

The dangers of fire at nuclear reactors were made obvious in March 1975 when a fire at the Browns Ferry nuclear plant disabled all the emergency core cooling systems on Unit 1 and most of those systems on Unit 2. Only heroic worker responses prevented one or both reactor cores from damage.

The NRC issued regulations in 1980 requiring electrical cables for a primary safety system to be separated from the cables for its backup, making it less likely that a single fire could disable multiple emergency systems.

Fig. 1 Fire burning insulation off cables installed in metal trays passing through a wall. (Source: Tennessee Valley Authority)

After discovering in the late 1990s that most operating reactors did not meet the 1980 regulations, the NRC issued alternative regulations in 2004. These regulations would permit electrical cables to be in close proximity as long as analysis showed the fire could be put out before it damaged both sets of cables. Owners had the option of complying with either the 1980 or 2004 regulations. But the dozen reactors listed above are still not in compliance with either set of regulations.

The NRC issued the 1980 and 2004 fire protection regulations following formal rulemaking processes that allowed plant owners to contest proposed measures they felt were too onerous and the public to contest measures considered too lax. These final rules defined the appropriate level of protection against fire hazards.

Rules Needed for “Compensatory Measures”

UCS and Beyond Nuclear petitioned the NRC to initiate a rulemaking process that will define the compensatory measures that can be substituted for compliance with the fire protection regulations.

The rule we seek will reduce confusion about proper compensatory measures. The most common compensatory measure is “fire watches”—human fire detectors who monitor for fires and report any sightings to the control room operators who then call out the onsite fire brigades.

For example, the owner of the Waterford nuclear plant in Louisiana deployed “continuous fire watches.” The NRC later found that they had secretly and creatively redefined “continuous fire watch” to be someone wandering by every 15 to 20 minutes. The NRC was not pleased by this move, but could not sanction the owner because there are no requirements for fire protection compensatory measures. Our petition seeks to fill that void.

The rule we seek will also restore public participation in nuclear safety decisions. The public had opportunities to legally challenge elements of the 1980 and 2004 fire protection regulations it felt to be insufficient. But because fire protection compensatory measures are governed only by an informal, cozy relationship between the NRC and plant owners, the public has been locked out of the process. Our petition seeks to rectify that situation.

The NRC is currently reviewing our submittal to determine whether it satisfies the criteria to be accepted as a petition for rulemaking. When it does, the NRC will publish the proposed rule in the Federal Register for public comment. Stay tuned—we’ll post another commentary when the NRC opens the public comment period so you can register your vote (hopefully in favor of formal requirements for fire protection compensatory measures.)

Exelon Generation Company (a.k.a. Nuclear Whiners)

The Unit 3 reactor at the Dresden Nuclear Power Station near Morris, Illinois is a boiling water reactor with a Mark I containment design that began operating in 1971. On June 27, 2016, operators manually started the high pressure coolant injection (HPCI) system for a test run required every quarter by the reactor’s operating license. Soon after starting HPCI, alarms sounded in the main control room. The operators shut down the HPCI system and dispatched equipment operators to the HPCI room in the reactor building to investigate the problem.

The equipment operators opened the HPCI room door and saw flames around the HPCI system’s auxiliary oil pump motor and the room filling with smoke. They reported the fire to the control room operators and used a portable extinguisher to put out the fire within three minutes.

Fig. 1 (Source: NRC)

What Broke?

The HPCI system is part of the emergency core cooling systems (ECCS) on boiling water reactors like Dresden Unit 3. The HPCI system is normally in standby mode when the reactor is operating. The HPCI system’s primary purpose is to provide makeup water to the reactor vessel in the event that a small-diameter pipe connected to the vessel breaks. The rupture of a small-diameter pipe allows cooling water to escape, but maintains the pressure within the reactor vessel too high for the many low pressure ECCS pumps to deliver makeup flow. The HPCI system takes steam produced by the reactor core’s decay heat to spin a turbine connected to a pump. The steam-driven pump transfers water from a large storage tank outside the reactor building into the reactor vessel. The HPCI system can also be used during transients without broken pipes. The HPCI system’s operation can be used by operators to help control the pressure inside the reactor vessel by drawing off the steam being produced by decay heat.

The HPCI auxiliary oil pump is powered by an electric motor. The auxiliary oil pump runs to provide lubricating oil to the HPCI system as the system starts and begins operating. Once the HPCI system is up and running, the auxiliary oil pump is no longer needed. At other boiling water reactors, the auxiliary oil pump is automatically turned off once the HPCI system is up and running—at Dresden, the auxiliary oil pump continues running.

Why the Failure was Reported

On August 25, 2016, Exelon Generation Company (hereafter Exelon) reported the HPCI system problem to the Nuclear Regulatory Commission (NRC). Exelon reported the problem “under 10 CFR 50.73(a)(2)(v)(D), ‘Any event or condition that could have prevented the fulfillment of the safety function of structures or systems that are needed to mitigate the consequences of an accident.’”

Why It Broke

Exelon additionally informed the NRC that the HPCI system auxiliary oil pump motor caught fire due to “inadequate control of critical parameters when installing a DC shunt wound motor.” The HPCI system auxiliary oil pump motor had failed in March 2015 during planned maintenance. The failure in 2015 was attributed by Exelon to “inadequate cleaning and inspection of the motor” which allowed carbon dust to accumulate inside the motor.

How the NRC Assessed the Failure

The NRC issued an inspection report on December 5, 2016, with a preliminary white finding for the HPCI system problem. The NRC determined that the repair of the HPCI system auxiliary oil pump motor following its failure in March 2015 resulted in the motor receiving higher electrical current than needed for the motor to run. Consequently, when the HPCI system was tested in June 2016, the high electrical current flowing to the auxiliary oil pump motor caused its windings to overheat and catch fire. The NRC determined that the inadequate repair in March 2015 caused the failure in June 2016. The NRC proposed a white finding in its green, white, yellow, and red string of increasingly significant findings and gave Exelon ten days to contest that classification.

During a telephone call between the NRC staff and Exelon representatives on December 15, 2016, Exelon “did not contest the characterization of the risk significance of this finding” and declined the option “to discuss this issue in a Regulatory Conference or to provide a written response.” With the proposed white finding seemingly uncontested, the NRC issued the final white finding on February 27, 2017.

Why the NRC Reassessed the Failure

It took the NRC over two months to finalize an uncontested preliminary finding because Exelon essentially contested the preliminary finding, but not in the way used by the rest of the industry and consistent with the NRC’s longstanding procedures over the 17 years that the agency’s Reactor Oversight Process has been in place.

Instead, Exelon mailed a letter dated January 12, 2017, to the NRC requesting that the agency improve the computer models it uses to determine the significance of events. Exelon whined that NRC’s computer model over-estimated the real risk because it considered only the failure of a standby component to start and the failure causing a running component to stop. Exelon pointed out that the auxiliary oil pump did permit the HPCI system to successfully start during the June 2016 test run and it later catching on fire did not disable the HPCI system. Exelon whined that the NRC’s modeling was “analogous to the situation where the starter motor of a car breaks down after the car is running and then concluding that ‘the car won’t run’ even though it is already running.”

The NRC carefully considered each of Exelon’s whines in its January 12 letter and still concluded that the failure warranted a white finding. So, the agency issued a white finding. With respect to Exelon’s whine that the auxiliary oil pump burned up after the HPCI system was up and running, the NRC reminded the company that the operators shut down the HPCI system in response to the alarms—had it been necessary to restart the HPCI system, the toasted auxiliary oil pump would have prevented it. It is not uncommon for the HPCI system to be automatically shut down (e.g., due to high water level in the reactor vessel) or to be manually shut down (e.g., due to operators restoring the vessel water level to within the prescribed band or responding to a fire alarm in the HPCI room) only to be restarted later during the transient. The NRC’s review determined that their computer model’s treatment of a “failure to restart” would yield results very similar to its treatment of a “failure to start.”

The auxiliary oil pump’s impairment reduced the HPCI system to one and done use. In an actual emergency, one and done might not have cut it—thus, NRC issued the white finding for Exelon’s poor performance that let the auxiliary oil pump literally go up in smoke.

The NRC conducted a public meeting on May 2, 2017, in response to Exelon’s letter. I called into the meeting to see if Exelon’s whines are as shallow and ill-conceived as they appear in print. I admit to being surprised—their whining came across even shallower live than in writing. And I would have bet it impossible after reading, and re-reading, their whiny letter.

What’s With the Whining?

Does Exelon hire whiners, or does the company train people to become whiners?

It’s a moot point because Exelon should stop whining and start performing.

Exelon whined that the NRC failed to recognize or appreciate that the auxiliary oil pump is only needed during startup of the HPCI system. During the June 2016 test run, the HPCI system successfully started and achieved steady-state running before the auxiliary oil pump caught fire. Workers put out the fire before it disabled the HPCI pump. But the NRC’s justification for the final white characterization of the “uncontested” finding explained why those considerations did not change their conclusion. While the auxiliary oil pump did not catch fire until after the HPCI system was successfully started during the June 2016 test run, its becoming toast would have prevented a second start.

Exelon expended considerable effort contesting and re-contesting the “uncontested” white finding. Had Exelon expended a fraction of that effort properly cleaning and inspecting the auxiliary oil pump motor, the motor would not have failed in March 2015. Had Exelon expended a fraction of that effort properly setting control parameters when the failed motor was replaced in March 2015, it would not have caught on fire in June 2016. If the motor had not caught on fire in June 2016, the NRC would not even have reached for its box of crayons in December 2016. If the NRC had not reached for its box of crayons, Exelon would not have been whining in January and May 2017 that the green crayon instead of the white one should have been picked.

So, Exelon would be better off if it stopped whining and started performing. And the people living around Exelon’s nuclear plants would be better off, too.

US Needs More Options than Yucca Mountain for Nuclear Waste

On Wednesday, I testified at a hearing of the Environment Subcommittee of the House Energy and Commerce Committee. The hearing focused on the discussion draft of a bill entitled “The Nuclear Waste Policy Amendments Act of 2017.”

Yucca Mountain (Source: White House)

The draft bill’s primary objective is to revive the program to build a geologic repository at the Yucca Mountain site in Nevada for spent nuclear fuel and other high-level radioactive wastes. The Obama administration cancelled the program in 2009, calling it “unworkable,” and the state of Nevada is bitterly opposed to it, but Yucca Mountain still has devoted advocates in Congress, including the chairman of the subcommittee, John Shimkus (R-IL).

UCS supports the need for a geologic repository for nuclear waste in the United States but doesn’t have a position on the suitability of the Yucca Mountain site. We don’t have the scientific expertise needed to make that judgement.

However, in my testimony, I expressed several concerns about the draft bill, including its focus on locating a repository only at Yucca Mountain and its proposal to weaken the NRC’s review standards for changes to repository design.

UCS believes that rigorous science must underlie the choice of any geologic repository, and that the US needs options in addition to Yucca Mountain, which has many unresolved safety issues. In addition, we believe that any legislation that revises the Nuclear Waste Policy Act must be comprehensive and include measures to enhance the safety and security of spent fuel at reactor sites—where it will be for at least several more decades. For example, we think it is essential to speed up the transfer of spent fuel from pools to dry storage casks.

Watts Bar Lacks a Proper Safety Culture

The Nuclear Regulatory Commission (NRC) issued a Chilled Work Environment Letter to the Tennessee Valley Authority (TVA) on March 23, 2016, about safety culture problems at the Watts Bar nuclear plant. TVA promised to take steps to restore a proper safety culture at the plant.

Nearly 13 months later, has a proper safety culture been restored at Watts Bar?

No, according to a report issued April 19, 2017, by the TVA Office of the Inspector General (TVA OIG).

Fig. 1. (Source: D. Lochbaum)

The TVA OIG report paints a very disturbing picture of conditions at Watts Bar. I monitored safety culture problems at Millstone (1996-2000), Davis-Besse (2002-2004), and Salem/Hope Creek (2004-2005). The problems described in the TVA OIG report are comparable to the unacceptable conditions that existed at Millstone and Davis-Besse. A difference is that the NRC did not allow Millstone or Davis-Besse to operate until those safety culture problems were corrected to an acceptable level.

The TVA OIG report explains why TVA keeps reporting that the chilled work environment at Watts Bar was confined to the Operations Department and did not contaminate other work organizations at the site: The TVA Office of the General Counsel instructed the Employee Concerns Program and others within TVA not to use “chilled work environment” and to use “degraded work environment” instead. So, while TVA cannot find chilled work environments outside Operations, they find “degraded work environments” almost every place they look. But through an artifice of semantics conjured up by TVA’s attorneys, no chilled work environments are being found.

The TVA OIG didn’t buy the semantics: “Additionally, when 75 percent of a work group at a nuclear utility perceives that they are working in a chilled environment as is the case with ECP at TVA, it would seem reasonable to conclude that there is a chilled work environment in that group and unreasonable to pass it off as a ‘degraded work environment’.”

How bad is the chilled work environment at Watts Bar? The TVA OIG report indicates that 75% of the Employee Concerns Program (ECP) staff did not feel safe to raise concerns without fear of retaliation. ECP is supposed to be the organization that workers with safety concerns can go to for help resolving them. When the helpers feel chilled, how can they truly help workers?

The ECP hired two individuals from outside TVA in February 2016 to conduct an independent investigation of the work environment at Watts Bar. According to the TVA OIG, this investigation was independent and forthright, but the ensuing report was anything but independent. The TVA OIG reviewed emails and interviewed the independent investigators and found that “the term ‘chilled work environment’ was edited out of the text of the report by ECP personnel.” In fact, the independent investigators did not write the six-page Executive Summary for “their” report—ECP wrote it. ECP wrote that a “degraded work environment” rather than a “chilled work environment” existed at Watts Bar. TVA OIG reported being unable to find “degraded work environment” being used within TVA or elsewhere prior to this “independent” report.

One of the two independent investigators told the TVA OIG that TVA management “did not like the fact that he stated that TVA management contributed to the poor SCWE [safety conscious work environment]” at Watts Bar. He was not invited back to participate in subsequent debriefing activities which “he attributed to management’s reaction to his report-out to them of the results from Phase I.” In other words, TVA shot the messenger.

The TVA OIG report states that “both the independent investigation commissioned by TVA and the SRTR [Special Review Team Report] were inappropriately influenced by TVA management” and that “the independent investigators were told by TVA ECP what they could and could not put in their report and the Executive Summary of that report was written by ECP, not the independent investigators.”

As to whether the chilled work environment issues were confined to the Operations Department, “Through personnel interviews conducted by OIG investigators, it was learned that many instances of HIRD [harassment, intimidation, retaliation, and/or discrimination] have occurred or have been alleged to have occurred in Operations and in other departments at WBN [Watts Bar Nuclear].” More specifically, surveys conducted during 2016 after workers raised concerns that led to the NRC’s Chilled Work Environment Letter being issued reveal safety culture issues outside of the Operations Department at Watts Bar.

Maintenance Department: 36% of workers feel free to report problems and concerns. 55% of workers believe they could report problems and concerns without fear of retaliation. 91% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Chemistry Department: 50% of workers feel free to report problems and concerns. 50% of workers believe they could report problems and concerns without fear of retaliation. 50% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Security Department: 34% of workers believe they could report problems and concerns without fear of retaliation. 67% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Engineering Department: 67% of workers believe they could report problems and concerns without fear of retaliation. 66% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

Radiation Protection Department: 78% of the workers witnessed behavior contrary to a healthy nuclear safety culture.

The TVA OIG explicitly states “TVA’s continuing denials have been found to be incorrect by the NRC and independent assessors: a chilled work environment exists in at least several departments at WBN and within the ECP program itself.”

The TVA OIG makes an interesting observation regarding the 51 actions that TVA identified as necessary to correct the problems expressed in the NRC’s Chilled Work Environment Letter—none of them pertain to TVA’s upper management. The TVA OIG states “It is certainly worth considering whether this might be at least a contributor, if not a root cause, of the failure of any of the CAPRs [corrective actions to prevent recurrence], remediation plans, and the like to correct the continuing recurrence of chilled work environments at TVA over the past decade.” Indeed!

Watts Bar Needs a Proper Safety Culture

The TVA OIG report makes it extremely clear that Watts Bar lacks a proper safety culture and that lack is broader than just within the Operations Department.

Watts Bar needs a proper safety culture because it is the fundamental foundation for nuclear safety overall. If workers do not raise safety concerns—either out of fear of retaliation or out of distrust that management will correct them—the inventory of unresolved safety concerns increases over time. Nuclear power plants are robust and require a large number of failures and malfunctions before an incident morphs into a disaster. The rising number of unresolved safety concerns reduces the number of failures needed to facilitate such transformations.

Proper safety cultures cannot be acquired from eBay or Amazon. Senior managers must make it happen. If TVA’s senior managers can’t or won’t make it happen, either TVA needs new senior managers or NRC needs to write TVA another letter—a stronger letter perhaps along the lines of a Show Cause Order compelling TVA’s lawyers to explain why Watts Bar can continue to operate safely with “degraded work environments” all over the site.

In the meantime, if Watts Bar experiences a disaster, it won’t be an accident. It’ll be an outcome of operating a nuclear power reactor with a safety culture documented to be woefully inadequate.

Columbia Generating Station: NRC’s Special Inspection of Self-Inflicted Safety Woes

Energy Northwest’s Columbia Generating Station near Richland, Washington has one General Electric boiling water reactor (BWR/5) with a Mark II containment design that began operating in 1984. In the late morning hours of Sunday, December 18, 2016, the station stopped generating electricity and began generating problems.

The Nuclear Regulatory Commission (NRC) dispatched a special inspection team to investigate the event after determining it could have increased the risk of reactor core damage by a factor of ten. The NRC team sought to understand the problems occurring during this near-miss as well as assess the breadth and effectiveness of the solutions proposed by the company for them.

Trouble Begins Offsite

The plant was operating at full power when the main generator output breakers opened at 11:24 am due to an electrical transient within the Ashe substation. The Ashe substation is owned and maintained by the Bonneville Power Authority and serves as the connection between electricity produced at the plant and the offsite power grid. At least three electrical breakers at the Ashe substation were supposed to have opened to de-energize the faulted transmission line(s). Had they done so, the loss of the transmission lines could have triggered protective devices at the Columbia Generating Station to automatically trip the main generator. But cold weather kept the breakers from functioning properly. Instead of the protective systems at the Columbia Generating Station responding on a system level (i.e., the de-energized transmission line(s) triggering a main generator trip), they responded at the component level (i.e., the main generator output breaker sensed the electrical transient and opened).

The turbine control valves automatically closed because the main generator was no longer fully loaded with its output breakers opened. The closure of the turbine control valves automatically tripped the reactor. The control rods fully inserted within seconds to stop the nuclear chain reaction. The output breakers, turbine control valves, and control rods all functioned per the plant’s design (see Figure 1).

Fig. 1 (Source: Nuclear Regulatory Commission annotated by UCS)

Before the trip, the main generator was producing electricity at 25,000 volts. The main transformer increased the voltage up to 500,000 volts for transmission out to the offsite power grid. The auxiliary transformers reduced the voltage to 4,160 volts and 6,900 volts for supply to equipment in the plant. The output breakers that opened to start this event are represented by the square box in the upper left corner of Figure 2.

Fig. 2 (Source: Nuclear Regulatory Commission annotated by UCS)

Trouble Begins Onsite – Loss of Heat Sink and Normal Makeup

The main generator was disconnected from the offsite power grid but continued to supply electricity through the auxiliary transformers to plant equipment. Because steam was no longer flowing to the turbine, the voltage and frequency of the electricity dropped. The voltages flowing to in-plant equipment dropped low enough to cause electrical breakers to automatically open at 11:25 am to protect motors and other electrical equipment from damage caused by under-voltage. For example, an electric motor requires an electrical current of a certain voltage in order to operate. Electrical current of lower voltage may not be enough to enable the motor to run, but that current flowing through the motor may be enough to heat it up and damage it. One of the de-energized loads caused the Main Steam Isolation Valves (MSIVs) to close. Their closure meant that steam produced by the reactor’s decay heat no longer flowed to the condenser where it got cooled by water from the plant’s cooling towers. Instead, the steam bottled up in the reactor vessel and piping until it increased the pressure to the point where the safety/relief valves opened to discharge steam to the suppression pool (see Figure 3).

The closure of the MSIVs also stopped the normal flow of makeup cooling water to the reactor vessel. The feedwater system uses steam-driven turbines connected to pumps to supply makeup cooling water to the reactor vessel. But the steam supply for the feedwater pumps is downstream of the now-closed MSIVs. The condensate and condensate booster pumps upstream of the feedwater pumps have electric motors and continued to be available. But collectively they only pump water at about two-thirds of the pressure inside the reactor vessel, meaning they could not supply makeup water unless the pressure inside the reactor vessel decreased by nearly one-third its normal pressure.

Fig. 3 (Source: Nuclear Regulatory Commission annotated by UCS)

Troubles Onsite Grow – Loss of Normal Power for Safety Buses

At 11:28 am, the safety buses SM7 and SM8 tripped on low voltage, causing their respective emergency diesel generators to start and provide power to these vital buses. This was not supposed to happen during this event. By procedure, the operators were directed to manually trip the turbine and generator following the automatic trip of the reactor. They tripped the turbine at 11:27 am, but never tripped the main generator. Tripping the main generator as specified in the procedures would have immediately caused electrical breakers to close and other electrical breakers to open to swap the supply of electricity to plant equipment from the auxiliary transformers to the startup transformers as shown in Figure 4. The startup transformers reduce 230,000 volt electricity from the offsite power grid to 4,160 volts and 6,900 volts for use by plant equipment when the main generator is unavailable. With electricity to plant equipment from the startup transformers, the MSIVs would have remained open and makeup cooling water supplied by the feedwater pumps as normally provided.

Fig. 4 (Source: Nuclear Regulatory Commission annotated by UCS)

Even More Trouble Onsite – Loss of Backup Makeup

The operators manually started the Reactor Core Isolation Cooling (RCIC) system (not shown in Figure 3, but a smaller version of the High Pressure Coolant System) at 11:32 am to provide makeup cooling water because the feedwater system was unavailable. The RCIC system’s primary function is to supply makeup cooling water when the feedwater system cannot do so. Like the feedwater pumps, the RCIC pump is connected to a steam-driven turbine. Unlike the feedwater pumps, the RCIC pump’s turbine is supplied with steam from the reactor vessel through a connection upstream of the closed MSIVs. The RCIC pump transfers water from a large storage tank to the reactor vessel.

The operators failed to follow the procedure when starting the RCIC system. The procedure called for them to close the steam admission valve (V-45) and then open the trip valve (V-1) as soon as V-45 was fully closed (see Figure 5). But they did not open V-1. The failure to open V-1 disabled the control system designed to bring the RCIC turbine up to desired speed in 12 seconds. Instead, the RCIC turbine tried to obtain the desired speed instantly. Too much steam too soon caused the RCIC turbine to automatically trip on high speed. This trip guards against the spinning turbine blades coming apart due to excessive forces.

It took about 13 minutes for workers to go down into the RCIC room in the reactor building’s basement and reset the mis-positioned valves to allow the system to be properly started. In that time, the water level inside the reactor vessel dropped about a foot as it boiled away. That still left 162 inches (13.5 feet) of water above the top of fuel in the reactor core. The operators had several hours to restore makeup cooling water flow before the reactor core started uncovering and overheating.

Fig. 5 (Source: Nuclear Regulatory Commission annotated by UCS)

The operators manually started the High Pressure Core Spray (HPCS) system at 12:09 pm to provide makeup cooling water with the feedwater and RCIC systems both unavailable. The main HPCS pump (HPCS-P-1) has an electric motor. The pump transfers water from the large storage tank to the reactor vessel. While RCIC is designed to supply makeup water to compensate for inventory boiled off after the reactor shuts down, the HPCS system is designed to also compensate for water being lost through a small-diameter (about 2 inches) pipe that drains cooling water from the reactor vessel. Consequently, the HPCS system flow rate is about ten times greater than the RCIC system flow rate. And whereas the RCIC system flow rate can be throttled to match the makeup need, the HPCS system makeup flow is either full or zero.

The HPCS system refilled the reactor vessel soon after it was started. The operators closed the HPCS system injection valve (V-4) after about a minute. The minimum flow valve (V-12) automatically opened to direct the pump flow to the suppression pool instead of to the reactor vessel (see Figure 6). The HPCS system ran in “idle” mode for the next 3 hours and 42 minutes.

Fig. 6 (Source: Nuclear Regulatory Commission annotated by UCS)

Yet More Trouble Onsite – Water Leaking into Reactor Building

On December 18, workers discovered that the restricting orifice (RO) downstream of V-12 had leaked an estimated 4.7 gallons per minute into the reactor building while the HPCS system had operated. The NRC team learned that the gasket material used in this restricting orifice had been the subject of an industry operating experience report in 2007. A condition report was written at Columbia Generating Station in 2008 to have engineering assess the operating experience report and gasket materials used at the plant. In early 2010, the condition report was closed out based on engineering’s evaluation to use the gasket material recommended in the industry report. But the “bad” gaskets were not replaced.

Operating experience cited in the 2007 industry report revealed that the original gasket material was vulnerable to erosion. The report described two adverse consequences from the material’s erosion. First, pieces of the gasket could be carried by the water into the reactor vessel where the material impacting the fuel rods could damage their cladding. Second, gasket erosion could allow leakage. The 2007 industry report thus forecast the problem experienced at Columbia Generating Station in December 2016. The solution recommended by the 2007 report was not implemented until after the forecast problem had occurred.

NRC Sanctions

The NRC’s special inspection team identified three safety violations at the Columbia Generating Station. Two violations involved the operators failing to follow written procedures: (1) the failure to trip the main generator which resulted in the unnecessary closure of the MSIVs, and (2) the failure to properly start the RCIC system which resulted in the unnecessary trip of its turbine. The third violation was associated with the continued use of gasket material determined nearly a decade earlier to be improper for this application.

UCS Perspective

Self-inflicted problems turned a fairly routine incident into a near-miss. Luck stopped it from progressing further.

The problem started offsite due to causes outside the control of the plant’s owner. Those uncontrollable causes resulted in the main generator output breakers opening as designed.

By procedure, the operators were supposed to trip the main generator. Failing to do so resulted in the unnecessary closure of the MSIVs and the loss of the normal makeup cooling flow to the reactor vessel.

By procedure, the operators were supposed to manually start the RCIC system to provide backup cooling water flow to the reactor vessel. But they failed to properly start the system and it immediately tripped.

Procedures are like recipes—positive outcomes are achieved only when they are followed.

The operators resorted to using the HPCS system. It took about a minute for the HPCS system to recover the reactor vessel water level—the operators left it running in “idle” for the next three hours and 42 minutes during which time about 5 gallons per minute leaked into the reactor building. The leak was through eroded gasket material that had been identified as improper for this application nearly a decade earlier, but never replaced.

Defense-in-depth is a nuclear safety hallmark. That hallmark works best when operators don’t bypass barriers and when workers patch known holes in barriers. Luckily, other barriers remained effective to thwart this near-miss from becoming a disaster. But luck is a fickle factor that needs to be minimized whenever possible.

Managing Nuclear Worker Fatigue

The Nuclear Regulatory Commission (NRC) issued a policy statement on February 18, 1982, seeking to protect nuclear plant personnel against impairment by fatigue from working too many hours. The NRC backed up this policy statement by issuing Generic Letter 82-12, “Nuclear Power Plant Staff Working Hours,” on June 15, 1982. The Generic Letter outlined guidelines such as limiting individuals to 16-hour shifts and providing for a break of at least 8 hours between shifts. But policy statements and guidelines are not enforceable regulatory requirements.

Fig. 1 (Source: GDJ’s Clipart)

UCS issued a report titled “Overtime and Staffing Problems in the Commercial Nuclear Power Industry” in March 1999 describing how the NRC’s regulations failed to adequately protect against human impairment caused by fatigue. Our report revealed that workers at one nuclear plant in the Midwest logged more than 50,000 overtime hours in one year.

Barry Quigley, then a worker at a nuclear plant in the Midwest, submitted a petition for rulemaking to the NRC on September 28, 1999. The NRC issued regulations in the 1980s intended to protect against human impairment caused by drugs and alcohol. Nuclear plant workers were subject to initial, random follow-up, and for-cause drug and alcohol testing. Quigley’s petition sought to extend the fitness-for-duty requirements to include limits on working hours. The NRC revised its regulations on March 31, 2008, to require that owners implement fatigue management measures. The revised regulations permit individuals to exceed the working hour limits, but only under certain conditions. Owners are required to submit annual reports to the NRC on the number of working hour limit waivers granted.

The NRC’s Office of Nuclear Regulatory Research recently analyzed the first five years of the working hour limits regulation. The analysis reported that in 2000, the year when the NRC initiated the rulemaking process, more than 7,500 waivers of the working hour limits suggested by Generic Letter 82-12 were being issued at some plants while about one-third of the plants granted over 1,000 waivers annually. In 2010, the first year the revised regulations were in effect, a total of 3,800 waivers were granted for the entire fleet of operating reactors. By 2015, the number of waivers for all nuclear plants had dropped to 338. The Grand Gulf nuclear plant near Port Gibson, Mississippi topped the 2015 list with 69 waivers. But 54 (78%) of the waivers were associated with the force-on-force security exercise.

The analysis indicates that owners have learned how to manage worker shifts within the NRC’s revised regulations. Zero waivers are unattainable due to unforeseen events like workers calling in sick and tasks unexpectedly taking longer to complete. The analysis suggests that the revised regulations enable owners to handle such unforeseen needs without the associated controls and reporting being an undue burden.

The regulatory requirements adopted by the NRC to protect against sleepy nuclear plant workers should let people living near nuclear plants sleep a little better.

Leak at the Creek: Davis-Besse-like Cooling Leak Shuts Down Wolf Creek

The Wolf Creek Generating Station near Burlington, Kansas has one Westinghouse four-loop pressurized water reactor that began operating in 1985. In the early morning hours of Friday, September 2, 2016, the reactor was operating at full power. A test completed at 4:08 am indicated that leakage into the containment from unidentified sources was 1.358 gallons per minute (gpm). The maximum regulatory limit for such leakage was 1.0 gpm. If the test results were valid, the reactor had to be shut down within hours. Workers began running the test again to either confirm the excessive leak or determine whether it may have been a bad test. The computer collects data over a two-hour period and averages it to avoid false indications caused by momentary instrumentation spikes and other glitches. (It is standard industry practice to question test results suggesting problems but accept without question “good” test results.)

The retest results came in at 6:52 am and showed the unidentified leakage rate to be 0.521 gpm, within the legal limit. Nevertheless, management took the conservative step of entering the response procedure for excessive leakage. At 10 am, the operators began shutting down the reactor. They completed the shutdown by tripping the reactor from 30 percent power at 11:58 am.

Wolf Creek has three limits on reactor cooling water leakage. There’s a limit of 10 gpm from known sources, such as a tank that collects water seeping through valve gaskets. The source of such leakage is known and being monitored for protection against further degradation. There’s a stricter limit of 1 gpm from unknown sources. While such leakage is usually found to be from fairly benign sources, not knowing it to be so imposes a tighter limitation. Finally, there’s the strictest limit of zero leakage, not even an occasional drop or two, from the reactor coolant pressure boundary (i.e., leaks through a cracked pipe or reactor vessel weld). Reactor coolant pressure boundary leaks can propagate very quickly into very undesirable dimensions; hence, there’s no tolerance for them. Figure 1 shows that the unknown leakage rate at Wolf Creek held steady around one-tenth (0.10) gallon per minute during July and August 2016 but increased significantly in early September.

Fig. 1 (Source: Freedom of Information Act response to Greenpeace)

The reactor core at Wolf Creek sits inside the reactor vessel made of metal six or more inches thick (see Figure 2). The reactor vessel sits inside the steel-reinforced concrete containment structure several feet thick. The dome-shaped top, or head, of the reactor vessel is bolted to its lower portion. Dozens of penetrations through the head permit connections between the control rods within the reactor core and their motors housed within a platform mounted on the head. Other penetrations allow temperature instruments inside the reactor vessel to send readings to gauges and computers outside it.

Fig. 2 (Source: Nuclear Regulatory Commission)

Wolf Creek has 78 penetrations through its reactor vessel head, including a small handful of spares. Workers entered containment after the reactor shut down looking for the source(s) of the leakage. They found cooling water spraying from penetration 77 atop the reactor vessel head. The leak sprayed water towards several other penetrations as shown in Figure 3. Penetration 77 allowed a thermocouple within the vessel to send its measurements to instrumentation.

Fig. 3 (Source: Wolf Creek Nuclear Operating Corporation)

The spray slowed and then stopped as the operators cooled the reactor water temperature below the boiling point. Workers performed a closer examination of the leakage source (see Figure 4) and its consequences. The reactor cooling water at Wolf Creek is borated. Boric acid is dissolved in the water to help control the nuclear chain reaction in the core as uranium fuel is consumed. Once water leaked from the vessel evaporated, boric acid crystals remained behind, looking somewhat like frost accumulation.

Fig. 4 (Source: Freedom of Information Act response to Greenpeace)

The spray from leaking Penetration 77 blanketed many neighbors with boric acid as shown in Figure 5. The vertical tubes are made from metal that resists corrosion by boric acid. The reactor vessel (the grayish dome-shaped object on the left side of the picture) is made from metal that is considerably less resistant to boric acid corrosion. The inner surface of the reactor vessel is coated with a thin layer of stainless steel for protection against boric acid. The outer surface is only protected when borated water doesn’t leak onto it.

Fig. 5 (Source: Freedom of Information Act response to Greenpeace)

The white-as-frost blankets coating the penetrations indicated little to no corrosion damage. But rust-colored residue in the Figure 6 pictures is a clear sign of corrosion degradation to the reactor vessel head by the boric acid. It may not be déjà vu all over again, but it’s too much Davis-Besse all over again. Boric acid corroded the Davis-Besse reactor head all the way down to the thin stainless steel liner. The NRC determined Davis-Besse to have come closer to an accident than any other US reactor since the March 1979 meltdown at Three Mile Island.

Fig. 6 (Source: Freedom of Information Act response to Greenpeace)

Fortunately, the degradation appears much worse in the pictures than it actually was. Actually, fortune had an ally at Wolf Creek that was missing at Davis-Besse. Both reactors exhibited signs that reactor cooling water was leaking into containment. The indicated leak rates at both reactors were below regulatory limits, except for one anomalous indication at Wolf Creek. Managers at Davis-Besse opted to dismiss the warning signs and keep the reactor operating. Managers at Wolf Creek heeded the danger signs and shut down the reactor. It’s not that they erred on the side of caution—putting nuclear safety first must never be considered an error. It’s that they avoided making the Davis-Besse mistake of putting production ahead of safety.

Wolf Creek restarted on November 21, 2016, after repairing Penetration 77, removing the boric acid, and verifying no significant damage to other penetrations and the reactor vessel head. But they also conducted refueling activities—already planned to require 55 days—during that 80-day period. The NRC closely monitored the response to the leakage and its repair and found no violations.

Davis-Besse chose production over safety but got neither. The reactor was shut down for over two years, generating no revenue but lots of costly repair bills. The reactor vessel head and other components inside the containment extensively damaged by boric acid corrosion were replaced. Many senior managers at the plant and in the corporate offices were also replaced. And the NRC fined the owner a record $5,450,000 for numerous safety violations.

Nuclear Safety Snapshot

Figure 7 shows the reactor vessel head at Wolf Creek without any boric acid blankets and corrosion. But the image I’ll remember about this event is neither this picture, nor the picture of the hole in Penetration 77, nor the picture of the boric acid blankets on adjacent penetrations, nor the picture of rust-colored residue. It’s the mental picture of operators and managers at Wolf Creek who, when faced with Davis-Besse-like cooling water leak indications, responded unlike their counterparts by shutting the reactor down and fixing the problem rather than rationalizing it away. It’s an easy decision when viewed in hindsight but a tough one at the time it was made.

Davis-Besse made headlines, lots and lots of headlines, for exercising very poor judgment. Wolf Creek may not warrant headlines for using good judgment, but they at least deserve to be on the front page somewhere below the banner headline and feature article about today’s bad guys.

Fig. 7 (Source: Freedom of Information Act response to Greenpeace)

Nuclear Safety Video

Unfortunately, the picture of Wolf Creek responding well to a safety challenge is a snapshot in time that does not assure success in facing tomorrow’s challenges.

Fortunately, the picture of Davis-Besse responding poorly to a safety challenge is also a snapshot in time that does not assure failure in facing future challenges.

Nuclear safety is dynamic, more like a video than a snapshot. That video is more likely to have a happy ending when the lessons of what worked well along with lessons from what didn’t work factor into decision-making. Being pulled away from bad choices is helpful. Being pushed towards good choices is helpful, too. Nuclear safety works best when both forces are applied.

The NRC and the nuclear industry made quite the hullabaloo about Davis-Besse. Why have they been so silent about Wolf Creek? It’s a swell snapshot that could help the video turn out swell, too.

The NRC and Nuclear Safety Culture: Do As I Say, Not As I Do

Many times over the past 20 years the Nuclear Regulatory Commission (NRC) has intervened when evidence strongly suggested a nuclear power plant had nuclear safety culture problems. The evidence used by the NRC to trigger its interventions was readily available to the plant owners, but the owners had downplayed or rationalized away the evidence until the NRC forced them to face reality.

The evidence used by the NRC to detect these nuclear safety culture problems included work force surveys indicating a sizeable portion of workers reluctant to raise safety concerns and allegations received by NRC from workers about reprisals and harassment they experienced after raising safety concerns.

Ample evidence strongly suggests that the NRC itself has nuclear safety culture problems. The NRC’s Office of the Inspector General (OIG) has surveyed the safety culture and climate within the NRC every three years for the past two decades. The latest survey was conducted during 2015 and released in March 2016. Figure 1 from the OIG’s 2015 survey along with data from the annual Federal Employee Viewpoint Surveys and other sources show safety culture problems as bad as—if not considerably worse than—the worst safety culture problems identified at Millstone, Davis-Besse, and yes, even the TVA reactors.

Fig. 1 (Source: Nuclear Regulatory Commission Office of the Inspector General)

After the OIG’s 2009 survey of the NRC’s safety culture and climate, UCS submitted a request under the Freedom of Information Act for all records related to the actions taken by the agency in response to the survey. We obtained many records which described very few actions. And regardless of the number of actions, the OIG’s 2015 survey showed that the NRC’s safety culture was worse than in 2009 (see the last column on the right in Figure 1).

Why would the NRC take steps to remedy safety culture problems at nuclear plants yet have taken no steps to remedy its own safety culture problems? The answer is the same as to the question of why the plant owners failed to take steps to correct safety culture problems before the NRC intervened—they did not perceive the problems to exist. Likewise, Figure 2 shows that the NRC’s senior management does not perceive safety culture within the agency to need remediation.

Fig. 2 (Source: Nuclear Regulatory Commission Office of the Inspector General)

The OIG employs a consultant to conduct the triennial safety culture surveys. I attended a briefing several years ago by the consultant on the survey results. The consultant reported surveying many other federal agencies and large private corporations. The consultant pointed out that the gap between results by senior management and by the overall workforce was wider at NRC than at any other federal or private entity it had surveyed.

Just as plant owners failed to correct the problem they could not see, NRC senior management cannot fix the agency’s “invisible” safety culture problems. The NRC intervened to enable owners to see, and then fix, their safety culture problems. Someone needs to intervene to help NRC senior management see the agency’s safety culture problems so they can take the corrective measures they have often compelled plant owners to take.

UCS recently issued a report on the NRC’s safety culture problems and its history of inducing safety culture fixes at nuclear plants. And The Bulletin posted my commentary about the NRC safety culture report.

If I found a lamp washed up on a beach and rubbed it to release a genie who granted me three wishes, my first wish would be for irradiated fuel to be transferred from dangerous, overcrowded spent fuel pools into more safe and secure dry storage as soon as practical. But my second wish would be for the NRC to undertake the reforms needed to achieve and sustain a positive nuclear safety culture at the agency. My third wish would be for a thousand additional wishes, so don’t worry that I squandered my first two.

Kudos to NRC for Lessons-Learned Review at Columbia Fuel Fabrication Facility

Disaster by Design/Safety by Intent #63

Safety by Intent

Westinghouse Electric Corporation notified the Nuclear Regulatory Commission (NRC) on July 14, 2016, that workers at its Columbia Fuel Fabrication Facility (CFFF) in South Carolina found significant accumulation of uranium in a ventilation system. The amount of enriched uranium exceeded limits established at the facility as protection against inadvertent criticality.

The uranium accumulated in process vent scrubber S-1030 shown towards the upper left side of Figure 1.

Fig. 1 (Source: Nuclear Regulatory Commission)

The NRC dispatched an Augmented Inspection Team (AIT) to the site to investigate the causes and corrective actions for the event. The NRC sends Special Inspection Teams and Augmented Inspection Teams to investigate discoveries like the one reported at CFFF that have the potential for increasing the risk of an accident.

The AIT concluded in its report dated October 26, 2016, that “Westinghouse failed to provide adequate levels of oversight, enforcement, and accountability to the organizations directly involved with configuration management, operations, and maintenance of the wet ventilation systems.” Specifically, Westinghouse had assumed that only minute quantities of uranium could collect in that portion of the ventilation system and took no actions to either validate or confirm that key assumption.

To this point, both Westinghouse and NRC followed established practices. Upon discovering a condition above the reporting threshold, Westinghouse notified the NRC. Upon receiving notification from Westinghouse about a condition above its normal response threshold, the NRC dispatched an Augmented Inspection Team.

The NRC’s Extra Effort

The NRC did not stop with its AIT probe into whatever problems Westinghouse had that resulted in the event at CFFF. Two days after issuing the AIT report, the NRC chartered a team to examine lessons the agency could learn from the event. This second team was not tasked with supplemental Westinghouse bashing. That had been the AIT’s role. The lessons-learned team was tasked with assessing whether the NRC could make changes in its efforts so as to lessen the likelihood that events like the one at CFFF would recur. Specifically, the lessons-learned team was asked to evaluate the NRC’s license review process, inspection program, operating experience program, organization of oversight groups, and knowledge management programs.

It is commendable that the NRC undertook this introspective review. The review would either confirm that the agency is effective applying its resources or recommend ways to reallocate resources for increased effectiveness.

The NRC’s Extra Safety Gains

The AIT verified that Westinghouse had taken or would be taking appropriate corrective actions to lessen the likelihood of recurrence of this problem at its CFFF. The lessons-learned task force identified steps the NRC could take in all five focus areas to lessen the likelihood that such an event could recur at any NRC-licensed fuel cycle facility.

The team concluded that the NRC’s license review process and its inspection program allocated resources based on perceived risk significance. In other words, items with high and moderate risk significance received more attention than items having low risk consequences. The team did not find this triage system unacceptable. It is imperative to properly focus limited resources. But the team did make recommendations on ways NRC’s reviewers and inspectors could verify that items deemed low risk truly have low risk.

The team characterized the agency’s operating experience and knowledge management programs as being more supplemental than integral parts of business. Some of the NRC staff interviewed by the team used the programs extensively; other staffers were aware of the programs but had not used them. The team made several recommendations intended to integrate the operating experience and knowledge management programs into day-to-day work practices. For example, the team recommended training on using the operating experience database to lower the height and shorten the duration of the learning curve needed for users to become proficient with this tool.

The NRC’s Safety Backstop

In theory, NRC’s reviewers and inspectors should find no safety problems. NRC’s licensees—the owners of nuclear power plants and fuel cycle facilities—are responsible under the law for complying with regulations intended to manage risk to workers and the public.

In practice, NRC’s reviewers and inspectors could, and do, find safety problems. Not because NRC’s licensees are deliberately violating safety regulations, but because compliance is a dynamic challenge.

By undertaking the lessons learned review of the CFFF event, the NRC makes its safety backstop more robust and reliable. The recommendations made by the team will, when implemented, improve the effectiveness of NRC’s reviewers and inspectors. The NRC’s reviewers and inspectors were already good, but the agency’s efforts to make them better result in making workers and the public safer.

It may not be the ultimate win-win situation, but it’s got to be among the top ten.

-----

UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Nuclear Safety Performance at Pilgrim

The Nuclear Regulatory Commission (NRC) held a public meeting on Tuesday, January 31, 2017, in Plymouth, Massachusetts. A large crowd of over 300 individuals (perhaps thousands more by White House math) attended, including me. Elected officials in Massachusetts—the attorney general, the governor, the entire US Congressional delegation, and state senators and representatives—had requested the meeting. Many of these officials, or their representatives, attended the meeting.

The elected officials asked the NRC to conduct a public meeting to discuss the contents of an email from the leader of an NRC inspection team at Pilgrim to others within the agency regarding the results from the first week’s efforts. An NRC staffer forwarded this email to others within the agency, and inadvertently to Diane Turco of the Cape Downwinders, a local organization. The contents of the leaked email generated considerable attention.

Unique NRC Meeting

During my nearly two decades at UCS, I have attended dozens, perhaps hundreds (maybe even millions by White House accounting) of NRC meetings. The Plymouth meeting was unique. It was the only NRC meeting I’ve attended to discuss an email.

And it was the only NRC meeting I’ve attended where public speaking slots were chosen by raffle. In all prior meetings, members of the public raised their hands to be called upon by the NRC staff, queued behind a microphone in the room in order to speak, or added their names to a list to speak in the order specified by the sign-up sheet. At this meeting, the NRC used a raffle system. I received Ticket #4 (see Figure 1), giving me an opportunity to “win” a chance to speak for up to 3 minutes (or 180 seconds, whichever came first) during the meeting.

Fig. 1 (Source: Nuclear Regulatory Commission)

Fig. 2 (Source: Nuclear Regulatory Commission)

My ticket, along with at least 74 other tickets, was placed into a fishbowl. Brett Klukan, an attorney in NRC Region I, drew tickets from the bowl to establish the speaker order. Because the fishbowl was clear glass, Brett gazed at the ceiling to avoid charges of cherry-picking preferred ticket numbers (see Figure 2). Brett then wrote the number drawn on a whiteboard without showing the number to anyone else, somewhat offsetting the averted gaze tactic since he could have jotted down any number he wished.

Unique NRC Discussion

Brett Klukan opened the meeting by introducing the NRC panelists and covering some ground rules for the meeting. The ground rules included a decorum standard—any audience member disrupting the meeting three times would be asked to leave. If the individual did not leave voluntarily, Brett explained that law enforcement officers (and there were numerous uniformed officers in the room and in the hallway outside) would escort the person from the room.

Brett then turned the meeting over to the NRC panel of Dan Dorman, the Regional Administrator for NRC’s Region I, Bill Dean, the NRC’s Director of the Office of Nuclear Reactor Regulation, Raymond Lorson, the Director of the Division of Reactor Safety in Region I, and Don Jackson, the leader of the NRC inspection team at Pilgrim and author of the email.

Don went through the leaked email, which he had written, updating the audience on each issue and supplementing the email with results from the team’s efforts since that initial week. I had expected the NRC to talk about what systems, components, and administrative processes the inspection team examined, but anticipated the NRC would not discuss results until the team’s report was approved and publicly released. But Don candidly provided the results, too. More than once, Don explained that the team identified an apparent violation of NRC’s regulations—in fact, he stated that 10 to 15 potential violations had been identified.

After the NRC panel finished their remarks, the meeting moved to comments and questions from the public. I was the third member of the audience to speak to the NRC. Figure 3 shows Brett Klukan at the podium to the left, the NRC panel in the center, and several members of the audience turning to look at the speaker standing at the microphone located towards the back of the room out of view to the far right.

Fig. 3 (Source: Nuclear Regulatory Commission)

I asked the NRC four questions. After I posed the four questions, the NRC panel answered. My questions and the NRC’s answers:

UCS Question #1

The NRC’s 20-member inspection team covered a lot of ground, but still examined a small fraction of the safety systems at Pilgrim. Based on the large number of safety violations in the small sample the team examined, what assurance can the NRC provide about the state of the majority of safety systems the team did not examine?

NRC Answer: The NRC’s reactor oversight process (ROP) features periodic inspections of safety systems at Pilgrim with the team inspection being supplemental to those activities. If there were problems in those other safety systems, the periodic inspections would reveal them.

UCS Response: Don Jackson described his team identifying 10 to 15 apparent violations of federal safety regulations in the small sample of safety systems they examined—violations that apparently were NOT revealed previously by the ROP’s periodic inspection efforts. Those routine inspection efforts failed to identify violations among the small sample, strongly suggesting that the routine inspection efforts also fail to find violations in the larger sample.

UCS Question #2

Don Jackson explained that the text in his email about the staff at Pilgrim appearing overwhelmed or shocked referred to their reaction to the arrival of the NRC’s 20-member inspection team. Does the NRC believe that this staff might also be overwhelmed or shocked in response to an accident?

NRC Answer: Don Jackson explained that his email comments referred primarily to the plant’s support staff (e.g., engineers, maintenance workers, etc.) rather than to the control room operators. Don said that his assessment of the operators at Pilgrim during their duties in the control room and during exercises on the control room simulator gave him complete confidence that the operators would be able to successfully respond to an accident.

UCS Response: Even if Don’s assessment is correct (and the operators losing control of the reactor during a routine startup causing it to automatically shut down to avoid fuel damage, the operators mis-operating numerous safety components following Winter Storm Juno and the operators not receiving proper training on the use of the high pressure coolant injection system leaves room for doubt), it is incomplete. The response to an accident involves considerably more than the handful of operators on duty at the time. NRC’s regulations require dozens of other plant workers to staff the Technical Support Center, the Operations Support Center, and the Emergency Operations Facility. The work force freaking out because 20 NRC inspectors arrive on site—by an appointment made weeks in advance—suggests that work force could be equally stressed out responding to an unannounced accident.

UCS Question #3

Dan Dorman mentioned the NRC planned to conduct another public meeting in late March about this inspection and to release the team’s final report in mid-April. Would it be possible for the NRC to issue the final report before the public meeting to allow the public to review the report and participate meaningfully in the meeting?

NRC Answer: Don Jackson mentioned that the report for a recent team inspection at another nuclear plant was over 350 pages due to all the information it contained. He said it would take sustained effort for the report by the team for their inspection at Pilgrim to be issued by mid-April, with no real opportunity for putting it out sooner.

UCS Response: There are two items both under full control of the NRC—the public meeting and the team inspection report. I have no reason to doubt Don’s word that mid-April is the soonest that the report can be released. I have every reason to doubt why the NRC must hold the public meeting in late March. The NRC could conduct the public meeting in late April, or early May, or mid-May, or late-May, or early June, or any time after they release the team’s report. The only reason for the NRC to conduct a public meeting about a non-existent report is because that’s the way they prefer to do it.

UCS Question #4

Audience members for this meeting are given three strikes before they are out of the meeting. How many strikes has the NRC given Pilgrim before it is out?

NRC Answer: Bill Dean began to answer the question, but Dan Dorman interrupted him. Dan labeled the question rhetorical and directed Brett to proceed with the next speaker.

UCS Response: I appreciate NRC bringing back Bert the turtle with this Duck and Cover gimmick. To be sure, I’d have better appreciated the NRC’s explanation why audience members get dragged out of the room after three strikes while Pilgrim does not get shut down after 10 to 15 violations of federal safety regulations. But this is America where everyone has the right to chicken out. My apologies if I put the NRC in a fowl mood.

To Be (Shut Down) or Not to Be (Shut Down)

The recurring theme during the meeting was whether the known performance problems warranted the shutdown of Pilgrim (either permanently or until the problem backlog was eliminated) or if Pilgrim could continue operating without exposing the community to undue risk.

Best I could tell, the meeting did not change any participant’s viewpoint. If one entered the room believing Pilgrim was troubled but sufficiently safe, one left the room with this belief intact. If one entered the room feeling Pilgrim’s problems posed too great a hazard, one probably left the room with even stronger convictions.

The meeting was somewhat like a court trial in that two reasonably supported but entirely opposite arguments were presented. The meeting was unlike a court trial in that instead of a jury, only time may decide which argument is right.

The Argument for Pilgrim Continuing to Operate

The team inspection led by Don Jackson is a direct result of an increasing number of problems at Pilgrim that caused the NRC to drop its performance assessment from Column 1 of the ROP’s Action Matrix into Column 2, 3 and eventually 4. The NRC developed the ROP in the late 1990s in response to high-profile troubled nuclear plants like Millstone, Salem, and Cooper.

The Action Matrix has five columns. A reactor with performance so bad that the NRC places it into Action Matrix Column 5 cannot operate until the NRC is satisfied enough of the problems have been corrected to permit restart.

Dan Dorman and Don Jackson tried to explain during the meeting that it was not the number of problems that determined placement into Column 5, it was the severity of the problems that mattered. They said several times that the 10 to 15 apparent violations identified by the team reinforced the NRC’s determination that Pilgrim was a Column 4 performer, but did not cause them to feel movement into Column 5 was warranted.

The Action Matrix is like our legal system. Persons guilty of a single misdemeanor generally receive lesser sanctions than persons guilty of multiple misdemeanors who in turn generally receive lesser sanctions than persons guilty of a single felony. Persons guilty of multiple felonies tend to be those receiving the severest sanctions and incarceration.

Pilgrim got into Column 4 as the result of several violations identified by NRC inspectors that were classified as White, the second least severe classification in the NRC’s Green, White, Yellow, and Red system. The data suggest performance shortcomings warranting regulatory attention, but they don’t suggest a trip to nuclear jail.

The Argument for Pilgrim Shutting Down

The NRC panelists stated several times during the meeting that they did not see any immediate safety concern that required Pilgrim to be shut down. Those assurances would be more meaningful and credible had the panelists or their NRC colleagues periodically seen an immediate safety concern, even from a distance.

The last time the NRC saw an immediate safety concern and ordered an operating reactor to shut down was March 31, 1987 when the agency ordered the Unit 2 and 3 reactors at the Peach Bottom nuclear plant in Pennsylvania to be shut down (the Unit 1 reactor had already been permanently shut down). Dan Dorman and Ray Lorson did not join the NRC staff until 1991. Don Jackson did not come to the NRC until 2003. Of the four NRC panelists, only Bill Dean was with the agency the last time an immediate safety concern was spotted.

Yet there have been times since 1987 when immediate safety concerns have existed:

Davis-Besse Safety Blindspot

In the fall of 2001, the NRC staff drafted an order that would require the Davis-Besse nuclear plant to be shut down. To justify the order, the NRC staff assembled the strongest circumstantial case one could hope to build that an operating reactor was unsafe. The NRC staff evaluated the reactor against five criteria in Regulatory Guide 1.174 (RG 1.174). All five criteria had to be satisfied for a reactor to be considered safe. The NRC staff determined that one criterion was not met and the other four criteria were most likely not met. Absent dead bodies or a mushroom cloud, you cannot build a stronger case that an operating reactor is unsafe.

Fig. 4 (Source: Nuclear Regulatory Commission)

But NRC senior managers shelved the order and allowed Davis-Besse to continue operating. When the reactor finally shut down, workers discovered the reactor was less safe than the NRC staff had feared. Per the NRC, Davis-Besse came closer to a meltdown than any reactor since the Three Mile Island accident in March 1979 (much closer than Peach Bottom ventured in March 1987).

Worse still, when interviewed by the NRC’s Office of the Inspector General, the NRC senior managers stated, under oath, that they stood behind their decision. They claimed they needed absolute proof that an operating reactor was unsafe before they would order it shut down. Somehow, failing to meet five of five safety principles does not constitute absolute proof to the NRC. Perhaps not meeting eight or nine out of five safety principles would suffice.

Oconee Safety Blindspot

In June 2010, the NRC issued a confirmatory action letter (CAL) to the owner of the Oconee nuclear plant in South Carolina. The CAL required that the owner take fifteen steps to reduce risk of failure at the upriver Jocassee Dam (which was also owned by Oconee’s owner) and to lessen the flooding vulnerability at Oconee should the dam fail.

The NRC staff discovered that the failure rate for the Jocassee Dam was as high as other hazards that Oconee was protected against. Thus, failure of the dam could not be dismissed as incredible or overly speculative.

The NRC staff further estimated that if the Jocassee Dam failed, flooding at the Oconee site created a 100 percent chance of causing all three operating reactors to melt down, all cooling of the spent fuel pools to be lost, and all three reactor containments to fail.

The high risk of flooding causing three operating reactors to melt down prompted the NRC to issue the CAL to Oconee’s owner nine months before flooding caused three operating reactors at Fukushima to melt down.

The hazard was real enough to cause NRC to require the owner to take steps to lower the risk, but not real enough to warrant shutting the reactors down until the risk was better managed.

Most galling is the fact that the NRC withheld information about this hazard from the public. Their June 2010 CAL was issued in secret. When the NRC conducted their annual public meeting in the Oconee community in April 2011—about six weeks after flooding melted three operating reactors at Fukushima—they said nothing about the CAL being issued to better manage flooding vulnerabilities at Oconee. The public cannot trust an agency that withholds relevant information from them.

It may be true that the NRC would order an operating reactor to be shut down if it saw an immediate safety concern. But it’s been nearly thirty years since the NRC noticed an immediate safety concern at an operating reactor. Since then, the NRC has noticed very serious safety problems at Davis-Besse and Oconee, yet allowed those reactors to continue operating.

The Davis-Besse and Oconee cases occurred after the NRC adopted the ROP and its Action Matrix. None of the safety problems that led to the NRC staff drafting a shutdown order for Davis-Besse or issuing a CAL for flood protection problems at Oconee were considered in the ROP. Thus these safety problems were entirely invisible as far as the Action Matrix was concerned.

The NRC should not rely on a safety yardstick that ignores significant safety issues.

UCS’s Argument about Pilgrim

Because the NRC has demonstrated its ability to jettison safety standards when an operating reactor doesn’t measure up, and because it has not recently demonstrated an ability to spot an immediate safety concern, it is entirely reasonable for the community around Pilgrim to have anxiety about the plant’s known performance problems. Shutting down Pilgrim would lessen that anxiety.

Should public anxiety be used as a pretext for shutting down an operating reactor?

Absolutely not.

Instead, the public should have trust and confidence in the NRC to protect them from Pilgrim’s problems. But the NRC has not done much to warrant such trust and confidence. If public anxiety is high, it’s because public trust and confidence in the NRC is low.

Public trust and confidence in the NRC should be the proper context for a troubled reactor continuing to operate.

That proper context is missing.

The NRC must take steps to restore public trust and confidence. They should consistently establish and enforce safety regulations. NRC senior managers must stop looking for absolute proof that operating reactors are unsafe and instead look for absolute proof that operating reactors comply with federal safety regulations.

And when NRC senior managers see safety problems, they must disclose that finding to the public. Hiding such information, as they did with the flooding vulnerabilities at Oconee, provides the public with a distorted view. And such antics provide the public with zero reason to trust anything the NRC utters. When you cherry-pick what you say and when you say it, you stop being a credible authority.

If the NRC allows Pilgrim to continue operating and the reactor has an accident, will the agency be able to honestly look victims and survivors in the eye and say they did everything they could to protect them?