UCS Blog - All Things Nuclear (with images) - Latest 1

Cuts to the Hedge

It’s Now or Never

One of the things President Obama could still do before leaving office is to cut the “hedge” force. These are nuclear weapons that the United States keeps in reserve for two reasons: technical and geopolitical. The argument for the technical hedge is that, if deployed weapons of one type experienced a problem, the U.S. could instead deploy weapons of another type from the hedge force. The geopolitical argument is that the international security situation could change, leading the United States to want to increase the number of deployed weapons.

In reality, both of these scenarios are extremely unlikely. The current nuclear stockpile is thoroughly understood and can be well maintained for decades to come by taking a sensible approach and minimizing warhead changes. It is also hard to imagine such a sudden change in the geopolitical situation that the United States would want to quickly deploy more nuclear forces. UCS and many others have long argued that the United States could reduce its arsenal to 1,000 warheads total, including hedge forces, and have more than enough warheads to ensure our security under any circumstance.

But setting that all that aside, let’s look at the current numbers in the hedge and how they could be reduced. The US keeps about 2,550 weapons (2,250 strategic and 320 tactical) in the hedge.

To comply with the New START treaty, the United States and Russia will each reduce their deployed accountable strategic weapons to 1,550 by 2018. For the United States, the actual number will likely be roughly 1,750. (This number is larger because of the way the treaty defines what counts as a weapon—bombers count as only one weapon even though they may carry multiple bombs or air-launched cruise missiles.) A study by my colleague Lisbeth Gronlund shows that the current U.S. hedge of 2,250 strategic warheads is almost twice the required technical hedge for an arsenal of that size with existing warhead types. Cutting the hedge would eliminate the costs of maintaining and storing these weapons, as well as reduce the overall U.S. arsenal and be a step toward eliminating nuclear weapons, as the United States is obligated to do under the terms of the Nuclear Non-Proliferation Treaty. President Obama could use his authority to order an immediate reduction in the size of the hedge, thereby transferring these weapons to the dismantlement queue.

Immediately Cut the Existing Hedge Maybe Obama could use a little Elvis.

Maybe Obama could use a little Elvis.

A 2013 administration report to Congress states that the Departments of Defense and Energy have re-examined their approach to determining the size of the hedge needed and concluded that a new, more efficient, strategy would allow the United States to “maintain a robust hedge against technical or geopolitical risk with fewer nuclear weapons.” It goes on to say:

A non-deployed hedge that is sized and ready to address these technical risks will also provide the United States the capability to upload additional weapons in response to geopolitical developments that alter our assessment of U.S. deployed force requirements.

In other words, a hedge that is large enough for one scenario (the failure of all weapons of one type) is also large enough to cover another scenario (a U.S. desire to quickly deploy more weapons for political reasons). That is actually significant progress, though it hasn’t led to any changes in the hedge yet.

Looking further ahead, the FY 2016 Stockpile Stewardship and Management Plan, which details plans for maintaining and upgrading U.S. nuclear warheads, states that the United States could eventually reduce the hedge by up to 50 percent. However, it specifies that this is only possible once the United States fully implements its ambitious “3+2” plan to replace its four types of ballistic missile warheads (two on land-based intercontinental ballistic missiles and two on submarine-launched ballistic missiles) with two sets of three newly-designed “interoperable” warheads—one set for use on ICBMs and the other on SLBMs. While the warheads themselves would not be interoperable (the ones for ICBMs would differ from those for SLBMs), the core of the weapon—the so-called nuclear explosive package—would be. Fully implementing the 3+2 plan will take decades, however, so this is irrelevant to current consideration of the hedge.

The same DOD document that talks about re-examining hedge requirements also discusses using “intra-leg hedging” to replace a failed weapon—in other words, replacing a failed SLBM warhead with another SLBM warhead, or a failed ICBM warhead with another ICBM warhead. Currently, it is not possible to do this with SLBM warhead types because while the arsenal includes two warheads for subs—the W76 and the W88—nearly all of the W88s are deployed, so none would be available as a backup if there were a problem with the W76. Instead, the United States would have to compensate for a problem with the W76 by deploying additional land- and air-based weapons, a strategy known as “inter-leg hedging.” While this would result in the same overall number of deployed weapons, fewer would be submarine-based. This has been the case with the U.S. arsenal for decades, and has not caused any problems. However, some DOD planners now see a chance to move toward their ideal “intra-leg” hedge force, and want to take it via the 3+2 program.

But there are a number of problems with building new warhead types to replace those in the existing arsenal. First, there are technical concerns. Using a nuclear explosive package that has not previously undergone nuclear explosive testing may reduce confidence in the reliability of the new warhead. This could lead some political and military leaders to push for renewed “proof testing” to demonstrate that the newly modified warheads will work as intended.

The unclassified executive summary of a study of the 3+2 plan by JASON, an independent group of scientists that advises the government, expresses skepticism about its benefits based partly on technical issues, noting that some of the program’s goals may compete with each other, and that some of the changes under consideration could “alter reliability or targeting accuracy.”

Second, on the political side, building new warheads could undermine U.S. nonproliferation goals by calling into question the U.S. commitment to the Comprehensive Test Ban Treaty and the Nuclear Nonproliferation Treaty. Finally, the 3+2 approach is almost certain to be more expensive than maintaining the existing stockpile through straightforward life extension programs. For example, the cost of the life extension program for the W76 warhead—the most common warhead in the U.S. stockpile—is around $4 billion. The cost estimate for the first warhead in the 3+2 plan is roughly twice that, and for far fewer warheads.

Moreover, as mentioned above, completing the 3+2 plan would take at least three decades. In short, the 3+2 plan is not the way to cut the hedge.

The good news is that the UCS study mentioned above finds that, for a New START-sized arsenal with existing warhead types, the hedge only needs to include 1,250 weapons to provide replacements in case of the technical failure of an entire class of weapon. And, as noted above, the DOD already concluded that there is no need for additional warheads beyond the technical hedge to meet its requirements.

In other words, rather than waiting decades to complete the 3+2 plan, the president could announce that the United States will immediately reduce the strategic hedge by 1,000 weapons—leaving 1,250.

In addition to strategic weapons, the hedge also contains 320 tactical weapons, all of which could be eliminated. These weapons are all B61 bombs, and would allow the US to add to the 180 tactical B61 bombs it currently deploys in Europe, or to deploy them elsewhere for “extended deterrence” purposes. The existing B61 bombs come in four versions, but are all in the process of being replaced with a single new variant—the B61-12—which will also serve as the U.S. strategic bomb. (The other existing U.S. strategic bomb, the B83, is planned for retirement.) Since there will no longer be a distinction between tactical and strategic bombs, there will no longer be a need for a separate tactical hedge.

Re-examine the Need for a Technical Hedge

More fundamentally, while immediately moving to cut the existing hedge, the United States should also reconsider the logic behind its decision to retain a technical hedge in the first place. Both Britain and France have significantly smaller and less diversified arsenals than the United States. Neither maintains a hedge in case of technical failures of their nuclear weapons. They also do not maintain multiple types of warheads for each delivery system. (France deploys one warhead type on submarines and another on aircraft. The UK deploys only one warhead type, on submarines.)

The failure of an entire class of weapons is highly unlikely, at least for existing weapon types, which have undergone nuclear explosive testing. The president should order a study to quantify the odds of such a failure and investigate whether it is necessary to maintain a technical hedge at all. Even if such a study finds that a technical hedge is advisable, it should not be necessary to employ three separate hedging strategies: keeping a technical hedge, deploying two types of warheads per delivery system, and deploying two types of ballistic missile delivery systems.

Trump’s Asia Advisors Want to Scrap the “Three Communiques” with China

My last post in this series ended with a video of President George W. Bush reiterating the U.S. commitment to a set of bilateral agreements known as “the three communiques.” Yesterday, two Asia experts advising the Trump transition, Randy Schriver and Dan Blumenthal, suggested the president-elect should scrap them. Both men are being considered for senior positions in the Trump administration. It now seems clear that Mr. Trump’s controversial outreach to Republic of China (ROC) President Tsai Ing-wen was not a simple “courtesy call,” but the first step in a coordinated effort by the Asia advisors on the Trump transition team to bring the Nixon-Kissinger era in US-China relations to a close. 

What are the “Three Communiques”?

The “three communiques” are a set of formal statements jointly issued by the the governments of the United States and the People’s Republic of China (PRC). The first communique, also known as the Shanghai Communique, was issued in February of 1972 during US President Richard Nixon’s historic trip to China. The second communique, also known as the Joint Communique on the Establishment of Diplomatic Relations, was issued on December 15, 1978 and became effective on January 1, 1979. The third communique, also known as the Joint Communique on Arms Sales to Taiwan, was issued on August 17, 1982.

President Richard Nixon and National Security Advisor Henry Kissinger meet with Chinese Premier Chou En-lai on the Shanghai Communiqué.

President Richard Nixon and National Security Advisor Henry Kissinger meet with Chinese Premier Chou En-lai on the Shanghai Communique.

All three communiques addressed US and PRC views on the sovereign status of Taiwan and their respective relations with the ROC government. In the Shanghai Communique China stated that the government of the People’s Republic of China is the sole legitimate government of China, that Taiwan is part of China and that unification was an internal affair. The US acknowledged “that all Chinese on either side of the Taiwan Strait maintain there is but one China and that Taiwan is a part of China” and reaffirmed the US interest in “a peaceful settlement of the Taiwan question by the Chinese themselves.”

In the Joint Communique on the Establishment of Diplomatic Relations the United States formally recognized that the government of the PRC is the sole legitimate government of China and that its continuing relations with Taiwan would be “unofficial” and conducted “within this context.” In The Joint Communique on Arms Sales to Taiwan, negotiated by President Ronald Reagan and Chinese Premier Zhao Ziyang, the United States declared it would not pursue a policy of “two Chinas” or “one China, one Taiwan.”

Schriver and Blumenthal questioned whether these three documents should still continue to govern US-China relations:

“There is, of course, a deeper and more complicated set of questions regarding the utility of communiqués drafted during the Cold War when an authoritarian Taiwan still claimed to rule “all of China.” A democratic Taiwan has long abandoned the claim that it represents “all Chinese across the Strait.” It is hard to think of another set of relationships still governed by joint communiqués from the Cold War era.”

The two prospective members of the Trump administration noted that the president-elect did not raise these questions during his call with ROC President Tsai. But should Mr. Schriver and Mr. Blumenthal be appointed to senior Asia-related positions in the US government, this “deeper and more complicated set of questions” is likely to be discussed.

Peter Navarro is another Asia expert advising the Trump transition who is being discussed as a nominee for a senior Asia-related position in the new administration. Like Schriver and Blumenthal, he also views the communiques pioneered by Nixon and Kissinger—and reinforced by every US president since—as a relic of the Cold War.  Moreover, he argues China is the now the most serious security challenge facing the United States, which must redefine its relationship with Taiwan in order to prevent the Chinese navy from gaining more open access to the Pacific Ocean.

Role for the Senate

The outlines of President-elect Trump’s China policy are taking shape under the direction of a new team of Asia experts who believe the United States needs a radical break with the past. The call to ROC President Tsai Ing-wen is just the first step in a series of significant changes these experts intend to make as senior officials in a new administration. Given the importance of the US-China relationship, and the potential consequences of a unilateral abrogation of official diplomatic agreements that have defined US-China relations for decades, Congress needs to exercise due diligence.

One of the most important powers Congress has over the conduct of US foreign and military policy is the power to examine, accept or reject executive appointments to key posts. Sub-cabinet nominations often move through the Senate on a voice vote. Congress needs to think seriously about the implications of the changes being proposed across a range of US interests, and must give President Trump’s nominees for Asia-related posts more careful scrutiny.

President Obama Can Still Reduce Stored Nuclear Weapons & Fissile Materials

It Ain’t Over ‘til It’s Over

During the summer and fall, reports appeared that President Obama was considering actions he could take to make a major impact on U.S. nuclear weapons policy before leaving office in January. While the situation has clearly changed since Trump became the president-elect, this still does not mean that Obama’s hands are completely tied. It does mean that major changes, such as declaring a no-first-use policy or taking nuclear missiles off hair-trigger alert, are unrealistic, as they would only serve to draw the ire of the incoming administration and likely be quickly reversed. However, most of these options were reportedly already off the table. There are other actions, less dramatic but still significant, that President Obama could take right now to improve the safety and security of all Americans.

Near the beginning of his term, the president gave a speech in Prague in which he pledged that “the United States will take concrete steps towards a world without nuclear weapons.” But despite initial success—the conclusion in 2010 of the New START arms agreement with Russia, in which each side agreed to limit its number of deployed strategic warheads to 1,550 by 2018—the Obama administration has made no further progress in this realm. In fact, of any Commander-in-Chief since the end of the Cold War, President Obama has so far presided over the smallest reduction in the U.S. nuclear stockpile.

In a different world, if Clinton had won the presidency, Obama might still be considering moves to change this, by announcing further cuts to U.S. deployed nuclear forces. After all, the Department of Defense has already said that the United States could safely reduce its deployed strategic nuclear forces by an additional third from New START levels even if Russia does not make similar reductions. An arsenal of this size would be more than enough to ensure a strong, stable nuclear deterrent. It would also reduce costs, a major consideration when it will take an estimated $1 trillion in spending to deploy, maintain and replace the entire nuclear triad (strategic bombers, land-based intercontinental ballistic missiles, and submarine-launched ballistic missiles) over the next 30 years. This is something Trump might want to keep in mind himself, since the Pentagon has already warned that it does not know where the money will come from to fund all the nuclear spending requirements that are on the books.

Lenny Kravitz, It Ain't Over 'til It's Over

This man knows.

Given the reality of the current situation, such a high-visibility and controversial cut has been ruled out. But President Obama could still make a difference by making some less controversial “housekeeping” type cuts in stocks that are not often thought about and would not adversely affect the U.S. deterrent: “hedge” weapons that are kept in reserve, and stockpiles of weapons-usable fissile materials (plutonium and highly-enriched uranium).

In addition to the roughly 1,950 nuclear weapons (1,750 strategic and 180 tactical) that the United States deploys, it also maintains a “hedge” force of about 2,550 weapons (2,250 strategic and 320 tactical). These are kept in reserve for two reasons: technical and geopolitical. The argument for the technical hedge is that, if deployed weapons of one type experienced a problem, the United States could instead deploy weapons of another type from the hedge force. The geopolitical argument is that the international security situation could change, leading the U.S. to want to increase the number of deployed weapons.

As I will discuss in detail in my next post, to reduce the role that nuclear weapons play in U.S. security policy, Obama could reduce the number of strategic weapons in the hedge, by almost half, to 1,250, and eliminate the existing hedge of 320 tactical weapons.

The United States also maintains stockpiles of weapons-usable fissile materials—plutonium and highly enriched uranium (HEU)—that are much larger than needed. Some of this fissile material has already been declared “excess to military needs” and is awaiting disposition. Even after that excess material is disposed of, however, the United States will still have far more material than it needs for its current or future arsenal. Obama could declare an additional 15 metric tons of plutonium and 140 metric tons of highly-enriched uranium as excess to military needs, which would be enough for more than 4,000 nuclear weapons. I will go into the details of these numbers in an upcoming post.

The Nuclear Safety Value of “What If?”

Disaster by Design/ Safety by Intent #61

Safety by Intent

Picture a driver distracted by tuning the car’s radio or reading a very clever roadside billboard and unknowingly traveling through a stop sign without even slowing down. Due to good fortune, the driver neither hits another vehicle nor gets hit.

Upon realizing the stop sign had been run, the driver could have two reactions. Based on the actual outcome, the driver could conclude that less time would be wasted in the future by simply not stopping at stop signs and red lights any more. Or, based on what could have happened, the driver could resolve to pay better attention to traffic safety signs.

Nuclear safety is best served when plant owners and the Nuclear Regulatory Commission (NRC) view things considering “what if” instead of “what was.” As evidenced by a problem recently reported to the NRC by the owner of the Peach Bottom nuclear plant in Pennsylvania, the nuclear industry typically considers the former rather than the latter.

What Was

On August 16, 2016, workers identified a small amount of water leaking from a one-inch diameter pipe going from the 18-inch diameter High Pressure Service Water (HPSW) system pipe downstream of the Residual Heat Removal (RHR) heat exchangers A and C to the radiation sampling system.

Fig. 1 (

Fig. 1 (Source: UCS adapted from NRC Plant Information Book (1994))

Following an accident, the HPSW system takes water from the Conowingo Pond, supplies it to the RHR system’s heat exchangers, and returns the warmed water to the pond. The RHR system provides cooling for the reactor core and the primary containment during an accident. By connecting to but being physically separate from the RHR system, the HPSW system discharges heat during an accident to the environment without also discharging radioactivity to it. The HPSW system features four motor-driven pumps each capable of supplying 4,500 gallons per minute flow.

The leak rate was approximately 120 drops per minute, well below the capacity of one HPSW pump, yet alone all four pumps. That small leak rate would not adversely affect the HPSW’s cooling role.

The leak’s location was downstream of the RHR heat exchangers. Thus, the leaked water would have already performed its intended safety function before it escaped from the pipe.

Based on what it was, the identified leak had zero safety implications.

What If

But the plant owner looked beyond “what was” to evaluate “what if.” Water leaked from a small crack in the one-inch diameter pipe going to a radiation sampling system. The engineering department evaluated the effect of that crack during a postulated design basis earthquake and concluded that the shaking movements could break the one-inch pipe. If so, approximately 77 gallons per minute could leak from the broken one-inch pipe.

The 77 gallon per minute leak was a very small fraction of the HPSW system’s flow. And the leak would occur after the water flowed through the RHR heat exchangers. If the pipe broke, the leaked water would go onto the floor instead of back into the pond.

The owner evaluated where the leaked water could go and concluded that it could enter the room housing RHR pump C and disable the pump. Because of this potential, RHR pump C was considered to be inoperable until the cracked pipe was repaired.

The RHR system has four motor-driven pumps. The accident studies show that reactor core and containment cooling can be accomplished by a single RHR pump.

The cracked one-inch pipe might have disabled RHR pump C after an earthquake but would not have affected RHR pumps A, B, and D.

The “what if” process assumed the earthquake occurred when the division 2 emergency diesel generators were out of service for maintenance. The unavailability of the emergency diesel generators and the loss of the offsite power grid took away RHR pumps B and D but would not have affected RHR pump A.

The NRC’s single failure criterion (defined in Appendix A to 10 CFR Part 50) further requires that safety studies assume a single failure of a safety component. Application of that criterion in this Peach Bottom case takes away RHR Pump A as justification for accepting the impaired RHR Pump C.

What Is

The discovery of a small amount of water leaking from the HPSW pipe downstream of the RHR heat exchangers could have been downplayed and tolerated for a long time before being fixed. Instead, workers determined that the little leak could, with help from an earthquake, cause a larger leak that could disable one of the RHR pumps.

The potential disabling of an RHR pump could have been downplayed and tolerated for a long time. Instead, workers recognized the challenge to the defense-in-depth approach to nuclear safety and quickly fixed the problem.

Disaster by Design

Bob Pollard, my predecessor at UCS, said he had no doubts that one could operate a safe nuclear plant and had no doubts that one could operate an economical nuclear plant. His doubts involved operating a safe reactor that was also economical.

Proper application of the “what if” process supports both safe and economical reactor operation. Misapplication of the process compromises safety and/or economics.

Proper application does not mean posing every conceivable “what if” question. For example, “what if anasteroid the size of the moon were to hit the plant?” can probably be left unanswered. But proper application entails asking, and answering, every credible question.

In this case at Peach Bottom, and many others elsewhere, the “what if” process served nuclear safety. Post-accident inquiries nearly always identify misapplications of this process.


UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Origins and Implications of the Taiwan Call

Over the past few election cycles Congress passed a series of laws that enabled presidential candidates to begin preparing for transition immediately after obtaining their party’s nomination. This cycle a large number of Republican foreign policy professionals refused to support their party’s nominee, draining the pool of talent candidate Trump could draw upon to plan his transition. The Republican President-elect’s controversial decision to speak with Tsai Ing-wen, the President of the Republic of China (ROC), may be a consequence of these two developments.

Congress enacted significant changes to the laws governing the presidential transition process in  2004,  2010  and  2015 that gave presidential campaign staff access to classified information, US government facilities and the incumbent administration immediately after the nominating conventions. The legislation codified a general trend allowing the two major political parties to build and empower what essentially become two administrations-in-waiting before voters have a chance to decide which one will occupy the White House.

Candidate Trump’s language and behavior during the primary campaign alienated many of the Republican foreign policy professionals who normally would assume significant positions in a presidential transition. Three leading architects of Asia-related policy in past Republican candidacies and administrations; Richard Armitage, Michael Green and Aaron Friedberg, joined a large group of Republican foreign policy experts who denounced Mr. Trump as unfit for office.

“Mr. Trump lacks the temperament to be President. In our experience, a President must be willing to listen to his advisers and department heads; must encourage consideration of conflicting views; and must acknowledge errors and learn from them. A President must be disciplined, control emotions, and act only after reflection and careful deliberation. A President must maintain cordial relationships with leaders of countries of different backgrounds and must have their respect and trust. In our judgment, Mr. Trump has none of these critical qualities.”

Having taken themselves out of the running for a position in the Trump transition effort, which began shortly after the convention, the Republican foreign policy establishment left the door open for other aspirants. The people who filled the open positions related to Asia appear to be the ones who arranged the call with ROC President Tsai Ing-wen. Unfortunately, because the new laws Congress enacted did not require presidential campaigns to publicly disclose any information about the individuals it empowered to conduct transition-related activities on behalf of presidential candidates, we don’t yet know the names or the titles of many of the key people involved.

New Advisors Signal New Policies

Trump’s decision to speak with Tsai, and his decision to use her official title, violated the letter and the spirit of a series of agreements that both governments upheld as fundamental conditions of normalized diplomatic relations between China and the United States. Those agreements did not include an explicit US statement recognizing the island of Taiwan as a part of China. They did, however, formally state that the United States agrees that there is only one China: the People’s Republic of China (PRC).

Ms. Tsai is not the president of Taiwan, as she is often mistakenly described in the US press. She is the President of the Republic of China (ROC). This distinction matters, especially to the Chinese. The ROC constitution claims sovereignty over the whole of China, not just the island of Taiwan. It is a rival Chinese government. The last Republican administration sternly rebuked former ROC president Chen Shui-Bian’s efforts to change the ROC constitution in a way that would limit its claims of sovereignty to the islands it now controls. President George W. Bush, repeating the language of his PRC counterparts, interpreted Chen’s efforts as an unilateral attempt to change the status quo and advance calls for Taiwan’s independence (see video below). The PRC has explicitly threatened to use “non-peaceful means and other necessary measures ” to prevent such an outcome.

For the moment, Mr. Trump is still a private citizen. But should President Trump continue to take calls from Ms. Tsai when he is in the Oval Office, or continue to refer to her as “President Tsai,” it would not be unreasonable for Chinese leaders to assume that the United States had changed its policy on Taiwan’s independence. That change is highly likely to have a significant and lasting impact on the people of Taiwan, the people of China, and the people of every allied nation and territory hosting US military bases in Asia. The economic impacts could also be quite dramatic.

Given the potential consequences, the US public, and the peoples of the region, need to know a lot more about the individuals advising President-elect Trump on Asia policy. It is remarkable that Trump’s Asia transition team was allowed to set up a call that could dramaticly impact US-China relations—one of the most important foreign policy and defense issues facing the United States—before President-elect Trump selected his Secretary of State or his Secretary of Defense. This can be explained, in part, by the changing nature of the transition process and the unusual character of the man leading it.

But the press should now take a hard and sustained look at who will be guiding President Trump on Asia policy and what they believe.

US President George W. Bush rebukes Taiwanese leader Chen Shui-Bian for unilateral moves towards independence at White House press event with PRC Premier Wen Jiabao on 12/9/03. Complete video available at C-Span.


UCS’s “China Transition Watch” is a series of occasional posts that discusses how actions and statements during the Trump transition may affect US-China relations. While not intended to be comprehensive, the goal of the series is to provide insight on key issues.


The Trump Administration’s Opening Move to Disrupt US-China Relations


Former US Secretary of State Henry Kissinger met with Chinese President Xi Jinping hours before US President-elect Donald Trump’s controversial telephone call with Republic of China President Tsai Ing-wen.

President-elect Donald Trump has a reputation for being disruptive. But it was still surprising that he chose to break with convention and speak directly to Tsai Ing-wen, the President of the Republic of China (ROC) in Taiwan, despite the fact that the United States withdrew its official diplomatic recognition of the ROC in 1979 as a precondition for establishing diplomatic relations with the People’s Republic of China (PRC).

The call took place just hours after former Secretary of State Henry Kissinger, who brokered the deal that led to the establishment of diplomatic relations with the PRC, spoke with President Xi Jinping in Beijing. Kissinger met with President-elect Trump shortly after the election. The Chinese press reported that Kissinger told Xi he wanted to “play a positive role in enhancing communications between the two countries.” It would not be unreasonable for the Chinese leadership to assume that Dr. Kissinger was carrying a message from the US president-elect. Did Kissinger know Trump would speak with Tsai? Was he there to explain it to Xi? Or was Kissinger unaware that Trump would be shaking the foundation of the US relationship with China while the US diplomat who laid its cornerstone was in Beijing?

If Kissinger was out-of-the-loop on Trump’s decision to take the call, and did not warn Xi it was coming when they met, Trump may have shattered the Chinese leadership’s faith in Kissinger’s ability to continue to influence the course of US-China relations.

And that may not have been an accident.

The Taipei Times reported that Trump’s conversation with Tsai was arranged while Stephen Yates, who served in the White House as Deputy Assistant to the Vice President for National Security Affairs under Dick Cheney, was in Taipei to meet with ROC Minister of Foreign Affairs David Lee (李大維) and National Security Council Secretary-General Joseph Wu (吳釗燮). Yates was an advocate for better US treatment of the ROC government when he worked for the Heritage Foundation and is reportedly being considered for an appointment in the Trump administration.

It is difficult to know if Mr. Trump planned this interestingly choreographed set of events with the intention of undermining Dr. Kissinger and disrupting the US relationship with China. It is possible that Mr. Trump did not know Dr. Kissinger was in Beijing or didn’t understand the implications of the call. It is also possible that some members of Mr. Trump’s transition team decided to “go rogue” in an effort to advance their own agenda while the president-elect’s attentions are focused elsewhere.

Reporters should follow up with Dr. Kissinger, the President-elect and his transition team to clarify exactly how and why the US president-elect came to speak with ROC President Tsai. The Chinese leadership needs to be clear about Mr. Trump’s intentions. So does the American public, not to mention anyone considering taking a job in the Trump administration, especially Mr. Romney or General Mattis. Any perceived change in US policy on the status of the ROC government in Taiwan brings with it an appreciable risk of war, as the veteran Chinese diplomat Sha Zukang reminded a audience of US China-watchers earlier this fall.

Nuclear Plant Security

Disaster by Design/ Safety by Intent #60

Security by Intent

Nuclear Energy Activist Toolkits #32 and #47 described the emergency plan preparations required by federal regulations for every operating nuclear power plant. Other federal regulations require design features backed by testing and inspection protocols intended to minimize the chances of a nuclear plant accident that might result in the emergency plans being needed. That’s Safety by Intent.

The necessary companion is Security by Intent. The string of equipment malfunctions and worker miscues that could trigger a nuclear accident could also be pulled intentionally. Federal regulations seek to minimize the chances of a nuclear plant accident being triggered by sabotage.

Fig. 1 (Source: Nuclear Regulatory Commission)

The regulations protect against sabotage by people working at the plant and/or people breaking into the plant. After 9/11, the NRC revised the regulations to better protect against sabotage by insiders. Prior to 9/11, individuals could freely enter the security fences around a nuclear plant only after background checks revealed no criminal or trustworthiness histories. After 9/11, the NRC revised its regulations to require that the background checks be periodically revisited to ensure that the initial determinations remained valid.

The NRC also revised its regulations after 9/11 to better protect against sabotage by outsiders. Prior to 9/11, the regulations required protection against a modest number of outside attackers. After 9/11, the NRC revised its regulations to increase the number of potential attackers. In addition, the revised regulations assume the attackers may use more challenging tactics and more harmful weapons.

The revised regulations also upped the training and qualification requirements for security force personnel, which resulted in better protection against sabotage by insiders and outsiders.

Testing Security

Prior to 9/11, the NRC determined how effectively the various security elements (e.g., intrusion detection system, locked doors to areas housing vital equipment, defensive positions by security officers, etc.) fit together to deter sabotage through force-on-force tests that pitted mock attackers against the plant’s gates, guards, and guns. Real bullets were not used, so the tests employed people (controllers) who would judge who had yelled “Bang!” first. The controllers introduced delays as the players awaited rulings on who continued the fight and who retired to the sidelines. The security at each operating nuclear plant was checked by a force-on-force test about once every eight years.

After 9/11, the NRC increased the frequency and realism of the force-on-force tests. Each operating plant gets a force-on-force test about once every three years. And while the participants still don’t use real bullets, they use laser guns that provide more accurate and timely resolution of who-shot-whom questions.

Seeing a Security Problem

The passive defense provided by security fences around nuclear power plants is backed by active monitoring. Intrusion detection systems warn onsite security force personnel about unauthorized persons climbing over or cutting through a fence. The security force personnel can focus cameras to see whether a near-sighted deer wandered into the fence, a lazy bird landed on it, or ne’er do wells are entering the site sans invitation. Security force personnel need to discern foe from fawn to decide how to respond properly.

The periodic security checks conducted by the NRC included holding up cards at various spots along the fences to evaluate how good the cameras could “see” under various lighting and weather conditions—much like the eye-charts used by optometrists to check on their patients’ visual acuity. The NRC wanted to know if sun glare, darkness, fog or other factors could mask a section of the fence and take longer for security force personnel to detect intruders.

The NRC inspectors used the same small set of cards during these camera checks at the plants. Like memorizing the lines on an eye-chart, security folks at the plants communicated the symbols on the NRC’s card deck to the people monitoring the cameras. The question for the monitors changed from “what do you see?” to “does what you see look more like x, y, or z?”

The NRC figured out the game, too. They changed their card deck without telling the plant owners. The game was up the first time a monitor reporting seeing a symbol from the discarded card deck.

Evolving Security Measures

The NRC extensively revised its regulations and oversight practices after 9/11 to provide better protection against nuclear plant sabotage. But the NRC had made changes to security regulations and practices before 9/11 and has made further changes since the 9/11 revisions. The hazard environment evolves as new threats emerge and more harmful weapons are developed. The NRC strives to minimize the gap between evolving hazards and defenses against them.

Disaster by Design

Some reasonable and informed individuals contend that more should be done to improve nuclear plant security. It is undeniable that doubling the size of the guard force or installing an additional fence around the existing ones would make it harder to sabotage a nuclear plant.

Other equally reasonable and informed individuals contend that the post-9/11 security measures are more than sufficient and, with international terrorists preoccupied with other targets, it might be time to lessen some of the more costly security measures.

When the overwhelming majority of reasonable and informed individuals felt that security measures were more than adequate, it is time to slash here and there.

When the overwhelming majority of reasonable and informed individuals felt that security measures were woefully inadequate, it is time to beef up there and here.

When a sizeable subset of reasonable and informed individuals feel that existing security measures are overkill and another sizeable subset feel that much more must be done, it is time for case-by-case actions to plug gaps while removing unwarranted extraneous aspects.

I know which camp UCS is in and know many fellow campers. But I also know several people in the camp down the road. It therefore seems a bad time to slash and not a good time for beefing up. But it seems a swell time to shift security surpluses to seal shortcomings (and schedule a spectacular shindig with any surviving savings.)


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Let’s Get a Better Deal on Plutonium Disposition

President-elect Donald Trump has promised to renegotiate international agreements to get “better deals” for the United States. A good place for him to start would be the U.S.-Russia Plutonium Management and Disposition Agreement (PMDA), which obligates each country to dispose of 34 metric tons of excess plutonium from their military stockpiles, so the dangerous material cannot easily be reused for nuclear weapons. Collectively, this plutonium is enough for more than 15,000 nuclear bombs.

The agreement was originally signed by the Clinton administration in 2000 and amended in 2010, partly in response to a request by Russia. The agreement is a bad deal, at least for the United States. It commits the U.S. government to dispose of the plutonium by converting it into “mixed oxide” (MOX) reactor fuel and burning it in commercial nuclear reactors—a program that is now estimated to eventually cost U.S. taxpayers more than $50 billion and last 50 years or more.

The Department of Energy (DOE) has proposed a feasible alternative that could be accomplished more quickly and at less than half the cost. The agency’s favored dilute-and-dispose approach would mix the plutonium with inert materials and place small quantities of the mixture in waste drums, which then would be buried in a deep underground geologic repository, the Waste Isolation Pilot Plant (WIPP) in New Mexico. Another benefit of the dilute-and-dispose method is it poses a smaller risk of nuclear terrorism than the MOX option, which would entail additional handling and transporting weapon-usable materials.

There’s a sticking point, however. Under the terms of the agreement, the United States would have to obtain Russia’s consent to change its plutonium disposal method, just as Russia needed to obtain U.S. consent in 2010 when it wanted to pursue use of its plutonium as fuel for fast reactors instead of light-water reactors. Because the United States accommodated Russia’s request, it was hopeful that Russia would reciprocate, but instead Russia has criticized the U.S. proposal to switch to the cheaper, faster approach. Russia claims the method is reversible, implying that the United States could easily recover the plutonium to increase its nuclear weapon stockpile. That objection has little technical basis, however, and there are ways to address Russian concerns.

In October, Russia suspended implementation of the plutonium agreement as part of a larger chill in U.S.-Russian relations. As a rationale, it cited in part the U.S. plan to reduce its compliance cost by switching to the cheaper dilute-and-dispose method.

Next steps

The United States could of course go it alone and dispose of its plutonium as it sees fit—and the DOE is proceeding with plans to use the dilute-and-dispose approach for six metric tons of excess plutonium that is not part of the 34 metric tons covered by the PMDA. However, there are benefits to doing so within the agreement, such as verification measures, and it would be best if the United States could persuade Russia to resume implementation.

Regardless, the United States should not be compelled to spend a vast sum of money on a failing project simply because that’s what Russia wants.

Fulfilling the agreement would require the United States to finish building and then operate the facility that would fabricate the MOX fuel, which has been under construction since 2007 at the DOE’s Savannah River Site in South Carolina. The plant is far behind schedule and its projected budget has ballooned beyond anyone’s expectations. The most recent DOE and U.S. Army Corps of Engineers estimate projected that the plant would not be finished before 2048 and would cost more than $17 billion, roughly 10 times more than initial estimates. Adding operating costs, other program expenses, and uncertainties, DOE estimates the lifecycle cost of the project could exceed $50 billion. The DOE-Army Corps of Engineers report also highlighted construction quality control problems that should raise red flags.

Some in Congress are putting up roadblocks to getting a better deal on plutonium disposition. The MOX program, warts and all, is being kept on life support by South Carolina Sen. Lindsey Graham, who wants to keep wasting federal government money on the project in his state. It’s time for Graham to stop putting parochial interests ahead of the interests of U.S. taxpayers.

President Trump will have the opportunity to use his negotiating skills—and his reportedly good relationship with Russian President Vladimir Putin—to persuade Russia to resume complying with its part of the agreement and secure approval for the United States to change its disposition method. Let’s hope the United States and Russia can end their stalemate on plutonium disposition and find a path forward that benefits both nations.

Friendly Answers Following Blowing of the Winds

Disaster by Design/ Safety by Intent #59

Safety by Intent

With ample warning, Hurricane Matthew made landfall in South Carolina coast on October 8, 2016, bringing along its heavy rainfall and high winds.

The Federal Emergency Management Agency conducted Disaster Initiated Reviews for nuclear plants in South Carolina, North Carolina and Florida to determine whether Hurricane Matthew adversely affected emergency planning measures within a 10-mile radius of each site.H.B. Robinson Steam Electric Plant (Hartsville, SC)

The Robinson nuclear plant was operating at 100 percent power on October 8, 2016, when perturbations on the electrical grid caused by Hurricane Matthew caused the automatic shutdown of the reactor. The onsite emergency diesel generators provided backup power to essential equipment onsite.

FEMA’s Disaster Initiated Review found that all 61 pole-mounted emergency sirens that notify the population in event of an accident at Robinson were operable, with about half (30 sirens) on battery backup power due to localized loss of electricity. FEMA verified that Duke Energy had a plan to replace the batteries before their 7-day capacity became depleted. FMEA further verified that the counties within 10 miles of the site had the resources to conduct alternate alerting if that need arose.

FEMA found that Florence Country opened six shelters to accommodate persons displaced by Matthew while Darlington and Lee Counties had opened one shelter. But FEMA’s consultations with county officials found that sufficient resources existed to handle additional needs in event of a nuclear plant accident. And FEMA verified that the storm had not degraded critical transportation routes and assets within the 10-mile emergency planning zone or depleted shelter and care facilities.

FEMA concluded that Matthew had not impacted its pre-storm finding that emergency planning measures for the Robinson plant remained adequate.

Brunswick Steam Electric Plant (Southport, NC)

The State of North Carolina and both Brunswick and New Hanover counties activated their emergency operations centers because of Hurricane Matthew. The two reactors at the Brunswick nuclear plant continued operating throughout the storm.

 Jocelyn Augustino/FEMA)

Fig. 1 Lumberton, NC, October 11, 2016. (Source: Jocelyn Augustino/FEMA)

FEMA’s Disaster Initiated Review found that all 38 pole-mounted emergency sirens that notify the population in event of an accident at Brunswick were operable on normal power with battery backup power available. The New Hanover County emergency operations center in Wilmington deactivated on October 10 while the Brunswick County emergency operations center in Bolivia remained activated due to flooding in the southern part of the county. FEMA found that state and local resources remained sufficient to handle a nuclear plant accident.

FEMA learned that the storm caused intermittent lapses of the primary communications links between the Brunswick plant and offsite emergency operations centers, but that the secondary satellite communications system functioned per design and a tertiary communications system remained available.

FEMA found that two shelters in New Hanover County and three shelters in Brunswick County had been opened to accommodate persons displaced by Matthew. All five shelters had been closed when no longer needed following the storm. FEMA found that state and local resources remained sufficient to handle a nuclear plant accident.

FEMA concluded that Matthew had not impacted its pre-storm finding that emergency planning measures for the Brunswick plant remained adequate.

Shearon Harris Nuclear Power Plant (New Hill, NC)

The Harris nuclear plant had just begun a scheduled refueling outage. Workers shut down the reactor the previous day. After Matthew’s landfall, the Duke Energy Control Center notified plant workers about perturbations on the electrical grid caused by the storm. Following this notification, outage-related activities were suspended and the plant was disconnected from the grid and placed on backup power from the onsite emergency diesel generators. After the storm subsided, workers reconnected the plant to the electrical grid and resumed refueling activities.

FEMA’s Disaster Initiated Review found that the 83 pole-mounted emergency sirens around the site that notify the population in event of an accident at Harris were operable. FEMA additionally determined that the state and local authorities had sufficient resources remaining to perform functions such as independent radiological dose assessments and field monitoring in event of an accident. And FEMA verified that the storm had not degraded critical transportation routes and assets within the 10-mile emergency planning zone or depleted shelter and care facilities.

FEMA concluded that Matthew had not impacted its pre-storm finding that emergency planning measures for the Harris plant remained adequate.

St. Lucie Plant (Jensen Beach, FL)

Hurricane Matthew impacted the emergency planning zone for the St. Lucie plant beginning on October 6 as it traveled off the eastern coast of Florida as a Category 4 storm. The State of Florida activated its emergency operations center on October 4; St. Lucie County and Martin County activated their emergency operations centers on October 6.

FEMA’s Disaster Initiated Review found that 90 emergency sirens around the site provided notification of the public in event of an accident at St. Lucie. The storm disabled one siren and caused 23 other sirens to rely on battery backup power. FEMA confirmed the plant owner’s plan to fix the broken siren within four days and to replace the batteries on the sirens without electricity supply within five days to ensure their continued operability.

Flagler, FL, USA-- Damage to roadway in Flaglar County following Hurricane Matthew. FEMA, state and local officials continue damage assessments along Florida eastern coast.

Fig. 2. Flagler, FL (Source: Steve Zumwalt/FEMA)

FEMA met with Brevard County officials on October 8 upon being notified that due to supporting persons evacuated due to Matthew, the county could not support additional evacuees in event of a nuclear plant accident. During that meeting, a contingency reception center was established with support from the State of Florida and Miami-Dade County emergency management officials should need arise until conditions in Brevard County returned to normal.

FEMA concluded that with the contingency plans in place, the emergency planning measures for the St. Lucie plant remained adequate.

Disaster by Design

Americans are all-too-accustomed to seeing local, state, and federal officials and non-governmental organizations like the American Red Cross respond promptly to help those harmed by a disaster.

Graphic provides an update on FEMA's support for Hurricane Matthew recovery as of October 10, 2016. Includes info on staff deployed, supplies, search and rescue, emergency communications, and incident management teams.

Fig. 3 (Source: FEMA)

FEMA certainly pitched in to help those in need following Hurricane Matthew (Fig. 3). Less evident, but no less important, was the effort undertaken by FEMA in parallel with their disaster response activities. FEMA checked whether Matthew damaged the infrastructure or depleted response resources such that the public might not be adequately protected in event of an accident at one of the nuclear plants in the region. Upon finding anything that might undermine public protection, FEMA ensured that contingency measures were in place to sustain the necessary protection levels.

Disaster response and disaster readiness are two side of the same coin. FEMA demonstrated capabilities in both areas following Matthew.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Look! Up in the sky! It’s a bird! It’s a plane! It’s, it’s … a nuclear reactor?

Episodes of The Adventures of Superman television series began with an announcer proclaiming “Faster than a speeding bullet! More powerful than a locomotive! Able to leap tall buildings in a single bound!” followed by a crowd of people on a city sidewalk with someone saying, “Look! Up in the sky! It’s a bird! It’s a plane. It’s Superman!”

The series ran between 1952 and 1958 before my time, but I did faithfully watch its re-runs during the early 1960s. (I understood why adults on the sidewalk were initially puzzled by the thing in the sky that turned out to be Superman, but couldn’t quite get their befuddlement week after week.)

About the same time, adults in the woods in northwestern Georgia could have looked up into the sky and been puzzled by something that was not a bird, or a plane, or even Superman. It was a nuclear reactor suspended on cables strung between towers. Really, a nuke on a wire.

Nuclear Aircraft Lab

Beginning in the late 1950s and continuing through its closure in 1971, Lockheed operating the Georgia Nuclear Aircraft Laboratory on a 11,000 acre site near Dawsonville, Georgia for the U.S. Air Force. A short video produced by Lockheed circa 1960 documents the construction and initial operation of the first reactor at the laboratory. A second reactor was later added to the laboratory.

The primary purpose for the facility was to test components and systems intended for use in nuclear propelled aircraft (likely the reason Lockheed was a contractor to the Air Force rather than the Navy, Army, or Coast Guard.) The facility also conducted research into the effect of nuclear radiation on non-aircraft components and wildlife to support atomic weapons consequences studies.

Fig. 1 (

Fig. 1 (Source: Department of Energy)

The laboratory had three major areas – the Nuclear Support Facility (NSF), the Reactor Equipment Facility (REF) and the Shielding Demonstration Facility (SDF) (Fig. 1).

Fig. 2 (

Fig. 2

The Nuclear Support Facility consisted of administration offices, a warehouse, and a large concrete bunker housing a hot cell (Fig. 2). Materials irradiated in the reactors could be transported via a special railcar to the hot cell. Workers manipulating equipment remotely examined the materials for the effects of exposure to radiation.

Fig. 3 (

Fig. 3 (Source: Dave Lochbaum)

The hot cell bunker remains today, but its remains are surrounded by a barbed wire fence dotted with frequent “No Trespassing” signs (Fig. 3).

Fig. 4 (

Fig. 4 (Source: Lockheed)

The Reactor Equipment Facility housed a 28-foot long reactor vessel that could be raised from its normal pit in the floor to test radiation effects on components staged within the building. Workers operated equipment and monitored conditions from its control room (Fig. 4).

Fig. 5 (

Fig. 5

The Shielding Demonstration Facility consisted of an underground concrete bunker for the control building, a water-filled concrete pool to store the reactor, and metal towers used to hoist the reactor nearly 200 feet into the air (Fig. 5).

Fig. 6 (

Fig. 6

The SDF had a tall pole topped by microphones (Fig. 6). During reactor operation, workers monitored audio channels for sounds of approaching aircraft. If an incoming plane was detected but not diverted in time, workers had instructions to shut down the reactors to avoid exposing passengers to potentially lethal amounts of radiation. Sounds like a safety plan, of sorts.

Bottom Line

If you ever folded a sheet of paper and sailed a paper airplane across the room or office, you accomplished more flight time and distance than the nuclear propelled aircraft. And it cost you less, way less, than it cost the U.S. government to demonstrate it could not get a nuclear propelled aircraft off the ground.

But the money spent on atomic airplanes was not entirely wasted. Some of the research paid off in other applications.

Does any of your clothing have zippers? If yes, it doesn’t matter. Zippers were invented outside of atomic airplane research space.

Do any of your appliances, gizmos, and gadgets use rechargeable batteries? If yes, it doesn’t matter. Rechargeable batteries were invented via other means.

Did you ever build a paper airplane? If yes, maybe we can fly our planes someday. I’ve given up looking for some useful byproduct from the atomic airplane projects.


Equity within the Nuclear Regulatory Commission

Disaster by Design/ Safety by Intent #58

Safety by Intent

As articulated in a recent posting by UCS’s Center for Science and Democracy, UCS believes science can and should be applied to reduce racial and economic inequity. Inequity can result when biases can, intentionally or not, put a segment of the population at a disadvantage. The staff of UCS has received training sessions and briefings over the past year on institutional and individual biases that result in racial and economic inequities.

With the information from these sessions and briefings in mind, I reflected on my dealings with the Nuclear Regulatory Commission (NRC) over the years. I have discussed many concerns and problems with NRC managers and staffers, but could not recall one where race or gender was named as a contributing factor. But this process wasn’t very sciency. It was more gossipy than sciency. So, I undertook a less-gossip, more-science approach to the matter. (Gossip has it that the more science we use, the more points we get.)

The NRC’s Office of Small Business and Civil Rights manages four major programs: (1) Affirmative Action, including the Federal Women’s Program and implementing a managing diversity process; (2) Civil Rights; (3) Historically Black Colleges and Universities (HBCU); and (4) Small Business. One of the procedures used by this office in administering these programs states that a primary objective of these efforts is to “Build and maintain a high-performing diverse workforce based on mutual acceptance and trust, and where the contributions of all employees are recognized and valued.”

Diversity Data

In spring 2016, the NRC reported that its workforce was 39% female and 61% male. According to the 2010 census, 51.25% of the U.S. population was female 48.75% was male.

27% of the NRC’s workforce was under the age of 40 and 29% was over the age of 55 (doing the math then, 44% of the workers are 40 to 55 years old.) According to the 2010 census, 61.7% of the U.S. population was under the age of 40 and 21% was over the age of 55.

15% of the NRC’s workforce was African-American, 9% was Asian Pacific American, 6% was Hispanic, less than 1% was Native American, and 67% was white. According to the 2010 census, the U.S. population was 12.6% African-American, 5.0% Asian Pacific American, 16.3 Hispanic, 0.9% Native American, and 72.4% white.

The data show the NRC’s workforce to be older, have more male representation, and have less Hispanic representation than the U.S. population. But the NRC’s objective was to have a diverse workforce rather than a mirror-image replication of the U.S. population. The data indicate the NRC met part of its objective.

Equal Employment Opportunity Complaints 2005-2015

Numbers alone comprise only part of the NRC’s objective. For insight to the other part, I looked at the equal employment opportunity complaints filed within the NRC between 2005 and 2015 (Fig. 1).

The good news is that the annual number of complaints is relatively small for a workforce of nearly 4,000 individuals. The bad news is that the number of complaints trended upward over the decade.

Fig. 1 (

Fig. 1 (Source: Nuclear Regulatory Commission)

In 2015, 24% of the complaints alleged age discrimination, 22% alleged discrimination by sex, and 20% alleged racial discrimination (Fig. 2).

Fig 2 (

Fig 2 (Source: Nuclear Regulatory Commission)

In 2015, 20% of the complaints alleged non-sexual harassment, 18% alleged that discrimination factored into not being selected for a promotion, and another 18% alleged that discrimination factored into performance appraisals (Fig. 3).

Fig. 3 (

Fig. 3 (Source: Nuclear Regulatory Commission)

I looked for data showing how many of the equal employment opportunity complaints had been substantiated. The closest I found to this information was the chart showing the number of complaints settled between 2010 and April 2016 (Fig. 4). Assuming that a settlement reflects at least some of the complaint had validity, the data show an average of more than one valid equal opportunity problem every month  this entire decade.

Fig. 4 (

Fig. 4 (Source: Nuclear Regulatory Commission)

Disaster by Design

In nuclear power plant design, diversity is an ally. For example, most nuclear power plants have a diverse array of emergency core cooling pumps—some motor-driven, some steam-driven, some powered from emergency diesel generators, and some powered from banks of batteries. This diversity helps assure that at least one pump survives to cool the reactor core despite whatever challenge is presented.

In nuclear safety decision-making, diversity is an ally, too. Decisions made exclusively by a contingent of marine biologists, gaggle of electrical engineers, hearty band of lawyers, convention of brain surgeons, swarm of accountants, team of gymnasts, or roomful of chefs won’t be as good as decisions considering the perspectives of a range of experts. The NRC’s diversity objective does right by its workers and also does right for the American public. Rather, the NRC’s meeting this objective accomplishes both these righteous outcomes.

The NRC has a diverse workforce. For the most part, the contributions of all members of the diverse workforce are recognized and valued.

But the equal employment opportunity complaint data over the past decade reveal a small and sustainable discrimination against NRC workers on the basis of age, gender, race, and other factors. That NRC’s biases and behaviors allow it to persistently discriminate against its own suggest that these attributes could also let it reach decisions that discriminate against the public.

Fairness for NRC’s worker and the American public dictates that the agency adopt and embrace a zero-tolerance for discrimination due to race, gender, age, religion, and other factors. A validation of one internal discrimination case per month must never be close enough for government workers.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Public Safety Improvements

Disaster by Design/ Safety by Intent #57

Safety by Intent

Continuing the series initiated with Disaster by Design #47, this commentary describes efforts that yielded public safety improvements. But this commentary approaches the subject from a perspective differing from prior commentaries. While still discussing improvements in public safety, this commentary focuses on safety improvements achieved by the public.

Fig. 1 (

Fig. 1 (click to enlarge) (Source: Union of Concerned Scientists)

Safety Second

More than a decade before I joined UCS, the organization published “Safety Second: A Critical Evaluation of the NRC’s First Decade” in February 1985. (f you cannot find this book in your local library, at Amazon, or on the web, send me an email and I’ll reply with a digital copy.)

Chapter Three of the book, titled “The Public as Adversary,” opened with a quote by NRC Commissioner James K. Asselstine—“It is absolutely amazing, the lengths to which the Commission with go to avoid finding that a party is entitled to a hearing on an issue.” After summarizing several confrontational nuclear plant licensing proceedings, the chapter had a subsection titled “Public Contributions to Safety and Environmental Protection.”

The subsection listed 13 safety improvements at individual nuclear plants achieved by the public’s interventions in licensing proceedings (Fig. 1). Several cases involved the public championing concerns raised by whistleblowers who had voiced these same concerns to owners and/or the NRC without success.

The subsection listed another 13 safety improvements achieved generically across the fleet of operating nuclear plants by the public’s efforts (Fig. 2).

Fig. 2 (click to enlarge) (

Fig. 2 (click to enlarge) (Source: Union of Concerned Scientists)

Considering that “Safety Second” examined only a single decade (1975-1984), 26 safety improvements achieved by the public is impressive—averaging nearly three improvements annually.

Those outcomes become even more admirable when you consider the situation faced by the public intervenors. Many have regular jobs and tackle the mind-numbing technical jargon, endless acronyms, and baffling legal lexicon on their own time and at their own expense. If their efforts prevail, their unselfish efforts return no compensation other than the satisfaction of making their communities safer and more secure.

Safety Improvements since Safety Second

Shortly after I joined UCS in October 1996, Ray Shadis of the Friends of the Coast invited me to serve on a panel at a meeting they planned in Wiscasset, Maine on November 19, 1996, to discuss the recent report issued by the NRC’s Independent Safety Assessment Team (ISAT). The NRC sent the ISAT to Maine Yankee at the request of then-Governor Angus King. The ISAT only examined four of the dozens of safety systems at the plant and chronicled many serious problems in their 70-plus page report before concluding the plant was operating safely. I accepted Ray’s invitation and went to Maine for what was my first public speaking role representing UCS.

The efforts by Friends of the Coast and several other public interest groups in Maine transformed the ISAT’s report into a To Do list of things to fix by the plant’s owner. It was a long and expensive list—in May 1998, the company announced its Board of Directors voted to permanently close Maine Yankee rather than pay for the safety fixes.

Over the years, I have had the pleasure of working with many citizens and representatives of local public interest groups. They consistently reminded me that the American form of democracy works best when it is not a spectator sport. They got off the couch and into the game, even though the game is seldom played on a level field and it’s often hard to discern the officials from the opposing teams. Despite the daunting challenges, they demonstrate absolutely amazing persistence and resilience.

I wish I could acknowledge all the safety improvements achieved by the public the past two decades. Instead, I will cite a small sampling to illustrate the results achievable with persistence and passion.

Paul Gunter

Fig. 3 (

Fig. 3 Paul Gunter (Source: Beyond Nuclear)

Paul Gunter, Director of the Reactor Oversight Project at Beyond Nuclear, probably showed the power of one person by single-handedly derailing a tentative agreement reached between the NRC and plant owners. In the wake of the March 1975 fire at the Browns Ferry Nuclear Plant in Alabama, the NRC adopted regulations intended to better protect against fire hazards. The regulations essentially required that owners step through their plants one room at a time postulating a fire that damaged all equipment and cables inside it. The owners’ evaluations had to show that enough equipment located outside the fire room survived to safely cool the reactor core. If not, owners had to relocate equipment or install additional equipment until it was true for all rooms of the plant.

In the late 1990s, NRC inspectors discovered that most of the nuclear reactors operating in the United States, including those at Browns Ferry, did not meet the fire protection regulations. Instead of using equipment that would not be damaged in a fire, owners took credit for workers racing to the end of burned electrical cables and manually operating equipment damaged by the fire. The regulations permitted such manual actions, but only after being formally reviewed and approved by the NRC. Most of the reactors relied on unapproved manual actions that had taken the agency decades to discover.

Meetings between the NRC staff and industry representatives revealed that hundreds, if not thousands, of exemption requests would have to be submitted to the NRC and approved by the agency for all of the illegal manual actions.

Fearful that it lacked the resources needed to process so many exemption requests, the NRC hatched a plan with industry to rapidly issue a new regulation that would permit manual actions that met certain criteria. Such a regulation would retroactively approve all manual actions satisfying the newly imposed criteria.

Paul attended a public meeting on November 12, 2003, between NRC and industry where the draft regulation was discussed. To say that the criteria in the draft regulation were vague would understate the situation. Basically, the draft language would permit any and all manual actions as long as it was “feasible” they could be successfully performed. The draft language would permit more than a dozen manual actions that had to be completed within 30 minutes as long as a dry run of those steps by someone who had rehearsed them many times was able to simulate taking all the steps in 29 minutes and 59 seconds. The draft language contained zero requirements to ensure that all workers who might someday be required to tackle the task was as fit, fast and rehearsed as Demo Worker.

Paul shot down this trial buffoon with this short statement: “It’s feasible that I could go out of this meeting and go out and become a nuclear engineer. I don’t think that that’s likely, but if offers up the same concerns of your choice of words.”

The NRC discarded the loosey goosey “feasible” criterion almost immediately. The NRC developed definitive criterion that appears in the final regulations. Thanks, Paul!

Fig. 4 (

Fig. 4 George Galatis (Source: TIME Magazine)

George Galatis

The efforts by George Galatis certainly resulted in significant safety improvements at Millstone (CT) and in how the NRC oversees safety. George raised concerns with how spent fuel was being handled at Millstone. When neither the company nor the NRC did anything about the concerns (unless shrugging and ignoring counts), George formally petitioned the NRC to keep the three reactors at Millstone shut down for 60 days—the equivalent of a time-out given to misbehaving children. Millstone’s owner contested the petition, but should have readily accepted it. Once George appeared on the cover of TIME magazine, the reactors were shut down. Unit 1 never restarted. Unit 2 restarted more than three years later. And Unit 3 restarted after more than two years. Thanks, George!

Ann Harris and Curtis Overall

Ann Harris and Curtis Overall worked at the Tennessee Valley Authority’s Watts Bar Nuclear Plant during its construction. While performing their assigned tasks, both found problems they reported to management as required by plant procedures. Both experienced harassment and intimidation—including death threats by phone and mail—for having done their jobs and following procedures. TVA fired both workers, allegedly as part of Reductions in Force and not for having raised safety concerns.

Ann and Curtis filed complaints with the U.S. Department of Labor (DOL) contending that TVA violated the Energy Reorganization Act. The DOL’s Administrative Law Judges ruled in their favor.

Ann and Curtis literally put their jobs, and arguably their lives, on the line for safety. Their efforts resulted in lots of safety improvements at Watts Bar that likely otherwise would not have happened. Thanks, Ann! Thanks, Curtis (posthumously)!

Nuclear Information and Resource Service

The Nuclear Information and Resource Service (NIRS) under the leadership of the late Michael Mariotte demonstrated the might of a small organization teaming with grassroots activists and environmental attorneys when they opposed the proposal by Louisiana Energy Services to build and operate a uranium enrichment plant in Louisiana. NIRS partnered with the Citizens Against Nuclear Trash (CANT) to win one of the nation’s first courtroom verdicts on environmental justice grounds. Thanks, NIRS!

Project on Government Oversight

The 9/11 tragedy questioned whether the nation’s nuclear power plants were adequately protected against sabotage attempts. The NRC held many meetings with plant owners about security vulnerabilities and upgrades to lessen them.

These meetings were closed to the public for legitimate concerns that public discussion of security capabilities and shortcomings could unintentionally aid those planning us harm.

The Project on Government Oversight (POGO) crafted a novel and effective way of putting a spotlight on security problems without also handing the bad guys a blueprint for nuclear nightmares. On September 12, 2002, POGO released “Nuclear Power Plant Security: Voices from Inside the Fences.” POGO interviewed security force personnel at more than a dozen nuclear plants and identified common themes: under-staffed, under-trained, under-equipped, and under-paid defenders.

The post-9/11 security regulations adopted by the NRC contained measures on security officer training and qualifications. In addition, a parallel rulemaking process resulted in a final regulation that limited the working hours of security force personnel as protection against impairment due to fatigue. Thanks, POGO!

Galaxy of Public Stars

These summaries illustrate a small sampling of the many times that efforts by the public resulted in nuclear safety improvements. The efforts of the following individuals and public interest groups could just as easily have been summarized (listed alphabetically):

Jessica Azulay of the Alliance for a Green Economy

Anna Aurilio of the Alliance for Nuclear Accountability

Rochelle Becker, David Weisman, and John Geesman of the Alliance for Nuclear Responsibility

Garry Morgan, Gretel Johnston, and Sandy Kurtz of the Bellefonte Efficiency & Sustainability Team

Linda Gunter, Kevin Kamps, and Cindy Folcker of Beyond Nuclear

Lou Zeller of the Blue Ridge Environmental Defense League

Debbie Grinnell and Sandy Gavutis of the C-10

Diane Turco of the Cape Downwinders

Deb Katz of the Citizens Awareness Network

Keith Gunter, Ethyl Rivera, and Jessie Collins of the Citizens’ Resistance at Fermi-Two

Dan Hirsch of the Committee to Bridge the Gap

Paul Blanch of Connecticut

Nancy Burton of the Connecticut Coalition Against Millstone

Michael Keegan of Don’t Waste Michigan

Howard Lerner of the Environmental Law and Policy Center

Maggie and Arnie Gundersen and Carolina Aronson of Fairewinds Associates

Damon Moglen of the Friends of the Earth

Jim Riccio of Greenpeace

Manna Jo Greene of the Hudson River Sloop Clearwater

Arjun Makhijani and the Institute for Energy and Environmental Research

Pine duBois of the Jones River Watershed Association

Dale Bridenbaugh of MHB Technical Associates

Jane Swanson of the Mothers for Peace

Tom Cochran, Geoff Fettus, and Matthew McKinzie of the Natural Resources Defense Council

Clay Turnbull and Ray Shadis of  New England Coalition on Nuclear Pollution

Mike Mulligan of New Hampshire

Mark Leyse of New York

Jim Warren and Mary MacDowell of the North Carolina Waste Awareness and Reduction Network (NC WARN)

Dave Kraft and Linda Lewison of the Nuclear Energy Information Service

Tim Judson, Mary Olson, and Diane D’Arrigo of the Nuclear Information and Resource Service

Glenn Carroll of Nuclear Watch South

Catherine Thomasson and Chuck Johnson of the Physicians for Social Responsibility

Mary Lampert of Pilgrim Watch

Allison Fisher and Tyson Slocum of Public Citizen’s Energy Program

Paul Gallay and Deborah Brancato of Riverkeeper

Tom Clements of the Savannah River Site Watch (and Savannah native)

Seacoast Anti-Pollution League

Susan Corbett of the Sierra Club’s South Carolina Chapter

Sara Barczak of the Southern Alliance for Clean Energy

Don Safer of the Tennessee Environmental Council

Eric Epstein and Scott Portzline of the Three Mile Island Alert

Norm Cohen of Unplug Salem

Vermont Public Interest Research Group

Marilyn Elie of the Westchester Chapter of the Citizens Awareness Network

Many thanks to many people for many safety improvements!

Disaster by Design

Nuclear safety is all about proper balancing.

Emergency core cooling systems are installed to restore the balance between the heat produced by the reactor core and the heat carried away by cooling water. An imbalance for too long results in reactor core overheating as Fermi Unit 1, Three Mile Island and Fukushima remind us.

Other emergency systems are installed to control the balance between neutrons released by atoms splitting in the reactor core. If this control is lost, the reactor power level can soar to disastrous levels as SL-1 and Chernobyl remind us.

Nuclear safety requires a similar balance between industry and public influence on the NRC. When the public’s thumb gets too heavy on the NRC’s regulatory scale, owners can spend money for measures that do not improve safety. Conversely, when the industry’s thumb tips the scale too much, necessary safety margins can be undercut.

This commentary shows that the public’s efforts have yielded nuclear safety improvements. Past commentaries have chronicled nuclear safety improvements achieved by industry’s efforts and other safety improvements gained through NRC’s efforts. Too much is at stake for all voices not to be heard and all perspectives not to be considered.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

An Upcoming Missile Launch by North Korea?

Press reports are saying that North Korea is likely to try another test launch in the next few days of a new missile it is developing. But there is some controversy about which missile that may be.

Based on reports from two recent failed tests, most people assume the upcoming test will be of the intermediate-range Musudan missile, which North Korea has tested either six or eight times this year. But others see evidence that suggests it could be the mysterious long-range KN-08 missile.

What’s the evidence, and what are the implications?

The Musudan missile

This missile, called the Hwasong-10 in North Korea but Musudan in the west (after the region where it was first seen) appears to have a range of about 3,000 km. If it became operational, it would have the longest range of any system North Korea has tested as a ballistic missile (rather than as a satellite launcher).

The Musudan has a very poor test record. Starting in mid-April of this year, North Korea launched six tests from sites on its east coast (near Wonsan) into the Sea of Japan. The first five failed, all but one exploding quickly after launch. The sixth test, conducted on June 21, was successful (Fig. 1). It followed a trajectory that went much higher than normal so that it splashed down at a range of about 400 km. This nonstandard trajectory kept it from overflying Japan, which lies only about 1,000 km from the launch site. Analyzing the trajectory shows that it could reach a maximum range of 3,000 km (1,860 miles) if flown on a standard trajectory.

This maximum range is interesting since it is shorter than the 3,400 km to Guam, which is thought to be the intended target of the Musudan. It is also shorter than the 4,000 km that is frequently reported for the missile, but is consistent with my estimates of the range. That suggests North Korea has run into some design limitations that is keeping the range shorter than it would like.

 Google Earth)

Fig. 1 The flight path of the successful June 21 Musudan test, which was launched from Wonsan and traveled on a lofted trajectory to a range of 400 km. (Source: Google Earth)

The October tests

Press stories in October reported two additional tests—both of which failed—that US intelligence said were also Musudan tests. These two tests were notable since they were launched from a site on North Korea’s west coast (Kusong), unlike the previous tests.

Why switch the launch site? One obvious motivation is that from this site the missile could be launched to its full range without overflying other countries (Fig. 2). This is essentially the same flight path North Korea has used for its satellite launches. So following the successful June test on a lofted trajectory, it might make sense that North Korea would want to follow with a test on a standard trajectory. Since the Musudan is carried on a mobile launcher, switching launch sites in principle should be straightforward.

 Google Earth)

Fig. 2 The path a 3,000 km range test could follow from Kusong. (Source: Google Earth)

For these reasons, the general assumption has been that the two October tests were Musudans, and that the two failures indicate a continuing problem with the missile. Moreover, the assumption has been that the upcoming test would be another Musudan launch attempt.

The KN-08 missile

However, Jeffrey Lewis and his colleagues at the Monterey Institute raise the possibility that the two recent test failures were not of the Musudan missile, but of a longer range missile that may be in development—the KN-08, called the Hwasong-13 in North Korea.

The KN-08 has been seen in parades for several years. It has been described as a mobile long-range missile, but there remains a lot of controversy about whether such a missile is really being developed and what its capability might be if it is.

Technical analysis of the missile has shown that the design seen in parades makes more sense if North Korea were able to go beyond the Scud-level propulsion technology it has used in its previous missiles and use more advanced propellants. That more advanced technology has now been seen in the Musudan tests, which opens up the possibility that KN-08 development is real, and may have reached the point of flight testing.

Studying satellite images of the launch site for the two October tests, Jeffrey found that the burn marks on ground appeared to be larger for these tests than the previous Musudan tests at Wonsan—suggesting the launch of a larger missile. He also points out that the US military has misidentified several other missiles in recent tests, so the claim that the October tests were Musudans may not be air-tight.

While there are uncertainties that make this suggestive at best, it raises an interesting possibility that should be considered when analyzing the next launch.


As I noted above, if the two October test failures were Musudans, it would suggest serious ongoing problems with the Musudan program, despite the successful test in June. Since North Korea does not have the experience with this new propulsion technology that it does with its older Scud technology, that would not be surprising.

Even if the October tests were not Musudan failures, North Korea would still have no sense of the reliability of the missile based on previous tests. The fact that the last test worked may suggest they fixed something, but a one-in-six test record gives very little information about the chances for success of the next launch.

Conducting three quick launches (Oct. 15, 20, and the upcoming one) despite the failures is an odd way to develop a missile. Typically you would want to analyze the failures to identify and fix whatever the problem was. It may be that North Korean missiles don’t send back detailed information about their internal workings, which missiles elsewhere typically do. Without that information, North Korea’s approach would be to keep launching until it gets things to work.

It’s also possible, of course, that Pyongyang would like to make a splash during the late days of the US election campaign, thinking it would increase the visibility of a successful test. That would set a testing schedule that was not driven by a step-by-step development methodology. If that was North Korea’s motivation, it might want to launch a missile it had some reason to believe would succeed, which would suggest another Musudan test rather than a KN-08. On the other hand, if North Korea was going for maximum shock value—which a KN-08 launch would deliver—it might decide to try a Hail-Mary approach.

If this does turn out to be a KN-08 test, the two October failures suggest it is getting off to a slow start. But it would mean that a real development program is underway and that North Korea is focused on making it work.

Some details

The first four Musudan tests are believed to have been launched from the Kodo peninsula north of Wonsan, on the country’s east coast. The next two, including the successful test in June, were launched from facilities at the Wonsan Kalma Airport. The two tests in October, and the upcoming test, are from the Kusong Panghyon Airport near the west coast of the North Korea.

North Korea conducted a ground test of the Musudan engine in April, and the analysis of that test is what leads us to believe Pyongyang has shifted to more advanced propellants than used in its Nodong engines.

Nuclear Worker Training

Disaster by Design/ Safety by Intent #56

Safety by Intent

The Nuclear Waste Policy Act (NWPA) of 1982, as later amended in 1987, is best known for tasking the Department of Energy (DOE) with siting, constructing, and operating a geological repository for the long-term disposal of spent fuel from commercial nuclear power plants. It is less well-known that Section 306 of the NWPA tasked the Nuclear Regulatory Commission (NRC) with enacting regulations for the training and qualification of nuclear power plant workers.

The DOE has thus far failed its assigned mission and the federal government has paid out several billion dollars to parties across the country for damages incurred as a result of the failure. Fortunately, the NRC succeeded—albeit with some prodding from a public interest group and the courts—in its assigned mission, and not just by comparison to DOE’s ineptitude.

The need that prompted this NPWA provision stemmed from the March 1979 accident at Three Mile Island in Pennsylvania. Post-accident inquiries conducted by the NRC and the Congress concluded that the operators at Three Mile Island, and throughout the nuclear power industry, had not been provided sufficient training to enable them to effectively respond to accidents. As a result, the operators at Three Mile Island were set up for mistakes that increased the severity of the accident.

The NRC Path to Regulations

On February 13, 1984, the NRC staff outlined a rulemaking plan (SECY-84-76) that would develop regulations governing training and qualification programs for nuclear plant workers and satisfy the requirements of Section 306 in the NPWA.

The nuclear industry opposed the rulemaking plan. Instead, the industry sought to self-regulate training programs and recommended that the NRC merely adopt a policy statement on training rather than develop regulatory requirements. By a 3-2 vote, the Commission sided with the nuclear industry rather than its own staff by directing that a policy statement rather than a regulation be developed. One of the dissenting voters, Commissioner Victor Gilinsky, wrote that “In pressuring the Commission to accept a feeble approach toward shift experience requirements, the industry is jeopardizing its long standing safety record.” The NRC’s policy statement on training and qualification of nuclear plant workers was published in the Federal Register on March 20, 1985.

Public Citizen, a public interest group founded by Ralph Nader, petitioned the NRC in 1986 contending that the policy statement did not satisfy the NRC’s obligations under the NPWA to issue regulations. The NRC denied Public Citizen’s petition on January 14, 1987.

The NRC published an updated policy statement on nuclear plant worker training and qualifications in the Federal Register on November 18, 1988. Public Citizen filed a suit in the United States Court of Appeals for the District of Columbia Circuit contending that policy statements did not satisfy the NWPA. The court decision issued in April 1990 supported Public Citizen’s contention. The court wrote that “When Congress gives the agency its marching orders, the agency must obey all of them, not merely some.” The industry appealed the decision to the U.S. Supreme Court, but the Supremes declined to get involved.

The NRC staff submitted another proposed rulemaking plan for nuclear worker training to the Commission on April 25, 1991 (SECY-91-108). This time, the Commissioners’ vote was not split—the Commissioners unanimously rejected the proposed plan as being overly broad and too prescriptive.

The NRC staff tried again. They submitted a third rulemaking plan to the Commission on December 16, 1991 (SECY-91-371). This rulemaking plan proposed regulations requiring each owner to implement training programs for nuclear plant workers derived from a systemic analysis of job performance needs. Once again, the Commissioners voted unanimously on the plan; this time to publish the draft regulations for public comment. The final regulations were published in the Federal Register on April 26, 1993. Along the way, the NRC issued a report describing the criteria it would apply when determining whether training programs for nuclear workers conformed to the new regulations.

(For additional details and sources see a white paper recently issued by the NRC staff on the history of nuclear plant training and qualification requirements.)

Destination of the Long and Whining Road

The path to regulations on nuclear plant worker training and qualifications was certainly bumpy, cumbersome, and slow. Nevertheless, the destination reached by that tortuous process yielded positive safety improvements.

Training and qualification requirements existed for nuclear plant workers prior to the Three Mile Island accident. Before being licensed as control room operators, individuals had to demonstrate proficiency on written and oral examinations. Standards defined qualifications needed for other nuclear plant workers.

Today’s training programs and qualification standards are significantly different. Control room simulators may best illustrate the wide gap between conditions then and now. Simulators are full-scale replicas of nuclear plant control rooms (Fig. 1). The real control room’s switches, gauges, computer screens, alarms, and such connect to equipment in the plant. The simulator’s switches, gauges, computer screens, alarms, and such connect to a computer. Fidelity requirements ensure what happens in the simulator very closely models what happens in the real plant.

Fig. 1 (

Fig. 1 (Source: Dave Lochbaum

Back then, many owners did not have simulators. Instead, they sent workers to offsite simulators operated by reactor vendors. Workers’ access to simulators was limited during their initial training and even more restricted during periodic retraining. Now, simulators are readily available for all plants. Greater access affords greater use. Control room operators routinely spend every sixth week in retaining either in classrooms or in simulators. They receive formal training on modifications to the plant and its procedures. They must demonstrate proficiency applying that acquired knowledge in the simulator. In addition, workers commonly spend time in the simulator refreshing their awareness of tasks they have not performed in awhile before executing them “live” in the control room.

The expanded use of simulators reflects increased emphasis on applied knowledge and skills. The NRC’s regulations requires that training programs be built on a foundation of knowledge and skills needed for workers to perform their jobs. The NRC developed what it called “catalogs” identifying the knowledge and abilities needed by operators of pressurized water reactors (PWRs) and boiling water reactors (BWRs). The current PWR catalog contains nearly 5,100 items while the current BWR catalog lists nearly 7,000 items.

The catalogs are used by the NRC in the examinations it administers to individuals seeking licenses and control room operators.

For example, a recent NRC exam asked this multiple-choice question referring to the simple graphic (Fig. 2):

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

A pump is located on shore, with the eye of the pump 4 feet higher than the reservoir’s water level. The pump’s suction pipe extends 4 feet below the surface of the reservoir. Which one of the following modifications would increase the pump’s available net positive suction head?

  1. Raise the pump and suction line by 2 feet.
  2. Lower the pump and suction line by 2 feet.
  3. Lengthen the suction pipe to draw water from 2 feet deeper in the reservoir.
  4. Shorten the suction pipe to draw water from 2 feet shallower in the reservoir.

The best (and correct) answer was B.

Prior to Three Mile Island, candidates might have been asked to define net positive such head for a pump or to calculate it given information about key parameters. Now, the NRC still tests candidates about net positive suction head, but do so from a more applied knowledge perspective.

The NRC reported that 85 to 89% of the candidates passed the agency’s written examinations administered over a 10-year period. This passing rate suggests that the examinations are reasonably challenging. If all candidates passed, one would wonder about the usefulness of the tests.

Bottom line, the training of nuclear plant workers—whether they are control room operators, maintenance workers, system engineers, radiation protection specialists, security force personnel, and others—is considerably broader and better than it had been prior to Three Mile Island. Better training may not be the only reason it has been 37 years since that accident, but it certainly contributes to that outcome.

Disaster by Design

Nuclear plant worker training is vastly improved over training received four decades ago. However, it’s not time to declare “Mission Accomplished” and fold the training tent. Disaster by Design #20 earlier this year chronicled six recent events at nuclear power plants worsened by training deficiencies. Fission Stories #58 provided additional details on one of the six events.

Fission Stories #80 also provided additional details on one of the six events. The owner had eliminated training of workers for certain tasks performed during refueling. Years later, untrained workers failed to put the head back on the reactor vessel. They misunderstood both of the methods used to determine if the head was properly re-installed.

As both the NRC and the nuclear industry struggle to downsize, we hope that training programs will not be scaled back or eliminated just to save a few bucks. The Three Mile Island accident taught us the value of training. It would be irresponsible for training programs to be slashed until another accident shows us those cuts were too much.

If it ain’t broke, don’t break it.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

On the Same (Nuclear) Pages

Disaster by Design/Safety by Intent #55

Safety by Intent

Merriam-Webster defines regulation as “an official rule or law that says how something should be done” and as “the act of regulating something.”

The Energy Reorganization Act of 1974 created the Nuclear Regulatory Commission (NRC) and tasked the agency with both saying how things should be done and regulating to ensure that those things get done right. How does the NRC discharge its statutory responsibilities?

Fig. 1 (

Fig. 1 (Source: Nuclear Regulatory Commission)

Fortunately, the NRC does it way more straight-forward than they picture doing it (Fig. 1). If there’s such a thing as “circular logic,” then the NRC has discovered “circular illogic.” How do you get to Step 5? When does Step 4 backtrack to Step 3 and when does it recycle to Step 1? Can Step 5 be used to skip Step 2 from Step 1, a la Chutes and Ladders?

(The NRC’s circular squares have little to do with this commentary. But it is UCS’s policy to illustrate every web posting with at least one graphic. So it was this NRC illustration or, sigh, yet another cooling tower image. My apologies to the cooling tower enthusiasts; all three of you.)

The NRC uses regulations backed by standard review plans, regulatory guides, and official endorsements of industry guides to clearly articulate its regulatory expectations. The NRC uses publicly available inspection procedures to clearly convey how it plans to gauge compliance with its regulatory expectations. Such efforts literally put the NRC and owners on the same pages when it comes to nuclear power plant safety requirements.


The safety regulations developed by the NRC are readily available online in Title 10 of the Code of Federal Regulations. Title 10 contains dozens of parts tailored to specific aspects of nuclear safety. For example, Part 100 defines the criteria applied when locating a nuclear power reactor. Part 20 establishes the requirements that protect workers and the public from radiation. Part 50 governs the licensing of nuclear power plants. Part 73 covers the security measures needed to protect nuclear plants from radiological sabotage. And so on.

For example, Section 100.10 in Part 100 defined “Factors to be considered when evaluating sites” for proposed nuclear power reactors. Applications for reactor operating licenses had to describe the site’s seismology, meteorology, hydrology, geology and the evaluations concluding these physical characteristics posed no undue hazard to the reactor.

Regulatory Guides

The applicants for licenses and certificates from the NRC and the holders of licenses and certificates issued by the NRC have the responsibility of complying with the agency’s regulations. The NRC supplemented its regulations with Regulatory Guides that helped applicants meet their obligation through increased understanding of the regulatory expectations.

Continuing the example from Section 100.10, the NRC issued Regulatory Guide 1.70. Section of this guidance document describes the expectations for meteorology. The NRC expressed its expectation that nuclear plants be designed to accommodate the weight of snowfall from a once in 100-year event.

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

Similarly, Regulatory Guide 1.76 describes the expectations for tornadoes, including assumptions for wind speeds of 230 miles per hour for the central United States and 160 miles per hour in the western United States (Fig. 2). In addition, the guidance explains the expectations for debris transported by tornado winds and striking parts of the nuclear plant.

As reflected by the name, a regulatory guide is not born as a regulatory requirement. It can be adopted as a requirement when an owner commits to its provisions to comply with a regulation. But owners are entirely free to comply with the regulation through methods other than those described in regulatory guides. To do so, the owners need only convince the NRC that the alternate methods are comparable to, or better, than the methods in the regulatory guides.

NRC-Endorsed Industry Standards

The NRC has frequently endorsed standards developed by the industry as acceptable means of complying with its regulations. Like regulatory guides, NRC-endorsed industry standards are not born as regulatory requirements. But they can become adopted as requirements when owners commit to comply with regulations by meeting the industry standards.

“No Surprise” Regulatory Guides and Endorsed Industry Standards

Regulatory Guides and industry standards are typically developed through an iterative process. A draft will be circulated for review and comment by all parties. Drafts will be updated to incorporate comments and, if necessary, distributed for additional review and comment periods. As a result, the final regulatory guides issued by the NRC and industry standards endorsed by the NRC should reflect a common understanding between the agency and its licensees as to their contents.

Standard Review Plan

The Standard Review Plan (NUREG-0800 for nuclear power reactors) was developed to help the NRC’s reviewers determine whether applications for operating licenses properly showed compliance with applicable regulations. This “answer key” also helps applicants conduct all the homework necessary to prepare high quality submittals.

The Standard Review Plan is a valuable complement to the regulations and regulatory guides. Regulatory guides identify the NRC’s expectations for factoring meteorology into reactor siting and design decisions. The Standard Review Plan identifies the spectrum of regulations that include meteorological considerations. The regulatory guides define the tornado wind speeds and the snowfall amounts the NRC expects to be considered; the Standard Review Plan describes how these parameters are to be applied in judging the integrity of plant structures and in the radiological protection of the public following an accident.

Inspection Procedures

The NRC conducts numerous inspections at each operating nuclear plant under its Reactor Oversight Process. The owners are notified in advance about upcoming inspections and the inspection procedures are available online.

For example, in March 2016, the NRC informed the owner of the Comanche Peak nuclear plant in Texas that it planned to inspect plant modifications and 50.59 evaluations using procedure 71111.17T beginning September 12, 2016; to inspect the plant’s cooling systems or heat sink using procedure 71111.07T beginning February 6, 2017; to inspect radiation protection of workers using procedure 71124.04 beginning November 6, 2017; and to conduct 24 other inspections at the plant.

The glass-half-empty gang will point out that giving owners months of notice as well as the test questions so far in advance makes it easier for them to look good on the inspections.

The glass-half-full crowd will likely agree with this point, but will recognize that looking good on safety inspections has positive safety connotations.

Disaster by Design

Prior to joining UCS, I worked for awhile as a consultant in the engineering department for a company with two operating nuclear reactors. Engineering had issued a procedure for coatings applied to piping and equipment for protection against rusting and degradation. The procedure prohibited applying a certain epoxy to equipment inside containment. So, during a refueling outage workers unbolted a component, moved it outside containment, and applied the epoxy coating. They then moved the component back inside containment and reconnected it.

The letter of the procedure had been satisfied, but not its spirit. The reason the epoxy was banned was that following certain accidents, it could react chemically with fluid discharged into containment with harmful consequences. Fortunately, the mis-applied epoxy coating was detected and corrected before the reactor restarted from the outage.

This benign example illustrates the potentially more serious consequences that can occur when the NRC and plant owners are not on the same pages. The NRC can set the safety bar at an appropriate height to adequately manage a risk, but owners need to see the bar and understand all its associated fine print in order to facilitate compliance.

The NRC’s readily available regulations, regulatory guides, standard review plans, and inspection procedures guard against miscommunications and misinterpretations that can undermine safety.


UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Money Problems for Minuteman Replacement

Cost estimates of the plan to replace the U.S nuclear stockpile continue to increase on several fronts. The latest Arms Control Today reports that the cost of the replacement for the Minuteman III (MMIII) missile, called the ground-based strategic deterrent (GBSD), may rise to $100 billion or more.

The article cites an “informed source” who says that this brings the total cost to acquire, operate, and sustain the system over its expected 50-year life span to $238 billion.

The latest bad news for the GBSD follows a story from early September that reported a potential increase to $85 billion, a jump of 36 percent from the current estimate. Such sharp increases are raising new questions about the viability of the program and the overall budget for modernizing U.S. nuclear weapons.

With all three legs of the triad—land-based missiles, bombers, and submarines—being considered for modernization, there is concern about an approaching “bow wave” of spending on nuclear programs in the 2020s that could submerge the U.S. defense budget.

Out With the Old… An unarmed Minuteman III missile launched in an operational test from Vandenberg Air Force Base, CA, February 20, 2016. Image Michael Peterson, U.S. Air Force

An unarmed Minuteman III missile launches in an operational test from Vandenberg Air Force Base, CA. Image: Michael Peterson, U.S. Air Force

The Minuteman III, which became operational in 1970, is expected to remain operational until at least 2030. The United States currently deploys 440 of these missiles in silos on three Air Force bases scattered across five states: Montana, North Dakota, Wyoming, Nebraska and Colorado. That is down from 450 missiles deployed previously, and under the New START arms control agreement with Russia that number will be reduced to 400 deployed missiles by 2018.

Note, however, that the 50 missiles removed from deployment will not be destroyed but kept in reserve, and all 450 silos will be maintained.

A 2014 RAND study of future options for the Minuteman III concluded that incremental modernization of the existing missile would be a cost-effective alternative and should be considered. Specifically, RAND calculated at the time that incrementally modernizing the MMIII would cost $60 to $90 billion, while a new silo-based ICBM would require between $84 billion and $125 billion over a 39-year life cycle.

One potential complication with indefinitely extending the life of the existing MMIII is that the United States will eventually run out of missiles to use for testing. The time when this would happen could be extended by reducing the number of destructive tests, reducing the number of deployed missiles, or both. Moreover, given that there are questions about the long-term need to maintain these missiles at all (see discussion below), eventual depletion of the missile inventory may not be a good reason to undertake the expense of a new missile.

And In With the New

Despite these questions, however, the Air Force decided to go ahead with planning to develop and deploy a new ICBM, which it estimated in 2015 would cost $62 billion over 30 years. The GBSD is scheduled to begin deployment by 2029 and last until 2075. It will use the existing MMIII silos and launch control facilities, but will have a new missile, as well as a new command and control system. The plan is to build 666 of these new missiles (400 will be deployed) and the modernized command and control structure to go with them.

A report in early September cited a new analysis by the Pentagon’s Cost Assessment and Program Evaluation (CAPE) office, which provides independent assessments of DOD programs. The report concluded that the GBSD would instead require $85 billion: $22.6 billion for research and development, $61.5 billion for procurement, and $718 million for military construction. This is in line with the previously noted RAND estimate for a similar program.

The report also mentioned a memo from Frank Kendall, the Pentagon’s top acquisition official, which noted that, given the high level of uncertainty involved with the program, the $85 billion estimate is still assumed to be on the low end of potential costs. According to the memo, a revised final cost estimate for the program is expected in 2018, when the service has a more detailed design for the missile and a better grasp of overall costs. The more recent reporting on the program indicates Kendall’s memo did   not include the higher-end $100 billion figure from the original CAPE report. The CAPE report was prepared in support of a “milestone AAA” decision about whether to proceed with acquisition of the system, which Kendall approved on August 23.

Although earlier in the process of investigating alternatives there was talk of moving to a mobile basing system for the GBSD, the Air Force narrowed its focus to systems that would use existing silos. The RAND study estimated that a mobile-based missile would cost roughly twice as much as continuing to modernize the existing MMIII. But even though the current GBSD plan abandons the idea of mobile basing, it is not clear whether the Air Force has completely ruled out the possibility of moving to an alternative basing mode at some point. In an email from March of this year, an Air Force spokesperson said that the selected GBSD design “will provide the option for alternative modes of operation in the future.”

The Bigger Picture

In addition to the follow-on ICBM, the United States plans to replace its existing Ohio-class ballistic missile submarines and is developing a new bomber. Taken together, the cost of modernizing all three legs of the triad has been estimated at $1 trillion over the next three decades, with a large chunk of that spending coming due in the 2020s.

Given that it is U.S. policy to reduce reliance on nuclear weapons over time, the Union of Concerned Scientists and others have questioned whether all of these programs are needed. In particular, we have advocated for cancelling the proposed new nuclear-armed cruise missile, which would save $20-30 billion.

However, to significantly reduce its nuclear weapons budget in the long run, the United States would most likely have to eliminate one or more legs of the triad. The most vulnerable leg both politically and literally—in terms of its ability to withstand a Russian nuclear attack—is the land-based ICBMs. The original rationale for these missiles during the Cold War was as insurance against a first strike from Moscow. The “Minuteman” is named for its ability to launch quickly—within minutes—before the missiles could be wiped out by incoming warheads. Even if they were not launched before an attack landed, however, the missiles could still act as a “warhead sink”—if the Soviet Union/Russia wanted to take out the MMIII missiles in their widely spaced and deeply buried silos, it would have to expend a large portion of its nuclear arsenal to do so.

Now that the likelihood of a massive surprise attack is very low, and submarine-launched ballistic missiles provide a formidable deterrent force that is secure against a first strike, a number of analysts have questioned the logic behind retaining the ICBMs, much less spending billions to upgrade them. Former Defense Secretary William Perry has argued for eliminating the land-based leg of the triad, calling it “destabilizing,” and saying that ICBMs are not needed in “any reasonable definition of deterrence.”

Perry and others also argue that ICBMs are riskier than the other legs of the triad, precisely because of their ability to launch in minutes. This short time frame, combined with the decision in the most recent U.S. Nuclear Posture Review to retain options in the warplan to launch on warning, before an incoming attack can land, means that ICBMs are more vulnerable than other legs of the triad to being launched based on mistaken information. And, once launched, they cannot be recalled.

But even if the US decided to retain some ICBMs for the time being, there is nothing magical about having 400 of them. That assumes a constant number of deployed ICBMs from 2018 to 2029. Since the US submarine force provides a strong and secure deterrent, and the Pentagon sees “no viable near or mid-term threats to the survivability of U.S. SSBNs,” a much smaller number of refurbished MMIIIs would be enough to serve—along with the bomber fleet—as a hedge as the US addressed any long-term concerns about submarine vulnerability. This would greatly cut costs and provide plenty of missiles for continued testing.

Where to Cut?

The cost of nuclear modernization programs, together with plans for additional major spending on conventional weapons and a tight defense budget, means that difficult choices will need to be made, and soon. Given significant increases in the estimates for replacing the MMIII and existing skepticism over the long-term requirement for ICBMs, the GBSD may be one program that faces some serious questions.

Nuclear (Information) Power

Disaster by Design/Safety by Intent #54

Safety by Intent

Robin Morgan wrote that “Knowledge is power. Information is power.”

Among many lessons learned from the March 1979 core meltdown at Three Mile Island was the need to collect, assess, and disseminate relevant operating experience in a timely manner. In other words, nuclear information has the power to promote nuclear safety, but only when that information is shared so as to replicate good practices and eradicate bad ones. Both the Nuclear Regulatory Commission (NRC) and the nuclear industry undertook parallel efforts after Three Mile Island to improve operating experience efforts.

NRC’s Information Sharing

The centerpiece of the NRC’s operating experience efforts is its generic communications program. The NRC instituted this program before the Three Mile Island accident, but took steps following the accident to expand the program and to shorten the time between events and advisories. The NRC also lowered the threshold used to screen the information to share more operating experience with plant owners.

Fig. 1 (

Fig. 1 (Source: Nuclear Regulatory Commission)

The NRC has issued thousands of generic communications since the Three Mile Island accident. Bulletins and Generic Letters typically alert owners to a potential problem and require them to either confirm their facilities are not vulnerable or implement measures to reduce vulnerabilities. Regulatory Issue Summaries and Information Notices typically apprise owners about operating experience but do not require that the owners take specific actions in response.

Examples illustrating these various generic communications are:

  • Bulletin 2003-01, “Potential Impact of Debris Blockage on Emergency Sump Recirculation at Pressurized Water Reactors,” warned owners that a rupture inside containment of a pipe filled with steam or water could generate large amounts of debris as the high pressure fluid jetting from the broken pipe ends scoured coatings off equipment, insulation off piping, and even paint off walls. Water could carry this debris down into the concrete pit (called the sump) in the containment’s basement. The plants are designed to respond to the loss of cooling water inventory via the broken pipe using emergency pumps that transfer makeup water from external storage tanks. Before the tanks empty, the designs swap-over the pumps to get water from the containment sumps instead. The bulletin required owners to take steps as necessary to reduce the amount of debris and enhance the resistance of containment sumps to debris accumulation.
  • Generic Letter 2007-01, “Inaccessible or Underground Power Cable Failures that Disable Accident Mitigation Systems or Cause Plant Transients,” warned owners about a rash of unexpected failures of electrical cables. Many of the electrical cables had been qualified for 40 years of service, but failed before the end of their qualified lifetimes due to submergence in water. Several of the failed cables had been routed through underground metal conduits and buried concrete trenches. Groundwater or rainwater leaked into the conduits and trenches, subjecting the cable insulation to more rapid deterioration than anticipated. The generic letter required owners to provide the NRC with details about past cable failures of this nature at their facilities and to describe the inspection and testing programs used to protect against future cable failures.
  • Information Notice 2009-25, “Small Arms Firing Range Safety Issues,” warned owners about problems experienced at some plants with firing ranges used by security force personnel for weapons and tactics training. A “room clearing” exercise at one facility in May 2009 had security members shoot at “bad guy” targets. Some targets had been placed improperly with the result that some bullets escaped the firing range and hit buildings inside the security fence surrounding the plant. A similar event in December 2005 at another facility resulted in a worker inside the security fence being struck in the leg by an errant bullet.
  • Information Notice 2011-13, “Control Rod Blade Cracking Resulting in Reduced Design Lifetime,” warned owners of boiling water reactors about experience at a foreign nuclear plant. Workers discovered severe degradation of the control rods caused by irradiation-assisted stress-corrosion cracking. The control rods contain boron, a material that acts like neutron glue to govern, or even interrupt, the nuclear chain reaction rate within the reactor core. The control rods had a design lifetime based on calculations for how long it would take for their boron contends to be used up. The cracking allowed some of the boron to leach from the control rods. The information notice alerted owners of the fact that the vendor recommended imposing a limit of 54 to 60% of the boron depletion lifetime to account for the potential leaching effect.
  • Regulatory Issue Summary 2015-11, “Protective Action Recommendations for Members of the Public on Bodies of Water,” reminded owners of their obligations under Appendix E, “Emergency Planning and Preparedness for Production and Utilization Facilities,” to 10 CFR Part 50. Specifically, the regulatory issue summary reinforced the NRC’s expectation that owners’ emergency plan measures account for all affected members of the public whether on land or on water.
  • Regulatory Issue Summary 2014-12, “Decommissioning Fund Status Report Calculations—Update to Low-Level Waste Burial Charge Information,” informed owners that they could use data in Revision15 of NUREG-1307, “Report on Waste Burial Charges: Changes in Decommissioning Waste Disposal Costs at Low-Level Waste Burial Facilities,” in preparing periodic funding status reports required by 10 CFR 50.75(f). Owners are required to estimate the cost of decommissioning their facilities based on (1) labor rates, (2) energy costs, and (3) low-level waste disposal costs. The U.S. Department of Labor periodically publishes data on labor and energy costs that owners can use. The regulatory information summary identified a source of low-level waste disposal cost data acceptable to the NRC.

Nuclear Industry’s Information Sharing

The nuclear industry formed the Institute for Nuclear Power Operations (INPO) in December 1979 as part of its responses to the Three Mile Island accident. Information sharing is one of several functions performed by INPO to support the nuclear industry.

Like the NRC’s information sharing efforts, INPO collects information about problems encountered at one plant and shares it with other owners. Unlike the NRC’s efforts, INPO also collects information about solutions and successes enjoyed at one plant and shares them as good practices with other owners, too. It is as important to know how to do something right as it is to know how to do it wrong. (I am unable cite any specific INPO reports on operating experience because they are deemed top secret materials, nearly as tightly controlled as the launch codes for U.S. nuclear weapons and the original recipe for Kentucky Fried Chicken.)

INPO’s Equipment Performance Information Exchange (EPIX) program collects information on component failures. A few years ago, researchers at the Idaho National Laboratory used the EPIX database entries from 1998 to 2007 to examine emergency diesel generator (EDG) reliability.

Fig. 2 (

Fig. 2 (Source: Idaho National Laboratory)

The decade of data provided the researchers with insights such as what EDG components resulted in failures to start (FTS). The usual suspect was I&C—instrumentation and controls or the control circuits. The researchers also examined failure modes and rates for the EDGs supplied by various manufacturers to the nuclear industry.

The EPIX database also provides inputs to the probabilistic risk assessments (PRAs) developed by the owners for their plants. The PRAs estimate the likelihoods that emergency systems successfully perform their safety role to protect workers and the public during postulated accidents. The EPIX database allows PRA developers to specify performance data (e.g, failure to operate upon demand, malfunction during operation, etc.) for the individual components that must function for the emergency systems to do their thing. Because the EPIX database contains information spanning the entire fleet of operating reactors, it provides a more statistically significant foundation for equipment reliability forecasts than can be derived from even lots of valves at a single reactor.

If Information is Power, Information Sharing is Powerful Protection

The operating experience efforts by the NRC and the nuclear industry share information about equipment malfunctions and worker miscues. Sharing allows all owners to benefit from each individual owner’s lessons rather than postponing that benefit until after learning the lesson the harder way.

It is commendable that the operating experience efforts seek to reduce the recurrence of malfunctions and miscues even from those that did not result in serious consequences. Doing so increases the reliability of each barrier in the defense-in-depth approach to nuclear safety, making it less and less likely that all the barriers will fail someday and result in a nuclear accident.

Disaster by Design

The NRC’s generic communications cited above illustrate the challenge to successful operating experience programs. Each generic communication describes several malfunctions or miscues. There are very, very few “first time” operating experience reports. Instead, there are countless sequels to prior reports and innumerable updated collections of past faux pas. The challenge is in making steps taken today in response to an operating experience report durable enough to remain effective next year and next decade. An associated challenge involves ensuing that the “fix” for today’s operating experience report does not undermine the “fix” to last year’s operating experience report.

Information is power. But information sharing is not absolute power. Information sharing must be complemented by adequate training regimes, effective configuration control programs, and all the other niceties of proper management oversight. The safety chain is only as strong as its weakest link. Successful operating experience programs can help avoid links being unduly weakened.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Setting the Nuclear Safety Bar

Disaster by Design/ Safety by Intent #53

Safety by Intent

Disaster by Design/Safety by Intent #52, last week’s commentary, described the timely and effective response by the Nuclear Regulatory Commission (NRC) to the unexpected discovery of cracked control rod drive mechanism (CRDM) nozzles at the Oconee nuclear plant in South Carolina. Soon after being surprised, the NRC determined who needed to do what when in order to properly resolve the safety problem. When the phased actions were taken, the results confirmed that the NRC’s triage was appropriate.

This commentary expands upon a theme implied in last week’s commentary—namely, that the NRC does a good job setting the nuclear safety bar at the Goldilocks height: not too low to expose workers and the public to undue risk, not too high to impose undue costs on plant owners, but just right.

Nuclear power safety was one of the first areas that UCS took on following our formation in May 1969. Over the ensuing four decades, UCS often advocated for nuclear safety fixes. The campaigns undertaken by Bob Pollard, my predecessor at UCS, during his tenure between 1976 and 1996 and those we undertook since my joining the organization in fall 1996 share a recurring theme—the overwhelming majority did not contend that the nuclear safety bar was set too low and needed to be raised. Instead, the overwhelming majority of our campaigns sought to bring one or more reactors back to the safe, and legal, side of the bar.

Once the safety bar is set, the limbo beneath it must not be an option.

NRC Lessons Learned Task Force

The NRC’s successful response to the CRDM nozzle cracking problem was tainted by how it mismanaged the problem at Davis-Besse. Among many remedies undertaken in the wake of that debacle, the NRC formed a Lessons Learned Task Force (LLTF) chartered with recommending ways to avoid the next Davis-Besse.

The LLTF made 51 recommendations in its report dated September 30, 2002 (Figs. 1, 2, 3). The majority of the recommendations outlined things the NRC should do to better enforce existing regulatory requirements.

Fig. 1 (

Fig. 1 (Source: Nuclear Regulatory Commission)

For example, Recommendation 3.1.2(1) sought to have the NRC verify that plant owners had implemented effective measures to address safety issues identified through the NRC’s generic communications program. And Recommendation 3.2.1(3) sought to have the NRC inspect plant procedures used by workers in response to indications of reactor coolant leakage.

Only four of the fifty-one (less than 8%) recommendations suggested evaluating whether the safety bar needs to be raised. Those four recommendations were:

Recommendation 3.1.5(1): The LLTF recommended that the NRC evaluate whether to require that leakage detection capabilities were upgraded to better handle low leak rates. The degradation at Davis-Besse was caused by a small leak over several years.

Recommendation 3.2.1(1): The LLTF recommended that the NRC should upgrade regulatory requirements for reactor coolant leakage. Existing requirements did not allow any reactor coolant pressure boundary leakage, a small amount of unidentified leakage, and a slightly larger amount of identified leakage. Workers at Davis-Besse, and other pressurized water reactors, tend to assign leaks to the latter two bins when the reactor is operating. Reactor coolant pressure boundary leaks are typically only determined when the reactor is shut down. When any one of the three limits is exceeded, the reactor must be shut down within hours. The LLRT sought to address the disconnect between the reactor coolant pressure boundary leak limit being the most stringent, but least followed, safety requirement.

Fig. 2(

Fig. 2(Source: Nuclear Regulatory Commission)

Recommendation 3.2.4(1): The LLTF recommended that the NRC should evaluate its requirements that plant owners review operating experience. The leaks at Davis-Besse had been preceded by similar leaks at Oconee (SC), Turkey Point (FL), Salem (NJ), and Bugey (France) Davis-Besse’s owner was aware of these prior events, but was under no obligation to take steps to prevent them from happening at their plant in response to that awareness.

Fig. 3 (

Fig. 3 (Source: Nuclear Regulatory Commission)

Recommendation 3.3.4(9): The LLTF recommended that the NRC require that owners of reactors with non-standard limits on reactor coolant leakage revise the limits to conform with the standard requirements.

The LLTF’s recommendations implicitly reveal the agency’s determination that the near-miss at Davis-Besse was not caused by ineffective and inadequate regulatory requirements, but rather by ineffective and inadequate enforcement of existing requirements. The LLTF’s recommendations did not seek to raise the safety bar, but to better ensure that reactors operated on the proper side of that bar.

To cite another determination by another entity, the Government Accountability Office (GAO) examined the NRC’s oversight efforts at the request of the U.S. Congress after TIME magazine featured a cover story in March 1996 on the agency’s shortcomings at Millstone (CT). The GAO concluded that “NRC has not taken aggressive enforcement action to force the licensees to fix their long-standing safety problems on a timely basis. As a result, the plants’ conditions have worsened, making safety margins smaller.”

Time and again, TIME and others have found that safety problems at U.S. nuclear power plants have been caused by non-compliance with regulatory requirements. This recurring findings are tacit endorsements that the regulatory requirements are appropriate; what is inappropriate is non-compliance with them.

Disaster by Design

The NRC’s mission is to establish and enforce regulatory requirements that protect workers and the public. The record is clear that the NRC does a fine job with the first part of its important mission but struggles to do as well with the second part.

Both parts must be successfully performed before the NRC can proclaim “Mission Accomplished.”


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.

Sputnik Revisited

Fifty-nine years ago today, the Soviet Union launched Sputnik into orbit, setting off a panic in the United States that contributed to the evolution of a “space race” between the two superpowers.

Last week, Congress held a hearing on the question of whether the United States was losing a new space race with China. Unfortunately, the witnesses seemed more interested in re-creating the alarmism of the Sputnik era rather than offering Congress an accurate picture of the Chinese space program. This raises doubts about the value of the hearing’s contribution to congressional perspectives on US-China relations in space.


Cooperation vs. Competition

One of the questions discussed during the hearing was whether to permit cooperation in space between China and the United States.  Science is an inherently collaborative enterprise. Knowledge grows faster when you divide the labor of learning and share the results. That’s especially true in space science because the satellites used to observe and measure the space environment are expensive to develop and deploy. China has the economic and technical resources to make important contributions to our understanding of the Earth, the solar system and the wider universe in which we live.  So it is not surprising that many US space scientists would welcome opportunities for greater cooperation with colleagues in China.

Unfortunately, the US Congress restricts scientific cooperation with China in space, in part because of concerns that US scientists might share knowledge or technology with military applications.

Space technology is inherently dual use. Satellites that observe the Earth’s atmosphere, lands, and oceans are valuable to farmers and the soldiers they feed. Communication satellites may carry military commands right along side the TV signals for Monday Night Football. GPS satellites can help guide you to grandma’s house or guide a missile to its target. So Congressional concern about US-China cooperation is appropriate.

But the testimony given during the hearing did not address this dual use problem. It did not even discuss Chinese satellite technology.

Instead, the hearing focused on the history of human space flight, one of the few areas of space activity with no demonstrable military applications. Yet the consensus of the witnesses and most of the members of Congress who invited their testimony was that—although China’s human space flight program is just now reaching milestones the United States passed in the 1970s—Chinese progress in human space flight is a serious threat to US national power and international prestige. Through their eyes, cooperating in space with a geopolitical competitor appeared ill-advised.

Substance vs. Symbolism

The witnesses argued that winning this symbolic competition for geopolitical influence was the driving force behind the Chinese space program. The historical evidence they offered to support this assertion was sparse: a 4-character slogan (两弹一星) from the Maoist era and a 16 character comment on technology policy spoken by Deng Xiaoping in the early 1980s (军民结合,平战结合,军品优先,以民养军).

Yet, neither had anything to do with human spaceflight. The 4-character slogan refers to Maoist China’s program to develop nuclear weapons and launch a satellite. The latter refers to his successor’s effort to rebalance national investments in science and technology. The witnesses implied Deng shifted that balance in favor of the military and national security. A more detailed and careful look at Chinese history—and especially the history of its space program—suggests the exact opposite.

Deng cancelled China’s fledging human spaceflight program in August of 1978. He said that China “should not participate in the space race” and instead should “focus our energies on urgently needed practical satellite applications.” China’s human spaceflight program did not resume until 1991, and it did not become a priority in space-related funding until 1999.

Moreover, the “urgently needed” satellite application that motivated Deng wasn’t connected to the military or China’s international prestige. Deng told his space scientists that China needed a communication satellite for a distance learning program intended to resuscitate an education system decimated by the anti-intellectual purges of Mao’s Cultural Revolution (1966-1976). Deng’s sense of urgency was so great he suggested that if China’s scientists and engineers couldn’t put a communication satellite in space in a reasonable amount of time, China should buy one from the United States.

One of the late Chinese leader’s most famous political aphorisms was, “It doesn’t matter if the cat is black or white, a good cat catches mice.” Deng’s pragmatism certainly seems to have guided Chinese space policy, which was focused on developing the domestic economy, not defeating the United States in a symbolic political competition over the future of human spaceflight.

Civilian vs. Military

The rebalance of Chinese investments in science and technology from military to civilian projects is reflected in China’s military spending. Deng established guidelines that fixed Chinese military expenditures at approximately 2% of China’s national GDP. Those guidelines still hold.


Source: Stockholm International Peace Research Institute (SIPRI) https://www.sipri.org/databases/milex

The point of Deng’s 16-character expression was that by shifting priorities in science and technology investment towards education and civilian projects China could, over the long term, develop the economic capacity to support a strong military. And Deng was right. China’s overall spending on its military has grown significantly while remaining a comparatively low percentage of its total GDP because China’s total GDP grew by more than 10% per year for more than twenty years.

Chinese investments in space technology follow the same pattern. The central focus of China’s space program is basic satellite technology, not human spaceflight. China now maintains robust constellations of earth observation, communication, navigation and data relay satellites that serve both civilian and military needs. At the same time China is opening a new space port and a building a new generation of wide-bodied rockets that can carry heavier payloads into space, indicating the rate of increase in the number of functioning Chinese satellites will continue to accelerate.

Friendship vs. Fear

The witnesses assumed, apparently based on a spotty understanding of its history, that the Chinese space program is driven by the malicious ambition of displacing the United States as the dominant world power. They warned Congress that human spaceflight was an important barometer of national power and that the United States could not afford to be perceived to be losing a human space race to China. In the words of one of the witnesses, “The day that the Chinese land a human being on the Moon…is the day that American uniqueness will be openly challenged and Chinese prestige will be placed on the same level of that as the United States.”

Despite persistent rumors, China has not yet decided to pursue a human lunar mission. For the present, the terminal goal of its human spaceflight program is the construction of a space station in low earth orbit. They’ll be working on achieving that goal for quite awhile. This is something the United States first did in 1973.

The witnesses did not seem to understand that the two Tiangong spacecraft China has placed in orbit are not space stations. They are experimental craft meant to test the various technologies China will need to eventually construct its space station. Construction will begin only after the Tiangong phase of the program is complete. China hopes to begin the construction of its space station station in the early 2020s, and they plan to operate that station for 8 to 10 years.

Chinese space scientists and engineers are conducting feasibility studies for human missions to the moon. One of the options under consideration is joint missions with other nations. Yang Liwei, China’s first space traveler and a vice director of the human spaceflight office, said that China remains open to cooperation in human spaceflight with the United States.

Another solution to the supposed geopolitical image problem of a Chinese person landing on the moon might be to have an American land with her. Instead of following the witnesses’ misguided advice, and wasting precious US space exploration funding on a vain effort to “beat” China to a destination US astronauts visited nearly fifty years ago, organizing a joint mission with a capable new partner might be a better way to demonstrate US leadership in space, and on Earth.

Rapid Regulator Response

Disaster by Design/ Safety by Intent #52

Safety by Intent

The discovery of significant corrosion to the reactor vessel head at the Davis-Besse nuclear plant in Ohio gave the Nuclear Regulatory Commission (NRC) a figurative black eye. On the same day in April 2002 that the NRC announced it rated Davis-Besse one of the top performing nuclear plants in the country, the agency reported that the corrosion spanning several years at the plant had compromised safety margins more than any event since the Three Mile Island accident in March 1979.

The well-deserved black eye overshadowed what had been stellar performance by a regulator with eyes wide open seeing a safety problem and swiftly acting to effectively resolve it in a timely manner. Prior commentaries have chronicled the NRC’s shortcomings. This commentary covers the history before the NRC snatched defeat from the jaws of victory.

Oconee Eye-Opener

In March 2001, workers at the Oconee nuclear plant in South Carolina saw something neither they nor workers at the nation’s other pressurized water reactors expected to ever see—signs that water had leaked from the reactor vessel from cracks in the control rod drive mechanism (CRDM) nozzles that penetrated the dome-shaped head.

The control rods that regulate the power produced by the reactor core are connected by long metal poles to their motors mounted on a service platform above the reactor vessel head. These poles pass through the CRDM nozzles. The CRDM nozzles function as sleeves allowing the motors to move the poles as necessary to withdraw or insert control rods (Fig. 1).

Fig. 1 (

Fig. 1 CRDM nozzle (Source: Nuclear Regulatory Commission)

The upper ends of the CRDM nozzles had flanges where the control rod drive mechanisms were bolted on. The flanged connections provided tight seals to prevent water inside the CRDM nozzles from leaking out. To prevent water from leaking out of the vessel around the edges of the CRDM nozzles, the lower ends of the nozzles are connected to the inner surface of the head by what are called J-groove welds. The CRDM nozzles are vertical whereas the head’s inner surface is curved. While the angles between the CRDM nozzle and the inner surface varied depending on whether the CRDM was near the center or nearer the edge of the head, the J-groove weld located at these intersections was believed to be where forces caused by expansion and contraction of metals being heated up and cooled down would be the largest.

Stress corrosion cracking is a longstanding problem in pressurized water reactors. Impurities in the water can find microscopic crevices in the metal walls and head of the reactor vessel. These impurities can start a corrosion process that gets accelerated by forces on the metal from thermal stresses. Because they were clearly the places where stresses were the largest, the standard industry practice reviewed and accepted by the NRC was to only inspect the J-groove welds and not examine the rest of the CRDM nozzles. The theory was that if the J-groove welds did not exhibit evidence of significant stress corrosion cracking, the remaining low-stress portions of the CRDM nozzle would be in even better condition.

But cracks formed in the CRDM nozzles at Oconee above the J-groove weld areas that were being inspected. The cracks grew slowly over time until they passed entirely through the walls of some CRDM nozzles, allowing water to leak out.

Nuclear plants have multiple means to detect leakage—radiation detectors that sense radioactive gases or particles within the leaked water, humidity detectors that sense the increasing amount of moisture inside containment, and level detectors that sense more water entering collection sumps in the containment’s basement. The cracks at Oconee were large enough to allow water to leak out, but small enough to limit the leak rate to below that amount that can be detected.

The leakage had entirely stopped by the time workers conducted their inspections at Oconee. The reactor had been shut down, depressurized, and the head removed to allow spent fuel assemblies in the reactor core to be replaced with fresh fuel. There was no longer pressure over 2,000 pounds per square inch to force water through the tiny cracks in the CRDM nozzles.

Fig. 2 (

Fig. 2 (Source: Nuclear Regulatory Commission)

So workers did not see water spurting through the nozzles or observe puddles on the floor. Instead, they saw “collars” of white powder on the outer surface of the head surrounding some of the CRDM nozzles (Fig. 2). The water in pressurized water reactors is borated to help control the reactor power level. Boric acid is dissolved into the water. Workers can adjust the boron concentration of the water during reactor operation to compensate for fuel depletion and other factors. As water leaking from the CRDM nozzles evaporated, boric acid in the form of white powder was left behind as tell-tale evidence of a cracked and leaking nozzle.

NRC’s Ad Hoc Triage

Because cracks in CRDM nozzles outside of the J-groove weld region were unanticipated, neither the nuclear industry nor the NRC had a pre-planned response ready to go. Consequently, the NRC was forced to figure what was causing the unexpected cracking, which reactors might be particularly susceptible to cracking, and what to do about it to prevent it from undermining safety. Answering these questions would require considerable homework, and safety dictated that the NRC not take too long to find the answers.

Fortunately, while CRDM nozzle cracking outside of the J-groove weld regions was unanticipated, the factors contributing to cracks forming and growing in reactor vessel materials had received considerable attention by the nuclear industry and the NRC. The nuclear industry instituted the Materials Reliability Program (MRP) in the late 1990s. The NRC had closely monitored the development and implementation of this program. The MRP’s efforts included defining guidance on what components to inspect and how best to inspect them as well as methods to mitigate the initiation and growth of cracks.

The NRC issued Bulletin 2001-01, “Circumferential Cracking of Reactor Vessel Head Penetration Nozzles,” on August 3, 2001, to the owners of U.S. pressurized water reactors. The NRC required that owners look to see whether CRDM nozzles at their reactors also had the unexpected cracking.

The bulletin reflected a timely response by the NRC. The bulletin was issued roughly five months after the cracking problem first surfaced, but in time for owners to incorporate any additional inspections into reactor refueling outages already scheduled for the fall of 2001.

The bulletin also demonstrated thoughtful triage by the NRC. The bulletin did not require that all owners take the same measures on the same timeframe. Instead, it required that all owners take the appropriate measures to address the problem. The bulletin established a process to be used to determine how susceptible individual reactors were to CRDM nozzle cracking. More susceptible reactors had to take more steps more expeditiously. Less susceptible reactors needed to take steps, but at a justifiably slower pace.

NRC’s 20/20 Vision

The NRC required the owners of the most susceptible reactors to inspect their CRDM nozzles by December 31, 2001, even if an outage that fall had not been planned. The NRC permitted owners of less susceptible reactors to inspect their CRDM nozzles at later times, but required them to review past inspection records to confirm that no signs of degradation had been identified.

Fig. 3 (

Fig. 3 (Source: NRC 2002 Regulatory Information Conference)

The CRDM nozzle inspections at the more susceptible reactors proved the NRC to have 20/20 vision. Eight of the top twelve most susceptible reactors had cracked CRDM nozzles that were leaking cooling water (Fig. 3). A ninth reactor had cracked CRDM nozzles, but the cracks had not yet penetrated all the way through the nozzles’ walls and leaked.

NRC’s Sustained Oversight

A little over a month after the NRC issued Bulletin 2001-01, terrorists piloted hijacked aircraft into the World Trade Center and the Pentagon. The NRC responded to the tragic events by identifying measures to be taken by owners to lessen nuclear plant vulnerabilities to sabotage attacks. My review of the CRDM nozzle cracking documents and the post-9/11 security documents did not find any evidence or even hints that either effort was hampered by insufficient resources or management oversight. Instead, it was clear that the NRC had the capacity and wherewithal to sustain the CRDM nozzle response plan while embarking on an equally important security response plan.

NRC’s Overlooked Success

Had it not been for Davis-Besse, the NRC’s response to the CRDM nozzle cracking reported at Oconee would have been an unqualified regulatory success. The agency responded quickly to an emerging hazard by accurately defining susceptibility of other reactors to this shared threat and requiring owners to take actions within timeframes determined by the identified threat level. As plant owners took the steps mandated by the NRC, the results confirmed that the NRC’s response plan was spot on.

Disaster by Design

The NRC properly identified Davis-Besse among the twelve reactors most susceptible to CRDM nozzle cracking. Davis-Besse appears as the green circle amid the red triangles on the left-hand side of the “Inspection Confirm Rankings” graphic (Fig. 3). It was the seventh most susceptible pressurized water reactor to this safety problem. The NRC had required that Davis-Besse’s CRDM nozzles be inspected by December 31, 2001. But the NRC granted the owner’s request to postpone the safety inspections until spring of 2002. When the deferred safety inspections were finally conducted, Davis-Besse went from being green circle on the graphic to a red triangle the size of the Great Pyramid.

After determining that highly susceptible reactors needed to do X, Y, and Z by a specified deadline for safety reasons, the NRC should not accept less than X, Y, and Z by that deadline. Setting a safety bar and then allowing reactors to limbo beneath it invites disaster—and Three Mile Island, Chernobyl, and Fukushima show that disaster sometimes accepts the invitation.


UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.