UCS Blog - All Things Nuclear (with images) - Latest 1

Marijuana and Nuclear Power Plants

The Nuclear Regulatory Commission (NRC) adopted regulations in the mid-1980s seeking to ensure that nuclear power plant workers are fit for duty. The NRC’s regulations contained provisions seeking to verify that workers were trustworthy and reliable as well as measures intended to prevent workers from being impaired on duty. The former measures included background checks before workers could gain access to the plant while the latter components included drug and alcohol testing.

The regulations require that nuclear plant owners test workers for marijuana and alcohol use at the time of hiring, randomly thereafter, and for cause when circumstances warrant it. In 2014, marijuana use was the #1 reason for positive drug and alcohol tests by contractors and vendors and was the #2 reasons for positive tests by nuclear plant employees. Positive tests for alcohol are the #1 reason for positive tests by employees and the #2 reason for positive tests by contractors and vendors. A positive test may not be a career killer, but it is often a career crimper.

Fig. 1 (Source: Nuclear Regulatory Commission)

Alcohol can be legally purchased and consumed in all 50 states. So, mere detection of having used alcohol will not result in a positive test. But detection of a blood alcohol concentration of 0.04 percent or higher yields a positive test. People have different metabolisms and alcoholic beverages come in different sizes, but that threshold is often equated to having consumed one alcoholic beverage within five hours of the test. Similar to the reason that states require motorists to not drive under the influence of alcohol (i.e., don’t drink and drive), the NRC’s regulations seek to control alcohol consumption by workers (i.e, don’t drink and operate nuclear plants.)

Unlike the reason for the alcohol controls, the NRC’s ban on marijuana use is not because it might make them more likely to make mistakes or otherwise impair their performance, thus reducing nuclear safety levels. The NRC banned marijuana use because at the time marijuana was an illegal substance in all 50 states and its criminal use meant that workers fell short of the trustworthiness and reliability standards in the fitness for duty regulation. Since the NRC adopted its regulation, 8 states have legalized recreational use of marijuana and another 12 states have decriminalized its use.

Fig. 2 (Source: NORML)

The NRC recognized that marijuana’s legalization creates potential problems with its fitness for duty regulation. If an individual uses marijuana in a state that has legalized or decriminalized its use but tests positive at a nuclear plant in a state where its use is not legal, is the individual sufficiently trustworthy and reliable? In the eyes of the NRC, the answer remains yes.

Fig. 3 (Source: Nuclear Regulatory Commission)

The NRC conceded that no comparable scientific basis links marijuana use to performance impairment as existed when the alcohol limits were established. But the NRC continues to consider marijuana use as indicating one lacks the trustworthiness needed to work in a nuclear power plant.

The NRC is in a hard spot on this one. Revising its regulations to eliminate marijuana as a disqualifier for working in a nuclear power plant would likely spawn news reports about the agency permitting Reefer Madness at nuclear plants. But the country’s evolving mores are undermining the basis for the NRC’s regulation.

Nuclear Plant Cyber Security

There has been considerable media coverage recently about alleged hacking into computer systems at or for U.S. nuclear power plants. The good news is that the Nuclear Regulatory Commission (NRC) and the nuclear industry are not merely reacting to this news and playing catch-up to the cyber threat. The NRC included cyber security protective measures among the regulatory requirements it imposed on the nuclear industry in the wake of 9/11. The hacking reported to date seems to have involved non-critical systems at nuclear plants as explained below.

The bad news is that there are bad people out there trying to do bad things to good people. We are better protected against cyber attacks than we were 15 years ago, but are not invulnerable to them.

Nuclear Plant Cyber Security History

The NRC has long had regulations in place requiring that nuclear plant owners take steps to protect their facilities from sabotage by a small group of intruders and/or an insider. After 9/11, the NRC issued a series of orders mandating upgrades to the security requirements. An order issued in February 2002 included measures intended to address cyber security vulnerabilities. An order issued in April 2003 established cyber attack characteristics that the NRC required owners to protect against.

The orders imposed regulatory requirements for cyber security on nuclear plant owners. To help the owners better understand the agency’s expectations for what it took to comply with the requirements, the NRC issued NUREG/CR-6847, “Cyber Security Self-Assessment Method for U.S. Nuclear Power Plants,” in October 2004; Regulatory Guide 5.71, “Cyber Security Programs for Nuclear Facilities,” in January 2010; NUREG/CR-7117, “Secure Network Design,” in June 2012; and NUREG/CR-7141, “The U.S. Nuclear Regulatory Commission’s Cyber Security Regulatory Framework for Nuclear Power Reactors,” in November 2014. In parallel, the Nuclear Energy Institute developed NEI-08-09, “Cyber Security Plan for Nuclear Power Reactors,” in April 2010 that the NRC formally endorsed as an acceptable means for conforming to the cyber security regulatory requirements.

First Step: NANA

Anyone who has read more than one report about the U.S. nuclear power industry will appreciate that NANA was a key step in the road to cyber security regulations—Need A New Acronym. The nuclear industry and its regulator need to be able to talk in public without any chance of the public following the conversation, so acronyms are essential elements of the nukespeak. Many FTEs (full-time equivalents, or NRC person-hours) went into the search for the new acronym, but the effort yielded CDA—Critical Digital Assets. It was a perfect choice. Even if one decoded the acronym, the words don’t give away much about what the heck it means.

Finding CDA Among the NCDA, CAA, and NCAA

Armed with the perfect acronym, the next step involved distinguishing CDA from non-critical digital assets (NCDA), critical analog assets (CAA), and non-critical analog assets (NCAA, sorry college sports enthusiasts). Doing so is an easy three-step process.

Step 1: Inventory the Plant’s Digital Assets

The NRC bins the digital assets at a nuclear power plant into the six categories shown in Figure 1. Security systems include the computers that control access to vital areas within the plant, sensors that detect unauthorized entries, and cameras that monitor restricted areas. Business systems include the computers that enable workers to access PDFs of procedures, manuals, and engineering reports. Emergency preparedness systems include the digital equipment used to notify offsite officials of conditions at the plant. Data acquisition systems include sensors monitoring plant parameters and the equipment relaying that information to gauges and indicators in the control room as well as to the plant process computer. Safety systems could include the equipment detecting high temperatures or smoke and automatically initiate fire suppression systems. Control systems include process controllers that govern the operation of the main turbine or regulate the rate of feedwater flow to the steam generators (pressurized water reactors) or reactor pressure vessels (boiling water reactors). The first step has owners inventorying the digital assets at their nuclear power plants.

Fig.1 (Source: Nuclear Regulatory Commission)

Step 2: Screen Out the Non-Critical Systems, Screen in the Critical Systems

Figure 2 illustrates the evaluations performed for the inventory of digital assets assembled in Step 1 to determine which systems are critical. The first decision involves whether the digital asset performs a safety, security, or emergency preparedness (SSEP) function. If not, the evaluation then determines whether the digital asset affects, supports, or protects a critical system. If the answer to any question is yes, the digital asset is a critical system. If all the answers are no, the digital asset is a non-critical system.

Fig. 2 (Source: Nuclear Regulatory Commission)

Step 3: Screen Out the NCDA, Screen in the CDA

Figure 3 illustrates the evaluations performed for the inventory of critical systems identified in Step 2 to determine which are critical digital assets. The first decision involves whether the critical system performs a safety, security, or emergency preparedness (SSEP) function. If not, the evaluation determines whether the critical system affects, supports, or protects a critical asset. If the answer to any question is yes, the critical system is a critical digital asset. If all the answers are no, the critical system is a non-critical digital asset.

Fig. 3 (Source: Nuclear Regulatory Commission)

Remaining Steps

Once the CDAs are identified, the NRC requires that owners use defense-in-depth strategies to protect workers and the public from harm caused by a cyber-based attack. The defense-in-depth protective layers are:

  • Prompt detection and response to a cyber-based attack
  • Mitigating the adverse consequences of a cyber-based attack
  • Restoring CDAs affected by a cyber-based attack
  • Correcting vulnerabilities exploited by a cyber-based attack

The Power of One (Bad Person)

The NRC instituted cyber security regulatory requirements many years ago. The NRC’s inspectors have assessed how effectively measures undertaken by plant owners conform to these requirements. Thus, the U.S. nuclear industry does not have to quickly develop protections against cyber attacks in response to recent reports of hacking and attacking. The job instead is to ensure required protections remain in place as effectively as possible.

Unfortunately, digital technology can also broaden the potential harm caused by an insider. The NRC’s security regulations have long recognized that an insider might attempt sabotage alone or in conjunction with unauthorized intruders. In what the military terms a “force multiplier,” digital technology could enable the insider to attack multiple CDAs. The insider could also supply passwords to the outside bad guys, saving them the trouble of hacking and the risk of detection.

The hacking of computer systems by outsiders made news. The mis-use of CDAs by an insider can make for grim headlines.

Cooper: Nuclear Plant Operated 89 Days with Key Safety System Impaired

The Nebraska Public Power District’s Cooper Nuclear Station about 23 miles south of Nebraska City has one boiling water reactor that began operating in the mid-1970s to add about 800 megawatts of electricity to the power grid. Workers shut down the reactor on September 24, 2016, to enter a scheduled refueling outage. That process eventually led to NRC special inspections.

Following the outage, workers reconnected the plant to the electrical grid on November 8, 2016, to begin its 30th operating cycle. During the outage, workers closed two valves that are normally open when while the reactor operates. Later during the outage, workers were directed to re-open the valves and they completed paperwork indicating the valves had been opened. But a quarterly check on February 5, 2017, revealed that both of the valves remained closed. The closed valves impaired a key safety system for 89 days until the mis-positioned valves were discovered and opened. The NRC dispatched a special inspection team to the site on March 1, 2017, to look into the causes and consequences of the improperly closed valves.

The Event

Workers shut down the reactor on September 24, 2016. The drywell head and reactor vessel head were removed to allow access to the fuel in the reactor core. By September 28, the water level had been increased to more than 21 feet above the flange where the reactor vessel head is bolted to the lower portion of the vessel. Flooding this volume—called the reactor cavity or refueling well—permits spent fuel bundles to be removed while still underwater, protecting workers from the radiation.

With the reactor shut down and so much water inventory available, the full array of emergency core cooling systems required when the reactor operates was reduced to a minimal amount. The reduction of systems required to remain in service facilitates maintenance and testing of out-of-service components.

In the late afternoon of September 29, workers removed Loop A of the Residual Heat Removal (RHR) system from service for maintenance. The RHR system is like a nuclear Swiss Army knife—it can supply cooling water for the reactor core, containment building, and suppression pool and it can provide makeup water to the reactor vessel and suppression pool. Cross-connections enable the RHR system to perform so many diverse functions. Workers open and close valves to transition from one RHR mode of operation to another.

As indicated in Figure 1, the RHR system at Cooper consisted of two subsystems called Loop A and Loop B. The two subsystems provide redundancy—only one loop need function for the necessary cooling or makeup job to be accomplished successfully.

Fig. 1 (Source: Nebraska Public Power District, Individual Plant Examination (1993))

RHR Loop A features two motor-driven pumps (labeled P-A and P-C in the figure) that can draw water from the Condensate Storage Tank (CST), suppression chamber, or reactor vessel. The pump(s) send the water through, or around, a heat exchanger (labeled HX-A). When passing through the heat exchanger, heat is conducted through the metal tube walls to be carried away by the Service Water (SW) system. The water can be sent to the reactor vessel, sprayed inside the containment building, or sent to the suppression chamber. RHR Loop B is essentially identical.

Work packages for maintenance activities include steps when applicable to open electrical breakers to de-energize components and protect workers from electrical shocks and close valves to allow isolated sections of piping to be drained of water so valves or pumps can be removed or replaced. The instructions for the RHR Loop A maintenance begun on September 29 included closing valves V-58 and V-60. These are valves that can only be opened and closed manually using handwheels. Valve V-58 is in the minimum flow line for RHR Pump A while V-60 is in the minimum flow line for RHR Pump C. These two minimum flow lines connect downstream of these manual valves and then this common line connects to a larger pipe going to the suppression chamber.

Motor-operated valve MOV-M016A in the common line automatically opens when either RHR Pump A or C is running and the pump’s flow rate is less than 2,731 gallons per minute. The large RHR pumps generate considerable heat when they are running. The minimum flow line arrangement ensures that there’s sufficient water flow through the pumps to prevent them from being damaged by overheating. MOV-M016A automatically closes when pump flow rises above 2,731 gallons per minute to prevent cooling flow or makeup flow from being diverted.

The maintenance on RHR Loop A was completed by October 7. The work instructions directed operators to reopen valves V-58 and V-60 and then seal the valves in the opened position. For these valves, sealing involved installing a chain and padlock around the handwheel so the valve could not be repositioned. The valves were sealed, but mistakenly in the closed rather than opened position. Another operator independently verified that this step in the work instruction had been completed, but failed to notice that the valves were sealed in the wrong position.

At that time during the refueling outage, RHR Loop A was not required to be operable. All of the fuel had been offloaded from the reactor core into the spent fuel pool. On October 19, workers began transferring fuel bundles back into the reactor core.

On October 20, operators declared RHR Loop A operable. Due to the closed valves in the minimum flow lines, RHR Loop A was actually inoperable, but that misalignment was not known at the time.

The plant was connected to the electrical grid on November 8 to end the refueling outage and begin the next operating cycle.

Between November 23 and 29, workers audited all sealed valves in the plant per a procedure required to be performed every quarter. Workers confirmed that valves V-58 and V-60 were sealed, but failed to notice that the valves were sealed closed instead of opened.

On February 5, 2017, workers were once again performing the quarterly audit of all sealed valves. This time, they noticed that valves V-58 and V-60 were not opened as required. They corrected the error and notified the NRC about its discovery.

The Consequences

Valves V-58 and V-60 had been improperly closed for 89 days, 12 hours, and 49 minutes. During that period, the pumps in RHR Loop A had been operated 15 times for various tests. The longest time that any pump was operated without its minimum flow line available was determined to be 2 minutes and 18 seconds. Collectively, the pumps in RHR Loop A operated for a total of 21 minutes and 28 seconds with flow less than 2,731 gallons per minute.

Running the pumps at less than “minimum” flow introduced the potential for their having been damaged by overheating. Workers undertook several steps to determine whether damage had occurred. Considerable data is collected during periodic testing of the RHR pumps (as suggested by the fact it was known that the longest a pump ran without its minimum flow line was 2 minutes and 18 seconds). Workers reviewed data such as differential pressures and vibration levels from tests over the prior two years and found that current pump performance was unchanged from performance prior to the fall 2016 refueling outage.

Workers also calculated how long it would take a RHR pump to operate before becoming damaged. They estimated that time to be 32 minutes. To double-check their work, a consulting firm was hired to independently answer the same question. The consultant concluded that it would take an hour for an RHR pump to become damaged. (The 28 minute difference between the two calculations was likely due to the workers onsite making conservative assumptions that the more detailed analysis was able to reduce. But it’s a difference without distinction—both calculations yield ample margin to the total time the RHR pumps ran.)

The testing and analysis clearly indicate that the RHR pumps were not damaged by their operating during the 89-plus days their minimum flow lines were unavailable.

The Potential Consequences  

The RHR system can perform a variety of safety functions. If the largest pipe connected to the reactor vessel were two rupture, the two pumps in either RHR Loop are designed to provide more than sufficient makeup flow to refill the reactor vessel before the reactor core overheats.

The RHR system has high capacity, low head pumps. This means the pumps supply a lot of water (many thousands of gallons each minute) but at a low pressure. The RHR pumps deliver water at roughly one-third of the normal operating pressure inside the reactor vessel. When small or medium-sized pipes ruptured, cooling water drains out but the reactor vessel pressure takes longer to drop below the point where the RHR pumps can supply makeup flow. During such an accident, the RHR pumps will automatically start but will send water through the minimum flow lines until reactor vessel pressures drops low enough. The closure of valves V-58 and V-60 could have resulted in RHR Pumps A and C being disabled by overheating about an hour into an accident.

Had RHR Pumps B and D remained available, their loss would have been inconsequential. Had RHR Pumps B and D been unavailable (such as due to failure of the emergency diesel generator that supplies them electricity), the headline could have been far worse.

NRC Sanctions

The NRC’s special inspection team identified the following two apparent violations of regulatory requirements, both classified as Green in the agency’s Green, White, Yellow and Red classification system:

  • Exceeding the allowed outage time in the operating license for RHR Loop A being inoperable. The operating license permitted Cooper to run for up to 7 days with one RHR loop unavailable, but the reactor operated far longer than that period with the mis-positioned valves.
  • Failure to implement an adequate procedure to control equipment. Workers used a procedure every quarter to check sealed valves. But the guidance in that procedure was not clear enough to ensure workers verified both that a valve was sealed and that it was in the correct position.

UCS Perspective

This near-miss illustrates the virtues, and limitations, of the defense-in-depth approach to nuclear safety.

The maintenance procedure directed operators to re-open valves V-58 and V-60 when the work on RHR Loop A was completed.

While quite explicit, that procedure step alone was not deemed reliable enough. So, the maintenance procedure required a second operator to independently verify that the valves had been re-opened.

While the backup measure was also explicit, it was not considered an absolute check. So, another procedure required each sealed valves to be verified every quarter.

It would have been good had the first quarterly check identified the mis-positioned valves.

It would have been better had the independent verifier found the mis-positioned valves.

It would have best had the operator re-opened the valves as instructed.

But because no single barrier is 100% reliable, multiple barriers are employed. In this case, the third barrier detected and corrected a problem before it could be contribute to a really bad day at the nuclear plant.

Defense-in-depth also accounts for the NRC’s levying two Green findings instead of imposing harsher sanctions. The RHR system performs many safety roles in mitigating accidents. The mis-positioned valves impaired, but did not incapacitate, one of two RHR loops. That impairment could have prevented one RHR loop from successfully performing its necessary safety function during some, but not all, credible accident scenarios. Even had the impairment taken RHR Loop A out of the game, other players on the Emergency Core Cooling System team at Cooper could have stepped in.

Had the mis-positioned valves left Cooper with a shorter list of “what ifs” that needed to line up to cause disaster or with significantly fewer options available to mitigate an accident, the NRC’s sanctions would have been more severe. The Green findings are sufficient in this case to remind Cooper’s owner, and other nuclear plant owners, of the importance of complying with safety regulations.

Accidents certainly reveal lessons that can be learned to lessen the chances of another accident. Near-misses like this one also reveal lessons of equal value, but at a cheaper price.

Turkey Point: Fire and Explosion at the Nuclear Plant

The Florida Power & Light Company’s Turkey Point Nuclear Generating Station about 20 miles south of Miami has two Westinghouse pressurized water reactors that began operating in the early 1970s. Built next to two fossil-fired generating units, Units 3 and 4 each add about 875 megawatts of nuclear-generated electricity to the power grid.

Both reactors hummed along at full power on the morning of Saturday, March 18, 2017, when problems arose.

The Event

At 11:07 am, a high energy arc flash (HEAF) in Cubicle 3AA06 of safety-related Bus 3A ignited a fire and caused an explosion. The explosion inside the small concrete-wall room (called Switchgear Room 3A) injured a worker and blew open Fire Door D070-3 into the adjacent room housing the safety-related Bus 3B (called Switchgear Room 3B.)

A second later, the Unit 3 reactor automatically tripped when Reactor Coolant Pump 3A stopped running. This motor-driven pump received its electrical power from Bus 3A. The HEAF event damaged Bus 3A, causing the reactor coolant pump to trip on under-voltage (i.e., less than the desired voltage of 4,160 volts.) The pump’s trip triggered the insertion of all control rods into the reactor core, terminating the nuclear chain reaction.

Another second later and Reactor Coolant Pumps 3B and 3C also stopped running. These motor-driven pumps received electricity from Bus 3B. The HEAF event should have been isolated to the Switchgear Room 3A, but the force of the explosion blew open the connecting fire door, allowing Bus 3B to also be affected. Reactor Coolant Pumps 3B and 3C tripped on under-frequency (i.e., alternating current electricity at too much less than the desired 60 cycles per second). Each Turkey Point unit has three Reactor Coolant Pumps that force the flow of water through the reactor core, out the reactor vessel to the steam generators where heat gets transferred to a secondary loop of water, and then back to the reactor vessel. With all three pumps turned off, the reactor core would be cooled by natural circulation. Natural circulation can remove small amounts of heat, but not larger amounts; hence, the reactor automatically shuts down when even one of its three Reactor Coolant Pumps is not running.

At shortly before 11:09 am, the operators in the control room received word about a fire in Switchgear Room 3A and the injured worker. The operators dispatched the plant’s fire brigade to the area. At 11:19 am, the operators declared an emergency due to a “Fire or Explosion Affecting the Operability of Plant Systems Required to Establish or Maintain Safe Shutdown.”

At 11:30 am, the fire brigade reported to the control room operators that there was no fire in either Switchgear Room 3A or 3B.

Complication #1

The Switchgear Building is shown on the right end of the Unit 3 turbine building. Switchgear Rooms 3A and 3B are located adjacent to each other within the Switchgear Building. The safety-related buses inside these rooms take 4,160 volt electricity from the main generator, the offsite power grid, or an EDG and supply it to safety equipment needed to protect workers and the public from transients and accidents. Buses 3A and 3B are fully redundant; either can power enough safety equipment to mitigate accidents.

Fig. 1 (Source: Nuclear Regulatory Commission)

To guard against a single file disabling both Bus 3A and Bus 3B despite their proximity, each switchgear room is designed as a 3-hour fire barrier. The floor, walls, and ceiling of the room are made from reinforced concrete. The opening between the rooms has a normally closed door with a 3-hour fire resistance rating.

Current regulatory requirements do not require the room to have blast resistant fire doors, unless the doors are within 3 feet of a potential explosive hazard. (I could give you three guesses why all the values are 3’s, but a correct guess would divulge one-third of nuclear power’s secrets.) Cubicle 3AA06 that experienced the HEAF event was 14.5 feet from the door.

Fire Door D070-3, presumably unaware that it was well outside the 3-feet danger zone, was blown open by the HEAF event. The opened door created the potential for one fire to disable Buses 3A and 3B, plunging the site into a station blackout. Fukushima reminded the world why it is best to stay out of the station blackout pool.

Complication #2

The HEAF event activated all eleven fire detectors in Switchgear Room 3A and activated both of the very early warning fire detectors in Switchgear Room 3B. Activation of these detectors sounded alarms at Fire Alarm Control Panel 3C286, which the operators acknowledged. These detectors comprise part of the plant’s fire detection and suppression systems intended to extinguish fires before they cause enough damage to undermine nuclear safety margins.

But workers failed to reset the detectors and restore them to service until 62 hours later. Bus 3B provided the only source of electricity to safety equipment after Bus 3A was damaged by the HEAF event. The plant’s fire protection program required that Switchgear Room 3B be protected by the full array of fire detectors or by a continuous fire watch (i.e., workers assigned to the area to immediately report signs of smoke or fire to the control room.) The fire detectors were out-of-service for 62 hours after the HEAF event and the continuous fire watches were put in place late.

Workers were in Switchgear Room 3B for nearly four hours after the HEAF event performing tasks like smoke removal. But a continuous fire watch was not posted after they left the area until 1:15 pm on March 19, the day following the HEAF event. And these workers were placed in Switchgear Room 3A, not in Switchgear Room 3B housing the bus that needed to be protected.

Had a fire started in Switchgear Room 3B, neither the installed fire detectors nor the human fire detectors would have alerted control room operators. The lights going out on Broadway, or whatever they call the main avenue at Turkey Point, might have been their first indication.

Complication #3

At 12:30 pm on March 18, workers informed the control room operators that the HEAF event damaged Bus 3A such that it could not be re-energized until repairs were completed. Bus 3A provided power to Reactor Coolant Pump 3A and to other safety equipment like the ventilation fan for the room containing Emergency Diesel Generator (EDG) 3A. Due to the loss of power to the room’s ventilation fan, the operators immediately declared EDG 3A inoperable.

EDGs 3A and 3B are the onsite backup sources of electrical power for safety equipment. When the reactor is operating, the equipment is powered by electricity produced by the main generator as shown by the green line in Figure 2. When the reactor is not operating, electricity from the offsite power grid flows in through transformers and Bus 3A to the equipment as indicated by the blue line in Figure 2. When under-voltage or under-frequency is detected on their respective bus, EDG 3A and 3B will automatically start and connect to the bus to supply electricity for the equipment as shown by the red line in Figure 2.

Fig. 2 (Source: Nuclear Regulatory Commission with colors added by UCS)

Very shortly after the HEAF event, EDG 3A automatically started due to under-voltage on Bus 3A. But protective relays detected a fault on Bus 3A and prevented electrical breakers from closing to connect EDG 3A to Bus 3A. EDG 3A was operating, but disconnected from Bus 3A, when the operators declared it inoperable at 12:30 pm due to loss of the ventilation fan for its room.

But the operators allowed “inoperable” EDG 3A to continue operating until 1:32 pm. Given that (a) its ventilation fan was not functioning, and (b) it was not even connected to Bus 3A, they should not have permitted this inoperable EDG from operating for over an hour.

Complication #4

A few hours before the HEAF event on Unit 3, workers removed High Head Safety Injection (HHSI) pumps 4A and 4B from service for maintenance. The HHSI pumps are designed to transfer makeup water from the Refueling Water Storage Tank (RWST) to the reactor vessel during accidents that drain cooling water from the vessel. Each unit has two HHSI pumps; only one HHSI pump needs to function in order to provide adequate reactor cooling until the pressure inside the reactor vessel drops low enough to permit the Low Head Safety Injection pumps to take over.

On the day before, workers found a small leak from a small test line downstream of the common pipe for the recirculation lines of HHSI Pumps 4A and 4B (circled in orange in Figure 3). The repair work was estimated to take 18 hours. Both pumps had to be isolated in order for workers to repair the leaking section.

Pipes cross-connect the HHSI systems for Units 3 and 4 such that HHSI Pumps 3A and 3B (circled in purple in Figure 3) could supply makeup cooling water to the Unit 4 reactor vessel when HHSI Pumps 4A and 4B were removed from service. The operating license allowed Unit 4 to continue running for up to 72 hours in this configuration.

Fig. 3 (Source: Nuclear Regulatory Commission with colors added by UCS)

Before removing HHSI Pumps 4A and 4B from service, operators took steps to protect HHSI Pumps 3A and 3B by further restricting access to the rooms housing them and posting caution signs at the electrical breakers supplying electricity to these motor-driven pumps.

But operators did not protect Buses 3A and 3B that provide power to HHSI Pumps 3A and 3B respectively. Instead, they authorized work to be performed in Switchgear Room 3A that caused the HEAF event.

The owner uses a computer program to characterize risk of actual and proposed plant operating configurations. Workers can enter components that are broken and/or out of service for maintenance and the program bins the associated risk into one of three color bands: green, yellow, and red in order of increasing risk. With only HHSI Pumps 4A and 4B out of service, the program determined the risk for Units 3 and 4 to be in the green range. After the HEAF event disabled HHSI Pump 3A, the program determined that the risk for Unit 4 increased to nearly the green/yellow threshold while the risk for Unit 3 moved solidly into the red band.

The Cause(s)

On the morning of Saturday, March 18, 2017, workers were wrapping a fire-retardant material called Thermo-Lag around electrical cabling in the room housing Bus 3A. Meshing made from carbon fibers was installed to connect sections of Thermal-Lag around the cabling for a tight fit. To minimize the amount of debris created in the room, workers cut the Thermal-Lag material to the desired lengths at a location outside the room about 15 feet away. But they cut and trimmed the carbon fiber mesh to size inside the room.

Bus 3A is essentially the nuclear-sized equivalent of a home’s breaker panel. Open the panel and one can open a breaker to stop the flow of electricity through that electrical circuit within the house. Bus 3A is a large metal cabinet. The cabinet is made up of many cubicles housing the electrical breakers controlling the supply of electricity to the bus and the flow of electricity to components powered by the bus. Because energized electrical cables and components emit heat, the metal doors of the cubicles often have louvers to let hot air escape.

The louvers also allow dust and small airborne debris (like pieces of carbon fiber) to enter the cubicles. The violence of the HEAF event (a.k.a. the explosion) destroyed some of the evidence at the scene, but carbon fiber pieces were found inside the cubicle where the HEAF occurred.  The carbon fiber was conductive, meaning that it could transport electrical current. Carbon fiber pieces inside the cubicle, according to the NRC, “may have played a significant factor in the resulting bus failure.”

Further evidence inside the cubicle revealed that the bolts for the connection of the “C” phase to the bottom of the panel had been installed backwards. These backwards bolts were the spot where high-energy electrical current flashed over, or arced, to the metal cabinet.

As odd as it seems, installing fire retardant materials intended to lessen the chances that a single fire compromises both electrical safety systems started a fire that compromised both electrical safety systems.

The Precursor Events (and LEAF)

On February 2, 2017, three electrical breakers unexpectedly tripped open while workers were cleaning up after removing and replacing thermal insulation in the new electrical equipment room.

On February 8, 2017, “A loud bang and possible flash were reported to have occurred” in the new electrical equipment room as workers were cutting and installing Thermo-Lag. Two electrical breakers unexpectedly tripped open. The equipment involved used 480 volts or less, making this a low energy arc fault (LEAF) event.

NRC Sanctions

The NRC dispatched a special inspection team to investigate the causes and corrective actions of this HEAF event. The NRC team identified the following apparent violations of regulatory requirements that the agency is processing to determine the associated severity levels of any applicable sanctions:

  • Failure to establish proper fire detection capability in the area following the HEAF event.
  • Failure to properly manage risk by allowing HHSI Pumps 4A and 4B to be removed from service and then allowing work inside the room housing Bus 3A.
  • Failure to implement effective Foreign Material Exclusion measures inside the room housing Bus 3A that enabled conductive particles to enter energized cubicles.
  • Failure to provide adequate design control in that equipment installed inside Cubicle 3AA06 did not conform to vendor drawings or engineering calculations.

UCS Perspective

This event illustrates both the lessons learned and the lessons unlearned from the fire at the Browns Ferry Nuclear Plant in Alabama that happened almost exactly 42 years earlier. The lesson learned was that a single fire could disable primary safety systems and their backups.

The NRC adopted regulations in 1980 intended to lessen the chances that one fire could wreak so much damage. The NRC found in the late 1990s that most of the nation’s nuclear power reactors, including those at Browns Ferry, did not comply with these fire protection regulations. The NRC amended its regulations in 2004 giving plant owners an alternative means for managing the fire hazard risk. Workers were installing fire protection devices at Turkey Point in March 2017 seeking to achieve compliance with the 2004 regulations because the plant never complied with the 1980 regulations.

The unlearned lesson involved sheer and utter failures to take steps after small miscues to prevent a bigger miscue from happening. The fire at Browns Ferry was started by a worker using a lit candle to check for air leaking around sealed wall penetrations. The candle’s flame ignited the highly flammable sealant material. The fire ultimately damaged cables for all the emergency core cooling systems on Unit 1and most of those systems on Unit 2. Candles had routinely been used at Browns Ferry and other nuclear power plants to check for air leaks. Small fires had been started, but had always been extinguished before causing much damage. So, the unsafe and unsound practice was continued until it very nearly caused two reactors to meltdown. Then and only then did the nuclear industry change to a method that did not stick open flames next to highly flammable materials to see if air flow caused the flames to flicker.

Workers at Turkey Point were installing fire retardant materials around cabling. They cut some material in the vicinity of its application. On two occasions in February 2017, small debris caused electrical breakers to trip open unexpectedly. But they continued the unsafe and unsound practice until it caused a fire and explosion the following month that injured a worker and risked putting the reactor into a station blackout event. Then and only then did the plant owner find a better way to cut and install the material. That must have been one of the easiest searches in nuclear history.

The NRC – Ahead of this HEAF Curveball

The NRC and its international regulatory counterparts have been concerned about HEAF events in recent years. During the past two annual Regulatory Information Conferences (RICs), the NRC conducted sessions about fire protection research that covered HEAF. For example, the 2016 RIC included presentations from the Japanese and American regulators about HEAF. These presentations included videos of HEAF events conducted under lab conditions. The 2017 RIC included presentations about HEAF by the German and American regulators. Ironically, the HEAF event at Turkey Point occurred just a few days after the 2017 RIC session.

HEAF events were not fully appreciated when regulations were developed and plants were designed and built. The cooperative international research efforts are defining HEAF events faster than could be accomplished by any country alone. The research is defining factors that affect the chances and consequences of HEAF events. For example, the research indicates that the presence of aluminum, like in cable trays holding the energized electrical cables, can be ignited during a HEAF event, significantly adding to the magnitude and duration of the event.

As HEAF research defined risk factors, the NRC has been working with nuclear industry representatives to better understand the role these factors may play across the US fleet of reactors. For example, the NRC recently obtained a list of aluminum usage around high voltage electrical equipment.

The NRC needs to understand HEAF factors as fully as practical before it can determine if additional measures are needed to manage the risk. The NRC is also collecting information about potential HEAF vulnerabilities. Collectively, these efforts should enable the NRC to identify any nuclear safety problems posed by HEAF events and to implement a triaged plan that resolves the biggest vulnerabilities sooner rather than later.

Historic Treaty Makes Nuclear Weapons Illegal

Remember this day, July 7, 2017. Today, history was made at the United Nations and the nuclear status quo was put on notice and most of the world stood up and said simply, “Enough.”

(Source: United Nations)

Just hours ago, 122 nations and a dedicated group of global campaigners successfully adopted a legally binding international treaty prohibiting nuclear weapons and making it illegal “to develop, test, produce, manufacture, otherwise acquire, possess or stockpile nuclear weapons or other nuclear explosive devices.” Nuclear weapons now join biological and chemical weapons, land mines and cluster munitions that are now explicitly and completely banned under international law.

Our heartfelt gratitude to all who worked tirelessly to make this moment possible, including the International Campaign to Abolish Nuclear Weapons (ICAN), Reaching Critical Will, the governments of Norway, Mexico and Austria (which hosted three international conferences on the Humanitarian Consequences of Nuclear Weapons which inspired this effort) and so many other nations, civil society organizations, scientists, doctors & other public health professionals and global citizens/activists.

This is a powerful expression of conscience and principle on behalf of humanity from 63 percent of the 193 UN member states—one anchored in the simple truth that nuclear weapons are illegitimate instruments of security. ICAN lays out the imperative quite well:

“Nuclear weapons are the most destructive, inhumane and indiscriminate weapons ever created. Both in the scale of the devastation they cause, and in their uniquely persistent, spreading, genetically damaging radioactive fallout, they are unlike any other weapons. They are a threat to human survival.”

Challenging the status quo is at the heart of most successful mass movements for social and planetary progress. Those who benefit from the status quo never give up easily. Movements to end slavery, give women the right to vote, establish marriage equality in the United States and other examples of momentous social change were first bitterly opposed and derided by opponents as naïve, wrong, out of touch, costly, unachievable, etc.

Nuclear weapons are no different. The United States, Russia and other nuclear-armed and nuclear “umbrella” states chose not to participate in these ban treaty negotiations, and dismissed it outright. Indeed, senior officials in the Obama administration spent years doing verbal gymnastics to align the rhetoric of the president who stood up in Prague pledging to work toward “the peace and security of a world free of nuclear weapons” with outright hostility to the ban treaty. To no one’s surprise, the Trump administration has embraced the Obama administration’s plans to perpetuate the nuclear status quo and has forfeited any role or leadership in this critical discussion.

And don’t even get me started about all of the Washington insiders who believe nuclear deterrence will never fail and we can rely on the sound judgement of a small number of people (most of them men) to prevent global nuclear catastrophe.

The ban treaty effort is meant to provide renewed energy and momentum to the moribund global nuclear disarmament process. It is intended to be a prod to the nuclear-armed signatories of the Nuclear Non-Proliferation Treaty (NPT), which have largely ignored their obligation to pursue nuclear disarmament. It will help revive the NPT and the UN’s Conference on Disarmament, not replace them.

Indeed, most of the world has run out of patience and today they spoke loudly. The treaty will be open for signature in September and one can only hope that this is a true turning point in our effort to save humanity from these most horrible of all weapons.

Reentry Heating from North Korea’s July 4 Missile Test

In a previous post, I estimated what North Korea could have learned from its May 14 Hwasong-12 missile test that is relevant to developing a reentry vehicle (RV) for a longer range missile.

I’ve updated the numbers in that post for the July 4 missile test (Table 1). In particular, I compare several measures of the heating experienced by the RV on the July 4 test to what would be experienced by the same RV on a 10,000 km-range missile on a standard trajectory (MET).

Table 1. A comparison of RV heating on the July 4 test and on a 10,000 km-range trajectory, assuming both missiles have the same RV and payload. A discussion of these quantities can be found in the earlier post.

The numbers in Table 1 are very nearly the same as those for the May 14 test, which means this test would give only a marginal amount of new information.

The maximum heating rate (q) would be essentially the same for the two trajectories. However, the total heat absorbed (Q) by the 10,000 km missile would be 60% larger and the duration of heating (τ) would be more than two and a half times as long.

In its statement after the July 4 test, North Korea said:

the inner temperature of the warhead tip was maintained at 25 to 45 degrees centigrade despite the harsh atmospheric reentry conditions of having to face the heat reaching thousands of degrees centigrade

While this may be true, the additional heat that would be absorbed on a 10,000 km trajectory and the longer time available for that heat to conduct to the interior of the RV means that this test did not replicate the heating environment a 10,000 km-range missile would have to withstand. The heat shield may in fact be sufficient to protect the warhead, but this test does not conclusively demonstrate that.

Nuclear Regulatory Commission: Contradictory Decisions Undermine Nuclear Safety

As described in a recent All Things Nuclear commentary, one of the two emergency diesel generators (EDGs) for the Unit 3 reactor at the Palo Verde Nuclear Generation Station in Arizona was severely damaged during a test run on December 15, 2016. The operating license issued by the Nuclear Regulatory Commission (NRC) allowed the reactor to continue running for up to 10 days with one EDG out of service. Because the extensive damage required far longer than the 10 days provided in the operating license to repair, the owner asked the NRC for permission to continue operating Unit 3 for up to 62 days with only one EDG available. The NRC approved that request on January 4, 2017.

The NRC’s approval contradicted four other agency decisions on virtually the same issue.

Two of the four decisions also involved the Palo Verde reactors, so it’s not a case of the underlying requirements varying. And one of the four decisions was made afterwards, so it’s not a case of the underlying requirements changing over time. UCS requested that Hubert Bell, the NRC’s Inspector General, have his office investigate these five NRC decisions to determine whether they are consistent with regulations, policies, and practices and, if not, identify gaps that the NRC staff needs to close in order to make better decisions more often in the future.

Emergency Diesel Generator Safety Role

NRC’s safety regulations, specifically General Design Criteria 34 and 35 in Appendix A to 10 CFR Part 50, require that nuclear power reactors be designed to protect the public from postulated accidents such as the rupture of the largest diameter pipe connected to the reactor vessel that causes cooling water to rapidly drain away and impedes the flow of makeup cooling water. For reliability, an array of redundant emergency pumps—most powered by electricity but a few steam-driven—are installed. Reliability also requires redundant sources of electricity for these emergency pumps. At least two transmission lines must connect the reactor to its offsite electrical power grid and at least two onsite source of backup electrical power must be provided.  Emergency diesel generators are the onsite backup power sources at every U.S. nuclear power plant except one (Oconee in South Carolina which relies on backup power from generators at a nearby hydroelectric dam).

Because, as the March 2011 earthquake in Japan demonstrated at Fukushima, all of the multiple connections to the offsite power grid could be disabled for the same reason, the NRC’s safety regulations require that postulated accidents be mitigated relying solely on emergency equipment powered from the onsite backup power sources. If electricity from the offsite power grid is available, workers are encouraged to use it. But the reactor must be designed to cope with accidents assuming that offsite power is not available.

The NRC’s safety regulations further require that reactors cope with postulated accidents assuming offsite power is not available and that one additional safety system malfunction or single operator mistake impairs the response. This single failure provision is the reason that Palo Verde and other U.S. nuclear power reactors have two or more EDGs per reactor.

Should a pipe connected to the reactor vessel break when offsite power is unavailable and a single failure disables one EDG, the remaining EDG(s) are designed to automatically startup and connect to in-plant electrical circuit within seconds. The array of motor-driven emergency pumps are then designed to automatically start and begin supplying makeup cooling water to the reactor vessel within a few more seconds. Computer studies are run to confirm that sufficient makeup flow is provided in time to prevent the reactor core from getting overheated and damaged.

Palo Verde: 62-Day EDG Outage Time Basis

In the safety evaluation issued with the January 4, 2017, amendment, the NRC staff wrote “Offsite power sources, and one train of onsite power source would continue to be available for the scenario of a loss-of-coolant-accident.” That statement contradicted NRC’s statements previously made about Palo Verde and DC Cook and subsequently made about the regulations themselves. Futhermore, this statement pretended that the regulations in General Design Criteria 34 and 35 simply do not exist.

Palo Verde: 2006 Precedent

On December 5, 2006, the NRC issued an amendment to the operating licenses for Palo Verde Units 1, 2, and 3 extending the EDG allowed outage time to 10 days from its original 72 hour limit. In the safety evaluation issued for this 2006 amendment, the NRC staff explicitly linked the reactor’s response to a loss of coolant accident with concurrent loss of offsite power:

During plant operation with both EDGs operable, if a LOOP [loss of offsite power] occurs, the ESF [engineered safeguards or emergency system] electrical loads are automatically and sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a design-basis accident (DBA) such as a loss-of-coolant accident (LOCA).

Palo Verde: 2007 Precedent

On February 21, 2007, the NRC issued a White inspection finding for one of the EDGs on Palo Verde Unit 3 being non-functional for 18 days while the reactor operated (exceeding the 10 day allowed outage time provided by the December 2006 amendment.) The NRC determined the EDG impairment actually existed for a total of 58 days. The affected EDG was successfully tested 40 days into that period. Workers discovered a faulty part in the EDG 18 days later. The NRC assumed the EDG was non-functional between its last successful test run and replacement of the faulty part. Originally, the NRC staff estimated that the affected EDG has a 75 percent chance of successfully starting during the initial 40 days and a 0 percent chance of successfully starting during the final 18 days. Based on those assumptions, the NRC determined the risk to approach the White/Yellow inspection finding threshold. The owner contested the NRC’s preliminary assessment. The NRC’s final assessment and associated White inspection finding only considered the EDG’s unavailability during the final 18 days.

Fig. 1 (Source: NRC)

Somehow, the same NRC that estimated a risk rising to the White level for an EDG being unavailable for 18 days and a risk rising to the White/Yellow level for an additional 40 days of the EDG being impaired by 25 percent concluded that an EDG being unavailable for 62 days now had risk of Green or less. The inconsistency makes no sense. And it makes little safety.

DC Cook: 2015 Precedent

One of the two EDGs for the Unit 1 reactor at the DC Cook nuclear plant in Michigan was severely damaged during a test run on May 21, 2015. The owner applied to the NRC for a one-time amendment to the operating license to allow the reactor to continue running for up to 65 days while the EDG was repaired and restored to service.

The NRC asked the owner how the reactor would respond to a loss of coolant accident with a concurrent loss of offsite power and the single failure of the remaining EDG. In other words, the NRC asked how the reactor would comply with federal safety regulations.

The owner shut down the Unit 1 reactor and restarted it on July 29, 2015, after repairing its broken EDG.

Rulemaking: 2017 Subsequent

On January 26, 2017, the NRC staff asked their Chairman and Commissioners for permission to terminate a rulemaking effort initiated in 2008 seeking to revise federal regulations to decouple LOOP from LOCA. The NRC staff explained that their work to date had identified numerous safety issues about decoupling LOOP from LOCA. Rather than put words in the NRC’s mouth, I’ll quote from the NRC staff’s paper: “The NRC staff determined that these issues would need to be adequately addressed in order to complete a regulatory basis that could support a proposed LOOP/LOCA rulemaking. To complete a fully developed regulatory basis for the LOOP/LOCA rulemaking, the NRC staff would need to ensure that these areas of uncertainty are adequately addressed as part of the rulemaking activity.”

It’s baffling how the numerous issues that had to be resolved before the NRC staff could complete a regulatory basis for the LOOP/LOCA rulemaking would not also have to resolved before the NRC would approve running a reactor for months assuming that a LOOP/LOCA could not occur.

4 out of 5 Ain’t Safe Enough

In deciding whether a loss of offsite power event could be unlinked from a postulated loss of coolant accident, the NRC answered “no” four out of five times.

Fig. 2 (Source: UCS)

Four out of five may be enough when it comes to dentists who recommend sugarless gum, but it’s not nearly save enough when the lives of millions of Americans are at stake.

We are hopeful that the Inspector General will help the NRC do better in the future.

North Korea Appears to Launch Missile with 6,700 km Range

Current reports of North Korea’s July 4 missile test say the missile had a range of “more that 930 km” (580 miles), and flew for 37 minutes (according to US Pacific Command).

A missile of that range would need to fly on a very highly lofted trajectory to have such a long flight time.

Assuming a range of 950 km, then a flight time of 37 minutes would require it to reach a maximum altitude of more than 2,800 km (1700 miles).

So if the reports are correct, that same missile could reach a maximum range of roughly 6,700 km (4,160 miles) on a standard trajectory.

That range would not be enough to reach the lower 48 states or the large islands of Hawaii, but would allow it to reach all of Alaska.

There is not enough information yet to determine whether this launch could be done with a modified version of the Hwasong-12 missile that was launched on May 14.

Trump Administration Blocks Government Scientists from Attending International Meeting on Nuclear Power

The Trump administration has barred the participation of US government technical experts on nuclear energy from attending a major international conference in Russia.The conference, co-sponsored by the International Atomic Energy Agency (IAEA) and ROSATOM, the Russia state atomic energy corporation, began today in the city of Ekaterinburg.

Preventing US government scientists from delivering scheduled talks at an IAEA conference is highly unusual. This decision is apparently a consequence of the deteriorating relationship between the US and Russia. I learned about this when I arrived at the conference today to find that I was one of only a handful of US participants, out of several hundred attendees.

With so many communication channels between the U.S. and Russia now cut off, it is essential to preserve scientific cooperation in areas where there is common ground between the two countries. The Trump administration’s action is inconsistent with this goal.

Tillerson, Mattis and the Chinese

Rex Tillerson and James Mattis are talking to their Chinese counterparts. The conversation is just getting started but it appears to be constructive. Their remarks to the press after a recent meeting in Washington with State Councilor Yang Jiechi and General Fang Fenghui should calm Asian fears about potentially destabilizing changes to US policy in the region.

US Secretary of State Rex Tillerson and US Secretary of State James Mattis meet with Chinese State Councillor Yang Jiechi and General Fang Fenghui, Chief of the General Staff of China’s People’s Liberation Army in Washington on 21 June 2017.

No Panic on North Korea

Mattis addressed concerns about North Korea’s nuclear program by reminding reporters that, “China’s end state on the Korean Peninsula in terms of nuclear weapons is the same as ours, and we continue to work towards that end state.”  Tillerson added that the United States and China “affirmed our strong commitment to cooperate, including through the UN, to realize our shared goal of denuclearization of the Korean Peninsula.”

China’s People’s Daily emphasized the need for “continued peace and stability” on the Korean penninsula and “resolving problems through negotiations.” It highlighted a proposal to reconstitute diplomatic talks around a “joint freeze” that would require the United States and its regional allies to stop regular military exercises in return for a halt in North Korean nuclear and missile tests.

Tillerson responded cooly to the “joint freeze” proposal, noting that the United States “will continue to take necessary measures to defend ourselves and our allies.”

Preserving Strategic Stability

The former Exxon executive reiterated his desire to focus on the long-term. He wants to use the new dialogues with China to redefine “how we’re going to engage and how we’re going to live with one another over the next 40 years.” Tillerson announced that “US and Chinese civilian and military teams” will “start discussions in new areas of strategic concern like space, cyberspace, nuclear forces, and nonproliferation issues.”

If those discussions do indeed take place it would represent a significant step forward in US and Chinese efforts to manage technologies both sides see as potent sources of military advantage that could undermine strategic stability.

The People’s Daily, which is owned and operated by the Chinese Communist Party, focused its description of the talks on the issues that could lead to a military conflict rather than the weapons that might be used after it starts. It reported that “the American side indicated the US government adheres to pursuing the one-China policy, that the United States recognizes Tibet is a part of China and that it does not support activities to divide or break up China.”

Neither Tillerson nor Mattis specifically mentioned Taiwan or Tibet, although Tillerson did resurrect  traditional US talking points on China’s on human rights record.

Thucydides Trappings

Politico reported that the Secretary of Defense, the National Security Adviser and other senior members of the Trump administration are turning to the ancient Greeks for guidance on US-China policy. Hopefully, the impetus is a desire to avoid war, but history buffs with a fixation on the rise and fall of nations can have other motivations. Mattis told the press that “while competition between our nations is bound to occur, conflict is not inevitable.” Steve Bannon, on the other hand, may believe that if the United States and China are destined for war, as Harvard’s Graham Allison suggests, history may hold the key to US victory.

Ancient wisdom is not always the best answer to contemporary problems. The marriage counselor who sends his patients to Plato’s Phaedrus to discover the true meaning of human love is less apt to be successful than the one who helps troubled couples talk through the arguments that drove them apart. Tillerson and Mattis may find it more helpful to review the unsettled history of the US government’s relationship with the Chinese Communist Party than to look for the true cause of human conflict in The History of the Peloponnesian War.

Productive leaders tend to be more interested in the promise of the future than the problems of the past.  A dialogue that begins with a frank airing of old grievances can be cathartic. Skilled negotiators can use it to help build trust, encourage compromise and facilitate cooperation. Tillerson’s focus on the next forty years of the US-China relationship is encouraging and unsurprisingly businesslike.

For now, at least, Asia can rest a little easier knowing the governments of the United States and China are willing and able to talk constructively.

The Case of the Missing Numbers

Good performance requires good long-term planning. For federal agencies like the National Nuclear Security Administration (NNSA), one of its important functions is preparing its part of the federal government’s annual budget request, which normally includes information on projected budget requirements for future years. This year, not so much.

This is important because the Congress, which has final say on what the government funds, needs to know which programs will require increased funding in the following years. Those numbers give Congress and the public a sense of priorities and long-term planning that informs the annual federal budget process.

For the NNSA, those long-term budget numbers are called the Future-Years Nuclear Security Program, or FYNSP (commonly pronounced  “fin-sip”), and they are so important that they are, in fact, required by Congress.  In a typical budget request, the budget numbers are simply listed as “Outyears” and they are provided both by location—each NNSA facility, including the three nuclear weapons labs—and for each program area and project.

I assume this isn’t why the budget numbers are missing . . .

However, for almost the entire FY 2018 request, the NNSA budget does not provide future year numbers. In particular, for the Weapons Activities programs (as we discussed in The Bad, the FY 2018 requests were substantially more than the Obama administration projected in their FYNSP) there are no such projections at all in this budget. For example, we don’t know how much the NNSA thinks the B61 life extension program will cost in FY 2019-FY2022. That is information that the Congress should have.

(To be fair to the NNSA, the Department of Defense, where the budgets are far, far larger, also did not include outyear budget projections.)

The NNSA FY2018 budget offers an explanation for why there are no outyear budget figures:

Estimates for the FY 2019 – FY 2023 base budget topline for the National Nuclear Security Administration reflect FY 2018 levels inflated by 2.1 percent annually. This outyear topline does not reflect a policy judgement. Instead, the Administration will make a policy judgement on amounts for the National Nuclear Security Administrations’ FY 2019 – FY 2023 topline in the FY 2019 Budget, in accordance with the National Security Strategy and Nuclear Posture Review that are currently under development.

So, the budget doesn’t have projections because the NNSA is awaiting the results of the Pentagon-led Nuclear Posture Review and the Congressionally-mandated National Security Strategy that the Trump administration is conducting.

Frankly, that explanation is not satisfactory. There is almost no chance that the Nuclear Posture Review will decide to abandon most of the programs designed to maintain and improve the weapons in the US nuclear arsenal. And significant changes to the programs that are already underway (updates to the B61, W88, and W76) are highly unlikely because such modifications would inevitably lead to delays that the Pentagon and the NNSA would not support. For example, as mentioned in “The Bad,” NNSA officials have said any delays would affect certification requirements for the B61.

The only exception is the life extension program for the W80, which is intended for use on the proposed new nuclear-armed cruise missile, the Long-Range Standoff weapon, or LRSO. Secretary of Defense Mattis has testified that he is not yet convinced of the case for the LRSO, so there is a possibility that the program could be cancelled. (And it should be.) But even so, the NNSA should be planning as if it will not be, as the adverse impact of cancellation is significantly less than the consequences of undertaking required budget work on a weapon that is later cancelled.

Obama’s First NNSA Budget

For comparison, the Obama administration faced a similar situation when it came to office in 2009. Like the Trump administration, the first budget request, for FY2010, was delivered to Congress later than normal, in May rather than February. The Obama administration was also, like the Trump administration, doing a Nuclear Posture Review and a National Security Strategy. There was also a change in the political party of the President, so one might expect more substantive changes in nuclear weapons policy than if there was continuity in the White House.

Despite those similarities, the Obama administration delivered a FY2010 budget request that included projections for future years. To be fair, the Obama budget also stated that the projections for Weapons Activities were “only a continuation of current capabilities, pending upcoming strategic nuclear policy decisions.” But the budget actually included additional money for a study of the B61 life extension program, along with further increases in later years.

Moreover, the status of Weapons Activities was dramatically different in 2010 than it is now. In 2010, the W76 was the only active life extension program, and it was already in full production. The B61 was still in study phase, and there was no other active work being done on weapons in the stockpile.

Now, in 2017, the NNSA is involved in four major warhead projects simultaneously, three of which are ramping up substantially. The idea that the NNSA is putting the planning efforts for future work on these programs essentially on hold for a year is troubling.

I suspect one important factor leading to the missing future year budgets is the lack of people in place to do the planning. The man in charge of the NNSA is Lt. Gen. Frank Klotz (Air Force, retired), who by all accounts has done an able job running the agency. He is a holdover from the Obama era, and he was not asked by the Trump team to stay on until the very last day of the Obama administration (which he dutifully did). But no other officials have been nominated for any slots, leaving key positions like the deputy administrator empty while other slots have officials serving only in an acting capacity.

Playing with numbers

One small thing flagged but not described in The Good is the level of increases the Trump administration claims for its NNSA budgets compared to the Obama team’s budgets. The Trump budget claims an 11% increase for the NNSA overall, and even higher increases in Weapons Activities—around 15%–where the work on nuclear weapons is funded.

But those increases are in comparison to the final FY2016 budget, not the FY2017 budget. Notably, the FY2018 request only lists the FY2017 numbers that were in place under the Continuing Resolution (CR) that operated for a good portion of the year.

But in fact Congress did pass a final appropriations bill, albeit very far into the 2017 fiscal year, and for the NNSA those numbers were significantly higher than under the CR. If you compare the Trump budget to those figures, the NNSA budget receives an increase of 7%, not 11%, and the budget increase for  Weapons Activities is 11%, not 15%.

Make no mistake, those are still substantial increases (though as mentioned in The Good they are not dramatically more than increases the Obama administration requested and got Congress to support).

But it’s troubling that the Trump budget was presented in a way that makes it look like it has increased NNSA funding more than it actually has. Who is the audience for this charade?

 

Nuclear Leaks: The Back Story the NRC Doesn’t Want You to Know about Palo Verde

As described in a recent All Things Nuclear commentary, one of two emergency diesel generators (EDGs) for the Unit 3 reactor at the Palo Verde Nuclear Generation Station in Arizona was severely damaged during a test run on December 15, 2016. The operating license issued by the Nuclear Regulatory Commission (NRC) allowed the reactor to continue running for up to 10 days with one EDG out of service. Because the extensive damage required far longer than 10 days to repair, the owner asked the NRC for permission to continue operating Unit 3 for up to 62 days with only one EDG available. The NRC approved that request.

Around May 18, 2017, I received an envelope in the mail containing internal NRC documents with the back story for this EDG saga. I submitted a request under the Freedom of Information Act (FOIA) for these materials, but the NRC informed me that they could not release the documents because the matter was still under review by the agency. I asked the NRC’s Office of Public Affairs for a rough estimate of when the agency would conclude its review and release the documents. I was told that their review of the safety issues raised in the documents wasn’t a priority for the NRC and they’d get to it when they got to it.

Well, nuclear safety is a priority for me at UCS. And since I already have the documents, I don’t need to wait for the NRC to get around to concluding its stonewalling— I mean “review”—of the issues.  Here is the back story the NRC does not want you to know about the busted EDG at Palo Verde.

Emergency Diesel Generator Safety Role

The NRC issued the operating license for Palo Verde Unit 3 on November 25, 1987. That initial operating license allowed Unit 3 to continue running for up to 72 hours with one of its two EDGs out of service. Called the “allowable outage time,” the 72 hours balanced the safety need to have a reliable backup power supply with the need to periodically test the EDGs and perform routine maintenance.

The EDGs are among the most important safety equipment at nuclear power plants like Palo Verde. The March 2011 accident at Fukushima Daiichi tragically demonstrated this vital role. A large earthquake knocked out the electrical power grid to which Fukushima Daiichi’s operating reactors were connected. Power was lost to the pumps providing cooling water to the reactor vessels, but the EDGs automatically started and took over this role. About 45 minutes later, a tsunami wave spawned by the earthquake inundated the site and flooded the rooms housing the EDGs. With both the normal and backup power supplies unavailable, workers could only supply makeup cooling water using battery-powered systems and portable generators. They fought a heroic but futile battle and all three reactors operating at the time suffered meltdowns.

More EDG Allowable Outage Time

On December 23, 2005, the owner of Palo Verde submitted a request to the NRC seeking to extend the allowable outage time for an EDG to be out of service to 10 days from 72 hours. Longer EDG allowable outage times were being sought by nuclear plant owners. Originally, nuclear power reactors shut down every year for refueling. The refueling outages provided ample time to conduct the routine testing and inspection tasks required for the EDGs. To boost electrical output (and hence revenue), owners transitioned to only refueling reactors every 18 or 24 months and to shorten the duration of the refueling outages. To facilitate the transitions, more and more testing and inspections previously performed during refueling outages were being conducted with the reactors operating. The argument supporting online maintenance was that while it adversely affected availability (i.e., an EDG was deliberately removed from service for testing and inspecting), the increased reliability (i.e., tests to confirm EDGs were operable were conducted every few weeks instead of spot checks every 18 to 24 months). The NRC approved the amendment to the operating licenses extending the EDG allowable outage times to 10 days on December 5, 2006.

More NRC/Industry Efforts on Allowable Outage Times

While the EDGs have important safety roles to play, they are not the only safety role players. The operating license for a nuclear power reactor covers dozens of components, each with its own allowable outage time. Around the time that longer EDG allowable outage times were sought and obtained at Palo Verde, the nuclear industry and the NRC were working on protocols to make proper decisions about allowable outage times for various safety components. On behalf of the nuclear industry, the Nuclear Energy Institute submitted guidance document NEI 06-09 to the NRC. On May 17, 2007, the NRC issued its safety evaluation report documenting its endorsement of NEI-06-09 along with its qualifications for that endorsement.

To create yet another acronym for no apparent reason, the nuclear industry and NRC conjured up Risk Informed Completion Time (RICT) to use in place of allowable outage time (AOT). The NRC explicitly endorsed a 30-day limit on RICTs (AOTs):

“The RICT is further limited to a deterministic maximum of 30 days (referred to as the backstop CT [completion time] from the time the TS [technical specification or operating license requirement] was first entered.”

The NRC explained why the 30-day maximum limit was necessary:

“The 30-day backstop CT assures that the TS equipment is not out of service for extended periods, and is a reasonable upper limit to permit repairs and restoration of equipment to an operable status.”

NEI 06-09 and the NRC’s safety evaluation applied to all components within a nuclear power reactor’s operating license. The 30-day backstop limit was the longest AOT (RICT) permitted. Shorter RICTs (AOTs) might apply for components with especially vital safety roles.

For example, the NRC established more limiting AOTs (RICTs) for the EDGs. In February 2002, the NRC issued Branch Technical Position 8-8, “Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions.” This Branch Technical Position is part of the NRC’s Standard Review Plan for operating reactors. The Standard Review Plan helps plant owners meet NRC’s expectations and NRC reviewers and inspectors verify that expectations have been met. The Branch Technical Position is quite clear about the EDG allowable outage time limit:

“An EDG or offsite power AOT license amendment of more than 14 days should not be considered by the staff for review.” [underlining in original]

Exceptions and Precedent

Consistent with the “every rule has its exception” cliché, neither the 14-day EDG AOT in NRC Branch Technical Position 8-8 nor the 30-day backstop limit in the NRC’s safety evaluation for NEI 06-09 are considered hard and fast limits. Owners can, and do, request NRC’s permission for longer times under special circumstances.

The owner of the DC Cook nuclear plant in Michigan asked the NRC on May 28, 2015, for permission to operate the Unit 1 reactor for up to 65 days with one of its two EDGs out of service. The operating licensee for Unit 1 already allowed one EDG to be out of service for up to 14 days. During testing of an EDG on May 21, 2015, inadequate lubrication caused one of the bearings to be severely damaged. Repairs were estimated to require 56 days.

The NRC emailed the owner questions about the 65-day EDG AOT on May 28 and May 29. Among the questions asked by the NRC was how Unit 1 would respond to a design basis loss of coolant accident (LOCA) concurrent with a loss of offsite power (LOOP) and a single failure of the only EDG in service. The EDGs are designed to automatically start from the standby mode and deliver electricity to safety components within seconds. This rapid response is needed to ensure the reactor core is cooled should a broken pipe (i.e., LOCA) drain cooling water should electrical power to the makeup pumps not be available (i.e., LOOP). The single failure provision is an inherent element of the redundancy and defense-in-depth approach to nuclear safety.

The NRC did not approve the request for a 65-day EDG AOT for Cook Unit 1.

The NRC did not deny the request either.

On June 1, 2015, the owner formally withdrew its request for the 65-day EDG AOT and shut down the Unit 1 reactor. The Unit 1 reactor was restarted on July 29, 2015.

More on the Back Story

About 18 months after one of two EDGs for the Unit 1 reactor at DC Cook was severely damaged during a test run, one of two EDGs for the Unit 3 reactor at Palo Verde was severely damaged during a test run.

About 18 months after DC Cook’s owner requested permission from the NRC to continue running Unit 1 for up to 65 days with only one EDG in service, Palo Verde’s owner requested permission to continue running Unit 3 for up to 62 days.

About 18 months after the NRC staff asked DC Cook’s owner how Unit 1 would respond to a loss of coolant accident concurrent with a loss of offsite power and failure of the remaining EDG, the NRC staff merely assumed that a loss of coolant accident would not happen during the 62 days that Palo Verde Unit 3 ran with only one EDG in service. Enter the back story as reported by the Arizona Republic.

On December 23, 2016, and January 9, 2017, Differing Professional Opinions (DPOs) were initiated by member(s) of the NRC staff registering formal disagreement with NRC senior management’s plan to allow the 62-day EDG AOT for Palo Verde Unit 3. The initiator(s) checked a box on the DPO form to have the DPO case file be made publicly available (Fig. 1).

Fig. 1 (Source: United States Postal Service)

The DPO initiator(s) allege that the 62-day EDG AOT was approved by the NRC because the agency assumed that a loss of coolant accident simply would not happen. The DPO stated:

“The NRC and licensee ignored the loss of coolant accident (LOCA) consequence element. Longer outage times increase the vulnerability to a design basis accident involving a LOCA with the loss of offsite power (LOOP) event with a failure of Train A equipment.”

Palo Verde has two fully redundant sets of safety equipment, Trains A and B. The broken EDG provided electrical power (when unbroken) to Train B equipment. The 62-day EDG AOT was approved based on workers scurrying about to manually start combustible gas turbines and portable generators to provide electrical power that would otherwise be supplied by EDG 3B. The DPO stated:

“The Train B EDG auto starts and loads all safety equipment in 40 seconds. The manual actions take at least 20 minutes, if not significantly longer.”

Again, the rapid response is required to mitigate a loss of coolant accident that drains water from the reactor vessel. When water does not drain away, it takes time for the reactor core’s decay heat to warm up and boil away the reactor vessel’s water, justifying a slower response time.

The NRC staff considered a loss of coolant accident for the broken EDG at Cook but allegedly dismissed it at Palo Verde. Curious.

The DPO also disparaged the non-routine measures undertaken by the NRC to hide their deliberations from the public:

“The pre-submittal call occurred on a “non-recorded” [telephone] line. The NRC staff debated the merits of the call in a headquarters staff only discussion. Note that the Notice of Enforcement Discretion calls are done on recorded [telephone] lines.”

President Richard Nixon’s downfall occurred when it become known that tape recordings of his impeachable offenses existed. The NRC avoided this trap by deliberately not following their routine practice of recording the telephone discussions. Peachy!

Cognitive Dissonance or Unnatural Selection?

The NRC’s approval of the 62-day EDG AOT for Palo Verde Unit 3 is perplexing, at best.

In the amendment it issued January 4, 2017, approving the extension, the NRC wrote:

“Offsite power sources and one train of onsite power source would continue to be available for the scenario of a loss-of-coolant accident” while EDG 3B was out of service.

In other words, the NRC assumed that loss of offsite power (LOOP) and loss of coolant accident (LOCA) are separate events. The NRC assumed that if a LOCA occurred, electrical power from the offsite grid would enable safety equipment to refill the reactor vessel and prevent meltdown. And the NRC assumed that if a LOOP occurred, a LOCA would not drain water from the reactor vessel, giving workers time to find, deploy, and start up the portable equipment and prevent core overheating.

But in the amendment it issued December 5, 2006, establishing the 10-day EDG AOT, the NRC wrote:

“During plant operation with both EDGs operable, if a LOOP occurs, the ESF [engineered safeguards] electrical loads are automatically and sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a design-basis accident (DBA) such as a loss-of-coolant accident (LOCA).”

In those words, the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.

More importantly, page B 3.8.1-2 of the bases document dated May 12, 2016, for the Palo Verde operating licenses is quite explicit about the LOOP/LOCA relationship:

“In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).”

In those words, the operating licenses issued the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.

So, the NRC either experienced cognitive dissonance in having two opposing viewpoints on the same issue or made the unnatural selection of LOCA without LOOP.

Actions May Speak Louder Than Words, But Inaction Shouts Loudest

Check out this chronology:

  • December 15, 2016: EDG 3B for Palo Verde Unit 3 failed catastrophically during a test run
  • December 21, 2016: Owner requested 21-day EDG AOT
  • December 23 2016: NRC approved 21-day EDG AOT
  • December 23, 2016: DPO submitted opposing 21-day EDG AOT
  • December 30, 2016: Owner requested 62-day EDG AOT
  • January 4, 2017: NRC approved 62-day EDG AOT
  • January 9, 2017: DPO submitted opposing 62-day EDG AOT
  • February 6, 2017: NRC special inspection team arrived at Palo Verde to examine EDG’s failure cause
  • February 10, 2017: NRC special inspection team concluded its onsite examinations
  • April 10, 2017: NRC issued special inspection team report

The NRC jumped through hoops during the Christmas and New Year’s holidays to expeditiously approve a request to allow Unit 3 to continue generating revenue.

The NRC has not yet responded to two DPOs questioning the safety rationale behind the NRC’s approval.

If the NRC really and truly had a solid basis for letting Palo Verde Unit 3 run for so long with only one EDG, they have had plenty of time to address the issues raised in the DPOs. Way more than 62 days, in fact.

William Shakespeare wrote about something rotten in Denmark.

The bard never traveled to Rockville to visit the NRC’s headquarters. Had he done so, he might have discovered that rottenness is not confined to Denmark.

Oyster Creek Reactor: Bad Nuclear Vibrations

The Oyster Creek Nuclear Generating Station near Forked River, New Jersey is the oldest nuclear power plant operating in the United States. It began operating in 1969 around the time Neil Armstrong and Buzz Aldrin were hiking the lunar landscape.

Oyster Creek has a boiling water reactor (BWR) with a Mark I containment design, similar to the Unit 1 reactor at Fukushima Daiichi. Water entering the reactor vessel is heated to the boiling point by the energy released by the nuclear chain reaction within the core (see Figure 1). The steam flows through pipes from the reactor vessel to the turbines. The steam spins the turbines connected to the generator that produces electricity distributed by the offsite power grid. Steam discharged from the turbines flows into the condenser where it is cooled by water drawn from the Atlantic Ocean, or Barnegat Bay. The steam vapor is converted back into liquid form. Condensate and feedwater pumps supply the water collected in the condenser to the reactor vessel to repeat the cycle.

Fig. 1 (Source: Tennessee Valley Authority)

The turbine is actually a set of four turbines—one high pressure turbine (HPT) and three low pressure turbines (LPTs). The steam passes through the high pressure turbine and then enters the moisture separators. The moisture separators remove any water droplets that may have formed during the steam’s passage through the high pressure turbine. The steam leaving the moisture separators then flows in parallel through the three low pressure turbines.

The control system for the turbine uses the speed of the turbine shaft (normally 1,800 revolutions per minute) and the pressure of the steam entering the turbine (typically around 940 pounds per square inch) to regulate the position of control valves (CVs) in the steam pipes to the high pressure turbine. If the turbine speed drops or the inlet pressure rises, the control system opens the control valves a bit to bring these parameters back to their desired values. Conversely, if the turbine speed increases or the inlet pressure drops, the control system signals the control valves to close a tad to restore the proper conditions. It has been said that the turbine is slave to the reactor—if the reactor power level increases or decreases, the turbine control system automatically repositions the control valves to correspond to the changed steam flow rate.

The inlet pressure is monitored by Pressure Transmitters (PT) that send signals to the Electro-Hydraulic Control (EHC) system. The EHC system derives its name from the fact that it uses electrical inputs (e.g, inlet pressure, turbine speed, desired speed, desired inlet pressure, etc.) to regulate the oil pressure in the hydraulic system that positions the valves.

Fig. 2 (Source: Nuclear Regulatory Commission)

Bad Vibrations

In the early morning hours of November 20, 2016, the operators at Oyster Creek were conducting the quarterly test of the turbine control system. With the reactor at 95 percent power, the operator depressed a test pushbutton at 3:26 am per the procedure. The plant’s response was unexpected. The positions of the control valves and bypass valves began opening and closing small amounts causing the reactor pressure to fluctuate. Workers in the turbine building notified the control room operators that the linkages to the valves were vibrating. The operators began reducing the reactor power level in an attempt to stop the vibrations and pressure fluctuations.

The reactor automatically shut down at 3:42 pm from 92 percent power on high neutron flux in the reactor. Workers later found the linkage for control valve #2 had broken due to the vibrations and the linkage for control valve #4 had vibrated loose. The linkages are “mechanical arms” that enable the turbine control system to reposition the valves. The broken and loosened linkages impaired the ability of the control system to properly reposition the valves.

These mechanical malfunctions prevented the EHC system from properly controlling reactor pressure during the test and subsequent power reduction. The pressure inside the reactor vessel increased. In a BWR, reactor pressure increases collapse and shrink steam bubbles. Displacing steam void spaces with water increases the reactor power level. When atoms split to release energy, they also release neutrons. The neutrons can interact with other atoms to causing them to split. Water is much better than steam bubbles at slower down the neutrons to the range where the neutrons best interact with atoms. Put another way, the steam bubbles permit high energy neutrons to speed away from the fuel and get captured by non-fuel parts within the reactor vessel while the water better confines the neutrons to the fuel region.

The EHC system’s problem allowed the pressure inside the reactor vessel to increase. The higher pressure collapsed steam bubbles, increasing the reactor power level. As the reactor power level increased, more neutrons scurried about as more and more atoms split. The neutron monitoring system detected the increasing inventory of neutrons and initiated the automatic shut down of the reactor to avoid excessive power and fuel damage.

Workers attributed the vibrations to a design flaw. A component in the EHC system is specifically designed to dampen vibrations in the tubing providing hydraulic fluid to the linkages governing valve positions. But under certain conditions, depressing the test pushbutton creates a pressure pulse on that component. Instead of dampening the pressure piles, the component reacts in a way that causes the hydraulic system pressure to oscillate, creating the vibrations that damaged the linkages.

The component and damaged linkages were replaced. In addition, the test procedure was revised to avoid performing that specific portion of the test when the reactor is operating. In the future, that part of the turbine valve test will be performed during an outage.

Vibrations Re-Visited

It was not the first time that Oyster Creek was shut down due to problems performing this test. It wasn’t even the first time this decade.

On December 14, 2013, operators conducted the quarterly test of the turbine control system at 95 percent power. They encountered unanticipated valve responses and reactor pressure changes during the test. The operators manually shut down the reactor as reactor pressure rose towards the automatic shut down setpoint.

Improper assembly of components in the EHC system and vibrations that caused them to come apart resulted in control valves #2 and #3 closing. Their closure increased the pressure within the reactor pressure, leading the operators to manually shut down the reactor before it automatically scrammed.

The faulty parts were replaced.

Bad Vibrations at a Good Time

If every test was always successful, there would be little value derived by the testing program.

Similarly, if every test was seldom successful, there would be little value from the testing program.

Tests that occasionally are unsuccessful have value.

First, they reveal things that need to be fixed

Second, they provide insights on the reliability of the items being tested. (I suppose tests that always fail also yield insights about reliability, so I should qualify this statement to say they provide useful and meaningful insights about reliability.)

Third, they occur during a test rather than when needed to prevent or mitigate an accident. Accidents may reveal more insights than those revealed by test failures. But the cost per insight is a better deal with test failures.

Increase in Cancer Risk for Japanese Workers Accidentally Exposed to Plutonium

According to news reports, five workers were accidentally exposed to high levels of radiation at the Oarai nuclear research and development center in Tokai-mura, Japan on June 6th. The Japan Atomic Energy Agency, the operator of the facility, reported that five workers inhaled plutonium and americium that was released from a storage container that the workers had opened. The radioactive materials were contained in two plastic bags, but they had apparently ripped.

We wish to express our sympathy for the victims of this accident.

This incident is a reminder of the extremely hazardous nature of these materials, especially when they are inhaled, and illustrates why they require such stringent procedures when they are stored and processed.

According to the earliest reports, it was estimated that one worker had inhaled 22,000 becquerels (Bq) of plutonium-239, and 220 Bq of americium-241. (One becquerel of a radioactive substance undergoes one radioactive decay per second.) The others inhaled between 2,200 and 14,000 Bq of plutonium-239 and quantities of americium-241 similar to that of the first worker.

More recent reports have stated that the amount of plutonium inhaled by the most highly exposed worker is now estimated to be 360,000 Bq, and that the 22,000 Bq measurement in the lungs was made 10 hours after the event occurred. Apparently, the plutonium that remains in the body decreases rapidly during the first hours after exposure, as a fraction of the quantity initially inhaled is expelled through respiration. But there are large uncertainties.

The mass equivalent of 360,000 Bq of Pu-239 is about 150 micrograms. It is commonly heard that plutonium is so radiotoxic that inhaling only one microgram will cause cancer with essentially one hundred percent certainty. This is not far off the mark for certain isotopes of plutonium, like Pu-238, but Pu-239 decays more slowly, so it is less toxic per gram.  The actual level of harm also depends on a number of other factors. Estimating the health impacts of these exposures in the absence of more information is tricky, because those impacts depend on the exact composition of the radioactive materials, their chemical forms, and the sizes of the particles that were inhaled. Smaller particles become more deeply lodged in the lungs and are harder to clear by coughing. And more soluble compounds will dissolve more readily in the bloodstream and be transported from the lungs to other organs, resulting in exposure of more of the body to radiation. However, it is possible to make a rough estimate.

Using Department of Energy data, the inhalation of 360,000 Bq of Pu-239 would result in a whole-body radiation dose to an average adult over a 50-year period between 580 rem and nearly 4300 rem, depending on the solubility of the compounds inhaled. The material was most likely an oxide, which is relatively insoluble, corresponding to the lower bound of the estimate. But without further information on the material form, the best estimate would be around 1800 rem.

What is the health impact of such a dose? For isotopes such as plutonium-239 or americium-241, which emit relatively large, heavy charged particles known as alpha particles, there is a high likelihood that a dose of around 1000 rem will cause a fatal cancer. This is well below the radiation dose that the most highly exposed worker will receive over a 50-year period. This shows how costly a mistake can be when working with plutonium.

The workers are receiving chelation therapy to try to remove some plutonium from their bloodstream. However, the effectiveness of this therapy is limited at best, especially for insoluble forms, like oxides, that tend to be retained in the lungs.

The workers were exposed when they opened up an old storage can that held materials related to production of fuel from fast reactors. The plutonium facilities at Tokai-mura have been used to produce plutonium-uranium mixed-oxide (MOX) fuel for experimental test reactors, including the Joyo fast reactor, as well as the now-shutdown Monju fast reactor. Americium-241 was present as the result of the decay of the isotope plutonium-241.

I had the opportunity to tour some of these facilities about twenty years ago. MOX fuel fabrication at these facilities was primarily done in gloveboxes through manual means, and we were able to stand next to gloveboxes containing MOX pellets. The gloveboxes represented the only barrier between us and the plutonium they contained. In light of the incident this week, that is a sobering memory.

Palo Verde: Running Without a Backup Power Supply

The Arizona Public Service Company’s Palo Verde Generating Station about 60 miles west of Phoenix has three Combustion Engineering pressurized water reactors that began operating in the mid 1980s. In the early morning hours of Thursday, December 15, 2016, workers started one of two emergency diesel generators (EDGs) on the Unit 3 reactor for a routine test. The EDGs are the third tier of electrical power to emergency equipment for Unit 3.

When the unit is operating, the source of power is the electricity produced by the main generator (labeled A in Figure 1.) The electricity flows through the Main Transformer to the switchyard and offsite power grid and also flows through the Unit Auxiliary Transformer to in-plant equipment. If the unit is not operating, electrical power flows from the offsite power grid through the Startup Transformer (B) to in-plant equipment. When the main generator is offline and power from the offsite power grid is unavailable, the EDGs (C) step in to provide electrical power to a subset of in-plant equipment—the emergency equipment needed to protect the reactor core and minimize release of radioactivity to the environment. An additional backup power source exists at Palo Verde in the form of gas turbine generators (D) that can supply power to any of the three units.

Fig. 1 (Source: Arizona Public Service Company)

I toured the Palo Verde site on May 11, 2016. The tour included one of EDG rooms on Unit 2 as shown in Figure 2. Each unit at Palo Verde has two EDGs. The EDG being tested on December 15, 2016, was manufactured in 1981 and was a Cooper Bessemer 20-cylinder V-type turbocharged engine. The engine operated at 600 revolutions per minute with a rated output of 5,500,000 watts.

Fig. 2 (Source: Arizona Public Service Company)

Assuming one of the two EDGs for a unit fails and there are no additional equipment failures, the remaining EDG and the equipment powered by it are sufficient to mitigate any design basis accident (including a loss of coolant accident caused by a broken pipe connected to the reactor vessel) and protect workers and the public from excessive exposure to radiation. Figure 3 shows the major components powered by the Unit 3 EDGs—a High Pressure Safety Injection (HPSI) train, a Low Pressure Safety Injection (LPSI) train, a Containment Spray train, an Essential Cooling Water Pump, an Auxiliary Feedwater Pump, and so on.

Fig. 3 (Source: Arizona Public Service Company Individual Plant Examination)

Because the EDGs are normally in standby mode, the operating license for each unit requires that they be periodically tested to verify they remain ready to save the day should that need arise. At 3:02 am on December 15, 2016, workers started EDG 3B. Workers increased the loading on EDG 3B to about 2,700,000 watts, roughly half load, at 3:46 am per the test procedure.

Ten minutes later, alarms sounded and flashed in the Unit 3 Control Room alerting operators that EDG B had automatically stopped running to due low lube oil pressure. A worker in the area notified the control room operators about a large amount of smoke as well as oil on the floor of the EDG room. The operators contacted the onsite fire department which arrived in the EDG room at 4:06 am. There was no fire ongoing when they arrived, but they remained on scene for about 90 minutes to assist in the response to the event.

Operators declared an Alert, the third most serious in the NRC’s four emergency classifications, at 4:10 am due to a fire or explosion resulting in control room indication of degraded safety system performance. The emergency declaration was terminated at 6:36 am.

Seven weeks later after the fire had long been out, the oil on the floor long since wiped up, and all sharp-edged metal fragments long gone, and any toxic smoke long dissipated, the Nuclear Regulatory Commission (NRC) dispatched a special inspection team to investigate the event and its cause. The NRC dispatched its special inspection team more than a month after it authorized Unit 3 to continue operating for up to 62 days while its blown-up backup power source was repaired. The Unit 3 operating license originally allowed the reactor to operate for only 10 days with one of two EDGs out of service.

Workers at Palo Verde determined that EDG 3B failed because the connecting rod on cylinder 9R failed. It was the fifth time that an EDG of that type at a US nuclear power plant experienced a connecting rod failure and it was the second time that Cylinder 9R on EDG 3B at Palo Verde. It had also failed during a test in 1986.

Examinations in 2017 following the most recent failure traced its root cause back to the first failure. The forces resulting from that failure caused misalignment of the main engine crankshaft. (In this engine, the crankshaft rotates. The crankshaft causes the connecting rods to rise and fall with each rotation, in turn driving the pistons in and out of the cylinders.) The misalignment was very minor—the tolerances are on the order of thousands of an inch. But this minor misalignment over hundreds of hours of EDG operation over the ensuing three decades resulted in high cyclic fatigue failure of the connecting rod.

Workers installed a new crankshaft aligned within the tight tolerances established by the vendor. Workers also installed new connecting rods and repaired the crankcase. After testing the repairs, EDG B was returned to service.

NRC Sanctions

The NRC’s special inspection team did not identify any violations contributing to the cause of the EDG failure, in the response to the failure, or in the corrective actions undertaken to remedy the failure.

UCS Perspective

The NRC’s timeline for this event isn’t comforting.

The operating licenses issued by the NRC for the three reactors at Palo Verde allow each unit to continue running for up to 10 days when one of two EDGs is out of service. The Unit 3 EDG that was blown apart on December 15 could not be repaired within 10 days. So, the owner applied to the NRC for permission to operate Unit 3 for up to 21 days with only one EDG. But the EDG could not be repaired within 21 days. So, the owner applied to the NRC for permission to operate Unit 3 for up to 62 days with only one EDG.

The NRC approved both requests, the second on January 4, 2017. More than a month later, on February 6, 2017, the NRC special inspection team arrived onsite to examine what happened and why it happened.

Wouldn’t a prudent safety regulator have asked and answered those questions before allowing a reactor to continue operating for six times as permitted by its operating license?

Wouldn’t a prudent safety regulator have ensured the cause of EDG 3B blowing itself apart might not also cause EDG 3A to blow itself apart before allowing a reactor to continue operating for two months with a potential explosion in waiting?

Whether the answers are yes or no, could that prudent regulator please call the NRC and share some of that prudency? The NRC may be many things, but it’ll seldom be accused and never be convicted of excessive prudency.

Where’s a prudent regulator when America needs one?

The Ugly: Post #3 on the NNSA’s FY2018 Budget Request

On Tuesday, May 23, the Trump administration released its Fiscal Year 2018 (FY2018) budget request. I am doing a three-part analysis of the National Nuclear Security Administration’s budget. That agency, a part of the Department of Energy, is responsible for developing and maintaining US nuclear weapons. Previously we focused on The Good and The Bad, and today we have The Ugly.

The Ugly NNSA’s “New” Warhead a Sign of Things to Come?

The NNSA’s FY2018 budget request includes what might seem to be a relatively innocuous statement:

In February 2017, DOD and NNSA representatives agreed to use the term “IW1” rather than “W78/88-1 LEP” to reflect that IW1 replaces capability rather than extending the life of current stockpile systems.

In other words, rather than extending the life of the W78 and W88 warheads via a life extension program (or LEP), the NNSA will develop the IW1 to “replace” those warheads.

To my mind, that is an admission that the IW1—short for Interoperable Warhead One–is a new nuclear weapon, as UCS has been saying for quite some time.

The Obama administration was loath to admit as much, arguing that the proposed system—combining a primary based on one from an existing warhead and a secondary from another warhead—was not a “new” warhead. That reluctance stemmed from the administration’s declaration in its 2010 Nuclear Posture Review (NPR) that the United States would not develop new nuclear warheads or new military capabilities or new missions for nuclear weapons. Declaring the IW1 a new warhead would destroy that pledge.

That semantic sleight of hand by the Obama team was somewhat ugly: the IW1 is a new warhead. (For a lot more detail on the IW1 and the misguided “3+2 plan” of which it is part, see our report Bad Math on New Nuclear Weapons.)

However, what might be coming from the Trump administration is truly ugly.

The fact that the FY2018 NNSA budget admits the IW1 is a new warhead may be signal that the Trump team—which is doing its own NPR—will eliminate the Obama pledge not to develop new weapons or pursue new military capabilities and missions.

That change would send a clear message to the rest of the world that the United States believes it needs new types of nuclear weapons and new nuclear capabilities for its security. This would further damage the Nuclear Non-Proliferation Treaty (NPT), which is already fraying because the weapon states are not living up to their commitment to eliminate their nuclear weapons. Deep frustration on the part of the non-nuclear weapon states has led to the current negotiations on a treaty to ban nuclear weapons. New US weapons could also damage our efforts to halt North Korea’s nuclear program and undermine the agreement with Iran that has massively reduced their program to produce fissile materials for nuclear weapons.

Moreover, a likely corollary of withdrawing that pledge would be to pursue a new type of nuclear weapon, or a new capability. Some options have already been suggested:

  1. The Defense Science Board recommended developing weapons with “lower-yield, primary-only options” (because the B61 bomb and the air-launched cruise missile already have low-yield options, this was presumably for missile warheads, though the report does not specify).
  2. The author of the Obama NPR—Jim Miller—and Admiral Sandy Winnefeld (USN, retired) have proposed reviving the submarine-launched nuclear-armed cruise missile that was retired in the Obama NPR.

Those options are contrary to US security interests. Nuclear weapons are the only threat to the survival of the United States. Given that, and because there will not be a winner in a nuclear war, the US goal must be to reduce the role that these weapons play in security policy until they no longer are a threat to our survival. Continuing to invest in new types of nuclear weapons convinces the rest of the world that the United States will never give up its nuclear weapons, and encourages other nuclear-weapon states to respond in ways that will continue to threaten the United States.

Make no mistake, the United States already has incredibly powerful and reliable nuclear weapons that would deter any nuclear attack on it or its allies, and it will for the foreseeable future.

So the idea that the United States should pursue new types of weapons? That is truly ugly.

Upcoming GMD Missile Defense Test: Part 2

The upcoming missile defense test will also be the first intercept test of a new kill vehicle and will use an upgraded booster for the interceptor.

The GMD system currently has 36 deployed interceptors. A majority of the interceptors use a type of kill vehicle, the CE-I variant, that has had only two successful intercept tests in four tries. Its last successful intercept test was in 2008; the most recent test failed.

The other interceptors are equipped with the CE-II kill vehicle, which has had only a single successful intercept test in three tries. The Director of Operational Test and Evaluation’s 2014 report stated: “The reliability of the interceptors is low, and the [Missile Defense Agency (MDA)] continues discovering new failure modes during testing.”

The upcoming test will be the first intercept test of the new CE-II Block 1 kill vehicle. It uses newly designed divert thrusters meant to fix persistent problems guiding the kill vehicle. The divert thrusters are the small motors that make course adjustments when the kill vehicle is homing on its target. They make the fine adjustments in direction that make the difference between a hit and a miss.

The kill vehicle is the heart of the homeland missile defense system. Yet it has been dogged by a persistent problem called the track gate anomaly, which has appeared in tests for more than a decade, and which led to a failed intercept in 2010. The MDA has tried software and hardware fixes, essentially to compensate for vibrations caused by the rough combustion of the small divert motors. The CE-II Block 1 kill vehicle uses a new set of those motors to try to solve this problem. It was flight tested in January 2016, without complete success. In that case, one of the four motors stopped working and the kill vehicle flew off course—way off course.

The improved interceptor booster has upgraded avionics, and addresses obsolescence and reliability issues.

What if the test fails?

The MDA has been committed to increasing the number of interceptors to 44 before the end of 2017. To do so, it will be emplacing 10 new interceptors with CE-II Block 1 kill vehicles on them (eight CE-II Block 1 interceptors to complete the fleet and two to replace older interceptors equipped with the CE-I kill vehicle.) The MDA Director stated in testimony that he is waiting for the (presumably) successful intercept test before delivering these.

While that may seem an obvious criterion, that’s not the way GMD business has been done in the past. All (or nearly all) other currently-fielded GBI were fielded before they had completed a successful intercept test, as is shown in Fig. 1.

Fig. 1. This shows the number of deployed interceptors with the CE-I and CE-II kill vehicles (vertical axis) and the tests of those kill vehicles. (Source: “Shielded from Oversight”)

So, should this test fail, a consequence may be that the interceptor fielding would be put on hold until the test was repeated successfully. Because GMD tests take a significant amount of time to plan and organize, this is unlikely to happen quickly. For example, the January FTG-06 2010 intercept test failed and was repeated in December of that year.

Will political pressure to field these interceptors win out even if the test fails?

What if it’s a success?

Even if the test is successful, it is very important to look wholistically at the capabilities of the system and what has actually been demonstrated. While this test may demonstrate that the MDA is on the right track with the fixes to the kill vehicle, overall it is not even close to demonstrating that the system works in a real-world setting. The system has not yet been tested in the range of conditions under which it is expected to operate—for example, it hasn’t been successfully tested at night or against complex countermeasures that a determined adversary would surely try to include. The Pentagon’s Director for Operational Test and Evaluation assessment in 2014 is that the tests to date are “insufficient to demonstrate that an operationally useful defense capability exists.”

A successful test this week is the basis for better understanding the capabilities of the system, but it is not the basis for expanding the system.

Upcoming GMD Missile Defense Test: Part 1

Scheduled for later this week is the 18th intercept test of the Ground-based Midcourse Defense (GMD) system since 1999, and the 10th since the system was declared operational in 2004. What do we know about the test, and what’s riding on it?

The GMD system is, after more than 15 years on an accelerated deployment schedule and on order of $40 billion spent, still essentially an advanced prototype. It has serious reliability issues. In 9 of the 17 intercept tests since 1999, the kill vehicle failed to destroy the target. The test record has not been getting better over time as you would expect for a system that is maturing. And the tests have still not been done under realistic conditions.

The Missile Defense Agency (MDA) has said the upcoming test will be the first test against an ICBM-range target missile. Defending against long-range missile is, of course, what the whole system is about.

MDA classifies targets for the GMD system as intermediate range ballistic missiles (IRBM) (3,000-4,500 km) and intercontinental ballistic missiles (ICBM) (>5,500 km). This test will apparently use a three-stage ICBM-range target.

That leads to an important issue: what do we know about the target and how representative is it of what the US might face?

I was able to get the hazard zones for the test from the published Notices to Mariners for May 31-June 1, which are plotted in white in Google Earth. Figure 1 shows the zones where the stages will land from the launch of the target missile from Kwajalein and the interceptor from Vandenberg. These zones indicate the direction those missiles were launched. The large white region in the center is where debris from the intercept would land.

These zones allow us to determine that the target and interceptor will meet essentially head-on, and allow us to estimate the range of the target missile.

Fig. 1

A straight flight out of Kwajalein (thin white line in Fig. 2) would send the target north of the intercept zone, so the target missile apparently maneuvers during boost phase to follow the light blue line and make the collision with the GMD interceptor (yellow line) more head-on.

Fig. 2

The hard limit of the range of the target is about 5,800 km. If its range were any longer, it would land east of the hazard zone. So the target appears to be just slightly longer than the minimum range (5,500 km) considered to be an ICBM.

One important factor in a missile defense intercept is the closing speed of the engagement, how fast the distance between the target and interceptor disappears. This depends on the speeds of both the target and interceptor and the angle at which they approach. The angle of attack is significant: a head-on collision maximizes closing speed and a tail chase minimizes it.

Faster closing speeds give the interceptor less time to make course corrections, and are therefore more stressing for the interceptor. Table 1 shows the burnout speeds of missiles of various ranges on standard trajectories.

Table 1.

The conclusion I make from this is that the upcoming missile defense test is likely to be against an ICBM-range target that is marginally longer range than an IRBM, but significantly shorter range than missiles North Korea would need to target the United States. However, the closing velocity is likely to be larger than in many of the previous tests, which have been at significant crossing angles or with slower targets.

In Part 2 of this post, I look at what else is new in this test, and what the implications are.

Th Bad: Post #2 on the NNSA’s FY2018 Budget Request

On Tuesday, May 23, the Trump administration released its Fiscal Year 2018 (FY2018) budget request. I am doing a three-part analysis of the National Nuclear Security Administration’s budget. That agency, a part of the Department of Energy, is responsible for developing and maintaining US nuclear weapons. Yesterday we focused on The Good, today we have The Bad, and The Ugly is still to come.

The Bad Rising costs in warhead life extension programs

The NNSA’s most important task is to ensure that the weapons in the US nuclear arsenal are safe, secure and effective. As part of that work, the NNSA is simultaneously undertaking four different programs to extend the lives of four different warheads in the US stockpile: the W76 warhead deployed on submarines, the B61 bomb deployed on aircraft, the W88 warhead deployed on submarines and the W80 warhead for the proposed new air-launched cruise missile. The NNSA has not had such a confluence of work in decades.

That leads many observers to worry about how well the NNSA will manage such a heavy workload, especially when it is also trying to build one major new facility for uranium metal work and ramp up the new approach to dispose of excess plutonium.

Those concerns are only increased when a new president comes in talking about the need to “greatly strengthen and expand” the US nuclear capability. As described in The Good, this budget does not hint at any such effort.

Trump’s budget does, however, reveal rising costs for the existing warhead life extension programs initiated under the Obama administration. For the B61 and the W88, the Trump budget requests significantly more than what the Obama administration projected would be required for FY2018. For the B61, the Obama administration projected in the FY2017 budget that $728 million would be required in FY2018, an already large 15 percent increase above the FY2017 request. But the Trump administration’s request is $789 million, a 22 percent increase above FY2017. For the W88, a planned decrease of $30 million to $255 million (a 9 percent cut) became a $50 million–or 15 percent–increase, to $332 million.

The FY18 budget request offers relatively mundane explanations for these rising costs, including unexplained “increases.” They are particularly troubling, however, when considered in tandem with a recent Government Accountability Office (GAO) report on the life extension programs.

That report cites internal NNSA cost estimates showing the B61 will cost $10 billion, or $2.6 billion more than the NNSA currently predicts, and take an extra two years to produce the first new B61-12. Another internal NNSA estimate found that the W88 update could cost $1 billion more than previously expected. The GAO report also cites yet another internal NNSA estimate that the W80-4 warhead, being developed for the proposed new nuclear-armed cruise missile, may be underfunded by $1 billion, while a proposal to update the warhead’s secondary could add another $250-300 million to the total cost. That could bring the W88 program to over $10 billion as well.

Cost increases like that will mean increasing trouble for the NNSA. The “Weapons Activities” budget line, which funds all work on nuclear warheads, has already benefited from eight straight years of rising budgets averaging over 5% annually. The Trump budget seeks a 10% increase above the final level of funding Congress approved in the FY17 omnibus appropriations bill. If the numbers the GAO cites are correct, even larger increases will be needed in the future.

Another complicating factor is very tight timelines. The GAO notes the W80-4 is operating on an “accelerated, compressed schedule,” while officials have said the B61 may no longer meet certification requirements if there are any further delays producing new bombs. It looks more and more like the intersection of multiple warhead life extension programs, rising costs, and rushed production schedules could lead to a train wreck for NNSA.

And that is before the NNSA even starts work on its most far-reaching plan to develop a suite of new warheads to replace the existing ballistic missile warheads (but more on that in The Ugly).

Disappearing Dismantlement

In its final budget, the Obama administration proposed a modest increase in funding—from $52 million in FY2016 to $69 million in FY2017—for dismantling warheads that have been retired from the US nuclear stockpile. The result would be that the long line of weapons already in the queue for dismantlement would be taken apart more quickly, thus allowing the warheads retired under the New START agreement with Russia to be dismantled sooner as well.

Those in Congress who supported the Obama administration proposal pointed out that increasing dismantlement in the near term actually benefits life extension programs in the mid-term. Bringing on new employees and training them to dismantle warheads will help prepare them for the coming work on the B61 and the W88, which will entail dismantling the warheads, replacing aged components and reassembling them.

Led by the House Armed Services Committee, however, Congress ended up rejecting most of the increase, allowing only an additional $4 million in FY2017. For the House, anything proposed by the Obama administration that smacked of disarmament was too much, even if it was only taking apart weapons that have already been retired.

And now the Trump administration has dumped any thought of dismantling weapons sooner, noting in the FY18 budget that it is “eliminating the planned acceleration stated in the FY 2017 budget request.”

 

UCS in Science: The NRC Must Act to Reduce the Dangers of Spent Fuel Pool Fires at Nuclear Plants

In a Policy Forum article published in this week’s Science magazine, I argue, along with my co-authors Frank von Hippel and Michael Schoeppner, that the U.S. Nuclear Regulatory Commission (NRC) needs to take prompt action to reduce the alarmingly high potential for fires in spent fuel pools at U.S. nuclear plants.

The NRC allows nuclear plant owners to pack spent fuel into cooling pools at much higher densities than they were originally designed to handle. This has greatly increased the risk to the public should a large earthquake or terrorist attack breach the liner of a spent fuel pool, causing the pool to rapidly lose its cooling water. In such a scenario the spent fuel could heat up and catch fire within hours, releasing a large fraction of its highly radioactive contents. Since spent fuel pools are not enclosed in high-strength, leak-tight containment buildings, unlike the reactors themselves, much of this radioactive material could be readily discharged into the environment.

The consequences of a fire could be truly disastrous at densely packed pools, which typically contains much more cesium-137—a long-lived, extremely hazardous radioactive isotope—than is present in reactor cores. My Princeton University co-authors have calculated, using sophisticated computer models, that a spent fuel pool fire at the Peach Bottom nuclear plant in Pennsylvania could heavily contaminate over 30,000 square miles with long-lived radioactivity and require the long-term relocation of nearly 20 million people, for average weather conditions. Depending on the wind direction and other factors, the plume could reach anywhere from Maine to Georgia. My co-authors estimate the financial impact on the American economy of such contamination could reach $2 trillion: ten times the estimated $200 billion in damages caused by the release of radioactivity from the damaged Fukushima Daiichi plant.

The danger could be greatly reduced if plant owners thinned out the pools by transferring their older fuel to dry storage casks. But despite the relatively modest cost of this common-sense step—about $50 million per reactor—owners won’t do it voluntarily because they care more about their bottom line.

The NRC could require plant owners to expedite transfer of spent fuel to dry casks. But it refuses to do so, basing its decision on quantitative risk analyses that, as discussed in our Science article, underestimate the benefits of such a transfer by making numerous unrealistic and faulty assumptions. For example, its estimate of the economic damages of a fire in a densely packed spent fuel pool was $125 billion; nearly 20 times lower than the independent estimate of my Princeton co-authors.

In light of our findings, our article calls on the NRC to strengthen the technical basis of its risk analysis methodology by basing it on sound science and sensible policy judgments. We are confident that such an analysis will reveal that the substantial benefits of expedited transfer would more than justify the cost.

Pages