Nuclear Plant Safety: Will the Luck Run Out?
December 15, 1998
The twentieth anniversary of the worst nuclear power plant accident in the United States is approaching. On March 28, 1979, the reactor core at the Three Mile Island Unit 2 facility outside Harrisburg, Pennsylvania suffered a partial meltdown when a minor plant incident was complicated by equipment failures and personnel errors. According to surveys conducted by the Pennsylvania Department of Health, approximately 144,000 people living within 15 miles of the plant evacuated the area during the crisis. Nearby schools were closed for a week after the accident. Lethal levels of radiation prevented plant workers from entering the reactor containment building for nearly a year. The severely damaged facility never resumed operating and cost several hundred million dollars to clean up.
Although several nuclear plants have unexpectedly released radioactive gas or liquid to the environment and others have suffered incidents that required costly repairs, no other event in this country has approached the severity of the Three Mile Island (TMI) disaster. Some people suggest that this means the nuclear industry has fully captured the lessons learned at TMI. But closer examination of the available data reveals that even though many substantive improvements have been made in nuclear plant safety, luck is still playing a large role in protecting public health and safety.
The TMI accident began when workers making adjustments to a water purification system inadvertently stopped the cooling flow for the reactor core. The backup equipment installed specifically to cope with this situation failed. Emergency pumps designed to protect the reactor core automatically started, but the operators shut them down. They mistakenly relied on a broken instrument gauge and failed to look at a backup gauge that showed the emergency pumps were needed. The reactor core overheated, partially melted, and released more than ten million curies of radioactivity into the atmosphere.
According to the Nuclear Regulatory Commission (NRC), over the past decade US nuclear plants have reported more than 200 events very much like the one that triggered the TMI accident. The cooling water for the reactor core was unexpectedly lost in each of these events. In addition, there have been numerous other events caused by fires, pipe ruptures, and power failures. Yet none of these events led to reactor core meltdown. Why not? These events were not complicated by faulty backup equipment and worker errors as at TMI. Thus, the plants' design and operation limited these events to minor consequences. TMI was not the only potentially serious initiating event experienced by the US nuclear industry. It was simply the only such event that led to an accident.
One of the ingredients for an accident is faulty backup equipment. In recent years, the NRC and nuclear plant owners have reported several hundred instances where backup equipment was discovered to be faulty. A sampling:
- The NRC reported in July 1996 that the Haddam Neck Nuclear Plant in Connecticut had operated for its entire 28-year lifetime with the piping that supplies water to the reactor core too small to allow the necessary amount of water. As at TMI, the fuel in Haddam Neck's reactor core was not properly protected from severe damage by overheating.
- Two years later, the owner of the Big Rock Point nuclear plant in Michigan discovered that the facility had operated during the final third of its 39-year lifetime with the piping that would have supplied a borated solution to the reactor core completely severed. This vital emergency system would have been unable to shut down the reactor had there been an accident during this 13-year period. The borated solution is the only backup system for shutting down the reactor core. If the primary system failed, as it did at the Browns Ferry nuclear plant in 1980, the backup system would have been unable to stop the nuclear reaction.
- The owner of the Sequoyah Nuclear Plant reported in March 1992 that 27 of the 48 doors from the Unit 2 reactor containment building into the ice condenser would not freely open because water had gotten under the floor of the ice condenser and frozen, buckling the concrete upward several inches and blocking the doors. Further investigation revealed that 11 of the 48 ice condenser doors on Unit 1 were similarly affected. The ice condenser is a large vault containing over two million pounds of ice. The ice functions to absorb the energy released inside the reactor containment building when a pipe breaks. With so many ice condenser doors disabled, Sequoyah's reactor containment building could easily have been overpressurized and failed in event of an accident. The reactor containment building is the final barrier between radioactive material and the environment. If it failed, large amounts of radioactivity would have been released directly to the atmosphere.
- In November 1997, the NRC reported that its inspectors had found fibrous material inside the containment of the Donald C. Cook Nuclear Plant in Michigan. In case of an accident, this material may have clogged the debris screens that protect the emergency pumps. If these screens became clogged, as they did at the Perry Nuclear Power Plant in Ohio in March 1993 and the Limerick nuclear plant in Pennsylvania during September 1995, the emergency pumps would not have been able to supply necessary cooling water to the reactor core.
- In 1997, the owner of the Quad Cities nuclear plant in Illinois informed the NRC that a fire could cut off the power to all of the emergency pumps and cause serious reactor core damage. Following the disastrous fire at the Browns Ferry nuclear plant in March 1975, the NRC required all owners to modify their plants to ensure that a fire could not interrupt the power to both the primary emergency pumps and their backups. More than 22 years later, the Quad Cities plant was still vulnerable. It took the plant's owners nearly a year to re-route power cables and revise emergency procedures to remedy the problems.
None of these backup equipment failures led to reactor core meltdown. Why not? These plants did not experience an initiating event that required the backup equipment to function. Safety was achieved by not challenging the equipment rather than by having the equipment successfully fulfill the required safety functions. In other words, luck.
The remaining ingredient for an accident is worker errors. The NRC reported 728 nuclear plant problems caused by worker mistakes during a recent two-year period. That's an average of more than three mistakes per year at each nuclear plant. The Union of Concerned Scientists monitored safety performance at ten nuclear plants during 1997. The data indicated that worker errors contributed to 35 percent of the safety problems reported at the average nuclear plant. The River Bend nuclear plant in Louisiana led the list with nearly 68 percent of its safety problems involving worker mistakes. None of these worker mistakes led to reactor core meltdown. Why not? These errors were not made in conjunction with an initiating event and faulty backup equipment. It was simply a matter of timing.
The abundance of initiating events, equipment failures, and worker mistakes can be interpreted two ways. Some argue that this data demonstrates the success of the defense-in-depth approach to safety at US nuclear power plants. They maintain that backup system upon backup system and multiple barriers enable nuclear plants to tolerate problems without undue risk to the public. They suggest that the large number of reported problems shows the soundness of the defense-in-depth safety concept. They point to the fact that only one major reactor accident, Three Mile Island, has occurred in the US as the ultimate proof of the industry's safety record.
This data can also be interpreted in a more ominous way. At a casino, a jackpot occurs when three spinning wheels on a slot machine all stop in a certain combination. A nuclear power plant can be compared to a slot machine having an event wheel, an equipment wheel, and a worker performance wheel. Sometimes the event wheel stops on some initiating event such as "fire," "broken pipe," or "loss of power." Sometimes the equipment wheel stops on "failure." Sometimes the worker performance wheel stops on "mistake." At Three Mile Island, the wheels stopped on "loss of feedwater," "failure," and "mistake" to produce a major reactor accident. At Chernobyl, the wheels stopped on "loss of control," "failure," and "mistake" to produce another major reactor accident. Will there be another major reactor accident? The abundance of initiating events, equipment failures, and worker mistakes demonstrates that the wheels still stop frequently on these symbols. The TMI accident demonstrated that the wheels can line up for a major reactor accident.
Even the most adamant nuclear proponent must admit that a major reactor accident cannot be ruled out for the nuclear plants operating today. The key question is when will the next reactor accident occur? The NRC told the US Congress in April 1985 that:
"The most complete and recent probabilistic risk assessments suggest core melt frequencies in the range of [one in one thousand] per reactor year to [one in ten thousand] per reactor year. A typical value is [three in ten thousand]. Were this the industry average, then in a population of 100 reactors operating over a period of 20 years, the crude cumulative probability of [a severe reactor] accident would be 45%."
With 103 reactors currently operating in the United States, these data suggest that a major reactor accident may be fairly likely to occur in the near future. It seems only a matter of time before the initiating event wheel, the equipment wheel, and the human performance wheel stop in a combination that produces another accident.
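The NRC's 45% figure follows from a simple fleet-wide calculation that the quotation does not spell out. The script below is an added example, not part of the original article: it assumes the standard constant-rate (Poisson) risk model in which core melts at different reactors and years are independent, reproduces the 45% from the quoted inputs, shows the spread implied by the quoted range of frequencies, and goes one step beyond the text by computing how many years of operation it takes a fleet of a given size to reach a chosen cumulative probability.

```python
import math

# Inputs quoted in the article from the NRC's April 1985 statement to Congress.
TYPICAL_CORE_MELT_FREQUENCY = 3e-4   # per reactor-year ("three in ten thousand")
PRA_RANGE = (1e-4, 1e-3)             # "one in ten thousand" to "one in one thousand"
FLEET_1985 = 100                     # reactors assumed in the NRC statement
FLEET_1998 = 103                     # reactors operating when the article was written
HORIZON_YEARS = 20


def cumulative_probability(freq_per_reactor_year: float, reactors: int, years: float) -> float:
    """Probability of at least one core melt anywhere in the fleet over the period.

    Modelling assumption (not stated in the quoted text): core melts occur at a
    constant rate and independently across reactors and years, so the number of
    events is Poisson with mean freq * reactors * years, and
    P(at least one) = 1 - exp(-mean).
    """
    expected_events = freq_per_reactor_year * reactors * years
    return 1.0 - math.exp(-expected_events)


def cumulative_probability_binomial(freq_per_reactor_year: float, reactors: int, years: int) -> float:
    """Same question treated as independent reactor-year trials: 1 - (1 - p)^n.

    For small p the result is indistinguishable from the Poisson form above,
    which is why either model yields the NRC's 45%.
    """
    trials = reactors * years
    return 1.0 - (1.0 - freq_per_reactor_year) ** trials


def years_until_probability(freq_per_reactor_year: float, reactors: int, target: float) -> float:
    """Years of fleet operation until the cumulative probability reaches `target`.

    Inverts the Poisson form: t = -ln(1 - target) / (freq * reactors).
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return -math.log(1.0 - target) / (freq_per_reactor_year * reactors)


def fleet_risk_table(reactors: int, years: int) -> dict:
    """Cumulative probability at the low, typical and high frequencies for one fleet."""
    low, high = PRA_RANGE
    return {
        "low": cumulative_probability(low, reactors, years),
        "typical": cumulative_probability(TYPICAL_CORE_MELT_FREQUENCY, reactors, years),
        "high": cumulative_probability(high, reactors, years),
    }


if __name__ == "__main__":
    for fleet in (FLEET_1985, FLEET_1998):
        table = fleet_risk_table(fleet, HORIZON_YEARS)
        print(f"{fleet} reactors over {HORIZON_YEARS} years: "
              f"low {table['low']:.0%}, typical {table['typical']:.0%}, high {table['high']:.0%}")
    half = years_until_probability(TYPICAL_CORE_MELT_FREQUENCY, FLEET_1998, 0.5)
    print(f"Years until a 50% chance of at least one core melt ({FLEET_1998} reactors): {half:.1f}")
```

With the typical frequency and 100 reactors over 20 years, the expected number of core melts is 0.6, and 1 - e^-0.6 is 0.45, matching the NRC's statement. The range of frequencies matters a great deal: the same fleet and horizon give roughly 18% at the optimistic end and 86% at the pessimistic end, so the conclusion in the text does not hinge on the single "typical" value.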
Why should anyone be concerned about preventing another reactor accident? After all, the TMI accident produced some dramatic headlines and prompted a Saturday Night Live skit, but it did not leave portions of the Pennsylvania countryside uninhabitable. If TMI represented the worst-case reactor accident, then it might be acceptable to suffer one such disaster every generation. Unfortunately, things can be much worse than TMI. A study prepared in 1982 by the Sandia National Laboratory concluded that an accident at the Limerick nuclear plant outside Philadelphia could kill 74,000 people within the first year and cause 34,000 subsequent cancer deaths. Another 610,000 people could experience radiation-related injuries such as cataracts, temporary sterility, and thyroid nodules. The study estimated that an accident at Limerick could cost $200 billion for lost wages, relocation expenses, and decontamination efforts. The calculated results from an accident at the other nuclear plants were not as severe, but they were still significant. The study provided ample reasons for doing all that can be done to prevent another reactor accident.
What must be done to protect the public? The NRC has to rigorously enforce federal safety regulations at all nuclear plants. For example, regulations require nuclear plant owners to have programs in place to minimize the occurrence of worker mistakes and to prevent their recurrence. The high rate of personnel errors at the River Bend nuclear plant, accounting for 68 percent of the reported problems at this facility during 1997, strongly suggests that these regulations are being violated. The NRC must strictly enforce the regulations at River Bend, and at all nuclear plants, to reduce the frequency of worker mistakes. These measures will reduce the chances that the human performance wheel stops on "mistake."
In addition, the NRC must establish objective criteria to determine when a nuclear power plant with declining performance must be shut down. During the past decade, many nuclear plants, including Salem, Millstone, Clinton, D C Cook, FitzPatrick, LaSalle, Crystal River, and Indian Point 3, have been shut down for more than a year while their owners corrected numerous safety problems. Some of these safety problems required extensive repairs to emergency equipment that had been broken or improperly designed. At these plants, the equipment wheel was essentially permanently stuck on "failure." The NRC must take actions to limit the time that any plant's equipment wheel spends on "failure."
Nearly twenty years have passed since the reactor core meltdown at Three Mile Island. There have been thousands of similar initiating events, backup equipment failures, and worker mistakes in the intervening years. Fortune played a large role in preventing one or more of these initiating events from being complicated by faulty backup equipment and human errors to create another nuclear disaster. Unless actions are taken to reduce the frequency of equipment failures and worker mistakes, that era of good luck will run out. Unless these actions are taken soon, we should not bet on going another two decades without a major reactor accident.
David Lochbaum
Nuclear Safety Engineer
Union of Concerned Scientists