All Things NuclearAll Things Nuclear http://allthingsnuclear.org Insights on Science and Security Wed, 15 Nov 2017 11:00:59 +0000 en-US hourly 1 http://allthingsnuclear.org/wp-content/uploads/2016/01/cropped-favicon-32x32.png All Things Nuclear http://allthingsnuclear.org 32 32 UCS to Nuclear Regulatory Commission: Big THANKS! http://allthingsnuclear.org/dlochbaum/thanks-to-nrc http://allthingsnuclear.org/dlochbaum/thanks-to-nrc#comments Wed, 15 Nov 2017 11:00:59 +0000 http://allthingsnuclear.org/?p=14991 This spring, I ran into Mike Weber, Director of the Office of Nuclear Regulatory Research for the Nuclear Regulatory Commission (NRC), at a break during a Commission briefing. The Office of Research hosts a series of seminars which sometimes include presentations by external stakeholders. Read More

]]>
This spring, I ran into Mike Weber, Director of the Office of Nuclear Regulatory Research for the Nuclear Regulatory Commission (NRC), at a break during a Commission briefing. The Office of Research hosts a series of seminars which sometimes include presentations by external stakeholders. I asked Mike if it would be possible for me to make a presentation as part of that series.

I explained that I’d made presentations during annual inspector conferences in NRC’s Regions I, II, and III in recent years and would appreciate the opportunity to reach out to the seminars’ audience. Mike commented that he’d heard positive feedback from my regional presentations and would welcome my presentation as part of their seminars. Mike tasked Mark Henry Salley and Felix Gonzalez from the Research staff to work out arrangements with me. The seminar was scheduled for September 19, 2017, in the auditorium of the Two White Flint North offices at NRC headquarters. I appreciate Mike, Mark, and Felix providing me the opportunity I sought to convey a message I truly wanted to deliver.

The title of my presentation at the seminar was “The Other Sides of the Coins.” The NRC subsequently made my presentation slides publicly available in ADAMS, their online digital library.

As I pointed out during my opening remarks, the NRC staff most often hears or reads my statements critical of how the agency did this or didn’t do that. My presentation that day focused on representative positive outcomes achieved by the NRC. For that presentation that day, my whine list was blank by design. Instead, I talked about the other sides of my usual two cents’ worth.

I summarized eight positive outcomes achieved by the NRC and listed five other positive outcomes. I emphasized that these were representative positive outcomes and far from an unabridged accounting. I told the audience members that I fully expected they would be reminded of other positive outcomes they were involved in as I covered the few during my presentation. Rather than feeling slighted, I hoped they would feel acknowledged and appreciated by extension.

One of the eight positive outcomes I summarized was the inadequate flooding protection identified by NRC inspectors at the Fort Calhoun nuclear plant in Nebraska. The NRC issued a preliminary Yellow finding—the second highest severity in its Green, White, Yellow, and Red classification system—in July 2010 for the flood protection deficiencies. To help put that Yellow finding in context, the NRC issued 827 findings during 2010: 816 Green, 9 White, and 2 Yellow. It was hardly a routine, run of the mill issuance.

The plant’s owner formally contested the preliminary Yellow finding, contending among other things that Fort Calhoun had operated for nearly 30 years with its flood protective measures, so they must be sufficient. The owner admitted that some upgrades might be appropriate, but contended that the finding should be Green, not Yellow.

The NRC seriously considered the owner’s appeal and revisited its finding and its severity determination. The NRC reached the same conclusion and issued the final Yellow finding in October 2010. The NRC then monitored the owner’s efforts to remedy the flood protection deficiencies.

The NRC’s findings and, more importantly, the owner’s fixes certainly came in handy when Fort Calhoun (the sandbagged dry spot in the lower right corner of Figure 3) literally became an island in the Missouri River in June 2011.

Recall that the NRC inspectors identified flood protection deficiencies nearly 8 months before the Fukushima nuclear plant in Japan experienced three reactor meltdowns due to flooding. Rather than waiting for the horses to trot away before closing the barn door, the NRC acted to close an open door to protect the horses before they faced harm. Kudos!

The real reason for my presentation in September and my commentary now is to acknowledge the efforts of the NRC staff. My concluding slide pointed out that tens of millions of Americans live within 50 miles of operating nuclear power plants and tens of thousands of Americans work at these operating plants. The efforts of the NRC staff make these Americans safer and more secure. I observed that the NRC staff deserved big thanks for their efforts and my final slide attempted to symbolically convey our appreciation. (The thanks were way bigger on the large projection screen in the auditorium. To replicate that experience, lean forward until your face is mere inches away from your screen.)

]]>
http://allthingsnuclear.org/dlochbaum/thanks-to-nrc/feed 4
Whose Finger Is on the Button? Nuclear Launch Authority in the United States and Other Nations http://allthingsnuclear.org/emacdonald/whose-finger-on-the-button http://allthingsnuclear.org/emacdonald/whose-finger-on-the-button#comments Mon, 13 Nov 2017 16:41:51 +0000 http://allthingsnuclear.org/?p=15002 Throughout the 2016 presidential campaign, and perhaps even more since Trump’s election, the media discovered a newfound interest in the minutiae of US nuclear policy. One question in particular has been asked over and over—can the president, with no one else to concur or even advise, order the use of US nuclear weapons? Read More

]]>
Throughout the 2016 presidential campaign, and perhaps even more since Trump’s election, the media discovered a newfound interest in the minutiae of US nuclear policy. One question in particular has been asked over and over—can the president, with no one else to concur or even advise, order the use of US nuclear weapons? Most people have been shocked and somewhat horrified to find that there is a simple answer—yes.

Starting a nuclear war shouldn’t be easy

The president has the sole authority to order a nuclear strike—either a first strike or one in response to an attack. Although there are people involved in the process of transmitting and executing this order who could physically delay or refuse to carry it out, they have no legal basis for doing so, and it is far from clear what would happen if they tried.

This belated realization (the system has been in place since the early Cold War) has prompted some ideas for ways to change things, including legislation restricting the president’s ability to order a nuclear first strike without a declaration of war by Congress. But more often it has prompted concern—and sometimes outrage—without a clear idea of how to fix the problem.

It may be useful to ask how other nuclear-armed states approach the problem of making a decision about the use of their nuclear weapons. How does the US compare to Russia, China, and other nuclear-armed states? Are there existing systems that rely on multiple people to order the use of nuclear weapons that the US might learn from?

To try to answer these questions, our new issue brief compiles information on the systems that other nuclear-armed states have in place to order the use of their weapons. While information is necessarily limited, and some of these systems may not completely correspond to what would happen in a true crisis, they still provide useful information about what these countries think is important when making a decision about the use of nuclear weapons. And, in most cases, that includes some form of check on the power of any single individual to order the use of these weapons by him or herself.

The current US process for deciding to use nuclear weapons is unnecessarily risky in its reliance on the judgment of a single individual. There are viable alternatives to sole presidential authority, and it is past time for the US to establish a new process that requires the involvement of multiple decision-makers to authorize the use of nuclear weapons. An investigation of how this decision works in other nuclear-armed states provides a good place to start.

 

]]>
http://allthingsnuclear.org/emacdonald/whose-finger-on-the-button/feed 2
Grand Gulf: Three Nuclear Safety Miscues in Mississippi Warranting NRC’s Attention http://allthingsnuclear.org/dlochbaum/grand-gulf-three-nuclear-safety-miscues http://allthingsnuclear.org/dlochbaum/grand-gulf-three-nuclear-safety-miscues#comments Wed, 08 Nov 2017 11:00:25 +0000 http://allthingsnuclear.org/?p=14982 The Nuclear Regulatory Commission (NRC) reacted to a trio of miscues at the Grand Gulf nuclear plant in Mississippi by sending a special inspection team to investigate. While none of the events had adverse nuclear safety consequences, the NRC team identified significantly poor performance by the operators in all three. Read More

]]>
The Nuclear Regulatory Commission (NRC) reacted to a trio of miscues at the Grand Gulf nuclear plant in Mississippi by sending a special inspection team to investigate. While none of the events had adverse nuclear safety consequences, the NRC team identified significantly poor performance by the operators in all three. The recurring performance shortfalls instill little confidence that the operators would perform successfully in event of a design basis or beyond design basis accident.

The Events

Three events prompted the NRC to dispatch a special inspection team to Grand Gulf:

(1) failure to recognize that reactor power fluctuating up and down by more than 10% during troubleshooting of a control system malfunction in June 2016 exceeded a longstanding safety criterion calling for immediate shutdown,

(2) failure to recognize in September 2016 that the backup reactor cooling system relied upon when the primary cooling system broke was unable to function if needed, and

(3) failure to understand how a control system worked on September 27, 2016, resulting in the uncontrolled and undesired addition of nearly 24,000 gallons of water to the reactor vessel.

(1) June 2016 Reactor Power Oscillation Miscue

Figure 1 shows the main steam system for a typical boiling water reactor like Grand Gulf. The reactor vessel is not shown but is located off its left side. Heat produced by the reactor core boils water. Four pipes transport the steam from the reactor vessel to the turbine. The steam spins the turbine which is connected to a generator (off the right side of Figure 1) to make electricity.

Fig. 1 (Source: Nuclear Regulatory Commission)

Periodically, operators reduce the reactor power level to about 65% power and test the turbine stop valves (labeled SV in Figure 1). The stop valves are fully open when the turbine is in service, but are designed to rapidly close automatically if a turbine problem is detected. When the reactor is operating above about 30 percent power, closure of the stop valves triggers the automatic shutdown of the reactor. Below about 30 percent power, the main steam bypass valves (shown in the lower left of Figure 1) open to allow the steam flow to the main condenser should the stop valves close.

Downstream of the turbine stop valves are the turbine control valves (labeled CV in Figure 1.) The control valves are partially open when the turbine is in service. The control valves are automatically re-positioned by the electro-hydraulic control (labeled EHC) system as the operators increase or decrease the reactor power level. Additionally, the EHC system automatically opens the three control valves in the other steam pipes more fully when the stop valve in one steam pipe closes. The EHC system and the control valve response time is designed to minimize the pressure transient experienced in the reactor vessel when the steam flow pathways change.

The test involves the operators closing each stop valve to verify these safety features function properly. During testing on June 17, 2016, however, unexpected outcomes were encountered. The EHC system failed to properly reposition the control valves in the other lines when a stop valve was closed, and later when it was re-opened. The control system glitch caused the reactor power level to increase and decrease between 63% and 76%.

Water flowing through the core of a boiling water reactor is heated to the boiling point. By design, the formation of steam bubbles during boiling acts like a brake on the reactor’s power level. Atoms splitting within the reactor core release heat. The splitting atoms also release neutrons, subcomponents of the atoms. The neutrons can interact with other atoms to cause them to split in what is termed a nuclear chain reaction. The neutrons emitted by splitting atoms have high energy and high speed. The neutrons get slowed down by colliding with water molecules. While fast neutrons can cause atoms to split, slower neutrons perform this role significantly better.

The EHC system problems caused the turbine control valves to open wider and close more than was necessary to handle the steam flow. Turbine control valves opened wider than necessary lowered the pressure inside the reactor vessel, allowing more steam bubbles to form. With fewer water molecules around to slow down the fast neutrons, more neutrons went places other than interacting with atoms to cause more fissions. The reactor power level dropped as the neutron chain reaction rate slowed.

When turbine control valves closed more than necessary, the pressure inside the reactor vessel increased. The higher pressure collapsed steam bubbles and made it harder for new bubbles to form. With more water molecules around, more neutrons interacted with atoms to cause more fissions. The reactor power level increased as the neutron chain reaction rate quickened.

Workers performed troubleshooting of the EHC system problems for 40 minutes. The reactor power level fluctuated between 63% and 76% as the turbine control valves closed too much and then opened too much. Finally, a monitoring system detected the undesired power fluctuations and automatically tripped the reactor, causing all the control rods to rapidly insert into the reactor core and stop the nuclear chain reaction.

The NRC’s special inspection team reported that the control room operators failed to realize that the 10% power swings exceeded a safety criterion that called for the immediate shut down of the reactor. Following a reactor power level instability event at the LaSalle nuclear plant in Illinois in March 1988, Grand Gulf and other boiling water reactors revised operating procedures in response to an NRC mandate to require reactors to be promptly shut down when the reactor power level oscillated by 10% or more.

EHC system problems causing unwanted and uncontrolled turbine control valve movements had been experienced eight times in the prior three years. Operators wrote condition reports about the problems, but no steps had been taken to identify the cause and correct it.

Consequences

Due to the intervention by the system triggering the automatic reactor scram, this event did not result in fuel damage or release of radioactive materials exceeding normal, routine releases. But that outcome was achieved despite the operators’ efforts but because of them. The operators’ training and procedures should have caused them to manually shut down the reactor when its power level swung up and down by more than 10%. Fortunately, the plant’s protective features intervened to remedy their poor judgement.

(2) September 2016 Backup Reactor Cooling System Miscue

On September 4, 2016, the operators declared residual heat removal (RHR) pump A (circled in red in the lower middle portion of Figure 2) to be inoperable after it failed a periodic test. The pump was one of three RHR pumps that can provide makeup cooling water to the reactor vessel in case of an accident. RHR pumps A and B can also be used to cool the water within the reactor vessel during non-accident conditions. Grand Gulf’s operating license only permitted the unit to continue running for a handful of days with RHR pump A inoperable. So, the operators shut down the reactor on September 8 to repair the pump.

The operating license required two methods of cooling the water within the reactor vessel during shut down conditions. RHR pump B functioned as one of the methods. The operators took credit for the alternate decay heat removal (ADHR) system as the second method. The ADHR system is shown towards the upper right of Figure 2. It features two pumps that can take water from the reactor vessel, route it through heat exchangers, and return the cooled water to the reactor vessel. The ADHR system’s heat exchangers are supplied with cooling water from the plant service water (PSW) system. Warmed water from the reactor vessel flows through hundreds of metal tubes within the ADHR heat exchangers. Heat conducted through the tube walls gets carried away by the PSW system.

By September 22, workers had replaced RHR pump A and successfully tested the replacement. The following day, operators attempted to place the ADHR system in service prior to removing RHR pump B from service. They discovered that all the PSW valves (circle in red in the upper right portion of Figure 2) to the ADHR heat exchangers were closed. With these valves closed, the ADHR pumps would only take warm water from the reactor vessel, route it through the ADHR heat exchangers, and return the warm water back to the reactor vessel without being cooled.

The operating license required workers to check each day that both reactor water cooling systems were available during shut down. Each day between September 9 and 22, workers performed this check via a paperwork exercise. No one ever walked out into the plant to verify that the ADHR pumps were still there and that the PSW valves were still open.

The NRC team determined that workers closed the PSW valves to the ADHR heat exchangers on August 10 to perform maintenance on the ADHR system. The maintenance work was completed on August 15, but the valves were mistakenly not re-opened until September 23 after being belatedly discovered to be mis-positioned.

Consequences

Improperly relying on the ADHR system in this event had no adverse nuclear safety consequences. It was relied upon was a backup to the primary reactor cooling system which successfully performed that safety function. Had the primary system failed, the ADHR system would not have been able to take over that function as quickly as intended. Fortunately, the ADHR system’s vulnerability was not exploited.

(3) September 2016 Reactor Vessel Overfilling Miscue

On September 24, Grand Gulf was in what is called long cycle cleanup mode. Water within the condenser hotwell (upper right portion of Figure 3) was being sent by the condensate pumps through filter demineralizers and downstream feedwater heaters before recycling back to the condenser via the startup recirculation line. A closed valve prevented this water from flowing into the reactor vessel. Long cycle cleanup mode allows the filter demineralizers to remove particles and dissolved ions from the water. Water purity is important in boiling water reactors because any impurities tend to collect within the reactor vessel rather than being carried away with the steam leaving the vessel. The water in the condenser hotwell is the water used over and over again in boiling water reactors to make the steam that spins the turbine-generator.

Fig. 3 (Source: Nuclear Regulatory Commission)

Workers were restoring RHR pump B to its standby alignment following testing. The procedure they used directed them to open the closed feedwater valve. This valve was controlled by three pushbuttons in the control room: OPEN, CLOSE, and STOP. As soon as this valve began opening, water started flowing into the reactor vessel rather than being returned to the condenser.

The operator twice depressed the CLOSE pushbutton wanting very much for the valve to re-close. But this valve was designed to travel to the fully opened position after the OPEN pushbutton was depressed and travel to the fully closed position after the CLOSE pushbutton was depressed. By design, the valve would not change direction until after it had completed its full travel.

Unless the STOP pushbutton was depressed. The STOP pushbutton, as implied by its label, caused the valve’s movement to stop. Once stopped, depressing the CLOSE pushbutton would close the valve and depressing the OPEN pushbutton would open it.

According to the NRC’s special inspection team, “operations personnel did not understand the full function of the operating modes of [the] valve.” No operating procedure directed the operators to use the STOP button. Training in the control room simulator never covered the role of the STOP button because it was not mentioned in any operating procedures.

Not able to use the installed control system to its advantage, the operator waited until the valve traveled fully open before getting it to fully re-close. But the valve is among the largest and slowest valves in the plant—more like an elephant than a cheetah in its speed.

During the time the valve was open, an estimated 24,000 gallons of water overfilled the reactor vessel. As shown in Figure 4, the vessel’s normal level is about 33 inches above instrument zero, or about 201 inches above the top of the reactor core. The 24,000 gallons filled the reactor vessel to 151 inches above instrument zero.

Fig. 4 (Source: Nuclear Regulatory Commission)

Consequences

The overfilling event had no adverse nuclear safety consequences (unless revealing procedure inadequacies, insufficient training, and performance shortcomings count.)

NRC Sanctions

The NRC’s special inspection team identified three violations of regulatory requirements. One violation involved inadequate procedures for the condensate and feedwater systems that resulted in the reactor vessel overfilling event on September 24.

Another violation involved crediting the ADHR system for complying with an operating license requirement between September 9 and 22 despite its being unable to perform the necessary reactor water cooling role due to closed valves in the plant service water supply to the ADHR heat exchangers.

The third violation involved inadequate verification of the ADHR system availability between September 9 and 22. Workers failed to properly verify the system’s availability and had merely assumed it was a ready backup.

UCS Perspective

Th trilogy of miscues, goofs, and mistakes that prompted the NRC to dispatch a special inspection team have a common thread. Okay, two common threads since all three happened at Grand Gulf. All three miscues reflected very badly on the operations department.

During the June power fluctuations miscue, the operators should have manually scrammed the reactor, but failed to do so. In addition, operators had experienced turbine control system problems eight times in the prior three years and initiated reports intended to identify the causes of the problems and remedy them. The maintenance department could have, and should have, reacted to these reports earlier. But the operations department could have, and should have, insisted on the recurring problems getting fixed rather than meekly adding to the list of unresolved problem reports.

During the September backup cooling system miscue, many operators over nearly two weeks had many opportunities to notice that the ADHR system would not perform as needed due to mispositioned valves. The maintenance department could have, and should have, not set a trap for the operators by leaving the valves closed when maintenance work was completed. But the operators are the only workers at the plant licensed by the NRC to ensure regulatory requirements intended to protect the public are met. They failed that legal obligation again and again between September 9 and 22.

During the September reactor vessel overfilling event, the operators failed to recognize that opening the feedwater valve while in long cycle cleanup mode would send water into the reactor vessel. That’s a fundamental mistake that’s nearly impossible to justify. The operators then compounded that mistake by failing to properly use the installed control system to mitigate the event. They simply did not understand how the three pushbutton controls worked and thus were unable to use them properly.

The poor operator performance that is the common thread among the trio of problems examined by the NRC’s special inspection team inspire little to no confidence that their performance will be any better during a design basis or beyond design basis event.

]]>
http://allthingsnuclear.org/dlochbaum/grand-gulf-three-nuclear-safety-miscues/feed 2
Scientists to Congress: The Iran Deal is a Keeper http://allthingsnuclear.org/lgronlund/scientists-letter-on-iran http://allthingsnuclear.org/lgronlund/scientists-letter-on-iran#respond Tue, 31 Oct 2017 15:12:22 +0000 http://allthingsnuclear.org/?p=14976 The July 2015 Iran Deal, which places strict, verified restrictions on Iran’s nuclear activities, is again under attack by President Trump. This time he’s kicked responsibility over to Congress to “fix” the agreement and promised that if Congress fails to do so, he will withdraw from it. Read More

]]>
The July 2015 Iran Deal, which places strict, verified restrictions on Iran’s nuclear activities, is again under attack by President Trump. This time he’s kicked responsibility over to Congress to “fix” the agreement and promised that if Congress fails to do so, he will withdraw from it.

As the New York Times reported, in response to this development over 90 prominent scientists sent a letter to leading members of Congress yesterday urging them to support the Iran Deal—making the case that continued US participation will enhance US security.

Many of these scientists also signed a letter strongly supporting the Iran Deal to President Obama in August 2015, as well as a letter to President-elect Trump in January. In all three cases, the first signatory is Richard L. Garwin, a long-standing UCS board member who helped develop the H-bomb as a young man and has since advised the government on all matters of security issues. Last year, he was awarded a Presidential Medal of Freedom.

What’s the Deal?

Diplomats announcing the framework of the JCPOA in 2015 (Source: US Dept. of State)

If President Trump did pull out of the agreement, what would that mean? First, the Joint Comprehensive Plan of Action (JCPoA) (as it is formally named) is not an agreement between just Iran and the US—but also includes China, France, Germany, Russia, the UK, and the European Union. So the agreement will continue—unless Iran responds by quitting as well. (More on that later.)

The Iran Deal is not a treaty, and did not require Senate ratification. Instead, the United States participates in the JCPoA by presidential action. However, Congress wanted to get into the act and passed The Iran Agreement Review Act of 2015, which requires the president to certify every 90 days that Iran remains in compliance.

President Trump has done so twice, but declined to do so this month and instead called for Congress—and US allies—to work with the administration “to address the deal’s many serious flaws.” Among those supposed flaws is that the deal covering Iran’s nuclear activities does not also cover its missile activities!

According to President Trump’s October 13 remarks:

Key House and Senate leaders are drafting legislation that would amend the Iran Nuclear Agreement Review Act to strengthen enforcement, prevent Iran from developing an inter– —this is so totally important—an intercontinental ballistic missile, and make all restrictions on Iran’s nuclear activity permanent under US law.

The Reality

First, according to the International Atomic Energy Agency, which verifies the agreement, Iran remains in compliance. This was echoed by Norman Roule, who retired this month after working at the CIA for three decades. He served as the point person for US intelligence on Iran under multiple administrations. He told an NPR interviewer, “I believe we can have confidence in the International Atomic Energy Agency’s efforts.”

Second, the Iran Deal was the product of several years of negotiations. Not surprisingly, recent statements by the United Kingdom, France, Germany, the European Union, and Iran make clear that they will not agree to renegotiate the agreement. It just won’t happen. US allies are highly supportive of the Iran Deal.

Third, Congress can change US law by amending the Iran Nuclear Agreement Review Act, but this will have no effect on the terms of the Iran Deal. This may be a face-saving way for President Trump to stay with the agreement—for now. However, such amendments will lay the groundwork for a future withdrawal and give credence to President Trump’s claims that the agreement is a “bad deal.” That’s why the scientists urged Congress to support the Iran Deal as it is.

The End of a Good Deal?

If President Trump pulls out of the Iran Deal and reimposes sanctions against Iran, our allies will urge Iran to stay with the deal. But Iran has its own hardliners who want to leave the deal—and a US withdrawal is exactly what they are hoping for.

If Iran leaves the agreement, President Trump will have a lot to answer for. Here is an agreement that significantly extends the time it would take for Iran to produce enough material for a nuclear weapon, and that would give the world an alarm if they started to do so. For the United States to throw that out the window would be deeply irresponsible. It would not just undermine its own security, but that of Iran’s neighbors and the rest of the world.

Congress should do all it can to prevent this outcome. The scientists sent their letter to Senators Corker and Cardin, who are the Chairman and Ranking Member of the Senate Foreign Relations Committee, and to Representatives Royce and Engel, who are the Chairman and Ranking Member of the House Foreign Affairs Committee, because these men have a special responsibility on issues like these.

Let’s hope these four men will do what’s needed to prevent the end of a good deal—a very good deal.

]]>
http://allthingsnuclear.org/lgronlund/scientists-letter-on-iran/feed 0
Grand Gulf: Emergency Pump’s Broken Record and Missing Record http://allthingsnuclear.org/dlochbaum/grand-gulf-emergency-pumps-broken-record http://allthingsnuclear.org/dlochbaum/grand-gulf-emergency-pumps-broken-record#comments Tue, 31 Oct 2017 10:00:20 +0000 http://allthingsnuclear.org/?p=14967 The Grand Gulf Nuclear Station located about 20 miles south of Vicksburg, Mississippi is a boiling water reactor with a Mark III containment that was licensed to operate by the Nuclear Regulatory Commission (NRC) in November 1984. It recently set a dubious record. Read More

]]>
The Grand Gulf Nuclear Station located about 20 miles south of Vicksburg, Mississippi is a boiling water reactor with a Mark III containment that was licensed to operate by the Nuclear Regulatory Commission (NRC) in November 1984. It recently set a dubious record.

The Mark III containment is a pressure-suppression containment type. It features a large amount of water in its pressure suppression pool and upper containment pool. In case of an accident, energy released into containment gets absorbed by this water, thus lessening the pressurization of the atmosphere within containment. The “energy sponge” role allows the Mark III containment to be smaller, and less expensive, than the non-pressure suppression containment structure that would be needed to handle an accident.

Fig. 1 (Source: Nuclear Regulatory Commission)

The emergency core cooling systems (ECCS) reside in a structure adjacent to the containment building. The ECCS for Grand Gulf consist of the high pressure core spray (HPCS) pump, the low pressure core spray (LPCS) pump, and three residual heat removal (RHR). The preferred source of water for the HPCS pump is the condensate storage tank (CST), although it can also draw water from the suppression pool within containment. The other ECCS pumps get their water from the suppression pool.

One of the RHR pumps (RHR Pump C) serves a single function, albeit an important one called the low pressure coolant injection (LPCI) function. When a large pipe connected to the reactor vessel breaks and drains cooling water rapidly from the vessel, RHR Pump C quickly provides a lot of water to replace the lost water and cool the reactor core.

The other two RHR pumps (RHR Pumps A and B) can perform safety functions in addition to the LPCI role. Each of these RHR pumps can be aligned to route water through a pair of heat exchangers. When in use, the heat exchangers cool down the RHR water.

RHR Pumps A and B can be used to cool the water within the reactor vessel. In what is called the shutdown cooling (SDC) mode, RHR Pump A or B takes water from the reactor vessel, routes this water through the pair of heat exchangers, and returns the cooled water to the reactor vessel.

Similarly, RHR Pumps A and B can use used to cool the water within the suppression pool. RHR Pump A or B draws water from the suppression pool, routes this water through the heat exchangers, and returns the cooled water to the suppression pool.

Finally, RHR Pumps A and B can be used to cool the atmosphere within the containment structure. RHR Pump A or B can take water from the suppression pool and discharge it through carwash styled sprinkler nozzles mounted to the inside surfaces of the containment’s upper walls and roof.

Given the varied safety roles played by RHR Pumps A and B, the operating license for Grand Gulf only permits the reactor to continue running for up to 7 days when either pump is unavailable. Workers started the 7-day shutdown clock on August 22, 2017, after declaring RHR Pump A to be inoperable. The ECCS pumps are tested periodically to demonstrate their capabilities. RHR Pump A failed to operate within its design band during testing. The pump was supposed to be able to deliver at least a flow rate of 7,756 gallon per minute for a differential pressure of at least 131 pounds per square inch differential across the pump. The differential pressure was too low when the pump delivered the specified flow rate. A higher differential pressure was required to demonstrate that the pump could also supply the necessary flow rate under more challenging accident conditions.

Before the clock ran out, workers shut down the Grand Gulf reactor on August 29. Workers replaced RHR Pump A and restarted the reactor on October 1, 2017.

It is rare that a boiling water reactor has to shut down for a month or longer to replace a broken RHR pump. The last time it happened in the United States was a year ago. Workers shut down the reactor on September 8, 2016, after an RHR pump failed testing on September 4. The RHR pump was unable to achieve the specified differential pressure and flow rate at the same time. Workers could throttle valves to satisfy the differential pressure criterion, but the flow rate was too low. Or, workers could reposition the throttle valves to obtain the specified flow rate, but the differential pressure was too low. The RHR pump was replaced and the reactor restarted on January 29, 2017.

The reactor—Grand Gulf.

The failed pump—RHR Pump A.

The “solution”—replace the failed pump.

UCS Perspective

Grand Gulf has experienced two failures and subsequent replacements of RHR Pump since the summer of 2016. That’s two more RHR pump replacements than the rest of the U.S. boiling water reactor fleet tallied during the same period. Call Guinness—Grand Gulf may have broken the world record for most RHR pump broken in a year!

Records are made to be broken, not RHR pumps.

The company’s report to the NRC about the most recent RHR Pump A failure dutifully noted that the same pump had failed and been replaced a year earlier, but claimed that corrective action could not have prevented this year’s failure of the pump. Maybe the same RHR pump broken twice within a year for two entirely unrelated reasons. The Easter bunny, the tooth fairy, and Santa Claus all agree that it’s at least possible.

On October 31, 2016, the NRC announced it was sending a special inspection team to Grand Gulf to investigate the failure of RHR Pump A and other problems.  The NRC’s press release concluded with this sentence: “An inspection report documenting the team’s findings will be publicly available within 45 days of the end of the inspection.”

As of October 24, 2017, no such inspection report has been made publicly available. Call Guinness—the NRC may have broken the world record for the longest special inspection ever!

Grand Gulf was restarted on January 29, 2017, 90 days after the NRC announced it was sending a special inspection team to investigate a series of safety problems. The inspection report should have been publicly available as promised to allay public concerns that the numerous safety problems that caused Grand Gulf to remain shut down for four months had been fixed.

On June 29, 2017—241 days after the NRC announced the special inspection report—I emailed the NRC’s Executive Director for Operations inquiring about the status of this overdue report.

On October 2, 2017—95 days after my inquiry—the NRC’s Executive Director for Operations emailed me a response. He indicated that the onsite portion of the special inspection was completed on November 4, 2016, and that the inspection report “should be issued within the next few weeks.”

The NRC promised to issue the special inspection report around December 19, 2016, when the inspection ended.

The NRC promises to value transparency.

The NRC should either stop making promises or start delivering results. Promises aren’t made to be broken, either. That’s what RHR pumps are for, at least in Mississippi.

Fig. 3 (Source: Kaja Bilek Flickr photo)

 

]]>
http://allthingsnuclear.org/dlochbaum/grand-gulf-emergency-pumps-broken-record/feed 1
Update: Turkey Point Fire and Explosion http://allthingsnuclear.org/dlochbaum/update-turkey-point http://allthingsnuclear.org/dlochbaum/update-turkey-point#comments Thu, 26 Oct 2017 10:00:18 +0000 http://allthingsnuclear.org/?p=14951 An earlier commentary described how workers installing a fire retardant wrap around electrical cables inside Switchgear Room 3A at the Turkey Point nuclear plant in Florida inadvertently triggered an explosion and fire that blew open the fire door between the room and adjacent Switchgear Room 3B. Read More

]]>
An earlier commentary described how workers installing a fire retardant wrap around electrical cables inside Switchgear Room 3A at the Turkey Point nuclear plant in Florida inadvertently triggered an explosion and fire that blew open the fire door between the room and adjacent Switchgear Room 3B.

I submitted a request under the Freedom of Information Act (FOIA) for all pictures and videos obtained by the special inspection team dispatched by the NRC to Turkey Point to investigate this event. The NRC provide me 70 color pictures in response to my request. This post updates the earlier commentary with some of those pictures.

The workers installing the fire retardant wrap cut the material in the hallway outside the switchgear rooms, but trimmed the material to fit as they put it in place. The trimming process created small carbon pieces. Ventilation fans blowing air within the switchgear room carried the carbon fiber debris around. The picture taken inside Switchgear Room 3A after the event show some of the carbon fiber debris on the floor along with debris caused by the fire and explosion (Fig. 1).

Some of the carbon fiber debris found its way inside metal panels containing energized electrical equipment. The debris created a pathway for electrical current to arc to nearby metal bolts. The bolts had been installed backwards, resulting in their ends being a little closer to energized electrical lines than intended. The electrical current was 4,160 volts, so it was quite a powerful spark as it arced to an undesired location (Fig. 2).

Law enforcement officers sometimes use Tasers to subdue a suspect. Taser guns fire two dart-like electrodes into the body to deliver an electric shock that momentarily incapacitates a person. The nuclear Taser at Turkey Point triggered an explosion and fire. The picture shows damage to a metal panel from the High Energy Arc Fault (HEAF) (Fig. 3).

Fortunately, there was not much combustible material within the switchgear room to sustain a fire for long. Fig. 4 shows some of the fire and smoke damage inside the switchgear room.

The primary consequence from the explosion and fire in Switchgear Room 3A was damage to Fire Door 070-3 to adjacent Switchgear Room 3B. The Unit 3 reactor at Turkey Point has two switchgear rooms containing power supplies and controls for plant equipment. The fire door’s function is to prevent a fire in either room from affecting equipment in the adjacent room to minimize the loss of equipment (Fig. 5).

The metal fire door had a three-hour rating, meaning it was designed to remain intact even when exposed to the heat from a fire lasting up to three hours. The plant’s design assumed that a fire would be extinguished within that time. The plant’s design had also considered the forces caused by a HEAF event, but only looked at components within three feet of the arc. The fire door was more than 14 feet from the arc, but apparently was not aware of the 3-feet assumption (Fig. 6).

The force of the explosion pressed so hard against the fire door that it broke the latch and popped the door wide open. The fire door was more than 14 feet from the arc (even farther away after the explosion), but apparently was not aware of the 3-feet assumption (Fig. 7).

I don’t have a picture of the fire door and its latch pre-explosion, but this closeup of the door’s latching mechanism suggests the magnitude of the force applied to popping it open. This picture also suggests the need to go back and revisit the 3-feet rule (Fig. 8).

The explosion and fire triggered the automatic shutdown of the Unit 3 reactor. The Shift Manager declared an Alert, the least serious of the NRC’s four emergency classifications, due to the explosion and fire affecting equipment within Switchgear Room 3A. Workers called the local fire department for assistance with the fire and a worker injured by the explosion. This picture of the operations log noted some of the major events during the first 90 minutes of the event (Fig. 9).

UCS Perspective

The earlier commentary explained that two minor events occurred the month before the explosion and fire. In each of those events, carbon fiber debris from workers trimming material inside the switchgear room landed on electrical breakers and caused them to open unexpectedly and unwanted. But those warnings were ignored and the practice continued until a more serious event occurred.

This HEAF event is also a warning. It failed a barrier installed to prevent an event in one switchgear room from affecting equipment in the adjacent room. It had been assumed that a HEAF event could only affect components within 3 feet, yet the damaged door was more than 14 feet away. If the assumption now shown to be patently false does not lead to re-evaluations and necessary upgrades, shame on the nuclear industry and the NRC for not heeding this very clear, unambiguous warning.

]]>
http://allthingsnuclear.org/dlochbaum/update-turkey-point/feed 1
Why NRC Nuclear Safety Inspections are Necessary: Indian Point http://allthingsnuclear.org/dlochbaum/nrc-safety-inspections-indian-point http://allthingsnuclear.org/dlochbaum/nrc-safety-inspections-indian-point#respond Mon, 23 Oct 2017 10:00:04 +0000 http://allthingsnuclear.org/?p=14919 This is the second in a series of commentaries about the vital role nuclear safety inspections conducted by the Nuclear Regulatory Commission (NRC) play in protecting the public. The initial commentary described how NRC inspectors discovered that limits on the maximum allowable control room air temperature at the Columbia Generating Station in Washington had been improperly relaxed by the plant’s owner. Read More

]]>
This is the second in a series of commentaries about the vital role nuclear safety inspections conducted by the Nuclear Regulatory Commission (NRC) play in protecting the public. The initial commentary described how NRC inspectors discovered that limits on the maximum allowable control room air temperature at the Columbia Generating Station in Washington had been improperly relaxed by the plant’s owner. This commentary describes a more recent finding by NRC inspectors about an improper safety assessment of a leaking cooling water system pipe on Entergy’s Unit 3 reactor at Indian Point outside New York City.

Indian Point Unit 3: Leak Before Break

On February 3, 2017, the NRC issued Indian Point a Green finding for a violation of Appendix B to 10 CFR Part 50. Specifically, the owner failed to perform an adequate operability review per its procedures after workers discovered water leaking from a service water system pipe.

On April 27, 2016, workers found water leaking from the pipe downstream of the strainer for service water (SW) pump 31. As shown in Figure 1, SW pump 31 is one of six service water pumps located within the intake structure alongside the Hudson River. The six SW pumps are arranged in two sets of three pumps. Figure 1 shows SW pumps 31, 32, and 33 aligned to provide water drawn from the Hudson River to essential (i.e, safety and emergency) components within Unit 3. SW pumps 34, 35, and 36 are aligned to provide cooling water to non-essential equipment within Unit 3.

Fig. 1 (Source: Nuclear Regulatory Commission Plant Information Book) (click to enlarge)

Each SW pump is designed to deliver 6,000 gallons of flow. During normal operation, one SW pump can handle the essential loads while two SW pumps are needed for the non-essential loads. Under accident conditions, two SW pumps are needed to cool the essential equipment. The onsite emergency diesel generators can power either of the sets of three pumps, but not both simultaneously. If the set of SW pumps aligned to the essential equipment aren’t getting the job done, workers can open/close valves and electrical breakers to reconfigure the second set of three SW pumps to the essential equipment loops.

Because river water can have stuff in it that could clog some of the coolers for essential equipment, each SW pump has a strainer that attempts to remove as much debris as possible from the water. The leak discovered on April 27, 2016, was in the piping between the discharge check valve for SW pump 31 and its strainer. An arrow points to this piping section in Figure 1. The strainers were installed in openings called pits in the thick concrete floor of the intake structure. Water from the leaking pipe flowed into the pit housing the strainer for SW pump 31.

The initial leak rate was modest—estimated to be about one-eighth of a gallon per minute. The leak was similar to other pinhole leaks that had occurred in the concrete-lined, carbon steel SW pipes. The owner began daily checks on the leakage and prepared an operability determination. Basically, “operability determinations” are used within the nuclear industry when safety equipment is found to be impaired or degraded. The operability determination for the service water pipe leak concluded that the impairment did not prevent the SW pumps from fulfilling their required safety function. The operability determination relied on a sump pump located at the bottom of the strainer pit transferring the leaking water out of the pit before the water flooded and submerged safety components.

The daily checks instituted by the owner included workers recording the leak rate and assessing whether it had significantly increased. But the checks were against the previous day’s leak rate rather than the initial leak rate. By September 18, 2016, the leakage had steadily increased by a factor of 64 to 8 gallons per minute. But the daily incremental increases were small enough that they kept workers from finding the overall increase to be significant.

The daily check on October 15, 2016, found the pump room flooded to a depth of several inches. The leak rate was now estimated to be 20 gallons per minute. And the floor drain in the strainer pit was clogged (ironic, huh?) impairing the ability of its sump pump to remove the water. Workers placed temporary sump pumps in the room to remove the flood water and cope with the insignificantly higher leak rate. On October 17, workers installed a clamp on the pipe that reduced the leakage to less than one gallon per minute.

The operability determination was revised in response to concerns expressed by the NRC inspectors. The NRC inspectors were not satisfied by the revised operability determination. It continued to rely on the strainer pit sump pump removing the leaking water. But that sump pump was not powered from the emergency diesel generator and thus would not remove water should offsite power become unavailable. Step 5.6.4 of procedure EN-OP-14, “Operability Determination Process,” stated “If the Operability is based on the use or availability of other equipment, it must be verified that the equipment is capable of performing the function utilized in the evaluation.”

The operability determination explicitly stated that no compensatory measures or operator manual actions were needed to handle the leak, but the situation clearly required both compensatory measures and operator manual actions.

The NRC inspectors found additional deficiencies in the revised operability determination. The NRC inspectors calculated that a 20 gallon per minute leak rate coupled with an unavailable strainer pit sump pump would flood the room to a depth of three feet in three hours. There are no flood alarms in the room and the daily checks might not detect flooding until the level rose to three feet. At that level, water would submerge and potentially disable the vacuum breakers for the SW pumps. Proper vacuum breaker operation could be needed to successfully restart the SW pumps.

The NRC inspectors calculated that the 20 gallon per minute leak rate without remediation would flood the room to the level of the control cabinets for the strainers in 10 hours. The submerged control cabinets could disable the strainers, leading to blocked cooling water flow to essential equipment.

The NRC inspects calculated that the 20 gallon per minute leak rate without remediation would completely fill the room in about 29 hours, or only slightly longer than the daily check interval.

Flooding to depths of 3 feet, 10 feet, and the room’s ceiling affected all six SW pumps. Thus, the flooding represented a common mode threat that could disable the entire service water system. In turn, all safety equipment shown in Figure 2 no longer cooled by the disabled service water system could also be disabled. The NRC estimated that the flooding risk was about 5×10-6 per reactor year, solidly in the Green finding band.

Fig. 2 (Source: Nuclear Regulatory Commission Plant Information Book) (click to enlarge)

UCS Perspective

“Leak before break” is a longstanding nuclear safety philosophy. Books have been written about it (well, at least one report has been written and may even have been read.)  The NRC’s approval of a leak before break analysis can allow the owner of an existing nuclear power reactor to remove pipe whip restraints and jet impingement barriers. Such hardware guarded against the sudden rupture of a pipe filled with high pressure fluid from damaging safety equipment in the area. The leak before break analyses can provide the NRC with sufficient confidence that piping degradation will be detected by observed leakage with remedial actions taken before the pipe fails catastrophically. More than a decade ago, the NRC issued a Knowledge Management document on the leak before break philosophy and acceptable methods of analyzing, monitoring, and responding to piping degradation.

This incident at Indian Point illustrated an equally longstanding nuclear safety practice of “leak before break.” In this case, the leak was indeed followed by a break. But the break was not the failure of the piping but failure of the owner to comply with federal safety regulations. Pipe breaks are bad. Regulation breaks are bad. Deciding which is worse is like trying to decide which eye one wants to be poked in. None is far better than either.

As with the prior Columbia Generating Station case study, this Indian Point case study illustrates the vital role that NRC’s enforcement efforts plays in nuclear safety. Even after NRC inspectors voiced clear concerns about the improperly evaluated service water system pipe leak, Entergy failed to properly evaluate the situation, thus violating federal safety regulations. To be fair to Entergy, the company was probably doing its best, but in recent years, Entergy’s best has been far below nuclear industry average performance levels.

The NRC’s ROP is the public’s best protection against hazards caused by aging nuclear power reactors, shrinking maintenance budgets, emerging sabotage threats, and Entergy. Replacing the NRC’s engineering inspections with self-assessments by Entergy would lessen the effectiveness of that protective shield.

The NRC must continue to protect the public to the best of its ability. Delegating safety checks to owners like Entergy is inconsistent with that important mission.

]]>
http://allthingsnuclear.org/dlochbaum/nrc-safety-inspections-indian-point/feed 0
Xi’s China http://allthingsnuclear.org/gkulacki/xis-china http://allthingsnuclear.org/gkulacki/xis-china#comments Fri, 20 Oct 2017 10:39:17 +0000 http://allthingsnuclear.org/?p=14929 What’s happening in China? The US consensus seems to be that President Xi Jinping is upending the place. Yet, midway through an expected ten-year term China’s communist party general secretary delivered a report to the 19th Party Congress that reiterated all the language, ideas and policies that the Chinese communists have used to govern the country since the mid-1980s. Read More

]]>
What’s happening in China? The US consensus seems to be that President Xi Jinping is upending the place. Yet, midway through an expected ten-year term China’s communist party general secretary delivered a report to the 19th Party Congress that reiterated all the language, ideas and policies that the Chinese communists have used to govern the country since the mid-1980s. The most remarkable thing about Xi’s China is that it hasn’t changed at all.

Chinese Communist Party General Secretary Xi Jinping addresses the 19th Party Congress

China remains a socialist country. Xi’s not only proud of that, he’s confident that continuing to follow the socialist road will put China on the right side of history. What makes his tenure at the top seem different is that he’s unapologetically elevated ideology over policy. In Chairman Mao’s parlance, Xi is a little more red than expert.

But that doesn’t mean he’s changed Chinese policy. Internationally, Xi reported China remains open to the outside world. Domestically, his government remains committed to economic and political reform. It may not be the kind of openness or the type of reform US officials hoped for, but US expectations for China have always been based on a different view of history. Even after the Chinese leadership used lethal military force to suppress nationwide public demonstrations in June of 1989, most US observers still believed that international engagement, market economics and the rise of the Chinese middle class would eventually lead to the fall of the Chinese Communist Party (CCP) and the emergence of a multi-party Chinese democracy. Instead, if Xi’s report is to be believed, Chinese socialism has emerged from the crucible of Tiananmen Square stronger than it was before.

Continuity and Change in Communist China

The last time China really changed was when Mao died. Mao believed that global revolution was right around the corner and that China was ready for a rapid transformation to communism. The leaders who inherited the party in Mao’s wake, especially Deng Xiaoping, saw the world and China’s place within it very differently. At home, China was only in the beginning stages of a transformation to socialism that would take a very long time. And as the party set about engineering that incremental transformation, China would need to engage the world as it was rather than imagining they would change it. Deng told his comrades they needed to be humble as they worked to fulfill their Chinese socialist dream to modernize the country and restore Chinese influence in the world.

Xi Jinping’s report does not stray too far from that advice. China’s made a lot of progress since Deng died twenty years ago, but it is still, according to Xi, in the early stages of a long-term transformation to socialism. China’s progress may have elevated its position in the world, and given China a greater say in international governance, but there is nothing in Xi’s report about China leading a movement to upend the global status quo.

Xi does believe that Chinese socialism can set an example for the rest of the world to follow, and that more active Chinese participation can help transform the international order. As a committed Marxist, Xi should believe an eventual transition to a socialist global order is inevitable. But in the short term, Xi’s China appears squarely focused on the fifth of humanity that lives within its borders, where good governance is at a crossroads, crippled by endemic corruption rooted in the attitudes and behavior of party cadres who’ve lost the faith. Xi’s project, if you take his party congress report at face value, seems to be to save Chinese socialism and consolidate its gains, not to change it.

Implications for the United States

Is a consolidated and internationally persuasive Chinese socialism a threat to the United States? Unfortunately, that’s a question many US analysts and officials are no longer inclined to address. During the Maoist era, when China was “more red than expert,” there was greater US interest in the content of Chinese socialism. Today, US observers tend to view the CCP leadership’s repeated recitations of its socialist principles and practices as propaganda masking personal or national ambitions.

US commentaries on Xi’s speech reflect this. Most of them interpret Xi’s campaign against corruption as a personal quest to consolidate power rather than a campaign to save Chinese socialism. Instead of taking Xi and his recent predecessors at their word and seeing the principal aim of their post-1980s efforts as the achievement of a “moderate level of prosperity” for China‘s 1.4 billion, many US observers see this as an attempt to hide the CCP’s real aim, which they believe is kicking the United States out of Asia and supplanting US dominance of the region. For Americans, the contest between the United States and China is perceived as an historic struggle between rising and falling national powers rather than competing ideologies.

If Xi is a budding dictator leading a nationalist political organization focused on replacing the United States at the top of a global hierarchy then US policy makers should be concerned. But what if the Chinese dream articulated in Xi’s report to the 19th Party Congress is a fair representation of the CCP’s ambitions? Should the United States be alarmed? The answer is not obvious and the question seems to deserve greater consideration.

]]>
http://allthingsnuclear.org/gkulacki/xis-china/feed 1
Why NRC Nuclear Safety Inspections are Necessary: Columbia Generating Station http://allthingsnuclear.org/dlochbaum/why-nrc-inspections-are-necessary-columbia http://allthingsnuclear.org/dlochbaum/why-nrc-inspections-are-necessary-columbia#comments Tue, 17 Oct 2017 10:00:21 +0000 http://allthingsnuclear.org/?p=14907 The Nuclear Regulatory Commission (NRC) adopted its Reactor Oversight Process (ROP) in 2000. The ROP is far superior to the oversight processes previously employed by the NRC. Among its many virtues, the NRC treats the ROP as a work in progress, meaning that agency routinely re-assesses the ROP and makes necessary adjustments. Read More

]]>
The Nuclear Regulatory Commission (NRC) adopted its Reactor Oversight Process (ROP) in 2000. The ROP is far superior to the oversight processes previously employed by the NRC. Among its many virtues, the NRC treats the ROP as a work in progress, meaning that agency routinely re-assesses the ROP and makes necessary adjustments.

Earlier this year, the NRC initiated a formal review of its engineering inspections with the goal of making them more efficient and more effective. During a public meeting on October 11, 2017, the NRC working group conducting the review outlined some changes to the engineering inspections that would essentially cover the same ground but with an estimated 8 to 15 percent reduction in person-hours (the engineering inspections and suggested revisions are listed on slide 7 of the NRC’s presentation). Basically, the NRC working group suggested repackaging the inspections so as to be able to examine the same number of items, but in fewer inspection trips.

The nuclear industry sees a different way to accomplish the efficiency and effectiveness gains sought by the NRC’s review effort—they propose to eliminate the NRC’s engineering inspections and replace them with self-assessments. The industry would mail the results from the self-assessments to the NRC for their reading pleasure.

UCS is wary of self-assessments by industry in lieu of NRC inspections. On one hand, statistics might show that self-assessments increase safety just as a community firing all its law enforcement officers would see a statistical decrease in arrests, suggesting a lower crime rate. I have been researching the records publicly available in ADAMS to compare the industry’s track record for finding latent safety problems with the NRC’s track record to see whether replacing NRC’s inspections with industry self-assessments could cause nuclear safety to go off-track.

This commentary is the first in a series that convinces us that the NRC’s engineering inspections are necessary for nuclear safety and that public health and safety will be compromised by replacing them with self-assessments by industry.

Columbia Generating Station: Not so Cool Safety Moves

The Columbia Generating Station is a boiling water reactor owned by Energy Northwest and located 12 miles northwest of Richland, Washington. The Washington Public Power Supply System (the original name of the plant’s owner) submitted a Preliminary Safety Analysis Report (PSAR) for the Washington Nuclear Project Unit 2 (the original name for the reactor) to the Atomic Energy Commission (AEC, the original name of the nuclear regulator) in February 1973.

The PSAR described the proposed design of the plant and associated safety studies that demonstrated compliance with regulatory requirements. The PSAR described the two systems intended to cool the control room during normal operation and during postulated accidents. The control room heating, ventilation, and air conditioning (HVAC) would use chillers within the Radwaste Building HVAC system during normal operation. Because the Radwaste Building HVAC system is not designed to withstand earthquake forces or remain running when offsite power is unavailable, it cannot be credited with performing this role during accident conditions. So, the Standby Service Water system was proposed to cool the control room during accidents. The Standby Service Water system features pumps, pipes, and valves that recirculate water between a large cooling pond and safety equipment within the plant. Two independent sets, called divisions in the figure, are used to enhance reliability of this safety function (Fig. 1).

Fig. 1 (Source: Energy Northwest modified by UCS)

The PSAR indicated that for worst-case design conditions of 77°F cooling pond water temperature and 105°F outside air temperature, the Standby Service Water system would prevent the air temperature within the control room from exceeding 104°F. The AEC/NRC expressed concern that such warm control room temperatures could impair both human and equipment performance.

The owner resolved the regulator’s concerns by committing to installing two Seismic Category I emergency chillers for the control room HVAC system (Fig. 2). The emergency chillers were fully redundant such that one emergency chiller alone could maintain the air temperature inside the control room from exceeding 78°F during an accident. The NRC issued an operating license for the Columbia Generating Station on April 13, 1984, with License Condition 2.C.(21) that required the two emergency chillers to be operable by May 31, 1984. In November 1984, the owner revised the PSAR (now called the Final Safety Analysis Report or FSAR) to describe the emergency chillers and their role in keeping the control room air temperature from exceeding 78°F.

Fig. 2 (Source: Energy Northwest)

In September 1989, the owner revised the FSAR to change the control room air temperature limit to 85°F. The owner determined that this change did not require prior NRC review and approval. The NRC later disagreed with this self-imposed temperature relaxation.

In May 1998, the owner revised the FSAR to change the control room air temperature limit from 85°F to 85°F effective (see below). Once again, the owner determined that this change did not require prior NRC review and approval. And again, the NRC later disagreed with this self-imposed temperature limit relaxation.

“Effective temperature” is based on a combination of wet-bulb and dry-bulb temperatures. The original 75°F and initial 85°F limits were based solely on dry-bulb temperatures. The 85°F effective temperature allowed dry-bulb temperatures of up to 105°F—higher than the control room air temperature expressly rejected by the regulator. The owner made this change without seeking NRC’s approval because it was considered an editorial change. The NRC later determined that this temperature limit relaxation was not an editorial change.

Because the Standby Service Water system alone could maintain the dry-bulb temperature inside the control room at or below 104°F and the revised limit was now 105°F, the owner implemented another change—also unreviewed and unapproved by the NRC—eliminating the need for the emergency chillers to perform any safety role during postulated accidents. The NRC issued a Severity Level IV non-cited violation on April 23, 103, for the owner relaxing the control room air temperature limit without prior NRC approval.

The following month, the owner notified the NRC about deficiencies in the test periodically conducted to demonstrate the adequacy of the Standby Service Water system to cool the control room during accident conditions. When the test deficiencies were remedied and the corrected test performed, one of the two Standby Service Water system trains failed. Workers determined that the tubes within the control room cooler units had become degraded due to the buildup of scale on the inside tube surfaces and the collection of sediment in the lower region of the units. Routine testing of the control room cooler units had been discontinued 16 years earlier.

So, around the same time that the owner improperly decided that the emergency chillers were no longer needed to cool the control room during accidents, it discontinued proper testing of the Standby Service Water system that it thought would perform this role during accidents. Maybe it was another editorial change that discontinued the tests.

On November 12, 2015, the NRC issued a Green finding for a violation of Criterion III, “Design Control,” of Appendix B to 10 CFR Part 50. The NRC inspectors found that the emergency chillers, as designed and governed by operating procedures, would not maintain the air temperature inside the control room below 85°F under accident conditions. The vendor manual for the emergency chillers stated that the STOP-RESET pushbutton had to be depressed after a power interruption because the chillers would not automatically restart. But the operating procedures failed to have the operators perform this necessary step.

On December 22, 2015, Energy Northwest contested the NRC’s finding. The owner stated, in writing, that “There are no design basis requirements to maintain the control room temperature at less than or equal to 85°F at all times for all accident scenarios” [boldfacing in original]. The owner further requested that the NRC conduct a backfit analysis per 10 CFR 50.109 before imposing these “new” regulatory requirements.

By letter dated June 10, 2016, the NRC responded to the owner’s appeal. The NRC carefully considered the owner’s arguments and delineated why it was rejecting each one. The NRC concluded “…it cannot be concluded that the system function as described in the current design basis can be achieved.”

On May 3, 2016 (perhaps sensing that its appeal would not be successful), the owner met with the NRC to discuss a pending license amendment request that would resolve the concerns about the emergency chillers. As shown in the figure, the two emergency chillers sit side-by-side in the same room vulnerable to a common mode, like a fire, disabling them both (Fig. 3). But the chillers are seismically qualified and redundant, consistent with the original commitment to install them. The pending license amendment request would reconcile departures from two NRC General Design Criteria and justify the use of manual vice automatic actions to place the chillers in service.

Fig. 3 (Source: Energy Northwest)

UCS Perspective

Under the Atomic Energy Act as amended, the NRC is tasked with establishing and enforcing regulations to protect workers and the public from the inherent hazards from nuclear power reactor operation.

Owners are responsible for conforming with applicable regulatory requirements. In this case, the owner made a series of changes that resulted in the plant not conforming with applicable regulatory requirements for the air temperature within the control room. But there’s no evidence suggesting that the owner knew that the changes were illegal yet made them anyway hoping not to get caught. Nevertheless, ignorance of the law is still not a valid excuse. The public is not adequately protected when safety regulations are not met, regardless of whether the violations are intentional or inadvertent.

This case study illustrates the vital role that NRC’s enforcement efforts plays in nuclear safety. The soundest safety regulation in the world serves little use unless owners abide by it. The NRCs inspection efforts either verify that owners are abiding by safety regulations or identify shortfalls. Self-assessments by owners are more likely to sustain mis-interpretations and misunderstandings than to flush out safety problems.

The NRC’s ROP is the public’s best protection against hazards caused by aging nuclear power reactors, shrinking maintenance budgets, and emerging sabotage threats. Replacing the NRC’s engineering inspections with self-assessments by the owners would lessen the effectiveness of that protective shield.

The NRC must continue to protect the public to the best of its ability. Delegating safety checks to owners is inconsistent with that important mission.

]]>
http://allthingsnuclear.org/dlochbaum/why-nrc-inspections-are-necessary-columbia/feed 1
No, Missile Defense Will Not Work 97% of the Time http://allthingsnuclear.org/lgrego/missile-defense-will-not-work-97-percent http://allthingsnuclear.org/lgrego/missile-defense-will-not-work-97-percent#comments Sat, 14 Oct 2017 03:26:53 +0000 http://allthingsnuclear.org/?p=14902 In an October 11 interview on Fox News, President Trump claimed:

We have missiles that can knock out a missile in the air 97 percent of the time. If you send two of them, they are going to get knocked down. Read More

]]>
In an October 11 interview on Fox News, President Trump claimed:

We have missiles that can knock out a missile in the air 97 percent of the time. If you send two of them, they are going to get knocked down.

This is not true. At least not in any relevant way.

The only homeland missile defense system is the Ground-based Midcourse Defense (GMD) system, which I’ve written plenty about here in these pages, and have co-authored a recent report about. If you’ve been following along, you’ll know the president’s statement was clearly untrue.  I’ll explain why.

What does the actual test record show?

The GMD interceptors have succeeded in destroying the target in nine out of 18 tests since 1999 (50%).  They have destroyed their target in four out of 10 tries (40%) since the GMD system was nominally deployed in 2004. They have destroyed their target in two of the last five tests (40%).

So there is no basis to expect it to work any better than 40 to 50% of the time even under the most generous and easiest conditions—former Pentagon testing agency director Phil Coyle calls the test conditions so far as “scripted for success.”

While the test record says something about the GMD’s capabilities under scripted conditions, the real world will be more complex and challenging. The Pentagon’s highest testing official assessed in 2014 that the test program was “insufficient to demonstrate that an operationally useful capability exists.” More on this later.

But for sake of argument, say the “single shot kill probability” has been determined via tests to be 40 to 50% in those optimistic conditions. Because reliability is low, the US would fire multiple interceptors at the missile to try to boost the system’s effectiveness. Using four-on-one targeting, and a 40 to 50% chance that a given interceptor would work, this leads to a 6 to 13% chance that the warhead gets through.

Real-world conditions

But this isn’t the right question. If it came down to a nuclear attack, would North Korea send just a single missile, and choose the most convenient conditions? That seems unlikely. Let’s say the salvo is five incoming missiles. In that case, with an interceptor kill probability of 40 to 50%, using four interceptors on each missile, the probability that one warhead gets through is 28 to 50%. Uncomfortably high.

I could not stress more that this is a best-case scenario. It assumes that:

1) Failures are uncorrelated and not, e.g., a design flaw common to all interceptors, such as the guidance system issues that took nearly a decade to diagnose and fix,

2) The intercept attempts take place under simplified conditions and that the system is not being stressed as it would in a real-world situation, and

3) The system successfully identified the five real targets from among decoys. If the system cannot distinguish decoys from the real targets, it will have to engage them all, quickly depleting the interceptor inventory. These do not need to be the Ferraris of decoys to be an issue. Some of the GMD intercept tests have included decoys, but all of those have been designed to be easily distinguished from the target warhead.

In short, one can construct situations under which missile defense might destroy missiles: a small salvo of missiles sent without countermeasures and under the limited range of conditions under which the system has been tested. The problem is that these are not by any stretch the most *likely* situations. A potential adversary has every incentive to make the attack as difficult as possible to intercept if he is going to initiate World War Three.

Note that even if the president were instead talking about one of the missile defense systems that has a better and more complete test record, such as THAAD, the issues with not having been tested in operationally realistic conditions is the same. And because THAAD defends against shorter-range missiles from North Korea, which are cheaper and more plentiful, it has the additional issue that it may be overwhelmed even if it is able to discriminate between decoys and real targets. There just may be too many targets.

Why is this dangerous?

The best-case scenario is that President Trump is trying to avoid a confrontation by allowing himself to save face: he has declared that North Korea must not be able to threaten the US mainland with nuclear-armed missiles. Or that he hopes such statements would help dissuade North Korea from considering an attack.

Certainly worse than this is the possibility that Trump actually believes that strategic missile defense provides credible protection and he has not been advised correctly. One hopes he is provided accurate information by stewards of these programs, although at least in public, government official often describe the GMD system as much more capable than it has been demonstrated to be.

This is dangerous, because common sense would say that if we have spent $40 billion on a missile defense system that the US has claimed has been “operational” for going on fifteen years, it must “work.” But it doesn’t. Look at the test record.

The problem is that believing missile defense works when it doesn’t can lead you to take actions that make you need it, and then it can’t help you.

]]>
http://allthingsnuclear.org/lgrego/missile-defense-will-not-work-97-percent/feed 1