UCS Blog - All Things Nuclear (Nuclear Power Safety)

Empty Pipe Dreams at Palo Verde

Regulation and Nuclear Plant Safety #3

In July 2004, Nuclear Regulatory Commission (NRC) inspectors at the Waterford nuclear plant in Louisiana discovered that a portion of piping in a standby emergency system that would provide makeup water to cool the reactor in event of an emergency had been kept emptied of water, jeopardizing the ability to prevent core damage. This finding was shared with owners of similar reactors across the country. Days later, workers at the Palo Verde nuclear plant in Arizona discovered that sections of the emergency system piping for all three reactors was being deliberately emptied of water. The company tried arguing that there was no written requirement that water be maintained inside the emergency water makeup piping. The NRC disagreed and issued the company a yellow finding for the violations, the second most serious infraction in the agency’s color-coded system. The NRC also issued a $50,000 fine for an improper procedure change in 1992 that caused workers to deliberately drain water from this piping.

Water-less in Waterford

NRC inspectors at the Waterford nuclear plant outside New Orleans, Louisiana during the week of July 12, 2004, reviewed a report on a problem identified by workers on April 18, 1999. The problem was that air collected within piping of the containment spray system during normal operation. During an accident in which a pipe ruptures and drains cooling water onto the containment floor, the design initially calls for emergency pumps to automatically start and transfer makeup water from a large storage tank into the reactor vessel. Before this tank empties, workers re-position valves to have the pumps instead draw water from the containment sump, which collects the water spilled from the broken pipe. Following the swap-over, the emergency pumps would pull water from pipes partially filled with air.

The problem report had been dispositioned in 1999 as being acceptable as-is based on engineering judgement that the slope of the pipes and the low velocity of water flow through the pipes would enable air bubbles to travel against the flow and be released inside containment. When the NRC inspectors challenged the robustness of this assessment, the owner hired a consultant who conducted analytical modeling of the system during a postulated accident that showed the air within the piping would not prevent the safety function from being fulfilled.

The NRC inspectors noted that the reactor’s safety studies assumed that the piping was filled with water when the accident began and that another system had been installed at the plant for the purpose of keeping this piping full of water. The NRC issued a green finding, the least serious of the agency’s four color-coded sanction levels, for operating the reactor outside the bounds of its safety studies.

Equally Dry in Arizona

Workers at Waterford notified their counterparts at the Palo Verde nuclear plant west of Phoenix, Arizona on July 22, 2004, about the NRC’s discovery. On July 28, workers at Palo Verde determined that a significant portion of the suction piping for the containment spray, low-pressure safety injection, and high-pressure safety injection pumps for all three reactors was empty of water. These emergency pumps have two sources of water for use mitigating an accident. Initially, the pumps pull water from the Refueling Water Tank. The piping this tank and the pumps was filled with water, as was the section of piping to a check valve in the second water source—the containment sump.

The piping between the inside and outside containment isolation valves and between the outside containment isolation valve and the check valve held no water. A change made to a testing procedure on November 16, 1992, had workers close the two containment isolation valves and drain the water from these piping sections. When the volume of water in the Refueling Water Tank dropped to about the 10 percent level, the low-pressure safety injection pump would be turned off automatically and valve repositioned to supply water to the containment spray and high-pressure safety injection pumps from the containment sump.

The theory behind this design is that if the contents of the Refueling Water Tank do not restore the reactor vessel water level to the desired point, there must be a pathway for water to drain from the vessel. If so, that water will flow by gravity to the containment sump where it can be recycled through the reactor vessel to sustain adequate cooling of the reactor core. The high-pressure and low-pressure injection pumps supply makeup water to the reactor vessel; the containment spray pump causes water to be spray within the containment structure to reduce its pressure and temperature.

Fig. 1 (Source: Nuclear Regulatory Commission)

Coming Up Empty at Palo Verde, Again

By the afternoon of July 29, the engineering staff at Palo Verde concluded that the emptied piping sections could prevent the containment spray and high-pressure safety injection systems from performing their safety functions during an accident. (The low-pressure safety injection system was not affected because its pump gets turned off before suction from the containment sump through the empty pipes is established.) They entered the problem into the plant’s corrective action program.

On the morning of July 30, the operations department at Palo Verde learned about the problem from the corrective action report. That evening, the operations department determined that the containment spray and high-pressure safety injection systems could perform their safety functions provided that operators manually open the inside containment isolation valve during an accident. Opening this valve would re-fill the largest volume of the intentionally drained piping sections.

The owner notified the NRC about the problem on July 31. Between August 1 and 4, workers took steps to refill the emptied piping sections on all three reactors.

The NRC dispatched a special inspection team to Palo Verde to investigate the causes and corrective actions of this problem. The special inspection team was onsite August 23-27 and issued its report on January 5, 2005. The team made four findings: (1) operating the reactors with the piping sections drained of water contrary to assumptions in safety studies, (2) untimely notification of operations by engineering of a problem potentially affecting safety system operability, (3) inadequate evaluation of replacing automatic accident responses with manual actions, and (4) inadequate evaluation of a 1992 revision to a testing procedure that had workers drain the piping sections when the test was completed.

Palo Verde Pleads Its Case

The company contested the NRC’s findings and requested a meeting with the agency to present its case. That meeting was conducted in the NRC’s Region IV offices in Arlington, Texas on February 17, 2005. The NRC provided a phone bridge for this meeting and I called into it. The company reported that there had never been a procedural requirement to fill the piping sections with water, implying therefore was it was not improper then to revise a procedure in 1992 to drain water from the sections. The company further reported that the technical specifications issued by the NRC with the reactor operating licenses only required verifying that the piping on the discharge side of the pumps be filled with water but said nothing about the contents of the piping on the suction side (perhaps implying that this silence permitted piping sections to be filled with air, helium, jawbreakers, cement, or anything they desired.)

The owner also described full-scale testing using transparent plexiglass piping to show what was happening inside that it had performed as part of that it called the most expensive engineering analysis in the plant’s history. The company even showed a video from this testing (although the video was a wee bit hard to see via the phone bridge). When the owner completed its presentation, an NRC senior manager (whom I believe was Bruce Mallett, then Regional Administrator of NRC Region IV) remarked that the video and testing only convinced him that the pumps in the scale model would not cavitate; they told him little about performance in the real plant.

The NRC Puts Palo Verde in Its Place

That statement pretty much telegraphed the NRCs final answer on the matter. On April 8, 2005, the NRC issued a yellow finding, the second most serious in the agency’s four color-coded classifications, for operating the three reactors with safety system piping sections emptied of water and a $50,000 fine for the inadequate safety evaluation for the 1992 procedure change that had workers drain water from the piping after testing.

The company paid a far larger price. The NRC’s special inspection team investigation into this event and an NRC augmented inspection team investigation into all three reactors tripping on June 14, 2004, focused more NRC attention to the plant. More and more NRC inspectors identified more and more safety problems. In little time, Palo Verde went from all three reactors solidly in Column 1 of the Action Matrix within the NRC’s Reactor Oversight Process to Units 1 and 3 being in Column 3 and Unit 3 being in Column 4—the lowest safety performance rating in the country. It took over four years for the safety shortcomings to be remedied and all three reactors returned to Column 1. The cost of “volunteering” for more NRC scrutiny cost considerably more than the $50,000 fine.

Fig. 2 (Source: Union of Concerned Scientists)

The NRC Goes Big

NRC inspectors discovered a safety problem at Waterford. That discovery revealed a similar problem at Palo Verde. NRC inspectors determined the problem at Palo Verde to reflect systemic problems. The NRC’s responses remedied the specific problem at Waterford and the wider problems at Palo Verde.

But the NRC did not stop after these worthy regulatory achievements. They went big. Packaging the Palo Verde problem with other recent miscues, the NRC issued Bulletin 2008-01, “Managing Gas Accumulation in Emergency Core Cooling, Decay Heat Removal, and Containment Spray Systems,” to the owners of all U.S. operating reactors. It required owners to takes steps to ensure that safety systems at their plants did not have and were not likely to develop safety system impairments like that found at Palo Verde.

UCS Perspective

From the discovery at Waterford to the issuance of Bulletin 2008-01, the NRC exhibited just right regulation.

NRC inspectors found that workers knew about air collecting in piping but had not properly analyzed it. The ensuing analysis concluded that the air would not have prevented fulfilment of the necessary safety function. Despite that conclusion, the NRC issued a Green finding because public health was being protected more by luck than skill until the degraded condition was properly evaluated.

Whereas air was unintentionally collecting in piping at Waterford, workers followed procedures to drain water from safety system piping at Palo Verde and didn’t respond to the problem in a timely and effective manner. The NRC swung a bigger regulatory hammer.

The NRC then sought to avoid the problem across the U.S. fleet by issuing Bulletin 2008-01.

Some might contend that these events really reflect under-regulation by the NRC. After all, the air accumulation problem was first identified at Waterford in 1999 and not challenged by the NRC until 2004. The procedure was revised in 1999 to drain water from pipes at Palo Verde, but the NRC didn’t realize it until 2004. The Waterford and Palo Verde discoveries in 2004 joined by similar discoveries before then and afterwards didn’t prompt the NRC to cast a wider safety net until 2008. How can just right regulation entail such lengthy periods between creation of safety problems and their resolutions?

Blame the game and not its players. The NRC does not have the resources to inspect every corrective action report or review every procedure revision. Instead, the NRC audits samples. There’s no evidence that NRC inspectors looked at records at Waterford and Palo Verde prior to 2004 but missed seeing the problems or that NRC inspectors should have looked at these records but failed to do so.

As for the “delay” in getting Bulletin 2008-01 out, consider the adverse implications of a prompter response. Had the NRC issued the bulletin the day after the discovery at Waterford, owners would have been directed to look at the potential for air unintentionally collecting in piping. Since workers were intentionally draining water from piping at Palo Verde per an approved (albeit flawed) procedure, they would not have detected and corrected unintentional accumulation. By cultivating a number of similar events, the NRC required owners evaluate and manage a broader suite of potential problems—well worth the wait.

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Three Mile Island Intruder

Regulation and Nuclear Plant Safety #2

A man recently released from a hospital where he had been treated for mental health issues drove his mother’s station wagon into—literally—the Three Mile Island nuclear plant near Harrisburg, Pennsylvania at 6:53 am on February 7, 1993. Workers responded to the unauthorized entry by locking the doors to the control room and declaring a Site Area Emergency—the second most serious emergency of the Nuclear Regulatory Commission’s (NRC’s) four classifications. The intruder was found more than four hours later hiding in the turbine building.

Less than three weeks later while the NRC was still evaluating the unauthorized entry of a vehicle into Three Mile Island, a rental truck loaded with explosives was detonated in the parking area beneath the North Tower of the World Trade Center in New York City. The NRC revised its security regulations to better protect nuclear plants against unauthorized vehicle entries and vehicle bombs.

Fig. 1 (Source: President’s Commission on the Accident at Three Mile Island)

The Scene

As suggested by its name, the Three Mile Island (TMI) nuclear plant is located on an island. This specific island is in the Susquehanna River as it flows southeasterly from Harrisburg, Pennsylvania. TMI is best known for the worst nuclear power plant accident, so far, in U.S. history. On March 28, 1979, the Unit 2 reactor at TMI experienced a partial meltdown of its nuclear core. The damaged Unit 2 reactor never restarted, but the Unit 1 reactor restarted a few years later and operated at 100 percent power on the morning of February 7, 1993.

At 5:30 am that Sunday morning, security officers opened the gates for the access bridge on the north end of the island (the upper left side of Figure 1). The night shift security personnel turned over duties to the oncoming dayshift crew at 6:00 am. Other dayshift workers and non-shift workers reporting for duty used the north bridge to drive onto the island.

The Party Crasher

At 6:53 am, a vehicle turned off Pennsylvania Route 441 onto the two-lane road to the north bridge. The vehicle continued past the North Gate guard house without stopping to show a badge authorizing access to the island and proceeded at an estimated 35 to 40 miles per hour in the outbound lane across the north bridge. The gates were still opened, so nothing impeded the vehicle’s unauthorized entry.

The vehicle slowed to 15 to 20 miles per hour as it exited the bridge and approached the plant. The night shift operations shift foreman who was in the parking out on his way home after being relieved from duty heard a crashing sound as the vehicle drove through Gate 1 into the protected area around the plant. The protected area detection system alerted security personnel to the gate-crasher.

The vehicle continued for another 189 feet until it smashed into the corrugated aluminum roll-up door at the northeast corner of the turbine building. The vehicle, with a portion of the roll-up door adorning its roof, travelled another 63 feet inside the turbine building until it struck a large container for radioactive waste. The impact slid the container about six feet across the floor.

Fig. 2 (Source: Department of Energy)

The off-duty operations shift foreman went to the Processing Center (where individuals enter and exit the plant’s protected area) and called the control room to report “A guy just went through the fence and roll-up door. This is not a drill. Lock the doors to the control room.” The shift supervisor who answered the call in the control room did not recognize the excited voice and did not hear much of the warning message. Moments later, a security officer entered the control room and announced, “This is not a drill, someone crashed through Gate 1 and then drove into the auxiliary boiler door.” (Basically the same message, but when it’s delivered in person by someone toting a gun, it tends to be better heard and heeded.) The control room is located within the control building adjacent to the turbine building.

Fig. 3 (Source: Nuclear Regulatory Commission NUREG-1485)

The Game of Hide & Seek

At 7:02 am, security officers approached the vehicle in the turbine building. The headlights were on, the engine was off, the driver’s side door was open, but no one was found in or around the vehicle. The security officers retreated because the vehicle could contain explosives.

At 7:07 am, the operations shift supervisor declared a Site Area Emergency. The NRC has four emergency classifications–Unusual Event, Alert, Site Area Emergency, and General Emergency.

At 7:11 am, the Central Alarm Station operator at TMI notified the NRC’s Operations Center about the situation and emergency declaration.

At 7:16 am, the operations shift foreman at TMI began notifying local and state officials about the emergency declaration. He used telephones in the control room instead of the automated notification system because it was in an office outside the locked control room doors.

At 7:23 am, the emergency director at TMI (who was also the operations shift supervisor) called the NRC via the Emergency Notification System telephone. The NRC asked that a direct telephone line to the plant be kept open.

At 7:33 am, the Pennsylvania State Police notified the Middletown Police Department about the security event at TMI. Middletown police officers arrived at the plant at 7:37 am.

At 8:30 am, workers removed restrictions on telephones at the plant. During weekends, the telephone system at the plant prevented many telephones, including some used for emergency response, from dialing offsite.

At 9:00 am, an explosive ordinance disposal unit from the U.S. Army surveyed the vehicle and observed no suspicious packages, containers, or wires.

At 9:28 am, the control room doors were unlocked to allow two workers to enter the shift supervisor’s office and activate the pagers to summon the emergency responders.

At 9:37 am, the NRC resident inspector, a representative of the state’s Bureau of Radiation Protection, and a company public affairs person with an armed escort walked through the turbine building and entered the control building.

At 10:20 am, the explosive ordinance disposal unit completed a more thorough search of the vehicle and found no bomb or “explosive paraphernalia.”

At 10:22 am, site security officers and Pennsylvania State Police officers begin searching for the intruder.

Fig. 4 (Source: Nuclear Regulatory Commission NUREG-1485)

At 10:34 am, security personnel regrouped after completing the first search of the turbine building. Their search efforts had been hampered by dimly-lit areas inside the turbine building. To aid in future searches of darkened places, the team was given a flashlight.

At 10:36 am, the Emergency Director at TMI briefed the security team on the potential effects of using firearms in the turbine building (i.e., what could happen if bullets strike things other than intruder.)

At 10:40 am, the flashlight-equipped security team began a second search of the condenser pit area within the turbine building.

At 10:57 am, the security team found the intruder hiding in a dark area adjacent to a main condenser waterbox. The Pennsylvania State Police took custody of the intruder.

Fig. 5 (Source: Nuclear Regulatory Commission NUREG-1485)

At 11:10 am, the explosive ordinance disposal unit completed a more detailed search of the vehicle and still found no bomb.

At 11:30 am, the explosive ordinance disposal units completed a search of the vehicle using an explosive detection dog. The dog didn’t find a bomb either.

At 11:45 am, the Pennsylvania State Police left the plant site with the intruder.

At 2:39 pm, cadets from the Pennsylvania State Police Academy arrive at the site by bus to search the entire island.

At 4:25 pm, the Site Area Emergency declaration was terminated.

The Intruder

The intruder was identified as a 31-year-old Caucasian male approximately 6 feet 1 inches tall and weighing 140 pounds with thick, black, shoulder-length hair and a heavy beard. At the time, he lived with his mother in a rural community northwest of Harrisburg about 56 miles from TMI.

The man had been admitted to hospitals at least three times for treatment of depression. The most recent hospitalization before this event had been an involuntary admission on January 18, 1993. He had been released on January 22.
The Earlier Intruder

This was not the first time that an unauthorized person had driven onto the island. At around 4:25 pm on April 23, 1980, a watchman at the North Gate observed a vehicle whiz by without stopping and reported the trespassing to the roving security patrol. A security alert was declared, the Pennsylvania State Police were contacted, and an extensive search begun. About four hours later, the trespasser was identified as a plant worker. The worker had been on the island, departed in his vehicle via the North Gate, and returned shortly afterwards. The worker said he’d not stopped on re-entering the site because he believed the watchman would know he was returning.

The Earliest Intruder

That was not the first time that an unauthorized person had driven onto the island, either. At 6:50 pm on January 27, 1976, a vehicle drove past the North Gate without stopping. Fifteen minutes later, a construction worker reported seeing someone climbing the security fence around the protected area. Twenty minutes later, workers called security to report hearing someone singing near the top of the reactor building. At 8:00 pm, the security officer at the North Gate who saw the vehicle whiz by him entering the island saw that same vehicle whiz by him leaving the island. The Pennsylvania State Police tracked down the individual from the vehicle’s license tag. The individual was voluntarily admitted into a local mental hospital. (Might as well admit him—he’d sneak in anyway.)

The NRC “Intruders”

The NRC dispatched an Incident Investigation Team (IIT) to TMI following the unauthorized entry. The IIT consisted of ten members supported by six technical staffers. The IIT identified several factors which impaired the response to the intrusion, including:

  • There was no vehicle at the North Gate for security officers to use to pursue and intercept the unauthorized vehicle.
  • The response was delayed by the time it took security personnel to obtain weapons from isolated storage locations.
  • The search-and-clear efforts were poorly coordinated, delaying searches in some areas. In addition, security officers were not posted after some areas were cleared to ensure those areas remained clear.
  • The reluctance of some security officers to use response weapons could have placed them at a disadvantage had they confronted an intruder equipped with design basis threat weaponry.
  • The plant’s security personnel searched for explosive materials before the explosives ordinance disposal unit arrived, but they had received no training on recognizing explosives. (Note: When I toured TMI after 9/11, the security manager conducting the tour told us that security officers are required to search incoming vehicles for bombs, but they have received no training on what a bomb looks like.)
  • While flashlights were stored in the security “ready room,” they were not retrieved and used during the initial search of the turbine building.
  • The company conducted quarterly security response drills in the three levels of the Unit 2 turbine building, which is significantly different from the six levels within the Unit 1 turbine building where the real event transpired.

The Drive to More Secure Nuclear Plants

Five hundred and forty (540). That’s how many days elapsed between someone driving into the TMI turbine building and the NRC putting upgraded security regulations on the street.

The NRC had considered security threats posed by vehicles prior to February 7, 1993. For example, in a paper (SECY-86-101) to the Commissioners dated March 31, 1986, the NRC staff noted that the chain link fences surrounding protected areas of nuclear plants would not prevent a vehicle from crashing through. But the staff concluded that prompt response by armed security officers would mitigate any fence-crashers.

The Nuclear Control Institute (NCI) and the Committee to Bridge the Gap (CBG) jointly submitted a petition for rulemaking dated January 11, 1991, to the NRC seeking to upgrade the regulations on nuclear plant security to include protection against explosive-laded vehicles and boats. On June 11, 1991, the NRC denied the rulemaking petition on the grounds “that there has been no change in the domestic threat since the design basis threat was adopted [in 1979] that would justify a change in the design basis threat.”

The events of February 1993 prompted the NRC to reconsider earlier decisions. The NRC noted “The bombing at the World Trade Center demonstrated that a large explosive device could be assembled, delivered to a public area, and detonated in the United States without advance intelligence” and that “The unauthorized intrusion at the Three Mile Island nuclear power station demonstrated that a vehicle could be used to gain quick access to the protected area at a nuclear power plant” (Federal Register, page 58805, November 4, 1993.)

The NRC conducted a Commission briefing on the re-evaluation of the design basis threat of nuclear plant sabotage on April 22, 1993. The NRC held a public meeting on better protection against vehicle intrusion and vehicle bombs on May 10, 1993. The NRC issued a draft rule titled “Protection Against Malevolent Use of Vehicles at Nuclear Power Plants” for public comment on November 4, 1993. And the NRC issued the final rule on August 1, 1994.

The upgraded rule required owners to evaluate their plants for potential damage from detonation of a vehicle laden with explosives and then either install barriers preventing vehicles from getting close enough to cause harm or provide structures protecting vital equipment from blast effects.

Fig. 6 (Source: Nuclear Regulatory Commission)

UCS Perspective

In reviewing momentous events for possible candidates in this series, this event appeared unquestionably to fall into the “just right regulation” bin. It ultimately found its way into that bin, but it became a bank shot rather than the swish or slam-dunk it initially appeared to be.

Slightly more than two years before the TMI intrusion, two non-governmental organizations petitioned the NRC to update its regulations to require protection against vehicle bombs. The NRC took only five months to deny that petition on grounds the perceived threat was really no threat.

Slightly less than 18 months after the TMI intrusion, the NRC revised its regulations to require protection against vehicle bombs.

A strong argument could be made that the NRC had sufficient cause in 1991 to update its regulations. After all, the TMI intrusion and the World Trade Center truck bombing were the very kinds of threats cited by NCI and CBG in their petition and became the leading reasons cited by NRC in 1994 for the revised regulations. This compelling argument could readily persuade an impartial jury to place this event in the “under-regulation” bin.

The counter argument would point out that the NRC addressed the petitioners’ concerns one-by-one. For example, the petitioners identified rise of State-sponsored terrorism as evidence of the need for upgraded security requirements. The NRC responded to this concern contending that unrest has been experienced in other parts of the world, it hasn’t happened here. The NRC also observed that it relies on U.S. intelligence efforts to identify, and thwart, larger coordinated attacks.

In issuing upgraded security regulations on August 1, 1994, the NRC explicitly conceded that it had denied the NCI/CBG petition seeking that outcome just three years earlier. The NRC noted that “The vehicle bomb attack on the World Trade Center represented a significant change to the domestic threat environment that changed many of the points used in denying the petition and eroded the basis for concluding that vehicle bombs could be excluded from any consideration of the domestic threat environment.”

Because the NRC did not stick by its 1991 denial and took steps after the events of February 1993 to better protect nuclear power plants—and more importantly, the people who work in them and live around them—from sabotage using vehicles, this event goes into the “just right regulation” bin. It would never make it into the “just perfect regulation” bin, but also does not deserve to fall into the “under-regulation” bin.

There’s more than a hint of the Nielsen Ratings Commission (NRC) and media spotlight effect described in the Role of Regulation #1 commentary. The NCI and CBG petition garnered trade press coverage. The TMI intruder event garnered local coverage. The World Trade Center bombing days later received international media coverage for weeks. That’s a powerful spotlight helping the NRC see the need for better protection against vehicle bombs.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

NRC’s Reprisal Study Reveals Safety Agency Has a Chilled Work Environment

In January 2018, the NRC circulated within the agency a 100-page report  titled “Study of Reprisal and Chilling Effect for Raising Mission-Related Concerns and Differing Views at the NRC.” The report was authored by Renee Pedersen, who had managed the NRC’s Differing Professional Opinion (DPO) and non-concurrence programs for many years before retiring from the agency at the end of that month. These programs enable NRC staffers to register differing views with agency positions or plans and to have those views formally evaluated.

This is an issue I follow closely. I issued a report and blog post last year titled “The Nuclear Regulatory Commission and Safety Culture: Do As I Say, Not As I Do” examining evidence that prompted the NRC to intervene about safety culture problems at U.S. nuclear power plants and comparable evidence strongly suggesting that the agency had the same, if not worse, signs of trouble. These products updated a theme discussed in a November 2014 blog post.

After hearing about the reprisal study and its contents from several NRC staffers, I submitted a request under the Freedom of Information Act (FOIA) for it on February 1, 2018.

On June 27, the NRC emailed me the reprisals study. Well, they emailed me a redacted version of the reprisals study. Certain information was blocked out in the released report on alleged grounds that its disclosure would compromise the anonymity of NRC staffers. The study compiled results from several surveys of the NRC’s work force—those conducted every three years by the NRC’s Office of the Inspector General, those conducted annually by the Federal Employee Viewpoint Surveys, and those conducted by the NRC’s Office of Enforcement. The first two types of surveys involved the entire NRC work force and typically had nearly 80 percent response rates; the third type of surveys went out to a much smaller subset of the NRC’s work force—those individuals who had filed DPOs and non-concurrences.

Figure 1 is the heavily-redacted Page 58 from the Reprisals Study. It showed (or would have shown but for the redactions) the responses to the 2013 and 2016 surveys of NRC staff who had initiated DPOs.

Fig. 1 (Source: NRC record obtained by UCS via FOIA)

Typically, it’s hard to contest the redaction of information for any purported reason without seeing the information to see whether it indeed justifies withholding.

But it’s easy to contest the redaction when you’re able to see the information being withheld. Figure 2 is the entirely unredacted Page 58 from the Reprisals Study.

Fig. 2 (Source: Confidential, anonymous UCS source(s))

So, no NRC staffer is identified by the unredacted information. The unredacted information does strongly suggest that nine individuals responded to the 2013 survey questions (i.e., 1 out of 9 equals 11%, 2 out of 9 equals 22%). The unredacted information does not suggest how many individuals responded to the 2016 survey (unless it was only one) since there were 100% or 0% response rates for every question. Okay, another solid clue resides in NRC’s online electronic library, ADAMS. NRC staff initiating DPOs can elect to make the final DPO package publicly available in ADAMS. The NRC numbers DPOs sequentially: the first one is DPO-yyyy-001, the fifth one is DPO-yyyy-005 and so on. It doesn’t take a concerned scientist long to figure out from ADAMS about how many DPOs are filed each year and thus how many DPO initiators are being surveyed (clue—fewer than a dozen each year.)

Page 58 is part of Appendix D to the Reprisals Study. The first sentence of Appendix D stated: “OE [Office of Enforcement] conducted two anonymous voluntary surveys to employees who submitted non-concurrences and DPOs.” So, the survey results were submitted voluntarily and provided anonymously (i.e., Response A could not be linked to any specific member of the DPO and non-concurrence author universe.)

So, case closed on whether or not disclosure of anonymous responses submitted voluntarily could reveal personal privacy information or compromise any one’s anonymity. UCS has formally appealed this bogus rationale by the NRC and requested that the illegally redacted information be released publicly.

What Does the Reprisal Study Reveal?

The unredacted and “outed” redacted portions of the Reprisals Study make it crystal clear that the NRC has a chilled work environment. Several safety culture terms are defined beginning on page 7 of the Reprisals Study. Two of those definitions are quoted verbatim, including the boldfacing in the original text, from the study:

Chilling Effect is a condition that occurs when an event, interaction, inaction, decision, or policy change results in a perception that the raising of a mission-related concern or differing view to management is being suppressed, is discouraged, or will result in reprisal

Chilled Work Environment is a condition where the chilling effect is not isolated (e.g., multiple individuals, functional groups, shift crews, or levels of workers within the organization are affected

Note that a “chilling effect” is defined not as the actual, irrefutable, uncontestable, unmistakable reality that raising a differing review will result in reprisal, but merely the perception of such an adverse outcome. But page 6 of the Reprisals Study stated that “reprisal is a case in which perception is as important as reality” [boldface in original text.]

And note that a “chilled work environment” exists with the perception that voicing differing views will result in reprisal is not isolated to a single worker.

Look at Figure 2 again. The chart at its top reveals that 100 percent of the responses in 2016 felt experiencing a negative consequence for having filed a DPO. The chart at its bottom shows that respondents felt they experienced reprisals of various forms.

Figure 2 constitutes prima facie evidence of a chilling effect within the NRC—at least one worker felt that filing a DPO had negative consequences. I have ample reason to believe that Figure 2 also constitutes prima facie evidence of a chilled work environment within the NRC because more than one worker reported this feeling. I have had private communications with more than one DPO filer who told me they responded to the survey indicating they experienced negative consequences. But Figure 2 alone does not prove a chilled work environment, since the 2016 data could reflect 100% responses from a sole individual.

Other portions of the study provide compelling evidence that a chilled work environment exists at the NRC. The study shows that in the 2015 survey:

  • Only 64% of employees said they believed the NRC “has established a climate where truth can be taken up the chain of command without fear of reprisal”
  • Only 68% of employees said they “can raise any concern without fear of retaliation”
  • Only 77% said “it is safe to speak up in the NRC”
  • 20% of the employees indicated “they had heard of someone with the last year who experienced a negative reaction for having raised a mission-related differing view”

While it is commendable that the surveys suggest that the NRC’s workplace is thawing over time, global warming seems to be significantly outpacing the agency’s workplace warming. The 2015 numbers are totally unacceptable. The NRC has come down hard and heavy when nuclear plant sites have smaller segments of their work forces fearful of voicing safety concerns. (See our 2017 report for example after example of the NRC intervening for much smaller pockets of fear and reluctance.)

Ms. Pedersen also consulted with the NRC’s Office of the Inspector General, Office of the Chief Human Capital Officer, Office of General Counsel and Office of Small Business and Civil Rights as well as the National Treasury Employees Union that represents many NRC workers and found “it appears that five reports of reprisal may have occurred in the last three years.” The study quoted from the April 24, 2017, NTEU newsletter: “We continue to hear about employees being afraid to raise issues for fear of retaliation as well as from employees who feel they have been retaliated against for raising concerns, including safety concerns.”

UCS Perspective

By its own definition, the NRC considers a chilling effect to exist when there’s the perception that raising a differing view can result in reprisal. By its own data, that perception exists within the NRC’s work force.

By its own definition, the NRC considers a chilled work environment to exist when a chilling effect involves multiple workers. By its own data, a chilled work environment exists within the NRC.

By its own words and actions, the NRC has an intolerance for chilled work environments at nuclear power plants.

By its own inactions, the NRC has a tolerance for their own workers being chilled.

Americans deserve better from this federal agency. Their safety is in the hands of NRC’s inspectors, reviewers, managers, and staffers and those workers must feel free to raise those hands if they have safety concerns.

Equally important, NRC workers deserve better from their agency. These are talented and dedicated professionals who voice concerns because it is the right thing to do. When they do the right thing, the NRC simply must stop doing the wrong thing in response.

The good news is that the NRC knows how to remedy chilled work environments. They have been requiring those remedies be taken at nuclear plant site after nuclear plant site.

The bad news is that the NRC seems unwilling or unable to thaw out its own chilled work environment.

Final point (for now): I joined UCS in the fall of 1996. I suspected that I would hear from nuclear plant workers about safety concerns they had raised but which had not been satisfactorily resolved or which they feared raising. And my suspicions have been proven valid. But what I neither suspected nor imagined was that I would hear from NRC workers for the same reasons. But each and every year that I’ve worked for UCS, except for one, I have received more contacts from NRC workers than from all nuclear plant work forces combined. Evidently, the NRC has the largest nuclear refrigerator in the country.

Rather than “chill out,” the NRC needs to “thaw out.” Too much chillin’ going on.

Flooding at Nine Mile Point

Regulation and Nuclear Power Safety #1

In July 1981, water flooded the Radwaste Processing Building containing highly radioactive waste for Unit 1 at the Nine Mile Point nuclear plant in upstate New York. The flood tipped over 55-gallon metal drums filled with highly radioactive material. The spilled contents contaminated the building’s basement such that workers would receive a lethal radiation dose in about an hour. The Unit 1 reactor had been shut down for over two years and was receiving heightened oversight attention when the Nuclear Regulatory Commission (NRC) investigated the matter. But the NRC was reacting to a television news report about the hazardous condition rather than acting upon its own oversight efforts. The media spotlight resulted in this long over-looked hazard finally being remedied.

The Headline

The headline looked good—the NRC was probing a secret spill on Nine Mile Point Unit 1. The article accompanying the headline explained that the NRC had dispatched inspectors to the site a day after learning about the spill. On its surface, it had the appearance of timely response by the regulator.

Fig. 1 (Source: The Ithaca Journal, August 23, 1989)

The Rest of the Story

Famed newscaster Paul Harvey had a long-running radio program called The Rest of the Story in which he revealed the information behind the headlines. Here’s the rest of this story.

WIXT News Channel 9 reported on August 22, 1989, that the Radwaste Processing Building at Nine Mile Point had been inaccessible for nearly a decade due to high radiation levels. The TV station based its account on a March 1989 report by the Institute of Nuclear Power Operations (INPO). INPO reported that many of the 150 metal drums containing highly radioactive waste had been tipped over by the rising flood waters in the building.

The drums contained materials from filter/demineralizer units used at the plant to remove radioactivity from water systems. The filter/demineralizer units are very effective in removing radioactivity from the water. In doing so, the filter elements and the demineralizer resin beads collected radioactive particles, concentrating the radioactivity to very high levels. Some contents from the tipped-over drums mixed with the flood water. The area was contaminated at radiation levels ranging up to 400 rem per hour. At that rate, an individual would receive a lethal dose in about an hour.

The plant’s owner notified the NRC by letter dated October 30, 1981, that it had discharged 21,100 gallons of radioactively contaminated water into Lake Ontario because the tanks for storing such water were full and they did not want to add more volume to the flooded waste storage building.

While there is some talk now about “draining the swamp,” the owner took steps during the 1980s to “preserve the swamp” inside this inaccessible building. Concerned that allowing the flood water to evaporate away, turning radioactive slime into radioactive dust that might contaminate the entire building instead of just its basement, the owner kept the basement floor covered with several inches of water.

By letter dated September 10, 1987, the plant’s owner paid a $2,500 fine imposed by the NRC on August 13, 1987, for its improper handling of radioactive materials. Federal regulations do not allow packages containment radioactive material to be shipped if the radiation level on the outer surface of the packages exceeds 0.2 rem per hour. But the owner sent two packages containing radioactively contaminated equipment to the Brunswick nuclear plant in North Carolina with radiation levels on their outer surfaces of 1.5 and 1.8 rem per hour.

On July 18, 1988, McGraw-Hill’s Inside N.R.C. reported that the NRC had moved Nine Mile Point Unit 1 to the top of the agency’s list of problem plants and would be issuing a Confirmatory Action Letter to the owner forbidding Unit 1 from restarting without the NRC’s permission. Unit 1 had shut down in January 1988 for a scheduled refueling outage with plans to restart in mid-August until the NRC changed those plans.  Inside N.R.C. reported that an NRC senior manager told the Commissioners during a July 13, 1988, briefing about the agency’s concerns about “the inability of the utility to diagnose and correct problems” and that the NRC’s response would be to “generally increase oversight of the unit.”

The Post-Standard in Syracuse reported on May 25, 1989, that the NRC issued Nine Mile Point low ratings. It reported that a company spokesperson “believes the new [NRC] report contained the lowest cumulative rating … received since the NRC begin issuing these types of reports in the 1970s.”

So, the NRC was giving Nine Mile Point extra scrutiny in 1988 and 1989 for known safety problems, including improper handling of radioactive materials.

Inside N.R.C. reported on August 28, 1989, that the NRC dispatched an Augmented Inspection Team (AIT) to Nine Mile Point on August 23 after media accounts based on the March 1989 INPO report. An NRC spokesperson told Inside N.R.C. that at least one of the NRC’s resident inspectors at Nine Mile Point reviewed a draft of the INPO report long before August 1989. Why hadn’t the NRC responded to the problem before seeing it on the TV? The NRC spokesperson was quoted as saying “That’s part of what they’re [the AIT] trying to determine now—what if anything was passed on.”

Inside N.R.C. reported on September 11, 1989, that the NRC AIT concluded that the company may have violated federal safety regulations in the late 1970s when “it converted a solid waste storage building into a low-level waste tank without informing the agency.” Inside N.R.C. stated that no NRC personnel went into the waste building during the AIT examination of the flooded waste building, quoting an NRC spokesperson as saying, “We didn’t think it was necessary for anybody to take the risk.” Speaking about risk, an NRC senior manager during a press conference at the plant on August 28, 1989, stated, “We have found no improper endangerment of the public or workers at the reactor.” So, either the NRC could not find improper endangerment because it was on the other side of the door, or the NRC found it was proper endangerment.

The Palladium Times reported on October 3, 1989, that the leader of the NRC AIT stated that “If there’s a radiological event that costs more than $2,000, they would have had to notify us.” The paper reported that the company was “preparing to clean up the material at an estimated cost of $1.5 million.”

The Charges

Company officials met with NRC representatives on October 30, 1989, to discuss violations identified by the NRC AIT. The NRC summary of the meeting reported, “The licensee began their presentation by stating that, except for the apparent violations, the findings noted in NRC Inspection Report 50-220/89-80 were essentially correct.” Company officials contested the violations cited by the NRC on grounds that “Actual Property Damage Less Than $2,000” and that the waste “building was used in accordance with its design.” The company outlined its plans to use a robot to enter the lethal Radwaste Processing Building in early 1990 and mitigate the mess. The company told the NRC that its robot would save about 100 person-rem of radiation exposure to non-robotic (i.e., human) workers.

The Conviction

The NRC issued a Severity III violation, the third most severe of the four sanction levels used at the time, to the company on February 23, 1990, for violating federal regulations. Specifically, the company failed to evaluate the intentional overflowing of liquid radioactive storage tanks in July 1981 and flooding the waste storage building floor, as required by regulation 10 CFR 50.59. The NRC indicated that a fine would normally be imposed along with the Severity Level III infraction, but was being waived in this case due to the “major management changes [that] have been made during the extended outage because of your past inability to identify and correct problems.”

The Parole

The NRC staff briefed its Commissioners on May 14, 1990, about the readiness of Nine Mile Point Unit 1 to restart. Many items on the “To Do” list had been completed, but some yet remained The NRC approved restart on Friday, July 27, 1990. After being shut down for about two and a half years, the Unit 1 reactor was restarted on July 29, 1990.

UCS Perspective

I often say and write that NRC really stands for Nielsen Ratings Commission. Too often, it doesn’t matter what the regulations say, doesn’t matter whether it’s right or wrong, and doesn’t matter if it’s safe or unsafe—what matters is the media spotlight. When the spotlight is off, wrong seems right, illegal seems legal, and unsafe looks like safe enough. When the spotlight gets turned on, darkness becomes brigthness and right morphs into wrong. This case epitomizes the appropriateness of that moniker.

Fig. 2 (Source: Pixabay)

The owner informed the NRC in writing in October 1981 that it had released radioactively contaminated water into Lake Ontario rather than deepen the flooded basement of the waste storage building. The NRC did nothing.

High radiation levels rendered the Radwaste Processing Building inaccessible for most of the 1980s. The NRC did nothing.

The NRC sanctioned the owner in 1987 for improperly handling radioactive materials. The NRC did nothing about the handling of the radioactive materials that rendered a building inaccessible.

The NRC reviewed a draft INPO report in early 1989 that blasted the company for mishandling the flooded waste storage building problem. The NRC did nothing.

The NRC issued the plant its lowest performance ratings ever in May 1989. The NRC did nothing about the flooded waste storage building.

Is the NRC to blame for the decade of doing nothing?

Nope. It’s the media’s fault.

Had the media turned its spotlight on the July 1981 release of radioactive liquid into Lake Ontario and the flooding of the waste storage building’s basement, the NRC would have done something.

Had the media turned its spotlight during the 1980s on the building made inaccessible by spilt radioactive material, the NRC would have done something.

Had the media turned its spotlight on the company’s handling of other radioactive materials in 1987, the NRC would have done something.

Had the media turned its spotlight on the company’s abysmal ratings in May 1989, the NRC would have done something.

When the media turned its spotlight on INPO scathing report in August 1989, the NRC did something.

So, if the media had only spotlighted the problem at the plant sooner, it might not have taken nearly a decade for this problem to get fixed.

But the NRC has inspectors assigned full-time to each operating nuclear plant whereas the media is not allowed, except under rare special circumstances, to venture inside the plants’ security fences. Thus, the media has much better justification for taking so long to turn on its spotlight than the NRC has for needing the spotlight in the first (second) (third) (fourth) place.

Consequently, this case represents under-regulation by the NRC.

Postscript: The NRC has made several changes to its oversight processes since the 1980s that make it less likely, but not impossible, for under-regulation of this nature to be repeated. After the Millstone saga in the mid 1990s, the NRC replaced the ratings system it used at Nine Mile Point and elsewhere in the 1980s with its Reactor Oversight Process (ROP). The old ratings system enabled conditions at Nine Mile Point to deteriorate to the point where Unit 1 had to remain shut down for over two years until enough of the safety problems had been remedied to permit its restart. Dozens of other reactors had to remain shut down for over a year while safety problems were corrected. Since the ROP was adopted in 2000, only two reactors have been mired in such protracted outages. The ROP is better at flagging problems sooner, allowing them to be corrected before they build up to epidemic proportions. After the Davis-Besse debacle in 2002, the NRC tweaked the ROP to require its inspectors at each site to review every problem report written. While most problems do not require further NRC engagement, this review makes it less likely that a building rendered inaccessible due to very high radiation levels will escape the agency’s notice and response.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Role of Regulation in Nuclear Plant Safety: A New Series of Posts

President Trump seeks to lessen the economic burden from excessive regulation. The Nuclear Regulatory Commission (NRC) initiated Project AIM before the 2016 elections seeking to right-size the agency and position it to become more adaptive to shifting needs in the future. And the nuclear industry launched its Delivering the Nuclear Promise campaign seeking productivity and efficiency gains to enable nuclear power to compete better against natural gas and other sources of electricity.

In light of these concurrent efforts, we will be reviewing momentous events in nuclear history and posting a series of commentaries on the role of regulation in nuclear plant safety. The objective is to better understand under-regulation and over-regulation to better define “Goldilocks” regulation—regulation that is neither too lax nor too onerous, but just right. That better understanding will enable us to engage the NRC more effectively as the agency pursues Project AIM and the industry tries to deliver on its promise.

Searching for Goldilocks

We will be reviewing “momentous events” with the expectation of examining times when regulation played too little a role as well times when regulation played too large a role. If we are lucky, we will examine events from all three bins—regulation too lax, regulation just right, and regulation overly stringent. Lessons from all three bins will yield the best understanding of what traps to avoid as well as what practices to emulate for the “just right” bin to become more and more popular in the future.

We have a working list of events that will hopefully populate all three bins. While we will not draft the commentaries or bin an event until after reviewing the relevant records, the events likely to fall into the “too lax” bin include the 1979 accident at Three Mile Island, the mid 1990s Millstone, Salem and Cooper problems, and the 2011 accident at Fukushima.

Events likely to fall into the “undue burden” bin include the August 1991 Site Area Emergency declared at Nine Mile Point following a transformer failure, the 1998 Towers Perrin report, and the semi-annual reports by the NRC’s Office of the Inspector General.

And events likely to fall into the “just right” bin include March 1990 station blackout at Vogtle, the September 1997 discovery of and recovery from containment problems at DC Cook, and the flood protection deficiencies identified at Fort Calhoun in 2010 whose remedies sure came in handy during the flood the plant experienced in June 2011.

While we may have reported on or blogged about some of these events already, the perspective is slightly different now. Before, we may have explained how event A resulted in regulatory requirements x, y, and z. Now, we will strive to determine whether there was sufficient awareness prior to the event for these requirements to already have been put in place (i.e, lax regulation), a knee-jerk reaction imposing more regulatory requirements than necessary (i.e., over-regulation), or a prudent reaction to a reasonably unavoidable event (i.e., just right regulation).

The list of potential events for this series contains nearly four dozen candidates. Other candidates may emerge during the reviews. We do not anticipate posting commentaries until every candidate is crossed off the list. Instead, we will continue the series until all three bins are populated with sufficient events to shed meaningful insights on the proper role of regulation in nuclear plant safety. Upon reaching this point, we intend to discontinue the series and share the findings and observations from our reviews in a post and/or report.

High Energy Arc Faults and the Nuclear Plant Fire Protection IOU

Last year, we posted a commentary and an update about a high energy arc fault (HEAF) event that occurred at the Turkey Point nuclear plant in Florida. The update included color photographs obtained from the Nuclear Regulatory Commission (NRC) via a Freedom of Information Act request showing the damage wrought by the explosion and ensuing fire. Neither the HEAF event or its extensive damage surprised the NRC—they had been researching this fire hazard for several years. While the NRC has long known about this fire hazard, its resolution remains unknown. Meanwhile, Americans are protected from this hazard by an IOU. The sooner this IOU is closed out, the better that Americans in jeopardy will be really and truly protected.

What is a HEAF?

The Nuclear Energy Agency (NEA), which has coordinated international HEAF research efforts for several years, defines HEAF this way: “An arc is a very intense abnormal discharge of electrons between two electrodes that are carrying an electrical current. Since arcing is not usually a desirable occurrence, it is described as an arcing fault.”

Nuclear power plants generate electricity and use electricity to power in-plant equipment. The electricity flows through cables or metal bars, called buses. An arc occurs when electricity jumps off the intended pathway to a nearby metal cabinet or tray.

Electricity is provided at different voltages or energy levels for different needs. Home and office receptacles provide 120-volt current. Nuclear power plants commonly have higher voltage electrical circuits carrying 480-volt, 4,160-volt, and 6,900-volt current for motors of different sizes. And while main generators at nuclear plants typically produced electricity at 22,000 volts, onsite transformers step up the voltage to 345,000 volts or higher for more efficient flow along the transmission lines of the offsite power grid.

How is the Risk from HEAF Events Managed?

Consistent with the overall defense-in-depth approach to nuclear safety, HEAF events are managed by measures intended to prevent their occurrence backed by additional measures intended to minimize consequences should they occur.

Preventative measures include restrictions on handling of electrical cables during installation. Limits on how much cables can be bent and twisted, and on forces applied when cables are pulled through wall penetrations seek to keep cable insulation intact as a barrier against arcs. Other preventative measures seek to limit the duration of the arc through detection of the fault and automatic opening of a breaker to stop the flow of electrical current through the cables (essentially turning the arc off).

Mitigative measures include establishing zones of influence (ZOI) around energized equipment that controls the amount of damage resulting from a HEAF event. Figure 1 illustrates this concept using an electrical cabinet as the example Electrical cabinets are metal boxes containing breakers, relays, and other electrical control devices. Current fire protection regulatory requirements impose a 3-foot ZOI around electrical cabinets and an 18-inch ZOI above them. Anything within the cabinet and associated ZOI is assumed to be damaged by the energy released during a HEAF event. Sufficient equipment must be located outside the affected cabinet and its ZOI to survive the event and adequately cool the reactor core to prevent meltdown.

Fig. 1 (Source: Nuclear Regulatory Commission)

Even with these preventative and mitigative measures, NEA recognized the hazard that HEAF events poses when it wrote in a May 2017 report: “The electrical disturbance initiating the HEAF often causes loss of essential electrical power and the physical damage and products of combustion provide significant challenges to the operators and fire brigade members handling the emergency. It is clear that HEAFs present one of the most risk significant and challenging fire scenarios that a [nuclear power plant] will face.”

What is the Problem with HEAF Risk Management?

Actual HEAF events have shown that the preventative and mitigative measures intended to manage the hazard have shortcomings and weaknesses. For example, arcs have sometimes remained energized far longer than assumed, enabling the errant electricity to wreak more havoc.

Additionally, HEAF events have damaged components far outside the assumed zones of influence, such as in the Turkey Point event from March 2017. In other words, the HEAF hazard is larger than its defenses.

How is the HEAF Risk Management Problem Being Resolved?

On March 11, 2011, an earthquake offshore of Japan and the tsunami it spawned led to the meltdown of three reactors at the Fukushima Daiichi nuclear plant. That earthquake also caused a HEAF event at the Onagawa nuclear plant in Japan. The ground motion from the earthquake prevented an electrical circuit breaker from opening to limit the duration of the arc. The HEAF event damaged equipment and started a fire (Fig. 2). Because the fire brigade could not enter the room due to heat and smoke, the fire blazed for seven hours until it had consumed all available fuel. As an NRC fire protection engineer commented in April 2018, “If Fukushima wasn’t occurring, this is probably what would have been in the news headlines.” Onogawa was bad. Fukushima was just worse.

Fig. 2 (Source: Nuclear Regulatory Commission)

Research initiated in Japan following the Onagawa HEAF event sought to define the factors affecting the severity of the events. Because the problem was not confined to nuclear power plants in Japan, other countries collaborated with the Japanese researchers in pursuit of a better understanding of, and better protection for, HEAF events.

The NRC participated in a series of 26 tests conducted between 2014 and 2016 using different types of electrical panels, bus bar materials, arc durations, electrical current voltages, and other factors. The results from the tests enabled the NRC to take two steps.

First, the NRC entered HEAF events into the agency’s generic issues program in August 2017. In a related second step, the NRC formally made the owners of all operating US nuclear power plants aware of this testing program and its results via an information notice also issued in August 2017. The NRC has additionally shared its HEAF information with plant owners during the past three Regulatory Information Conferences and several other public meetings and workshops.

The NRC plans a second series of tests to more fully define the conditions that contribute to the severity of HEAF events.

How Are HEAF Events Tested?

Test 23 during the Phase I program subjected a 480-volt electrical cabinet with aluminum bus material to an arc lasting 7.196 seconds. Figure 3 shows the electrical cabinet with its panel doors opened prior to the test. A pointer on the left side of the picture shows the location where the arc was intentionally caused.

Fig. 3 (Source: Nuclear Energy Agency)

To induce an arc for the test, a wire was wrapped around all three phases of the 480-volt alternating current connectors within one of the cabinet’s panels as shown in Figure 4. On the right edge of the picture is a handswitch used to connect or disconnect electrical power flowing into the cabinet via these buses to in-plant electrical loads.

Fig. 4 (Source: Nuclear Energy Agency)

Instrumentation racks and cameras were positioned around the cabinet being tested. The racks included instruments measuring the temperature and pressure radiating from the cabinet during the HEAF event. High-speed, high definition cameras recorded the progression of the event while infrared cameras captured its thermal signature. A ventilation hood positioned over the cabinet connected to a duct with an exhaust fan conducted smoke away from the area to help the cameras see what was happening. More importantly, the ventilation duct contained instruments measuring the heat energy and byproducts released during the event.

Fig. 5 (Source: Nuclear Regulatory Commission)

What Are the HEAF Test Results?

For a DVD containing reports on the HEAF testing conducted between 2014 and 2016 as well as videos from the 26 tests conducted during that period, send an email with your name and address to RES_DRA_FRBQnrc.gov. Much of the information in this commentary comes from materials on the DVD the NRC mailed me in response to my request.

Test 4 in the Phase I Program subjected a 480-volt electrical cabinet with aluminum bus material to an arc lasting only 0.009 seconds (i.e., 9 milliseconds). The short duration arc had minimal consequences, entirely missed if one blinks at the wrong time while watching the video. This HEAF event did not damage components within the electrical cabinet, yet alone any components outside the 3-foot zone of influence around it.

Test 3 in the Phase I Program subjected a 480-volt electrical cabinet with copper bus material to an arc lasting 8.138 seconds. The longer duration arc produced greater consequences than in Test 4. But the video shows that the consequences are largely confined to the cabinet and zone of influence.

Test 23 in the Phase I Program subjected a 480-volt electrical cabinet with aluminum bus material to an arc lasting 7.196 seconds. The voltage level and arc duration for Test 23 were essentially identical to that for Test 3, but the consequences were significantly different. Aluminum behaved differently than copper during the HEAF event, essentially fueling the explosion and ensuing fire. As a result, the damage within the cabinet, zone of influence, and even beyond the 3-foot zone of influence was much greater. For example, some of the instruments on the rack positioned just outside the 3-foot zone of influence were vaporized.

Until debris from the event obscured the lens of a camera positioned many feet outside the 3-foot zone of influence, a side view of the Test 23 HEAF event showed it was a bigger and badder event than the HEAF event in Test 3 and the HEAF event in Test 4.

Figure 6 shows the electrical cabinet with its panel doors open after Test 23. The cabinet clearly looks different from its pre-test appearance (see Figure 4). But this view does not tell the entire story.

Fig. 6 (Source: Nuclear Energy Agency)

Figure 7 shows the left side of the electrical cabinet after Test 23. The rear upper left corner of the cabinet is missing. It was burned and/or blown away by the HEAF event. The cabinet is made of metal, not wood, plastic, or ice. The missing cabinet corner is compelling testimony to the energy released during HEAF events.

Fig. 7 (Source: Nuclear Energy Agency

Tests 3, 4 and 23 all featured electrical cabinets supplied with 480-volt power.

Tests 4 and 23 each featured aluminum bus material. Test 4 had negligible consequences while Test 23 had significant consequences, attesting to the role played by arc duration. The arc lasted 0.009 seconds in Test 4 while it lasted 7.196 seconds in Test 23.

Tests 3 and 23 featured arcs lasting approximately 8 seconds. Test 23 caused substantially greater damage within the electrical cabinet and beyond the 3-foot zone of influence due to the presence of aluminum rather than copper materials.

How Vulnerable Are US Nuclear Plants to HEAF Events?

The Phase I series of tests revealed that HEAF events depend on the voltage level, the conducting material (i.e., copper, iron, or aluminum), and the arc duration. The higher the voltage, the greater the amount of aluminum, and the longer the arc duration, the greater the consequences from HEAF events.

The NRC received results in 2017 from an industry survey of US nuclear plants. The survey showed that the plants have electrical circuits with voltage levels of 480, 4160, 6900, and 22000 volts. The survey also showed that while some plants did not have electrical circuits with components plated with aluminum, many did.

As to arc durations, actual HEAF events at US plants have involved arc durations longer than the 8 seconds used in Tests 3 and 23. The May 2000 event at Diablo Canyon lasted 11 seconds. The March 2010 event at HB Robinson last 8 to 12 seconds. And the June 2011 event at Fort Calhoun last 42 seconds and likely would have lasted even longer had operators not intervened by manually opening an electrical breaker to end the event.

So, many US nuclear plants have all the ingredients necessary for really nasty HEAF events.

What Might the Fixes Entail?

The testing program results to date suggest a tiered approach to the HEAF event solution. Once the key factors (i.e., combinations of voltage levels, materials, and arc durations) are definitively established, they can be used to screen out configurations within the plant where a HEAF event cannot compromise safety margins. For example, a high voltage electrical cabinet with aluminum bus material and suspect arc duration limiters might need no remedies if it is located sufficiently far away from safety components that its HEAF vaporization carries only economic rather than safety implications. Similarly, configurations with voltage levels and materials that remain bound by the current assumptions like the 3-foot zone of influence would require no remedies.

When a configuration cannot be screened out, the remedy might vary. In some cases, it might involve providing more reliable, quick-acting fault detection and isolation systems that limit the duration of the arc. In other cases, replacing aluminum buses with copper or iron buses might be a suitable remedy. And the fix might be simply installing a protective wall between an electrical cabinet and safety equipment.

Further HEAF testing will expand knowledge of the problem, thus more fully informing the decisions about effective solutions.

UCS Perspective

It has been known for many years now that HEAF events could cause wider damage than currently assumed in designing and applying fire protection measures. As a result, a fire could damage primary safety systems and their backups—the very outcome the fire protection regulatory requirements are intended to prevent.

This is normally the time and spot where I chastise the NRC for dragging its feet in resolving this known safety hazard. But while years have passed since the HEAF hazard flag was first raised, the NRC’s feet have been busy. For while it was known that HEAF events could cause greater damage than previously realized, it was not known what factors played what roles in determining the severity of HEAF events and the damage they inflict. The NRC joined regulatory counterparts worldwide in efforts designed to fill in these information gaps. That knowledge was vitally needed to ensure that a real fix, rather than an ineffective band-aid fix, was applied.

That research took time to plan and conduct. And further research is needed to fully define the problem to find its proper solution. In the meantime, the NRC has been very forthcoming with plant owners and the public about its concerns and associated learnings to date.

While the NRC’s efforts to better understand HEAF events may be justified, it’s worth remembering that the agency’s intentions and plans are little more than IOUs to the millions of Americans living close to vulnerable nuclear plants. IOUs provide zero protection. The NRC needs to wrap up its studies ASAP and turn the IOUs into genuine protection.

Made in Chattanooga

What do the Arkansas Nuclear One Unit 2, Beaver Valley Unit 1, Beaver Valley Unit 2, Big Rock Point, Callaway, Calvert Cliffs Unit 1, Calvert Cliffs Unit 2, Catawba Unit 2, Comanche Peak Unit 1, Comanche Peak Unit 2, Connecticut Yankee, Cooper, Diablo Canyon Unit 1, Diablo Canyon Unit 2, Donald C. Cook Unit 1, Edwin I. Hatch Unit 1, Edwin I. Hatch Unit 2, Fort Calhoun, HB Robinson, Indian Point Unit 1, Indian Point Unit 2, Indian Point Unit 3, James A. FitzPatrick, Joseph M. Farley Unit 1, Joseph M. Farley Unit 2, Fermi Unit 2, Kewaunee, LaSalle Unit 1, Maine Yankee, Marble Hill, McGuire Unit 1, Millstone Unit 1, Millstone Unit 2, Millstone Unit 3, Nine Mile Point Unit 1, Oyster Creek, Palisades, Palo Verde Unit 1, Palo Verde Unit 2, Palo Verde Unit 3, Pilgrim, Point Beach Unit 2, Salem Unit 1, Salem Unit 2, San Onofre Unit 1, San Onofre Unit 2, San Onofre Unit 3, Seabrook, South Texas Project Unit 1, South Texas Project Unit 2, St. Lucie Unit 1, St. Lucie Unit 2, Vogtle Unit 1, Vogtle Unit 2, Waterford, and Wolf Creek nuclear power reactors have in common?

True, they are all mentioned in this same question. But the subject commonality has a broader dimension.

Also true, they are all located on planet earth. But the subject commonality has a narrower dimension.

Hint: Check out the title of this commentary.

Yes, the reactor vessels for all these nuclear plants, and many others worldwide, were manufactured by Combustion Engineering at their factory in Chattanooga, Tennessee.

Indeed, the Chattanooga factory made the vessels for boiling water reactors like FitzPatrick and Pilgrim, for Westinghouse pressurized water reactors like Diablo Canyon and Indian Point and for Combustion Engineering pressurized water reactors like Palo Verde and Waterford.

In the days before FedEx, how did reactor vessels made in the hills of east Tennessee get to so many locations coast to coast? The Tennessee River winds through Chattanooga and empties into the Mississippi River. Whenever possible, the reactor vessels were lifted onto barges in Chattanooga and floated to the plant sites. For example, the Unit 1 reactor vessel for the Nine Mile Point nuclear plant in Oswego, New York took the scenic route down the Tennessee River, up the Mississippi River, up the Illinois River, across four of the five Great Lakes.

Fig. 1 (Source: Daily Standard (October 7, 1966))

It took 29 days for Pilgrim’s reactor vessel to make the 3,587-mile journey down the Tennessee and Mississippi Rivers, across the Gulf of Mexico and along the Atlantic coast to Plymouth, Massachusetts. (The plant is scheduled to permanently shut down by June 2019. On behalf of my fellow citizens of Chattanooga, the current owner should check out the “No Return” provision in the contract.)

Fig. 2 (Source: UPI Telephoto published in News Journal (March 4, 1970))

The Unit 1 reactor vessel for the San Onofre Nuclear Generating Station in southern California began its 2,000-mile journey on a barge, was transferred onto a freighter for passage through the Panama Canal, was transferred back onto a barge, and then loaded onto a train car for delivery to the site.

Fig. 3 (Source: Daily Republican (April 23, 1965))

Not all the journeys were event-free. The Unit 3 reactor vessel for the Indian Point nuclear plant in Buchanan, New York was dropped on January 12, 1971, as it was being unloaded at the plant. Well, it was not actually dropped. It underwent an “unscheduled descent during its installation” at the plant. An overhead crane rated for 175-tons was being used to lift the 456-ton package of reactor vessel and shipping rig. Somehow, the motor for the 175-ton rated crane became overheated as it was lifting the 456-ton load. The 456-ton load had been raised from its original horizontal configuration to nearly the vertical (i.e., 90°) position when the lift was halted to let the overheated crane motor cool down. The 175-ton crane’s hoist failed, dropping the load—or letting the load make its unscheduled descent back to the horizontal position.

Fig. 4 (Source: Oak Ridge National Laboratory)

Scientists from Oak Ridge, representatives of Combustion Engineering in Chattanooga, and workers from Westinghouse huddled to determine whether the unscheduled descent of the reactor vessel resulted in its unscheduled dis-use. They reviewed results from magnetic particle and ultrasonic examinations and concluded the vessel could be used.

Scientists from the Oak Ridge National Laboratory traveled to Buchanan to view the Unit 3 reactor vessel. They heard contradictory accounts as to the position of the reactor vessel when it began its unscheduled descent. Some eyewitnesses said the vessel and rig were about three feet off the ground. Others insisted it was not off the ground at all. Similarly, the scientists received varying accounts of how long it took the vessel to complete its unscheduled decent. Some eyewitnesses reported the descent took 15 seconds. Others claimed the descent went on for nearly 60 seconds. The discrepancies might be attributed to the eyewitnesses making unscheduled departures from the vicinity.

UCS Perspective

UCS has staffed a remote office in Chattanooga for the past eight years. At the time, we knew the city was the location for the International Towing Museum, but did not realize that the city played such a prominent role in the development of nuclear power reactors in the United States. And as if making tow trucks and reactor vessels was not enough, but Moon Pies were invented in Chattanooga in 1917.

Chattanooga also has the offices for the Nuclear Division of the Tennessee Valley Authority (TVA), with TVA’s Sequoyah Nuclear Plant within sight of downtown. Chattanooga also has the Nuclear Regulatory Commission’s Technical Training Center as well as a Westinghouse training facility.

But Chattanooga no longer makes reactor vessels. Combustion Engineering scaled back manufacturing at the factory as demand for nuclear components dwindled in the U.S. and abroad. In 2007, the nearly idled manufacturing plant was acquired by French-based Alstom with intentions to make components to support the nuclear renaissance. The factory did not need a first shift, yet alone a second or third shift, to handle all the non-orders for reactor vessels and other nuclear plant parts. The factory closed shop in 2016.

But don’t despair. Chattanooga still makes Moon Pies and tow trucks.

NRC Cherry-Picking in the Post-Fukushima Era: A Case Study

In the late 1960s, the Atomic Energy Commission (AEC), the forerunner of the NRC, paid the very companies that designed nuclear reactors—Westinghouse and General Electric (GE)—to test the efficacy of their own emergency cooling systems.

In the event of an accident in which a reactor loses water, uncovering the fuel rods—called a “loss-of-coolant accident”—these systems inject water back into the reactor in an attempt to prevent a meltdown. The tests that Westinghouse and GE performed were named the Full Length Emergency Cooling Heat Transfer (FLECHT) tests. The FLECHT tests simulated fuel rods undergoing a loss-of-coolant accident. The tests were intended to be as realistic as possible: bundles of 12-foot-tall rods, simulating fuel rods, were electrically heated up to reactor-accident temperatures and then inundated with cooling water.

Several of the tests were geared toward assessing how well the outer casing of fuel rods, called “cladding,” would endure in accident conditions. The cladding of fuel rods is primarily zirconium, a silver-colored metal. After the injection of water in an accident, hot-zirconium cladding is intended to endure the thermal shock of swift re-submergence and cooling. The cladding must not be stressed to its failure point. It is crucial that the fuel cladding perform well in an accident because it is a barrier preventing the release of highly radioactive materials into the exterior environment.

Figure 1. Source: Westinghouse)

Robert Leyse, my father, a nuclear engineer employed by Westinghouse, conducted a number of the FLECHT tests. On December 11, 1970, one of those tests, designated as Run 9573, had unexpected results. In Run 9573, a section of the test bundle’s zirconium cladding essentially caught on fire. The cladding burned in steam—then, when cooled, shattered like overheated glass doused with cold water.

Mr. Leyse instructed a lab assistant to take photographs of the destroyed test bundle, one of which is displayed as Figure 1. In a report on the FLECHT tests that Mr. Leyse coauthored, Westinghouse referred to the severely burnt, shattered section as the “severe damage zone” and noted that “the remainder of the [test] bundle was in excellent condition.”

Westinghouse’s FLECHT data is nearly 50 years old yet it is still highly regarded. The AEC used some of the FLECHT data to establish regulations that remain in place to this day. Westinghouse’s report on the FLECHT tests states that data from the first 18 seconds of Run 9573—before the cladding caught fire—is valid.

Concern over the extent zirconium burns in reactor accidents

In 2009, I submitted a rulemaking petition (PRM-50-93), requesting new regulations intended to improve public and plant worker safety. PRM-50-93 contends industry and NRC computer safety models under-predict the extent zirconium fuel cladding burns in steam. In more technical terms, the petition alleges models under-predict the rates at which zirconium chemically reacts with steam in a reactor accident. I buttressed my claims by citing data from FLECHT Run 9573 and other experiments conducted with bundles of zirconium cladding.

The zirconium-steam reaction produces zirconium dioxide, hydrogen, and heat. In a serious accident, the rate of the zirconium-steam reaction increases as local cladding temperatures increase within the reactor core. As the reaction speeds up, more and more heat is generated; in turn, the additional heat increases the rate of the reaction, potentially leading to thermal runaway and a meltdown.

It is problematic that the zirconium-steam reaction generates hundreds of kilograms of explosive hydrogen gas in a meltdown. In the Fukushima Daiichi accident—in which three reactors melted down—hydrogen leaked out of reactors’ containments and detonated, blowing apart reactor buildings. The release of radioactive material prompted the evacuation of tens of thousands of people and rendered a large area of land uninhabitable.

A “high priority”

In 2010, the NRC said its technical analysis of my 2009 rulemaking petition (PRM-50-93) was a “high priority.” Then, in 2011, the agency issued a press release announcing it intended to “increase transparency” in its petition review process by releasing preliminary evaluations of PRM-50-93. The announcement said the final decision on the petition would “not be issued until after the NRC Commissioners…considered all staff recommendations and evaluations.”

As part of the preliminary technical analysis of PRM-50-93, the NRC staff conducted computer simulations of FLECHT Run 9573. They compared the results of their simulations to data Westinghouse reported. However, there is a major problem with the staff’s simulations. They did not simulate the section of the test bundle that ignited. (Or if they did simulate that section, they decided not to release their findings.)

By way of an analogy: what the NRC staff did would be like simulating a forest fire and omitting trees reduced to ash and only simulating those that had been singed. After doing such a bogus simulation one might try to argue that trees actually do not burn down in forest fires. The staff basically did just that. They used the results of their simulations to argue that models of the zirconium-steam reaction are not flawed—that reaction rates are not under-predicted.

On January 31, 2013, I gave a presentation to the five commissioners who were heading the NRC at the time. They invited me to present my views in a meeting addressing public participation in the NRC’s rulemaking process. They apparently wanted my insights, because, in 2007, I raised a safety issue in a rulemaking petition (PRM-50-84) that they decided to incorporate into one of their regulations. I had pointed out that computer safety models neglected to simulate a phenomenon affecting the performance of fuel rods in a loss-of-coolant accident.

In my presentation, I criticized the staff’s computer simulations of FLECHT Run 9573. I said: “You cannot do legitimate computer simulations of an experiment that [caught on fire] by not actually modeling the section of the test bundle that [caught on fire].” In the Q and A session, Commissioner William Magwood assured me that he and the other commissioners would instruct the staff “to follow up on” my comments, including my criticism of the staff’s simulations of Run 9573. Then, five weeks after the meeting, Annette Vietti-Cook, Secretary of the Commission, instructed the staff to “consider and respond” to my comments on its review of PRM-50-93.

I hoped the staff would promptly conduct and report on legitimate computer simulations of FLECHT Run 9573. Instead, in March 2013, the staff restated that their prior, incomplete simulations of Run 9573 over-predicted the extent that zirconium burns in steam, indicating computer safety models are beyond adequate.

In November 2015, after I made a series of additional complaints, with help from Dave Lochbaum of the Union of Concerned Scientists, Aby Mohseni, Deputy Director of the NRC’s Division of Policy and Rulemaking, disclosed results of computer simulations of FLECHT Run 9573 including the section of the test bundle that ignited. The simulations drastically under-predict temperatures Westinghouse reported for that section.

The NRC’s severe-damage-zone computer simulations of Run 9573

The NRC’s severe-damage-zone computer simulations predicted cladding and steam temperatures for the FLECHT Run 9573 test bundle, at the 7-foot elevation, at 18 seconds into the experiment. (The severe damage zone was approximately 16 inches long, centered at the 7-foot elevation of the 12-foot-tall test bundle.)

The highest cladding temperature the severe-damage-zone simulations of Run 9573 predicted is 2,350°F, at the 7-foot elevation, at 18 seconds. Westinghouse reported that at 18.2 seconds into Run 9573, cladding temperatures by the 7-foot elevation exceeded 2,500°F. Cladding temperatures by the 7-foot elevation were not directly measured by thermocouples (temperature-measuring devices); however, Westinghouse reported that electrical heaters installed in the cladding began to fail at 18.2 seconds, by the 7-foot elevation, after local cladding temperatures reached higher than 2,500°F. Hence, even considering the time difference of a 0.2 second, one can infer that the severe-damage-zone simulations of Run 9573 under-predicted the cladding temperature by a margin of more than 100°F (at the section of the test bundle that ignited).

(Note that there is a time difference of a 0.2 second between the time the NRC picked for its simulations of Run 9573 and the time that the electrical heaters began to fail in the experiment. In the staff’s incomplete simulations of Run 9573—reported in the staff’s preliminary evaluations of PRM-50-93—the highest predicted cladding temperature is 2,417.5°F, at the 6-foot elevation, at 18 seconds. And the highest predicted cladding temperature increase rate is 29°F per second, at the 6-foot elevation, at 18 seconds. From these predictions we can infer that—although the value has not been reported—the highest predicted cladding temperature increase rate would be approximately 29°F per second or less, at the 7-foot elevation, at 18 seconds.)

In Run 9573, at the 7-foot elevation, the heat generated by the zirconium-steam reaction radiated to the local environment, heating the steam in proximity. The highest steam temperature the NRC’s severe-damage-zone simulations of Run 9573 predicted is 2,055°F, at the 7-foot elevation, at 18 seconds. Westinghouse reported that at 16 seconds into Run 9573, a steam-probe thermocouple mounted at the 7-foot elevation directly recorded steam temperatures that exceeded 2,500°F. And a Westinghouse memorandum (included as Appendix I of PRM-50-93) stated that after 12 seconds, the steam-probe thermocouple recorded “an extremely rapid rate of temperature rise (over 300°F/sec).” (Who knows how high the local steam temperatures actually were at 18 seconds; they were likely hundreds of degrees Fahrenheit higher than 2,500°F.) Hence, the severe-damage-zone simulations of Run 9573 under-predicted the steam temperature by a margin of more than 400°F (by the section of the test bundle that ignited).

The fact the NRC’s severe-damage-zone simulations under-predict cladding and steam temperatures that occurred in Run 9573 is powerful evidence indicating models under-predict the zirconium-steam reaction rates that occur in reactor accidents.

Qualifying power level increases for reactors

Since the 1970s, the NRC has approved more than 150 power level increases (termed “power uprates”) for reactors in the US fleet, enabling them to generate more and more electricity. An important part of qualifying a power uprate is to provide assurance with computer simulations that emergency systems would be able to prevent a meltdown if there were a loss-of-coolant accident at the proposed, higher power level.

A computer simulation is supposed to over-predict the severity of a potential nuclear accident. A margin of safety is established when a reactor’s power level is qualified by a “conservative” simulation—one that overcompensates. Meltdowns are less likely to occur if the reactor operates at a safe power level, providing a sufficient safety margin.

The extent zirconium burns at high temperatures has a major impact on the progression and outcome of a reactor accident. If zirconium-steam reaction rates are under-predicted by computer safety models, they will also under-predict the severity of potential reactor accidents. And, if power uprates have been qualified by models under-predicting the severity of potential accidents, it is likely power levels of reactors have been set too high and emergency cooling systems might not be able to prevent a meltdown in the event of a loss-of-coolant accident.

A petition review process of beyond eight years (with cherry-picking)

The NRC staff’s technical analysis of my 2009 rulemaking petition (PRM-50-93) was completed on March 18, 2016, but was not made publicly available until March 5, 2018, nearly two years later. The technical analysis signals an intention to deny PRM-50-93. It concludes with the statement: “Each of the petition’s key presumptions was investigated in detail. … The petition fails to provide any new information that supports a rule change. The NRC staff does not agree with the petition’s assertions, and concludes that revisions to [NRC regulations] or other related guidance are not necessary.”

Interestingly, a NRC staff e-mail, released in response to a Freedom of Information Act request, reveals that in August 2015—seven months before their technical analysis was completed—the staff already planned to deny PRM-50-93. At that time, the staff intended to announce their denial in August 2016.

The 2016 technical analysis of PRM-50-93 fails to discuss or even mention the results of the computer simulation of FLECHT Run 9573 that Mr. Mohseni disclosed in November 2015. Certain staff members appear intent on denying PRM-50-93 to the extent that they’re willing to make false statements and omit evidence lending support to the petition’s allegations. They appear determined to bury the fact their own computer simulation underpredicts, by a large margin, temperatures Westinghouse reported for the section of the Run 9573 test bundle that ignited.

The staff members who conducted the 2016 technical analysis of PRM-50-93 did not comply with the commissioners who directed them, in January 2013, to “consider and respond” to my criticisms of their simulation of Run 9573. The 2016 technical analysis has a section titled “Issues Raised at the Public Commission Meeting in January 2013;” however, that section fails to discuss the simulation results Mr. Mohseni disclosed in November 2015.

In April 2014, I submitted over 50 pages of comments alleging the staff’s preliminary evaluations of PRM-50-93 have numerous errors as well as misrepresentations of material I discussed to support my arguments. In my opinion, the 2016 technical analysis has the same shortcomings. I suspect that portions of the technical analysis have been conducted in bad faith. Perhaps certain staff members fear enacting the regulations I requested would force utilities to lower the power levels of reactors.

As a member of the public, who spent months writing PRM-50-93, I personally resent the way certain staff members disrespect science and efforts of the public to participate in the NRC’s rulemaking process. (The NRC gives lip service to encouraging public participation. Its website boasts that the agency is “committed to providing opportunities for the public to participate meaningfully in the NRC’s decision-making process.”) Even worse, much worse, their cynical actions undermine public safety.

In a written decision, D.C. Circuit appeals court judges said it was “nothing less than egregious” when a federal agency took longer than six years to review a rulemaking petition. The NRC has been reviewing PRM-50-93 for longer than eight years—procrastinating as well as cherry-picking.

UCS perspective

[What follows was written by Dave Lochbaum, Director of the Nuclear Safety Project at the Union of Concerned Scientists]

I (Dave Lochbaum) invited Mark Leyse to prepare this commentary. I more than monitored Mark’s efforts—I had several phone conversations with him about his research and its implications. I also reviewed and commented on several of his draft petitions and submissions.

Mark unselfishly devoted untold hours researching this safety issue and painstakingly crafting his petition. He did not express vague safety concerns in his petition. On the contrary, his concerns were described in excruciating detail with dozens of citations to source documents. (Reflective of that focused effort, Mark’s draft of this commentary contained 33 footnotes citing sources and page numbers, supporting his 2,300-plus words of text. I converted the footnotes to embedded links, losing chapter and verse in the process. Anyone wanting the specific page numbers can email me for them.)

Toward the end of his commentary, Mark expresses his personal resentment over the way the NRC handled his concerns. It is not my petition, but I also resent how the NRC handled, or mis-handled, Mark’s sincere safety concerns. He made very specific points that are solidly documented. The NRC refuted his concerns with vague, ill-supported claims. If Mark’s safety concerns are unfounded, the NRC must find a way to conclusively prove it. “Nuh-uh” is an unacceptable way to dismiss a nuclear safety concern.

In addition to handling Mark’s safety concerns shoddily from a technical standpoint, the NRC mistreated his concerns process-wise. Among other things, Mark asked the NRC staff to explain why it had not conducted a complete computer simulation of Westinghouse’s experiment, FLECHT Run 9573. The NRC refused to answer his questions, contending that its process did not allow it to release interim information to him. I protested to the NRC on Mark’s behalf, pointing out case after case where the NRC had routinely provided interim information about rulemaking petitions to plant owners. I asked why the NRC’s process treated members of the public one way and plant owners a completely different way. Their subterfuge exposed, the NRC “suddenly” found itself able to provide Mark with interim information, or at least selective portions of that information.

The NRC completed its technical analysis of Mark’s petition in March 2016 but withheld that information from him and the public for two years. The NRC would not withhold similar information from plant owners for two years. The NRC must play fair and stop being so cozy with the industry it sometimes regulates.

If how the NRC handled Mark’s petition is the agency at its best, we need a new agency. These antics are simply unacceptable.

The “Race” to Resolve the Boiling Water Reactor Safety Limit Problem

General Electric (GE) informed the Nuclear Regulatory Commission (NRC) in March 2005 that its computer analyses of a depressurization event for boiling water reactors (BWRs) non-conservatively assumed the transient would be terminated by the automatic trips of the main turbine and reactor on high water level in the reactor vessel. GE’s updated computer studies revealed that one of four BWR safety limits could be violated before another automatic response terminated the event.

Over the ensuring decade-plus, owners of 28 of the 34 BWRs operating in the US applied for and received the NRC’s permission to fix the problem. But it’s not clear why the NRC allowed this known safety problem, which could allow nuclear fuel to become damaged, to linger for so long or why the other six BWRs have yet to resolve the problem. UCS has asked the NRC’s Inspector General to look into why and how the NRC tolerated this safety problem affecting so many reactors for so long.

BWR Transient Analyses

The depressurization transient in question is the “pressure regulator fails open” (PRFO) event. For BWRs, the pressure regulator positions the bypass valves (BPV in Figure 1) and control valves (CV) for the main turbine as necessary to maintain a constant pressure at the turbine inlet.

When the reactor is shut down or operating at low power, the control valves are fully closed and the bypass valves are partially opened as necessary to maintain the specified pressure. When the turbine/generator is placed online, the bypass valves are closed and the control valves are partially opened to maintain the specified inlet pressure. As the operators increase the power level of the reactor and send more steam towards the turbine, the pressure regulator senses this change and opens the control valves wider to accept the higher steam flow and maintain the constant inlet pressure.

Fig. 1 (Source: Nuclear Regulatory Commission, annotated by UCS)

If the sensor monitoring turbine inlet pressure provides a false high value to the pressure regulator or an electronic circuit card within the regulator fails, the pressure regulator can send signals that fully open the bypass valves and the control valves. This is called a “pressure regulator fails open” (PRFO) event. The pressure inside the reactor vessel rapidly decreases as the opened bypass and control valves accept more steam flow. Similar to how the fluid inside a shaken bottle of soda rises to and out the top when the cap is removed (but for different physical reasons), the water level inside the BWR vessel rises as the pressure decreases.

The water level is normally about 10 feet above the top of the reactor core. When the water level rises about 2 feet above normal, sensors will automatically trip the main turbine. When the reactor power level is above about 30 percent of full power, the turbine trip will trigger the automatic shut down of the reactor. The control rods will fully insert into the reactor core within a handful of seconds to stop the nuclear chain reaction and terminate the PRFO event.

The Race to Automatic Reactor Shut Down

The reactor depressurization during a PRFO event above 30 percent power actually starts two races to automatically shut down the reactor. One race ends when high vessel level trips the turbine which in turn trips the reactor. The second race is when low pressure in the reactor vessel triggers the automatic closure of the main steam isolation valves (MSIV in Figure 1). As soon as sensors detect the MSIVs closing, the reactor is automatically shut down.

BWRs do not actually stage PRFO events to see what parameter wins the reactor shut down race. Instead, computer analyses are performed of postulated PRFO events. The computer codes initially used by GE had the turbine trip on high water level winning the race. GE’s latest code shows MSIV closure on low reactor vessel pressure winning the race.

The New Race Winner and the Old Race Loser

The computer analyses are performed for reasons other than picking the winner of the reactor shut down race. The analyses are performed to verify that regulatory requirements will be met. When the winner of the PRFO event reactor shut down race was correctly determined, the computer analyses showed that one of four BWR safety limits could be violated.

Figure 2 shows the four safety limits for typical BWRs. The safety limits are contained within the technical specifications issued by the NRC as appendices to reactor operating licenses. GE’s latest computer analyses of the PRFO event revealed that the reactor pressure could decrease below 785 pounds per square inch gauge (psig) before the reactor power level dropped below 25 percent—thus violating Safety Limit 2.1.1.1. The earlier computer analyses non-conservatively assumed that reactor shut down would be triggered by high water level, reducing reactor power level below 25 percent before the reactor pressure decreased below 785 psig.

Fig. 2 (Source: Nuclear Regulatory Commission)

Safety Limit 2.1.1.1 supports Safety Limit 2.1.1.2. Safety Limit 2.1.1.2 requires the Minimum Critical Power Ratio (MCPR) limit to be met whenever reactor pressure is above 785 psig and the flow rate trough the reactor core is above 10 percent of rated flow. The MCPR limit protects the fuel from being damaged by insufficient cooling during transients, including PRFO events. The MCPR limit keeps the power output from individual fuel bundles from exceeding the amount that can be carried away during transients.

As in picking reactor shut down race winners, BWRs do not slowly increase fuel bundle powers until damage begins, then back it down a smidgen or two. Computer analyses of transients also model fuel performance. The results from the computer analyses establish MCPR limits that guard against fuel damage during transients.

The computer analyses examine transients from a wide, but not infinite, range of operating conditions. Safety Limit 2.1.1.1 defines the boundaries for some of the transient analyses. Because Safety Limit 2.1.1.1 does not permit the reactor power level to exceed 25 percent when the reactor vessel pressure is less than 785 psig, the computer analyses performed to establish the MCPR limit in Safety Limit 2.1.1.2 do not include an analysis of a PRFO event for high power/low pressure conditions.

Thus, the problem reported by GE in March 2005 was not that a PRFO event could violate Safety Limit 2.1.1.1 and result in damaged fuel. Rather, the problem was that if Safety Limit 2.1.1.1 was violated, the MCPR limit established in Safety Limit 2.1.1.2 to protect against fuel damage could no longer be relied upon. Fuel damage may, or may not occur, as a result of a PRFO event. Maybe, maybe not is not prudent risk management.

The Race to Resolve the BWR Safety Limit Problem

The technical specifications allow up to two hours to remedy a MCPR limit violation; otherwise the reactor power level must be reduced to less than 25 percent within the next four hours. This short time frame implies that the race to resolve the BWR Safety Limit problem would be a dash rather than a marathon.

Fig. 3 (Source: Nuclear Regulatory Commission)

The nuclear industry submitted a request to the NRC on July 18, 2006, asking that the agency merely revise the bases for the BWR technical specifications to allow safety limits to be momentarily violated. The NRC denied this request on August 27, 2007, on grounds that it was essentially illegal and unsafe:

Standard Technical Specifications, Section 5.5.14(b)(1), “Technical Specifications (TS) Bases Control Program,” states that licensees may make changes to Bases without prior NRC approval, provided the changes do not involve a change in the TS incorporated in the license. The proposed change to the TS Bases has the effect of relaxing, and hence, changing, the TS Safety Limit. An exception to a stated TS safety limit must be made in the TS and not in the TS Bases. In addition,  a potential exists that the requested change in the TS Bases could have an adverse effect on maintaining the reactor core safety limits specified in the Technical Specifications, and thus, may result in violation of the stated requirements. Therefore, from a regulatory standpoint, the proposed change to the TS Bases is not acceptable. [emphasis added]

and

… the staff is concerned that in some depressurization events which occur at or near full power, there may be enough bundle stored energy to cause some fuel damage. If a reactor scram does not occur automatically, the operator may have insufficient time to recognize the condition and to take the appropriate actions to bring the reactor to a safe configuration. [emphasis added]

In April 2012, the nuclear industry abandoned efforts to convince the NRC to hand wave away the BWR safety limit problem and recommended that owners submit license amendment requests to the NRC to really and truly resolve the problem.

Forget the Tortoise and the Hare—the Snail “Wins” the Race

On December 31, 2012, nearly ten years after GE reported the problem, the owner of two BWRs submitted a license amendment request to the NRC seeking to resolve the problem. The NRC issued the amendment on December 8, 2014. Table 1 shows the “race” to fix this problem at the 34 BWRs operating in the US.

Table 1: License Amendments to Resolve BWR Safety Limit Problem Reactor License Amendment Request License Amendment Original Reactor  Pressure Revised Reactor  Pressure Susquehanna Units 1 and 2 12/31/2012 12/08/2014 785 psig 557 psig Monticello 03/11/2013 11/25/2014 785 psig 686 psig Pilgrim 04/05/2013 03/12/2015 785 psig 685 psig River Bend 05/28/2013 12/11/2014 785 psig 685 psig FitzPatrick 10/08/2013 02/09/2015 785 psig 685 psig Hatch Units 1 and 2 03/24/2014 10/20/2014 785 psig 685 psig Browns Ferry Units 1, 2, and 3 12/11/2014 12/16/2015 785 psig 585 psig Duane Arnold 08/06/2015 08/18/2016 785 psig 686 psig Clinton 08/18/2015 05/11/2016 785 psig 700 psia Dresden Units 2 and 3 08/18/2015 05/11/2016 785 psig 685 psig Quad Cities Units 1 and 2 08/18/2015 05/11/2016 785 psig 685 psig LaSalle Units 1 and 2 11/19/2015 08/23/2016 785 psig 700 psia Peach Bottom Units 2 and 3 12/15/2015 04/27/2016 785 psig 700 psia Limerick Units 1 and 2 01/15/2016 11/21/2016 785 psig 700 psia Columbia Generating Station 07/12/2016 06/27/2017 785 psig 686 psig Nine Mile Point Unit 1 08/01/2016 11/29/2016 785 psig 700 psia Oyster Creek 08/01/2016 11/29/2016 785 psig 700 psia Perry 11/01/2016 06/19/2017 785 psig 686 psig Nine Mile Point Unit 2 12/13/2016 10/31/2017 785 psig 700 psia Brunswick Units 1 and 2 None found None found 785 psig Not revised Cooper None found None found 785 psig Not revised Fermi Unit 2 None found None found 785 psig Not revised Grand Gulf None found None found 785 psig Not revised Hope Creek None found None found 785 psig Not revised

 

UCS Perspective

BWR Safety Limits 2.1.1.1 and 2.1.1.2 provide reasonable assurance that nuclear fuel will not be damaged during design bases transients. In March 2005, GE notified the NRC that a computer analysis glitch undermined that assurance.

The technical specifications issued by the NRC allow BWRs to operate above 25 percent power for up to six hours when the MCPR limit is violated. GE’s report did not reveal the MCPR limit to be violated at any BWR; but it stated that the computer methods used to establish the MCPR limits were flawed.

There are only four BWR safety limits. After learning that one of the few BWR safety limits could be violated and determining that fuel could be damaged as a result, the NRC monitored the glacial pace of the resolution of this safety problem. And six of the nation’s BWRs have not yet taken the cure. Two of those BWRs (Brunswick Units 1 and 2) do not have GE fuel and thus may not be susceptible to this problem. But Cooper, Fermi Unit 2, and Hope Creek have GE fuel. It is not clear why their owners have not yet implemented the solution.

The NRC is currently examining how to implement transformational changes to become able to fast track safety innovations. I hope those efforts enable the NRC to resolve safety problems in less than a decade; way, way less than a decade. Races to resolve reactor safety problems must become sprints and no longer leisurely paced strolls. Americans deserve better.

UCS asked the NRC’s Inspector General to look into how the NRC mis-handled the resolution of the BWR safety limit problem. The agency can, and must, do better and the Inspector General can help the agency improve.

Commendable Nuclear Safety Catch at the Susquehanna Nuclear Plant

The owner of the two boiling water reactors (BWRs) at the Susquehanna Steam Electric Station in northeastern Pennsylvania notified the Nuclear Regulatory Commission (NRC) on April 2, 2018, that workers’ mistakes rendered an emergency core cooling system on Unit 1 vulnerable to being disabled by an earthquake at the same time that another emergency core cooling system was out of service for work on its power supply system. This is good news—not in having two safety systems impaired while the reactor operated, but in how quickly the problem was detected and corrected.

Fig. 1 (Source: Nuclear Regulatory Commission)

The Emergency Core Cooling Systems

Susquehanna Unit 1 is a model BWR/4 reactor with a Mark II containment design that was placed into commercial operation in June 1983. In case of an accident that drains cooling water from the reactor vessel, Unit 1 is equipped with an array of emergency core cooling system (ECCS) pumps that will automatically start and provide makeup water. The ECCS include one steam-driven high pressure coolant injection (HPCI) pump, four motor-driven low pressure coolant injection (LPCI) pumps, and more motor-driven core spray (CS) pumps. The LPCI and CS pumps are split into two divisions of two LPCI pumps and two CS pumps each. Each division is powered from separate electrical buses, backed by separate emergency diesel generators, to increase the chances that enough pumps survive whatever challenge is experienced to provide adequate makeup cooling water flow for the reactor core.

The Situation

During the early afternoon of December 1, 2017, workers moved pipe sections into the room housing the Division II core spray pumps and staged this material on the floor as close as six inches from one of the two air conditioning units for the room.

At 7:48 am on December 2, the power supply to the Division II low pressure coolant injection pumps was removed from service to enable its voltage regulator to be replaced.

The Problem

At 10:30 am on December 3, an operator noticed that the materials staged in the core spray pump room were not seismically restrained and were close to one of the room’s air conditioning unit. The Operations department conservatively assumed that an earthquake could case the pipe sections to move into and damage the air conditioning unit. If that occurred, the heat from the running core spray pump motors could warm the room above the temperature that electrical equipment was qualified to endure. The Operations department declared the Division II core spray pumps inoperable due to their potential loss in event of an earthquake.

The Unit 1 operation license allowed the Division II low pressure coolant injection pumps to be out of service for up to 7 days while the reactor continued operating. This allowed outage time relied on other ECCS pumps being available in case an accident happened. The discovery that the Division II core spray pumps were also inoperable undermined that reliance. The operating license for Unit 1 required the reactor to be shut down within 7 hours with both the Division II low pressure coolant injection and core spray pumps inoperable.

The Solution

At 1:35 pm on December 3, the Division II low pressure coolant injection pumps were restored to operable following replacement of the voltage regulator on their power supply. Their restoration ended the need for the reactor to be shut down and returned the unit to the need to restore the Division II core spray pumps to service within 5 days (the 7-day clock started on December 1).

Around 4:00 pm on December 3, workers completed the removal of the pipe sections from the Division II core spray pump room. Doing so ended the need to shut down the reactor as all ECCS pumps were restored to service.

The Armchair Viewpoint

The Engineering department analyzed the temperature in the Division II core spray pump room with both motor-driven core spray pumps running and only one of two air conditioning units in the room operating. The second air conditioning unit was assumed not to be running due to damage from the pipe sections hitting it during an earthquake. The engineering analysis concluded that the room temperature would have remained below the temperatures used to qualify safety components in the room and that the core spray pumps would have performed their safety function successfully.

UCS Perspective

The staging of the replacement pipe sections without seismic restraints in the Division II core spray pump rooms near its air conditioning unit could have resulted in an air conditioning unit becoming damaged during an earthquake. That potential vulnerability was not recognized the next day when the Division II low pressure coolant injection pumps were taken out of service for maintenance to their power supply. The defense-in-depth approach to nuclear safety gets undermined when multiple layers are missing and/or impaired concurrently.

It would have been better had the pipe sections not been staged improperly or had that mistake been identified before it was compounded by the intentional disabling of additional ECCS pumps the next day. But dozens of activities are ongoing each and every day at a nuclear power plant. And materials temporary stored in the core spray pump room—a confined area infrequently accessed by workers on a daily basis—made detection of their improper configuration less than readily evident.

The mistake was identified by the Operations department less than two days after it was made and a day after it was compounded by taking other ECCS pumps out of service. It would have been easy not to have discovered the subtle mistake, but it was found. Once found, it would have been easy to presume that the core spray pumps would have functioned despite the potential loss of one of two air conditioning units in the room. But the Operations department lacked an analysis to support that presumption and declared the pumps inoperable. That conservative call accelerated the solution to the problem. Within about 185 minutes, the low pressure coolant injection pumps were restored to service. And within 330 minutes, the pipe sections were removed to eliminate the potential hazard to the air conditioning unit in the core spray pump room. The Operations department handled this matter very well. The Operations department handled this matter very well.

Defense-in-depth is frequently discussed in terms of equipment—two redundant pumps provided when only one needs to run for the necessary safety function to be fulfilled. This case illustrates how defense-in-depth also has an important role to play in human performance reliability. The Maintenance department placed the pipe sections in the core spray pump room. They should have stored the material properly, but failed to do so. The Operations department caught the mistake and caused it to be promptly remedied. And the Engineering department reviewed the mistake to determine its safety significance.

This event also reveals an unintended consequence from defense-in-depth applied to human performance reliability—when the first defense-in-depth layer succeeds, backup layers are not tested. Here, the first layer failed but the second and third layers came through. The next best thing to perfection is having a highly reliable first layer backed by a highly reliable second layer backed by a highly reliable third layer and so on.

Nuclear Regulatory Commission SAGging?

The Screen Actors Guild (SAG) is part of a labor union that represents nearly 160,000 actors and others in America. I don’t know how many NRC senior managers are SAG members, but with more and more individuals acting as senior managers for longer and longer periods, SAG may need to open an office in Rockville, Maryland where NRC is headquartered.

Figure 1 shows the NRC’s organization chart as of March 1, 2018. At the top are the five Commissioners, or rather the three Commissioners because two Commission positions have been vacant for over a year. Below the Commissioners are the 29 senior NRC managers. Of those 29 senior managers, the seven managers circled in red are only acting in those roles. Some have been acting at it for a long time. Fred Brown has been acting as the Director of the Office of New Reactors for over a year while Brian Holian has been acting as the Director of the Office of Nuclear Reactor Regulation since July 1, 2017. And Victor McCree, the NRC’s Executive Director for Operations (EDO), announced he will be retiring on June 30, 2018. The casting calls for an EDO actor have not yet been announced.

Fig. 1  Red boxes indicate acting or missing managers. (Source: NRC annotated by UCS)

Why Does it Matter?

Who commands more respect:

  • A full-time teacher or a substitute?
  • A real doctor or someone who stayed at Holiday Inn Express last night?
  • A parent or a babysitter?
  • A sheriff or a mall cop (Paul Blart excepted)?
  • A bona fide manager or an acting manager?

An acting manager can tackle the job as if it is a permanent one. But will she or he truly expend as much effort on long term tasks as someone who will be in that same job when those tasks are conducted?

Even if the acting manager performs the job as fully and capably as someone in the position for real, will her or his subordinates really raise longer term matters or will they simply wait until the real boss takes over?

A non-acting manager “owns” the job and can devote all her or his skills and attention to every aspect of that job. And staff can follow non-acting leaders without being distracted by the temptation to tolerate supervision until the real boss reports for duty.

What Does It Take to Stop the Acting?

The President nominates and the Senate confirms NRC Commissioners. So, the two empty Commissioner seats are up to the President and Senate to fill—you know, the folks unable to pass real budgets and who rely instead on serial “acting” budgetary measures. The other 29 positions on Figure 1 can be filled by the NRC itself without Presidential or Congressional involvement.

The Commission, or a majority thereof, fill the positions explicitly defined in the Atomic Energy Act. These positions include the EDO and the Directors of the Office of New Reactors and Nuclear Reactor Regulation. The EDO fills the remaining positions. For example, the NRC announced on January 2, 2018, that K. Steven West had been appointed Regional Administrator for Region III, replacing Cynthia D. Pederson who retired on December 30, 2017 (three days earlier).

Mr. West had been the Acting Director of the Office of Nuclear Security and Incident Response since July 2017 when Brian Holian became the Acting Director of the Office of Nuclear Reactor Regulation. After Mr. West got his permanent assignment, Brian McDermott was named to become the new Acting Director of NSIR. Since Mr. McDermott filled in for Acting Director West who was filling in for real Director Holian, perhaps Mr. McDermott is Acting Acting Director of NSIR.

UCS Perspective

Despite how many NRC senior managers have been acting at their positions for so long, they should probably not become SAG members. SAG represents actors and others in the entertainment industry. The NRC’s musical chairs is neither entertaining to play nor to watch.

The NRC filled Ms. Pederson’s position as Regional Administrator within three days of her retirement with a permanent, not Acting, Regional Administrator. So, the NRC can fill senior management positions expeditiously without needing actors. Despite this proven ability, 24 percent of the NRC’s top 29 management positions are filled by actors. So, the NRC can do better but has chosen—for reasons unknown—not to do so.

The NRC needs to stop acting so much, Otherwise, will the last non-actor please turn out the lights on the way out the door.

Nuclear Regulatory Commission’s Safety Dashbored

Who says the Nuclear Regulatory Commission does not have a delightful sense of humor?

Not me. Not anymore. Not after stumbling across the NRC’s Generic Issues Dashboard on its website.

The Dashboard page shows the status of three open generic issues. I look at two of them here.

GI204: Flooding of nuclear sites

Generic Issue (GI) 204 was initiated due to concerns that failure of dams upriver from nuclear power plants could flood the sites and disable emergency systems needed to prevent reactor core damage. The NRC staff completed a screening analysis in July 2011 and formally accepted GI-204 in February 2012, nine months after flooding at Fukushima Daiichi caused the three reactors operating at the time to melt down.

So, what’s the status of the resolution of this generic issue six years later? Dashboard, please.

Fig. 1 (Source: Nuclear Regulatory Commission)

A whopping 13.1% of the affected reactors have implemented the fixes. That’s a racy rate of over 2% per year sustained for six whole years!

How many of the affected reactors have completed all the effort needed to resolve this safety issues? Three—South Texas Project Units 1 and 2 and Callaway.

But that’s a recent generic issue. Let’s examine an older generic issue.

GI-191: Debris accumulation

GI-191 was identified in September 1996 and was assigned High priority by June 28, 1999, with a target resolution of September 2001. GI-191 affected all the 69 pressurized water reactors operating in the U.S. at the time.

If a pipe connected to the reactor vessel broke, the fluid jetting out of the pipe ends would scour insulation off piping, coatings off equipment, and even paint off walls. This debris would then be carried by the water to the basement of the containment building where it could collect in the sump. The emergency pumps for PWRs draw water from the containment sump. The amount of debris transported to the sump could block the flow to the emergency pumps, disabling both reactor core cooling and containment cooling.

Fig. 2 (Source: Nuclear Regulatory Commission SECY-99-185)

So, what’s the status of this High priority generic issue more than 16 years after its target resolution date of September 2001? Dashboard, please.

Fig. 3 (Source: Nuclear Regulatory Commission)

Less than half of the affected reactors have reportedly implemented the fixes to this High priority safety problem more than two decades after it was identified. And the NRC has verified the adequacy of the fixes at less than 35 percent of the affected reactors. And for all we know, the NRC is taking credit for the issue no longer being unresolved at PWRs like Crystal River 3, Kewaunee, San Onofre Units 2 and 3, and Fort Calhoun that have permanently shut down since GI-191 became a High priority or the statistics would reflect even worse.

UCS Perspective

Dashboard? Very funny. Not very accurate, but very amusing.

Come on. A safety problem afflicting more than half the nation’s nuclear power reactors that remains unresolved at most of them more than two decades later cannot be monitored by anything having “Dash” in its title. Unless “Dash” is paired with a verb that prevents any one from inferring that swiftness is involved.

Like “DashBored.”

DashBored might better convey the NRC’s efforts—they started out really and truly wanting to quickly resolve these known safety problems to protect the American public from unduly elevated risks, but then they got bored. Something else came up, like certifying new reactor designs and approving 20-year extensions to the operating licenses of problem-plagued reactors.

The dashboard of a competent nuclear safety regulator would not show known safety problems to remain unresolved for so long.