UCS Blog - All Things Nuclear (text only)

No, Space-Based Missile Defense Will Not Cost Only $20 Billion. (Spoiler: That’s only the launch costs.)

Space-based missile defense is a terrible idea. It is expensive and straightforwardly defeated, and it is dangerous and destabilizing. (If you haven’t watched it, please do take a look at this video and web feature UCS just produced. It helps to see these arguments visually.)

But knowledgeable people say it’s not so expensive!

At a recent event hosted by the Missile Defense Advocacy Alliance, Under Secretary of Defense for Research and Engineering Mike Griffin calculated the cost to “put up” an interceptor layer. Given how Griffin talked about it, you may be forgiven for thinking he means this is the full cost of a space-based missile defense system—rather than just the cost of launching the interceptors into space. Here’s what Griffin said:

I’ll close by noting that I am very, very, very, very tired of people who say that we cannot afford it. Let me offer just a trial balloon kind of a number. I get tired of hearing how it would cost, you know, 100 or more billion dollars to put up a space-based interceptor layer. If I use as a reasonable, an entirely reasonable number based on experience of $20,000 per kilogram delivered FOB low orbit, and if I were to say that I would be content with a layer of 1,000 interceptors, which seems to me like a lot, and each of them weighs a metric ton—1,000 kilograms—which would seem to me like a lot, then the entire cost of that would be $20 billion.

Read the fine print

You will notice that what Griffin is estimating is only the launch costs for a set of 1,000 interceptors weighing a ton each. I don’t disagree with his arithmetic. But he is not estimating the full cost of developing and building a space-based missile defense system—he is in fact leaving out the majority of the costs of the system.

Griffin does not include in his estimate:

  • the cost of building the interceptors themselves
  • the cost of research and development for the interceptors
  • the cost of building supporting sensors and ground stations for operating 1,000 satellites
  • the operating costs for the system
  • sustainment costs: expected lifetimes for interceptors are 5 to 8 years, so you’d need to send up 125-200 new interceptors per year, on average, to keep a 1,000 satellite constellation healthy.

This also sets aside the fact that the total mass of interceptors needed on orbit is quite sensitive to assumptions such as how many missiles the system is expected to counter, whether those missiles are solid- or liquid-fueled, and the amount of decision time required—conditions that are explored in studies such as those coordinated by the American Physical Society in 2003 and the National Academies of Sciences, Engineering & Medicine in 2012.

The National Academies study concluded that the life cycle costs for even an “austere and limited-capability” set of 650 satellites would be at least $300 billion in 2010 dollars, or 10 times more expensive than other missile defense options they examined. This estimate included the costs that Griffin did not, which are clearly substantial.

(NB: We recently wrote about why a different misunderstanding in circulation is wrong: the suggestion that a small constellation would protect against long-range missiles.)

Ok, so it probably is expensive. Are we worried about destabilizing and dangerous?

Putting interceptors in space will almost certainly provoke a reaction from potential adversaries, be it development of similar weapons, attacks on these interceptors, or an adjustment in their nuclear posture to compensate. None of these actions would improve US or global security.

At the MDAA event Griffin was asked “what do we say to China and Russia?” to allay concerns and avoid conflicts over such a system. Dr. Griffin is not particularly worried about it. He responded:

…somewhere well down on my priority list is caring about what other people think. And we just cannot afford to do that, and by creating a world—by creating a geopolitical policy environment where those kinds of considerations are surfaced, by even allowing ourselves to be drawn into that discussion we do ourselves and our allies and partners a disfavor.

However, also on the panel was Undersecretary for Policy John Rood. Rood noted that Griffin’s job is developing technology and quickly indicated that his own job was looking at just such policy issues, saying:

We do spend a lot of time concerning ourselves with those questions.

And when pressed on the issue that space-based interceptors would present an offensive capability, Undersecretary Rood said that:

…those are bridges yet to be crossed some time away given the level of sort of examination we’ve given the question thus far.

What is the key argument?

Our skepticism about space-based boost-phase missile defense gets mischaracterized, so to be clear: The problem is not that a showstopper technical issue makes hit-to-kill from space unachievable.

But even if the hit-to-kill interceptors worked perfectly, the system would not provide reliable defense since it could be straightforwardly defeated or overwhelmed. At the same time, the system would be very expensive, and a waste of resources that could be much better used elsewhere. And it would be destabilizing and dangerous. (Click here for more details.)

Fatal Accident at Arkansas Nuclear One

Role of Regulation in Nuclear Plant Safety #11

The Fatal Accident

As described in Fission Stories #139 and illustrated in Fission Stories #181, a temporary crane removing a component weighing 525 tons on March 31, 2013, in the turbine building of the Unit 1 reactor at Arkansas Nuclear One near Russellville, AR collapsed. The dropped load struck the turbine building floor with considerable force, then rolled and fell through an opening to cause further damage on a lower floor. One worker was killed and eight others injured by the accident.

Hundreds of pictures of the dropped load and the damage it inflicted have been released. Figure 1 shows the structural steel beams and concrete floor damaged when the load struck the turbine deck. Towards the camera from the bent beam is the opening that the load then plunged through.

Fig. 1 (Source: Nuclear Regulatory Commission)

Figure 2 shows the dropped load (the cylindrical red object) resting on the hauler it damaged. Sections of the collapsed crane and portions of the damaged building lie on the hauler and load.

Fig. 2 (Source: Nuclear Regulatory Commission)

The Unit 1 reactor had been shut down a week earlier for refueling. The vibrations from the heavy load impacting the turbine deck and the damage from the load crashing 30 feet onto the floor below disconnected Unit 1 from the offsite power grid and caused loss of cooling for the irradiated fuel in the reactor core and spent fuel pool. The emergency diesel generators automatically started to restore power to emergency equipment. The station blackout diesel generator was disabled because its connecting cables to both units were severed. Workers ran temporary cables to restore power to non-emergency equipment from the offsite power grid and portable diesel generators. The emergency diesel generators ran for six days until normal supplies from the offsite power grid were recovered.

The Unit 2 reactor was operating at full power at the time. The vibrations caused the electrical breaker for power supply to reactor coolant pump B to open. The loss of reactor coolant pump B triggered an automatic shutdown of Unit 2. The dropped load had ruptured an 8-inch diameter fire suppression system header. Water pouring from the broken ends of the pipe flooded areas of the turbine building with tens of thousands of gallons. It took workers about 45 minutes to turn off pumps and close valves to stop the flow of water from the broken pipe. The internal flooding caused a short circuit and explosion inside an electrical cabinet about 93 minutes after the drop that disabled one of the two offsite power connections for Unit 2. The consequences from the partial loss of power included a water hammer in the feedwater heaters and the operators using natural circulation to cool down the reactor for the first time in the reactor’s 30-plus year lifetime.

The Initial Regulatory Response

The Nuclear Regulatory Commission (NRC) dispatched an Augmented Inspection Team (AIT) to investigate the fatal accident. The AIT’s report, issued on June 7, 2013, identified ten issues requiring additional consideration. For a year after the fatal accident, both reactors at Arkansas Nuclear One remained in Column 1 of the NRC’s Action Matrix reflecting performance meeting or exceeding safety standards as the NRC pondered what to do with what it knew.

The Belated Regulatory Response

One week shy of the accident’s anniversary, the NRC proposed issuing one Red finding for the Unit 1 problems and one Yellow finding for the Unit 2 problems.

The proposed Unit 1 Red finding resulted primarily from the chances that the two emergency diesel generators failed. The accident disconnected the unit from its normal offsite power sources for six days. The accident disabled the station blackout diesel generator. The unavailability of offsite power disabled the instrument air system. Without instrument air, the two emergency diesel generators had air tanks with sufficient capacity for about ten start attempts. Had the emergency diesel generators not successfully started before this air reserve was exhausted, the unit would have entered a station blackout condition. At the time, the decay heat from the reactor core would have heated the reactor vessel water to boiling in 11 hours and the water boiled away would have uncovered the reactor core in 96 hours.

Based on standard human reliability analysis (HRA) values for workers diagnosing problems and likelihood of successfully implementing contingency measures within the necessary time frames, the NRC calculated the conditional core damage probability for Unit 1 to be 3.8×10⁻⁴ per year, or one meltdown every 2,632 years. That seems like a remote risk, but the chances of a tsunami inundating the site and causing a meltdown at Fukushima Daiichi—which had been estimated to be about one such event in 3,500 years—before March 11, 2011, beat those odds.

A similar risk analysis was performed for Unit 2. The proposed Unit 2 Yellow finding resulted primarily from the calculated risk that the reactor lost the normal feedwater, auxiliary feedwater, and emergency feedwater systems and that workers could not establish once-through cooling of the core. The NRC estimated the chances of these outcomes occurring concurrently to be 2.8×10⁻⁵ per year, or one such meltdown every 35,714 years.

The Owner Rejects the Regulatory Proposals

On May 1, 2014, the owner met with the NRC to dispute the agency’s ciphering and associated color selections. The owner described four independent means for workers to have cooled the Unit 1 reactor core and averted meltdown. While none of these means was absolutely guaranteed, the owner calculated the chance that all four failed to prevent meltdown to be 4.8×10⁻⁶ per year, or one meltdown every 208,333 years. If so, this risk corresponds to a White rather than Red finding as proposed.

The owner also disputed the NRC’s ciphering of the Unit 2 risk. The owner’s math put the risk of meltdown at 1.8×10⁻⁶ per year, or one meltdown every 555,556 years. If so, this risk corresponds to a White rather than Yellow finding as proposed.

The Modified Belated Regulatory Response

Two weeks after the AIT report’s anniversary, the NRC issued its final answer on the AIT’s findings, issuing Yellow findings for the Unit 1 and 2 problems. And only then did the NRC move both reactors into Column 3 of the Action Matrix.

The NRC revised its initial assessment of the risk of meltdown of the Unit 1 reactor. The owner contended that it would take 115 hours, not the 96 hours assumed by the NRC, for an uncooled reactor to boil away enough water to become uncovered and damaged. Applying the longer core uncovery time reduced the meltdown risk from 3.8×10⁻⁴ per year to 2.6×10⁻⁴ per year, or one meltdown every 3,846 years. The NRC issued the Yellow finding based on its revised risk assessment.

The NRC stood behind its initial assessment of the risk of meltdown of the Unit 2 reactor. The owner sought credit for manual actions taken by workers to restore components to service. The NRC felt that the owner was very optimistic about workers being able to complete the many steps in time due to increased stress levels of workers tackling darkness, debris, and flood waters resulting from the accident. The NRC retained the Yellow finding based on not revising its risk assessment.

The Rest of the Regulatory Response, Delayed Additionally

Nearly two years after the accident, the NRC issued another Yellow finding for inadequate floor protection measures that became evident during the accident. The collection of Yellow findings let the NRC move the plant into Column 4. The NRC did not return Arkansas Nuclear One to Column 1 until the summer of 2018.

UCS Perspective

Had this been a regulatory race involving the NRC, a sloth, a snail, and a tortoise, the NRC would have finished a distant fourth. The NRC’s Reactor Oversight Process provides performance ratings that dictate appropriate levels of oversight every quarter. A home pregnancy test that provides an indication one year later is no less useless than an NRC Augmented Inspection Team’s investigation of a fatal accident yielding decisions a year or two later. “Justice delayed is justice denied” was coined for lengthy moments like this one.

But the injustice stemming from the NRC’s foot-dragging deliberations is overshadowed by the injustice of its long overdue verdict. The verdict was two Yellow findings for in-plant power impairments caused by the dropped load and associated flooding. That verdict depended on the NRC’s assessment of the chances that workers could deploy contingency measures to offset the equipment disabled by the event in time to prevent overheating of the reactor core.

That verdict is contrary to most verdicts reached by the NRC when assessing similar situations. Here’s but a very tiny sampling of the typical verdicts issued by the NRC for power impairments:

Assuming that the overwhelming majority of its verdicts have been correct (or at least, less wrong), then the atypical harshness of the Yellow findings at Arkansas Nuclear One reflects over-regulation by the NRC.

Blame the Game, Not Its Players

Jeff Mitman from NRC headquarters and David Loveless from NRC’s Region IV performed the risk assessments for the Arkansas Nuclear One accident. I have known both men for several years and found them to be among the many dedicated, talented staff at the NRC. I cannot contend that Mitman and Loveless erred when assessing the Unit 1 and 2 risks as high as they did.

Instead, the risk assessment tools they were forced to use are little more than nuclear Ouija boards lacking precision and repeatability. Plant workers using the same risk assessment tools derived “answers” that differed by about a factor of 100.

Imagine using a scale that provided your weight plus or minus a factor of 100. If you weighed 150 pounds, that scale could tell you one day that you weighed 1 ½ pounds and the next day that you weighed 15,000 pounds.

Imagine driving a car with a speedometer reporting your speed plus or minus a factor of 100. Traveling along at 55 mph, it might show you nearly stopped or zipping along at 5,500 mph.

Imagine using an ATM that told you your checking account balance plus or minus a factor of 100. If you had $1,000 in the account, you’d relish the days it revealed you had $100,000 to spend and be glum when it said you only had $10.

Imagine using a risk analysis tool that gave you risk results plus or minus a factor of 100. You can sense what it must be like to be Mitman or Loveless seeking to put some situation in rational context.

Stores do not sell imprecise scales, speedometers, and ATMs because no one in their right minds and few with the wrong minds would buy them.

So why is the NRC forcing its dedicated, talented staff to use imprecise risk assessment tools to make “risk-informed” regulatory decisions?

Why indeed.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Clinton Power Station: Even More Power Problems

The Clinton Power Station is located 23 miles southeast of Bloomington, Illinois and has one General Electric boiling water reactor with a Mark III containment that began operating in 1987.

In December 2017, the Nuclear Regulatory Commission (NRC) dispatched a Special Inspection Team to the plant to investigate a transformer failure that prompted the operators to manually scram the reactor. That event nearly duplicated a transformer failure/manual scram event that happened at Clinton in December 2013.

The ink had scarcely dried on the NRC’s special inspection report when Clinton experienced yet another electrical power problem. Some progress has been made—this time it did not involve a transformer failure causing the reactor to be shut down. This time, the reactor was already shut down when the power problem began. This time, the failures involved several workers over several days failing to follow several procedures to disable an emergency power supply. This time as in the past, the NRC dispatched a special inspection team to figure out what went wrong.

Entering a Refueling Outage

The operators shut down Clinton on April 30, 2018, to enter an outage during which the reactor would be refueled. When the reactor is running, nearly the entire array of emergency equipment must be operable except for brief periods of time. During refueling, the list of emergency equipment required to remain operable is shortened, providing opportunities for components to be tested, inspected, and repaired as necessary.

The operators tripped the main generator on April 30 as part of the reactor shutdown process. When the generator was online, the electricity it produced went through the main transformers to the 345-kilovolt switchyard where transmission lines provided it to the offsite power grid. The generator’s output also flowed through the Unit Auxiliary Transformers to supply in-plant electrical needs. As shown in Figure 1, this supply to in-plant loads was unavailable with the main generator offline.

Fig. 1 (Source: NRC, color annotations by UCS)

On May 5, workers de-energized the Emergency Reserve Auxiliary Transformer (ERAT) shown on the left side of Figure 1 to support planned maintenance. Power for in-plant loads came from the 345-kilovolt switchyard through the Reserve Auxiliary Transformer (RAT).

At 9:36 pm on May 9, workers closed an electrical breaker to restore power from the RAT to 4.16-kilovolt Bus 1B1. Bus 1B1 had been removed from service for maintenance on it and the equipment powered from it. Emergency diesel generator 1B (EDG 1B) provided the backup power to Bus 1B1 in the event power from the main generator and offsite grid was lost. During the planned outage of Bus 1B1, EDG 1B had been intentionally disabled to prevent it from starting. This measure protects workers from contacting energized equipment if EDG 1B started unexpectedly.

Bus 1A1 remained in service during the time Bus 1B1 was unavailable. Bus 1A1 was also supplied with offsite power from the RAT, with EDG 1A in standby to provide backup power if needed. Safety equipment powered from Bus 1A1 cooled the reactor core and could provide makeup water if necessary.

Entering an Unsafe Condition

When power to Bus 1B1 was restored, procedures called for its backup power supply—EDG 1B—to be returned to service. A worker was sent out to place EDG 1B back in service. The emergency diesel generators (EDGs) are normally maintained in standby. Should power from the offsite power grid be lost or an accident occur, the EDGs are designed to start up, reach speed, and begin supplying electrical power to their respective buses within a little more than ten seconds. To enable the large diesel engines to perform such rapid feats, the EDGs are equipped with support systems. One support system keeps the lubricating oil warm. The start air system supplies compressed air to help the engine shaft begin spinning. Another support system supplies cooling water to protect a running diesel engine from damage caused by overheating.

Because the cooling water system for EDG 1B was not yet returned to service, a supervisor directed the worker to keep the start air valves closed. The restoration procedure called for these valves to be opened and later checked to ensure they were open. But the supervisor was concerned that an inadvertent start of EDG 1B might damage it from overheating. EDG 1B was partially restored to service on May 9.

Late in the evening of May 10, a second supervisor directed a second worker to conduct another partial restoration of EDG 1B. The fuses for the lubricating oil system had been pulled. The worker reinserted the fuses to return the lubricating oil system for EDG 1B to service.

The second supervisor turned over duties to a third supervisor before the second worker completed the assigned partial restoration. Due to miscommunication, the third supervisor thought that all the EDG 1B restoration tasks had been completed. EDG 1B was declared back in service at 2:30 am on May 11.

EDG 1B may have been declared in service, but it was incapable of running because both its start air valves were closed. At that moment, it did not compromise safety because EDG 1A and the safety equipment it supplied were still available and that’s all that was required per regulations.

Safety was compromised at 11:28 pm on May 13 when the reactor core cooling pump supplied from Bus 1A1 was removed from service and the reactor core cooling pump supplied from Bus 1B1 placed in operation. Bus 1B1 was supplied with offsite power through the RAT. But if the transformer failed or the offsite power grid was lost, the disabled EDG 1B would not have stepped in to save the day.

Safety was further compromised at 12:30 am on May 14 when Bus 1A1 was de-energized and all the safety equipment it supplied rendered useless.

Had the offsite power grid been lost or the RAT failed, Bus 1B1 and all the equipment it supplied would have been de-energized. Bus 1A1 and all the equipment it supplied were intentionally de-energized. And Bus 1C1, backed by EDG 1C, was energized. But its primary safety component, the High Pressure Core Spray system, was unavailable due to ongoing maintenance. The plant was in a vulnerable situation expressly forbidden by its operating license requirements.

Fig. 2 (Source: NRC, color annotations by UCS)

Restoring a Safe Condition

At 3:03 pm on May 17, a worker conducting routine shift rounds found the start air valves for EDG 1B closed and notified the control room operators. The EDG restoration procedure was performed—in its entirety—to really and truly restore EDG 1B to service and achieve compliance with regulatory requirements.

NRC Findings and Sanctions

The NRC special inspection team determined that EDG 1B had been inoperable for over six days without the owner’s awareness. The NRC team additionally determined that for more than three days—from May 14 through May 17—a loss of the offsite power grid would have plunged the plant into a station blackout.

While a station blackout condition doomed three reactors at Fukushima Daiichi to meltdowns, the NRC team identified three ways for workers to have responded to a station blackout at Clinton to avert such an outcome. First, they could have discovered the closed start air valves and opened them to recover EDG 1B. Second, they could have started EDG 1C and cross-connected it to re-energize Bus 1B1. While EDG 1C has smaller capacity than EDG 1B, it had sufficient capacity to handle the loads needed during refueling. Third, they could have deployed the FLEX equipment added after Fukushima to cool the reactor core.

The NRC team calculated that had a station blackout occurred, it would have taken about five hours for the loss of cooling to heat up the water in the reactor vessel to the boiling point and that it would have taken about another twelve hours for water to boil away to uncover the reactor core and cause damage. Approximating this timeline helps the NRC assess how likely it would have been for workers to successfully intervene and avert disaster.

The NRC team also identified factors lessening confidence that workers would successfully intervene. The NRC team reported that five different workers entered the room housing EDG 1B a total of twelve times during the period it was disabled for the express purpose of ensuring things were okay. The NRC team observed that the start air valves were located at about knee-level and had been secured in the closed position with long black plastic straps. The NRC team also noted that there were two air pressure gauges both reading zero—a clear indication that there was no start air pressure available for EDG 1B. The NRC team interviewed workers, but never learned why so many workers tasked with looking for signs of trouble overlooked so many signs of trouble so many times.

The NRC issued one Green finding for failing to notice that the EDG 1B start air valves were closed.

The NRC also issued a finding with a significance yet to be determined for the multiple failures to follow procedures that led to the start air valves for EDG 1B remaining closed.

UCS Perspective

The failures by the supervisors and workers can be explained, but not excused.

Like most U.S. nuclear power reactors, Clinton typically shuts down for refueling every 18 or 24 months. The refueling outages last about a month. Thus, Clinton runs about 95 percent of the time and refuels only about 5 percent of the time.

When the reactor was running, safety equipment like the EDGs was routinely removed from service, tested and/or repaired, and returned to service. Similarly, workers conducted rounds—walkdowns of plant areas looking for off-normal conditions—every shift of every day.

During refueling, the same restoration and rounds procedures are used for the same purposes, but under significantly different conditions. When the reactor is running, most safety systems are in service making it easier to concentrate on the tiny subset taken out of service. And it’s easier to spot when something is off-normal.

Many safety systems are removed from service concurrently during refueling. Restoring safety systems to service during refueling is complicated when support systems have not yet been restored to service. Performing rounds is complicated by so many systems and components being out of their normal condition that distinguishing acceptable off-normal from improper off-normal becomes challenging. So, it can be understood how trained and dedicated workers with good intentions can fail to rise to the challenge periodically.

This event illustrates two important safety truths: (1) despite best efforts, things can go wrong, and (2) the way to make best efforts better is to extract lessons learnable from near misses and implement effective fixes.

This event did not involve any actual loss of power to safety equipment or loss of reactor core cooling. This event did involve an increased potential for these losses.

The plant owner and the NRC took this increased potential seriously and examined why it had happened. Those examinations will identify barriers that failed and suggest upgrades to existing barriers or additional barriers to lessen the chances that a potential, or actual, event occurs.

On one hand, Clinton can be said to have dodged a bullet this time. On the other hand, the owner and NRC examining this near miss will help make Clinton—and other reactors—more bulletproof.

Vogtle and Hatch: Have Cost Over-Runs Undermined Safety Performance?

In August 2018, Georgia Power announced that it had raised its estimate of the construction costs for its 45.7% share of the two new reactors being constructed at the Vogtle nuclear plant by $1.1 billion from $7.3 billion to $8.4 billion. Assuming the company lacked warehouses stuffed with money, the cost over-run raised an important question: has the hemorrhaging budget for constructing Vogtle Units 3 and 4 taken funding or distracted management attention away from the company’s operating reactors—Vogtle Units 1 and 2 and Hatch Units 1 and 2—and undermined their nuclear safety performance?

If asked, Georgia Power would certainly say “nope.” Because the company cannot forecast the cost of building reactors within a billion dollars or so, their skill at forecasting the necessary cost of operating reactors is questionable, at best. In other words, I didn’t ask Georgia Power.

Instead, I examined two data sets that provide more reliable insights on whether cost over-runs on Vogtle Units 3 and 4 have undermined safety performance of the company’s operating reactors. One data set was the quarterly performance ratings issued by the Nuclear Regulatory Commission (NRC) for every operating reactor in the country. The other data set was the reactor power levels reported each day by reactor owners to the NRC.

NRC Performance Ratings

In 2000, the NRC began assessing performance of every operating reactor every quarter using a combination of violations of regulatory requirements identified by NRC inspectors and about 24 performance indicators. When performance meets expectations, the NRC’s findings (if any) are green and the performance indicators are green. The further performance drops below expectations, the colors move from green to white to yellow to red.

Each quarter, the NRC uses the findings and indicators to place each operating reactor into one of five columns of its Action Matrix. When all expectations are met, reactors are placed in Column 1. As performance drops, reactors are moved into Columns 2, 3, 4, and 5. More than 80 percent of the time, NRC has placed reactors in Column 1. So, performance warranting a move out of Column 1 has been experienced, but most often avoided.

The NRC’s quarterly performance ratings between 2012 and the first half of 2018 for the operating reactors at Hatch and Vogtle are shown in Figure 1. Both the Hatch reactors remained in Column 1 the entire time. The two operating reactors at Vogtle dropped into Column 2 for a total of 8 of the 26 quarters. The good news is that Georgia Power was able to remedy the performance shortcomings to return the Vogtle reactors to Column 1. The bad news is that the Vogtle reactors are underperforming the U.S. nuclear fleet. The typical U.S. reactor received Column 1 performance ratings over 80 percent of the time. The Vogtle reactors were in Column 1 less than 70 percent of the time from 2012 onward.

Fig. 1 (Source: Union of Concerned Scientists)

Daily Reactor Power Levels

Each day, plant owners report the power levels their reactors are operating at. The NRC archives the reports and posts the daily reactor power levels over the past 365 days on its website. I used this data to plot the daily power levels reported for the Hatch Unit 1 and 2 reactors between 2014 and 2018 in Figure 2. The refueling outages conducted over this period are easy to spot—they are the wider white gaps preceded by a few days of gradually decreasing reactor power levels. Refueling outages commonly last three to four weeks. Figure 2 also shows a few other shorter outages and power reductions, especially on Unit 1.

Fig. 2 (Source: Union of Concerned Scientists)

Figure 3 shows the daily power levels for the Vogtle Unit 1 and 2 reactors between 2014 and 2018. Again, refueling outages, non-refueling outages, and power reductions are evident in the plots.

Fig. 3 (Source: Union of Concerned Scientists)

The plots of daily reactor power levels may appear as insightful as the squiggles and blips on an EKG screen. To help put the plots for the Hatch and Vogtle reactors in context, the daily power levels for the Pilgrim reactor over the same time period are plotted in Figure 4. During most of this time, Pilgrim resided in Column 4. No reactor in the United States received lower performance ratings from the NRC during this period than Pilgrim.

Fig. 4 (Source: Union of Concerned Scientists)

What’s the difference between good performing reactors and Pilgrim? Pilgrim has fewer big blue rectangular blocks of operating at full power. Ideally, a reactor should run at 100 percent power from refueling outage to refueling outage, with only a short-duration power reduction every quarter for testing. The more that the solid blue rectangles between refueling outages are splintered by unplanned shutdowns and unwanted power reductions, the less ideally a reactor is operating.

UCS Perspective

The NRC’s quarterly performance ratings suggest the financial and management resources poured into the cost over-runs on Vogtle Units 3 and 4 have not undermined safety performance at Hatch Units 1 and 2.

The NRC’s quarterly performance ratings for Vogtle Units 1 and 2 paint a slightly different picture. Whereas the average U.S. reactor received Column 1 ratings from the NRC over 80 percent of the time, the Vogtle reactors got Column 1 ratings less than 70 percent of the time in recent years. But this situation is tempered by both reactors currently receiving Column 1 ratings. The Vogtle reactors under-performed the U.S. fleet, but not by a troubling extent.

The daily reactor power levels for the Hatch and Vogtle reactors also suggest that performance has not been appreciably undermined. The data do not suggest that the Hatch and Vogtle reactors have the performance shortcomings reflected by the daily reactor power levels for the Pilgrim reactor—the worst performing reactor per the NRC’s ratings—over the same period.

The NRC’s quarterly performance ratings are the public’s safety net. Insufficient budgets, inadequate management attention, aging equipment, and other causes can lead to lowered performance ratings. Lower performance ratings increase NRC oversight. The early detection and correction of performance shortcomings prevents problems from growing to epidemic proportions that invite disaster.

Unfortunately, the NRC is contemplating changes to its quarterly performance ratings and mandated responses that could cut holes in the public’s safety net. As nuclear plants age and their maintenance budgets shrink, the NRC needs to strengthen rather than weaken the most reliable tool it uses to protect public health and safety—timely, reliable and accurate performance ratings.

Breaking Containment at Crystal River 3

Role of Regulation in Nuclear Plant Safety #10

The Crystal River 3 pressurized water reactor in Florida was shut down in September 2009 for refueling. During the refueling outage, the original steam generators were scheduled to be replaced. The Nuclear Regulatory Commission (NRC) was reviewing the owner’s application to extend the reactor operating license for another 20 years. The replacement steam generators would enable the reactor to operate through the end of its current operating license period as well as to the end of a renewed license.

But those plans changed drastically when the process of cutting an opening in the concrete containment wall for the steam generator replacement inflicted extensive damage to the concrete. When the cost of fixing the broken containment rose too high, the owner opted to permanently shut down the facility before its original operating license expired.

Background

Crystal River 3 is located on the western coast of Florida and featured a pressurized water reactor (PWR) designed by Babcock & Wilcox. The NRC issued the reactor operating license on December 3, 1976.

Refueling Outage and Steam Generator Replacements

Operators shut down the reactor on September 26, 2009, to begin the plant’s 16th refueling outage. Workers planned to replace the steam generators during the outage. The original steam generators were wearing out and were to be replaced with steam generators made from materials more resistant to wear and tear. Since the first steam generator replacements more than two decades earlier, so many PWRs had performed this exercise that it was almost routine.

Figure 1 shows a simplified side view of the containment structure at Crystal River 3. The reactor core is the green rectangle within the capsule-shaped reactor vessel. The reactor vessel is flanked by the two larger steam generators. In front of the steam generator on the right is the pressurizer. The vertical portion of containment is a cylinder about 137 feet in diameter.

Fig. 1 (Source: Progress Energy)

The containment at Crystal River 3 was a 3-D post-tensioned concrete cylinder with a steel liner. The 0.475-inch thick steel liner formed the inner surface of the containment wall. Behind it were 42-inch thick concrete walls and a 36-inch thick concrete dome. Embedded in the concrete walls were 5.25-inch round tendons encased within metal sleeves. These tendons functioned like reinforcing bands—workers tightened, or tensioned, them to give the concrete wall additional strength against the internal pressure that could occur during an accident. This containment design was used for more than half of the PWRs operating in the United States.

The containment featured a large round opening called the equipment hatch. Figure 2 shows the equipment hatch in late November 1972 during plant construction. The concrete has not yet been poured in that section of containment, so the metal reinforcing bars and horizontal tendon sleeves (the vertical rows of white dots on either side of the equipment hatch) embedded in the concrete are visible.

 

Fig. 2 (Source: Progress Energy)

Because the original steam generators were expected to last throughout the 40-year operating life of the reactor, the equipment hatch was not large enough for the steam generators to be removed intact. They could have been cut up into sections and slices removed through the equipment hatch. But the equipment hatch was also too small for the replacement steam generators to enter intact. Cutting them up into sections was not an option. Plan B involved cutting an opening approximately 25-feet by 27-feet through the containment concrete wall and liner above the equipment hatch as shown in Figure 3.

Fig. 3 (Source: Progress Energy)

The Butterfly Defect

The operators began reducing the reactor power level at 7:03 pm on September 25, 2009, to enter the refueling outage. They shut down the reactor at 12:29 am September 26. They continued cooling the reactor water down over the next few hours and entered Refueling mode at 4:51 pm that afternoon. Seven minutes later, the contractor hired to cut through the containment wall was authorized to begin that work. An early step involved loosening and removing the horizontal tendons from the containment wall in the region where the opening would be cut.

On September 30, workers began using high-pressure water—at pressures up to 25,000 pounds per square inch—to cut and remove the concrete from an 8-feet wide by 6-feet tall test section of the concrete containment wall. Full-scale removal of the concrete began at 4:30 am on October 1. Workers installed a debris chute to carry away the excavated concrete and water.

About 5:00 am on October 2, the concrete cutting and removal work was halted because an obstruction in the debris chute caused water to spill. Workers noticed water streaming from a crack in the containment wall below and to the right of the new opening. Investigation into this unexpected waterfall identified a vertical crack in the concrete between the tendon sleeves and interior liner.

Fig. 4 (Source: Progress Energy)

It was not a tiny crack. It was visible along all four edges of the square opening cut through the containment wall. The defect in the concrete was termed delamination.

Fig. 5 (Source: Progress Energy)

Workers drilled dozens of bore holes into the containment wall supplemented by impulse response testing (essentially ultrasonic probing of the wall to look for voids within the concrete) to map out the extent of the delamination. Figure 6 shows that the delamination area resembled a butterfly, extending far beyond the crack around the steam generator replacement (SGR) opening. Figure 6 also shows the horizontal tendons loosened and removed because of the opening in blue while the tendons left tensioned are shown in red.

Fig. 6 (Source: Progress Energy)

The NRC Dispatches its Crack Inspection Team

The NRC formed a Special Inspection Team on October 13, 2009, to go to Crystal River 3 and investigate the containment damage. Because the reactor was shut down, the damage did not pose an immediate safety hazard. But the NRC recognized that the damage might have generic implications as other owners cut through containments for steam generator and reactor vessel head replacements. In addition, the NRC needed to understand the extent of the damage to ensure the containment was properly restored before the reactor restarted.

Delamination Déjà vu

The NRC team reported that the Crystal River 3 containment experienced concrete delamination about a year after the tendons had been initially tightened. In April 1976, electricians were drilling into the outer surface of the containment dome to secure anchors for the conduit they were installing. In certain areas, the anchors would not hold. Investigation found a region of about 105-feet in diameter where the concrete had delaminated. The delamination affected about 15 inches of the 36-inch thick concrete dome, with the maximum gap between layers being about two inches wide. Cracks were not evident on the inner or outer surfaces of the dome, but workers reported a “springiness” when walking across the dome’s delamination region. The degraded concrete was removed and replaced with the standard, non-springy kind.

Containment concrete delamination also occurred during construction at the Turkey Point nuclear plant in Florida in June 1970 and at the Unit 2 reactor at the Kaiga nuclear plant in India in May 1994.

Causes of the Concrete Cracking

The plant’s owner formed a team to determine the cause for the cracking experienced in fall 2009. The team developed a list of 75 potential causes and then evaluated each candidate. 67 suspects were dismissed due to lack of evidence. The remaining eight potential causes were determined to have conspired to cause the delamination—had any single factor been absent, the delamination would likely not have occurred.

The Crystal River 3 containment design featured higher stresses than most other designs. The concrete used in the containment met design specifications, but with considerably less margin than normal. And the sequencing used to loosen the tendons prior to cutting the steam generator replacement opening resulted in high localized stresses that exacerbated the design and material conditions to cause cracking.

NRC Sanctions

The NRC imposed no sanctions following the investigation by its Special Inspection Team. The team determined that the containment was damaged after the reactor entered the Refueling mode. In that mode, containment integrity was not required. The equipment hatch is wide open much of the time during Refueling mode, so having a damaged section of containment wall above that large opening did not violate regulatory requirements.

NRC Nuclear Fleet Outreach

The NRC’s Generic Communications program is its means for conveying operating experience to plant owners. The program uses Information Notices to provide warnings and updates about safety problems and Generic Letters and Bulletins to also require owners to take steps intended to prevent a common problem from rippling across the reactor fleet. While it is not uncommon for the NRC to send out at least an Information Notice to owners about problems like that experienced at Crystal River 3, the NRC did not exercise this option in this case. The NRC did post information to its website about the problem and made a presentation about the Special Inspection Team sent to the plant during the annual Regulatory Information Conference in March 2010.

The NRC’s Office of Nuclear Regulatory Research issued NUREG/CR-7208, “Study on Post Tensioning Methods,” in November 2015. While far from a treatise on what caused the delamination at Crystal River 3, it provided considerable insight into the analysis of stresses imposed on concrete structures when the embedded tendons are tightened.

Delamination to Defueled to Decommissioning

The plant’s owner made several attempts to repair the damaged concrete containment wall, but the efforts proved unsuccessful. During the efforts, workers completed offloading all the fuel assemblies from the reactor vessel into the spent fuel pool on May 29, 2011. After another repair failed, the company decided to permanently shut down the facility rather than undertake the cost—and uncertain outcome—of yet another attempt. On February 5, 2013, the company announced that the reactor had been permanently shut down and would transition into decommissioning.

UCS Perspective

This event reflects just right regulation by the NRC.

The NRC dispatched a Special Inspection Team to investigate the cause and corrective actions for the concrete degradation at Crystal River 3 even though the problem had no adverse safety implications for the reactor in refueling mode.

Had the NRC not done so or delayed doing so, any potential generic implications that adversely affected safety at operating reactors might have been missed. While no such implications were found, it’s far better to have looked for them and not found them than to have not looked for them and had them “surprise” us later.

Had the NRC not done so or delayed doing so, the agency would not have clearly understood the cause of the concrete degradation in order to make informed decisions about the effectiveness of repairs. Restart of the plant would have been delayed as the NRC belatedly sought to acquire that awareness, or restart of the plant would have happened lacking the NRC’s independent verification that proper safety levels had been restored. The former would have placed an undue economic burden on the owner; the latter would have placed an undue risk burden on workers and the public.

But the NRC took just the right actions at just the right time to properly oversee safety at the plant. The owner’s decision to permanently retire rather than repair the plant was made without the NRC’s thumb on either side of the scales.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Naughty and Nice Nuclear Nappers

Role of Regulation in Nuclear Plant Safety #9

The Peach Bottom Atomic Power Station in Delta, Pennsylvania is known for its tireless workers. They stop working long before getting tired and nap while on duty. The Nuclear Regulatory Commission (NRC) treated the nuclear nappers as naughty in 1987 but as nice in 2007. The reason for such disparate handling of the same problem isn’t apparent. Maybe if I took a nap it would come to me in a dream.

Peach Bottom is home to three reactors. Unit 1 was a high temperature gas-cooled reactor that got its operating license in January 1966 and was permanently shut down in October 1974. Units 2 and 3 are boiling water reactors that began operating in 1974.

Naughty Nuclear Nappers in 1987

On March 31, 1987, the NRC ordered both operating reactors at Peach Bottom to be shut down. The NRC had received allegations that control room operators were routinely sleeping in the control room. Victor Stello, the NRC’s Executive Director for Operations, wrote in the order:

… it is apparent that the licensee, through its enforcement history and from what has been developed by the ongoing investigation, knew or should have known of the unwillingness or inability of its operations staff to comply with Commission requirements, and has been unable to implement effective corrective action. Consequently, the NRC lacks reasonable assurance that the facility will be operated in a manner to assure that the health and safety of the public will be protected. Pending the development of other relevant information, I am unable to determine that there is reasonable assurance that the facility will be operated in a manner to assure that the health and safety of the public will be protected. Accordingly, I have determined that continued operation of the facility is an immediate threat to the public health and safety.

Fig. 1 (Source: CBS Evening News, March 31, 1987)

Nucleonics Week reported on August 18, 1988, that the NRC proposed a then-record $1,250,000 fine on the company and fines ranging from $500 to $1,000 for 33 of the plant’s 36 licensed operators for the nuclear naps. The remaining three operators were cited for violating federal regulations, but not fined.

The NRC issued amendments to the operating licenses for Peach Bottom Units 2 and 3 on March 22, 1989, to add limits on how many hours the operators could work. The added requirements limited hours worked to 16 in any 24-hour period, 24 in any 48-hour period, and 60 in any week. The amendment wasn’t clear whether hours sleeping on duty counted against the limits or not.

Unit 2 remained shut down until May 22, 1989, while Unit 3 remained shut down until December 11, 1989. The outages lasted longer than two years not to let the operators get plenty of rest but to remedy the many problems caused by the same inadequate management oversight that condoned operators sleeping in the control rooms.

Nice Nuclear Nappers in 2007

On March 27, 2007, the NRC received allegations that individuals working for the contract firm providing security at Peach Bottom were routinely sleeping in the “ready room” and that management of the security contractor and the plant owner knew about it. (The “ready room” is where armed responders wait. When security force personnel in another room monitoring video cameras and sensors detect unauthorized intruder(s), the armed responders are deployed to deter the intrusion.)

On April 30, 2007, the NRC wrote the plant owner a letter asking whether security officers were inattentive on duty. On May 30, 2007, the owner wrote back to the NRC saying that security officers were properly attentive, and that additional radio checks and periodic post checks were being instituted to boost and sustain that attentiveness level.

In mid-June 2007, a security officer informed security management about his videotapes showing fellow security officers still sleeping on duty. In late June 2007, the security officer was instructed by security management to stop videotaping sleeping security officers. On August 22, 2007, NRC inspectors confirmed that security officers were attentive while on duty.

On September 10, 2007, WCBS-TV (New York City) broadcast videos of security officers sleeping at Peach Bottom on June 9, June 20, and August 10, 2007. On September 17, 2007, the security officer who reported sleeping security officers to security management, plant management, and the NRC was suspended due to “trustworthiness concerns.”

Fig. 2 (Source: CNN Situation Room, September 2007)

The ensuing NRC investigation commended the company’s handling of the situation and reported:

Overall, Security Plan implementation provided assurance that the health and safety of the public was adequately protected at all times. Notwithstanding, the security officer inattentiveness adversely impacted elements of the defense-in-depth security strategy. In addition, actions by security guard force supervision were not effective in ensuring that unacceptable security officer behavior was promptly identified and properly addressed.

The NRC asked other owners on December 12, 2007, about their ways and means for maintaining security officers who were bright-eyed or bushy-tailed (not both, both attributes would not have passed the backfit rule) while protecting nuclear power plants. The NRC’s mandate clearly resulted from the nuclear nappers at Peach Bottom, but it did not mention the incidents, the company’s name, or the plant’s name for unknown reasons.

The NRC did not order either Peach Bottom reactor to reduce power, let alone shut down.

The NRC did not fine the company, Exelon, or the napping security officers.

Instead, the NRC issued a White finding to the company on February 12, 2008, for the inattentive security officers. If you ever had to have a bad report card signed by your parents or paid a nickel for an overdue library book, you suffered a harsher sanction than NRC imposed for the nice nuclear nappers.

UCS Perspective

There were two sequences involving nuclear nappers at Peach Bottom. The series leading up to the March 1987 shutdown order did not involve an operator nodding off, but rather a deliberate practice of sleeping on duty with management’s awareness and tolerance.

The series leading up to the February 2008 White finding also did not involve one security officer nodding off at his or her post, but rather a sustained practice of sleeping on duty with management’s awareness and tolerance.

Clearly, the NRC considered the nuclear nappers to be naughty in one case and nice in the other.

Such disparate regulatory response to the same underlying situation means that one series represented over-regulation and the other was under-regulation. My vote on which goes where should be obvious. I’ll leave it up to the reader to place the 1987 series into either the under-regulation or over-regulation bin, with the 2007 series going into the other bin.

Two wrongs still don’t make a right, so these two cases cannot be melded into one just-right regulation story. That just wouldn’t be right.


How to Think about Space-Based Missile Defense

The idea of a space-based missile defense system has been around for more than 30 years. There are at least two reasons for its continuing appeal.

The first is that it is seen as a global system that could defend against missile launches from anywhere in the world.

The second is the attraction of intercepting long-range ballistic missiles during their “boost phase”—the few minutes when their engines are burning. Hitting a missile while it is burning sidesteps the difficulty of evading decoys and other countermeasures that missiles can release during midcourse phase after their engines shut off. Defenses that are intended to intercept during midcourse phase, like the US Ground-based Midcourse Defense and Aegis systems, are highly susceptible to countermeasures.

But for an interceptor to be able to reach a missile during the short boost phase, it must be stationed close to where the missile is launched—which is the motivation for putting interceptors in orbit so they can pass over the launch site.

However, the reality of space-based defenses is not so appealing.

Technical studies (for example, by the American Physical Society (APS) (2004) and National Academies of Science and Engineering (2012)) show that even a system with many hundreds of space-based interceptors would not provide an effective defense—in part because the interceptor constellation would be vulnerable to anti-satellite weapons and to being overwhelmed by a salvo of missile launches.

Yet it would be extremely expensive. The National Academy study concluded that a space-based boost-phase missile defense would cost 10 times more than any terrestrial alternative. It said that even an “austere and limited-capability” system would cost at least $300 billion.

These problems are intrinsic to the system because of the physics of operating in space. A few diagrams can make clear why—see below.

Basics, and Implications

The technology does not exist for space-based lasers powerful enough for missile defense, so the defense systems being discussed would use kinetic interceptors that would accelerate out of orbit and physically collide with a missile. Since a missile’s boost phase lasts only a few minutes, in order to reach the missile the interceptors need to be in low-altitude orbits (typically 300 to 500 km (200 to 300 miles)) that pass over the launch site.

Fig. 1. An orbit lies in a plane that passes through the center of the Earth. The angle between that plane and the plane that contains the equator is called the “inclination” of the orbit. The “ground track” of an orbit is the line of points on the Earth directly below the satellite. (Source)

The fact that the interceptors are in low-altitude orbits has three important implications:

  1. The system needs a very large number of interceptors in orbit: An interceptor can’t sit over one location on Earth (the orbit that allows satellites to appear stationary over a point on the ground is 100 times higher—in the geostationary band—which is much too far away). Instead, to remain in orbit the interceptor constantly moves at very high speed (25 times the speed of a jet); at this speed it circles the Earth in about 90 minutes. As a result, it spends very little time over any particular spot on the Earth.

That means the system needs many interceptors in orbit so that one moves into position as the one in front of it moves out of position. As I show below, 300 to 400 interceptors are needed in orbit just to cover North Korea, and 1,000 or more for global defense coverage.

  2. An adversary will know where the interceptors are at all times: At these low altitudes, the interceptors can be easily tracked by an adversary, who can then calculate where they will be in the future since objects in orbit move in a predictable way. An adversary will therefore also know where there are any holes in the defense coverage. A defense with predictable holes in it is not an effective defense.

Fig. 2. Even a 1,200 km (750 mile) range missile could lift an anti-satellite weapon high enough to attack a space-based interceptor in a 300 to 500 km altitude orbit.

  3. The interceptors will be vulnerable to attack from low-cost ground-based weapons: To launch objects into orbit you need to lift them to high altitude AND accelerate them to very high orbital speed. That requires a large space-launch rocket and is very expensive, which contributes to the high cost of creating a large constellation of interceptors in space.

However, firing an anti-satellite (ASAT) weapon at an interceptor as it passes overhead just requires lifting the ASAT to the altitude of the interceptor, and that can be done with a relatively cheap short-range or medium-range missile. Interceptors orbiting at 300 to 500 km would easily be within range of the Chinese DF-21D missile. Figure 2 shows that even a missile like a North Korean Nodong or Iranian Shahab 3 fired vertically could reach high enough altitudes to attack these interceptors if these countries developed or acquired ASAT capability to put on them.

Estimating the Number of Space-based Interceptors to Cover North Korea

This section shows why the physics of space-based boost-phase interceptors requires such a large constellation.

For a system optimized to defend against launches from North Korea, a space-based interceptor would be in an orbit like the white one in Figure 3, which is inclined at 45° to the equator and can carry the interceptor over North Korea.

Fig. 3. The white circle is the ground track of an interceptor orbit that is inclined at 45° to the equator (red circle).

Figure 4 shows missile trajectories (yellow lines) from North Korea to the east and west coasts of the United States. The yellow circle shows the region in which a space-based interceptor traveling on the white orbit could intercept a missile below it. This circle is 1,600 km (1,000 miles) in diameter, which assumes a very capable interceptor in a low-altitude orbit against liquid-fueled missiles like those North Korea has. Against solid-fueled missiles, which would typically have shorter burn times, the circle would be smaller.

Fig. 4. The white curve is the ground track of the interceptor’s orbit. The yellow circle is the region in which the interceptor could reach a missile launched below it. The circle is 1,600 km in diameter, which assumes δV = 4 km/s for the interceptor, in line with the assumptions in the APS and National Academies studies.

The interceptor moves rapidly in orbit, circling the Earth in about 90 minutes. That means the yellow circle will only be over North Korea for 3.5 minutes. To keep an interceptor over North Korea at all times there must be other interceptors in the orbit (black dashed circles) that move into place when the ones in front of them move out of place (Fig. 5).

Fig. 5. As the interceptor moves in orbit, the yellow circle will not stay over North Korea and additional interceptors—indicated here by the black dashed circles—must be in position to take its place.

To have constant coverage over North Korea, there must be interceptors all around the orbit. In the case shown here, it takes 25 interceptors to fill up this orbit so that one of them is always over some part of North Korea. Since you would want overlap between the circles, you would need more than that—probably 40 to 50 interceptors in the orbit.

So far we have taken into account the motion of the interceptor in its orbit but not the fact that the Earth is rotating under this orbit. Three and a half hours after the situation shown in Figure 5 North Korea will have moved 4,000 km (2,500 miles) east. The interceptors on this orbit will no longer be able to reach missiles launched from North Korea: Figure 6 shows that the yellow circle no longer contains any part of the missile trajectories. That means the system would need seven or eight orbits spaced around the Earth, each with 40 to 50 interceptors, so that interceptors on these other orbits will be over North Korea as the Earth rotates.

Fig. 6. Three and a half hours later than the situation shown in Figure 5, the Earth will have rotated under the orbit and the interceptor in the yellow circle will no longer be able to reach missiles launched from North Korea toward the United States.

Figure 7 shows eight equally spaced orbits (white lines) for a constellation optimized to cover North Korea, with a total of 300 to 400 interceptor satellites. That constellation, however, would only give constant coverage over latitudes near North Korea (red dot). Below about 35° latitude there would be big gaps in the coverage through which a country could fire a missile. And the constellation gives no coverage at all above about 55° latitude, which includes almost all of Russia (Fig. 8).

Fig. 7. Eight orbits (white lines) making up a constellation to cover North Korea.

Fig. 8. This figure shows the ground coverage (gray areas) of interceptor satellites in a constellation using equally spaced orbital planes with 45° inclination, assuming the interceptors can defend an area 1,600 km in diameter. The two dark lines are the ground tracks of two of the interceptors in neighboring planes. As the gray areas show, this constellation can provide complete ground coverage for areas between about 30° and 50° latitude (both north and south), less coverage below 30°, and no coverage above about 55°.

Achieving more global coverage would require a constellation of 1,000 or more interceptor satellites. Figure 9 shows a constellation of 24 orbits with inclinations of 65°. With 40 to 50 interceptor satellites per orbit, this system would have a total of 960 to 1,200 satellites.

Such a system would still only be able to engage a few missiles fired in a volley from the same place. It would give thin coverage at all latitudes between 70 degrees north and south, assuming a boost-phase interceptor that could defend an area shown by the yellow circle in Figure 2.

Fig. 9. This figure shows a constellation of 24 orbits with inclinations of 65°. With 40 to 50 interceptor satellites per orbit, this system would have a total of 960 to 1,200 satellites and could give thin coverage of the Earth between 70° north and south latitude. The yellow circle is the area one interceptor could cover, which we assume is 1,600 km in diameter, as in Figures 4-6.

Two final notes:

  1. It doesn’t make sense to put midcourse interceptors in space: midcourse interceptors do not need to be close to the launch site, and deploying them in space leads to a very expensive system compared to ground-based systems.
  2. For a geographically small country bordered by water—in particular, North Korea—boost phase intercepts may be possible from air-borne drones or ships, which are options currently being researched.

For more on space-based defenses, click here.

Anticipated Transient Without Scram

Role of Regulation in Nuclear Plant Safety #8

In the mid-1960s, the nuclear safety regulator raised concerns about the reliability of the system relied upon to protect the public in the event of a reactor transient. If that system failed—or failed again since it had already failed—the reactor core could be severely damaged (as it had been during that prior failure). The nuclear industry resisted the regulator’s efforts to manage this risk. Throughout the 1970s, the regulator and industry pursued a non-productive exchange of study and counter-study. Then the system failed again—three times—in June 1980 and twice more in February 1983. The regulator adopted the Anticipated Transient Without Scram rule in June 1984. But it was too little, too late—the hazard it purported to manage had already been alleviated via other means.

Anticipated Transients

Nuclear power reactors are designed to protect workers and members of the public should anticipated transients and credible accidents occur. Nuclear Energy Activist Toolkit #17 explained the difference between transients and accidents. Anticipated transients include the failure of a pump while running and the inadvertent closure of a valve that interrupts the flow of makeup water to the reactor vessel.

The design responses to some anticipated transients involve automatic reductions of the reactor power level. Anticipated transients upset the balance achieved during steady state reactor operation—the automatic power reductions make it easier to restore balance and end the transient.

Scram

For other transients and for transients where power reductions do not successfully restore balance, the reactor protection system is designed to automatically insert control rods that stop the nuclear chain reaction. This rapid insertion of control rods is called “scram” or “reactor trip” in the industry. Nuclear Energy Activist Toolkit #11 described the role of the reactor protection system.

Scram was considered to be the ultimate solution to any transient problems. Automatic power reductions and other automatic actions might mitigate a transient such that scram is not necessary. But if invoked, scram ended any transient and placed the reactor in a safe condition—or so it was believed.

Anticipated Transient Without Scram (ATWS)

Dr. Stephen H. Hanauer was appointed to the NRC’s Advisory Committee on Reactor Safeguards (ACRS) in 1965. (Actually, the ACRS was part of the Atomic Energy Commission (AEC) in those days. The Nuclear Regulatory Commission (NRC) did not exist until formed in 1975 when the Energy Reorganization Act split the AEC into the NRC and what today is the Department of Energy.) During reviews of applications for reactor operating licenses in 1966 and 1967, Hanauer advocated separating instrumentation systems used to control the reactor from the instrumentation systems used to protect it (i.e., trigger automatic scrams). Failure of this common system caused an accident on November 18, 1958, at the High Temperature Reactor Experiment No. 3 in Idaho.

The nuclear industry and its proponents downplayed the concerns on grounds that the chances of an accident were so small and the reliability of the mitigation systems so high that safety was good enough. Dr. Alvin Weinberg, Director of the Oak Ridge National Laboratory, and Dr. Chauncey Starr, Dean of Engineering at UCLA, publicly contended that the chances of a serious reactor accident were similar to that of a jet airliner plunging into Yankee Stadium during a World Series game.

In February 1969, E. P. Epler, a consultant to the ACRS, pointed out that common cause failure could impair the reactor protection system and prevent the scram from occurring. The AEC undertook two efforts in response to the observation: (1) examine mechanisms and associated likelihoods that a scram would not happen when needed, and (2) evaluate the consequences of anticipated transients without scrams (ATWS).

The AEC published WASH-1270, “Technical Report on Anticipated Transients Without Scram,” in September 1973. Among other things, this report established the objective that the chances of an ATWS event leading to serious offsite consequences should be less than 1×10⁻⁷ per reactor-year. For a fleet of 100 reactors, meeting that objective translates into one ATWS accident every 100,000 years—fairly low risk.

The AEC had the equivalent of a speed limit sign but lacked speedometers or radar guns. Some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—10,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁷ per reactor-year. The lack of riskometers and risk guns fostered a debate that pre-dated the “tastes great, less filling” debate fabricated years later to sell Miller Lite beer.

An article titled “ATWS—Impact of a Nonproblem,” that appeared in the March 1977 issue of the EPRI Journal summarized the industry’s perspective (beyond the clue in the title):

ATWS is an initialism for anticipated transient without scram. In Nuclear Regulatory Commissionese it refers to a scenario in which an anticipated incident causes the reactor to undergo a transient. Such a transient would require the reactor protection system (RPS) to initiate a scram (rapid insertion) of the control rods to shut down the reactor, but for some reason the scram does not occur. … Scenarios are useful tools. They are used effectively by writers of fiction, the media, and others to guide the thinking process.

Two failures to scram had already occurred (in addition to the HTRE-3 failure). The boiling water reactor at the Kahl nuclear plant in Germany experienced a failure in 1963 and the N-reactor at Hanford in Washington had a failure in 1970. The article suggested that scram failures should be excluded from the scram reliability statistical analysis, observing that “One need not rely on data alone to make an estimate of the statistical properties of the RPS.” As long as scenarios exist, one doesn’t need statistics getting in the way.

The NRC formed an ATWS task force in March 1977 to end, or at least focus, the non-productive debate that had been going on since WASH-1270 was published. The task force’s work was documented in NUREG-0460, “Anticipated Transients Without Scram for Light Water Reactors,” issued in April 1978. The objective was revised from 1×10⁻⁷ per reactor-year to 1×10⁻⁶ per reactor-year.

Believe it or not, somehow changing the safety objective without developing the means to objectively gauge performance towards meeting it did not end or even appreciably change the debate. Now, some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—1,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁶ per reactor-year. The 1970s ended without resolution to the safety problem that arose more than a decade earlier.

The Browns Ferry ATWS, ATWS, and ATWS

On June 28, 1980, operators reduced the power level on the Unit 3 boiling water reactor (BWR) at the Browns Ferry Nuclear Plant in Alabama to 35 percent and depressed the two pushbuttons to initiate a manual scram. All 185 control rods should have fully inserted into the reactor core within seconds to terminate the nuclear chain reaction. But 76 control rods remained partially withdrawn and the reactor continued operating, albeit at an even lower power level. Six minutes later, an operator depressed the two pushbuttons again. But 59 control rods remained partially withdrawn after the second ATWS. Two minutes later, the operator depressed the pushbuttons again. But 47 control rods remained partially withdrawn after the third ATWS. Six minutes later, an automatic scram occurred that resulted in all 185 control rods being fully inserted into the reactor core. It took four tries and nearly 15 minutes, but the reactor core was shut down. Fission Stories #107 described the ATWSs in more detail.

In BWRs, control rods are moved using hydraulic pistons. Water is supplied to one side of the piston and vented from the other side with the differential pressure causing the control rod to move. During a scram, the water vents to a large metal pipe and tank called the scram discharge volume. While never proven conclusively, it is generally accepted that something blocked the flow of vented water into the scram discharge volume. Flow blockage would have reduced the differential pressure across the hydraulic pistons and impeded control rod insertions. The scram discharge volume itself drains into the reactor building sump. The sump was found to contain considerable debris. But because it collects water from many places, none of the debris could be specifically identified as having once blocked flow into the scram discharge volume.

Although each control rod had its own hydraulic piston, the hydraulic pistons for half the control rods vented to the same scram discharge volume. The common mode failure of flow blockage impaired the scram function for half the control rods.

The NRC issued Bulletin 80-17, “Failure of 76 of 185 Control Rods to Fully Insert During a Scram at a BWR,” on July 3, 1980, with Supplement 1 on July 18, 1980, Supplement 2 on July 22, 1980, Supplement 3 on August 22, 1980, Supplement 4 on December 18, 1980, and Supplement 5 on February 2, 1981, compelling plant owners to take interim and long-term measures to prevent what didn’t happen at Browns Ferry Unit 3—a successful scram on the first try—from not happening at their facilities.

ATWS – Actual Tack Without Stalling

On November 19, 1981, the NRC published a proposed ATWS rule in the Federal Register for public comment. One could argue that the debates that filled the 1970s laid the foundation for this proposed rule and the June 1980 ATWSs at Browns Ferry played no role in this step or its timing. That’d be one scenario.

The Salem ATWS and ATWS

During startup on February 25, 1983, following a refueling outage, low water level in one of the steam generators on the Unit 1 pressurized water reactor at the Salem nuclear plant triggered an automatic scram signal to the two reactor trip breakers. Had either breaker functioned, all the control rods would have rapidly inserted into the reactor core. But both breakers failed. The operators manually tripped the reactor 25 seconds later. The following day, NRC inspectors discovered that an automatic scram signal had also happened during an attempted startup on February 22, 1983. The reactor trip breakers failed to function. The operators had manually tripped the reactor. The reactor was restarted two days later without noticing, and correcting, the reactor trip breaker failures. Fission Stories #106 described the ATWSs in more detail.

In PWRs, control rods move via gravity during a scram. They are withdrawn upward from the reactor core and held fully or partially withdrawn by electro-magnets. The reactor trip breakers stop the flow of electricity to the electro-magnets, which releases the control rods to allow gravity to drop them into the reactor core. Investigators determined that the proper signal went to the reactor trip breakers on February 22 and 25, but the reactor trip breakers failed to open to stop the electrical supply to the electro-magnets. Improper maintenance of the breakers essentially transformed oil used to lubricate moving parts into glue binding those parts in place—in the wrong places on February 22 and 25, 1983.

The Salem Unit 1 reactor had two reactor trip breakers. Opening of either reactor trip breaker would have scrammed the reactor. The common mode failure of the same improper maintenance practices on both breakers prevented them both from functioning when needed, twice.

The NRC issued Bulletin 83-01, “Failure of Reactor Trip Breakers (Westinghouse DB-50) to Open on Automatic Trip Signal,” on February 25, 1983, Bulletin 83-04, “Failure of Undervoltage Trip Function of Reactor Trip Breakers,” on March 11, 1983, and Bulletin 83-08, “Electrical Circuit Breakers with Undervoltage Trip in Safety-Related Applications Other Than the Reactor Trip System,” on December 28, 1983, compelling plant owners to take interim and long-term measures to prevent failures like those experienced on Salem Unit 1.

ATWS Scoreboard: Browns Ferry 3, Salem 2

ATWS – Actual Text Without Semantics

The NRC published the final ATWS rule adopted on June 26, 1984, or slightly over 15 years after the ACRS consultant wrote that scrams might not happen when desired due to common mode failures. The final rule was issued less than four years after a common mode failure caused multiple ATWS events at Browns Ferry and about 18 months after a common mode failure caused multiple ATWS events at Salem. The semantics of the non-productive debates of the Seventies gave way to actual action in the Eighties.

UCS Perspective

The NRC issued NUREG-1780, “Regulatory Effectiveness of the Anticipated Transient Without Scram Rule,” in September 2003. The NRC “concluded that the ATWS rule was effective in reducing ATWS risk and that the cost of implementing the rule was reasonable.” But that report relied on bona-fide performance gains achieved apart from the ATWS rule and which would have been achieved without the rule. For example, the average reactor scrammed 8 times in 1980. That scram frequency dropped to less than an average of two scrams per reactor per year by 1992.

Fig. 1 (Source: Nuclear Regulatory Commission)

The ATWS rule did not trigger this reduction or accelerate the rate of reduction. The reduction resulted from the normal physical process, often called the bathtub curve due to its shape. As procedure glitches, training deficiencies, and equipment malfunctions were weeded out, their fixes lessened the recurrence rate of problems resulting in scrams. I bought a Datsun 210 in 1980. That acquisition had about as much to do with the declining reactor scram rate since then as the NRC’s ATWS rule had.

There has been an improvement in the reliability of the scram function since 1980. But again, that improvement was achieved independently from the ATWS rule. The Browns Ferry and Salem ATWS events prompted the NRC to mandate via a series of bulletins that owners take steps to reduce the potential for common mode failures. Actions taken in response to those non-rule-related mandates improved the reliability of the scram function more than the ATWS rule measures.

If the ATWS rule had indeed made nuclear plants appreciably safer, then it would represent under-regulation by the NRC. After all, the question of the need for additional safety arose in the 1960s. If the ATWS rule truly made reactors safer, then the “lost decade” of the 1970s is inexcusable. The ATWS rule should have been enacted in 1974 instead of 1984 if it was really needed for adequate protection of public health and safety.

But the ATWS rule enacted in 1984 did little to improve safety that wasn’t achieved via other means. The 1980 and 1983 ATWS near-miss events at Browns Ferry and Salem might have been averted by an ATWS rule enacted a decade earlier. Once they happened, the fixes they triggered fleet-wide precluded the need for an ATWS rule. So, the ATWS rule was too little, too late.

The AEC/NRC and nuclear industry expended considerable effort during the 1970s not resolving the ATWS issue—effort that could better have been applied resolving other safety issues more rapidly.

ATWS becomes the first Role of Regulation commentary to fall into the “over-regulation” bin. UCS has no established plan for how this series will play out. ATWS initially appeared to be an “under-regulation” case, but research steered it elsewhere.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Obstruction of Injustice: Making Mountains out of Molehills at the Cooper Nuclear Plant

The initial commentary in this series of posts described how a three-person panel formed by the Nuclear Regulatory Commission (NRC) to evaluate concerns raised by an NRC worker concluded that the agency violated its procedures, policies, and practices by closing out a safety issue and returning the Columbia Generating Station to normal regulatory oversight without proper justification.

I had received the non-public report by the panel in the mail. That envelope actually contained multiple panel reports. This commentary addresses a second report from another three-person panel. None of the members of this panel served on the Columbia Generating Station panel. Whereas that panel investigated contentions that NRC improperly dismissed safety concerns, this panel investigated contentions that the NRC improperly sanctioned Cooper for issues that did not violate any federal regulations or requirements. This panel also substantiated the contentions and concluded that the NRC lacked justification for its actions. When will the injustices end?

Mountains at Cooper

The NRC conducted its Problem Identification and Resolution inspection at the Cooper nuclear plant in Brownville, Nebraska, from June 12 through June 29, 2017. The report dated August 7, 2017, for this inspection identified five violations of regulatory requirements.

An NRC staffer subsequently submitted a Differing Professional Opinion (DPO) contending that the violations were inappropriate. The basis for this contention was that there were no regulatory requirements applicable to the issues; thus, an owner could not possibly violate a non-existent requirement.

Molehills at Cooper

Per procedure, the NRC formed a three-person panel to evaluate the contentions raised in the DPO. The DPO Panel evaluated the five violations cited in the August 7, 2017, inspection report.

Fig. 1 (Source: Unknown)

  • Molehill #1: The inspection report included a GREEN finding for a violation of Criterion XVI in Appendix B to 10 CFR Part 50. Appendix B contains 18 quality assurance requirements. Criterion XVI requires owners to identify conditions adverse to quality (e.g., component failures, procedure deficiencies, equipment malfunctions, material defects, etc.) and fix them in a timely and effective manner. The DPO Panel “…determined that this issue does not represent a violation of 10 CFR 50 Appendix B, Criterion XVI, inasmuch as the licensee identified the cause and implemented corrective actions to preclude repetition.” In other words, one cannot violate a regulation when doing precisely what the regulation says to do.
  • Molehill #2: The inspection report included a GREEN finding for a violation of a technical specification requirement to provide evaluations of degraded components in a timely manner. The DPO Panel “…concluded that this issue does not represent a violation of regulatory requirements.” This is a slightly different molehill. Molehill #1 involved not violating a requirement when one does exactly what the requirement says. Molehill #2 involved not violating a requirement that simply does not exist. A different kind of molehill, but a molehill nonetheless.
  • Molehill #3: The inspection report included another GREEN finding for another violation of Criterion XVI in Appendix B to 10 CFR Part 50. This time, the report contended that the plant owner failed to promptly identify adverse quality trends. The DPO Panel “concluded that monitoring for trends is not a requirement of Criterion XVI,” reprising Molehill #2.
  • Mountain #1: The inspection report included another GREEN finding for failure to monitor emergency diesel generator performance shortcomings as required by the Maintenance Rule. The DPO Panel “…determined that the violation was correct as written and should not be retracted.” As my grandfather often said, even a blind squirrel finds an acorn every now and then.
  • Molehill #4: The inspection report included a Severity Level IV violation for violating 10 CFR Part 21 by not reporting a substantial safety hazard. The DPO Panel discovered that the substantial safety hazard was indeed reported to the NRC by the owner within specified time frames. The owner submitted a Licensee Event Report per 10 CFR 50.72. 10 CFR Part 21 and NRC’s internal procedures explicitly allow owners to forego submitting a duplicate report when they have reported the substantial safety hazard via 10 CFR 50.72. The DPO Panel recommended that “…consideration be given to retracting the violation … because it had no impact on the ability of the NRC to provide regulatory oversight.”

The DPO Panel wrote in the cover letter transmitting their report to the NRC Region IV Regional Administrator:

After considerable review effort, the Panel disagreed, at least in part, with the conclusions documented in the Cooper Nuclear Station Problem Identification and Resolution Inspection Report for four of the five findings.

The DPO Panel report was dated April 13, 2018. As of August 8, 2018, I could find no evidence that NRC Region IV has either remedied the miscues identified by the DPO originator and confirmed by the DPO Panel, or explained why sanctioning plant owners for following regulations is justified.

UCS Perspective

At Columbia Generating Station, NRC Region IV made a molehill out of a mountain by finding, and then overlooking, that the plant owner’s efforts were “grossly inadequate” (quoting that DPO Panel’s conclusion).

At Cooper Nuclear Station, NRC Region IV made mountains out of molehills by sanctioning the owner for violating non-existent requirements or for doing precisely what the regulations required.

Two half-hearted (substitute any other body part desired, although “elbow” doesn’t work so well) efforts don’t make one whole-hearted outcome. These two wrongs do not average out to just-right regulation.

NRC Region IV must be fixed. It must be made to see mountains as mountains and molehills as molehills. Confusing the two is unacceptable.

Mountains and molehills (M&Ms). M&Ms should be a candy treat and not a regulatory trick.

NOTE: NRC Region IV’s deplorable performance at Columbia and Cooper might have remained undetected and uncorrected but for the courage and conviction of NRC staffer(s) who put career(s) on the line by formally contesting the agency’s actions. When submitting DPOs, the originators have the option of making the final DPO package publicly available or not. In these two cases, I received the DPO Panel reports before the DPOs were closed. I do not know the identity of the DPO originator(s) and do not know whether the person(s) opted to make the final DPO packages (which consist of the original DPO, the DPO Panel report, and the agency’s final decision on the DPO issues) public or not. If the DPO originator(s) wanted to keep the DPO packages non-public, I betrayed that choice by posting the DPO Panel reports. If that’s the case, I apologize to the DPO originator(s). While my intentions were good, I would have abided by personal choice had I had any way to discern what it was.

Either way, it is hoped that putting a spotlight on the issues has positive outcomes in these two DPOs as well as in lessening the need for future DPOs and posts about obstruction of injustice.

24 Space-Based Missile Defense Satellites Cannot Defend Against ICBMs

Articles citing a classified 2011 report by the Institute for Defense Analyses (IDA) have mistakenly suggested the report finds that a constellation of only 24 satellites can be used for space-based boost-phase missile defense.

This finding would be in contrast to many other studies that have shown that a space-based boost-phase missile defense system would require hundreds of interceptors in orbit to provide thin coverage of a small country like North Korea, and a thousand or more to provide thin coverage over larger regions of the Earth.

A 2011 letter from Missile Defense Agency (MDA) Director Patrick O’Reilly providing answers to questions by then-Senator Jon Kyl clarifies that the 24-satellite constellation discussed in the IDA study is not a boost-phase missile defense system, but is instead a midcourse system designed to engage anti-ship missiles:

The system discussed by IDA appears to be a response to concerns about anti-ship ballistic missiles that China is reported to be developing. It would have far too few satellites for boost-phase defense against missiles from even North Korea, and certainly from a more sophisticated adversary.

The MDA letter says the 24 satellites might carry four interceptors each. Adding interceptors to the satellites does not fix the coverage problem, however: If one of the four interceptors is out of range, all the interceptors are out of range, since they move through orbit together. As described below, the coverage of a space-based system depends on the number of satellites and how they are arranged in orbit, as well as the ability of the interceptors they carry to reach the threat in time.

While this configuration would place four interceptors over some parts of the Earth, it would leave very large gaps in the coverage between the satellites. An attacker could easily track the satellites to know when none were overhead, and then launch missiles through the gaps. As a result, a defense constellation with gaps would realistically provide no defense.

(The IDA report is “Space Base Interceptor (SBI) Element of Ballistic Missile Defense: Review of 2011 SBI Report,” Institute for Defense Analyses, Dr. James D. Thorne, February 29, 2016.)

Why boost phase?

The advantage of intercepting during a ballistic missile’s boost phase—the first three to five minutes of flight when its engines are burning—is destroying the missile before it releases decoys and other countermeasures that greatly complicate intercepting during the subsequent midcourse phase, when the missile’s warhead is coasting through the vacuum of space. Because boost phase is short, interceptors must be close enough to the launch site of target missiles to be able to reach them during that time. This is the motivation for putting interceptors in low Earth orbits—with altitudes of a few hundred kilometers—that periodically pass over the missile’s launch site.

The fact that the interceptors must reach a boosting missile within a few minutes limits how far the interceptor can be from the launching missile and still be effective. This short time therefore limits the size of the region a given interceptor can cover to several hundred kilometers.

An interceptor satellite in low Earth orbit cannot sit over one point on the Earth, but instead circles the Earth on its orbit. This means an interceptor that is within range of a missile launch site at one moment will quickly move out of range. As a result, having even one interceptor in the right place at the right time requires a large constellation of satellites so that as one interceptor moves out of range another one moves into range.

Multiple technical studies have shown that a space-based boost phase defense would require hundreds or thousands of orbiting satellites carrying interceptors, even to defend against a few missiles. A 2012 study by the National Academies of Science and Engineering found that space-based boost phase missile defense would cost 10 times as much as any ground-based alternative, with a price tag of $300 billion for an “austere” capability to counter a few North Korean missiles.

Designing the system instead to attack during the longer midcourse phase significantly increases the time available for the interceptor to reach its target and therefore increases the distance the interceptor can be from a launch and still get there in time. This increases the size of the region an interceptor can cover—up to several thousand kilometers (see below). Doing so reduces the number of interceptors required in the constellation from hundreds to dozens.

However, intercepting in midcourse negates the rationale for putting interceptors in space in the first place, which is being close enough to the launch site to attempt boost phase intercepts. Defending ships against anti-ship missiles would be done much better and more cheaply from the surface.

Calculation of Constellation Size

Figure 1 shows how to visualize a system intended to defend against anti-ship missiles during their midcourse phases. Consider an interceptor designed for midcourse defense on an orbit (white curve) that carries it over China (the red curve is the equator). If the interceptor is fired out of its orbit shortly after detection of the launch of an anti-ship missile with a range of about 2,000 km, it would have about 13 minutes to intercept before the missile re-entered the atmosphere. In those 13 minutes, the interceptor could travel a distance of about 3,000 km, which is the radius of the yellow circle. (This assumes δV = 4 km/s for the interceptor, in line with the assumptions in the National Academies of Science and Engineering study.)

The yellow circle therefore shows the size of the area this space-based midcourse interceptor could in principle defend against such an anti-ship missile.

Fig. 1.  The yellow circle shows the coverage area of a midcourse interceptor, as described in the post; it has a radius of 3,000 km. The dotted black circle shows the coverage area of a boost-phase interceptor; it has a radius of 800 km.

However, the interceptor satellite must be moving rapidly to stay in orbit. Orbital velocity is 7.6 km/s at an altitude of 500 km. In less than 15 minutes the interceptor and the region it can defend will have moved more than 6,000 km along its orbit (the white line), and will no longer be able to protect against missiles in the yellow circle in Figure 1.

To ensure an interceptor is always in the right place to defend that region, there must be multiple satellites in the same orbit so that one satellite moves into position to defend the region when the one in front of it moves out of position. For the situation described above and shown in Figure 1, that requires seven or eight satellites in the orbit.

At the same time, the Earth is rotating under the orbits. After a few hours, China will no longer lie under this orbit, so to give constant interceptor coverage of this region, there must be interceptors in additional orbits that will pass over China after the Earth has rotated. Each of these orbits must also contain seven or eight interceptor satellites. For the case shown here, only two additional orbits are required (the other two white curves in Figure 1).

Eight satellites in each of these three orbits gives a total of 24 satellites in the constellation to maintain coverage of one or perhaps two satellites in view of the sea east of China at all times. This constellation could therefore only defend against a small number of anti-ship missiles fired essentially simultaneously. Defending against more missiles would require a larger constellation.

If the interceptors are instead designed for boost-phase rather than midcourse defense, the area each interceptor could defend is much smaller. An interceptor with the same speed as the one described above could only reach out about 800 km during the boost time of a long-range missile; this is shown by the dashed black circle in Figure 1.

In this case, the interceptor covering a particular launch site will move out of range of that site very quickly—in about three and a half minutes. Maintaining one or two satellites over a launch site at these latitudes will therefore require 40 to 50 satellites in each of seven or eight orbits, for a total of 300 to 400 satellites.

The system described—40 to 50 satellites in each of seven or eight orbits—would only provide continuous coverage against launches in a narrow band of latitude, for example, over North Korea if the inclination of the orbits was 45 degrees (Fig. 2). For parts of the Earth between about 30 degrees north and south latitude there would be significant holes in the coverage. For areas above about 55 degrees north latitude, there would be no coverage. Broader coverage to include continuous coverage at other latitudes would require two to three times that many satellites—1,000 or more.

As discussed above, defending against more than one or two nearly simultaneous launches would require a much larger constellation.

Fig. 2. The figure shows the ground coverage (gray areas) of interceptor satellites in seven equally spaced orbital planes with inclination of 45°, assuming the satellites can reach laterally 800 km as they de-orbit. The two dark lines are the ground tracks of two of the satellites in neighboring planes. This constellation can provide complete ground coverage for areas between about 30° and 50° latitude (both north and south), less coverage below 30°, and no coverage above about 55°.

For additional comments on the IDA study, see Part 2 of this post.

More Comments on the IDA Boost-Phase Missile Defense Study

Part 1 of this post discusses one aspect of the 2011 letter from the Missile Defense Agency (MDA) to then-Senator Kyl about the IDA study of space-based missile defense. The letter raises several additional issues, which I comment on here.

  1. Vulnerability of missile defense satellites to anti-satellite (ASAT) attack

To be able to reach missiles shortly after launch, space-based interceptors (SBI) must be in low-altitude orbits; typical altitudes discussed are 300 to 500 km. At the low end of this range atmospheric drag is high enough to give very short orbital lifetimes for the SBI unless they carry fuel to actively compensate for the drag. That may not be needed for orbits near 500 km.

Interceptors at these low altitudes can be easily tracked using ground-based radars and optical telescopes. They can also be reached with relatively cheap short-range and medium-range missiles; if these missiles carry homing kill vehicles, such as those used for ground-based midcourse missile defenses, they could be used to destroy the space-based interceptors. Just before a long-range missile attack, an adversary could launch an anti-satellite attack on the space-based interceptors to punch a hole in the defense constellation through which the adversary could then launch a long-range missile.

Alternately, an adversary that did not want to allow the United States to deploy space-based missile defense could shoot space-based interceptors down shortly after they were deployed.

The IDA report says that the satellites could be designed to defend themselves against such attacks. How might that work?

Since the ASAT interceptor would be lighter and more maneuverable than the SBI, the satellite could not rely on maneuvering to avoid being destroyed.

A satellite carrying a single interceptor could not defend itself by attacking the ASAT, for two reasons. First, the boost phase of a short- or medium-range missile is much shorter than that of a long-range missile, and would be too short for an interceptor designed for boost-phase interception to engage. Second, even if the SBI was designed to have sensors to allow intercept in midcourse as well as boost phase, using the SBI to defend against the ASAT weapon would remove the interceptor from orbit and the ASAT weapon would have done its job by removing the working SBI from the constellation. A workable defensive strategy would require at least two interceptors in each position, one to defend against ASAT weapons and one to perform the missile defense mission.

The IDA report assumes the interceptor satellites it describes to defend ships would each carry four interceptors. If the system is meant to have defense against ASAT attacks, some of the four interceptors must be designed for midcourse intercepts. The satellite could carry at most three such interceptors, since at least one interceptor must be designed for the boost-phase mission of the defense. If an adversary wanted to punch a hole in the constellation, it could launch four ASAT weapons at the satellite and overwhelm the defending interceptors (recall that the ASAT weapons are launched on relatively cheap short- or medium-range missiles).

In addition, an ASAT attack could well be successful even if the ASAT was hit by an interceptor. If an interceptor defending the SBI hit an approaching ASAT it would break the ASAT into a debris cloud that would follow the trajectory of the original center of mass of the ASAT. If this intercept happened after the ASAT weapon’s course was set to collide with the satellite, the debris cloud would continue in that direction. If debris from this cloud hit the satellite it would very likely destroy it.

  2. Multiple interceptors per satellite

It is important to keep in mind that adding multiple interceptors to a defense satellite greatly increases the satellite’s mass, which increases its launch cost and overall cost.

The vast majority of the mass of a space-based interceptor is the fuel needed to accelerate the interceptor out of its orbit and to maneuver to hit the missile (the missile is itself maneuvering since it is in its boost phase, when it is accelerating and steering). For example, the American Physical Society’s study assumes the empty kill vehicle of the interceptor (the sensor, thrusters, valves, etc.) is only 60 kg, but the fueled interceptor would have a mass of more than 800 kg.

Adding a second interceptor to the defense satellite would add another 800 kg to the overall mass. A satellite with four interceptors and a “garage” that included the solar panels and communication equipment could have a total mass of three to four tons.

  3. Space debris creation

Senator Kyl asked the MDA to comment on whether space-based missile defense would create “significant permanent orbital debris.” The MDA answer indicated that at least for one mechanism of debris creation (that of an intercept of a long-range missile), the system could be designed to not generate long-lived debris.

However, there are at least three different potential debris-creating mechanisms to consider:

  • Intercepting a missile with an SBI

When two compact objects collide at very high speed, the objects break into two expanding clouds of debris that follow the trajectories of the center of mass of the original objects. In this case the debris cloud from the interceptor will likely have a center of mass speed greater than Earth escape velocity (11.2 km/s) and most of the debris will therefore not go into orbit or fall back to Earth. Debris from the missile will be on a suborbital trajectory; it will fall back to Earth and not create persistent debris.

  • Using an SBI as an anti-satellite weapon

If equipped with an appropriate sensor, the space-based interceptor could home on and destroy satellites. Because of the high interceptor speed needed for boost phase defense, the SBI could reach satellites not only in low Earth orbits (LEO), but also those in semi-synchronous orbits (navigation satellites) and in geosynchronous orbits (communication and early warning satellites). Destroying a satellite on orbit could add huge amounts of persistent debris to these orbits.

At altitudes above about 800 km, where most LEO satellites orbit, the debris from a destroyed satellite would remain in orbit for decades or centuries. The lifetime of debris in geosynchronous and semi-synchronous orbits is essentially infinite.

China’s ASAT test in 2007 created more than 3,000 pieces of debris that have been tracked from the ground—these make up more than 20% of the total tracked debris in LEO. The test also created hundreds of thousands of additional pieces of debris that are too small to be tracked (smaller than about 5 cm) but that can still damage or destroy objects they hit because of their high speed.

Yet the satellite destroyed in the 2007 test had a mass of less than a ton. If a ten-ton satellite—for example, a spy satellite—were destroyed, it could create more than half a million pieces of debris larger than 1 cm in size. This one event could more than double the total amount of large debris in LEO, which would greatly increase the risk of damage to satellites.

  • Destroying an SBI with a ground-based ASAT weapon

As discussed above, an adversary might attack a space-based interceptor with a ground-based kinetic ASAT weapon. Assuming the non-fuel mass of the SBI (with garage) is 300 kg, the destruction of the satellite could create more than 50,000 orbiting objects larger than 5 mm in size.

If the SBI was orbiting at an altitude of between 400 and 500 km, the lifetime of most of these objects will be short so this debris would not be considered to be persistent. However, the decay from orbit of this debris would result in an increase in the flux of debris passing through the orbit of the International Space Station (ISS), which circles the Earth at an altitude of about 400 km. Because the ISS orbits at a low altitude, it is in a region with little debris since the residual atmospheric density causes debris to decay quickly. As a result, the additional debris from the SBI passing through this region can represent a significant increase.

In particular, if the SBI were in a 500-km orbit, the destruction of a single SBI could increase the flux of debris larger than 5 mm at the altitude of the ISS by more than 10% for three to four months (at low solar activity) or two to three months at high solar activity. An actual attack might, of course, involve destroying more than one SBI, which would increase this flux.

Pipe Rupture at Surry Nuclear Plant Kills Four Workers

Role of Regulation in Nuclear Plant Safety #7

Both reactors at the Surry nuclear plant near Williamsburg, Virginia operated at full power on December 9, 1986. Around 2:20 pm, a valve in a pipe between a steam generator on Unit 2 and its turbine inadvertently closed due to a re-assembly error following recent maintenance. The valve’s closure resulted in a low water level inside the steam generator, which triggered the automatic shutdown of the Unit 2 reactor. The rapid change from steady state operation at full power to zero power caused a transient as systems adjusted to the significantly changed conditions. About 40 seconds after the reactor trip, a bend in the pipe going to one of the feedwater pumps ruptured. The pressurized water jetting from the broken pipe flashed to steam. Several workers in the vicinity were seriously burned by the hot vapor. Over the next week, four workers died from the injuries.

Fig. 1 (Source: Washington Times, February 3, 1987)

While such a tragic accident cannot yield good news, the headline for a front-page article in the Washington Times newspaper about the accident (Fig. 1) widened the bad news to include the Nuclear Regulatory Commission (NRC), too.

The Event

The Surry Power Station has two pressurized water reactors (PWRs) designed by Westinghouse. Each PWR had a reactor vessel, three steam generators, and three reactor coolant pumps located inside a large, dry containment structure. Unit 1 went into commercial operation in December 1972 and Unit 2 followed in June 1973.

Steam flowed through pipes from the steam generators to the main turbine shown in the upper right corner of Figure 2. Steam exited the main turbine into the condenser where it was cooled down and converted back into water. The pumps of the condensate and feedwater systems recycled the water back to the steam generators.

Fig. 2 (Source: Nuclear Regulatory Commission NUREG-1150)

Figure 2 also illustrates the many emergency systems that are in standby mode during reactor operation. On the left-hand side of Figure 2 are the safety systems that provide makeup water to the reactor vessel and cooling water to the containment during an accident. In the lower right-hand corner is the auxiliary feedwater (AFW) system that steps in should the condensate and feedwater systems need help.

The condensate and feedwater systems are non-safety systems. They are needed for the reactor to make electricity. But the AFW system and other emergency systems function during accidents to cool the reactor core. Consequently, these are safety systems.

Both reactors at Surry operated at full power on Tuesday December 9, 1986. At approximately 2:20 pm that afternoon, the main steam trip valve (within the red rectangle in Figure 2) in the pipe between steam generator 2C inside containment and the main turbine closed unexpectedly.

Subsequent investigation determined that the valve had been improperly re-assembled following recent maintenance, enabling it to close without either a control signal or a need to do so.

The valve’s closure led to a low water level inside steam generator 2C. By design, this condition triggered the automatic insertion of control rods into the reactor core. The balance between the steam flows leaving the steam generators and feedwater flows into them was upset by the stoppage of flow through one steam line and the rapid drop from full power to zero power. The perturbations from that transient caused the pipe to feedwater pump 2A to rupture (location approximated by the red cross in Figure 1) about 40 seconds later.

Figure 3 shows a closeup of the condensate and feedwater systems showing where the pipe ruptured. The condensate and condensate booster pumps are off the upper right side of the figure. Water from the condensate system flowed through feedwater heaters where steam extracted from the main turbine pre-warmed it to about 370°F en route to the steam generators. This 24-inch diameter piping (called a header) supplied the 18-inch diameter pipes to feedwater pumps 2A and 2B. The supply pipe to feedwater pump 2A featured a T-connection to the header while a reducer connected the header to the 18-inch supply line to feedwater pump 2B. Water exiting the feedwater pumps passed through feedwater heaters for additional pre-warming before going to the steam generators inside containment.

Fig. 3 (Source: Nuclear Regulatory Commission NUREG/CR-5632)

Water spewing from the broken pipe had already passed through the condensate and condensate booster pumps and some of the feedwater heaters. Its 370°F temperature was well above 212°F, but the 450 pounds per square inch pressure inside the pipe kept it from boiling. As this hot pressurized water left the pipe, the lower pressure let it flash to steam. The steam vapor burned several workers in the area. Four workers died from their injuries over the next week.

As the steam vapor cooled, it condensed back into water. Water entered a computer card reader controlling access through a door about 50 feet away, shorting out the card reader system for the entire plant. Security personnel were posted at key doors to facilitate workers responding to the event until the card reader system was restored about 20 minutes later.

Water also seeped into a fire protection control panel and caused short circuits. Water sprayed from 68 fire suppression sprinkler heads. Some of this water flowed under the door into the cable tray room and leaked through seals around floor penetrations to drip onto panels in the control room below.

Water also seeped into the control panel to actuate the carbon dioxide fire suppression system in the cable tray rooms. An operator was trapped in the stairwell behind the control room. He was unable to exit the area due to doors locked closed by the failed card reader system. Experiencing trouble breathing as carbon dioxide filled the space, he escaped when an operator inside the control room heard his pounding on the door and opened it.

Figure 4 shows the section of piping that ruptured. The rupture occurred at a 90-degree bend in the 18-inch diameter pipe. Evaluations concluded that years of turbulent water flow through the piping gradually wore away the pipe’s metal wall, thinning it via a process called erosion/corrosion to the point where it was no longer able to withstand the pressure pulsations caused by the reactor trip. The plant owner voluntarily shut down the Unit 1 reactor on December 10 to inspect its piping for erosion/corrosion wear.

Fig. 4 (Source: Nuclear Regulatory Commission 1987 Annual Report)

Pre-Event Actions (and Inactions?)

The article accompanying the damning headline above described how the NRC staff produced a report in June 1984—more than two years before the fatal accident—warning about the pipe rupture hazard and criticizing the agency for taking no steps to manage the known risk. The article further explained that the NRC’s 1984 report was in response to a 1982 event at the Oconee nuclear plant in South Carolina where an eroded steam pipe had ruptured.

Indeed, the NRC’s Office for Analysis and Evaluation of Operational Data (AEOD) issued a report (AEOD/EA 16) titled “Erosion in Nuclear Power Plants” on June 11, 1984. The last sentence on page two stated “Data suggest that pipe ruptures may pose personnel (worker) safety issues.”

Indeed, a 24-inch diameter pipe that supplied steam to a feedwater heater on the Unit 2 reactor at Oconee had ruptured on June 28, 1982. Two workers in the vicinity suffered steam burns which required hospitalization overnight. Like at Surry, the pipe ruptured at a 90-degree bend (elbow) due to erosion of the metal wall over time. There was a maintenance program at Oconee that periodically examined the piping ultrasonically.

That monitoring program identified pipe wall thinning of two elbows on Unit 3 in 1980 that were replaced. Monitoring performed in March 1982 on Unit 2 identified substantial erosion in the piping elbow that ruptured three months later. But the thinning was accepted because it was less than the company’s criterion for replacement. It’s not been determined whether prolonged operation at reduced power between March and June 1982 caused more rapid wear than anticipated or whether the ultrasonic inspection in March 1982 may have missed the thinnest wall thickness.

Post-Event Actions

The NRC dispatched an Augmented Inspection Team (AIT) to the Surry site to investigate the causes, consequences, and corrective actions. The AIT included a metallurgist and a water-hammer expert. Seven days after the fatal accident, the NRC issued Information Notice 86-106, “Feedwater Line Break,” to plant owners. The NRC issued the AIT report on February 10, 1987. The NRC issued Supplement 1 on February 13, 1987, and Supplement 2 on March 18, 1987, to Information Notice 86-108.

The NRC did more than warn owners about the safety hazard. On July 9, 1987, the NRC issued Bulletin 87-01, “Thinning of Pipe Walls in Nuclear Power Plants,” to plant owners. The NRC required owners to respond within 60 days about the codes and standards which safety-related and non-safety-related piping in the condensate and feedwater systems were designed and fabricated to as well as the programs in place to monitor this piping for wall thinning due to erosion/corrosion.

And the NRC issued Information Notice 88-17 to plant owners on April 22, 1988, summarizing the responses the agency received in response to Bulletin 87-01.

UCS Perspective

Eleven days after a non-safety-related pipe ruptured on Oconee Unit 2, the NRC issued Information Notice 82-22, “Failures in Turbine Exhaust Lines,” to all plant owners about that event.

The June 1984 AEOD report was released publicly. The NRC’s efforts did call the nuclear industry’s attention to the matter as evidenced by a report titled “Erosion/Corrosion in Nuclear Plant Steam Piping: Causes and Inspection Program Guidelines” issued in April 1985 by the Electric Power Research Institute.

Days before the NRC issued the AEOD report, the agency issued Information Notice 84-41, “IGSCC [Intragranular Stress Corrosion Cracking] in BWR [Boiling Water Reactor] Plants,” to plant owners about cracks discovered in safety system piping at Pilgrim and Browns Ferry.

As the Washington Times accurately reported, the NRC knew in the early 1980s that piping in safety and non-safety systems was vulnerable to degradation. The NRC focused on degradation of safety system piping, but also warned owners about degradation of non-safety system piping. The fatal accident at Surry in December 1986 resulted in the NRC expanding efforts it had required owners take for safety system piping to also cover piping in non-safety systems.

The NRC could have required owners fight the piping degradation in safety systems and non-safety systems concurrently. But history is full of wars fought on two fronts being lost. Instead of undertaking this risk, the NRC triaged the hazard. It initially focused on safety system piping and then followed up on non-safety system piping.

Had the NRC totally ignored the vulnerability of non-safety system piping to erosion/corrosion until the accident at Surry, this event would reflect under-regulation.

Had the NRC compelled owners to address piping degradation in safety and non-safety systems concurrently, this event would reflect over-regulation.

By pursuing resolution of all known hazards in a timely manner, this event reflects just right regulation.

Postscript: The objective of this series of commentaries is to draw lessons from the past that can, and should, inform future decisions. Such a lesson from this event involves the distinction between safety and non-safety systems. The nuclear industry often views that distinction as also being a virtual wall between what the NRC can and cannot monitor.

As this event and others like it demonstrate, the NRC must not turn its back on non-safety system issues. How non-safety systems are maintained can provide meaningful insights on maintenance of safety systems. Unnecessary or avoidable failures of non-safety systems can challenge performance of safety systems. So, while it is important that the NRC not allocate too much attention to non-safety systems, driving that attention to zero will have adverse nuclear safety implications. As some wise organization has suggested, the NRC should not allocate too little attention or too much attention to non-safety systems, but the just right amount.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Obstruction of Injustice: Columbia Generating Station Whitewash

There’s been abundant talk recently about obstruction of justice—who may or may not have impeded this or that investigation. Rather than chime in on a bad thing, obstruction of justice, this commentary advocates a good thing—obstruction of injustice. There’s an injustice involving the Columbia Generating Station in Washington that desperately needs obstructing.

Raising the White Flag

The NRC dispatched a Special Inspection Team to the Columbia Generating Station in Richland, Washington in late 2016 after a package containing radioactive materials was improperly shipped from the plant facility to an offsite facility. The NRC team identified nine violations of federal regulations for handling and transport of radioactive materials, the most serious warranting a White finding in the agency’s Green, White, Yellow, and Red classification scheme. This White finding moved the Columbia Generating Station into Column 2 of the Reactor Oversight Process’s Action Matrix in the first quarter of 2017.

Columbia Generating Station would remain in Column 2 until the first of two things happened: (1) the NRC determined that the problems resulting in the improper transport of radioactive materials were found and fixed justifying a return to Column 1, or (2) additional problems were identified that warranted relocation into Columns 3 or 4.

Check that: There’s a third thing that happened to improperly transport Columbia Generating Station back into Column 1—the injustice that needed obstructing.

Raising the Whitewash

After the plant owner notified the NRC that the causes of the radioactive material mishandling had been cured, the NRC sent a team to the site in late 2017 to determine if that was the case. On January 30, 2018, the NRC reported that its investigation confirmed that the problems had been resolved and returned the Columbia Generating Station to Column 1 and routine regulatory oversight after closing out the White finding.

In response, an NRC staffer submitted a Differing Professional Opinion (DPO) contending “that the decision to close the WHITE finding was not supported by the inspection report details.” The DPO originator provided two dozen very specific reasons for the contention.

The NRC formed a three-person panel to investigate the DPO. The DPO Panel issued its report on June 28, 2018, to the Regional Administrator in NRC Region IV (Fig. 1).

Fig. 1 (Source: Unknown)

The DPO recommended that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to include an explanation for why it was closed even though the problems resulting in the WHITE finding had not been remedied.

In other words, the DPO Panel agreed with the contention raised by the DPO originator. En route, the DPO Panel substantiated 20 of the 24 specific reasons provided by the originator.

Detailing the Whitewash

On July 21, 2017, another DPO Panel released a report validating 18 concerns raised by the DPO originator with how the NRC allowed Palo Verde Unit 3 to continue operating with a broken backup power generator far longer than permitted by the law, established policies, and common sense. Despite agreeing with essentially every concern raised by the DPO originator in that case, the DPO Panel somehow concluded the NRC had properly let Palo Verde continue to operate.

This time, the DPO Panel also agreed with the DPO originator’s concerns and also agreed with the DPO originator’s conclusion that the NRC had acted improperly. To quote the DPO Panel:

“…the Panel concluded that NRC Inspection Report 05000397/2017-011, dated January 30, 2018 (ML18032A754), does not depict all the bases to support the conclusion that the objectives of the IP [inspection procedure] were met and thus does not support closure of the WHITE finding.”

A common thread among the DPO originator’s concerns was the Root Cause Evaluation (RCE) developed by the plant owner for the problems resulting in the WHITE finding. The RCE’s role is to identify the causes for the problems. Once the causes are identified, appropriate remedies can be applied. When the RCE identifies the wrong cause(s) and/or fails to identify all the right causes, the remedies cannot be sufficient. Through interviews with NRC staff involved in the inspection and its review of materials collected during the inspection, the DPO Panel reported “… a belief by the 95001 inspection team and other NRC staff with oversight of this inspection that the licensee’s written root cause evaluation (RCE), even in its seventh revision, was poorly written and lacked documentation of all the actions taken in response to this event.”

In case this verbiage was too subtle, the DPO Panel later wrote that “… the licensee’s “documented” RCE was grossly inadequate, which was confirmed through interviews by the Panel” [emphasis added].

And the DPO Panel stated “… the root cause evaluation could not have been focused on the right issue and the resulting corrective actions may not be all inclusive.”

Later the DPO Panel reported “… it is not clear how the inspectors concluded that what the licensee did was acceptable.”

A few paragraphs later, the DPO Panel stated “…the Panel could not understand the rationale for finding the licensee’s extent of condition review appropriate.”

A few more paragraphs later, the DPO panel reported “What appears confusing is that interviewees told the Panel that the licensee’s written RCE was grossly inadequate, yet the inspectors were able to accept it as adequate, without requiring the licensee to address the discrepancies through a revised RCE.”

Later on that page, “The Panel found that the report does not discuss the licensee’s corrective actions.” The inspection team found the root cause evaluation “grossly inadequate” and did not even mention the corrective actions the RCE was supposed to trigger.

The DPO Panel reported “… the inspectors concluded that the licensee met the inspection objectives of IP 95001. However, this appears to the Panel to be a leap of (documentation) faith that appears counter to the inspection requirements and guidance of IP 95001 as well as IMC [inspection manual chapter] 0611.”

Still not out of bricks, the DPO Panel concluded “It is difficult to imagine that the licensee’s definition of the problem statement, extent of condition and cause, and corrective actions are appropriate.”

The DPO Panel also stated “…the Panel can only conclude that the 95001 report justified closure of the WHITE finding based on significant verbal information that was not contained in the final RCE and not discussed in the 95001 report.”

That’s contrary to the NRC’s purported Principles of Good Regulation—Independence, Openness, Efficiency, Clarity, and Reliability, unless they are like a menu and Region IV is on a diet skipping some of the items.

As noted above, these findings led the DPO Panel to recommend that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to explain why it was closed even though the problems resulting in the WHITE finding had not been remedied. So far, the NRC has done neither.

UCS Perspective

This situation is truly appalling. And that’s an understatement.

The NRC identified nine violations of federal regulatory requirements in how this plant owner was handling and transporting radioactive materials. Not satisfied by this demonstrated poor performance, the NRC properly issued a WHITE finding and moved the reactor into Column 2 of the ROP’s Action Matrix where additional regulatory oversight was applied.

By procedure and standard practice, the WHITE finding is to remain open until a subsequent NRC inspection determines its cause(s) to have been identified and corrected.

Yet, the NRC inspectors found the root cause evaluation by the owner to be “grossly inadequate.”

And the NRC inspectors did not mention the corrective actions taken in response to the “grossly inadequate” root cause evaluation.

So, the NRC closed the WHITE finding—an injustice plain and simple as amply documented by the DPO Panel.

Where’s obstruction of injustice when it’s needed?

The DPO Panel found it “difficult to imagine” that the plant owner’s efforts were appropriate without “a leap of faith.” This is not like fantasy football, fantasy baseball, or fantasy NASCAR. Fantasy nuclear safety regulation is an injustice to be obstructed. If NRC Region IV wants to go to Fantasyland, I’ll consider buying them a ticket to Disneyland. (One-way, of course.)

The NRC’s Office of the Inspector General should investigate how the agency wandered so far away from its procedures, practices, and purported principles.

The NRC Chairman, Commissioners, and senior managers should figure out what is going terribly awry in NRC Region IV. If for no other reason than to obstruct Region IV’s injustices from corrupting the other NRC regions.

Americans deserve obstruction of injustice when it comes to nuclear safety, not fantasy nuclear safety regulation.

Opposition to Trump’s New Low-Yield Nuclear Warhead

And the “consensus” on rebuilding the US nuclear stockpile

The Trump administration’s program to deploy a new, low-yield variant of the W76 warhead carried by U.S. submarine-launched ballistic missiles has faced relatively strong opposition in Congress, with almost all Democrats and several Republicans supporting legislation to eliminate or curb the program.

Indeed, the low-yield warhead is clearly outside the “bipartisan consensus” that supporters have often claimed exists for the Obama administration’s 30-year, $1.7 trillion program to maintain and replace the entire U.S. nuclear stockpile and its supporting infrastructure. Importantly, as I’ll get to later, such a consensus never really existed in the first place.

Congressional roadblocks

Two Pantex production technicians work on a W76 while a co-worker reads the procedure step-by-step. (Photo NNSA)

But let’s start with the new warhead. The attempts to stop it have been noteworthy. A list of most of the votes and amendments on the low-yield option can be found here. Although the final FY19 National Defense Authorization Act (NDAA) that the Senate passed yesterday approves the low-yield warhead, the Appropriations committees—on a bipartisan basis—have generally funded the program but also consistently sought more information on it.

Most recently, on June 28, the Senate Appropriations Committee approved by voice vote an amendment from Sen. Jeff Merkley (D-OR) that would prohibit deployment of the proposed new warhead until Secretary of Defense James Mattis provides Congress with a report that details the implications of fielding it. The Department of Energy (DOE) would still be able to produce the low-yield variant, work that would take place as a part of the ongoing Life Extension Program for the W76 warhead that is scheduled to be completed in Fiscal Year 2019. The W76 warheads have a yield of 100 kilotons; the lower-yield variant will have a yield of 6-7 kilotons.

If nothing else changes, Defense Secretary Mattis should be able to produce the required report in time for deployment to proceed. Although the Navy’s precise timing for deployment is classified, officials have hinted that it should not take more than a year or two. In other words, if the program proceeds as planned, the new warhead could be deployed while President Trump is still in office. Fielding a new weapon in three years or less would be remarkably fast.

But note that phrase “if nothing else changes.” An election is going to happen. There is a chance that Democrats could take the House and (less likely) the Senate. If so, then deployment of the low-yield warhead – and perhaps more pieces of the enormous nuclear rebuilding plan – could come into question.

A rapid response to Trump’s warhead plan

The proposal for the low-yield warhead was included in the Trump administration’s Nuclear Posture Review (NPR), one of two “supplements” to the already ambitious program to revamp the entire nuclear arsenal developed by the Obama administration. (The second supplement is a nuclear-armed sea-launched cruise missile that is many years off.) The NPR described the first supplement as a “near-term” effort to “modify a small number of existing SLBM warheads to provide a low-yield option.”

Democratic opposition to the proposal was swift. When a near-final version of the NPR was leaked to the press in January 2018, sixteen senators wrote a letter to President Trump expressing opposition to the low-yield warhead.

More recently, in May, broader opposition emerged when more than 30 former officials, including former defense secretary William Perry, former secretary of state George Shultz, and former vice chairman of the Joint Chiefs of Staff Gen. James Cartwright (USMC Ret.) wrote a bipartisan letter to Congress calling the new warhead “dangerous, unjustified, and redundant.”

Shortly after that letter was sent, 188 members of the House, including all but seven Democrats and five Republicans, voted in favor of an amendment to the annual NDAA that would have withheld half the funding for the low-yield warhead until Secretary Mattis submitted a report to Congress assessing the program’s impacts on strategic stability and options to reduce the risk of miscalculation. While the amendment failed, it is notable that, in addition to overwhelming Democratic support, five Republicans voted for it.

Then in June, an amendment to the House Energy & Water Development Appropriations Act showed even stronger opposition to the low-yield warhead. Rep. Barbara Lee (D-CA) proposed eliminating all the funding for DOE’s work on the program, in effect killing it outright. This much more aggressive approach received 177 votes, including all but 15 Democrats. Moreover, this vote came after Rep. Lee succeeded in getting the Appropriations Committee to include language requiring Mattis to submit a report on “the plan, rationale, costs, and implications” of the new warhead.

While the Senate has not had any votes on the low-yield warhead on the floor, several Democrats have attempted to cut or fence money for the program in both the Appropriations and Armed Services Committees, culminating in the successful effort by Senator Merkley to prohibit deployment until Secretary Mattis produces a report about the implications of doing so, as highlighted above.

Indeed, both the Senate and House appropriations committees expressed concern that the administration has not provided enough information to make an informed decision about the new weapon.

Will the “bipartisan consensus” unravel?

In the House, it’s clear that a “bipartisan consensus” does not exist for the Obama program to revamp the arsenal, at least not for the program in its entirety. While the recent vote against the Trump administration’s low-yield warhead reflected almost unified opposition to a new weapon by the Democrats, there was similar opposition to the planned Long-Range Stand-Off (LRSO) weapon – the new nuclear-armed air-launched cruise missile – even though it was put forward by the Obama administration. In 2014, 179 House members voted to eliminate funding for the program, including all but 18 Democrats. More recent votes to cut the program back have also enjoyed strong Democratic support.

On the other side of Congress, it has been several years since the Senate has had a floor vote on any nuclear weapons program, so it is harder to judge the level of support for revamping the entire arsenal. Notably, Sen. Jack Reed, the ranking member on the Senate Armed Services Committee, has generally voiced support for the Obama administration’s plan to date. But this year, he led an attempt in the Armed Services Committee to fence funding for deployment of the low-yield warhead, an effort that failed along party lines but became the model for the successful Merkley amendment in the Appropriations committee, on which Sen. Reed also serves. In addition, Sen. Reed also supported a separate Merkley amendment in the Appropriations Committee to eliminate all funding for the low-yield warhead, an attempt that failed largely along party lines.

Clearly, the low-yield warhead is not a part of any “bipartisan consensus.” The question becomes whether the debate over it could be the tipping point that leads to more concerted opposition to some of the new weapons systems in the larger plan, including the LRSO.

That question takes on increased salience when one considers the possibility that Democrats could take the House in elections this fall. While the low-yield warhead likely will be produced in Fiscal Year 2019, its deployment could become a major battle in the new Congress. If that is the case, the supposed “bipartisan consensus” in support of the Obama administration’s plan to replace the entire U.S. nuclear arsenal with a suite of new warheads and delivery vehicles could potentially come unraveled.

Containment Design Flaw at DC Cook Nuclear Plant

Role of Regulation in Nuclear Plant Safety #6

Both reactors at the DC Cook nuclear plant in Michigan shut down in September 1997 until a containment design flaw identified by a Nuclear Regulatory Commission (NRC) inspection team could be fixed. An entirely different safety problem reported to the NRC in August 1995 at an entirely different nuclear reactor began toppling dominoes until many safety problems at both nuclear plants, as well as safety problems at many other plants, were found and fixed.

First Stone Cast onto the Waters

On August 21, 1995, George Galatis, then an engineer working for Northeast Utilities (NU), and We The People, a non-profit organization founded by Stephen B. Comley Sr. in Rowley, Massachusetts, petitioned the NRC to take enforcement actions because irradiated fuel was being handled contrary to regulatory requirements during refueling outages on the Unit 1 reactor at the Millstone Power Station in Waterford, Connecticut.

Ripples Across Connecticut

The NRC’s investigations, aided by a concurrent inquiry by the NRC’s Office of the Inspector General, substantiated the allegations and also revealed the potential for similar problems to exist at Millstone Units 2 and 3 and at Haddam Neck, the other nuclear reactors operated by NU in Connecticut. The NRC issued Information Notice No. 96-17 to nuclear plant owners in March 1996 about the problems they found at Millstone and Haddam Neck. The owner permanently shut down the Millstone Unit 1 and Haddam Neck reactors rather than pay for the many safety fixes that were needed, but restarted Millstone Unit 2 and Unit 3 following the year-plus outages it took for their safety margins to be restored.

Ripples Across the Country

The NRC sent letters to plant owners in October 1996 requiring them to respond, under oath, about measures in-place and planned to ensure: (1) applicable boundaries are well-defined and available, and (2) reactors operate within the legal boundaries. In other words, prove to the NRC that other reactors were not like the NU reactors were.

The NRC backed up their letter writing safety campaign by forming three NRC-led teams of engineers contracted from architect-engineer (AE) firms (e.g., Bechtel, Stone & Webster, Burns & Roe) to visit plants and evaluate safety systems against applicable regulatory requirements. The NRC’s Frank Gillespie managed the AE team inspection effort. The NRC issued Information Notice No. 98-22 in June 1998 about the results from the 16 AE inspections conducted to that time. Numerous safety problems were identified and summarized by the NRC, including ones that caused both reactors at the DC Cook nuclear plant to be shut down in September 1997.

Ripplin’ in Michigan

The AE inspection team sent to the DC Cook nuclear plant in Michigan was led by NRC’s John Thompson and backed by five consultants from the Stone & Webster Engineering Corporation.

Sidebar: UCS typically does not identify NRC individuals by name as we have here for Gillespie and Thompson. But both received unfair criticisms from an NRC senior manager for performing their jobs well. Gillespie, for example, told me that the manager yelled at him, “We didn’t send teams out there to find safety problems!” NRC workers doing their jobs well deserve praise, not reprisals. Thanks Frank and John for jobs very well done. The senior manager will go unnamed and unthanked for a job not done so well.

DC Cook had two Westinghouse four-loop pressurized water reactors (PWRs) with ice condenser containments. Unit 1 went into commercial operation in August 1975 and Unit 2 followed in July 1978. The NRC team identified a design flaw that could have caused a reactor core meltdown under certain loss of coolant accident (LOCA) conditions.

A LOCA occurs when a pipe connected to the PWR vessel (reddish capsule in the lower center of Figure 1) breaks. The water inside a PWR vessel is at such high pressure that it does not boil even when heated to over 500°F. When a pipe breaks, high pressure water jets out of the broken ends into containment. The lower pressure inside containment causes the water to flash to steam.

Fig. 1 (Source: American Electric Power July 12, 1997, presentation to the NRC)

In ice condenser containments like those at DC Cook, the steam discharged into containment forces open doors at the bottom of the ice condenser vaults. As shown by the red arrow on the left side of Figure 1, the steam flows upward through baskets filled with ice. Most, if not all, of the steam is cooled down and turned back into water. The condensed steam and melted ice drops down to the lower sections of containment. Any uncondensed steam vapor along with any air pulled along by the steam flows out from the top of the ice condenser into the upper portion of containment.

Emergency pumps and large water storage tanks not shown in Figure 1 initially replace the cooling water lost via the broken pipe. The emergency pumps transfer water from the storage tanks to the reactor vessel, where some of it pours out of the broken pipe into containment.

The size of the broken pipe determines how fast cooling water escapes into containment. A pipe with a diameter less than about 2 inches causes what is called a small-break LOCA. A medium-break LOCA results from a pipe up to about 4 inches round while a large-break LOCA occurs when larger pipes rupture.

Before the storage tanks empty, the emergency pumps are re-aligned to take water from the active sump area within containment. The condensed steam and melted ice collects in the active sump. The emergency pumps pull water from the active sump and supply it to the reactor vessel where it cools the reactor core. Water spilling from the broken pipe ends finds its way back to the active sump for recycling.

The NRC’s AE inspection team identified a problem in the containment’s design for small-break LOCAs. The condensed steam and melted ice flows into the pipe annulus (the region shown in Figure 2 between the outer containment wall and the crane wall inside containment) and into the reactor cavity. The water level in the pipe annulus must rise to nearly 21 feet above the floor before water could flow through a hole drilled in the crane wall into the active sump. The water level in the reactor cavity must rise even farther above its floor before water could flow through a hole drilled in the pedestal wall into the active sump.

Fig. 2 (Source: American Electric Power July 12, 1997, presentation to the NRC)

For medium-break and large-break LOCAs, the large amount of steam discharged into containment flooded both these volumes and then the active sump long before the storage tanks emptied and the emergency pumps swapped over to draw water from the active sump. Thus, there was a seamless supply of makeup cooling water to the vessel to prevent overheating damage.

But for small-break LOCAs, the storage tanks might empty before enough water filled the active sump. In that case, the flow of makeup cooling water could be interrupted and the reactor core might overheat and melt down.

Calmed Waters in Michigan

The owner fixed the problem by drilling holes through lower sections of the crane and pedestal walls. These holes allowed water to fill the active sump in plenty of time for use by the emergency pumps for all LOCA scenarios. Once this and other safety problems were remedied (and a $500,000 fine paid), both reactors at DC Cook restarted.

UCS Perspective

The event in this case is the August 1995 notification to the NRC that the Millstone Unit 1 reactor was being operated outside its safety boundaries and the regulatory ripples caused by that notification that led to the identification and correction of containment flaws at DC Cook. For that event sequence, the NRC response reflected just-right regulation.

The NRC asked and answered whether the August 1995 allegations were valid—finding that they were.

Once the initial allegation was substantiated, the NRC asked and answered whether that kind of problem also affected other reactors operated by the same owner—finding that it did.

Once the extent-of-condition determined that multiple reactors operated by the same owner were affected, the NRC asked and answered whether similar kinds of problems could also affect other reactors operated by other owners—finding that they did.

In seeking the answer to that broader extent-of-condition question, the NRC AE inspection team identified a subtle design flaw that had escaped detection for two decades. And slightly over two years elapsed between the NRC’s initial notification and both reactors at DC Cook being shut down to fix the design flaw. While neither a blink of an eye nor a frenetic pace, that’s a pretty reasonable timeline given the number of steps needed and taken between these endpoints.

Had the NRC put the blinders on after receiving the allegations about Millstone Unit 1 and not considered whether similar problems compromised safety at other reactors, this event would have fallen into the under-regulation bin.

Had the NRC jumped to the conclusion after receiving the allegations about Millstone Unit 1 that all other reactors were likely afflicted with comparable, or worse, safety problems and ordered all shut down until proven affliction-free, this event would have fallen into the over-regulation bin.

By putting the Millstone Unit 1 allegations in proper context in a timely manner, the NRC demonstrated just-right regulation.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Flooding at a Florida Nuclear Plant

Role of Regulation in Nuclear Plant Safety #5

St. Lucie Unit 1 began operating in 1976. From the beginning, it was required by federal regulations to be protected against flooding from external hazards. After flooding in 2011 led to the meltdown of three reactors at Fukushima Dai-ichi in Japan, the NRC ordered owners to walk down their plants in 2012 to verify conformance with flood protection requirements and remedy all shortcomings. The owner of St. Lucie Unit 1 told the NRC that only one minor deficiency had been identified and it was fixed.

But heavy rainfall in January 2014 flooded the Unit 1 reactor auxiliary building with 50,000 gallons through flood barriers that had been missing since at least 1982. Unit 1 became as wet as the owner’s damp assurances and the NRC’s soggy oversight efforts.

Fig. 1 (Source: NRC Flickr)

Parade of Flood Protection Promises

Operators achieved the first criticality, or sustained nuclear chain reaction, of the Unit 1 reactor core at the St. Lucie nuclear plant located about miles southeast of Ft. Pierce, Florida at 8:30 am on April 22, 1976. Federal regulations adopted more than five years earlier required the plant to be protected against natural phenomena. The Atomic Energy Commission (AEC), forerunner to today’s Nuclear Regulatory Commission (NRC), issued guidance in August 1973 that explicitly informed nuclear plant owners and applicants that the natural phenomena to be protected against included heavy local precipitation.

En route to the AEC issuing an operating license for Unit 1 on March 1, 1976, the owner submitted a Preliminary Safety Analysis Report and later a Final Safety Analysis Report, now called the Updated Final Safety Analysis Report (UFSAR), describing the design features and operational procedures that demonstrated conformance with all applicable regulatory requirements such as flood protection. The design bases external flood was a Probable Maximum Hurricane (PMH) while the design bases internal flood was the postulated rupture of a 14-inch diameter low pressure safety injection system pipe. The analyses summarized in the UFSAR reported the flooding rates, flooding depths needed to submerge and disable safety components, alarms alerting workers to the flooding situation, and response actions and associated times for workers to intervene and successfully mitigate a flooding event.

In December 1993, the owner submitted an Individual Plant Examination (IPE) of St. Lucie to the NRC in response to the agency’s mandate in Generic Letter 88-20 for an assessment of vulnerabilities to severe accidents. The owner revisited several potential internal flooding scenarios (e.g., postulated rupture of various tanks filled with water or liquid and break of a component cooling water system pipe that drains all 78,000 gallons of water into the reactor auxiliary building). The conclusions were that the scenarios would either not result in flooding damage to safety components or that flood-damaged safety component(s) were so unlikely to lead to reactor core damage as to be accepted with no additional protective measures taken.

On March 11, 2011, an earthquake off the coast of Japan triggered a tsunami wave that overwhelmed the protective sea wall at the Fukushima Dai-ichi nuclear plant. The earthquake disabled the offsite electrical power grid for the plant; the tsunami flood waters disabled the backup power supplies. Although the Pacific Ocean was literally a stone’s throw away, the complete loss of electrical power left workers unable to supply cooling water to the reactor cores of the three units that had been operating at the time; all three cores overheated and melted.

Among the reactions by the NRC was a temporary instruction for its inspectors to use to verify whether U.S. reactors were properly protected against earthquake and flooding hazards. The NRC’s inspections supplemented similar efforts voluntarily undertaken by nuclear plant owners. On May 13, 2011, the NRC reported on the inspection conducted at St. Lucie per the post-Fukushima temporary instruction. NRC inspectors reviewed the UFSAR for flooding hazards and associated protective features and response procedures. NRC inspectors reviewed the flood protection walkdowns performed by plant workers and conducted their own walkdowns. The NRC reported “No significant deficiencies were identified.” The report did indicate that workers found one potentially degraded flood barrier, but had initiated paperwork to investigate it further and remedy it as applicable.

On March 12, 2012, the NRC ordered the owners of all operating U.S. nuclear plants to undertake more comprehensive flooding and earthquake walkdowns and re-assessments. The owner of St. Lucie submitted its flooding walkdown report to the NRC on November 27, 2012. The owner stated that “The flooding walkdowns verified that permanent structures, systems, components (SSCs), portable flood mitigation equipment, and the procedures needed to install and or operate them during a flood are acceptable and capable of performing their design function as credited in the current licensing basis” with but one exception—some missing and degraded conduit seals were found in electrical manholes connected to the reactor auxiliary buildings on Unit 1 and Unit 2. The conduits are metal tubes containing electrical cables. The seals fill the gaps where the conduits pass through the reactor auxiliary building’s concrete wall. The owner reported that the configuration had been restored to full compliance with regulatory requirements.

The owner reported to the NRC on December 27, 2012, the results of its evaluation of the missing and degraded conduit seals. The NRC was told that the electrical manholes have 4-inch and 1.5-inch diameter drain lines to the storm water system. In the event of site flooding due to a storm, water could flow through these drain lines into the electrical manholes. When the water filled the manholes to a certain depth, water would flow through the missing and degraded conduit seals into the reactor auxiliary building and disable components needed for safe shutdown of the reactor. The owner reported that the conduit seals had been missing since original construction in the 1970s. This potential hazard no longer existed because the missing and degraded conduit seals had been corrected.

The NRC evaluated the missing and degraded conduit seals reported by the owner via its November 27 and December 27 submittals. On April 25, 2013, the NRC issued its report for its evaluation. The NRC noted:

The licensee’s design basis does not allow for any external leakage into safety-related buildings during a PMH. Unit 1 UFSAR section 3.4.4, states in part, that “All external building penetrations are waterproofed and/or flood protected to preclude the failure of safety related system or component due to external flooding.”

Even though the flood protection deficiency existed for over three decades before being found and fixed, the NRC elected to impose no sanction for violating federal safety regulations.

The NRC reported on July 30, 2013, about additional walkdowns its inspectors made of the Unit 1 and 2 reactor auxiliary buildings. The NRC inspectors also reviewed documents in the owner’s corrective action and work order databases for weather-related problems that could result in site flooding. No problems were found.

Raining on the Promise Parade

On January 9, 2014, it rained on St. Lucie. A culvert in the storm water drain system obstructed by debris caused rain water to pool around the reactor auxiliary building instead of being carried away. Rain water leaked into the reactor auxiliary building via two electrical conduits that lacked the proper flood barriers. A video obtained by UCS via the Freedom of Information Act (FOIA) shows water pouring from an electrical junction box mounted on the inside wall of the Unit 1 reactor auxiliary building. (We don’t have a video of this location before the flood, but we know that it wasn’t nearly as wet and noisy.)

Fig. 2 (Source: Video obtained by UCS through the FOIA)

An estimated 50,000 gallons of water flooded Unit 1. Workers periodically manipulated valves to allow flood water to drain into the emergency core cooling system (ECCS) pump room sumps where it was transferred to an outdoor collection tank. Their efforts successfully prevented any safety components from being disabled and Unit 1 continued operating through the rainfall.

When the dust dried, workers found four other electrical conduits that lacked proper flood barriers. The six conduits passed through the reactor auxiliary building wall below the design bases flood elevation. Consequently, they should have been equipped with flood barriers, but the required barriers had not been provided. These six conduits were not part of the plant’s original design, but had been installed via modifications implemented in 1978 and 1982.

The NRC issued a White finding, the second least serious in its Green, White, Yellow and Red classification scheme, on November 19, 2014, for two violations of regulatory requirements:

[F]rom November 26, 2012, until January 9, 2014, the licensee failed to promptly identify and correct conditions adverse to quality involving missing external flood barriers in the Unit 1 reactor auxiliary building (RAB). Specifically, the licensee performed flooding walkdowns in response to the NRC’s “Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f)” … and failed to identify missing internal flood barriers on six conduits that penetrated the Unit 1 RAB wall below the design basis external flood elevation. This condition was identified when the site experienced a period of unusually heavy rainfall on January 9, 2014, and approximately 50,000 gallons of water entered the … RAB through two of the six degraded conduits in the ECCS pipe tunnel.

and

[F]rom 1978 and 1982 until 2014, the licensee failed to translate the design basis associated with external flood protection into specifications, drawings, procedures and instructions. Specifically, permanent change modifications (PCM) 77272, “Primary Water Degassifier and Transfer Pump” and PCM 80105, “Waste Monitor Tank Addition,” implemented in 1978 and 1982 respectively, added six power supply conduits in the emergency core cooling system (ECCS) pipe tunnel that penetrated the Unit 1 RAB wall below the design basis external flood elevation and did not include internal flood barriers to protect safety-related equipment from the effects of a design basis external flood event.

In other words, the owner violated federal regulations in 1978 and 1982 by not providing flood barriers with the installed conduit and re-violated federal regulations in 2012 by not finding the flood barriers missing when commanded by NRC to do so after Fukushima.

UCS Perspective

In the letter transmitting the White finding to the plant’s owner, NRC noted that the severity of the two violations of federal regulations would normally have also resulted in a $70,000 fine, but explained:

Because your facility has not been the subject of escalated enforcement actions within the last two years, the NRC considered whether credit was warranted for Corrective Action in accordance with the civil penalty assessment process in Section 2.3.4 of the Enforcement Policy. … Therefore, to encourage prompt identification and comprehensive correction of violations, and in recognition of the absence of previous escalated enforcement action, I have been authorized, after consultation with the Director, Office of Enforcement, not to propose a civil penalty in this case.

What?

“Because your facility has not been the subject of escalated enforcement actions within the last two years” is largely because the owner violated federal regulations by not finding, fixing, and reporting the missing flood barriers on the six electrical conduits that factored in the January 9, 2014, flooding event. So, the reason the owner has a clean slate over the past two years is because the owner violated federal regulations two years ago that would otherwise have uncleaned that slate. Who says crime doesn’t pay?

“…to encourage prompt identification and comprehensive correction of violations” ignores a key fact—the NRC does not need to “encourage” owners to do these things. A federal regulation, specifically Appendix B to 10 CFR Part 50, requires owners to find and fix problems in a timely and effective manner. Thus, the NRC does not need to encourage owners; it merely needs to enforce regulatory requirements.

Is the White finding without the usual (and entirely appropriate) $70,000 fine a slap on the wrist of this owner?

I don’t know. But I do know that it is a slap in the face of the many plant owners who took the NRC’s order seriously by doing a thorough job of walking down their plants for flooding and earthquake vulnerabilities and remedying all deficiencies (not just a token one or two).

By “encouraging” owners who perform badly, the NRC is discouraging owners who perform well. It takes time and effort (i.e., MONEY) to do it right and saves time and effort (i.e., MONEY) to do it wrong. The NRC must discourage wrong-doing and encourage right-doing. All the NRC need do is merely enforce its regulations instead of meekly encouraging violators of safety regulations. If the NRC cannot or will not enforce safety regulations, then like Elvis it should leave the building.

For over 30 years, St. Lucie operated without flood barriers it was required by federal regulations to have. After flooding melted three reactors at Fukushima, the NRC ordered St. Lucie’s owner in 2012 to take extra steps to ensure required flood protection measures were adequate. The owner informed the NRC in November 2012 that only one deficiency had been found and it had been remedied. Rainfall in January 2014 revealed several other deficiencies. The owner, once again, claimed that all deficiencies have now been remedied.

Maybe the owner is finally right about flood protection at St. Lucie. Maybe not. What is entirely certain is that St. Lucie is adequately protected against flooding—unless a flood happens. That flood might reveal still more deficiencies for the NRC to “encourage” the owner to promptly find and comprehensively fix (assuming the reactor still hasn’t melted down.)

The only reason this event goes into the “under-regulation” bin is that there are no lower bins for it.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Yankee Rowe and Reactor Vessel Safety

Role of Regulation in Nuclear Plant Safety #4

The Yankee Rowe nuclear plant in Massachusetts was a forerunner in the industry pursuing extensions to the original 40-year operating license. But its run for a longer lifetime was derailed when Nuclear Regulatory Commission (NRC) engineers discovered that the plant might not meet current safety requirements. Unable to convince the NRC that the requirements were satisfied after a year of trying, the owner opted to permanently retire the plant after only 31 years of operation.

Yankee Rowe’s History

The Yankee Atomic Electric Company (YAEC) was formed on November 30, 1953, as a joint venture of ten utility companies in New England. On June 6, 1956, YAEC signed the first contract in the Atomic Energy Commission’s (AEC’s) Power Reactor Demonstration Program. This program sought to build and operate a variety of nuclear power reactors, with partial government financing, to advance the country’s nuclear power technology development. Construction began on February 28, 1958, and was completed on May 31, 1960. Electricity generated by the plant was first connected to the offsite power grid on November 10, 1960. YAEC placed the plant in commercial operation on July 1, 1961.

Yankee Rowe featured a four-loop pressurized water reactor (PWR) designed by Westinghouse. The core had a power limit of 485 megawatts thermal but was upgraded to 600 megawatts in 1963. For comparison, the Westinghouse AP-1000 pressurized water reactor under construction in Georgia has a power limit of 3,400 megawatts, nearly six times higher.

Yankee Rowe was shut down on October 1, 1991, due to the NRC’s concerns about the integrity of the reactor vessel. The company notified the NRC by letter dated February 27, 1992, that it had decided to permanently shut down the plant rather than continue the effort and expense of trying to resolve the NRC’s concerns.

Over its 31-year lifetime, Yankee Rowe operated at an average capacity of nearly 74 percent—nothing to write home about considering today’s 90-plus percent capacity factors but a good achievement for its era.

Reactor Vessel’s Role

The reactor vessel for Yankee Rowe was manufactured by Babcock & Wilcox at their factory in Barberton, Ohio. Figure 1 shows the reactor vessel after arriving at the plant before it was lifted into a vertical position and raised into the containment sphere. The containment sphere also houses the four reactor coolant system loops, with each loop consisting of a steam generator and reactor coolant pump.

Fig. 1 (Source: Periscope Film)

The defense-in-depth nuclear safety philosophy employs multiple layers. If one emergency diesel generator is needed to power safety equipment during an accident, then two or more are installed to increase the likelihood that one gets that job done. That approach is replicated across the array of core cooling systems, emergency ventilation systems, and so on.

The reactor vessel is one of the very few defense-in-depth exceptions. Failure of the reactor vessel could drain cooling water faster than the emergency pumps can supply makeup. The entire reactor core is loaded into a metal vessel whose failure has no backup and no assured mitigation. Why? The principle follows Andrew Carnegie’s advice: “Put all your eggs in one basket and then watch that basket.” The reactor vessel gets watched a lot. (Yes, Virginia, sometimes a watched pot does boil.)

Reactor Operating Licenses and License Renewal

The NRC published a notice in the Federal Register on November 6, 1986, soliciting comments about regulatory changes to enable nuclear plants to operate beyond their initial 40-year operating license periods. The NRC sought comments on the duration of extended operation as well as the criteria to be used in deciding whether extension requests should be granted.

In April 1989, the General Accounting Office (GAO) issued a report on license renewal. Congress tasked GAO to examine nuclear plant aging after a worn-out pipe ruptured at the Surry nuclear plant in Virginia and killed four workers. GAO reported that the NRC licensed reactors for operation up to 40 years, but neither the Atomic Energy Act nor NRC’s regulations provided for an extension or renewal of the operating licenses. The Department of Energy (DOE) and the Electric Power Research Institute (EPRI) found interest among nuclear plant owners for possibly extending plant lifetimes, depending on what NRC required to obtain that authorization.

The Monticello nuclear plant in Minnesota and Yankee Rowe became the lead boiling water reactor (BWR) and PWR for the DOE, EPRI, and NRC to examine and define a license renewal process. The reactor operating license for Yankee Rowe was initially slated to expire on November 4, 1997. The NRC approved on June 8, 1988, an extension to July 9, 2000. (Because the NRC had not yet issued a regulation for renewing or extending reactor operating licenses, “extensions” of the operating license for Yankee Rowe and several other reactors really did not lengthen the 40-year term of the initial license. Instead, they redefined when the 40-year clock started. Sometimes, that clock started when the reactor vessel was set in place, even though it was several more years before construction was completed and the atom splitting started.)

The NRC pursued a rulemaking process that culminated in the issuance of the Nuclear Power Plant License Renewal final rule on December 13, 1991. While the NRC now had a license renewal rule, it no longer had the lead PWR pursuing license renewal. The owner had voluntarily shut down Yankee Rowe on October 1, 1991, after receiving word that the NRC staff would be recommending to its Commission that the reactor be shut down. The reactor never restarted.

The NRC lost both its lead license renewal plants. After seeing license reprise result in license demise for Yankee Rowe, the owner of Monticello informed the NRC that it put license renewal efforts on hold.

Fig. 2 (Source: Nuclear Regulatory Commission Flickr Gallery)

Reactor Vessel Embrittlement

Yankee Rowe’s reactor vessel was made of metal. Metal expands when it is heated and contracts when it is cooled. During routine operation, the rate at which the reactor power is increased and decreased is controlled to limit the metal’s temperature change to less than or equal to 100°F per hour. This limit minimizes internal stresses as metal parts expand and contract to avoid cracking.

The temperature change limit does not apply during accidents. If a pipe connected to the reactor vessel breaks and drains cooling water, the emergency pumps do not slowly add makeup water to keep the metal from cooling down too quickly. The pumps supply lots of makeup water to prevent the fuel rods from heating up too much.

The reactor vessels are designed to go from steady state operation at over 500°F to sudden exposure to makeup water as cool as 40°F. Termed “pressurized thermal shock,” it’s not an exposure the reactor vessel is expected to encounter often. But it is a sudden, rapid temperature change the reactor vessel is required to be capable of enduring at least once.

The reactor vessel’s capability to withstand pressurized thermal shock lessens with time. The bombardment of the metal by neutrons during reactor operation—termed reactor vessel embrittlement—hastens the degradation.

Yankee Rowe’s Achilles Heel

It didn’t take long to identify the reactor vessel as the limiting component at Yankee Rowe. The company evaluated a 20-year period past the original 40-year operating license for the reactor, considering the accumulated embrittlement and other degradation factors such as the anticipated number of times the vessel cycles between “cold” conditions during outages and “hot” conditions during full power operation. The company’s evaluations concluded that sufficient margin would remain until at least the year 2020.

The NRC staff did not agree with the company’s assessment. Pryor Randall, an engineer in NRC’s mechanical engineering branch, penned a memo dated September 11, 1990, to Tom Murley, then the Director of the NRC’s Office of Nuclear Reactor Regulation, stating:

Perhaps it is time to quit being polite in our rejection of the licensee’s estimates…. They have been told on more than one occasion that their basis was unacceptable. Our expert consultant, Professor Odette, addressed their arguments in point-by-point fashion and found them to be without merit. I will state here for the record that the licensee’s arguments that coarse grain size negates the effects of irradiation-temperature and nickel content are sophistry, a subtle, tricky, superficially plausible, but generally fallacious method of reasoning.

Without even looking up the highfalutin words, the NRC staff clearly wasn’t buying the company’s claim that Yankee Rowe’s reactor vessel was good to run until 2020.

Predicting the future involves uncertainties. Making matters worse was the fact that Yankee Rowe’s past also contained many uncertainties. Little metal pieces called specimens had been installed inside the reactor vessel. The plan was to periodically remove the specimens for testing. The results would reveal how many neutrons impacted the metal and how much embrittlement this caused. The specimens would allow the computer models to be calibrated to more closely match actual conditions of the reactor vessel. But workers removed all the specimens in 1965 after flow-induced vibration broke two specimens loose. Lacking information from analysis of specimens, the owner instead fetched data from specimens taken out of the BR3 nuclear reactor in Belgium. (Picture being in a hospital where the medical staff loses your charts and relies on charts from a patient down the hall that’s nearly the same age and almost the same gender.)

Additionally, the manufacturing process for the Yankee Rowe reactor vessel was somewhat unique in that it involved keeping the metal plates at higher temperatures than normally experienced as they were formed into shape. As a result, the grain sizes of the metal were larger than normal. The formulae and methods used by the NRC and industry to predict the effects of embrittlement were based on metals with normal grain sizes. The lack of specimens left researchers without solid means to tailor the methods to fit Yankee Rowe’s unique metallurgy.

The paucity of actual data forced researchers to fill information gaps with assumptions. Certain assumptions led to results showing the vessel would last forever. Other assumptions produced results showing that the vessel lacked the required safety margin right then.

UCS Joins the Fray

The debate raged on. UCS partnered with the New England Coalition on Nuclear Pollution (NECNP) to petition the NRC on June 4, 1991, seeking immediate shutdown of Yankee Rowe until it was known, rather than merely being debatable, that the reactor was safe.

On July 31, 1991, the NRC denied the petition on grounds “… that continued operation … will not pose an undue risk to the public health and safety.” However, the NRC conditioned its denial: “In no event will plant operation beyond April 15, 1992, be permitted until these uncertainties have been resolved.” Somehow, the reactor that posed no undue risk became an undue risk 259 days later.

The NRC’s decision churned the waters it sought to calm. Until this decision, the matter had been a “he said/she said” debate involving factors like metal grain sizes, nickel content, Charpy V-notch tests, and other mind-numbing parameters. But no reasonable person accepts that a reactor plenty safe today magically becomes unsafe in the near future. They get that the reactor isn’t safe today, either. The fallacy of the NRC’s decision prompted Congress members, state officials, and newspapers to rail against it.

Fig. 3 (Source: Brattleboro Reformer)

The NRC’s denial of the UCS/NECNP petition also ordered Yankee Rowe’s owner to submit its plan by August 26, 1991, for resolving uncertainties in the reactor vessel integrity debate. The NRC told the owner that it wanted “a reduction in the probability of vessel failure of a factor of 5 to 10 and will accept a mix of hardware modifications, human resource allocations, and operating procedure modifications.” The owner submitted its report to the NRC on August 26, 1991. The owner informed the NRC that its plan reduced the chances of reactor vessel failure by a factor of 20.

It did not take the NRC staff very long to grade the plan. On September 30, 1991, the NRC staff informed the Chairman and Commissioners of its assessment. The NRC staff conducted its own analyses and reported that its results matched those from the owner in some cases. But the staff also reported, “…for cases when the main coolant pumps do not run [and therefore do not mix the cool incoming water with the hot water inside the vessel], the thermal-hydraulic response was found by both the staff and the licensee to increase the likelihood of vessel failure by a factor of two.”

The staff noted that the owner had assumed “a very high [main coolant] pump reliability factor (greater than 99%). With this reliability factor, the Commission’s goal would be achieved. … Without demonstration of high pump reliability under SBLOCA [small-break loss of coolant accident] conditions, the Commission’s desired factor of 5 to 10 cannot be confirmed.” Thus, the staff recommended “that the Yankee Rowe Nuclear Power Station be shut down until the NRC is satisfied that the YNPS pressure vessel has adequate margins against failure during operation.”

Informed about this staff position which would be discussed during a Commission meeting scheduled for October 2, 1991, the owner voluntarily shut down the reactor on October 1. The fight was over. UCS lost the petition battle but won the reactor safety campaign.

Fig. 4 (Source: New York Times)

UCS Perspective

It would be tempting to place this event into the “under-regulation” bin on grounds that NRC would not have attained this outcome absent pressure from UCS, Congress, the media, state officials, and others. The New York Times cited UCS’s efforts as “making a difference” in this matter.

But the NRC was also getting pressured by the plant’s owner, the industry, and other members of Congress to accept that the reactor had sufficient margin to continue operating. The NRC acted as far more than a nuclear jury, merely listening to both sides argue their cases and then rendering a verdict.

Recall that an NRC engineer, Pryor Randall, went on record forcefully opposing the company’s contentions that the reactor vessel still had ample margin to safety requirements. His efforts factored significantly in the arguments put forth (or recycled) in the petition. It is commendable that NRC’s engineers demonstrate courage in their convictions.

Note that the Commission did not just deny the UCS/NECNP petition. The Commission also required the owner to provide its plan for reducing the risk of reactor vessel failure by a factor of 5 to 10. While ruling that the petitioners had not demonstrated that the reactor was unsafe, they implicitly conceded that the owner had not demonstrated that the reactor was adequately safe. The Commission ordered the owner to submit its demonstration plan.

Recall that the NRC staff did not meekly accept the owner’s contention that its plan reduced the chance of vessel failure by a factor of 20. The NRC staff challenged the assumptions made by the owner en route to that contention and found the analysis to have fallen short of the Commission’s stated objective.

The NRC’s role in this matter was not that of a nuclear jury. Its role was that of a nuclear regulator. It was actively engaged in the process and considered input from various stakeholders. It did not accept the charges levied by UCS/NECNP at face value, nor did it blindly accept the assurances provided by the owner. Consequently, this event deserves to be in the “just right regulation” bin. Newspapers like the Monitor in Concord, New Hampshire seemed to have recognized this outcome, too.

Fig. 5 (Source: Concord Monitor)

* * *

Empty Pipe Dreams at Palo Verde

Regulation and Nuclear Plant Safety #3

In July 2004, Nuclear Regulatory Commission (NRC) inspectors at the Waterford nuclear plant in Louisiana discovered that a portion of piping in a standby emergency system that would provide makeup water to cool the reactor in the event of an emergency had been kept emptied of water, jeopardizing the ability to prevent core damage. This finding was shared with owners of similar reactors across the country. Days later, workers at the Palo Verde nuclear plant in Arizona discovered that sections of the emergency system piping for all three reactors were being deliberately emptied of water. The company tried arguing that there was no written requirement that water be maintained inside the emergency water makeup piping. The NRC disagreed and issued the company a yellow finding for the violations, the second most serious infraction in the agency’s color-coded system. The NRC also issued a $50,000 fine for an improper procedure change in 1992 that caused workers to deliberately drain water from this piping.

Water-less in Waterford

NRC inspectors at the Waterford nuclear plant outside New Orleans, Louisiana during the week of July 12, 2004, reviewed a report on a problem identified by workers on April 18, 1999. The problem was that air collected within piping of the containment spray system during normal operation. During an accident in which a pipe ruptures and drains cooling water onto the containment floor, the design initially calls for emergency pumps to automatically start and transfer makeup water from a large storage tank into the reactor vessel. Before this tank empties, workers re-position valves to have the pumps instead draw water from the containment sump, which collects the water spilled from the broken pipe. Following the swap-over, the emergency pumps would pull water from pipes partially filled with air.

The problem report had been dispositioned in 1999 as being acceptable as-is based on engineering judgement that the slope of the pipes and the low velocity of water flow through the pipes would enable air bubbles to travel against the flow and be released inside containment. When the NRC inspectors challenged the robustness of this assessment, the owner hired a consultant who conducted analytical modeling of the system during a postulated accident that showed the air within the piping would not prevent the safety function from being fulfilled.

The NRC inspectors noted that the reactor’s safety studies assumed that the piping was filled with water when the accident began and that another system had been installed at the plant for the purpose of keeping this piping full of water. The NRC issued a green finding, the least serious of the agency’s four color-coded sanction levels, for operating the reactor outside the bounds of its safety studies.

Equally Dry in Arizona

Workers at Waterford notified their counterparts at the Palo Verde nuclear plant west of Phoenix, Arizona on July 22, 2004, about the NRC’s discovery. On July 28, workers at Palo Verde determined that a significant portion of the suction piping for the containment spray, low-pressure safety injection, and high-pressure safety injection pumps for all three reactors was empty of water. These emergency pumps have two sources of water for use mitigating an accident. Initially, the pumps pull water from the Refueling Water Tank. The piping between this tank and the pumps was filled with water, as was the section of piping to a check valve in the second water source—the containment sump.

The piping between the inside and outside containment isolation valves and between the outside containment isolation valve and the check valve held no water. A change made to a testing procedure on November 16, 1992, had workers close the two containment isolation valves and drain the water from these piping sections. When the volume of water in the Refueling Water Tank dropped to about the 10 percent level, the low-pressure safety injection pump would be turned off automatically and valves repositioned to supply water to the containment spray and high-pressure safety injection pumps from the containment sump.

The theory behind this design is that if the contents of the Refueling Water Tank do not restore the reactor vessel water level to the desired point, there must be a pathway for water to drain from the vessel. If so, that water will flow by gravity to the containment sump where it can be recycled through the reactor vessel to sustain adequate cooling of the reactor core. The high-pressure and low-pressure injection pumps supply makeup water to the reactor vessel; the containment spray pump causes water to be sprayed within the containment structure to reduce its pressure and temperature.

Fig. 1 (Source: Nuclear Regulatory Commission)

Coming Up Empty at Palo Verde, Again

By the afternoon of July 29, the engineering staff at Palo Verde concluded that the emptied piping sections could prevent the containment spray and high-pressure safety injection systems from performing their safety functions during an accident. (The low-pressure safety injection system was not affected because its pump gets turned off before suction from the containment sump through the empty pipes is established.) They entered the problem into the plant’s corrective action program.

On the morning of July 30, the operations department at Palo Verde learned about the problem from the corrective action report. That evening, the operations department determined that the containment spray and high-pressure safety injection systems could perform their safety functions provided that operators manually open the inside containment isolation valve during an accident. Opening this valve would re-fill the largest volume of the intentionally drained piping sections.

The owner notified the NRC about the problem on July 31. Between August 1 and 4, workers took steps to refill the emptied piping sections on all three reactors.

The NRC dispatched a special inspection team to Palo Verde to investigate the causes and corrective actions of this problem. The special inspection team was onsite August 23-27 and issued its report on January 5, 2005. The team made four findings: (1) operating the reactors with the piping sections drained of water contrary to assumptions in safety studies, (2) untimely notification of operations by engineering of a problem potentially affecting safety system operability, (3) inadequate evaluation of replacing automatic accident responses with manual actions, and (4) inadequate evaluation of a 1992 revision to a testing procedure that had workers drain the piping sections when the test was completed.

Palo Verde Pleads Its Case

The company contested the NRC’s findings and requested a meeting with the agency to present its case. That meeting was conducted in the NRC’s Region IV offices in Arlington, Texas on February 17, 2005. The NRC provided a phone bridge for this meeting and I called into it. The company reported that there had never been a procedural requirement to fill the piping sections with water, implying therefore that it was not improper then to revise a procedure in 1992 to drain water from the sections. The company further reported that the technical specifications issued by the NRC with the reactor operating licenses only required verifying that the piping on the discharge side of the pumps be filled with water but said nothing about the contents of the piping on the suction side (perhaps implying that this silence permitted piping sections to be filled with air, helium, jawbreakers, cement, or anything they desired.)

The owner also described full-scale testing using transparent plexiglass piping to show what was happening inside that it had performed as part of what it called the most expensive engineering analysis in the plant’s history. The company even showed a video from this testing (although the video was a wee bit hard to see via the phone bridge). When the owner completed its presentation, an NRC senior manager (who I believe was Bruce Mallett, then Regional Administrator of NRC Region IV) remarked that the video and testing only convinced him that the pumps in the scale model would not cavitate; they told him little about performance in the real plant.

The NRC Puts Palo Verde in Its Place

That statement pretty much telegraphed the NRC’s final answer on the matter. On April 8, 2005, the NRC issued a yellow finding, the second most serious in the agency’s four color-coded classifications, for operating the three reactors with safety system piping sections emptied of water and a $50,000 fine for the inadequate safety evaluation for the 1992 procedure change that had workers drain water from the piping after testing.

The company paid a far larger price. The NRC’s special inspection team investigation into this event and an NRC augmented inspection team investigation into all three reactors tripping on June 14, 2004, focused more NRC attention on the plant. More and more NRC inspectors identified more and more safety problems. In little time, Palo Verde went from all three reactors solidly in Column 1 of the Action Matrix within the NRC’s Reactor Oversight Process to Units 1 and 3 being in Column 3 and Unit 3 being in Column 4—the lowest safety performance rating in the country. It took over four years for the safety shortcomings to be remedied and all three reactors returned to Column 1. “Volunteering” for more NRC scrutiny cost considerably more than the $50,000 fine.

Fig. 2 (Source: Union of Concerned Scientists)

The NRC Goes Big

NRC inspectors discovered a safety problem at Waterford. That discovery revealed a similar problem at Palo Verde. NRC inspectors determined the problem at Palo Verde to reflect systemic problems. The NRC’s responses remedied the specific problem at Waterford and the wider problems at Palo Verde.

But the NRC did not stop after these worthy regulatory achievements. They went big. Packaging the Palo Verde problem with other recent miscues, the NRC issued Bulletin 2008-01, “Managing Gas Accumulation in Emergency Core Cooling, Decay Heat Removal, and Containment Spray Systems,” to the owners of all U.S. operating reactors. It required owners to take steps to ensure that safety systems at their plants did not have and were not likely to develop safety system impairments like that found at Palo Verde.

UCS Perspective

From the discovery at Waterford to the issuance of Bulletin 2008-01, the NRC exhibited just right regulation.

NRC inspectors found that workers knew about air collecting in piping but had not properly analyzed it. The ensuing analysis concluded that the air would not have prevented fulfilment of the necessary safety function. Despite that conclusion, the NRC issued a Green finding because public health was being protected more by luck than skill until the degraded condition was properly evaluated.

Whereas air was unintentionally collecting in piping at Waterford, workers followed procedures to drain water from safety system piping at Palo Verde and didn’t respond to the problem in a timely and effective manner. The NRC swung a bigger regulatory hammer.

The NRC then sought to avoid the problem across the U.S. fleet by issuing Bulletin 2008-01.

Some might contend that these events really reflect under-regulation by the NRC. After all, the air accumulation problem was first identified at Waterford in 1999 and not challenged by the NRC until 2004. The procedure was revised in 1999 to drain water from pipes at Palo Verde, but the NRC didn’t realize it until 2004. The Waterford and Palo Verde discoveries in 2004 joined by similar discoveries before then and afterwards didn’t prompt the NRC to cast a wider safety net until 2008. How can just right regulation entail such lengthy periods between creation of safety problems and their resolutions?

Blame the game and not its players. The NRC does not have the resources to inspect every corrective action report or review every procedure revision. Instead, the NRC audits samples. There’s no evidence that NRC inspectors looked at records at Waterford and Palo Verde prior to 2004 but missed seeing the problems or that NRC inspectors should have looked at these records but failed to do so.

As for the “delay” in getting Bulletin 2008-01 out, consider the adverse implications of a prompter response. Had the NRC issued the bulletin the day after the discovery at Waterford, owners would have been directed to look at the potential for air unintentionally collecting in piping. Since workers were intentionally draining water from piping at Palo Verde per an approved (albeit flawed) procedure, they would not have detected and corrected unintentional accumulation. By cultivating a number of similar events, the NRC required owners to evaluate and manage a broader suite of potential problems—well worth the wait.

Three Mile Island Intruder

Regulation and Nuclear Plant Safety #2

A man recently released from a hospital where he had been treated for mental health issues drove his mother’s station wagon into—literally—the Three Mile Island nuclear plant near Harrisburg, Pennsylvania at 6:53 am on February 7, 1993. Workers responded to the unauthorized entry by locking the doors to the control room and declaring a Site Area Emergency—the second most serious emergency of the Nuclear Regulatory Commission’s (NRC’s) four classifications. The intruder was found more than four hours later hiding in the turbine building.

Less than three weeks later while the NRC was still evaluating the unauthorized entry of a vehicle into Three Mile Island, a rental truck loaded with explosives was detonated in the parking area beneath the North Tower of the World Trade Center in New York City. The NRC revised its security regulations to better protect nuclear plants against unauthorized vehicle entries and vehicle bombs.

Fig. 1 (Source: President’s Commission on the Accident at Three Mile Island)

The Scene

As suggested by its name, the Three Mile Island (TMI) nuclear plant is located on an island. This specific island is in the Susquehanna River as it flows southeasterly from Harrisburg, Pennsylvania. TMI is best known for the worst nuclear power plant accident, so far, in U.S. history. On March 28, 1979, the Unit 2 reactor at TMI experienced a partial meltdown of its nuclear core. The damaged Unit 2 reactor never restarted, but the Unit 1 reactor restarted a few years later and operated at 100 percent power on the morning of February 7, 1993.

At 5:30 am that Sunday morning, security officers opened the gates for the access bridge on the north end of the island (the upper left side of Figure 1). The night shift security personnel turned over duties to the oncoming dayshift crew at 6:00 am. Other dayshift workers and non-shift workers reporting for duty used the north bridge to drive onto the island.

The Party Crasher

At 6:53 am, a vehicle turned off Pennsylvania Route 441 onto the two-lane road to the north bridge. The vehicle continued past the North Gate guard house without stopping to show a badge authorizing access to the island and proceeded at an estimated 35 to 40 miles per hour in the outbound lane across the north bridge. The gates were still open, so nothing impeded the vehicle’s unauthorized entry.

The vehicle slowed to 15 to 20 miles per hour as it exited the bridge and approached the plant. The night shift operations shift foreman, who was in the parking lot on his way home after being relieved from duty, heard a crashing sound as the vehicle drove through Gate 1 into the protected area around the plant. The protected area detection system alerted security personnel to the gate-crasher.

The vehicle continued for another 189 feet until it smashed into the corrugated aluminum roll-up door at the northeast corner of the turbine building. The vehicle, with a portion of the roll-up door adorning its roof, travelled another 63 feet inside the turbine building until it struck a large container for radioactive waste. The impact slid the container about six feet across the floor.

Fig. 2 (Source: Department of Energy)

The off-duty operations shift foreman went to the Processing Center (where individuals enter and exit the plant’s protected area) and called the control room to report “A guy just went through the fence and roll-up door. This is not a drill. Lock the doors to the control room.” The shift supervisor who answered the call in the control room did not recognize the excited voice and did not hear much of the warning message. Moments later, a security officer entered the control room and announced, “This is not a drill, someone crashed through Gate 1 and then drove into the auxiliary boiler door.” (Basically the same message, but when it’s delivered in person by someone toting a gun, it tends to be better heard and heeded.) The control room is located within the control building adjacent to the turbine building.

Fig. 3 (Source: Nuclear Regulatory Commission NUREG-1485)

The Game of Hide & Seek

At 7:02 am, security officers approached the vehicle in the turbine building. The headlights were on, the engine was off, the driver’s side door was open, but no one was found in or around the vehicle. The security officers retreated because the vehicle could contain explosives.

At 7:07 am, the operations shift supervisor declared a Site Area Emergency. The NRC has four emergency classifications–Unusual Event, Alert, Site Area Emergency, and General Emergency.

At 7:11 am, the Central Alarm Station operator at TMI notified the NRC’s Operations Center about the situation and emergency declaration.

At 7:16 am, the operations shift foreman at TMI began notifying local and state officials about the emergency declaration. He used telephones in the control room instead of the automated notification system because it was in an office outside the locked control room doors.

At 7:23 am, the emergency director at TMI (who was also the operations shift supervisor) called the NRC via the Emergency Notification System telephone. The NRC asked that a direct telephone line to the plant be kept open.

At 7:33 am, the Pennsylvania State Police notified the Middletown Police Department about the security event at TMI. Middletown police officers arrived at the plant at 7:37 am.

At 8:30 am, workers removed restrictions on telephones at the plant. During weekends, the telephone system at the plant prevented many telephones, including some used for emergency response, from dialing offsite.

At 9:00 am, an explosive ordnance disposal unit from the U.S. Army surveyed the vehicle and observed no suspicious packages, containers, or wires.

At 9:28 am, the control room doors were unlocked to allow two workers to enter the shift supervisor’s office and activate the pagers to summon the emergency responders.

At 9:37 am, the NRC resident inspector, a representative of the state’s Bureau of Radiation Protection, and a company public affairs person with an armed escort walked through the turbine building and entered the control building.

At 10:20 am, the explosive ordnance disposal unit completed a more thorough search of the vehicle and found no bomb or “explosive paraphernalia.”

At 10:22 am, site security officers and Pennsylvania State Police officers began searching for the intruder.

Fig. 4 (Source: Nuclear Regulatory Commission NUREG-1485)

At 10:34 am, security personnel regrouped after completing the first search of the turbine building. Their search efforts had been hampered by dimly-lit areas inside the turbine building. To aid in future searches of darkened places, the team was given a flashlight.

At 10:36 am, the Emergency Director at TMI briefed the security team on the potential effects of using firearms in the turbine building (i.e., what could happen if bullets strike things other than the intruder).

At 10:40 am, the flashlight-equipped security team began a second search of the condenser pit area within the turbine building.

At 10:57 am, the security team found the intruder hiding in a dark area adjacent to a main condenser waterbox. The Pennsylvania State Police took custody of the intruder.

Fig. 5 (Source: Nuclear Regulatory Commission NUREG-1485)

At 11:10 am, the explosive ordnance disposal unit completed a more detailed search of the vehicle and still found no bomb.

At 11:30 am, the explosive ordnance disposal units completed a search of the vehicle using an explosive detection dog. The dog didn’t find a bomb either.

At 11:45 am, the Pennsylvania State Police left the plant site with the intruder.

At 2:39 pm, cadets from the Pennsylvania State Police Academy arrived at the site by bus to search the entire island.

At 4:25 pm, the Site Area Emergency declaration was terminated.

The Intruder

The intruder was identified as a 31-year-old Caucasian male approximately 6 feet 1 inch tall and weighing 140 pounds with thick, black, shoulder-length hair and a heavy beard. At the time, he lived with his mother in a rural community northwest of Harrisburg about 56 miles from TMI.

The man had been admitted to hospitals at least three times for treatment of depression. The most recent hospitalization before this event had been an involuntary admission on January 18, 1993. He had been released on January 22.

The Earlier Intruder

This was not the first time that an unauthorized person had driven onto the island. At around 4:25 pm on April 23, 1980, a watchman at the North Gate observed a vehicle whiz by without stopping and reported the trespassing to the roving security patrol. A security alert was declared, the Pennsylvania State Police were contacted, and an extensive search was begun. About four hours later, the trespasser was identified as a plant worker. The worker had been on the island, departed in his vehicle via the North Gate, and returned shortly afterwards. The worker said he’d not stopped on re-entering the site because he believed the watchman would know he was returning.

The Earliest Intruder

That was not the first time that an unauthorized person had driven onto the island, either. At 6:50 pm on January 27, 1976, a vehicle drove past the North Gate without stopping. Fifteen minutes later, a construction worker reported seeing someone climbing the security fence around the protected area. Twenty minutes later, workers called security to report hearing someone singing near the top of the reactor building. At 8:00 pm, the security officer at the North Gate who saw the vehicle whiz by him entering the island saw that same vehicle whiz by him leaving the island. The Pennsylvania State Police tracked down the individual from the vehicle’s license tag. The individual was voluntarily admitted into a local mental hospital. (Might as well admit him—he’d sneak in anyway.)

The NRC “Intruders”

The NRC dispatched an Incident Investigation Team (IIT) to TMI following the unauthorized entry. The IIT consisted of ten members supported by six technical staffers. The IIT identified several factors which impaired the response to the intrusion, including:

  • There was no vehicle at the North Gate for security officers to use to pursue and intercept the unauthorized vehicle.
  • The response was delayed by the time it took security personnel to obtain weapons from isolated storage locations.
  • The search-and-clear efforts were poorly coordinated, delaying searches in some areas. In addition, security officers were not posted after some areas were cleared to ensure those areas remained clear.
  • The reluctance of some security officers to use response weapons could have placed them at a disadvantage had they confronted an intruder equipped with design basis threat weaponry.
  • The plant’s security personnel searched for explosive materials before the explosives ordnance disposal unit arrived, but they had received no training on recognizing explosives. (Note: When I toured TMI after 9/11, the security manager conducting the tour told us that security officers are required to search incoming vehicles for bombs, but they have received no training on what a bomb looks like.)
  • While flashlights were stored in the security “ready room,” they were not retrieved and used during the initial search of the turbine building.
  • The company conducted quarterly security response drills in the three levels of the Unit 2 turbine building, which is significantly different from the six levels within the Unit 1 turbine building where the real event transpired.

The Drive to More Secure Nuclear Plants

Five hundred and forty (540). That’s how many days elapsed between someone driving into the TMI turbine building and the NRC putting upgraded security regulations on the street.

The NRC had considered security threats posed by vehicles prior to February 7, 1993. For example, in a paper (SECY-86-101) to the Commissioners dated March 31, 1986, the NRC staff noted that the chain link fences surrounding protected areas of nuclear plants would not prevent a vehicle from crashing through. But the staff concluded that prompt response by armed security officers would mitigate any fence-crashers.

The Nuclear Control Institute (NCI) and the Committee to Bridge the Gap (CBG) jointly submitted a petition for rulemaking dated January 11, 1991, to the NRC seeking to upgrade the regulations on nuclear plant security to include protection against explosive-laden vehicles and boats. On June 11, 1991, the NRC denied the rulemaking petition on the grounds “that there has been no change in the domestic threat since the design basis threat was adopted [in 1979] that would justify a change in the design basis threat.”

The events of February 1993 prompted the NRC to reconsider earlier decisions. The NRC noted “The bombing at the World Trade Center demonstrated that a large explosive device could be assembled, delivered to a public area, and detonated in the United States without advance intelligence” and that “The unauthorized intrusion at the Three Mile Island nuclear power station demonstrated that a vehicle could be used to gain quick access to the protected area at a nuclear power plant” (Federal Register, page 58805, November 4, 1993.)

The NRC conducted a Commission briefing on the re-evaluation of the design basis threat of nuclear plant sabotage on April 22, 1993. The NRC held a public meeting on better protection against vehicle intrusion and vehicle bombs on May 10, 1993. The NRC issued a draft rule titled “Protection Against Malevolent Use of Vehicles at Nuclear Power Plants” for public comment on November 4, 1993. And the NRC issued the final rule on August 1, 1994.

The upgraded rule required owners to evaluate their plants for potential damage from detonation of a vehicle laden with explosives and then either install barriers preventing vehicles from getting close enough to cause harm or provide structures protecting vital equipment from blast effects.

Fig. 6 (Source: Nuclear Regulatory Commission)

UCS Perspective

In reviewing momentous events for possible candidates in this series, this event appeared unquestionably to fall into the “just right regulation” bin. It ultimately found its way into that bin, but it became a bank shot rather than the swish or slam-dunk it initially appeared to be.

Slightly more than two years before the TMI intrusion, two non-governmental organizations petitioned the NRC to update its regulations to require protection against vehicle bombs. The NRC took only five months to deny that petition on grounds the perceived threat was really no threat.

Slightly less than 18 months after the TMI intrusion, the NRC revised its regulations to require protection against vehicle bombs.

A strong argument could be made that the NRC had sufficient cause in 1991 to update its regulations. After all, the TMI intrusion and the World Trade Center truck bombing were the very kinds of threats cited by NCI and CBG in their petition and became the leading reasons cited by NRC in 1994 for the revised regulations. This compelling argument could readily persuade an impartial jury to place this event in the “under-regulation” bin.

The counter argument would point out that the NRC addressed the petitioners’ concerns one-by-one. For example, the petitioners identified the rise of State-sponsored terrorism as evidence of the need for upgraded security requirements. The NRC responded to this concern by contending that while unrest has been experienced in other parts of the world, it hasn’t happened here. The NRC also observed that it relies on U.S. intelligence efforts to identify, and thwart, larger coordinated attacks.

In issuing upgraded security regulations on August 1, 1994, the NRC explicitly conceded that it had denied the NCI/CBG petition seeking that outcome just three years earlier. The NRC noted that “The vehicle bomb attack on the World Trade Center represented a significant change to the domestic threat environment that changed many of the points used in denying the petition and eroded the basis for concluding that vehicle bombs could be excluded from any consideration of the domestic threat environment.”

Because the NRC did not stick by its 1991 denial and took steps after the events of February 1993 to better protect nuclear power plants—and more importantly, the people who work in them and live around them—from sabotage using vehicles, this event goes into the “just right regulation” bin. It would never make it into the “just perfect regulation” bin, but also does not deserve to fall into the “under-regulation” bin.

There’s more than a hint of the Nielsen Ratings Commission (NRC) and media spotlight effect described in the Role of Regulation #1 commentary. The NCI and CBG petition garnered trade press coverage. The TMI intruder event garnered local coverage. The World Trade Center bombing days later received international media coverage for weeks. That’s a powerful spotlight helping the NRC see the need for better protection against vehicle bombs.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

NRC’s Reprisal Study Reveals Safety Agency Has a Chilled Work Environment

In January 2018, the NRC circulated within the agency a 100-page report titled “Study of Reprisal and Chilling Effect for Raising Mission-Related Concerns and Differing Views at the NRC.” The report was authored by Renee Pedersen, who had managed the NRC’s Differing Professional Opinion (DPO) and non-concurrence programs for many years before retiring from the agency at the end of that month. These programs enable NRC staffers to register differing views with agency positions or plans and to have those views formally evaluated.

This is an issue I follow closely. I issued a report and blog post last year titled “The Nuclear Regulatory Commission and Safety Culture: Do As I Say, Not As I Do” examining evidence that prompted the NRC to intervene about safety culture problems at U.S. nuclear power plants and comparable evidence strongly suggesting that the agency had the same, if not worse, signs of trouble. These products updated a theme discussed in a November 2014 blog post.

After hearing about the reprisal study and its contents from several NRC staffers, I submitted a request under the Freedom of Information Act (FOIA) for it on February 1, 2018.

On June 27, the NRC emailed me the reprisals study. Well, they emailed me a redacted version of the reprisals study. Certain information was blocked out in the released report on alleged grounds that its disclosure would compromise the anonymity of NRC staffers. The study compiled results from several surveys of the NRC’s work force—those conducted every three years by the NRC’s Office of the Inspector General, those conducted annually by the Federal Employee Viewpoint Surveys, and those conducted by the NRC’s Office of Enforcement. The first two types of surveys involved the entire NRC work force and typically had nearly 80 percent response rates; the third type of surveys went out to a much smaller subset of the NRC’s work force—those individuals who had filed DPOs and non-concurrences.

Figure 1 is the heavily-redacted Page 58 from the Reprisals Study. It showed (or would have shown but for the redactions) the responses to the 2013 and 2016 surveys of NRC staff who had initiated DPOs.

Fig. 1 (Source: NRC record obtained by UCS via FOIA)

Typically, it’s hard to contest the redaction of information for any purported reason without seeing the information to see whether it indeed justifies withholding.

But it’s easy to contest the redaction when you’re able to see the information being withheld. Figure 2 is the entirely unredacted Page 58 from the Reprisals Study.

Fig. 2 (Source: Confidential, anonymous UCS source(s))

So, no NRC staffer is identified by the unredacted information. The unredacted information does strongly suggest that nine individuals responded to the 2013 survey questions (i.e., 1 out of 9 equals 11%, 2 out of 9 equals 22%). The unredacted information does not suggest how many individuals responded to the 2016 survey (unless it was only one) since there were 100% or 0% response rates for every question. Okay, another solid clue resides in NRC’s online electronic library, ADAMS. NRC staff initiating DPOs can elect to make the final DPO package publicly available in ADAMS. The NRC numbers DPOs sequentially: the first one is DPO-yyyy-001, the fifth one is DPO-yyyy-005 and so on. It doesn’t take a concerned scientist long to figure out from ADAMS about how many DPOs are filed each year and thus how many DPO initiators are being surveyed (clue—fewer than a dozen each year.)

Page 58 is part of Appendix D to the Reprisals Study. The first sentence of Appendix D stated: “OE [Office of Enforcement] conducted two anonymous voluntary surveys to employees who submitted non-concurrences and DPOs.” So, the survey results were submitted voluntarily and provided anonymously (i.e., Response A could not be linked to any specific member of the DPO and non-concurrence author universe.)

So, case closed on whether or not disclosure of anonymous responses submitted voluntarily could reveal personal privacy information or compromise anyone’s anonymity. UCS has formally appealed this bogus rationale by the NRC and requested that the illegally redacted information be released publicly.

What Does the Reprisal Study Reveal?

The unredacted and “outed” redacted portions of the Reprisals Study make it crystal clear that the NRC has a chilled work environment. Several safety culture terms are defined beginning on page 7 of the Reprisals Study. Two of those definitions are quoted verbatim, including the boldfacing in the original text, from the study:

Chilling Effect is a condition that occurs when an event, interaction, inaction, decision, or policy change results in a perception that the raising of a mission-related concern or differing view to management is being suppressed, is discouraged, or will result in reprisal

Chilled Work Environment is a condition where the chilling effect is not isolated (e.g., multiple individuals, functional groups, shift crews, or levels of workers within the organization are affected

Note that a “chilling effect” is defined not as the actual, irrefutable, uncontestable, unmistakable reality that raising a differing view will result in reprisal, but merely the perception of such an adverse outcome. But page 6 of the Reprisals Study stated that “reprisal is a case in which perception is as important as reality” [boldface in original text.]

And note that a “chilled work environment” exists when the perception that voicing differing views will result in reprisal is not isolated to a single worker.

Look at Figure 2 again. The chart at its top reveals that 100 percent of the respondents in 2016 felt they had experienced a negative consequence for having filed a DPO. The chart at its bottom shows that respondents felt they experienced reprisals of various forms.

Figure 2 constitutes prima facie evidence of a chilling effect within the NRC—at least one worker felt that filing a DPO had negative consequences. I have ample reason to believe that Figure 2 also constitutes prima facie evidence of a chilled work environment within the NRC because more than one worker reported this feeling. I have had private communications with more than one DPO filer who told me they responded to the survey indicating they experienced negative consequences. But Figure 2 alone does not prove a chilled work environment, since the 2016 data could reflect 100% responses from a sole individual.

Other portions of the study provide compelling evidence that a chilled work environment exists at the NRC. The study shows that in the 2015 survey:

  • Only 64% of employees said they believed the NRC “has established a climate where truth can be taken up the chain of command without fear of reprisal”
  • Only 68% of employees said they “can raise any concern without fear of retaliation”
  • Only 77% said “it is safe to speak up in the NRC”
  • 20% of the employees indicated “they had heard of someone within the last year who experienced a negative reaction for having raised a mission-related differing view”

While it is commendable that the surveys suggest that the NRC’s workplace is thawing over time, global warming seems to be significantly outpacing the agency’s workplace warming. The 2015 numbers are totally unacceptable. The NRC has come down hard and heavy when nuclear plant sites have smaller segments of their work forces fearful of voicing safety concerns. (See our 2017 report for example after example of the NRC intervening for much smaller pockets of fear and reluctance.)

Ms. Pedersen also consulted with the NRC’s Office of the Inspector General, Office of the Chief Human Capital Officer, Office of General Counsel and Office of Small Business and Civil Rights as well as the National Treasury Employees Union that represents many NRC workers and found “it appears that five reports of reprisal may have occurred in the last three years.” The study quoted from the April 24, 2017, NTEU newsletter: “We continue to hear about employees being afraid to raise issues for fear of retaliation as well as from employees who feel they have been retaliated against for raising concerns, including safety concerns.”

UCS Perspective

By its own definition, the NRC considers a chilling effect to exist when there’s the perception that raising a differing view can result in reprisal. By its own data, that perception exists within the NRC’s work force.

By its own definition, the NRC considers a chilled work environment to exist when a chilling effect involves multiple workers. By its own data, a chilled work environment exists within the NRC.

By its own words and actions, the NRC has an intolerance for chilled work environments at nuclear power plants.

By its own inactions, the NRC has a tolerance for its own workers being chilled.

Americans deserve better from this federal agency. Their safety is in the hands of NRC’s inspectors, reviewers, managers, and staffers and those workers must feel free to raise those hands if they have safety concerns.

Equally important, NRC workers deserve better from their agency. These are talented and dedicated professionals who voice concerns because it is the right thing to do. When they do the right thing, the NRC simply must stop doing the wrong thing in response.

The good news is that the NRC knows how to remedy chilled work environments. They have been requiring those remedies be taken at nuclear plant site after nuclear plant site.

The bad news is that the NRC seems unwilling or unable to thaw out its own chilled work environment.

Final point (for now): I joined UCS in the fall of 1996. I suspected that I would hear from nuclear plant workers about safety concerns they had raised but which had not been satisfactorily resolved or which they feared raising. And my suspicions have been proven valid. But what I neither suspected nor imagined was that I would hear from NRC workers for the same reasons. But each and every year that I’ve worked for UCS, except for one, I have received more contacts from NRC workers than from all nuclear plant work forces combined. Evidently, the NRC has the largest nuclear refrigerator in the country.

Rather than “chill out,” the NRC needs to “thaw out.” Too much chillin’ going on.
