UCS Blog - All Things Nuclear, Nuclear Power Safety - Latest 2

Nuclear Reactor Fuel Safety: The Waiting Gain

Nuclear power reactors split atoms to release energy used to generate electricity. Many of the byproducts formed when atoms split are unstable (radioactive) and release particles or gamma rays in search of stability. These radioactive emissions produce energy. Whether in the core of an operating reactor, in the core of a shutdown reactor, in the spent fuel pool after discharge from a reactor core, or in dry storage after offloading from a spent fuel pool, the energy released from nuclear reactor fuel must be removed before the fuel is damaged by overheating. This commentary describes the energy levels associated with nuclear fuel in various locations at various times to illustrate the factors that affect the associated hazard levels.

Nuclear Fuel Locations

The San Onofre nuclear plant near San Clemente, California is used to describe the nuclear reactor fuel locations and energy levels for this commentary. San Onofre has been permanently shut down, but data from when its reactors operated and for the spent fuel remaining onsite represent conditions at nuclear plants across the country.

Figure 1 is an aerial view of San Onofre Units 2 and 3 during their construction in 1980. The reactor cores resided within the reactor containment domes—robust structures made from thick reinforced concrete. Each unit had a spent fuel pool housed within its own Fuel Handling Building, an industrial-grade structure designed not to fall down when the wind blows or ground shakes.

Figure 1 (Source: Nuclear Regulatory Commission)

Figure 2 is an aerial view of the dry storage locations at San Onofre. Concrete vaults stored metal canisters of spent fuel assemblies from Unit 1 in horizontal vaults. The owner opted to place metal canisters of spent fuel assemblies from Units 2 and 3 in vertical vaults within an underground concrete slab. The dry storage area is on the plant site. The Unit 2 and 3 buildings are off the picture to the right.

Figure 2 (Source: Southern California Edison presentation, November 2, 2017)

Nuclear Fuel Energy Levels

Table 1 provides information on the energy levels of nuclear reactor fuel under various conditions for San Onofre Unit 3. Its reactor core contained 217 fuel assemblies. The reactor was licensed to operate at power levels up to 3,438 Megawatts thermal (Mwt). When operating at full power, the average fuel assembly generated 15.8 Mwt. When operators flipped switches to rapidly insert control rods that interrupted the nuclear chain reaction, the reactor might be shut down but the decay of unstable fission byproducts continued to produce about six percent of the core’s output at full power. The average fuel assembly released just under 1 Mwt minutes after a reactor shut down from full power. As fission byproducts decayed, the radioactive emissions continued to release energy at steadily decreasing amounts. Fifteen days after a reactor shut down from full power, the power level of an average fuel assembly dropped to 0.41 Mwt.

The Unit 3 spent fuel pool was licensed to hold up to 1,542 fuel assemblies. After the plant was permanently shut down and all fuel assemblies were offloaded from the reactor core, the Unit 3 spent fuel pool contained 1,350 fuel assemblies. The Unit 3 spent fuel pool had two limits on decay heat from the spent fuel it held. The maximum limit of 15.035 Mwt assumed the entire reactor core was offloaded into the spent fuel pool as quickly as allowed by the license in addition to the decay heat from the rest of the spent fuel in the pool. The normal limit of 7.239 Mwt applied to times when only a portion of the reactor core was discharged to the spent fuel pool during refueling and replaced with new fuel assemblies.

The owner calculated the actual decay heat load in the Unit 3 spent fuel pool at various times since permanent shut down of the plant. The actual decay heat load was 0.953 Mwt at the end of 2013 and has steadily declined since then.

The owner is transferring fuel assemblies from the Unit 3 spent fuel pool into the underground dry storage vaults using Multi-Purpose Canisters holding up to 37 assemblies (MPC-37). Each MPC-37 canister is certified for storing up to 37 spent fuel assemblies with a maximum total decay heat load of 0.037 Mwt. The canisters being loaded at San Onofre have actual decay heat loads of about 0.028 Mwt.

The fifth column of Table 1 compares the relative power levels of fuel in various locations to the power level in an MPC-37 loaded to the maximum limit. The power level of the reactor core at full power is nearly 93,000 times higher than that in the MPC-37.

The sixth column of Table 1 shows the power level of the average fuel assembly in the spent fuel pool to roughly equal the power level of a fuel assembly in the MPC-37. While the fifth column shows that the individual fuel assembly power levels are about the same, the larger inventory of fuel assemblies in the spent fuel pool yields a higher overall power (energy) level.

Table 1. (Source: Union of Concerned Scientists)

Nuclear Fuel Amounts

The third column of Table 1 provides the inventories of fuel assemblies in the reactor core and spent fuel pool in terms of number of equivalent MPC-37 canisters. It would take about six MPC-37 canisters to hold the fuel assemblies from one reactor core. It would take more than 36 MPC-37 canisters to store the fuel assemblies from the Unit 3 spent fuel pool before the current loading campaign began. Thus, the spent fuel pool contained about six reactor cores’ worth of fuel assemblies while the reactor core contained about six MPC-37’s worth of fuel assemblies.

Nuclear Fuel Populations

Table 2 provides the information on energy levels of nuclear reactor fuel for San Onofre Unit 2. The results are identical to Unit 3’s information for the reactor core and MPC-37 cases, and very similar for the spent fuel pool case.

Table 2 contains information on a few additional conditions for Unit 2 beyond those presented for Unit 3. I estimated the inventory and heat load in the Unit 2 spent fuel pool after 5, 10, 15, 20, 25, and 30 MPC-37s had been loaded. This analysis shows that while the average fuel assembly energy level (column 6) remains the same, the overall energy level (column 4) in the spent fuel pool decreases as fuel assemblies are transferred into dry storage.

Table 2 (Source: Union of Concerned Scientists)

To help put the fuel assembly relative power data in context, three additional columns are provided in Table 2. These columns link the populations of three nearby cities to the power levels relative to the MPC-37 maximum power level (i.e., the column 5 data). As the power levels decreased when the reactor was shut down, fuel was offloaded to the spent fuel pool, and fuel was transferred into dry storage, the population levels were reduced by the same percentage.

All but one person (I think it’s Amy although it might be Earl) must depart San Clemente to match the reduction in power level from full power to MPC-37 storage.

UCS Perspective

Tables 1 and 2 illustrate the relative hazards of nuclear fuel in reactor cores, spent fuel pools, and dry storage. Nuclear fuel in the reactor core, even in the core of a shutdown reactor, has a significantly higher energy level than when in the spent fuel pool or dry storage. The higher energy level has two associated hazard implications. First, it translates into less time to successfully intervene to prevent fuel damage when cooling is lost or impaired. Second, it provides a larger catalyst or engine to expel radioactive materials from damaged fuel. Risk is defined as the product of the probability of an accident times its consequences. The first factor affects the probability of an accident while the second factor affects its consequences. Combined, these factors can cause risk to increase.

Nuclear fuel in spent fuel pools has lower energy levels than when in reactor cores. The average fuel assembly energy levels are lower than the maximum energy level permitted in a MPC-37 canister. But the associated inventories indicate why spent fuel pools have higher risks than dry storage. The collective higher energy levels in spent fuel pools once again translate into less time to respond should cooling be lost or impaired. And the larger inventory of fuel assemblies emits a larger radioactive cloud should intervention fail.

Nuclear fuel in dry storage represents the least amount of fuel at the lowest energy level. If cooling is lost or impaired, more time is available to successfully intervene and less nasty spread gets out when efforts fail. But fuel in dry storage is far from absolutely safe. If it were even close to being so safe, the US would not be spending billions of dollars looking for, but not yet finding, a geological repository that can isolate this hazardous material from people and the environment for at least 10,000 years into the future.

Dry storage is the safest and securest way to manage nuclear fuel risks today. However, the more of the 10,000-year period we waste looking for a geological repository, the less competent and responsible we reveal ourselves to be.

We can do better. And not just because it would be hard for us to mess this mess up any worse than we’ve mismanaged so far.

Fatal Accident at Arkansas Nuclear One

Role of Regulation in Nuclear Plant Safety #11

The Fatal Accident

As described in Fission Stories #139 and illustrated in Fission Stories #181, on March 31, 2013, a temporary crane collapsed while removing a component weighing 525 tons in the turbine building of the Unit 1 reactor at Arkansas Nuclear One near Russellville, AR. The dropped load struck the turbine building floor with considerable force, then rolled and fell through an opening to cause further damage on a lower floor. One worker was killed and eight others injured by the accident.

Hundreds of pictures of the dropped load and the damage it inflicted have been released. Figure 1 shows the structural steel beams and concrete floor damaged when the load struck the turbine deck. Towards the camera from the bent beam is the opening that the load then plunged through.

Fig. 1 (Source: Nuclear Regulatory Commission)

Figure 2 shows the dropped load (the cylindrical red object) resting on the hauler it damaged. Sections of the collapsed crane and portions of the damaged building lie on the hauler and load.

Fig. 2 (Source: Nuclear Regulatory Commission)

The Unit 1 reactor had been shut down a week earlier for refueling. The vibrations from the heavy load impacting the turbine deck and the damage from the load crashing 30 feet onto the floor below disconnected Unit 1 from the offsite power grid and caused loss of cooling for the irradiated fuel in the reactor core and spent fuel pool. The emergency diesel generators automatically started to restore power to emergency equipment. The station blackout diesel generator was disabled because its connecting cables to both units were severed. Workers ran temporary cables to restore power to non-emergency equipment from the offsite power grid and portable diesel generators. The emergency diesel generators ran for six days until normal supplies from the offsite power grid were recovered.

The Unit 2 reactor was operating at full power at the time. The vibrations caused the electrical breaker for power supply to reactor coolant pump B to open. The loss of reactor coolant pump B triggered an automatic shutdown of Unit 2. The dropped load had ruptured an 8-inch diameter fire suppression system header. Water pouring from the broken ends of the pipe flooded areas of the turbine building with tens of thousands of gallons. It took workers about 45 minutes to turn off pumps and close valves to stop the flow of water from the broken pipe. The internal flooding caused a short circuit and explosion inside an electrical cabinet about 93 minutes after the drop that disabled one of the two offsite power connections for Unit 2. The consequences from the partial loss of power included a water hammer in the feedwater heaters and the operators using natural circulation to cool down the reactor for the first time in the reactor’s 30-plus year lifetime.

The Initial Regulatory Response

The Nuclear Regulatory Commission (NRC) dispatched an Augmented Inspection Team (AIT) to investigate the fatal accident. The AIT’s report, issued on June 7, 2013, identified ten issues requiring additional consideration. For a year after the fatal accident, both reactors at Arkansas Nuclear One remained in Column 1 of the NRC’s Action Matrix reflecting performance meeting or exceeding safety standards as the NRC pondered what to do with what it knew.

The Belated Regulatory Response

One week shy of the accident’s anniversary, the NRC proposed issuing one Red finding for the Unit 1 problems and one Yellow finding for the Unit 2 problems.

The proposed Unit 1 Red finding resulted primarily from the chances that the two emergency diesel generators failed. The accident disconnected the unit from its normal offsite power sources for six days. The accident disabled the station blackout diesel generator. The unavailability of offsite power disabled the instrument air system. Without instrument air, the two emergency diesel generators had air tanks with sufficient capacity for about ten start attempts. Had the emergency diesel generators not successfully started before this air reserve was exhausted, the unit would have entered a station blackout condition. At the time, the decay heat from the reactor core would have heated the reactor vessel water to boiling in 11 hours and the water boiled away would have uncovered the reactor core in 96 hours.

Based on standard human reliability analysis (HRA) values for workers diagnosing problems and the likelihood of successfully implementing contingency measures within the necessary time frames, the NRC calculated the conditional core damage probability for Unit 1 to be 3.8×10⁻⁴ per year, or one meltdown every 2,632 years. That seems like a remote risk, but before March 11, 2011, the chances of a tsunami inundating the Fukushima Daiichi site and causing a meltdown had been estimated at about one such event in 3,500 years, and those odds were beaten.

A similar risk analysis was performed for Unit 2. The proposed Unit 2 Yellow finding resulted primarily from the calculated risk that the reactor lost the normal feedwater, auxiliary feedwater, and emergency feedwater systems and that workers could not establish once-through cooling of the core. The NRC estimated the chances of these outcomes occurring concurrently to be 2.8×10⁻⁵ per year, or one such meltdown every 35,714 years.

The Owner Rejects the Regulatory Proposals

On May 1, 2014, the owner met with the NRC to dispute the agency’s ciphering and associated color selections. The owner described four independent means for workers to have cooled the Unit 1 reactor core and averted meltdown. While none of these means was absolutely guaranteed, the owner calculated the chance that all four failed to prevent meltdown to be 4.8×10⁻⁶ per year, or one meltdown every 208,333 years. If so, this risk corresponds to a White rather than Red finding as proposed.

The owner also disputed the NRC’s ciphering of the Unit 2 risk. The owner’s math put the risk of meltdown at 1.8×10⁻⁶ per year, or one meltdown every 555,556 years. If so, this risk corresponds to a White rather than Yellow finding as proposed.

The Modified Belated Regulatory Response

Two weeks after the AIT report’s anniversary, the NRC issued its final answer on the AIT’s findings, issuing Yellow findings for the Unit 1 and 2 problems. And only then did the NRC move both reactors into Column 3 of the Action Matrix.

The NRC revised its initial assessment of the risk of meltdown of the Unit 1 reactor. The owner contended that it would take 115 hours, not the 96 hours assumed by the NRC, for an uncooled reactor to boil away enough water to become uncovered and damaged. Applying the longer core uncovery time reduced the meltdown risk from 3.8×10⁻⁴ per year to 2.6×10⁻⁴ per year, or one meltdown every 3,846 years. The NRC issued the Yellow finding based on its revised risk assessment.

The NRC stood behind its initial assessment of the risk of meltdown of the Unit 2 reactor. The owner sought credit for manual actions taken by workers to restore components to service. The NRC felt that the owner was very optimistic about workers being able to complete the many steps in time due to increased stress levels of workers tackling darkness, debris, and flood waters resulting from the accident. The NRC retained the Yellow finding based on not revising its risk assessment.

The Rest of the Regulatory Response, Delayed Additionally

Nearly two years after the accident, the NRC issued another Yellow finding for inadequate flood protection measures that became evident during the accident. The collection of Yellow findings led the NRC to move the plant into Column 4. The NRC did not return Arkansas Nuclear One to Column 1 until the summer of 2018.

UCS Perspective

Had this been a regulatory race involving the NRC, a sloth, a snail, and a tortoise, the NRC would have finished a distant fourth. The NRC’s Reactor Oversight Process provides performance ratings that dictate appropriate levels of oversight every quarter. A home pregnancy test that provides an indication one year later is no less useless than an NRC Augmented Inspection Team’s investigation of a fatal accident yielding decisions a year or two later. “Justice delayed is justice denied” was coined for lengthy moments like this one.

But the injustice stemming from the NRC’s foot-dragging deliberations is overshadowed by the injustice of its long overdue verdict. The verdict was two Yellow findings for in-plant power impairments caused by the dropped load and associated flooding. That verdict depended on the NRC’s assessment of the chances that workers could deploy contingency measures to offset the equipment disabled by the event in time to prevent overheating of the reactor core.

That verdict is contrary to most verdicts reached by the NRC when assessing similar situations. Here’s but a very tiny sampling of the typical verdicts issued by the NRC for power impairments:

Assuming that the overwhelming majority of its verdicts have been correct (or at least, less wrong), then the atypical harshness of the Yellow findings at Arkansas Nuclear One reflects over-regulation by the NRC.

Blame the Game, Not Its Players

Jeff Mitman from NRC headquarters and David Loveless from NRC’s Region IV performed the risk assessments for the Arkansas Nuclear One accident. I have known both men for several years and found them to be among the many dedicated, talented staff at the NRC. I cannot contend that Mitman and Loveless erred when assessing the Unit 1 and 2 risks as high as they did.

Instead, the risk assessment tools they were forced to use are little more than nuclear Ouija boards lacking precision and repeatability. Plant workers using the same risk assessment tools derived “answers” that differed by about a factor of 100.

Imagine using a scale that provided your weight plus or minus a factor of 100. If you weighed 150 pounds, that scale could tell you one day that you weighed 1 ½ pounds and the next day that you weighed 15,000 pounds.

Imagine driving a car with a speedometer reporting your speed plus or minus a factor of 100. Traveling along at 55 mph, it might show you nearly stopped or zipping along at 5,500 mph.

Imagine using an ATM that told you your checking account balance plus or minus a factor of 100. If you had $1,000 in the account, you’d relish the days it revealed you had $100,000 to spend and be glum when it said you only had $10.

Imagine using a risk analysis tool that gave you risk results plus or minus a factor of 100. You can sense what it must be like to be Mitman or Loveless seeking to put some situation in rational context.

Stores do not sell imprecise scales, speedometers, and ATMs because no one in their right minds and few with the wrong minds would buy them.

So why is the NRC forcing its dedicated, talented staff to use imprecise risk assessment tools to make “risk-informed” regulatory decisions?

Why indeed.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Clinton Power Station: Even More Power Problems

The Clinton Power Station is located 23 miles southeast of Bloomington, Illinois and has one General Electric boiling water reactor with a Mark III containment that began operating in 1987.

In December 2017, the Nuclear Regulatory Commission (NRC) dispatched a Special Inspection Team to the plant to investigate a transformer failure that prompted the operators to manually scram the reactor. That event nearly duplicated a transformer failure/manual scram event that happened at Clinton in December 2013.

The ink had scarcely dried on the NRC’s special inspection report when Clinton experienced yet another electrical power problem. Some progress has been made—this time it did not involve a transformer failure causing the reactor to be shut down. This time, the reactor was already shut down when the power problem began. This time, the failures involved several workers over several days failing to follow several procedures while restoring a disabled emergency power supply. This time as in the past, the NRC dispatched a special inspection team to figure out what went wrong.

Entering a Refueling Outage

The operators shut down Clinton on April 30, 2018, to enter an outage during which the reactor would be refueled. When the reactor is running, nearly the entire array of emergency equipment must be operable except for brief periods of time. During refueling, the list of emergency equipment required to remain operable is shortened, providing opportunities for components to be tested, inspected, and repaired as necessary.

The operators tripped the main generator on April 30 as part of the reactor shutdown process. When the generator was online, the electricity it produced went through the main transformers to the 345-kilovolt switchyard where transmission lines provided it to the offsite power grid. The generator’s output also flowed through the Unit Auxiliary Transformers to supply in-plant electrical needs. As shown in Figure 1, this supply to in-plant loads was unavailable with the main generator offline.

Fig. 1 (Source: NRC, color annotations by UCS)

On May 5, workers de-energized the Emergency Reserve Auxiliary Transformer (ERAT) shown on the left side of Figure 1 to support planned maintenance. Power for in-plant loads came from the 345-kilovolt switchyard through the Reserve Auxiliary Transformer (RAT).

At 9:36 pm on May 9, workers closed an electrical breaker to restore power from the RAT to 4.16-kilovolt Bus 1B1. Bus 1B1 had been removed from service for maintenance on it and the equipment powered from it. Emergency diesel generator 1B (EDG 1B) provided the backup power to Bus 1B1 in event power from the main generator and offsite grid were lost. During the planned outage of Bus 1B1, EDG 1B had been intentionally disabled to prevent it from starting. This measure protects workers from contacting energized equipment if EDG 1B started unexpectedly.

Bus 1A1 remained in service during the time Bus 1B1 was unavailable. Bus 1A1 was also supplied with offsite power from the RAT, with EDG 1A in standby to provide backup power if needed. Safety equipment powered from Bus 1A1 cooled the reactor core and could provide makeup water if necessary.

Entering an Unsafe Condition

When power to Bus 1B1 was restored, procedures called for its backup power supply—EDG 1B—to be returned to service. A worker was sent out to place EDG 1B back in service. The emergency diesel generators (EDGs) are normally maintained in standby. Should power from the offsite power grid be lost or an accident occur, the EDGs are designed to start up, reach speed, and begin supplying electrical power to their respective buses in a little more than ten seconds. To enable the large diesel engines to perform such rapid feats, the EDGs are equipped with support systems. One support system keeps the lubricating oil warm. The start air system supplies compressed air to help the engine shaft begin spinning. Another support system supplies cooling water to protect a running diesel engine from damage caused by overheating.

Because the cooling water system for EDG 1B was not yet returned to service, a supervisor directed the worker to keep the start air valves closed. The restoration procedure called for these valves to be opened and later checked to ensure they were open. But the supervisor was concerned that an inadvertent start of EDG 1B might damage it from overheating. EDG 1B was partially restored to service on May 9.

Late in the evening of May 10, a second supervisor directed a second worker to conduct another partial restoration of EDG 1B. The fuses for the lubricating oil system had been pulled. The worker reinserted the fuses to return the lubricating oil system for EDG 1B to service.

The second supervisor turned over duties to a third supervisor before the second worker completed the assigned partial restoration. Due to miscommunication, the third supervisor thought that all the EDG 1B restoration tasks had been completed. EDG 1B was declared back in service at 2:30 am on May 11.

EDG 1B may have been declared in service, but it was incapable of running because both its start air valves were closed. At that moment, it did not compromise safety because EDG 1A and the safety equipment it supplied were still available and that’s all that was required per regulations.

Safety was compromised at 11:28 pm on May 13 when the reactor core cooling pump supplied from Bus 1A1 was removed from service and the reactor core cooling pump supplied from Bus 1B1 was placed in operation. Bus 1B1 was supplied with offsite power through the RAT. But had the transformer failed or the offsite power grid been lost, the disabled EDG 1B would not have stepped in to save the day.

Safety was further compromised at 12:30 am on May 14 when Bus 1A1 was de-energized and all the safety equipment it supplied rendered useless.

Had the offsite power grid been lost or the RAT failed, Bus 1B1 and all the equipment it supplied would have been de-energized. Bus 1A1 and all the equipment it supplied was intentionally de-energized. And Bus 1C1, backed by EDG 1C, was energized. But its primary safety component, the High Pressure Core Spray system, was unavailable due to ongoing maintenance. The plant was in a vulnerable situation expressly forbidden by its operating license requirements.

Fig. 2 (Source: NRC, color annotations by UCS)

Restoring a Safe Condition

At 3:03 pm on May 17, a worker conducting routine shift rounds found the start air valves for EDG 1B closed and notified the control room operators. The EDG restoration procedure was performed—in its entirety—to really and truly restore EDG 1B to service and achieve compliance with regulatory requirements.

NRC Findings and Sanctions

The NRC special inspection team determined that EDG 1B had been inoperable for over six days without the owner’s awareness. The NRC team additionally determined that for more than three days—from May 14 through May 17—a loss of the offsite power grid would have plunged the plant into a station blackout.

While a station blackout condition doomed three reactors at Fukushima Daiichi to meltdowns, the NRC team identified three ways for workers to have responded to a station blackout at Clinton and averted such an outcome. First, they could have discovered the closed start air valves and opened them to recover EDG 1B. Second, they could have started EDG 1C and cross-connected it to re-energize Bus 1B1. While EDG 1C has a smaller capacity than EDG 1B, it had sufficient capacity to handle the loads needed during refueling. Third, they could have deployed the FLEX equipment added after Fukushima to cool the reactor core.

The NRC team calculated that had a station blackout occurred, it would have taken about five hours for the loss of cooling to heat up the water in the reactor vessel to the boiling point and that it would have taken about another twelve hours for water to boil away to uncover the reactor core and cause damage. Approximating this timeline helps the NRC assess how likely it would have been for workers to successfully intervene and avert disaster.

The NRC team also identified factors lessening confidence that workers would successfully intervene. The NRC team reported that five different workers entered the room housing EDG 1B a total of twelve times during the period it was disabled for the express purpose of ensuring things were okay. The NRC team observed that the start air valves were located at about knee-level and had been secured in the closed position with long black plastic straps. The NRC team also noted that there were two air pressure gauges both reading zero—a clear indication that there was no start air pressure available for EDG 1B. The NRC team interviewed workers, but never learned why so many workers tasked with looking for signs of trouble overlooked so many signs of trouble so many times.

The NRC issued one Green finding for failing to notice that the EDG 1B start air valves were closed.

The NRC also issued a finding with a significance yet to be determined for the multiple failures to follow procedures that led to the start air valves for EDG 1B remaining closed.

UCS Perspective

The failures by the supervisors and workers can be explained, but not excused.

Like most U.S. nuclear power reactors, Clinton typically shuts down for refueling every 18 or 24 months. The refueling outages last about a month. Thus, Clinton runs about 95 percent of the time and refuels only about 5 percent of the time.

When the reactor is running, safety equipment like the EDGs is routinely removed from service, tested and/or repaired, and returned to service. Similarly, workers conduct rounds—walkdowns of plant areas looking for off-normal conditions—every shift of every day.

During refueling, the same restoration and rounds procedures are used for the same purposes, but under significantly different conditions. When the reactor is running, most safety systems are in service making it easier to concentrate on the tiny subset taken out of service. And it’s easier to spot when something is off-normal.

Many safety systems are removed from service concurrently during refueling. Restoring safety systems to service during refueling is complicated when support systems have not yet been restored to service. Performing rounds is complicated by so many systems and components being out of their normal condition that distinguishing acceptable off-normal from improper off-normal becomes challenging. So, it can be understood how trained and dedicated workers with good intentions can fail to rise to the challenge periodically.

This event illustrates two important safety truths: (1) despite best efforts, things can go wrong, and (2) the way to make best efforts better is to extract lessons learnable from near misses and implement effective fixes.

This event did not involve any actual loss of power to safety equipment or loss of reactor core cooling. This event did involve an increased potential for these losses.

The plant owner and the NRC took this increased potential seriously and examined why it had happened. Those examinations will identify barriers that failed and suggest upgrades to existing barriers or additional barriers to lessen the chances that a potential, or actual, event occurs.

On one hand, Clinton can be said to have dodged a bullet this time. On the other hand, the owner and NRC examining this near miss will help make Clinton—and other reactors—more bulletproof.

Vogtle and Hatch: Have Cost Over-Runs Undermined Safety Performance?

In August 2018, Georgia Power announced that it had raised its estimate of the construction costs for its 45.7% share of the two new reactors being constructed at the Vogtle nuclear plant by $1.1 billion, from $7.3 billion to $8.4 billion. Assuming the company lacked warehouses stuffed with money, the cost over-run raised an important question: has the hemorrhaging budget for constructing Vogtle Units 3 and 4 taken funding or distracted management attention away from the company’s operating reactors—Vogtle Units 1 and 2 and Hatch Units 1 and 2—and undermined their nuclear safety performance?

If asked, Georgia Power would certainly say “nope.” Because the company cannot forecast the cost of building reactors within a billion dollars or so, their skill at forecasting the necessary cost of operating reactors is questionable, at best. In other words, I didn’t ask Georgia Power.

Instead, I examined two data sets that provide more reliable insights on whether cost over-runs on Vogtle Units 3 and 4 have undermined safety performance of the company’s operating reactors. One data set was the quarterly performance ratings issued by the Nuclear Regulatory Commission (NRC) for every operating reactor in the country. The other data set was the reactor power levels reported each day by reactor owners to the NRC.

NRC Performance Ratings

In 2000, the NRC began assessing performance of every operating reactor every quarter using a combination of violations of regulatory requirements identified by NRC inspectors and about 24 performance indicators. When performance meets expectations, the NRC’s findings (if any) are green and the performance indicators are green. The further performance drops below expectations, the colors move from green to white to yellow to red.

Each quarter, the NRC uses the findings and indicators to place each operating reactor into one of five columns of its Action Matrix. When all expectations are met, reactors are placed in Column 1. As performance drops, reactors are moved into Columns 2, 3, 4, and 5. More than 80 percent of the time, NRC has placed reactors in Column 1. So, performance warranting a move out of Column 1 has been experienced, but most often avoided.

The NRC’s quarterly performance ratings between 2012 and the first half of 2018 for the operating reactors at Hatch and Vogtle are shown in Figure 1. Both the Hatch reactors remained in Column 1 the entire time. The two operating reactors at Vogtle dropped into Column 2 for a total of 8 of the 26 quarters. The good news is that Georgia Power was able to remedy the performance shortcomings to return the Vogtle reactors to Column 1. The bad news is that the Vogtle reactors are underperforming the U.S. nuclear fleet. The typical U.S. reactor received Column 1 performance ratings over 80 percent of the time. The Vogtle reactors were in Column 1 less than 70 percent of the time from 2012 onward.

Fig. 1 (Source: Union of Concerned Scientists)

Daily Reactor Power Levels

Each day, plant owners report the power levels at which their reactors are operating. The NRC archives the reports and posts the daily reactor power levels over the past 365 days on its website. I used this data to plot the daily power levels reported for the Hatch Unit 1 and 2 reactors between 2014 and 2018 in Figure 2. The refueling outages conducted over this period are easy to spot—they are the wider white gaps preceded by a few days of gradually decreasing reactor power levels. Refueling outages commonly last three to four weeks. Figure 2 also shows a few other shorter outages and power reductions, especially on Unit 1.

Fig. 2 (Source: Union of Concerned Scientists)

Figure 3 shows the daily power levels for the Vogtle Unit 1 and 2 reactors between 2014 and 2018. Again, refueling outages, non-refueling outages, and power reductions are evident in the plots.

Fig. 3 (Source: Union of Concerned Scientists)

The plots of daily reactor power levels may appear about as insightful as the squiggles and blips on an EKG screen. To help put the plots for the Hatch and Vogtle reactors in context, the daily power levels for the Pilgrim reactor over the same time period are plotted in Figure 4. During most of this time, Pilgrim resided in Column 4. No reactor in the United States received lower performance ratings from the NRC during this period than Pilgrim.

Fig. 4 (Source: Union of Concerned Scientists)

What’s the difference between good performing reactors and Pilgrim? Pilgrim has fewer big blue rectangular blocks of operating at full power. Ideally, a reactor should run at 100 percent power from refueling outage to refueling outage, with only short-duration power reductions every quarter for testing. The more that the solid blue rectangles between refueling outages are splintered by unplanned shutdowns and unwanted power reductions, the less ideally a reactor is operating.
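To make the reading of Figures 2 through 4 concrete, here is an added example (my own illustration, not UCS code and not real NRC data) that applies the rules described above to a constructed daily power series: a zero-power run of at least three weeks preceded by a gradual coast-down is treated as a refueling outage, any other zero-power run as an unplanned outage, and the "splinters" between refueling outages (unplanned outages plus power reductions) are counted. The thresholds, the `Outage` type and the sample series are assumptions.

```python
"""Classify outages and count 'splinters' in a daily reactor power series.

Hypothetical worked example. The NRC posts one power level (percent of
licensed power) per reactor per day; the series here is constructed to
have that shape and is NOT real data for any plant.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REFUELING_MIN_DAYS = 21      # refueling outages commonly last three to four weeks
COASTDOWN_DAYS = 4           # days of gradual power reduction expected before refueling
REDUCTION_THRESHOLD = 90.0   # 0 < power < this counts as a power reduction (assumed)


@dataclass
class Outage:
    start_idx: int
    end_idx: int
    start: date
    end: date            # last day at zero power
    kind: str            # "refueling" or "unplanned"
    coastdown: bool      # was the outage preceded by a gradual power reduction?

    @property
    def days(self) -> int:
        return self.end_idx - self.start_idx + 1


def _is_coastdown(prior: list[float]) -> bool:
    """A coast-down is a monotonically non-increasing run ending below where it began."""
    return (len(prior) == COASTDOWN_DAYS
            and all(prior[k] >= prior[k + 1] for k in range(len(prior) - 1))
            and prior[-1] < prior[0])


def find_outages(series: list[tuple[date, float]]) -> list[Outage]:
    """Return every zero-power run, classified as refueling or unplanned."""
    outages: list[Outage] = []
    i, n = 0, len(series)
    while i < n:
        if series[i][1] > 0:
            i += 1
            continue
        start = i
        while i < n and series[i][1] == 0:
            i += 1
        end = i - 1
        prior = [p for _, p in series[max(0, start - COASTDOWN_DAYS):start]]
        coast = _is_coastdown(prior)
        long_enough = (end - start + 1) >= REFUELING_MIN_DAYS
        kind = "refueling" if (long_enough and coast) else "unplanned"
        outages.append(Outage(start, end, series[start][0], series[end][0], kind, coast))
    return outages


def power_reduction_runs(series: list[tuple[date, float]]) -> list[tuple[int, int]]:
    """Index ranges (inclusive) of consecutive days with reduced but non-zero power."""
    runs, i = [], 0
    while i < len(series):
        if 0 < series[i][1] < REDUCTION_THRESHOLD:
            j = i
            while j < len(series) and 0 < series[j][1] < REDUCTION_THRESHOLD:
                j += 1
            runs.append((i, j - 1))
            i = j
        else:
            i += 1
    return runs


def operating_summary(series: list[tuple[date, float]]) -> dict:
    """Capacity factor plus the counts that 'splinter' the blue rectangles."""
    outages = find_outages(series)
    refueling_starts = {o.start_idx for o in outages if o.kind == "refueling"}
    unplanned = [o for o in outages if o.kind == "unplanned"]
    # A coast-down directly into a refueling outage is expected, not a splinter.
    reductions = [r for r in power_reduction_runs(series) if r[1] + 1 not in refueling_starts]
    capacity = sum(p for _, p in series) / (100.0 * len(series))
    return {
        "capacity_factor": round(capacity, 4),
        "refueling_outages": len(outages) - len(unplanned),
        "unplanned_outages": len(unplanned),
        "power_reductions": len(reductions),
        "splinters": len(unplanned) + len(reductions),
    }


def build_sample_series(start: date = date(2016, 1, 1)) -> list[tuple[date, float]]:
    """Constructed 274-day series: one refueling outage, one trip, one reduction."""
    pattern = ([100.0] * 60                     # steady full-power run
               + [100.0, 80.0, 60.0, 30.0]      # coast-down into refueling
               + [0.0] * 25                     # refueling outage
               + [100.0] * 90
               + [0.0] * 3                      # unplanned trip, no coast-down
               + [100.0] * 40
               + [70.0, 70.0]                   # unwanted power reduction
               + [100.0] * 50)
    return [(start + timedelta(days=i), p) for i, p in enumerate(pattern)]


if __name__ == "__main__":
    data = build_sample_series()
    for o in find_outages(data):
        print(f"{o.kind:9s} {o.start} to {o.end} ({o.days} days, coastdown={o.coastdown})")
    print(operating_summary(data))
```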

UCS Perspective

The NRC’s quarterly performance ratings suggest the financial and management resources poured into the cost over-runs on Vogtle Units 3 and 4 have not undermined safety performance at Hatch Units 1 and 2.

The NRC’s quarterly performance ratings for Vogtle Units 1 and 2 paint a slightly different picture. Whereas the average U.S. reactor received Column 1 ratings from the NRC over 80 percent of the time, the Vogtle reactors got Column 1 ratings less than 70 percent of the time in recent years. But this situation is tempered by both reactors currently receiving Column 1 ratings. The Vogtle reactors under-performed the U.S. fleet, but not by a troubling extent.

The daily reactor power levels for the Hatch and Vogtle reactors also suggest that performance has not been appreciably undermined. The data do not suggest that the Hatch and Vogtle reactors have the performance shortcomings reflected by the daily reactor power levels for the Pilgrim reactor—the worst performing reactor per the NRC’s ratings—over the same period.

The NRC’s quarterly performance ratings are the public’s safety net. Insufficient budgets, inadequate management attention, aging equipment, and other causes can lead to lowered performance ratings. Lower performance ratings increase NRC oversight. The early detection and correction of performance shortcomings prevents problems from growing to epidemic proportions that invite disaster.

Unfortunately, the NRC is contemplating changes to its quarterly performance ratings and mandated responses that could cut holes in the public’s safety net. As nuclear plants age and their maintenance budgets shrink, the NRC needs to strengthen rather than weaken the most reliable tool it uses to protect public health and safety—timely, reliable and accurate performance ratings.

Breaking Containment at Crystal River 3

Role of Regulation in Nuclear Plant Safety #10

The Crystal River 3 pressurized water reactor in Florida was shut down in September 2009 for refueling. During the refueling outage, the original steam generators were scheduled to be replaced. The Nuclear Regulatory Commission (NRC) was reviewing the owner’s application to extend the reactor operating license for another 20 years. The replacement steam generators would enable the reactor to operate through the end of its current operating license period as well as to the end of a renewed license.

But those plans changed drastically when the process of cutting an opening in the concrete containment wall for the steam generator replacement inflicted extensive damage to the concrete. When the cost of fixing the broken containment rose too high, the owner opted to permanently shut down the facility before its original operating license expired.

Background

Crystal River 3 is located on the western coast of Florida and featured a pressurized water reactor (PWR) designed by Babcock & Wilcox. The NRC issued the reactor operating license on December 3, 1976.

Refueling Outage and Steam Generator Replacements

Operators shut down the reactor on September 26, 2009, to begin the plant’s 16th refueling outage. Workers planned to replace the steam generators during the outage. The original steam generators were wearing out and were to be replaced with steam generators made from materials more resistant to wear and tear. Since the first steam generator replacements more than two decades earlier, so many PWRs had performed this exercise that it was almost routine.

Figure 1 shows a simplified side view of the containment structure at Crystal River 3. The reactor core is the green rectangle within the capsule-shaped reactor vessel. The reactor vessel is flanked by the two larger steam generators. In front of the steam generator on the right is the pressurizer. The vertical portion of containment is a cylinder about 137 feet in diameter.

Fig. 1 (Source: Progress Energy)

The containment at Crystal River 3 was a 3-D post-tensioned concrete cylinder with a steel liner. The 0.475-inch thick steel liner formed the inner surface of the containment wall. Behind it were 42-inch thick concrete walls and a 36-inch thick concrete dome. Embedded in the concrete walls were 5.25-inch round tendons encased within metal sleeves. These tendons functioned like reinforcing bands—workers tightened, or tensioned, them to give the concrete wall additional strength against the internal pressure that could occur during an accident. This containment design was used for more than half of the PWRs operating in the United States.

The containment featured a large round opening called the equipment hatch. Figure 2 shows the equipment hatch in late November 1972 during plant construction. The concrete has not yet been poured in that section of containment, so the metal reinforcing bars and horizontal tendon sleeves (the vertical rows of white dots on either side of the equipment hatch) embedded in the concrete are visible.

Fig. 2 (Source: Progress Energy)

Because the original steam generators were expected to last throughout the 40-year operating life of the reactor, the equipment hatch was not large enough for the steam generators to be removed intact. They could have been cut up into sections and the slices removed through the equipment hatch. But the equipment hatch was also too small for the replacement steam generators to enter intact, and cutting them up into sections was not an option. Plan B involved cutting an opening approximately 25 feet by 27 feet through the containment concrete wall and liner above the equipment hatch, as shown in Figure 3.

Fig. 3 (Source: Progress Energy)

The Butterfly Defect

The operators began reducing the reactor power level at 7:03 pm on September 25, 2009, to enter the refueling outage. They shut down the reactor at 12:29 am September 26. They continued cooling the reactor water down over the next few hours and entered Refueling mode at 4:51 pm that afternoon. Seven minutes later, the contractor hired to cut through the containment wall was authorized to begin that work. An early step involved loosening and removing the horizontal tendons from the containment wall in the region where the opening would be cut.

On September 30, workers began using high-pressure water—at pressures up to 25,000 pounds per square inch—to cut and remove the concrete from an 8-foot-wide by 6-foot-tall test section of the concrete containment wall. Full-scale removal of the concrete began at 4:30 am on October 1. Workers installed a debris chute to carry away the excavated concrete and water.

About 5:00 am on October 2, the concrete cutting and removal work was halted because an obstruction in the debris chute caused water to spill. Workers noticed water streaming from a crack in the containment wall below and to the right of the new opening. Investigation into this unexpected waterfall identified a vertical crack in the concrete between the tendon sleeves and interior liner.

Fig. 4 (Source: Progress Energy)

It was not a tiny crack. It was visible along all four edges of the square opening cut through the containment wall. The defect in the concrete was termed delamination.

Fig. 5 (Source: Progress Energy)

Workers drilled dozens of bore holes into the containment wall supplemented by impulse response testing (essentially ultrasonic probing of the wall to look for voids within the concrete) to map out the extent of the delamination. Figure 6 shows that the delamination area resembled a butterfly, extending far beyond the crack around the steam generator replacement (SGR) opening. Figure 6 also shows the horizontal tendons loosened and removed because of the opening in blue while the tendons left tensioned are shown in red.

Fig. 6 (Source: Progress Energy)

The NRC Dispatches its Crack Inspection Team

The NRC formed a Special Inspection Team on October 13, 2009, to go to Crystal River 3 and investigate the containment damage. Because the reactor was shut down, the damage did not pose an immediate safety hazard. But the NRC recognized that the damage might have generic implications as other owners cut through containments for steam generator and reactor vessel head replacements. In addition, the NRC needed to understand the extent of the damage to ensure the containment was properly restored before the reactor restarted.

Delamination Déjà vu

The NRC team reported that the Crystal River 3 containment had experienced concrete delamination about a year after the tendons were initially tightened. In April 1976, electricians were drilling into the outer surface of the containment dome to secure anchors for the conduit they were installing. In certain areas, the anchors would not hold. Investigation found a region about 105 feet in diameter where the concrete had delaminated. The delamination affected about 15 inches of the 36-inch thick concrete dome, with the maximum gap between layers being about two inches wide. Cracks were not evident on the inner or outer surfaces of the dome, but workers reported a “springiness” when walking across the dome’s delamination region. The degraded concrete was removed and replaced with the standard, non-springy kind.

Containment concrete delamination also occurred during construction at the Turkey Point nuclear plant in Florida in June 1970 and at the Unit 2 reactor at the Kaiga nuclear plant in India in May 1994.

Causes of the Concrete Cracking

The plant’s owner formed a team to determine the cause of the cracking experienced in fall 2009. The team developed a list of 75 potential causes and then evaluated each candidate. Sixty-seven suspects were dismissed for lack of evidence. The remaining eight potential causes were determined to have conspired to cause the delamination—had any single factor been absent, the delamination would likely not have occurred.

The Crystal River 3 containment design featured higher stresses than most other designs. The concrete used in the containment met design specifications, but with considerably less margin than normal. And the sequencing used to loosen the tendons prior to cutting the steam generator replacement opening resulted in high localized stresses that exacerbated the design and material conditions to cause cracking.

NRC Sanctions

The NRC imposed no sanctions following the investigation by its Special Inspection Team. The team determined that the containment was damaged after the reactor entered the Refueling mode. In that mode, containment integrity was not required. The equipment hatch is wide open much of the time during Refueling mode, so having a damaged section of containment wall above that large opening did not violate regulatory requirements.

NRC Nuclear Fleet Outreach

The NRC’s Generic Communications program is its means for conveying operating experience to plant owners. The program uses Information Notices to provide warnings and updates about safety problems and Generic Letters and Bulletins to also require owners to take steps intended to prevent a common problem from rippling across the reactor fleet. While it is not uncommon for the NRC to send out at least an Information Notice to owners about problems like that experienced at Crystal River 3, the NRC did not exercise this option in this case. The NRC did post information to its website about the problem and made a presentation about the Special Inspection Team sent to the plant during the annual Regulatory Information Conference in March 2010.

The NRC’s Office of Nuclear Regulatory Research issued NUREG/CR-7208, “Study on Post Tensioning Methods,” in November 2015. While far from a treatise on what caused the delamination at Crystal River 3, it shed considerable light on the analysis of the stresses imposed on concrete structures when the embedded tendons are tightened.

Delamination to Defueled to Decommissioning

The plant’s owner made several attempts to repair the damaged concrete containment wall, but the efforts proved unsuccessful. During the efforts, workers completed offloading all the fuel assemblies from the reactor vessel into the spent fuel pool on May 29, 2011. After another repair failed, the company decided to permanently shut down the facility rather than undertake the cost—and uncertain outcome—of yet another attempt. On February 5, 2013, the company announced that the reactor had been permanently shut down and would transition into decommissioning.

UCS Perspective

This event reflects just-right regulation by the NRC.

The NRC dispatched a Special Inspection Team to investigate the cause and corrective actions for the concrete degradation at Crystal River 3 even though the problem had no adverse safety implications for the reactor in refueling mode.

Had the NRC not done so or delayed doing so, any potential generic implications that adversely affected safety at operating reactors might have been missed. While no such implications were found, it’s far better to have looked for them and not found them than to have not looked for them and had them “surprise” us later.

Had the NRC not done so or delayed doing so, the agency would not have clearly understood the cause of the concrete degradation in order to make informed decisions about the effectiveness of repairs. Restart of the plant would have been delayed as the NRC belatedly sought to acquire that awareness, or restart of the plant would have happened lacking the NRC’s independent verification that proper safety levels had been restored. The former would have placed an undue economic burden on the owner; the latter would have placed an undue risk burden on workers and the public.

But the NRC took just the right actions at just the right time to properly oversee safety at the plant. The owner made its decision to permanently retire rather than repair the plant without the NRC’s thumb on either side of the scales.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Naughty and Nice Nuclear Nappers

Role of Regulation in Nuclear Plant Safety 9

The Peach Bottom Atomic Power Station in Delta, Pennsylvania is known for its tireless workers. They stop working long before getting tired and nap while on duty. The Nuclear Regulatory Commission (NRC) treated the nuclear nappers as naughty in 1987 but as nice in 2007. The reason for such disparate handling of the same problem isn’t apparent. Maybe if I took a nap it would come to me in a dream.

Peach Bottom is home to three reactors. Unit 1 was a high temperature gas-cooled reactor that got its operating license in January 1966 and was permanently shut down in October 1974. Units 2 and 3 are boiling water reactors that began operating in 1974.

Naughty Nuclear Nappers in 1987

On March 31, 1987, the NRC ordered both operating reactors at Peach Bottom to be shut down. The NRC had received allegations that control room operators were routinely sleeping in the control room. Victor Stello, the NRC’s Executive Director for Operations, wrote in the order:

… it is apparent that the licensee, through its enforcement history and from what has been developed by the ongoing investigation, knew or should have known of the unwillingness or inability of its operations staff to comply with Commission requirements, and has been unable to implement effective corrective action. Consequently, the NRC lacks reasonable assurance that the facility will be operated in a manner to assure that the health and safety of the public will be protected. Pending the development of other relevant information, I am unable to determine that there is reasonable assurance that the facility will be operated in a manner to assure that the health and safety of the public will be protected. Accordingly, I have determined that continued operation of the facility is an immediate threat to the public health and safety.

Fig. 1 (Source: CBS Evening News, March 31, 1987)

Nucleonics Week reported on August 18, 1988, that the NRC proposed a then-record $1,250,000 fine on the company and fines ranging from $500 to $1,000 for 33 of the plant’s 36 licensed operators for the nuclear naps. The remaining three operators were cited for violating federal regulations, but not fined.

The NRC issued amendments to the operating licenses for Peach Bottom Units 2 and 3 on March 22, 1989, to add limits on how many hours the operators could work. The added requirements limited hours worked to 16 in any 24-hour period, 24 in any 48-hour period, and 60 in any week. The amendment wasn’t clear whether hours spent sleeping on duty counted against the limits or not.

Unit 2 remained shut down until May 22, 1989, while Unit 3 remained shut down until December 11, 1989. The outages lasted longer than two years not to let the operators get plenty of rest but to remedy the many problems caused by the same inadequate management oversight that condoned operators sleeping in the control rooms.

Nice Nuclear Nappers in 2007

On March 27, 2007, the NRC received allegations that individuals working for the contract firm providing security at Peach Bottom were routinely sleeping in the “ready room” and that management of the security contractor and the plant owner knew about it. (The “ready room” is where armed responders wait. When security force personnel in another room monitoring video cameras and sensors detect unauthorized intruder(s), the armed responders are deployed to deter the intrusion.)

On April 30, 2007, the NRC wrote the plant owner a letter asking whether security officers were inattentive on duty. On May 30, 2007, the owner wrote back to the NRC saying that security officers were properly attentive, and that additional radio checks and periodic post checks were being instituted to boost and sustain that attentiveness level.

In mid-June 2007, a security officer informed security management about his videotapes showing fellow security officers still sleeping on duty. In late June 2007, the security officer was instructed by security management to stop videotaping sleeping security officers. On August 22, 2007, NRC inspectors confirmed that security officers were attentive while on duty.

On September 10, 2007, WCBS-TV (New York City) broadcast videos of security officers sleeping at Peach Bottom on June 9, June 20, and August 10, 2007. On September 17, 2007, the security officer who reported sleeping security officers to security management, plant management, and the NRC was suspended due to “trustworthiness concerns.”

Fig. 2 (Source: CNN Situation Room, September 2007)

The ensuing NRC investigation commended the company’s handling of the situation and reported:

Overall, Security Plan implementation provided assurance that the health and safety of the public was adequately protected at all times. Notwithstanding, the security officer inattentiveness adversely impacted elements of the defense-in-depth security strategy. In addition, actions by security guard force supervision were not effective in ensuring that unacceptable security officer behavior was promptly identified and properly addressed.

The NRC asked other owners on December 12, 2007, about their ways and means for maintaining security officers who were bright-eyed or bushy-tailed (not both, both attributes would not have passed the backfit rule) while protecting nuclear power plants. The NRC’s mandate clearly resulted from the nuclear nappers at Peach Bottom, but it did not mention the incidents, the company’s name, or the plant’s name for unknown reasons.

The NRC did not order either Peach Bottom reactor to reduce power, let alone shut down.

The NRC did not fine the company, Exelon, or the napping security officers.

Instead, the NRC issued a White finding to the company on February 12, 2008, for the inattentive security officers. If you ever had to have a bad report card signed by your parents or paid a nickel for an overdue library book, you suffered a harsher sanction than NRC imposed for the nice nuclear nappers.

UCS Perspective

There were two sequences involving nuclear nappers at Peach Bottom. The series leading up to the March 1987 shutdown order did not involve an operator nodding off, but rather a deliberate practice of sleeping on duty with management’s awareness and tolerance.

The series leading up to the February 2008 White finding also did not involve one security officer nodding off at his or her post, but rather a sustained practice of sleeping on duty with management’s awareness and tolerance.

Clearly, the NRC considered the nuclear nappers to be naughty in one case and nice in the other.

Such disparate regulatory response to the same underlying situation means that one series represented over-regulation and the other was under-regulation. My vote on which goes where should be obvious. I’ll leave it up to the reader to place the 1987 series into either the under-regulation or over-regulation bin, with the 2007 series going into the other bin.

Two wrongs still don’t make a right, so these two cases cannot be melded into one just-right regulation story. That just wouldn’t be right.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Anticipated Transient Without Scram

Role of Regulation in Nuclear Plant Safety #8

In the mid-1960s, the nuclear safety regulator raised concerns about the reliability of the system relied upon to protect the public in the event of a reactor transient. If that system failed—or failed again, since it had already failed—the reactor core could be severely damaged (as it had been during that prior failure). The nuclear industry resisted the regulator’s efforts to manage this risk. Throughout the 1970s, the regulator and industry pursued a non-productive exchange of study and counter-study. Then the system failed again—three times—in June 1980 and twice more in February 1983. The regulator adopted the Anticipated Transient Without Scram rule in June 1984. But it was too little, too late—the hazard it purported to manage had already been alleviated via other means.

Anticipated Transients

Nuclear power reactors are designed to protect workers and members of the public should anticipated transients and credible accidents occur. Nuclear Energy Activist Toolkit #17 explained the difference between transients and accidents. Anticipated transients include the failure of a pump while running and the inadvertent closure of a valve that interrupts the flow of makeup water to the reactor vessel.

The design responses to some anticipated transients involve automatic reductions of the reactor power level. Anticipated transients upset the balance achieved during steady state reactor operation—the automatic power reductions make it easier to restore balance and end the transient.

Scram

For other transients and for transients where power reductions do not successfully restore balance, the reactor protection system is designed to automatically insert control rods that stop the nuclear chain reaction. This rapid insertion of control rods is called “scram” or “reactor trip” in the industry. Nuclear Energy Activist Toolkit #11 described the role of the reactor protection system.

Scram was considered to be the ultimate solution to any transient problems. Automatic power reductions and other automatic actions might mitigate a transient such that scram is not necessary. But if invoked, scram ended any transient and placed the reactor in a safe condition—or so it was believed.

Anticipated Transient Without Scram (ATWS)

Dr. Stephen H. Hanauer was appointed to the NRC’s Advisory Committee on Reactor Safeguards (ACRS) in 1965. (Actually, the ACRS was part of the Atomic Energy Commission (AEC) in those days. The Nuclear Regulatory Commission (NRC) did not exist until it was formed in 1975, when the Energy Reorganization Act split the AEC into the NRC and what today is the Department of Energy.) During reviews of applications for reactor operating licenses in 1966 and 1967, Hanauer advocated separating the instrumentation systems used to control the reactor from the instrumentation systems used to protect it (i.e., trigger automatic scrams). Failure of such a shared system caused an accident on November 18, 1958, at the High Temperature Reactor Experiment No. 3 in Idaho.

The nuclear industry and its proponents downplayed the concerns on the grounds that the chances of an accident were so small and the reliability of the mitigation systems so high that safety was good enough. Dr. Alvin Weinberg, Director of the Oak Ridge National Laboratory, and Dr. Chauncey Starr, Dean of Engineering at UCLA, publicly contended that the chances of a serious reactor accident were similar to those of a jet airliner plunging into Yankee Stadium during a World Series game.

In February 1969, E. P. Epler, a consultant to the ACRS, pointed out that common cause failure could impair the reactor protection system and prevent the scram from occurring. The AEC undertook two efforts in response to the observation: (1) examine mechanisms and associated likelihoods that a scram would not happen when needed, and (2) evaluate the consequences of anticipated transients without scrams (ATWS).

The AEC published WASH-1270, “Technical Report on Anticipated Transients Without Scram,” in September 1973. Among other things, this report established the objective that the chances of an ATWS event leading to serious offsite consequences should be less than 1×10⁻⁷ per reactor-year. For a fleet of 100 reactors, meeting that objective translates into one ATWS accident every 100,000 years—fairly low risk.

The AEC had the equivalent of a speed limit sign but lacked speedometers or radar guns. Some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—10,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁷ per reactor-year. The lack of riskometers and risk guns fostered a debate that pre-dated the “tastes great, less filling” debate fabricated years later to sell Miller Lite beer.

An article titled “ATWS—Impact of a Nonproblem,” that appeared in the March 1977 issue of the EPRI Journal summarized the industry’s perspective (beyond the clue in the title):

ATWS is an initialism for anticipated transient without scram. In Nuclear Regulatory Commissionese it refers to a scenario in which an anticipated incident causes the reactor to undergo a transient. Such a transient would require the reactor protection system (RPS) to initiate a scram (rapid insertion) of the control rods to shut down the reactor, but for some reason the scram does not occur. … Scenarios are useful tools. They are used effectively by writers of fiction, the media, and others to guide the thinking process.

Two failures to scram had already occurred (in addition to the HTRE-3 failure). The boiling water reactor at the Kahl nuclear plant in Germany experienced a failure in 1963 and the N-reactor at Hanford in Washington had a failure in 1970. The article suggested that scram failures should be excluded from the scram reliability statistical analysis, observing that “One need not rely on data alone to make an estimate of the statistical properties of the RPS.” As long as scenarios exist, one doesn’t need statistics getting in the way.

The NRC formed an ATWS task force in March 1977 to end, or at least focus, the non-productive debate that had been going on since WASH-1270 was published. The task force’s work was documented in NUREG-0460, “Anticipated Transients Without Scram for Light Water Reactors,” issued in April 1978. The objective was revised from 1×10⁻⁷ per reactor-year to 1×10⁻⁶ per reactor-year.

Believe it or not, changing the safety objective without developing the means to objectively gauge performance towards meeting it did not end, or even appreciably change, the debate. Now, some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—1,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁶ per reactor-year. The 1970s ended without resolution to the safety problem that arose more than a decade earlier.

The Browns Ferry ATWS, ATWS, and ATWS

On June 28, 1980, operators reduced the power level on the Unit 3 boiling water reactor (BWR) at the Browns Ferry Nuclear Plant in Alabama to 35 percent and depressed the two pushbuttons to initiate a manual scram. All 185 control rods should have fully inserted into the reactor core within seconds to terminate the nuclear chain reaction. But 76 control rods remained partially withdrawn and the reactor continued operating, albeit at an even lower power level. Six minutes later, an operator depressed the two pushbuttons again. But 59 control rods remained partially withdrawn after the second ATWS. Two minutes later, the operator depressed the pushbuttons again. But 47 control rods remained partially withdrawn after the third ATWS. Six minutes later, an automatic scram occurred that resulted in all 185 control rods being fully inserted into the reactor core. It took four tries and nearly 15 minutes, but the reactor core was shut down. Fission Stories #107 described the ATWSs in more detail.

In BWRs, control rods are moved using hydraulic pistons. Water is supplied to one side of the piston and vented from the other side with the differential pressure causing the control rod to move. During a scram, the water vents to a large metal pipe and tank called the scram discharge volume. While never proven conclusively, it is generally accepted that something blocked the flow of vented water into the scram discharge volume. Flow blockage would have reduced the differential pressure across the hydraulic pistons and impeded control rod insertions. The scram discharge volume itself drains into the reactor building sump. The sump was found to contain considerable debris. But because it collects water from many places, none of the debris could be specifically identified as having once blocked flow into the scram discharge volume.

Although each control rod had its own hydraulic piston, the hydraulic pistons for half the control rods vented to the same scram discharge volume. The common mode failure of flow blockage impaired the scram function for half the control rods.

The NRC issued Bulletin 80-17, “Failure of 76 of 185 Control Rods to Fully Insert During a Scram at a BWR,” on July 3, 1980, with Supplement 1 on July 18, 1980, Supplement 2 on July 22, 1980, Supplement 3 on August 22, 1980, Supplement 4 on December 18, 1980, and Supplement 5 on February 2, 1981, compelling plant owners to take interim and long-term measures to prevent what didn’t happen at Browns Ferry Unit 3—a successful scram on the first try—from not happening at their facilities.

ATWS – Actual Tack Without Stalling

On November 19, 1981, the NRC published a proposed ATWS rule in the Federal Register for public comment. One could argue that the debates that filled the 1970s laid the foundation for this proposed rule and the June 1980 ATWSs at Browns Ferry played no role in this step or its timing. That’d be one scenario.

The Salem ATWS and ATWS

During startup on February 25, 1983, following a refueling outage, low water level in one of the steam generators on the Unit 1 pressurized water reactor at the Salem nuclear plant triggered an automatic scram signal to the two reactor trip breakers. Had either breaker functioned, all the control rods would have rapidly inserted into the reactor core. But both breakers failed. The operators manually tripped the reactor 25 seconds later. The following day, NRC inspectors discovered that an automatic scram signal had also occurred during an attempted startup on February 22, 1983. The reactor trip breakers had failed to function then, too, and the operators had manually tripped the reactor. The reactor was restarted two days later without anyone noticing, and correcting, the reactor trip breaker failures. Fission Stories #106 described the ATWSs in more detail.

In PWRs, control rods move via gravity during a scram. They are withdrawn upward from the reactor core and held fully or partially withdrawn by electro-magnets. The reactor trip breakers stop the flow of electricity to the electro-magnets, which releases the control rods to allow gravity to drop them into the reactor core. Investigators determined that the proper signal went to the reactor trip breakers on February 22 and 25, but the reactor trip breakers failed to open to stop the electrical supply to the electro-magnets. Improper maintenance of the breakers essentially transformed oil used to lubricate moving parts into glue binding those parts in place—in the wrong places on February 22 and 25, 1983.

The Salem Unit 1 reactor had two reactor trip breakers. Opening of either reactor trip breaker would have scrammed the reactor. The common mode failure of the same improper maintenance practices on both breakers prevented them both from functioning when needed, twice.

The NRC issued Bulletin 83-01, “Failure of Reactor Trip Breakers (Westinghouse DB-50) to Open on Automatic Trip Signal,” on February 25, 1983, Bulletin 83-04, “Failure of Undervoltage Trip Function of Reactor Trip Breakers,” on March 11, 1983, and Bulletin 83-08, “Electrical Circuit Breakers with Undervoltage Trip in Safety-Related Applications Other Than the Reactor Trip System,” on December 28, 1983, compelling plant owners to take interim and long-term measures to prevent failures like those experienced on Salem Unit 1.

ATWS Scoreboard: Browns Ferry 3, Salem 2

ATWS – Actual Text Without Semantics

The NRC published the final ATWS rule adopted on June 26, 1984, or slightly over 15 years after the ACRS consultant wrote that scrams might not happen when desired due to common mode failures. The final rule was issued less than four years after a common mode failure caused multiple ATWS events at Browns Ferry and about 18 months after a common mode failure caused multiple ATWS events at Salem. The semantics of the non-productive debates of the Seventies gave way to actual action in the Eighties.

UCS Perspective

The NRC issued NUREG-1780, “Regulatory Effectiveness of the Anticipated Transient Without Scram Rule,” in September 2003. The NRC “concluded that the ATWS rule was effective in reducing ATWS risk and that the cost of implementing the rule was reasonable.” But that report relied on bona-fide performance gains that were achieved apart from the ATWS rule and would have been achieved without it. For example, the average reactor scrammed 8 times in 1980. That scram frequency dropped to an average of less than two scrams per reactor per year by 1992.

Fig. 1 (Source: Nuclear Regulatory Commission)

The ATWS rule did not trigger this reduction or accelerate the rate of reduction. The reduction resulted from the normal physical process, often called the bathtub curve due to its shape. As procedure glitches, training deficiencies, and equipment malfunctions were weeded out, their fixes lessened the recurrence rate of problems resulting in scrams. I bought a Datsun 210 in 1980. That acquisition had about as much to do with the declining reactor scram rate since then as the NRC’s ATWS rule had.

There has been an improvement in the reliability of the scram function since 1980. But again, that improvement was achieved independently from the ATWS rule. The Browns Ferry and Salem ATWS events prompted the NRC to mandate via a series of bulletins that owners take steps to reduce the potential for common mode failures. Actions taken in response to those non-rule-related mandates improved the reliability of the scram function more than the ATWS rule measures did.

If the ATWS rule had indeed made nuclear plants appreciably safer, then it would represent under-regulation by the NRC. After all, the question of the need for additional safety arose in the 1960s. If the ATWS rule truly made reactors safer, then the “lost decade” of the 1970s is inexcusable. The ATWS rule should have been enacted in 1974 instead of 1984 if it was really needed for adequate protection of public health and safety.

But the ATWS rule enacted in 1984 did little to improve safety that had not already been achieved via other means. The 1980 and 1983 ATWS near-miss events at Browns Ferry and Salem might have been averted by an ATWS rule enacted a decade earlier. Once they happened, the fixes they triggered fleet-wide precluded the need for an ATWS rule. So, the ATWS rule was too little, too late.

The AEC/NRC and nuclear industry expended considerable effort during the 1970s not resolving the ATWS issue—effort that could better have been applied to resolving other safety issues more rapidly.

ATWS becomes the first Role of Regulation commentary to fall into the “over-regulation” bin. UCS has no established plan for how this series will play out. ATWS initially appeared to be an “under-regulation” case, but research steered it elsewhere.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Obstruction of Injustice: Making Mountains out of Molehills at the Cooper Nuclear Plant

The initial commentary in this series of posts described how a three-person panel formed by the Nuclear Regulatory Commission (NRC) to evaluate concerns raised by an NRC worker concluded that the agency violated its procedures, policies, and practices by closing out a safety issue and returning the Columbia Generating Station to normal regulatory oversight without proper justification.

I had received the non-public report by the panel in the mail. That envelope actually contained multiple panel reports. This commentary addresses a second report from another three-person panel. None of the members of this panel served on the Columbia Generating Station panel. Whereas that panel investigated contentions that NRC improperly dismissed safety concerns, this panel investigated contentions that the NRC improperly sanctioned Cooper for issues that did not violate any federal regulations or requirements. This panel also substantiated the contentions and concluded that the NRC lacked justification for its actions. When will the injustices end?

Mountains at Cooper

The NRC conducted its Problem Identification and Resolution inspection at the Cooper nuclear plant in Brownville, Nebraska June 12 through June 29, 2017. The report dated August 7, 2017, for this inspection identified five violations of regulatory requirements.

An NRC staffer subsequently submitted a Differing Professional Opinion (DPO) contending that the violations were inappropriate. The basis for this contention was that there were no regulatory requirements applicable to the issues; thus, an owner could not possibly violate a non-existent requirement.

Molehills at Cooper

Per procedure, the NRC formed a three-person panel to evaluate the contentions raised in the DPO. The DPO Panel evaluated the five violations cited in the August 7, 2017, inspection report.

Fig. 1 (Source: Unknown)

  • Molehill #1: The inspection report included a GREEN finding for a violation of Criterion XVI in Appendix B to 10 CFR Part 50. Appendix B contains 18 quality assurance requirements. Criterion XVI requires owners to identify conditions adverse to quality (e.g., component failures, procedure deficiencies, equipment malfunctions, material defects, etc.) and fix them in a timely and effective manner. The DPO Panel “…determined that this issue does not represent a violation of 10 CFR 50 Appendix B, Criterion XVI, inasmuch as the licensee identified the cause and implemented corrective actions to preclude repetition.” In other words, one cannot violate a regulation when doing precisely what the regulation says to do.
  • Molehill #2: The inspection report included a GREEN finding for a violation of a technical specification requirement to provide evaluations of degraded components in a timely manner. The DPO Panel “…concluded that this issue does not represent a violation of regulatory requirements.” This is a slightly different molehill. Molehill #1 involved not violating a requirement when one does exactly what the requirement says. Molehill #2 involved not violating a requirement that simply does not exist. A different kind of molehill, but a molehill nonetheless.
  • Molehill #3: The inspection report included another GREEN finding for another violation of Criterion XVI in Appendix B to 10 CFR Part 50. This time, the report contended that the plant owner failed to promptly identify adverse quality trends. The DPO Panel “concluded that monitoring for trends is not a requirement of Criterion XVI,” reprising Molehill #2.
  • Mountain #1: The inspection report included another GREEN finding for failure to monitor emergency diesel generator performance shortcomings as required by the Maintenance Rule. The DPO Panel “…determined that the violation was correct as written and should not be retracted.” As my grandfather often said, even a blind squirrel finds an acorn every now and then.
  • Molehill #4: The inspection report included a Severity Level IV violation for violating 10 CFR Part 21 by not reporting a substantial safety hazard. The DPO Panel discovered that the substantial safety hazard was indeed reported to the NRC by the owner within the specified time frames. The owner submitted a Licensee Event Report per 10 CFR 50.72. 10 CFR Part 21 and NRC’s internal procedures explicitly allow owners to forego submitting a duplicate report when they have reported the substantial safety hazard via 10 CFR 50.72. The DPO Panel recommended that “…consideration be given to retracting the violation … because it had no impact on the ability of the NRC to provide regulatory oversight.”

The DPO Panel wrote in the cover letter transmitting their report to the NRC Region IV Regional Administrator:

After considerable review effort, the Panel disagreed, at least in part, with the conclusions documented in the Cooper Nuclear Station Problem Identification and Resolution Inspection Report for four of the five findings.

The DPO Panel report was dated April 13, 2018. As of August 8, 2018, I could find no evidence that NRC Region IV has either remedied the miscues identified by the DPO originator and confirmed by the DPO Panel, or explained why sanctioning plant owners for following regulations is justified.

UCS Perspective

At Columbia Generating Station, NRC Region IV made a molehill out of a mountain by finding, and then overlooking, that the plant owner’s efforts were “grossly inadequate” (quoting that DPO Panel’s conclusion).

At Cooper Nuclear Station, NRC Region IV made mountains out of molehills by sanctioning the owner for violating non-existent requirements or for doing precisely what the regulations required.

Two half-hearted (substitute any other body part desired, although “elbow” doesn’t work so well) efforts don’t make one whole-hearted outcome. These two wrongs do not average out to average just right regulation.

NRC Region IV must be fixed. It must be made to see mountains as mountains and molehills as molehills. Confusing the two is unacceptable.

Mountains and molehills (M&Ms). M&Ms should be a candy treat and not a regulatory trick.

NOTE: NRC Region IV’s deplorable performance at Columbia and Cooper might have remained undetected and uncorrected but for the courage and conviction of NRC staffer(s) who put career(s) on the line by formally contesting the agency’s actions. When submitting DPOs, the originators have the option of making the final DPO package publicly available or not. In these two cases, I received the DPO Panel reports before the DPOs were closed. I do not know the identity of the DPO originator(s) and do not know whether the person(s) opted to make the final DPO packages (which consist of the original DPO, the DPO Panel report, and the agency’s final decision on the DPO issues) public or not. If the DPO originator(s) wanted to keep the DPO packages non-public, I betrayed that choice by posting the DPO Panel reports. If that’s the case, I apologize to the DPO originator(s). While my intentions were good, I would have abided by personal choice had I had any way to discern what it was.

Either way, it is hoped that putting a spotlight on the issues has positive outcomes in these two DPOs as well as in lessening the need for future DPOs and posts about obstruction of injustice.

Pipe Rupture at Surry Nuclear Plant Kills Four Workers

Role of Regulation in Nuclear Plant Safety #7

Both reactors at the Surry nuclear plant near Williamsburg, Virginia operated at full power on December 9, 1986. Around 2:20 pm, a valve in a pipe between a steam generator on Unit 2 and its turbine inadvertently closed due to a re-assembly error following recent maintenance. The valve’s closure resulted in a low water level inside the steam generator, which triggered the automatic shutdown of the Unit 2 reactor. The rapid change from steady state operation at full power to zero power caused a transient as systems adjusted to the significantly changed conditions. About 40 seconds after the reactor trip, a bend in the pipe going to one of the feedwater pumps ruptured. The pressurized water jetting from the broken pipe flashed to steam. Several workers in the vicinity were seriously burned by the hot vapor. Over the next week, four workers died from the injuries.

Fig. 1 (Source: Washington Times, February 3, 1987)

While such a tragic accident cannot yield good news, the headline for a front-page article in the Washington Times newspaper about the accident (Fig. 1) widened the bad news to include the Nuclear Regulatory Commission (NRC), too.

The Event

The Surry Power Station has two pressurized water reactors (PWRs) designed by Westinghouse. Each PWR had a reactor vessel, three steam generators, and three reactor coolant pumps located inside a large, dry containment structure. Unit 1 went into commercial operation in December 1972 and Unit 2 followed in June 1973.

Steam flowed through pipes from the steam generators to the main turbine shown in the upper right corner of Figure 2. Steam exited the main turbine into the condenser where it was cooled down and converted back into water. The pumps of the condensate and feedwater systems recycled the water back to the steam generators.

Fig. 2 (Source: Nuclear Regulatory Commission NUREG-1150)

Figure 2 also illustrates the many emergency systems that are in standby mode during reactor operation. On the left-hand side of Figure 2 are the safety systems that provide makeup water to the reactor vessel and cooling water to the containment during an accident. In the lower right-hand corner is the auxiliary feedwater (AFW) system that steps in should the condensate and feedwater systems need help.

The condensate and feedwater systems are non-safety systems. They are needed for the reactor to make electricity. But the AFW system and other emergency systems function during accidents to cool the reactor core. Consequently, these are safety systems.

Both reactors at Surry operated at full power on Tuesday December 9, 1986. At approximately 2:20 pm that afternoon, the main steam trip valve (within the red rectangle in Figure 2) in the pipe between steam generator 2C inside containment and the main turbine closed unexpectedly.

Subsequent investigation determined that the valve had been improperly re-assembled following recent maintenance, enabling it to close without either a control signal or any need to do so.

The valve’s closure led to a low water level inside steam generator 2C. By design, this condition triggered the automatic insertion of control rods into the reactor core. The balance between the steam flows leaving the steam generators and feedwater flows into them was upset by the stoppage of flow through one steam line and the rapid drop from full power to zero power. The perturbations from that transient caused the pipe to feedwater pump 2A to rupture (location approximated by the red cross in Figure 1) about 40 seconds later.

Figure 3 is a closeup of the condensate and feedwater systems showing where the pipe ruptured. The condensate and condensate booster pumps are off the upper right side of the figure. Water from the condensate system flowed through feedwater heaters where steam extracted from the main turbine pre-warmed it to about 370°F en route to the steam generators. This 24-inch diameter piping (called a header) supplied the 18-inch diameter pipes to feedwater pumps 2A and 2B. The supply pipe to feedwater pump 2A featured a T-connection to the header while a reducer connected the header to the 18-inch supply line to feedwater pump 2B. Water exiting the feedwater pumps passed through feedwater heaters for additional pre-warming before going to the steam generators inside containment.

Fig. 3 (Source: Nuclear Regulatory Commission NUREG/CR-5632)

Water spewing from the broken pipe had already passed through the condensate and condensate booster pumps and some of the feedwater heaters. Its 370°F temperature was well above 212°F, but the 450 pounds per square inch pressure inside the pipe kept it from boiling. As this hot pressurized water left the pipe, the lower pressure let it flash to steam. The steam vapor burned several workers in the area. Four workers died from their injuries over the next week.

As the steam vapor cooled, it condensed back into water. Water entered a computer card reader controlling access through a door about 50 feet away, shorting out the card reader system for the entire plant. Security personnel were posted at key doors to facilitate workers responding to the event until the card reader system was restored about 20 minutes later.

Water also seeped into a fire protection control panel and caused short circuits. Water sprayed from 68 fire suppression sprinkler heads. Some of this water flowed under the door into the cable tray room and leaked through seals around floor penetrations to drip onto panels in the control room below.

Water also seeped into the control panel to actuate the carbon dioxide fire suppression system in the cable tray rooms. An operator was trapped in the stairwell behind the control room. He was unable to exit the area due to doors locked closed by the failed card reader system. Experiencing trouble breathing as carbon dioxide filled the space, he escaped when an operator inside the control room heard his pounding on the door and opened it.

Figure 4 shows the section of piping that ruptured. The rupture occurred at a 90-degree bend in the 18-inch diameter pipe. Evaluations concluded that years of turbulent water flow through the piping gradually wore away the pipe’s metal wall, thinning it via a process called erosion/corrosion to the point where it was no longer able to withstand the pressure pulsations caused by the reactor trip. The plant owner voluntarily shut down the Unit 1 reactor on December 10 to inspect its piping for erosion/corrosion wear.

Fig. 4 (Source: Nuclear Regulatory Commission 1987 Annual Report)

Pre-Event Actions (and Inactions?)

The article accompanying the damning headline above described how the NRC staff produced a report in June 1984—more than two years before the fatal accident—warning about the pipe rupture hazard, and criticized the agency for taking no steps to manage the known risk. The article further explained that the NRC’s 1984 report was in response to a 1982 event at the Oconee nuclear plant in South Carolina where an eroded steam pipe had ruptured.

Indeed, the NRC’s Office for Analysis and Evaluation of Operational Data (AEOD) issued a report (AEOD/EA 16) titled “Erosion in Nuclear Power Plants” on June 11, 1984. The last sentence on page two stated “Data suggest that pipe ruptures may pose personnel (worker) safety issues.”

Indeed, a 24-inch diameter pipe that supplied steam to a feedwater heater on the Unit 2 reactor at Oconee had ruptured on June 28, 1982. Two workers in the vicinity suffered steam burns which required hospitalization overnight. As at Surry, the pipe ruptured at a 90-degree bend (elbow) due to erosion of the metal wall over time. There was a maintenance program at Oconee that periodically examined the piping ultrasonically.

That monitoring program identified pipe wall thinning of two elbows on Unit 3 in 1980, and those elbows were replaced. Monitoring performed in March 1982 on Unit 2 identified substantial erosion in the piping elbow that ruptured three months later. But the thinning was accepted because it was less than the company’s criterion for replacement. It has not been determined whether prolonged operation at reduced power between March and June 1982 caused more rapid wear than anticipated or whether the ultrasonic inspection in March 1982 may have missed the thinnest point of the wall.

Post-Event Actions

The NRC dispatched an Augmented Inspection Team (AIT) to the Surry site to investigate the causes, consequences, and corrective actions. The AIT included a metallurgist and a water-hammer expert. Seven days after the fatal accident, the NRC issued Information Notice 86-106, “Feedwater Line Break,” to plant owners. The NRC issued the AIT report on February 10, 1987. The NRC issued Supplement 1 on February 13, 1987, and Supplement 2 on March 18, 1987, to Information Notice 86-106.

The NRC did more than warn owners about the safety hazard. On July 9, 1987, the NRC issued Bulletin 87-01, “Thinning of Pipe Walls in Nuclear Power Plants,” to plant owners. The NRC required owners to respond within 60 days about the codes and standards to which safety-related and non-safety-related piping in the condensate and feedwater systems had been designed and fabricated, as well as the programs in place to monitor this piping for wall thinning due to erosion/corrosion.

And the NRC issued Information Notice 88-17 to plant owners on April 22, 1988, summarizing the responses the agency received in response to Bulletin 87-01.

UCS Perspective

Eleven days after a non-safety-related pipe ruptured on Oconee Unit 2, the NRC issued Information Notice 82-22, “Failures in Turbine Exhaust Lines,” to all plant owners about that event.

The June 1984 AEOD report was released publicly. The NRC’s efforts did call the nuclear industry’s attention to the matter, as evidenced by a report titled “Erosion/Corrosion in Nuclear Plant Steam Piping: Causes and Inspection Program Guidelines” issued in April 1985 by the Electric Power Research Institute.

Days before the NRC issued the AEOD report, the agency issued Information Notice 84-41, “IGSCC [Intergranular Stress Corrosion Cracking] in BWR [Boiling Water Reactor] Plants,” to plant owners about cracks discovered in safety system piping at Pilgrim and Browns Ferry.

As the Washington Times accurately reported, the NRC knew in the early 1980s that piping in safety and non-safety systems was vulnerable to degradation. The NRC focused on degradation of safety system piping, but also warned owners about degradation of non-safety system piping. The fatal accident at Surry in December 1986 resulted in the NRC expanding efforts it had required owners take for safety system piping to also cover piping in non-safety systems.

The NRC could have required owners to fight the piping degradation in safety systems and non-safety systems concurrently. But history is full of wars fought on two fronts being lost. Instead of undertaking this risk, the NRC triaged the hazard. It initially focused on safety system piping and then followed up on non-safety system piping.

Had the NRC totally ignored the vulnerability of non-safety system piping to erosion/corrosion until the accident at Surry, this event would reflect under-regulation.

Had the NRC compelled owners to address piping degradation in safety and non-safety systems concurrently, this event would reflect over-regulation.

By pursuing resolution of all known hazards in a timely manner, this event reflects just right regulation.

Postscript: The objective of this series of commentaries is to draw lessons from the past that can, and should, inform future decisions. Such a lesson from this event involves the distinction between safety and non-safety systems. The nuclear industry often views that distinction as also being a virtual wall between what the NRC can and cannot monitor.

As this event and others like it demonstrate, the NRC must not turn its back on non-safety system issues. How non-safety systems are maintained can provide meaningful insights on maintenance of safety systems. Unnecessary or avoidable failures of non-safety systems can challenge performance of safety systems. So, while it is important that the NRC not allocate too much attention to non-safety systems, driving that attention to zero will have adverse nuclear safety implications. As some wise organization has suggested, the NRC should not allocate too little attention or too much attention to non-safety systems, but the just right amount.

* * *

Obstruction of Injustice: Columbia Generating Station Whitewash

There’s been abundant talk recently about obstruction of justice—who may or may not have impeded this or that investigation. Rather than chime in on a bad thing, obstruction of justice, this commentary advocates a good thing—obstruction of injustice. There’s an injustice involving the Columbia Generating Station in Washington that desperately needs obstructing.

Raising the White Flag

The NRC dispatched a Special Inspection Team to the Columbia Generating Station in Richland, Washington in late 2016 after a package containing radioactive materials was improperly shipped from the plant facility to an offsite facility. The NRC team identified nine violations of federal regulations for handling and transport of radioactive materials, the most serious warranting a White finding in the agency’s Green, White, Yellow, and Red classification scheme. This White finding moved the Columbia Generating Station into Column 2 of the Reactor Oversight Process’s Action Matrix in the first quarter of 2017.

Columbia Generating Station would remain in Column 2 until the first of two things happened: (1) the NRC determined that the problems resulting in the improper transport of radioactive materials were found and fixed justifying a return to Column 1, or (2) additional problems were identified that warranted relocation into Columns 3 or 4.

Check that: There’s a third thing that happened to improperly transport Columbia Generating Station back into Column 1—the injustice that needed obstructing.

Raising the Whitewash

After the plant owner notified the NRC that the causes of the radioactive material mishandling had been cured, the NRC sent a team to the site in late 2017 to determine if that was the case. On January 30, 2018, the NRC reported that its investigation confirmed that the problems had been resolved and returned the Columbia Generating Station to Column 1 and routine regulatory oversight after closing out the White finding.

In response, an NRC staffer submitted a Differing Professional Opinion (DPO) contending “that the decision to close the WHITE finding was not supported by the inspection report details.” The DPO originator provided two dozen very specific reasons for the contention.

The NRC formed a three-person panel to investigate the DPO. The DPO Panel issued its report on June 28, 2018, to the Regional Administrator in NRC Region IV (Fig. 1).

Fig. 1 (Source: Unknown)

The DPO Panel recommended that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to include an explanation for why it was closed even though the problems resulting in the WHITE finding had not been remedied.

In other words, the DPO Panel agreed with the contention raised by the DPO originator. En route, the DPO Panel substantiated 20 of the 24 specific reasons provided by the originator.

Detailing the Whitewash

On July 21, 2017, another DPO Panel released a report validating 18 concerns raised by the DPO originator with how the NRC allowed Palo Verde Unit 3 to continue operating with a broken backup power generator far longer than permitted by the law, established policies, and common sense. Despite agreeing with essentially every concern raised by the DPO originator in that case, the DPO Panel somehow concluded the NRC had properly let Palo Verde continue to operate.

This time, the DPO Panel not only agreed with the DPO originator’s concerns but also agreed with the DPO originator’s conclusion that the NRC had acted improperly. To quote the DPO Panel:

“…the Panel concluded that NRC Inspection Report 05000397/2017-011, dated January 30, 2018 (ML18032A754), does not depict all the bases to support the conclusion that the objectives of the IP [inspection procedure] were met and thus does not support closure of the WHITE finding.”

A common thread among the DPO originator’s concerns was the Root Cause Evaluation (RCE) developed by the plant owner for the problems resulting in the WHITE finding. The RCE’s role is to identify the causes for the problems. Once the causes are identified, appropriate remedies can be applied. When the RCE identifies the wrong cause(s) and/or fails to identify all the right causes, the remedies cannot be sufficient. Through interviews with NRC staff involved in the inspection and its review of materials collected during the inspection, the DPO Panel reported “… a belief by the 95001 inspection team and other NRC staff with oversight of this inspection that the licensee’s written root cause evaluation (RCE), even in its seventh revision, was poorly written and lacked documentation of all the actions taken in response to this event.”

In case this verbiage was too subtle, the DPO Panel later wrote that “… the licensee’s “documented” RCE was grossly inadequate, which was confirmed through interviews by the Panel” [emphasis added].

And the DPO Panel stated “… the root cause evaluation could not have been focused on the right issue and the resulting corrective actions may not be all inclusive.”

Later the DPO Panel reported “… it is not clear how the inspectors concluded that what the licensee did was acceptable.”

A few paragraphs later, the DPO Panel stated “…the Panel could not understand the rationale for finding the licensee’s extent of condition review appropriate.”

A few more paragraphs later, the DPO panel reported “What appears confusing is that interviewees told the Panel that the licensee’s written RCE was grossly inadequate, yet the inspectors were able to accept it as adequate, without requiring the licensee to address the discrepancies through a revised RCE.”

Later on that page, “The Panel found that the report does not discuss the licensee’s corrective actions.” The inspection team found the root cause evaluation “grossly inadequate” and did not even mention the corrective actions the RCE was supposed to trigger.

The DPO Panel reported “… the inspectors concluded that the licensee met the inspection objectives of IP 95001. However, this appears to the Panel to be a leap of (documentation) faith that appears counter to the inspection requirements and guidance of IP 95001 as well as IMC [inspection manual chapter] 0611.”

Still not out of bricks, the DPO Panel concluded “It is difficult to imagine that the licensee’s definition of the problem statement, extent of condition and cause, and corrective actions are appropriate.”

The DPO Panel also stated “…the Panel can only conclude that the 95001 report justified closure of the WHITE finding based on significant verbal information that was not contained in the final RCE and not discussed in the 95001 report.”

That’s contrary to the NRC’s purported Principles of Good Regulation—Independence, Openness, Efficiency, Clarity, and Reliability, unless they are like a menu and Region IV is on a diet skipping some of the items.

As noted above, these findings led the DPO Panel to recommend that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to explain why it was closed even though the problems resulting in the WHITE finding had not been remedied. So far, the NRC has done neither.

UCS Perspective

This situation is truly appalling. And that’s an understatement.

The NRC identified nine violations of federal regulatory requirements in how this plant owner was handling and transporting radioactive materials. Not satisfied by this demonstrated poor performance, the NRC properly issued a WHITE finding and moved the reactor into Column 2 of the ROP’s Action Matrix where additional regulatory oversight was applied.

By procedure and standard practice, the WHITE finding is to remain open until a subsequent NRC inspection determines its cause(s) to have been identified and corrected.

Yet, the NRC inspectors found the root cause evaluation by the owner to be “grossly inadequate.”

And the NRC inspectors did not mention the corrective actions taken in response to the “grossly inadequate” root cause evaluation.

So, the NRC closed the WHITE finding—an injustice plain and simple as amply documented by the DPO Panel.

Where’s obstruction of injustice when it’s needed?

The DPO Panel found it “difficult to imagine” that the plant owner’s efforts were appropriate without “a leap of faith.” This is not like fantasy football, fantasy baseball, or fantasy NASCAR. Fantasy nuclear safety regulation is an injustice to be obstructed. If NRC Region IV wants to go to Fantasyland, I’ll consider buying them a ticket to Disneyland. (One-way, of course.)

The NRC’s Office of the Inspector General should investigate how the agency wandered so far away from its procedures, practices, and purported principles.

The NRC Chairman, Commissioners, and senior managers should figure out what is going terribly awry in NRC Region IV. If for no other reason than to obstruct Region IV’s injustices from corrupting the other NRC regions.

Americans deserve obstruction of injustice when it comes to nuclear safety, not fantasy nuclear safety regulation.

Containment Design Flaw at DC Cook Nuclear Plant

Role of Regulation in Nuclear Plant Safety #6

Both reactors at the DC Cook nuclear plant in Michigan shut down in September 1997 until a containment design flaw identified by a Nuclear Regulatory Commission (NRC) inspection team could be fixed. An entirely different safety problem reported to the NRC in August 1995 at an entirely different nuclear reactor began toppling dominoes until many safety problems at both nuclear plants, as well as safety problems at many other plants, were found and fixed.

First Stone Cast onto the Waters

On August 21, 1995, George Galatis, then an engineer working for Northeast Utilities (NU), and We The People, a non-profit organization founded by Stephen B. Comley Sr. in Rowley, Massachusetts, petitioned the NRC to take enforcement actions because irradiated fuel was being handled contrary to regulatory requirements during refueling outages on the Unit 1 reactor at the Millstone Power Station in Waterford, Connecticut.

Ripples Across Connecticut

The NRC’s investigations, aided by a concurrent inquiry by the NRC’s Office of the Inspector General, substantiated the allegations and also revealed the potential for similar problems to exist at Millstone Units 2 and 3 and at Haddam Neck, the other nuclear reactors operated by NU in Connecticut. The NRC issued Information Notice No. 96-17 to nuclear plant owners in March 1996 about the problems they found at Millstone and Haddam Neck. The owner permanently shut down the Millstone Unit 1 and Haddam Neck reactors rather than pay for the many safety fixes that were needed, but restarted Millstone Unit 2 and Unit 3 following the year-plus outages it took for their safety margins to be restored.

Ripples Across the Country

The NRC sent letters to plant owners in October 1996 requiring them to respond, under oath, about measures in place and planned to ensure: (1) applicable boundaries are well-defined and available, and (2) reactors operate within the legal boundaries. In other words, prove to the NRC that other reactors were not like the NU reactors were.

The NRC backed up their letter-writing safety campaign by forming three NRC-led teams of engineers contracted from architect-engineer (AE) firms (e.g., Bechtel, Stone & Webster, Burns & Roe) to visit plants and evaluate safety systems against applicable regulatory requirements. The NRC’s Frank Gillespie managed the AE team inspection effort. The NRC issued Information Notice No. 98-22 in June 1998 about the results from the 16 AE inspections conducted to that time. Numerous safety problems were identified and summarized by the NRC, including ones that caused both reactors at the DC Cook nuclear plant to be shut down in September 1997.

Ripplin’ in Michigan

The AE inspection team sent to the DC Cook nuclear plant in Michigan was led by NRC’s John Thompson and backed by five consultants from the Stone & Webster Engineering Corporation.

Sidebar: UCS typically does not identify NRC individuals by name as we have here for Gillespie and Thompson. But both received unfair criticisms from an NRC senior manager for performing their jobs well. Gillespie, for example, told me that the manager yelled at him, “We didn’t send teams out there to find safety problems!” NRC workers doing their jobs well deserve praise, not reprisals. Thanks Frank and John for jobs very well done. The senior manager will go unnamed and unthanked for a job not done so well.

DC Cook had two Westinghouse four-loop pressurized water reactors (PWRs) with ice condenser containments. Unit 1 went into commercial operation in August 1975 and Unit 2 followed in July 1978. The NRC team identified a design flaw that could have caused a reactor core meltdown under certain loss of coolant accident (LOCA) conditions.

A LOCA occurs when a pipe connected to the PWR vessel (reddish capsule in the lower center of Figure 1) breaks. The water inside a PWR vessel is at such high pressure that it does not boil even when heated to over 500°F. When a pipe breaks, high pressure water jets out of the broken ends into containment. The lower pressure inside containment causes the water to flash to steam.

Fig. 1 (Source: American Electric Power July 12, 1997, presentation to the NRC)

In ice condenser containments like those at DC Cook, the steam discharged into containment forces open doors at the bottom of the ice condenser vaults. As shown by the red arrow on the left side of Figure 1, the steam flows upward through baskets filled with ice. Most, if not all, of the steam is cooled down and turned back into water. The condensed steam and melted ice drop down to the lower sections of containment. Any uncondensed steam vapor, along with any air pulled along by the steam, flows out from the top of the ice condenser into the upper portion of containment.

Emergency pumps and large water storage tanks not shown in Figure 1 initially replace the cooling water lost via the broken pipe. The emergency pumps transfer water from the storage tanks to the reactor vessel, where some of it pours out of the broken pipe into containment.

The size of the broken pipe determines how fast cooling water escapes into containment. A pipe with a diameter less than about 2 inches causes what is called a small-break LOCA. A medium-break LOCA results from a pipe up to about 4 inches in diameter, while a large-break LOCA occurs when larger pipes rupture.

Before the storage tanks empty, the emergency pumps are re-aligned to take water from the active sump area within containment. The condensed steam and melted ice collect in the active sump. The emergency pumps pull water from the active sump and supply it to the reactor vessel where it cools the reactor core. Water spilling from the broken pipe ends finds its way back to the active sump for recycling.

The NRC’s AE inspection team identified a problem in the containment’s design for small-break LOCAs. The condensed steam and melted ice flow into the pipe annulus (the region shown in Figure 2 between the outer containment wall and the crane wall inside containment) and into the reactor cavity. The water level in the pipe annulus must rise to nearly 21 feet above the floor before water could flow through a hole drilled in the crane wall into the active sump. The water level in the reactor cavity must rise even farther above its floor before water could flow through a hole drilled in the pedestal wall into the active sump.

Fig. 2 (Source: American Electric Power July 12, 1997, presentation to the NRC)

For medium-break and large-break LOCAs, the large amount of steam discharged into containment flooded both these volumes and then the active sump long before the storage tanks emptied and the emergency pumps swapped over to draw water from the active sump. Thus, there was a seamless supply of makeup cooling water to the vessel to prevent overheating damage.

But for small-break LOCAs, the storage tanks might empty before enough water filled the active sump. In that case, the flow of makeup cooling water could be interrupted and the reactor core might overheat and melt down.

Calmed Waters in Michigan

The owner fixed the problem by drilling holes through lower sections of the crane and pedestal walls. These holes allowed water to fill the active sump in plenty of time for use by the emergency pumps for all LOCA scenarios. Once this and other safety problems were remedied (and a $500,000 fine paid), both reactors at DC Cook restarted.

UCS Perspective

The event in this case is the August 1995 notification to the NRC that the Millstone Unit 1 reactor was being operated outside its safety boundaries and the regulatory ripples caused by that notification that led to the identification and correction of containment flaws at DC Cook. For that event sequence, the NRC response reflected just right regulation.

The NRC asked and answered whether the August 1995 allegations were valid—finding that they were.

Once the initial allegation was substantiated, the NRC asked and answered whether that kind of problem also affected other reactors operated by the same owner—finding that it did.

Once the extent-of-condition review determined that multiple reactors operated by the same owner were affected, the NRC asked and answered whether similar kinds of problems could also affect other reactors operated by other owners—finding that they did.

In seeking the answer to that broader extent-of-condition question, the NRC AE inspection team identified a subtle design flaw that had escaped detection for two decades. And slightly over two years elapsed between the initial notification to the NRC and both reactors at DC Cook being shut down to fix the design flaw. While neither a blink of an eye nor a frenetic pace, that’s a pretty reasonable timeline given the number of steps needed and taken between these endpoints.

Had the NRC put the blinders on after receiving the allegations about Millstone Unit 1 and not considered whether similar problems compromised safety at other reactors, this event would have fallen into the under-regulation bin.

Had the NRC jumped to the conclusion after receiving the allegations about Millstone Unit 1 that all other reactors were likely afflicted with comparable, or worse, safety problems and ordered all shut down until proven affliction-free, this event would have fallen into the over-regulation bin.

By putting the Millstone Unit 1 allegations in proper context in a timely manner, the NRC demonstrated just-right regulation.
