UCS Blog - All Things Nuclear, Nuclear Power Safety - Latest 2

Commendable Nuclear Safety Catch at the Susquehanna Nuclear Plant

The owner of the two boiling water reactors (BWRs) at the Susquehanna Steam Electric Station in northeastern Pennsylvania notified the Nuclear Regulatory Commission (NRC) on April 2, 2018, that workers’ mistakes rendered an emergency core cooling system on Unit 1 vulnerable to being disabled by an earthquake at the same time that another emergency core cooling system was out of service for work on its power supply system. This is good news—not in having two safety systems impaired while the reactor operated, but in how quickly the problem was detected and corrected.

Fig. 1 (Source: Nuclear Regulatory Commission)

The Emergency Core Cooling Systems

Susquehanna Unit 1 is a model BWR/4 reactor with a Mark II containment design that was placed into commercial operation in June 1983. In case of an accident that drains cooling water from the reactor vessel, Unit 1 is equipped with an array of emergency core cooling system (ECCS) pumps that will automatically start and provide makeup water. The ECCS includes one steam-driven high pressure coolant injection (HPCI) pump, four motor-driven low pressure coolant injection (LPCI) pumps, and four motor-driven core spray (CS) pumps. The LPCI and CS pumps are split into two divisions of two LPCI pumps and two CS pumps each. Each division is powered from separate electrical buses, backed by separate emergency diesel generators, to increase the chances that enough pumps survive whatever challenge is experienced to provide adequate makeup cooling water flow for the reactor core.

The Situation

During the early afternoon of December 1, 2017, workers moved pipe sections into the room housing the Division II core spray pumps and staged this material on the floor as close as six inches from one of the two air conditioning units for the room.

At 7:48 am on December 2, the power supply to the Division II low pressure coolant injection pumps was removed from service to enable its voltage regulator to be replaced.

The Problem

At 10:30 am on December 3, an operator noticed that the materials staged in the core spray pump room were not seismically restrained and were close to one of the room’s air conditioning units. The Operations department conservatively assumed that an earthquake could cause the pipe sections to move into and damage the air conditioning unit. If that occurred, the heat from the running core spray pump motors could warm the room above the temperature that electrical equipment was qualified to endure. The Operations department declared the Division II core spray pumps inoperable due to their potential loss in the event of an earthquake.

The Unit 1 operation license allowed the Division II low pressure coolant injection pumps to be out of service for up to 7 days while the reactor continued operating. This allowed outage time relied on other ECCS pumps being available in case an accident happened. The discovery that the Division II core spray pumps were also inoperable undermined that reliance. The operating license for Unit 1 required the reactor to be shut down within 7 hours with both the Division II low pressure coolant injection and core spray pumps inoperable.

The Solution

At 1:35 pm on December 3, the Division II low pressure coolant injection pumps were restored to operable status following replacement of the voltage regulator on their power supply. Their restoration ended the need for the reactor to be shut down and returned the unit to the need to restore the Division II core spray pumps to service within 5 days (the 7-day clock started on December 1, when the pipe sections were staged, not on December 3 when the problem was noticed).

Around 4:00 pm on December 3, workers completed the removal of the pipe sections from the Division II core spray pump room. Doing so ended the need to shut down the reactor as all ECCS pumps were restored to service.
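The timeline above can be read as a small state machine: each Division II subsystem is either operable or inoperable, one inoperable subsystem starts a 7-day restoration clock that runs from when the condition began rather than from when it was noticed, and two inoperable subsystems start a 7-hour shutdown clock. The Python below is an added example, not code from the post or from the plant; it replays the dated events under those simplified rules. The real Technical Specifications have more conditions than this, the 13:00 staging time on December 1 is an assumed value for "early afternoon", and starting the shutdown clock at the moment of discovery is a modeling assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Allowed outage times quoted in the post for Susquehanna Unit 1:
# one Division II ECCS subsystem inoperable -> restore within 7 days;
# both Division II LPCI and core spray inoperable -> shut down within 7 hours.
# Simplified model, not the plant's actual Technical Specifications.
AOT_SINGLE = timedelta(days=7)
AOT_SHUTDOWN = timedelta(hours=7)


@dataclass
class Event:
    time: datetime                              # when operators acted or made the call
    system: str                                 # "LPCI-II" or "CS-II"
    operable: bool
    existed_since: Optional[datetime] = None    # set for conditions discovered late


def required_action(inop: Dict[str, datetime], now: datetime) -> Tuple[str, Optional[datetime]]:
    """Given the clock-start time of each inoperable subsystem, return the
    required action and its deadline as of `now`."""
    if not inop:
        return "none", None
    if len(inop) >= 2:
        # Assumption: the shutdown clock runs from recognition of the combined
        # condition, not from the earlier single-subsystem clock starts.
        return "shutdown", now + AOT_SHUTDOWN
    (system, start), = inop.items()
    # The restoration clock runs from when the condition began, even if it was
    # only discovered later (the post's "7-day clock started on December 1").
    return f"restore {system}", start + AOT_SINGLE


def replay(events: List[Event]) -> List[Tuple[datetime, str, Optional[datetime]]]:
    """Replay events in time order and log the required action after each one."""
    inop: Dict[str, datetime] = {}
    log = []
    for ev in sorted(events, key=lambda e: e.time):
        if ev.operable:
            inop.pop(ev.system, None)
        else:
            inop[ev.system] = ev.existed_since or ev.time
        action, deadline = required_action(inop, ev.time)
        log.append((ev.time, action, deadline))
    return log


def summarize(events: List[Event]) -> List[str]:
    """Human-readable log lines with the time remaining on each clock."""
    fmt = "%Y-%m-%d %H:%M"
    out = []
    for when, action, deadline in replay(events):
        if deadline is None:
            out.append(f"{when.strftime(fmt)}: {action}")
        else:
            out.append(f"{when.strftime(fmt)}: {action} by {deadline.strftime(fmt)} "
                       f"({deadline - when} remaining)")
    return out


# Timeline taken from the post; 13:00 on December 1 is an assumed time for
# "early afternoon", when the unrestrained pipe sections were staged.
SUSQUEHANNA_EVENTS = [
    Event(datetime(2017, 12, 2, 7, 48), "LPCI-II", False),
    Event(datetime(2017, 12, 3, 10, 30), "CS-II", False,
          existed_since=datetime(2017, 12, 1, 13, 0)),
    Event(datetime(2017, 12, 3, 13, 35), "LPCI-II", True),
    Event(datetime(2017, 12, 3, 16, 0), "CS-II", True),
]

if __name__ == "__main__":
    for line in summarize(SUSQUEHANNA_EVENTS):
        print(line)
```

Running it shows the shutdown clock opening at 10:30 on December 3 with a 5:30 pm deadline, closing when LPCI is restored at 1:35 pm, and the remaining core spray clock expiring on December 8 rather than December 10, because the clock is backdated to the staging on December 1. The backdating rule is the part most worth checking in any real operability tracker: a late-discovered condition shortens, never extends, the time left.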

The Armchair Viewpoint

The Engineering department analyzed the temperature in the Division II core spray pump room with both motor-driven core spray pumps running and only one of two air conditioning units in the room operating. The second air conditioning unit was assumed not to be running due to damage from the pipe sections hitting it during an earthquake. The engineering analysis concluded that the room temperature would have remained below the temperatures used to qualify safety components in the room and that the core spray pumps would have performed their safety function successfully.

UCS Perspective

The staging of the replacement pipe sections without seismic restraints in the Division II core spray pump room, near one of its air conditioning units, could have resulted in that air conditioning unit becoming damaged during an earthquake. That potential vulnerability was not recognized the next day when the Division II low pressure coolant injection pumps were taken out of service for maintenance on their power supply. The defense-in-depth approach to nuclear safety gets undermined when multiple layers are missing and/or impaired concurrently.

It would have been better had the pipe sections not been staged improperly, or had that mistake been identified before it was compounded by the intentional disabling of additional ECCS pumps the next day. But dozens of activities are ongoing each and every day at a nuclear power plant. And materials temporarily stored in the core spray pump room, a confined area that workers seldom enter, made their improper configuration less than readily evident.

The mistake was identified by the Operations department less than two days after it was made and a day after it was compounded by taking other ECCS pumps out of service. It would have been easy not to have discovered the subtle mistake, but it was found. Once found, it would have been easy to presume that the core spray pumps would have functioned despite the potential loss of one of two air conditioning units in the room. But the Operations department lacked an analysis to support that presumption and declared the pumps inoperable. That conservative call accelerated the solution to the problem. Within about 185 minutes, the low pressure coolant injection pumps were restored to service. And within 330 minutes, the pipe sections were removed to eliminate the potential hazard to the air conditioning unit in the core spray pump room. The Operations department handled this matter very well.

Defense-in-depth is frequently discussed in terms of equipment—two redundant pumps provided when only one needs to run for the necessary safety function to be fulfilled. This case illustrates how defense-in-depth also has an important role to play in human performance reliability. The Maintenance department placed the pipe sections in the core spray pump room. They should have stored the material properly, but failed to do so. The Operations department caught the mistake and caused it to be promptly remedied. And the Engineering department reviewed the mistake to determine its safety significance.

This event also reveals an unintended consequence from defense-in-depth applied to human performance reliability—when the first defense-in-depth layer succeeds, backup layers are not tested. Here, the first layer failed but the second and third layers came through. The next best thing to perfection is having a highly reliable first layer backed by a highly reliable second layer backed by a highly reliable third layer and so on.

Nuclear Regulatory Commission SAGging?

The Screen Actors Guild (SAG) is part of a labor union that represents nearly 160,000 actors and others in America. I don’t know how many NRC senior managers are SAG members, but with more and more individuals acting as senior managers for longer and longer periods, SAG may need to open an office in Rockville, Maryland where NRC is headquartered.

Figure 1 shows the NRC’s organization chart as of March 1, 2018. At the top are the five Commissioners, or rather the three Commissioners because two Commission positions have been vacant for over a year. Below the Commissioners are the 29 senior NRC managers. Of those 29 senior managers, the seven managers circled in red are only acting in those roles. Some have been acting at it for a long time. Fred Brown has been acting as the Director of the Office of New Reactors for over a year while Brian Holian has been acting as the Director of the Office of Nuclear Reactor Regulation since July 1, 2017. And Victor McCree, the NRC’s Executive Director for Operations (EDO), announced he will be retiring on June 30, 2018. The casting calls for an EDO actor have not yet been announced.

Fig. 1  Red boxes indicate acting or missing managers. (Source: NRC annotated by UCS)

Why Does it Matter?

Who commands more respect:

  • A full-time teacher or a substitute?
  • A real doctor or someone who stayed at Holiday Inn Express last night?
  • A parent or a babysitter?
  • A sheriff or a mall cop (Paul Blart excepted)?
  • A bona fide manager or an acting manager?

An acting manager can tackle the job as if it is a permanent one. But will she or he truly expend as much effort on long term tasks as someone who will be in that same job when those tasks are conducted?

Even if the acting manager performs the job as fully and capably as someone in the position for real, will her or his subordinates really raise longer term matters or will they simply wait until the real boss takes over?

A non-acting manager “owns” the job and can devote all her or his skills and attention to every aspect of that job. And staff can follow non-acting leaders without being distracted by the temptation to tolerate supervision until the real boss reports for duty.

What Does It Take to Stop the Acting?

The President nominates and the Senate confirms NRC Commissioners. So, the two empty Commissioner seats are up to the President and Senate to fill—you know, the folks unable to pass real budgets and who rely instead on serial “acting” budgetary measures. The other 29 positions on Figure 1 can be filled by the NRC itself without Presidential or Congressional involvement.

The Commission, or a majority thereof, fills the positions explicitly defined in the Atomic Energy Act. These positions include the EDO and the Directors of the Office of New Reactors and the Office of Nuclear Reactor Regulation. The EDO fills the remaining positions. For example, the NRC announced on January 2, 2018, that K. Steven West had been appointed Regional Administrator for Region III, replacing Cynthia D. Pederson who retired on December 30, 2017 (three days earlier).

Mr. West had been the Acting Director of the Office of Nuclear Security and Incident Response since July 2017 when Brian Holian became the Acting Director of the Office of Nuclear Reactor Regulation. After Mr. West got his permanent assignment, Brian McDermott was named to become the new Acting Director of NSIR. Since Mr. McDermott filled in for Acting Director West who was filling in for real Director Holian, perhaps Mr. McDermott is Acting Acting Director of NSIR.

UCS Perspective

Despite how many NRC senior managers have been acting at their positions for so long, they should probably not become SAG members. SAG represents actors and others in the entertainment industry. The NRC’s musical chairs is neither entertaining to play nor to watch.

The NRC filled Ms. Pederson’s position as Regional Administrator within three days of her retirement with a permanent, not Acting, Regional Administrator. So, the NRC can fill senior management positions expeditiously without needing actors. Despite this proven ability, 24 percent of the NRC’s top 29 management positions are filled by actors. So, the NRC can do better but has chosen—for reasons unknown—not to do so.

The NRC needs to stop acting so much. Otherwise, will the last non-actor please turn out the lights on the way out the door?

Nuclear Regulatory Commission’s Safety Dashbored

Who says the Nuclear Regulatory Commission does not have a delightful sense of humor?

Not me. Not anymore. Not after stumbling across the NRC’s Generic Issues Dashboard on its website.

The Dashboard page shows the status of three open generic issues. I look at two of them here.

GI204: Flooding of nuclear sites

Generic Issue (GI) 204 was initiated due to concerns that failure of dams upriver from nuclear power plants could flood the sites and disable emergency systems needed to prevent reactor core damage. The NRC staff completed a screening analysis in July 2011 and formally accepted GI-204 in February 2012, eleven months after flooding at Fukushima Daiichi caused the three reactors operating at the time to melt down.

So, what’s the status of the resolution of this generic issue six years later? Dashboard, please.

Fig. 1 (Source: Nuclear Regulatory Commission)

A whopping 13.1% of the affected reactors have implemented the fixes. That’s a racy rate of over 2% per year sustained for six whole years!

How many of the affected reactors have completed all the effort needed to resolve this safety issue? Three: South Texas Project Units 1 and 2 and Callaway.

But that’s a recent generic issue. Let’s examine an older generic issue.

GI-191: Debris accumulation

GI-191 was identified in September 1996 and was assigned High priority by June 28, 1999, with a target resolution date of September 2001. GI-191 affected all 69 pressurized water reactors (PWRs) operating in the U.S. at the time.

If a pipe connected to the reactor vessel broke, the fluid jetting out of the pipe ends would scour insulation off piping, coatings off equipment, and even paint off walls. This debris would then be carried by the water to the basement of the containment building where it could collect in the sump. The emergency pumps for PWRs draw water from the containment sump. The amount of debris transported to the sump could block the flow to the emergency pumps, disabling both reactor core cooling and containment cooling.

Fig. 2 (Source: Nuclear Regulatory Commission SECY-99-185)

So, what’s the status of this High priority generic issue more than 16 years after its target resolution date of September 2001? Dashboard, please.

Fig. 3 (Source: Nuclear Regulatory Commission)

Less than half of the affected reactors have reportedly implemented the fixes to this High priority safety problem more than two decades after it was identified. And the NRC has verified the adequacy of the fixes at less than 35 percent of the affected reactors. And for all we know, the NRC is taking credit for the issue no longer being unresolved at PWRs like Crystal River 3, Kewaunee, San Onofre Units 2 and 3, and Fort Calhoun that have permanently shut down since GI-191 became a High priority; if so, the statistics would look even worse.

UCS Perspective

Dashboard? Very funny. Not very accurate, but very amusing.

Come on. A safety problem afflicting more than half the nation’s nuclear power reactors that remains unresolved at most of them more than two decades later cannot be monitored by anything having “Dash” in its title. Unless “Dash” is paired with a verb that prevents anyone from inferring that swiftness is involved.

Like “DashBored.”

DashBored might better convey the NRC’s efforts—they started out really and truly wanting to quickly resolve these known safety problems to protect the American public from unduly elevated risks, but then they got bored. Something else came up, like certifying new reactor designs and approving 20-year extensions to the operating licenses of problem-plagued reactors.

The dashboard of a competent nuclear safety regulator would not show known safety problems to remain unresolved for so long.

Fukushima’s Nuclear Safety Dividend at Surry Nuclear Plant

On March 11, 2011, a large earthquake with an epicenter a few miles off the northeastern shores of Japan spawned a tsunami that inundated the Fukushima Daiichi nuclear plant. The earthquake disconnected the plant from the offsite power grid. The tsunami disabled the onsite emergency diesel generators. Deprived of electricity for emergency systems, the reactor cores for Units 1, 2 and 3 overheated and melted down.

On March 12, 2012, the Nuclear Regulatory Commission (NRC) ordered owners of US nuclear power plants to develop and implement mitigation strategies to reduce the vulnerabilities of their facilities to extreme earthquakes and floods. While the specific measures varied from plant to plant, the mitigating strategies generally involved portable pumps, portable generators, cables, hoses, and hauling equipment (called FLEX equipment) and associated procedures for workers to use should permanently installed equipment become disabled.

While the NRC’s order and the industry’s FLEX equipment were intended to reduce vulnerabilities to hazards over and above those deemed credible when the nuclear plants were designed and licensed, Dominion Energy has figured out how to use the new equipment to lessen old risks at its Surry nuclear plant, thus reaping a nuclear safety dividend from its Fukushima investment.

Surry’s Internal Flooding Risk

The Surry Power Station is located about 17 miles northwest of Newport News, Virginia. The nuclear plant has two three-loop pressurized water reactors designed by Westinghouse. Each unit can supply 838 megawatts of electricity to the offsite power grid. Unit 1 commenced commercial operation in December 1972 and Unit 2 followed in May 1973.

Fig. 1 (Source: Dominion Energy)

The large white rectangular structures in the center of Figure 1 are the turbine buildings with the two reactor containments on the left. The turbine buildings contain the turbine generators used to make electricity. The turbine buildings also house the emergency switchgear rooms that route electricity from the offsite power grid, onsite emergency diesel generators, and onsite battery banks to safety equipment throughout the plant.

It has long been recognized that a large risk of reactor core damage at Surry was an internal flood that caused water to enter the switchgear rooms and disable their electricity distribution capabilities. Figure 2 shows that this internal flooding risk constituted 47% of the overall risk of reactor core damage at Surry, or nearly equal to all other hazards combined (CDF refers to core damage frequency).

Fig. 2 (Source: Dominion Energy)

If water from an internal flood enters the switchgear room and disables the supply of electricity to safety equipment, Surry has turbine driven auxiliary feedwater (TDAFW) pumps that would continue to provide makeup water to the steam generators so that decay heat produced by the shut-down reactor cores would be removed. The TDAFW pumps are powered by steam produced by the reactor core’s decay heat in the steam generators.

But the TDAFW pumps could be deprived of their automatic control system during an internal flooding event and the event could also disable the instruments that workers need to manually control the pumps. If the TDAFW pumps overfill the steam generators due to inadequate control of their flow rates, the steam flow for the pumps would be stopped which in turn halts the removal of decay heat from the reactor cores. If cooling cannot be restored in time, meltdown happens.

The turbine buildings are filled with pipes transporting water here, there and everywhere. Some pipes move water from the intake canal shown on the right in the photograph through the condensers beneath the main turbines and return it to the discharge canal appearing to the left of the reactor containment domes. Other pipes carry cooling water to equipment within the turbine buildings. And other pipes recycle water from the condensers to the steam generators located within the reactor containments.

The internal flooding hazard involves one of these pipes breaking and flooding the turbine building with water until a valve can be closed to isolate the break or a pump turned off to stop the flow. Depending on which pipe broke and how long it took to stop water pouring from its broken ends, the turbine building will be flooded to a certain depth. Figure 3 shows a dyke installed in the turbine building outside the doors to the emergency switchgear room for protection against internal flooding.

Fig. 3 (Source: Dominion Energy)

Dominion Energy built a concrete building at Surry and filled it with FLEX equipment as part of its response to the NRC’s mitigating strategies order. Figure 4 shows some of the FLEX equipment housed within this new building.

Fig. 4 (Source: Dominion Energy)

Surry’s Internal Flooding Risk Reduction

The NRC’s order and Dominion Energy’s FLEX equipment were intended to reduce the vulnerability of Surry to hazards posed by earthquakes and external floods more severe than anticipated when the plant was designed and licensed. Permanently installed equipment mitigates anticipated internal and external hazards; FLEX provides workers alternative means to cope with greater hazards.

Dominion Energy developed the capability for its FLEX equipment to also lessen the internal flooding risk. A Remote Monitoring Panel (RMP) was installed at Surry in response to the fire protection regulations imposed by the NRC in 1980. If a fire forced workers to abandon the main control room, they would relocate to the RMP which had switches and instruments needed to cool the reactor cores.

Dominion Energy modified the RMP to enable the FLEX equipment to provide power for its controls and instruments. If an internal flooding event disabled the electricity distribution from the switchgear rooms, workers could connect FLEX equipment to the RMP and increase their chances of successfully cooling the reactor cores until permanently installed systems could take back over that role. Figure 5 shows that the FLEX equipment significantly reduces the internal flooding and station blackout risks. Because these pose the two largest risks of core damage at Surry, reducing them also reduces the overall core damage risk, and by more than a smidgen or even two smidgens.

Fig. 5 (Source: Union of Concerned Scientists based on data from Dominion Energy)

UCS Perspective

Dominion Energy achieved a safety two-fer—the equipment procured to reduce Surry’s vulnerability to external hazards has also been able to reduce the plant’s risk from internal hazards.

UCS applauds this approach to nuclear safety. The FLEX equipment did not replace existing equipment; it supplemented it. In this way, workers are provided more options and thus given greater chances of successfully intervening to prevent bad outcomes.

We remain concerned—not specifically at Surry or by Dominion Energy but more generally—that FLEX will be used to justify increased risks. As a hypothetical example, suppose someone’s flood protection dyke broke when workers accidentally rammed it with an equipment cart. Justifying not fixing the broken flood barrier because of the FLEX safety net would be disappointing.

Similarly, justifying the elimination of inspections of pipes inside the turbine building for signs of degradation by reliance on the FLEX safety net would also be disappointing. The inspections detect degraded pipes for their replacement before they rupture, thereby reducing the need for a reliable safety net.

Drivers of vehicles equipped with airbags should not justify driving while intoxicated or blindfolded or both citing the airbags as their safety net. That’s a safety not rather than a safety net.

Why NRC Nuclear Safety Inspections are Necessary: Vogtle

This is the third in a series of commentaries about the vital role nuclear safety inspections conducted by the Nuclear Regulatory Commission (NRC) play in protecting the public. This commentary describes how NRC inspectors discovered inadequate flooding protection at the Vogtle nuclear plant near Waynesboro, Georgia despite a prior warning notice.

The first commentary described how NRC inspectors discovered that limits on the maximum allowable control room air temperature at the Columbia Generating Station in Washington had been improperly relaxed by the plant’s owner. The second commentary described how NRC inspectors uncovered an improper safety assessment of a leaking cooling water system pipe on the Unit 3 reactor at Indian Point outside New York City.

Turning Back the Clock

Last century, the NRC issued a warning to nuclear plant owners about the possible submergence of electrical cables located above the estimated flood levels. The NRC’s warning informed owners about a March 20, 1989, event in which the Clinton nuclear plant in Illinois inadvertently drained water into the drywell flooding it to a depth of four inches. Workers discovered that water got into electrical junction boxes located more than four inches above the drywell floor.

Electrical junction boxes house connections of electrical cables. Figure 1 shows water pouring from an electrical junction box at the Fort Calhoun nuclear plant in Nebraska during a flood in June 2011.

Fig. 1 (Source: Nuclear Regulatory Commission)

The NRC’s 1989 warning pointed out that moisture could get into electrical junction boxes in various ways: from condensation of steam released from a broken pipe, actuation of overhead fire sprinklers, etc. If the junction boxes lack drain holes, water could accumulate within the boxes to submerge and disable electrical cables.

Workers at Vogtle reviewed the NRC’s warning and determined it was applicable to their plant. A work order was written to require that all electrical junction boxes containing safety-related cables have drain holes.

Stopping the Clock

The work order was closed out on January 25, 1990. Typically, closing out a work order written to correct a safety problem means that work to solve the problem has been completed. But not this time.

Setting off the Clock Alarm

In late 2017, NRC inspectors examined junction box 2BTJB0486 at Vogtle. They observed that the junction box lacked a drain hole and later determined that the cables and connections inside the box were not qualified for submergence in water. The NRC issued a Green finding for the failure to properly protect electrical equipment from the environmental conditions it could experience.

UCS Perspective

The NRC’s inspectors did not examine every junction box at Vogtle. The NRC conducts audits of a few items to gain insights about the condition of the broader universe of items. During this inspection, the NRC examined a whopping total of seven components, only one being a junction box. So, the NRC looked at one junction box and found it deficient. What does that say about the rest of the junction boxes at Vogtle?

Nothing. Maybe other boxes have holes. Maybe they don’t. Maybe is maybe adequate protection of public health and safety. Maybe not.

Workers at Vogtle wrote a work order to check on other junction boxes. In other words, they repeated the same step taken following the NRC’s 1989 warning to respond to the NRC’s 2018 finding that the 1989 response was woefully deficient.

The bad news is that the electrical junction box at Vogtle did not have even a tiny hole in it.

The worse news is that the corrective action program at Vogtle has a big hole in it.

NRC’s Project Aim: Off-target?

A handful of years ago, there was talk about nearly three dozen new reactors being ordered and built in the United States. During oversight hearings, Members of Congress queried the Members of the Nuclear Regulatory Commission on efforts underway and planned to ensure the agency would be ready to handle this anticipated flood of new reactor applications without impeding progress. Those efforts included creating the Office of New Reactors and hiring new staffers to review the applications and inspect the reactors under construction.

Receding Tide

The anticipated three dozen applications for new reactors morphed into four actual applications, two of which have since been cancelled. The tsunami of new reactor applications turned out to be a little ripple, at best.

The tide also turned for the existing fleet of reactors. Unfavorable economics led to the closures of several reactors and the announced closures of several other reactors in the near future.

The majority of the NRC’s annual budget is funded through fees collected from its licensees. For example, in fiscal year 2017 the owner of an operating reactor paid $4,308,000 for the NRC’s basic oversight efforts. For extra NRC attention (such as supplemental inspections when reactor performance dropped below par and for reviews of license renewal applications), the NRC charged $263 per hour.

Still, the lack of upsizing from new reactors and abundance of downsizing from existing reactors meant that NRC would have fewer licensees from whom to collect funds.

Enter Project Aim

The NRC launched Project Aim in June 2014 with the intention of “right-sizing” the agency while retaining the skill sets necessary to perform its vital mission. Project Aim identified 150 items that could be eliminated or performed more cost-effectively. Collectively, these measures were estimated to save over $40 million.

Fig. 1 (Source: Nuclear Regulatory Commission)

Project Aim Targets

Item 59 was among the highest cost-saving measures identified by Project Aim. It terminated research activities on risk assessments of fire hazards for an estimated savings of $935,000. The NRC adopted risk-informed fire protection regulations in 2004 to complement the fire protection regulations adopted by the NRC in 1980 in response to the disastrous fire at the Browns Ferry Nuclear Plant in Alabama. The fire research supported risk assessment improvements to better manage the fire hazards—or would have done so had it not been stopped.

Item 61 was also a high dollar cost-saving measure. It eliminated the development of new methods, models and tools needed to incorporate digital instrumentation and control (I&C) systems into probabilistic risk assessments (PRAs) with an estimated savings of $735,000. Nuclear power reactors were originally equipped with analog I&C systems (which significantly lessened the impact of the Y2K rollover problem). As analog I&C systems become more obsolete, plant owners are replacing them with new-fangled digital I&C systems. Digital I&C systems fail in different ways and at different rates than analog I&C systems and the research was intended to enable the PRAs to better model the emerging reality.

Item 62 eliminated development of methods, models, tools, and data needed to evaluate the transport of radioactive materials released during severe accidents into aquatic environments. For example, the 2011 severe accident at Fukushima involved radioactive releases to the Pacific Ocean via means not clearly understood. This cost-saving measure seems to preserve that secret.

Fig. 2 (Source: Nuclear Regulatory Commission)

Project Aim Off Target?

The need to reduce costs is genuine. Where, oh where, could savings of $935,000 come from if not from killing the fire research efforts? Perhaps the Office of Management and Budget (OMB) has the answer. On May 11, 2012, OMB issued Memorandum M-12-12, which capped the amount federal agencies spend on a single conference at $500,000. This OMB action pre-dated Project Aim, but seems consistent with the project’s fiscal responsibility objectives.

But the NRC opts not to abide by the OMB directive. Instead, the NRC Chairman signs a waiver allowing the NRC to spend far more than the OMB limit on its annual Regulatory Information Conferences (RICs). How much does the RIC cost? In 2017, the RIC cost the NRC $932,315.39—nearly double the OMB limit and almost exactly equal to the amount fire research would have cost.

987 persons outside the NRC attended the RIC in 2017. So, the NRC spent roughly $944.60 per outsider at the RIC last year. But don’t fixate on that amount. Whether the NRC had spent $1,000,000 per person or $1 per person, the RIC did not make a single American safer or more secure. (It also did not make married Americans safer or more secure, either.)

Eliminating the RIC would save the NRC nearly a million dollars each year. That savings could fund the fire research this year, which really does make single and married Americans safer. And next year savings could fund the development of digital I&C risk assessment methods to better manage the deployment of these systems throughout the nuclear fleet. And the savings the following year could fund research into transport of radioactive materials during severe accidents.

Fig. 3 (Source: Nuclear Regulatory Commission)

If the cliché “knowledge is power” holds any weight, then stopping fire research, development of digital I&C risk assessment methods, and many other activities leaves the NRC powerless to properly manage the associated risks.

RIC and risk? Nope, non-RIC and lower risk.

Clinton Power Station: Déjà vu Transformer Problems

The Clinton Power Station, located 23 miles southeast of Bloomington, Illinois, has one General Electric boiling water reactor with a Mark III containment that began operating in 1987.

On December 8, 2013, an electrical fault on a power transformer stopped the flow of electricity to some equipment with the reactor operating near full power. The de-energized equipment caused conditions within the plant to degrade. A few minutes later, the control room operators manually scrammed the reactor per procedures in response to the deteriorating conditions. The NRC dispatched a special inspection team to investigate the cause and its corrective actions.

On December 9, 2017, an electrical fault on a power transformer stopped the flow of electricity to some equipment with the reactor operating near full power. The de-energized equipment caused conditions within the plant to degrade. A few minutes later, the control room operators manually scrammed the reactor per procedures in response to the deteriorating conditions. The NRC dispatched a special inspection team to investigate the cause and its corrective actions. The NRC’s special inspection team issued its report on January 29, 2018.

Same reactor. Same month. Nearly the same day. Same transformer. Same problem. Same outcome. Same NRC response.

Coincidence? Nope. When one does nothing to solve a problem, one invites the problem back. And problems accept the invitations too often.

Setting the Stage(s)

The Clinton reactor was operating near full power on December 8, 2013, and on December 9, 2017. The electricity produced by the main generator (red circle labeled MAIN GEN in Figure 1) at 22 kilovolts (kV) flowed through the main transformers that upped the voltage to 345 kV (345,000 volts) for the transmission lines emanating from the switchyard to carry to residential and industrial customers. Some of the electricity also flowed through the Unit Auxiliary Transformers 1A and 1B that reduced the voltage to 6.9 and 4.16 kV (4,160 volts) for use by plant equipment.

The emergency equipment installed at Clinton to mitigate accidents is subdivided into three divisions. The emergency equipment was in standby mode when each event began. The Division 1 emergency equipment is supplied electrical power from 4,160-volt bus 1A1 (shown in red in Figure 1). This safety bus can be powered from the main generator when the unit is online, from the offsite power grid when the unit is offline, or from emergency diesel generator 1A (shown in green) if neither of the other supplies is available. The Division 2 and 3 emergency equipment is similarly supplied power from 4,160-volt buses 1B1 and 1C1 respectively, each with three sources of power.

Fig.1 (Source: Clinton Individual Plant Examination Report (1992))

The three buses also provided power to transformers that reduced the voltage down to 480 volts for distribution via the 480-volt buses. For example, 4,160-volt bus 1A1 supplied 480-volt buses A and 1A.

Stage Struck (Twice)

On December 8, 2013, and again on December 9, 2017, an electrical fault on one of the 480-volt auxiliary transformers caused the supply breaker (shown in purple in Figure 2) from 4,160-volt bus 1A1 to open per design. This breaker is normally manually opened and closed by workers to control in-plant power distribution. But this breaker will automatically open to prevent an electrical transient from rippling through the lines to corrupt other equipment.

When the breaker opened, the flow of electricity to 480-volt buses A and 1A stopped, as did the supply of electricity from these 480-volt buses to emergency equipment. It didn’t matter whether electricity from the offsite power grid, the main generator, or emergency diesel generator 1A was supplied to 4,160-volt bus 1A1; no electricity flowed to the 480-volt buses with this electrical breaker open.

Fig. 2 (Source: Clinton Individual Plant Examination Report (1992))

The loss of 480-volt buses A and 1A interrupted the flow of electricity to emergency equipment but did not affect power to non-safety equipment. Consequently, the reactor continued operating near full power.

The emergency equipment powered from 480-volt buses A and 1A included the containment isolation valve on the pipe supplying compressed air to equipment inside the containment building. This valve is designed to fail-safe in the closed position; thus, in response to the loss of power, it closed.

Among the equipment inside containment needing compressed air were the hydraulic control units for the control rod drive (CRD) system (shown in orange in Figure 3). The control rods are positioned using water pistons. Supplying water to one side of the piston while venting water from the other side creates a differential pressure that causes the control rod to move. Reversing which side is supplied and which is vented causes the control rod to move in the opposite direction. Compressed air keeps two scram valves for each control rod closed against coiled springs. Without the compressed air pressure, the springs force the scram valves to open. When the scram valves open, high pressure water is supplied below the pistons while water from above the pistons is vented. As a result, the control rods fully insert into the reactor core within a handful of seconds to stop the nuclear chain reaction.

Fig. 3 (Source: Nuclear Regulatory Commission)
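The chain of events just described (supply breaker opens, 480-volt buses A and 1A go dead, the containment air isolation valve fails closed, the scram valves spring open) can be checked mechanically as a dependency model. The Python script below is an added example, not the plant's drawings or the NRC's analysis. Bus and load names follow the post where the post gives them; the breaker tags, the exact topology and which 480-volt bus feeds which load are assumptions made for the illustration. It shows that the breaker between bus 1A1 and the 480-volt transformer is a single point of failure for the Division 1 loads regardless of which of the three sources is feeding bus 1A1.

```python
"""Dependency model of the Clinton Division 1 power path described in the post.

Added example: this is not plant documentation or NRC analysis.  Names the
post does not give (breaker tags, load-to-bus assignments) are constructed
here and marked as assumptions.
"""
from collections import deque

# Directed edges (upstream, downstream, breaker).  An edge tagged with a
# breaker conducts only while that breaker is closed.  Topology simplified
# from the post's description; breaker tags are hypothetical.
EDGES = [
    ("OFFSITE_GRID", "BUS_1A1", "CB_GRID_1A1"),   # offsite grid to 4,160-volt bus 1A1
    ("MAIN_GEN", "BUS_1A1", "CB_GEN_1A1"),        # main generator via unit auxiliary transformer
    ("EDG_1A", "BUS_1A1", "CB_EDG_1A1"),          # emergency diesel generator 1A
    ("BUS_1A1", "XFMR_480_DIV1", "CB_1A1_480"),   # supply breaker to the 480-volt transformer
    ("XFMR_480_DIV1", "BUS_A", None),
    ("XFMR_480_DIV1", "BUS_1A", None),
    # Load-to-bus assignments below are assumptions; the post only says these
    # loads were fed from "480-volt buses A and 1A".
    ("BUS_A", "LPCS_PUMP", None),                 # low pressure core spray
    ("BUS_A", "RHR_TRAIN_A", None),               # one residual heat removal train
    ("BUS_1A", "RCIC_SYSTEM", None),              # reactor core isolation cooling
    ("BUS_1A", "FHB_VENTILATION", None),          # fuel handling building normal ventilation
    ("BUS_1A", "CNMT_AIR_ISOL_SOLENOID", None),   # holds the containment air isolation valve open
]

ALL_SOURCES = {"OFFSITE_GRID", "MAIN_GEN", "EDG_1A"}
EMERGENCY_LOADS = {"LPCS_PUMP", "RHR_TRAIN_A", "RCIC_SYSTEM", "FHB_VENTILATION"}


def energized(available_sources, open_breakers):
    """Return every node that receives power, walking downstream from the
    available sources through closed breakers only."""
    live = set(available_sources)
    queue = deque(available_sources)
    while queue:
        node = queue.popleft()
        for up, down, breaker in EDGES:
            if up != node or down in live:
                continue
            if breaker is not None and breaker in open_breakers:
                continue  # open breaker: this edge does not conduct
            live.add(down)
            queue.append(down)
    return live


def containment_air_available(live):
    """The air isolation valve fails closed: air reaches containment only
    while the valve's solenoid is powered."""
    return "CNMT_AIR_ISOL_SOLENOID" in live


def scram_expected(live):
    """Scram valves are held shut by compressed air against springs; once the
    isolated header bleeds down, the springs open them and the rods insert."""
    return not containment_air_available(live)


def single_points_of_failure(available_sources, loads):
    """Breakers whose opening, by itself, de-energizes every one of `loads`."""
    breakers = sorted({b for _, _, b in EDGES if b is not None})
    return [b for b in breakers if not (loads & energized(available_sources, {b}))]


def summarize(available_sources, open_breakers):
    """Small report of what a given set of open breakers does to Division 1."""
    live = energized(available_sources, open_breakers)
    return {
        "lost_emergency_loads": sorted(EMERGENCY_LOADS - live),
        "containment_air": containment_air_available(live),
        "scram_expected": scram_expected(live),
    }


if __name__ == "__main__":
    # The 2013 and 2017 events: all three sources healthy, one breaker opens.
    print(summarize(ALL_SOURCES, {"CB_1A1_480"}))
    # Losing the offsite feed alone is covered by the remaining sources.
    print(summarize(ALL_SOURCES, {"CB_GRID_1A1"}))
    print("single points of failure:", single_points_of_failure(ALL_SOURCES, EMERGENCY_LOADS))
```

The useful output is the last line: with every upstream source healthy, only the 1A1-to-480-volt supply breaker takes down all of the Division 1 loads, which is exactly the situation the post describes. Swapping in a single source (for example only `EDG_1A`) changes nothing once that breaker is open.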

Ten minutes after the electrical breaker opened on December 8, 2013, an alarm in the control room sounded to alert the operators about low pressure in the compressed air system. The operators followed procedures and responded to the alarm by manually scramming the reactor.

Four minutes after the electrical breaker opened on December 9, 2017, an alarm in the control room sounded to alert the operators about low pressure in the compressed air system. Two minutes later, other alarms sounded to inform the operators that some of the control rods were moving into the reactor core. They manually scrammed the reactor. (The timing difference between the two events is explained by the amounts of air leaking from piping inside containment and by the operation of pneumatically controlled components inside containment that depleted air from the isolated piping.)

The event had additional complications. The loss of power disabled: (1) the low pressure core spray system, (2) one of the two residual heat removal trains, (3) the reactor core isolation cooling system, and (4) the normal ventilation system for the fuel handling building (the structure on the left side of Figure 3). These losses were to be expected – subdividing the emergency equipment into three divisions and then losing all the power to one division de-energizes about one-third of the emergency equipment.

Fortunately, the loss of some emergency equipment in this case was tolerable because there was no emergency for the equipment to mitigate. The operators used non-safety equipment powered from the offsite grid and some of the emergency equipment from Divisions 2 and 3 to safely shut down the reactor. The operators anticipated that the loss of compressed air to equipment inside containment would eventually cause the main steam isolation valves to close, taking away the normal means of removing decay heat from the reactor core. The operators opened other valves before the main steam isolation valves closed to provide an alternate means of sustaining this heat removal path. About 30 hours after the event began, the operators placed the reactor into cold shutdown, within the time frame established by the plant’s safety studies.

Staging a Repeat Performance

Workers replaced the failed Division 1 transformer following the December 2013 event. Clinton has five safety-related and 24 non-safety-related 4,160-volt to 480-volt transformers, including the one that failed in 2013. Following the 2013 failure, a plan was developed to install windows in the transformer cabinets to allow the temperature of the windings inside to be monitored using infrared detectors. Rising temperatures would indicate winding degradation which could lead to failure of the transformer.

But the planned installation of the infrared detection systems was canceled because the transformers were already equipped with thermocouples that could be used to detect degradation. Then the owner stopped monitoring the transformer thermocouples in 2015.

Plan B (or C?) involved developing a procedure for Doble testing of these 29 transformers that would trend performance and detect degradation. The Doble testing was identified in October 2016 as a Corrective Action to Prevent Recurrence (CAPR) from the 2013 transformer failure event. The Doble testing procedure was issued on November 18, 2016.

Clinton was shut down on May 8, 2017, for a refueling outage. The activities scheduled during the refueling outage included performing the Doble testing on the Division 2 4,160-volt to 480-volt transformers. But that work was canceled because it was estimated to extend the length of the refueling outage by three whole days. So, Clinton restarted on May 29, 2017, without the Doble testing being conducted. As noted by the NRC special inspection team dispatched to Clinton following the repeat event in 2017: “…the inspectors determined that revising the model work orders [i.e., the Doble test procedure] alone was not a CAPR. In order for the CAPR to be considered implemented, the licensee needed to complete actual Doble testing of the transformers.”

The NRC’s special inspection team also identified a glitch with how some of the non-safety-related transformers were handled within the preventative maintenance program. A company procedure required components whose failure would result in a reactor scram to be included in the preventative maintenance program to lessen the likelihood of failures (and more importantly, costly scrams). In response to NRC’s questions, workers stated that three of the non-safety-related transformers could fail and cause a reactor scram, but that these transformers were not covered by the preventative maintenance program.

Plan C (or D?) now calls for replacing all five safety-related transformers: the two Division 2 transformers in 2018 and the single Division 3 transformer in 2021. The two Division 1 transformers have already been replaced following their failures. A decision whether to replace the 24 non-safety-related transformers awaits a determination about seeking a 20-year extension to the reactor’s operating license.

NRC Sanctions

The NRC’s special inspection team identified two findings, both characterized as Green in the agency’s green, white, yellow and red classification system.

One finding was the violation of 10 CFR Part 50, Appendix B, Criterion XVI, “Corrective Actions,” for failing to implement measures to preclude repetition of a significant condition adverse to quality. Specifically, the fixes identified by the owner following the December 2013 transformer failure were not implemented, enabling the December 2017 transformer to fail.

The other finding was the failure to follow procedures for placing equipment within the preventative maintenance program. Per procedure, three of the non-safety-related transformers should have been covered by the preventative maintenance program but were not.

UCS Perspective

Glass half-full: Clinton started operating in 1987 and didn’t experience a 4,160-volt to 480-volt transformer failure until late 2013. Apparently, transformer failures are exceedingly rare events such that lightning won’t strike twice.

Glass half-empty: All the aging transformers at Clinton were over 25 years old and heading towards, if not already in, the wear out region of the bathtub curve. Lightning may not strike twice, but an aging jackhammer strikes lots of times (until it breaks).

Could another untested, unreplaced aging transformer fail at Clinton? You bet your glass.

Fig. 4 (Source: Nuclear Regulatory Commission)

Benny Hill Explains the NRC Approach to Nuclear Safety

The Nuclear Regulatory Commission’s safety regulations require that nuclear reactors be designed to protect the public from postulated accidents, such as the rupture of pipes that would limit the flow of cooling water to the reactor. These regulations include General Design Criteria 34 and 35 in Appendix A to 10 CFR Part 50.

Emergency diesel generators (EDGs) are important safety systems since they provide electricity to emergency equipment if outside power is cut off to the plant—another postulated accident. This electricity, for example, would allow pumps to continue to send cooling water to the reactor vessel to prevent overheating damage to the core. So the NRC has requirements that limit how long a reactor can continue operating without one of its two EDGs under different conditions. The shortest period is 3 days while the longest period is 14 days.

An All Things Nuclear commentary in July 2017 described how the NRC allowed the Unit 3 reactor at the Palo Verde nuclear plant in Arizona to operate for up to 62 days with one of its EDGs broken, but had denied the Unit 1 reactor at the DC Cook nuclear plant in Michigan permission to operate for up to 65 days with one of its two EDGs broken. It was easy to understand why the NRC denied the request for DC Cook Unit 1 (i.e., 65 days is more than the 14-day safety limit). It was not easy to understand why the NRC granted the request for Palo Verde Unit 3 (i.e., 62 days is also more than the 14-day safety limit).

The NRC also granted a request on November 26, 2017, for the Unit 1 and 2 reactors at the Brunswick nuclear plant in North Carolina to operate for up to 30 days with one EDG broken.

NRC Inspection Findings and Sanctions 2001-2016

UCS examined times between 2001 and 2016 when NRC inspectors identified violations of federal safety regulations and the sanctions imposed by the agency for these safety violations. The purpose of this exercise was to understand the NRC’s position on EDGs and the safety implications of an EDG being inoperable.

As shown in Figure 1, NRC inspectors recorded 12,610 findings over this 16-year period, an average of 788 findings each year. The NRC characterized the safety significance of its findings using a green, white, yellow and red color-code with green representing findings having low safety significance and red assigned to findings with high safety significance. The NRC determined that fewer than 2% of its findings (242 in all) warranted a white, yellow, or red finding (“greater-than-green”).

Fig. 1 (Source: Union of Concerned Scientists)

NRC Greater-than-Green Inspection Findings and Sanctions 2001-2016

UCS reviewed ALL the greater-than-green findings issued by the NRC between 2001 and 2016 to determine what safety problems most concerned the agency over those years. Figure 2 shows the greater-than-green findings issued by the NRC binned by the applicable safety system or process. Emergency planning violations accounted for 22% of the greater-than-green findings over this period—the greatest single category. Other categories are shown in increasing percentages clockwise around the pie chart.

The 32 EDG greater-than-green findings between 2001 and 2016 constituted the second highest tally of such findings over this 16-year period—an average of two greater-than-green EDG findings per year. The NRC issued one Yellow and 31 White findings for EDG violations.

Fig. 2 (Source: Union of Concerned Scientists)

NRC Greater-than-Green EDG Inspection Findings and Sanctions 2001-2016

UCS reviewed all enforcement letters issued by the NRC for all 32 EDG greater-than-green findings to determine what parameters—particularly the length of time the EDG was unavailable—factored into the NRC concluding the findings had elevated safety implications. Several of the greater-than-green findings issued by the NRC involved EDGs being unavailable for less than the 62 days that the NRC permitted Palo Verde Unit 3 to continue operating with an EDG broken. For example:

  • The NRC issued a Yellow finding on August 3, 2007, because Kewaunee (WI) operated for 50 days with one EDG impaired by a fuel oil leak.
  • The NRC issued a White finding on September 19, 2013, because HB Robinson (SC) operated for 36 days with inadequate engine cooling for an EDG.
  • The NRC issued a White finding on June 2, 2004, because Brunswick (NC) operated for 30 days with an impaired jacket water cooling system for one EDG.
  • The NRC issued a White finding on April 15, 2005, because Fort Calhoun (NE) operated for approximately 29 days with an inoperable EDG.
  • The NRC issued a White finding on December 7, 2010, because HB Robinson (SC) operated for 26 days with an impaired output breaker on one EDG.
  • The NRC issued a White finding on March 28, 2014, because Waterford (LA) operated for 25 days with inadequate ventilation for one EDG.
  • The NRC issued a White finding on December 18, 2013, because Duane Arnold (IA) operated for 22 days with inadequate lubricating oil cooling for one EDG.
  • The NRC issued a White finding on February 29, 2008, because Comanche Peak (TX) operated for 20 days with one EDG inoperable.
  • The NRC issued a White finding on December 7, 2007, because Fort Calhoun (NE) operated for 14 days with one EDG inoperable.
  • The NRC issued a White finding on April 20, 2007, because Brunswick (NC) operated for 9 days with an impaired lubricating oil system for one EDG.
  • The NRC issued a White finding on August 17, 2007, because Cooper (NE) operated for 5 days with a defective circuit card in the control system for one EDG.

NRC’s Cognitive Dissonance

The NRC issued 32 greater-than-green findings between 2001 and 2016 because inoperable or impaired EDGs increased the chances that an accident could endanger the public and the environment. As the list above illustrates, many of the NRC’s findings involved EDGs being disabled for 29 days or less.

Yet in 2017, the NRC intentionally permitted Palo Verde and Brunswick to continue operating for up to 62 and 30 days respectively.

If operating a nuclear reactor for 5, 9, 14, 20, 22, 26, or 29 days with an impaired EDG constitutes a violation of federal safety regulations warranting a rare greater-than-green finding based on the associated elevated risk to public health and safety, how can operating a reactor for 30 or 62 days NOT expose the public to elevated, and undue, risk?
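One way to make the comparison in that question concrete, as an added illustration that is not from the post: treat loss of offsite power as a random event arriving at a constant rate $\lambda$ per day (an assumed, unspecified value; the post gives no rate) and ask how likely such an event is to land inside an EDG outage lasting $T$ days.

$$P(T) = 1 - e^{-\lambda T} \approx \lambda T \qquad (\lambda T \ll 1)$$

The exposure therefore grows in proportion to the allowed outage time, and for the durations the post cites the ratios do not depend on the actual value of $\lambda$:

$$\frac{P(62)}{P(14)} \approx \frac{62}{14} \approx 4.4, \qquad \frac{P(30)}{P(14)} \approx \frac{30}{14} \approx 2.1, \qquad \frac{P(62)}{P(5)} \approx \frac{62}{5} \approx 12.4$$

The approximation leaves out the probability that the remaining EDG also fails when called on, but that factor multiplies every term equally and so leaves the ratios unchanged.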

Benny Hill to the Rescue

Fig. 3 (Source: www.alchetron.com)

Benny Hill was a British comedian who hosted a long-running television show between 1969 and 1989. On one of his shows, Benny observed that: “The odds against there being a bomb on a plane are a million to one, and against two bombs a million times a million to one.” Hence, Benny suggested that to be protected against being blown out of the sky: “Next time you fly, cut the odds and take a bomb” with you.

NRC’s allowing Palo Verde and Brunswick to operate for over 29 days with a broken EDG essentially takes Benny’s advice to take a bomb on board an airplane. Deliberately taking a risk significantly reduces the random risk.

But Benny’s suggestion was intended as a joke, not as prudent (or even imprudent) public policy.

So, while I’ll posthumously (him, not me) thank Benny Hill for much amusing entertainment, I’ll thank the NRC not to follow his advice and to refrain from exposing more communities to undue, elevated risk from nuclear power reactors operating for extended periods with broken EDGs.