UCS Blog - All Things Nuclear, Nuclear Power Safety - Latest 2

NRC’s Project Aim: Off-target?

A handful of years ago, there was talk about nearly three dozen new reactors being ordered and built in the United States. During oversight hearings, Members of Congress queried the Members of the Nuclear Regulatory Commission on efforts underway and planned to ensure the agency would be ready to handle this anticipated flood of new reactor applications without impeding progress. Those efforts included creating the Office of New Reactors and hiring new staffers to review the applications and inspect the reactors under construction.

Receding Tide

The anticipated three dozen applications for new reactors morphed into four actual applications, two of which have since been cancelled. The tsunami of new reactor applications turned out to be a little ripple, at best.

The tide also turned for the existing fleet of reactors. Unfavorable economics led to the closures of several reactors and the announced closures of several other reactors in the near future.

The majority of the NRC’s annual budget is funded through fees collected from its licensees. For example, in fiscal year 2017 the owner of an operating reactor paid $4,308,000 for the NRC’s basic oversight efforts. For extra NRC attention (such as supplemental inspections when reactor performance dropped below par and for reviews of license renewal applications), the NRC charged $263 per hour.

Still, the lack of upsizing from new reactors and abundance of downsizing from existing reactors meant that NRC would have fewer licensees from whom to collect funds.

Enter Project Aim

The NRC launched Project Aim in June 2014 with the intention of “right-sizing” the agency while retaining the skill sets necessary to perform its vital mission. Project Aim identified 150 items that could be eliminated or performed more cost-effectively. Collectively, these measures were estimated to save over $40 million.

Fig. 1 (Source: Nuclear Regulatory Commission)

Project Aim Targets

Item 59 was among the highest cost-saving measures identified by Project Aim. It terminated research activities on risk assessments of fire hazards for an estimated savings of $935,000. The NRC adopted risk-informed fire protection regulations in 2004 to complement the fire protection regulations adopted by the NRC in 1980 in response to the disastrous fire at the Browns Ferry Nuclear Plant in Alabama. The fire research supported risk assessment improvements to better manage the fire hazards—or would have done so had it not been stopped.

Item 61 was also a high dollar cost-saving measure. It eliminated the development of new methods, models and tools needed to incorporate digital instrumentation and control (I&C) systems into probabilistic risk assessments (PRAs) with an estimated savings of $735,000. Nuclear power reactors were originally equipped with analog I&C systems (which significantly lessened the impact of the Y2K rollover problem). As analog I&C systems become more obsolete, plant owners are replacing them with new-fangled digital I&C systems. Digital I&C systems fail in different ways and at different rates than analog I&C systems and the research was intended to enable the PRAs to better model the emerging reality.

Item 62 eliminated development of methods, models, tools, and data needed to evaluate the transport of radioactive materials released during severe accidents into aquatic environments. For example, the 2011 severe accident at Fukushima involved radioactive releases to the Pacific Ocean via means not clearly understood. This cost-saving measure seems to preserve that secret.

Fig. 2 (Source: Nuclear Regulatory Commission)

Project Aim Off Target?

The need to reduce costs is genuine. Where oh where could savings of $935,000 come if not from killing the fire research efforts? Perhaps the Office of Management and Budget (OMB) has the answer. On May 11, 2012, OMB issued Memorandum M-12-12 that capped the amount federal agencies spent on conferences at $500,000. This OMB action pre-dated Project Aim, but seems consistent with the project’s fiscal responsibility objectives.

But the NRC opts not to abide by the OMB directive. Instead, the NRC Chairman signs a waiver allowing the NRC to spend far more than the OMB limit on its annual Regulatory Information Conferences (RICs). How much does the RIC cost? In 2017, the RIC cost the NRC $932,315.39—nearly double the OMB limit and almost exactly equal to the amount fire research would have cost.

987 persons outside the NRC attended the RIC in 2017. So, the NRC spent roughly $944.60 per outsider at the RIC last year. But don’t fixate on that amount. Whether the NRC had spent $1,000,000 per person or $1 per person, the RIC did not make a single American safer or more secure. (It also did not make married Americans safer or more secure, either.)

Eliminating the RIC would save the NRC nearly a million dollars each year. That savings could fund the fire research this year, which really does make single and married Americans safer. And next year savings could fund the development of digital I&C risk assessment methods to better manage the deployment of these systems throughout the nuclear fleet. And the savings the following year could fund research into transport of radioactive materials during severe accidents.

Fig. 3 (Source: Nuclear Regulatory Commission)

If the cliché “knowledge is power” holds any weight, then stopping fire research, development of digital I&C risk assessment methods, and many other activities leaves the NRC powerless to properly manage the associated risks.

RIC and risk? Nope, non-RIC and lower risk.

Clinton Power Station: Déjà vu Transformer Problems

The Clinton Power Station located 23 miles southeast of Bloomington, Illinois has one General Electric boiling water reactor with a Mark III containment that began operating in 1987.

On December 8, 2013, an electrical fault on a power transformer stopped the flow of electricity to some equipment with the reactor operating near full power. The de-energized equipment caused conditions within the plant to degrade. A few minutes later, the control room operators manually scrammed the reactor per procedures in response to the deteriorating conditions. The NRC dispatched a special inspection team to investigate the cause and its corrective actions.

On December 9, 2017, an electrical fault on a power transformer stopped the flow of electricity to some equipment with the reactor operating near full power. The de-energized equipment caused conditions within the plant to degrade. A few minutes later, the control room operators manually scrammed the reactor per procedures in response to the deteriorating conditions. The NRC dispatched a special inspection team to investigate the cause and its corrective actions. The NRC’s special inspection team issued its report on January 29, 2018.

Same reactor. Same month. Nearly the same day. Same transformer. Same problem. Same outcome. Same NRC response.

Coincidence? Nope. When one does nothing to solve a problem, one invites the problem back. And problems accept the invitations too often.

Setting the Stage(s)

The Clinton reactor was operating near full power on December 8, 2013, and on December 9, 2017. The electricity produced by the main generator (red circle labeled MAIN GEN in Figure 1) at 22 kilovolts (kV) flowed through the main transformers that upped the voltage to 345 kV (345,000 volts) for the transmission lines emanating from the switchyard to carry to residential and industrial customers. Some of the electricity also flowed through the Unit Auxiliary Transformers 1A and 1B that reduced the voltage to 6.9 and 4.16 kV (4,160 volts) for use by plant equipment.

The emergency equipment installed at Clinton to mitigate accidents is subdivided into three divisions. The emergency equipment was in standby mode before things happened. The Division 1 emergency equipment is supplied electrical power from 4,160-volt bus 1A1 (shown in red in Figure 1). This safety bus can be powered from the main generator when the unit is online, from the offsite power grid when the unit is offline, or from emergency diesel generator 1A (shown in green) if none of the other supplies is available. The Divisions 2 and 3 emergency equipment is similarly supplied power from 4,160-volt buses 1B1 and 1C1 respectively, each with three sources of power.

Fig. 1 (Source: Clinton Individual Plant Examination Report (1992))

The three buses also provided power to transformers that reduced the voltage down to 480 volts for distribution via the 480-volt buses. For example, 4,160-volt bus 1A1 supplied 480-volt buses A and 1A.

Stage Struck (Twice)

On December 8, 2013, and again on December 9, 2017, an electrical fault on one of the 480-volt auxiliary transformers caused the supply breaker (shown in purple in Figure 2) from 4,160-volt bus 1A1 to open per design. This breaker is normally manually opened and closed by workers to control in-plant power distribution. But this breaker will automatically open to prevent an electrical transient from rippling through the lines to corrupt other equipment.

When the breaker opened, the flow of electricity to 480-volt buses A and 1A stopped, as did the supply of electricity from these 480-volt buses to emergency equipment. It didn’t matter whether electricity from the offsite power grid, the main generator, or emergency diesel generator 1A was supplied to 4,160-volt bus 1A1; no electricity flowed to the 480-volt buses with this electrical breaker open.

Fig. 2 (Source: Clinton Individual Plant Examination Report (1992))

The loss of 480-volt buses A and 1A interrupted the flow of electricity to emergency equipment but did not affect power to non-safety equipment. Consequently, the reactor continued operating near full power.

The emergency equipment powered from 480-volt buses A and 1A included the containment isolation valve on the pipe supplying compressed air to equipment inside the containment building. This valve is designed to fail-safe in the closed position; thus, in response to the loss of power, it closed.

Among the equipment inside containment needing compressed air were the hydraulic control units for the control rod drive (CRD) system (shown in orange in Figure 3). The control rods are positioned using water pistons. Supplying water to one side of the piston while venting water from the other side creates a differential pressure causing the control rod to move. Reversing the sides that get water and get vented causes the control rod to move in the opposite direction. Compressed air keeps two scram valves for each control rod closed against coiled springs. Without the compressed air pressure, the springs force the scram valves to open. When the scram valves open, high pressure water is supplied below the pistons while water from above the pistons is vented. As a result, the control rods fully insert into the reactor core within a handful of seconds to stop the nuclear chain reaction.

Fig. 3 (Source: Nuclear Regulatory Commission)

Ten minutes after the electrical breaker opened on December 8, 2013, an alarm in the control room sounded to alert the operators about low pressure in the compressed air system. The operators followed procedures and responded to the alarm by manually scramming the reactor.

Four minutes after the electrical breaker opened on December 9, 2017, an alarm in the control room sounded to alert the operators about low pressure in the compressed air system. Two minutes later, other alarms sounded to inform the operators that some of the control rods were moving into the reactor core. They manually scrammed the reactor. (The timing difference between the two events is explained by the amounts of air leaking from piping inside containment and by the operation of pneumatically controlled components inside containment that depleted air from the isolated piping.)

The event had additional complications. The loss of power disabled: (1) the low pressure core spray system, (2) one of the two residual heat removal trains, (3) the reactor core isolation cooling system, and (4) the normal ventilation system for the fuel handling building (the structure on the left side of Figure 3). These losses were to be expected – subdividing the emergency equipment into three divisions and then losing all the power to that division de-energizes about one-third of the emergency equipment.

Fortunately, the loss of some emergency equipment in this case was tolerable because there was no emergency for the equipment to mitigate. The operators used non-safety equipment powered from the offsite grid and some of the emergency equipment from Divisions 2 and 3 to safely shut down the reactor. The operators anticipated that the loss of compressed air to equipment inside containment would eventually cause the main steam isolation valves to close, taking away the normal means of removing decay heat from the reactor core. The operators opened other valves before the main steam isolation valves closed to provide an alternate means of sustaining this heat removal path. About 30 hours after the event began, the operators placed the reactor into a cold shutdown mode, within the time frame established by the plant’s safety studies.

Staging a Repeat Performance

Workers replaced the failed Division 1 transformer following the December 2013 event. Clinton has five safety-related and 24 non-safety-related 4,160-volt to 480-volt transformers, including the one that failed in 2013. Following the 2013 failure, a plan was developed to install windows in the transformer cabinets to allow the temperature of the windings inside to be monitored using infrared detectors. Rising temperatures would indicate winding degradation which could lead to failure of the transformer.

But the planned installation of the infrared detection systems was canceled because the transformers were already equipped with thermocouples that could be used to detect degradation. Then the owner stopped monitoring the transformer thermocouples in 2015.

Plan B (or C?) involved developing a procedure for Doble testing of these 29 transformers that would trend performance and detect degradation. The Doble testing was identified in October 2016 as a Corrective Action to Prevent Recurrence (CAPR) from the 2013 transformer failure event. The Doble testing procedure was issued on November 18, 2016.

Clinton was shut down on May 8, 2017, for a refueling outage. The activities scheduled during the refueling outage included performing the Doble testing on the Division 2 4,160-volt to 480-volt transformers. But that work was canceled because it was estimated to extend the length of the refueling outage by three whole days. So, Clinton restarted on May 29, 2017, without the Doble testing being conducted. As noted by the NRC special inspection team dispatched to Clinton following the repeat event in 2017: “…the inspectors determined that revising the model work orders [i.e., the Doble test procedure] alone was not a CAPR. In order for the CAPR to be considered implemented, the licensee needed to complete actual Doble testing of the transformers.”

The NRC’s special inspection team also identified a glitch with how some of the non-safety-related transformers were handled within the preventative maintenance program. A company procedure required components whose failure would result in a reactor scram to be included in the preventative maintenance program to lessen the likelihood of failures (and more importantly, costly scrams). In response to NRC’s questions, workers stated that three of the non-safety-related transformers could fail and cause a reactor scram, but that these transformers were not covered by the preventative maintenance program.

Plan C (or D?) now calls for replacing all five safety-related transformers: the two Division 2 transformers in 2018 and the single Division 3 transformer in 2021. The two Division 1 transformers have already been replaced following their failures. A decision whether to replace the 24 non-safety-related transformers awaits a determination about seeking a 20-year extension to the reactor’s operating license.

NRC Sanctions

The NRC’s special inspection team identified two findings both characterized as Green in the agency’s green, white, yellow and red classification system.

One finding was the violation of 10 CFR Part 50, Appendix B, Criterion XVI, “Corrective Actions,” for failing to implement measures to preclude repetition of a significant condition adverse to quality. Specifically, the fixes identified by the owner following the December 2013 transformer failure were not implemented, enabling the December 2017 transformer to fail.

The other finding was the failure to follow procedures for placing equipment within the preventative maintenance program. Per procedure, three of the non-safety-related transformers should have been covered by the preventative maintenance program but were not.

UCS Perspective

Glass half-full: Clinton started operating in 1987 and didn’t experience a 4,160-volt to 480-volt transformer failure until late 2013. Apparently, transformer failures are exceedingly rare events such that lightning won’t strike twice.

Glass half-empty: All the aging transformers at Clinton were over 25 years old and heading towards, if not already in, the wear out region of the bathtub curve. Lightning may not strike twice, but an aging jackhammer strikes lots of times (until it breaks).

Could another untested, unreplaced aging transformer fail at Clinton? You bet your glass.

Fig. 4 (Source: Nuclear Regulatory Commission)

Benny Hill Explains the NRC Approach to Nuclear Safety

The Nuclear Regulatory Commission’s safety regulations require that nuclear reactors be designed to protect the public from postulated accidents, such as the rupture of pipes that would limit the flow of cooling water to the reactor. These regulations include General Design Criteria 34 and 35 in Appendix A to 10 CFR Part 50.

Emergency diesel generators (EDGs) are important safety systems since they provide electricity to emergency equipment if outside power is cut off to the plant—another postulated accident. This electricity, for example, would allow pumps to continue to send cooling water to the reactor vessel to prevent overheating damage to the core. So the NRC has requirements that limit how long a reactor can continue operating without one of its two EDGs under different conditions. The shortest period is 3 days while the longest period is 14 days.

An All Things Nuclear commentary in July 2017 described how the NRC allowed the Unit 3 reactor at the Palo Verde nuclear plant in Arizona to operate for up to 62 days with one of its EDGs broken, but had denied the Unit 1 reactor at the DC Cook nuclear plant in Michigan permission to operate for up to 65 days with one of its two EDGs broken. It was easy to understand why the NRC denied the request for DC Cook Unit 1 (i.e., 65 days is more than the 14-day safety limit). It was not easy to understand why the NRC granted the request for Palo Verde Unit 3 (i.e., 62 days is also more than the 14-day safety limit).

The NRC also granted a request on November 26, 2017, for the Unit 1 and 2 reactors at the Brunswick nuclear plant in North Carolina to operate for up to 30 days with one EDG broken.

NRC Inspection Findings and Sanctions 2001-2016

UCS examined times between 2001 and 2016 when NRC inspectors identified violations of federal safety regulations and the sanctions imposed by the agency for these safety violations. The purpose of this exercise was to understand the NRC’s position on EDGs and the safety implications of an EDG being inoperable.

As shown in Figure 1, NRC inspectors recorded 12,610 findings over this 16-year period, an average of 788 findings each year. The NRC characterized the safety significance of its findings using a green, white, yellow and red color-code with green representing findings having low safety significance and red assigned to findings with high safety significance. The NRC determined that fewer than 2% of its findings (242 in all) warranted a white, yellow, or red finding (“greater-than-green”).

Fig. 1 (Source: Union of Concerned Scientists)

NRC Greater-than-Green Inspection Findings and Sanctions 2001-2016

UCS reviewed ALL the greater-than-green findings issued by the NRC between 2001 and 2016 to determine what safety problems most concerned the agency over those years. Figure 2 shows the greater-than-green findings issued by the NRC binned by the applicable safety system or process. Emergency planning violations accounted for 22% of the greater-than-green findings over this period—the greatest single category. Other categories are shown in increasing percentages clockwise around the pie chart.

The 32 EDG greater-than-green findings between 2001 and 2016 constituted the second highest tally of such findings over this 16-year period—an average of two greater-than-green EDG findings per year. The NRC issued one Yellow and 31 White findings for EDG violations.

Fig. 2 (Source: Union of Concerned Scientists)

NRC Greater-than-Green EDG Inspection Findings and Sanctions 2001-2016

UCS reviewed all enforcement letters issued by the NRC for all 32 EDG greater-than-green findings to determine what parameters—particularly the length of time the EDG was unavailable—factored into the NRC concluding the findings had elevated safety implications. Several of the greater-than-green findings issued by the NRC involved EDGs being unavailable for less than the 62 days that the NRC permitted Palo Verde Unit 3 to continue operating with an EDG broken. For example:

  • The NRC issued a Yellow finding on August 3, 2007, because Kewaunee (WI) operated for 50 days with one EDG impaired by a fuel oil leak.
  • The NRC issued a White finding on September 19, 2013, because HB Robinson (SC) operated for 36 days with inadequate engine cooling for an EDG.
  • The NRC issued a White finding on June 2, 2004, because Brunswick (NC) operated for 30 days with an impaired jacket water cooling system for one EDG.
  • The NRC issued a White finding on April 15, 2005, because Fort Calhoun (NE) operated for approximately 29 days with an inoperable EDG.
  • The NRC issued a White finding on December 7, 2010, because HB Robinson (SC) operated for 26 days with an impaired output breaker on one EDG.
  • The NRC issued a White finding on March 28, 2014, because Waterford (LA) operated for 25 days with inadequate ventilation for one EDG.
  • The NRC issued a White finding on December 18, 2013, because Duane Arnold (IA) operated for 22 days with inadequate lubricating oil cooling for one EDG.
  • The NRC issued a White finding on February 29, 2008, because Comanche Peak (TX) operated for 20 days with one EDG inoperable.
  • The NRC issued a White finding on December 7, 2007, because Fort Calhoun (NE) operated for 14 days with one EDG inoperable.
  • The NRC issued a White finding on April 20, 2007, because Brunswick (NC) operated for 9 days with an impaired lubricating oil system for one EDG.
  • The NRC issued a White finding on August 17, 2007, because Cooper (NE) operated for 5 days with a defective circuit card in the control system for one EDG.

NRC’s Cognitive Dissonance

The NRC issued 32 greater-than-green findings between 2001 and 2016 because inoperable or impaired EDGs increased the chances that an accident could endanger the public and the environment. As the list above illustrates, many of the NRC’s findings involved EDGs being disabled for 29 days or less.

Yet in 2017, the NRC intentionally permitted Palo Verde and Brunswick to continue operating for up to 62 and 30 days respectively.

If operating a nuclear reactor for 5, 9, 14, 20, 22, 26, or 29 days with an impaired EDG constitutes a violation of federal safety regulations warranting a rare greater-than-green finding based on the associated elevated risk to public health and safety, how can operating a reactor for 30 or 62 days NOT expose the public to elevated, and undue, risk?

Benny Hill to the Rescue

Fig. 3 (Source: www.alchetron.com)

Benny Hill was a British comedian who hosted a long-running television show between 1969 and 1989. On one of his shows, Benny observed that: “The odds against there being a bomb on a plane are a million to one, and against two bombs a million times a million to one.” Hence, Benny suggested that to be protected against being blown out of the sky: “Next time you fly, cut the odds and take a bomb” with you.

NRC’s allowing Palo Verde and Brunswick to operate for over 29 days with a broken EDG essentially takes Benny’s advice to take a bomb on board an airplane. Deliberately taking a risk significantly reduces the random risk.

But Benny’s suggestion was intended as a joke, not as prudent (or even imprudent) public policy.

So, while I’ll posthumously (him, not me) thank Benny Hill for much amusing entertainment, I’ll thank the NRC not to follow his advice and to refrain from exposing more communities to undue, elevated risk from nuclear power reactors operating for extended periods with broken EDGs.

Like Bonnie Tyler, NRC is Holding Out for a HERO

In Nuclear Energy Activist Toolkit #47, I summarized the regulations and practices developed to handle emergencies at nuclear power plants. While that commentary primarily focused on the response at the stricken plant site, it did mention that nuclear workers are required to notify the Nuclear Regulatory Commission (NRC) promptly following any declaration of an emergency condition. The NRC staffs its Operations Center 24 hours a day, 365 days a year to receive and process emergency notifications.

In late September 2017, I was made aware that the NRC was not staffing its Operations Center with the number of qualified individuals as mandated by its procedures. Specifically, NRC Management Directive 8.2, “Incident Response Program,” dictates that the Operations Center be staffed with at least two individuals: one qualified as a Headquarters Operations Officer (HOO) and one qualified as a Headquarters Emergency Response Officer (HERO). The HOO is primarily responsible for responding to a nuclear plant emergency while the HERO provides administrative support such as interagency communications.

I learned that the NRC Operations Center was instead often being staffed with only one person qualified as a HOO and a second person tasked with a “life support” role. In other words, the “life support” person would summon help in case the HOO keeled over from a heart attack or spilt hot coffee on sensitive body parts.

Fig. 1 (Source: Joe Haupt Flickr photo)

I wrote to Bernard Stapleton, who heads the NRC’s incident response effort, on October 3, 2017, inquiring about the Operations Center staffing levels. The NRC’s response was both rapid and thorough.

A conference call was conducted on October 12, 2017, between me and Steve West, Acting Director of the NRC’s Office of Nuclear Security and Incident Response, and members of his staff, Bern Stapleton and Bo Pham. They informed me that it had been a challenge for the agency to staff the Operations Center in summer and fall 2017 with qualified HEROs due to several watch standers taking other positions within the NRC and a temporary hiring freeze imposed after the unanticipated termination of the construction of two new reactors at the Summer nuclear plant in South Carolina.

The former reason made sense as individuals with these skills seek promotions. The latter reason made sense as the NRC sought to find new positions for its staff members formerly assigned to the Summer project. The one-two punch of qualified persons leaving and the replacement pipeline being temporarily shut off prevented the Operations Center from always being staffed with a HERO-qualified individual. The Operations Center always had a HOO; it sometimes lacked a HERO.

They told me that two persons had recently been hired to fill the empty positions on the Operations Center staffing chart and those new hires would be undergoing training to achieve HERO qualifications. In addition, they told me about initiatives to qualify NRC staff outside of the Operations Center section to provide a larger cushion against future staffing challenges. The larger pool of qualified watch standers would have the collateral benefit of expanding the skill sets of individuals not assigned full-time to the Operations Center.

The NRC followed up on the conference call by sending me a letter dated November 16, 2017, documenting our conversation.

UCS Perspective

It would be better for everyone if the NRC had always been able to staff its Operations Center with individuals qualified as HOOs and HEROs. But the downside from problem-free conditions is the challenge in determining whether they are due more to luck than skill. How an organization responds to problems often provides more meaningful insights than a period of problem-free performance. On the other hand, an organization really, really good at responding to problems might reflect way too much experience having problems.

In this case, the NRC did not attempt to downplay or excuse the Operations Center staffing problems. Instead, they explained how the problems came about, what measures were being taken in the interim period, and what steps were planned to resolve the matter in the long term.

In other words, the NRC skillfully responded to the bad luck that had left the Operations Center short-handed for a while.

UCS to Nuclear Regulatory Commission: Big THANKS!

This spring, I ran into Mike Weber, Director of the Office of Nuclear Regulatory Research for the Nuclear Regulatory Commission (NRC), at a break during a Commission briefing. The Office of Research hosts a series of seminars which sometimes include presentations by external stakeholders. I asked Mike if it would be possible for me to make a presentation as part of that series.

I explained that I’d made presentations during annual inspector conferences in NRC’s Regions I, II, and III in recent years and would appreciate the opportunity to reach out to the seminars’ audience. Mike commented that he’d heard positive feedback from my regional presentations and would welcome my presentation as part of their seminars. Mike tasked Mark Henry Salley and Felix Gonzalez from the Research staff to work out arrangements with me. The seminar was scheduled for September 19, 2017, in the auditorium of the Two White Flint North offices at NRC headquarters. I appreciate Mike, Mark, and Felix providing me the opportunity I sought to convey a message I truly wanted to deliver.

Fig. 1 (Source: Union of Concerned Scientists)

The title of my presentation at the seminar was “The Other Sides of the Coins.” The NRC subsequently made my presentation slides publicly available in ADAMS, their online digital library.

As I pointed out during my opening remarks, the NRC staff most often hears or reads my statements critical of how the agency did this or didn’t do that. My presentation that day focused on representative positive outcomes achieved by the NRC. For that presentation that day, my whine list was blank by design. Instead, I talked about the other sides of my usual two cents’ worth.

Fig. 2 (Source: Union of Concerned Scientists)

I summarized eight positive outcomes achieved by the NRC and listed five other positive outcomes. I emphasized that these were representative positive outcomes and far from an unabridged accounting. I told the audience members that I fully expected they would be reminded of other positive outcomes they were involved in as I covered the few during my presentation. Rather than feeling slighted, I hoped they would feel acknowledged and appreciated by extension.

One of the eight positive outcomes I summarized was the inadequate flooding protection identified by NRC inspectors at the Fort Calhoun nuclear plant in Nebraska. The NRC issued a preliminary Yellow finding—the second highest severity in its Green, White, Yellow, and Red classification system—in July 2010 for the flood protection deficiencies. To help put that Yellow finding in context, the NRC issued 827 findings during 2010: 816 Green, 9 White, and 2 Yellow. It was hardly a routine, run of the mill issuance.

The plant’s owner formally contested the preliminary Yellow finding, contending among other things that Fort Calhoun had operated for nearly 30 years with its flood protective measures, so they must be sufficient. The owner admitted that some upgrades might be appropriate, but contended that the finding should be Green, not Yellow.

The NRC seriously considered the owner’s appeal and revisited its finding and its severity determination. The NRC reached the same conclusion and issued the final Yellow finding in October 2010. The NRC then monitored the owner’s efforts to remedy the flood protection deficiencies.

The NRC’s findings and, more importantly, the owner’s fixes certainly came in handy when Fort Calhoun (the sandbagged dry spot in the lower right corner of Figure 3) literally became an island in the Missouri River in June 2011.

Recall that the NRC inspectors identified flood protection deficiencies nearly 8 months before the Fukushima nuclear plant in Japan experienced three reactor meltdowns due to flooding. Rather than waiting for the horses to trot away before closing the barn door, the NRC acted to close an open door to protect the horses before they faced harm. Kudos!

Fig. 3 (Source: Union of Concerned Scientists)

The real reason for my presentation in September and my commentary now is to acknowledge the efforts of the NRC staff. My concluding slide pointed out that tens of millions of Americans live within 50 miles of operating nuclear power plants and tens of thousands of Americans work at these operating plants. The efforts of the NRC staff make these Americans safer and more secure. I observed that the NRC staff deserved big thanks for their efforts and my final slide attempted to symbolically convey our appreciation. (The thanks were way bigger on the large projection screen in the auditorium. To replicate that experience, lean forward until your face is mere inches away from your screen.)

Fig. 4 (Source: Union of Concerned Scientists)

Grand Gulf: Three Nuclear Safety Miscues in Mississippi Warranting NRC’s Attention

The Nuclear Regulatory Commission (NRC) reacted to a trio of miscues at the Grand Gulf nuclear plant in Mississippi by sending a special inspection team to investigate. While none of the events had adverse nuclear safety consequences, the NRC team identified significantly poor performance by the operators in all three. The recurring performance shortfalls instill little confidence that the operators would perform successfully in the event of a design basis or beyond design basis accident.

The Events

Three events prompted the NRC to dispatch a special inspection team to Grand Gulf:

(1) failure to recognize that reactor power fluctuating up and down by more than 10% during troubleshooting of a control system malfunction in June 2016 exceeded a longstanding safety criterion calling for immediate shutdown,

(2) failure to recognize in September 2016 that the backup reactor cooling system relied upon when the primary cooling system broke was unable to function if needed, and

(3) failure to understand how a control system worked on September 27, 2016, resulting in the uncontrolled and undesired addition of nearly 24,000 gallons of water to the reactor vessel.

(1) June 2016 Reactor Power Oscillation Miscue

Figure 1 shows the main steam system for a typical boiling water reactor like Grand Gulf. The reactor vessel is not shown but is located off its left side. Heat produced by the reactor core boils water. Four pipes transport the steam from the reactor vessel to the turbine. The steam spins the turbine which is connected to a generator (off the right side of Figure 1) to make electricity.

Fig. 1 (Source: Nuclear Regulatory Commission)

Periodically, operators reduce the reactor power level to about 65% power and test the turbine stop valves (labeled SV in Figure 1). The stop valves are fully open when the turbine is in service, but are designed to rapidly close automatically if a turbine problem is detected. When the reactor is operating above about 30 percent power, closure of the stop valves triggers the automatic shutdown of the reactor. Below about 30 percent power, the main steam bypass valves (shown in the lower left of Figure 1) open to allow the steam flow to the main condenser should the stop valves close.

Downstream of the turbine stop valves are the turbine control valves (labeled CV in Figure 1). The control valves are partially open when the turbine is in service. The control valves are automatically re-positioned by the electro-hydraulic control (labeled EHC) system as the operators increase or decrease the reactor power level. Additionally, the EHC system automatically opens the three control valves in the other steam pipes more fully when the stop valve in one steam pipe closes. The EHC system and the control valve response time are designed to minimize the pressure transient experienced in the reactor vessel when the steam flow pathways change.

The test involves the operators closing each stop valve to verify these safety features function properly. During testing on June 17, 2016, however, unexpected outcomes were encountered. The EHC system failed to properly reposition the control valves in the other lines when a stop valve was closed, and later when it was re-opened. The control system glitch caused the reactor power level to increase and decrease between 63% and 76%.

Water flowing through the core of a boiling water reactor is heated to the boiling point. By design, the formation of steam bubbles during boiling acts like a brake on the reactor’s power level. Atoms splitting within the reactor core release heat. The splitting atoms also release neutrons, subcomponents of the atoms. The neutrons can interact with other atoms to cause them to split in what is termed a nuclear chain reaction. The neutrons emitted by splitting atoms have high energy and high speed. The neutrons get slowed down by colliding with water molecules. While fast neutrons can cause atoms to split, slower neutrons perform this role significantly better.

The EHC system problems caused the turbine control valves to open wider and close more than was necessary to handle the steam flow. Turbine control valves opened wider than necessary lowered the pressure inside the reactor vessel, allowing more steam bubbles to form. With fewer water molecules around to slow down the fast neutrons, more neutrons went places other than interacting with atoms to cause more fissions. The reactor power level dropped as the neutron chain reaction rate slowed.

When turbine control valves closed more than necessary, the pressure inside the reactor vessel increased. The higher pressure collapsed steam bubbles and made it harder for new bubbles to form. With more water molecules around, more neutrons interacted with atoms to cause more fissions. The reactor power level increased as the neutron chain reaction rate quickened.

Workers performed troubleshooting of the EHC system problems for 40 minutes. The reactor power level fluctuated between 63% and 76% as the turbine control valves closed too much and then opened too much. Finally, a monitoring system detected the undesired power fluctuations and automatically tripped the reactor, causing all the control rods to rapidly insert into the reactor core and stop the nuclear chain reaction.

The NRC’s special inspection team reported that the control room operators failed to realize that the 10% power swings exceeded a safety criterion that called for the immediate shutdown of the reactor. Following a reactor power level instability event at the LaSalle nuclear plant in Illinois in March 1988, Grand Gulf and other boiling water reactors revised operating procedures in response to an NRC mandate to require reactors to be promptly shut down when the reactor power level oscillated by 10% or more.

EHC system problems causing unwanted and uncontrolled turbine control valve movements had been experienced eight times in the prior three years. Operators wrote condition reports about the problems, but no steps had been taken to identify the cause and correct it.


Due to the intervention by the system triggering the automatic reactor scram, this event did not result in fuel damage or release of radioactive materials exceeding normal, routine releases. But that outcome was achieved despite the operators’ efforts, not because of them. The operators’ training and procedures should have caused them to manually shut down the reactor when its power level swung up and down by more than 10%. Fortunately, the plant’s protective features intervened to remedy their poor judgement.

(2) September 2016 Backup Reactor Cooling System Miscue

On September 4, 2016, the operators declared residual heat removal (RHR) pump A (circled in red in the lower middle portion of Figure 2) to be inoperable after it failed a periodic test. The pump was one of three RHR pumps that can provide makeup cooling water to the reactor vessel in case of an accident. RHR pumps A and B can also be used to cool the water within the reactor vessel during non-accident conditions. Grand Gulf’s operating license only permitted the unit to continue running for a handful of days with RHR pump A inoperable. So, the operators shut down the reactor on September 8 to repair the pump.

Fig. 2 (Source: Nuclear Regulatory Commission)

The operating license required two methods of cooling the water within the reactor vessel during shut down conditions. RHR pump B functioned as one of the methods. The operators took credit for the alternate decay heat removal (ADHR) system as the second method. The ADHR system is shown towards the upper right of Figure 2. It features two pumps that can take water from the reactor vessel, route it through heat exchangers, and return the cooled water to the reactor vessel. The ADHR system’s heat exchangers are supplied with cooling water from the plant service water (PSW) system. Warmed water from the reactor vessel flows through hundreds of metal tubes within the ADHR heat exchangers. Heat conducted through the tube walls gets carried away by the PSW system.

By September 22, workers had replaced RHR pump A and successfully tested the replacement. The following day, operators attempted to place the ADHR system in service prior to removing RHR pump B from service. They discovered that all the PSW valves (circled in red in the upper right portion of Figure 2) to the ADHR heat exchangers were closed. With these valves closed, the ADHR pumps would only take warm water from the reactor vessel, route it through the ADHR heat exchangers, and return the warm water back to the reactor vessel without being cooled.

The operating license required workers to check each day that both reactor water cooling systems were available during shut down. Each day between September 9 and 22, workers performed this check via a paperwork exercise. No one ever walked out into the plant to verify that the ADHR pumps were still there and that the PSW valves were still open.

The NRC team determined that workers closed the PSW valves to the ADHR heat exchangers on August 10 to perform maintenance on the ADHR system. The maintenance work was completed on August 15, but the valves were mistakenly not re-opened until September 23 after being belatedly discovered to be mis-positioned.


Improperly relying on the ADHR system in this event had no adverse nuclear safety consequences. It was relied upon as a backup to the primary reactor cooling system, which successfully performed that safety function. Had the primary system failed, the ADHR system would not have been able to take over that function as quickly as intended. Fortunately, the ADHR system’s vulnerability was not exploited.

(3) September 2016 Reactor Vessel Overfilling Miscue

On September 24, Grand Gulf was in what is called long cycle cleanup mode. Water within the condenser hotwell (upper right portion of Figure 3) was being sent by the condensate pumps through filter demineralizers and downstream feedwater heaters before recycling back to the condenser via the startup recirculation line. A closed valve prevented this water from flowing into the reactor vessel. Long cycle cleanup mode allows the filter demineralizers to remove particles and dissolved ions from the water. Water purity is important in boiling water reactors because any impurities tend to collect within the reactor vessel rather than being carried away with the steam leaving the vessel. The water in the condenser hotwell is the water used over and over again in boiling water reactors to make the steam that spins the turbine-generator.

Fig. 3 (Source: Nuclear Regulatory Commission)

Workers were restoring RHR pump B to its standby alignment following testing. The procedure they used directed them to open the closed feedwater valve. This valve was controlled by three pushbuttons in the control room: OPEN, CLOSE, and STOP. As soon as this valve began opening, water started flowing into the reactor vessel rather than being returned to the condenser.

The operator twice depressed the CLOSE pushbutton wanting very much for the valve to re-close. But this valve was designed to travel to the fully opened position after the OPEN pushbutton was depressed and travel to the fully closed position after the CLOSE pushbutton was depressed. By design, the valve would not change direction until after it had completed its full travel.

Unless the STOP pushbutton was depressed. The STOP pushbutton, as implied by its label, caused the valve’s movement to stop. Once stopped, depressing the CLOSE pushbutton would close the valve and depressing the OPEN pushbutton would open it.

According to the NRC’s special inspection team, “operations personnel did not understand the full function of the operating modes of [the] valve.” No operating procedure directed the operators to use the STOP button. Training in the control room simulator never covered the role of the STOP button because it was not mentioned in any operating procedures.

Not able to use the installed control system to its advantage, the operator waited until the valve traveled fully open before getting it to fully re-close. But the valve is among the largest and slowest valves in the plant—more like an elephant than a cheetah in its speed.

During the time the valve was open, an estimated 24,000 gallons of water overfilled the reactor vessel. As shown in Figure 4, the vessel’s normal level is about 33 inches above instrument zero, or about 201 inches above the top of the reactor core. The 24,000 gallons filled the reactor vessel to 151 inches above instrument zero.

Fig. 4 (Source: Nuclear Regulatory Commission)


The overfilling event had no adverse nuclear safety consequences (unless revealing procedure inadequacies, insufficient training, and performance shortcomings count).

NRC Sanctions

The NRC’s special inspection team identified three violations of regulatory requirements. One violation involved inadequate procedures for the condensate and feedwater systems that resulted in the reactor vessel overfilling event on September 24.

Another violation involved crediting the ADHR system for complying with an operating license requirement between September 9 and 22 despite its being unable to perform the necessary reactor water cooling role due to closed valves in the plant service water supply to the ADHR heat exchangers.

The third violation involved inadequate verification of the ADHR system availability between September 9 and 22. Workers failed to properly verify the system’s availability and had merely assumed it was a ready backup.

UCS Perspective

The trilogy of miscues, goofs, and mistakes that prompted the NRC to dispatch a special inspection team has a common thread. Okay, two common threads since all three happened at Grand Gulf. All three miscues reflected very badly on the operations department.

During the June power fluctuations miscue, the operators should have manually scrammed the reactor, but failed to do so. In addition, operators had experienced turbine control system problems eight times in the prior three years and initiated reports intended to identify the causes of the problems and remedy them. The maintenance department could have, and should have, reacted to these reports earlier. But the operations department could have, and should have, insisted on the recurring problems getting fixed rather than meekly adding to the list of unresolved problem reports.

During the September backup cooling system miscue, many operators over nearly two weeks had many opportunities to notice that the ADHR system would not perform as needed due to mispositioned valves. The maintenance department could have, and should have, not set a trap for the operators by leaving the valves closed when maintenance work was completed. But the operators are the only workers at the plant licensed by the NRC to ensure regulatory requirements intended to protect the public are met. They failed that legal obligation again and again between September 9 and 22.

During the September reactor vessel overfilling event, the operators failed to recognize that opening the feedwater valve while in long cycle cleanup mode would send water into the reactor vessel. That’s a fundamental mistake that’s nearly impossible to justify. The operators then compounded that mistake by failing to properly use the installed control system to mitigate the event. They simply did not understand how the three pushbutton controls worked and thus were unable to use them properly.

The poor operator performance that is the common thread among the trio of problems examined by the NRC’s special inspection team inspires little to no confidence that their performance will be any better during a design basis or beyond design basis event.

Grand Gulf: Emergency Pump’s Broken Record and Missing Record

The Grand Gulf Nuclear Station located about 20 miles south of Vicksburg, Mississippi is a boiling water reactor with a Mark III containment that was licensed to operate by the Nuclear Regulatory Commission (NRC) in November 1984. It recently set a dubious record.

The Mark III containment is a pressure-suppression containment type. It features a large amount of water in its pressure suppression pool and upper containment pool. In case of an accident, energy released into containment gets absorbed by this water, thus lessening the pressurization of the atmosphere within containment. The “energy sponge” role allows the Mark III containment to be smaller, and less expensive, than the non-pressure suppression containment structure that would be needed to handle an accident.

Fig. 1 (Source: Nuclear Regulatory Commission)

The emergency core cooling systems (ECCS) reside in a structure adjacent to the containment building. The ECCS for Grand Gulf consist of the high pressure core spray (HPCS) pump, the low pressure core spray (LPCS) pump, and three residual heat removal (RHR) pumps. The preferred source of water for the HPCS pump is the condensate storage tank (CST), although it can also draw water from the suppression pool within containment. The other ECCS pumps get their water from the suppression pool.

One of the RHR pumps (RHR Pump C) serves a single function, albeit an important one called the low pressure coolant injection (LPCI) function. When a large pipe connected to the reactor vessel breaks and drains cooling water rapidly from the vessel, RHR Pump C quickly provides a lot of water to replace the lost water and cool the reactor core.

The other two RHR pumps (RHR Pumps A and B) can perform safety functions in addition to the LPCI role. Each of these RHR pumps can be aligned to route water through a pair of heat exchangers. When in use, the heat exchangers cool down the RHR water.

RHR Pumps A and B can be used to cool the water within the reactor vessel. In what is called the shutdown cooling (SDC) mode, RHR Pump A or B takes water from the reactor vessel, routes this water through the pair of heat exchangers, and returns the cooled water to the reactor vessel.

Similarly, RHR Pumps A and B can be used to cool the water within the suppression pool. RHR Pump A or B draws water from the suppression pool, routes this water through the heat exchangers, and returns the cooled water to the suppression pool.

Finally, RHR Pumps A and B can be used to cool the atmosphere within the containment structure. RHR Pump A or B can take water from the suppression pool and discharge it through carwash styled sprinkler nozzles mounted to the inside surfaces of the containment’s upper walls and roof.

Fig. 2 (Source: Nuclear Regulatory Commission)

Given the varied safety roles played by RHR Pumps A and B, the operating license for Grand Gulf only permits the reactor to continue running for up to 7 days when either pump is unavailable. Workers started the 7-day shutdown clock on August 22, 2017, after declaring RHR Pump A to be inoperable. The ECCS pumps are tested periodically to demonstrate their capabilities. RHR Pump A failed to operate within its design band during testing. The pump was supposed to be able to deliver a flow rate of at least 7,756 gallons per minute at a differential pressure of at least 131 pounds per square inch differential across the pump. The differential pressure was too low when the pump delivered the specified flow rate. A higher differential pressure was required to demonstrate that the pump could also supply the necessary flow rate under more challenging accident conditions.

Before the clock ran out, workers shut down the Grand Gulf reactor on August 29. Workers replaced RHR Pump A and restarted the reactor on October 1, 2017.

It is rare that a boiling water reactor has to shut down for a month or longer to replace a broken RHR pump. The last time it happened in the United States was a year ago. Workers shut down the reactor on September 8, 2016, after an RHR pump failed testing on September 4. The RHR pump was unable to achieve the specified differential pressure and flow rate at the same time. Workers could throttle valves to satisfy the differential pressure criterion, but the flow rate was too low. Or, workers could reposition the throttle valves to obtain the specified flow rate, but the differential pressure was too low. The RHR pump was replaced and the reactor restarted on January 29, 2017.

The reactor—Grand Gulf.

The failed pump—RHR Pump A.

The “solution”—replace the failed pump.

UCS Perspective

Grand Gulf has experienced two failures and subsequent replacements of RHR Pump A since the summer of 2016. That’s two more RHR pump replacements than the rest of the U.S. boiling water reactor fleet tallied during the same period. Call Guinness—Grand Gulf may have broken the world record for most RHR pumps broken in a year!

Records are made to be broken, not RHR pumps.

The company’s report to the NRC about the most recent RHR Pump A failure dutifully noted that the same pump had failed and been replaced a year earlier, but claimed that corrective action could not have prevented this year’s failure of the pump. Maybe the same RHR pump broke twice within a year for two entirely unrelated reasons. The Easter bunny, the tooth fairy, and Santa Claus all agree that it’s at least possible.

On October 31, 2016, the NRC announced it was sending a special inspection team to Grand Gulf to investigate the failure of RHR Pump A and other problems. The NRC’s press release concluded with this sentence: “An inspection report documenting the team’s findings will be publicly available within 45 days of the end of the inspection.”

As of October 24, 2017, no such inspection report has been made publicly available. Call Guinness—the NRC may have broken the world record for the longest special inspection ever!

Grand Gulf was restarted on January 29, 2017, 90 days after the NRC announced it was sending a special inspection team to investigate a series of safety problems. The inspection report should have been publicly available as promised to allay public concerns that the numerous safety problems that caused Grand Gulf to remain shut down for four months had been fixed.

On June 29, 2017—241 days after the NRC announced the special inspection report—I emailed the NRC’s Executive Director for Operations inquiring about the status of this overdue report.

On October 2, 2017—95 days after my inquiry—the NRC’s Executive Director for Operations emailed me a response. He indicated that the onsite portion of the special inspection was completed on November 4, 2016, and that the inspection report “should be issued within the next few weeks.”

The NRC promised to issue the special inspection report around December 19, 2016, when the inspection ended.

The NRC promises to value transparency.

The NRC should either stop making promises or start delivering results. Promises aren’t made to be broken, either. That’s what RHR pumps are for, at least in Mississippi.

Fig. 3 (Source: Kaja Bilek Flickr photo)