All Things Nuclear: Insights on Science and Security
https://allthingsnuclear.org

Anticipated Transient Without Scram
https://allthingsnuclear.org/dlochbaum/anticipated-transient-without-scram
Thu, 16 Aug 2018 10:00:31 +0000

Role of Regulation in Nuclear Plant Safety #8


In the mid-1960s, the nuclear safety regulator raised concerns about the reliability of the system relied upon to protect the public in the event of a reactor transient. If that system failed—or failed again since it had already failed—the reactor core could be severely damaged (as it had been during that prior failure). The nuclear industry resisted the regulator’s efforts to manage this risk. Throughout the 1970s, the regulator and industry pursued a non-productive exchange of study and counter-study. Then the system failed again—three times—in June 1980 and twice more in February 1983. The regulator adopted the Anticipated Transient Without Scram rule in June 1984. But it was too little, too late—the hazard it purported to manage had already been alleviated via other means.

Anticipated Transients

Nuclear power reactors are designed to protect workers and members of the public should anticipated transients and credible accidents occur. Nuclear Energy Activist Toolkit #17 explained the difference between transients and accidents. Anticipated transients include the failure of a pump while running and the inadvertent closure of a valve that interrupts the flow of makeup water to the reactor vessel.

The design responses to some anticipated transients involve automatic reductions of the reactor power level. Anticipated transients upset the balance achieved during steady state reactor operation—the automatic power reductions make it easier to restore balance and end the transient.

Scram

For other transients and for transients where power reductions do not successfully restore balance, the reactor protection system is designed to automatically insert control rods that stop the nuclear chain reaction. This rapid insertion of control rods is called “scram” or “reactor trip” in the industry. Nuclear Energy Activist Toolkit #11 described the role of the reactor protection system.

Scram was considered to be the ultimate solution to any transient problems. Automatic power reductions and other automatic actions might mitigate a transient such that scram is not necessary. But if invoked, scram ended any transient and placed the reactor in a safe condition—or so it was believed.

Anticipated Transient Without Scram (ATWS)

Dr. Stephen H. Hanauer was appointed to the NRC’s Advisory Committee on Reactor Safeguards (ACRS) in 1965. (Actually, the ACRS was part of the Atomic Energy Commission (AEC) in those days. The Nuclear Regulatory Commission (NRC) did not exist until formed in 1975 when the Energy Reorganization Act split the AEC into the NRC and what today is the Department of Energy.) During reviews of applications for reactor operating licenses in 1966 and 1967, Hanauer advocated separating instrumentation systems used to control the reactor from the instrumentation systems used to protect it (i.e., trigger automatic scrams). Failure of this common system caused an accident on November 18, 1958, at the High Temperature Reactor Experiment No. 3 in Idaho.

The nuclear industry and its proponents downplayed the concerns on grounds that the chances of an accident were so small and the reliability of the mitigation systems so high that safety was good enough. Dr. Alvin Weinberg, Director of the Oak Ridge National Laboratory, and Dr. Chauncey Starr, Dean of Engineering at UCLA, publicly contended that the chances of a serious reactor accident were similar to that of a jet airliner plunging into Yankee Stadium during a World Series game.

In February 1969, E. P. Epler, a consultant to the ACRS, pointed out that common cause failure could impair the reactor protection system and prevent the scram from occurring. The AEC undertook two efforts in response to the observation: (1) examine mechanisms and associated likelihoods that a scram would not happen when needed, and (2) evaluate the consequences of anticipated transients without scrams (ATWS).

The AEC published WASH-1270, “Technical Report on Anticipated Transients Without Scram,” in September 1973. Among other things, this report established the objective that the chances of an ATWS event leading to serious offsite consequences should be less than 1×10⁻⁷ per reactor-year. For a fleet of 100 reactors, meeting that objective translates into one ATWS accident every 100,000 years—fairly low risk.

The AEC had the equivalent of a speed limit sign but lacked speedometers or radar guns. Some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—10,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁷ per reactor-year. The lack of riskometers and risk guns fostered a debate that pre-dated the “tastes great, less filling” debate fabricated years later to sell Miller Lite beer.

An article titled “ATWS—Impact of a Nonproblem,” that appeared in the March 1977 issue of the EPRI Journal summarized the industry’s perspective (beyond the clue in the title):

ATWS is an initialism for anticipated transient without scram. In Nuclear Regulatory Commissionese it refers to a scenario in which an anticipated incident causes the reactor to undergo a transient. Such a transient would require the reactor protection system (RPS) to initiate a scram (rapid insertion) of the control rods to shut down the reactor, but for some reason the scram does not occur. … Scenarios are useful tools. They are used effectively by writers of fiction, the media, and others to guide the thinking process.

Two failures to scram had already occurred (in addition to the HTRE-3 failure). The boiling water reactor at the Kahl nuclear plant in Germany experienced a failure in 1963 and the N-reactor at Hanford in Washington had a failure in 1970. The article suggested that scram failures should be excluded from the scram reliability statistical analysis, observing that “One need not rely on data alone to make an estimate of the statistical properties of the RPS.” As long as scenarios exist, one doesn’t need statistics getting in the way.

The NRC formed an ATWS task force in March 1977 to end, or at least focus, the non-productive debate that had been going on since WASH-1270 was published. The task force’s work was documented in NUREG-0460, “Anticipated Transients Without Scram for Light Water Reactors,” issued in April 1978. The objective was revised from 1×10⁻⁷ per reactor-year to 1×10⁻⁶ per reactor-year.

Believe it or not, changing the safety objective without developing the means to objectively gauge performance towards meeting it did not end or even appreciably change the debate. Now, some argued that existing designs had failure rates as high as 1×10⁻³ per reactor-year—1,000 times higher than the safety objective. Others argued that the existing designs had failure rates considerably lower than 1×10⁻⁶ per reactor-year. The 1970s ended without resolution to the safety problem that arose more than a decade earlier.

The Browns Ferry ATWS, ATWS, and ATWS

On June 28, 1980, operators reduced the power level on the Unit 3 boiling water reactor (BWR) at the Browns Ferry Nuclear Plant in Alabama to 35 percent and depressed the two pushbuttons to initiate a manual scram. All 185 control rods should have fully inserted into the reactor core within seconds to terminate the nuclear chain reaction. But 76 control rods remained partially withdrawn and the reactor continued operating, albeit at an even lower power level. Six minutes later, an operator depressed the two pushbuttons again. But 59 control rods remained partially withdrawn after the second ATWS. Two minutes later, the operator depressed the pushbuttons again. But 47 control rods remained partially withdrawn after the third ATWS. Six minutes later, an automatic scram occurred that resulted in all 185 control rods being fully inserted into the reactor core. It took four tries and nearly 15 minutes, but the reactor core was shut down. Fission Stories #107 described the ATWSs in more detail.

In BWRs, control rods are moved using hydraulic pistons. Water is supplied to one side of the piston and vented from the other side with the differential pressure causing the control rod to move. During a scram, the water vents to a large metal pipe and tank called the scram discharge volume. While never proven conclusively, it is generally accepted that something blocked the flow of vented water into the scram discharge volume. Flow blockage would have reduced the differential pressure across the hydraulic pistons and impeded control rod insertions. The scram discharge volume itself drains into the reactor building sump. The sump was found to contain considerable debris. But because it collects water from many places, none of the debris could be specifically identified as having once blocked flow into the scram discharge volume.

Although each control rod had its own hydraulic piston, the hydraulic pistons for half the control rods vented to the same scram discharge volume. The common mode failure of flow blockage impaired the scram function for half the control rods.

The NRC issued Bulletin 80-17, “Failure of 76 of 185 Control Rods to Fully Insert During a Scram at a BWR,” on July 3, 1980, with Supplement 1 on July 18, 1980, Supplement 2 on July 22, 1980, Supplement 3 on August 22, 1980, Supplement 4 on December 18, 1980, and Supplement 5 on February 2, 1981, compelling plant owners to take interim and long-term measures to prevent what didn’t happen at Browns Ferry Unit 3—a successful scram on the first try—from not happening at their facilities.

ATWS – Actual Tack Without Stalling

On November 19, 1981, the NRC published a proposed ATWS rule in the Federal Register for public comment. One could argue that the debates that filled the 1970s laid the foundation for this proposed rule and the June 1980 ATWSs at Browns Ferry played no role in this step or its timing. That’d be one scenario.

The Salem ATWS and ATWS

During startup on February 25, 1983, following a refueling outage, low water level in one of the steam generators on the Unit 1 pressurized water reactor at the Salem nuclear plant triggered an automatic scram signal to the two reactor trip breakers. Had either breaker functioned, all the control rods would have rapidly inserted into the reactor core. But both breakers failed. The operators manually tripped the reactor 25 seconds later. The following day, NRC inspectors discovered that an automatic scram signal had also happened during an attempted startup on February 22, 1983. The reactor trip breakers failed to function. The operators had manually tripped the reactor. The reactor was restarted two days later without noticing, and correcting, the reactor trip breaker failures. Fission Stories #106 described the ATWSs in more detail.

In PWRs, control rods move via gravity during a scram. They are withdrawn upward from the reactor core and held fully or partially withdrawn by electro-magnets. The reactor trip breakers stop the flow of electricity to the electro-magnets, which releases the control rods to allow gravity to drop them into the reactor core. Investigators determined that the proper signal went to the reactor trip breakers on February 22 and 25, but the reactor trip breakers failed to open to stop the electrical supply to the electro-magnets. Improper maintenance of the breakers essentially transformed oil used to lubricate moving parts into glue binding those parts in place—in the wrong places on February 22 and 25, 1983.

The Salem Unit 1 reactor had two reactor trip breakers. Opening of either reactor trip breaker would have scrammed the reactor. The common mode failure of the same improper maintenance practices on both breakers prevented them both from functioning when needed, twice.

The NRC issued Bulletin 83-01, “Failure of Reactor Trip Breakers (Westinghouse DB-50) to Open on Automatic Trip Signal,” on February 25, 1983, Bulletin 83-04, “Failure of Undervoltage Trip Function of Reactor Trip Breakers,” on March 11, 1983, and Bulletin 83-08, “Electrical Circuit Breakers with Undervoltage Trip in Safety-Related Applications Other Than the Reactor Trip System,” on December 28, 1983, compelling plant owners to take interim and long-term measures to prevent failures like those experienced on Salem Unit 1.

ATWS Scoreboard: Browns Ferry 3, Salem 2

ATWS – Actual Text Without Semantics

The NRC published the final ATWS rule adopted on June 26, 1984, or slightly over 15 years after the ACRS consultant wrote that scrams might not happen when desired due to common mode failures. The final rule was issued less than four years after a common mode failure caused multiple ATWS events at Browns Ferry and about 18 months after a common mode failure caused multiple ATWS events at Salem. The semantics of the non-productive debates of the Seventies gave way to actual action in the Eighties.

UCS Perspective

The NRC issued NUREG-1780, “Regulatory Effectiveness of the Anticipated Transient Without Scram Rule,” in September 2003. The NRC “concluded that the ATWS rule was effective in reducing ATWS risk and that the cost of implementing the rule was reasonable.” But that report relied on bona-fide performance gains achieved apart from the ATWS rule and which would have been achieved without the rule. For example, the average reactor scrammed 8 times in 1980. That scram frequency dropped to less than an average of two scrams per reactor per year by 1992.

The ATWS rule did not trigger this reduction or accelerate the rate of reduction. The reduction resulted from the normal physical process, often called the bathtub curve due to its shape. As procedure glitches, training deficiencies, and equipment malfunctions were weeded out, their fixes lessened the recurrence rate of problems resulting in scrams. I bought a Datsun 210 in 1980. That acquisition had about as much to do with the declining reactor scram rate since then as the NRC’s ATWS rule had.

There has been an improvement in the reliability of the scram function since 1980. But again, that improvement was achieved independently from the ATWS rule. The Browns Ferry and Salem ATWS events prompted the NRC to mandate via a series of bulletins that owners take steps to reduce the potential for common mode failures. Actions taken in response to those non-rule-related mandates improved the reliability of the scram function more than the ATWS rule measures.

If the ATWS rule had indeed made nuclear plants appreciably safer, then it would represent under-regulation by the NRC. After all, the question of the need for additional safety arose in the 1960s. If the ATWS rule truly made reactors safer, then the “lost decade” of the 1970s is inexcusable. The ATWS rule should have been enacted in 1974 instead of 1984 if it was really needed for adequate protection of public health and safety.

But the ATWS rule enacted in 1984 did little to improve safety that wasn’t achieved via other means. The 1980 and 1983 ATWS near-miss events at Browns Ferry and Salem might have been averted by an ATWS rule enacted a decade earlier. Once they happened, the fixes they triggered fleet-wide precluded the need for an ATWS rule. So, the ATWS rule was too little, too late.

The AEC/NRC and nuclear industry expended considerable effort during the 1970s not resolving the ATWS issue—effort that could better have been applied resolving other safety issues more rapidly.

ATWS becomes the first Role of Regulation commentary to fall into the “over-regulation” bin. UCS has no established plan for how this series will play out. ATWS initially appeared to be an “under-regulation” case, but research steered it elsewhere.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Obstruction of Injustice: Making Mountains out of Molehills at the Cooper Nuclear Plant
https://allthingsnuclear.org/dlochbaum/injustice-at-cooper
Mon, 13 Aug 2018 10:00:10 +0000

The initial commentary in this series of posts described how a three-person panel formed by the Nuclear Regulatory Commission (NRC) to evaluate concerns raised by an NRC worker concluded that the agency violated its procedures, policies, and practices by closing out a safety issue and returning the Columbia Generating Station to normal regulatory oversight without proper justification.

I had received the non-public report by the panel in the mail. That envelope actually contained multiple panel reports. This commentary addresses a second report from another three-person panel. None of the members of this panel served on the Columbia Generating Station panel. Whereas that panel investigated contentions that NRC improperly dismissed safety concerns, this panel investigated contentions that the NRC improperly sanctioned Cooper for issues that did not violate any federal regulations or requirements. This panel also substantiated the contentions and concluded that the NRC lacked justification for its actions. When will the injustices end?

Mountains at Cooper

The NRC conducted its Problem Identification and Resolution inspection at the Cooper nuclear plant in Brownville, Nebraska, from June 12 through June 29, 2017. The report dated August 7, 2017, for this inspection identified five violations of regulatory requirements.

An NRC staffer subsequently submitted a Differing Professional Opinion (DPO) contending that the violations were inappropriate. The basis for this contention was that there were no regulatory requirements applicable to the issues; thus, an owner could not possibly violate a non-existent requirement.

Molehills at Cooper

Per procedure, the NRC formed a three-person panel to evaluate the contentions raised in the DPO. The DPO Panel evaluated the five violations cited in the August 7, 2017, inspection report.


  • Molehill #1: The inspection report included a GREEN finding for a violation of Criterion XVI in Appendix B to 10 CFR Part 50. Appendix B contains 18 quality assurance requirements. Criterion XVI requires owners to identify conditions adverse to quality (e.g., component failures, procedure deficiencies, equipment malfunctions, material defects, etc.) and fix them in a timely and effective manner. The DPO Panel “…determined that this issue does not represent a violation of 10 CFR 50 Appendix B, Criterion XVI, inasmuch as the licensee identified the cause and implemented corrective actions to preclude repetition.” In other words, one cannot violate a regulation when doing precisely what the regulation says to do.
  • Molehill #2: The inspection report included a GREEN finding for a violation of a technical specification requirement to provide evaluations of degraded components in a timely manner. The DPO Panel “…concluded that this issue does not represent a violation of regulatory requirements.” This is a slightly different molehill. Molehill #1 involved not violating a requirement when one does exactly what the requirement says. Molehill #2 involved not violating a requirement that simply does not exist. A different kind of molehill, but a molehill nonetheless.
  • Molehill #3: The inspection report included another GREEN finding for another violation of Criterion XVI in Appendix B to 10 CFR Part 50. This time, the report contended that the plant owner failed to promptly identify adverse quality trends. The DPO Panel “concluded that monitoring for trends is not a requirement of Criterion XVI,” reprising Molehill #2.
  • Mountain #1: The inspection report included another GREEN finding for failure to monitor emergency diesel generator performance shortcomings as required by the Maintenance Rule. The DPO Panel “…determined that the violation was correct as written and should not be retracted.” As my grandfather often said, even a blind squirrel finds an acorn every now and then.
  • Molehill #4: The inspection report included a Severity Level IV violation for violating 10 CFR Part 21 by not reporting a substantial safety hazard. The DPO Panel discovered that the substantial safety hazard was indeed reported to the NRC by the owner within specified time frames. The owner submitted a Licensee Event Report per 10 CFR 50.72. 10 CFR Part 21 and NRC’s internal procedures explicitly allow owners to forego submitting a duplicate report when they have reported the substantial safety hazard via 10 CFR 50.72. The DPO Panel recommended that “…consideration be given to retracting the violation … because it had no impact on the ability of the NRC to provide regulatory oversight.”

The DPO Panel wrote in the cover letter transmitting their report to the NRC Region IV Regional Administrator:

After considerable review effort, the Panel disagreed, at least in part, with the conclusions documented in the Cooper Nuclear Station Problem Identification and Resolution Inspection Report for four of the five findings.

The DPO Panel report was dated April 13, 2018. As of August 8, 2018, I could find no evidence that NRC Region IV has either remedied the miscues identified by the DPO originator and confirmed by the DPO Panel, or explained why sanctioning plant owners for following regulations is justified.

UCS Perspective

At Columbia Generating Station, NRC Region IV made a molehill out of a mountain by finding, and then overlooking, that the plant owner’s efforts were “grossly inadequate” (quoting that DPO Panel’s conclusion).

At Cooper Nuclear Station, NRC Region IV made mountains out of molehills by sanctioning the owner for violating non-existent requirements or for doing precisely what the regulations required.

Two half-hearted (substitute any other body part desired, although “elbow” doesn’t work so well) efforts don’t make one whole-hearted outcome. These two wrongs do not average out to just-right regulation.

NRC Region IV must be fixed. It must be made to see mountains as mountains and molehills as molehills. Confusing the two is unacceptable.

Mountains and molehills (M&Ms). M&Ms should be a candy treat and not a regulatory trick.

NOTE: NRC Region IV’s deplorable performance at Columbia and Cooper might have remained undetected and uncorrected but for the courage and conviction of NRC staffer(s) who put career(s) on the line by formally contesting the agency’s actions. When submitting DPOs, the originators have the option of making the final DPO package publicly available or not. In these two cases, I received the DPO Panel reports before the DPOs were closed. I do not know the identity of the DPO originator(s) and do not know whether the person(s) opted to make the final DPO packages (which consist of the original DPO, the DPO Panel report, and the agency’s final decision on the DPO issues) public or not. If the DPO originator(s) wanted to keep the DPO packages non-public, I betrayed that choice by posting the DPO Panel reports. If that’s the case, I apologize to the DPO originator(s). While my intentions were good, I would have abided by personal choice had I had any way to discern what it was.

Either way, it is hoped that putting a spotlight on the issues has positive outcomes in these two DPOs as well as in lessening the need for future DPOs and posts about obstruction of injustice.

24 Space-Based Missile Defense Satellites Cannot Defend Against ICBMs
https://allthingsnuclear.org/dwright/24-space-based-interceptors
Fri, 10 Aug 2018 11:41:11 +0000

Articles citing a classified 2011 report by the Institute for Defense Analysis (IDA) have mistakenly suggested the report finds that a constellation of only 24 satellites can be used for space-based boost-phase missile defense.

This finding would be in contrast to many other studies that have shown that a space-based boost-phase missile defense system would require hundreds of interceptors in orbit to provide thin coverage of a small country like North Korea, and a thousand or more to provide thin coverage over larger regions of the Earth.

A 2011 letter from Missile Defense Agency (MDA) Director Patrick O’Reilly providing answers to questions by then-Senator Jon Kyl clarifies that the 24-satellite constellation discussed in the IDA study is not a boost-phase missile defense system, but is instead a midcourse system designed to engage anti-ship missiles:

The system discussed by IDA appears to be a response to concerns about anti-ship ballistic missiles that China is reported to be developing. It would have far too few satellites for boost-phase defense against missiles from even North Korea, and certainly from a more sophisticated adversary.

The MDA letter says the 24 satellites might carry four interceptors each. Adding interceptors to the satellites does not fix the coverage problem, however: If one of the four interceptors is out of range, all the interceptors are out of range, since they move through orbit together. As described below, the coverage of a space-based system depends on the number of satellites and how they are arranged in orbit, as well as the ability of the interceptors they carry to reach the threat in time.

While this configuration would place four interceptors over some parts of the Earth, it would leave very large gaps in the coverage between the satellites. An attacker could easily track the satellites to know when none were overhead, and then launch missiles through the gaps. As a result, a defense constellation with gaps would realistically provide no defense.

(The IDA report is “Space Base Interceptor (SBI) Element of Ballistic Missile Defense: Review of 2011 SBI Report,” Institute for Defense Analyses, Dr. James D. Thorne, February 29, 2016.)

Why boost phase?

The advantage of intercepting during a ballistic missile’s boost phase—the first three to five minutes of flight when its engines are burning—is destroying the missile before it releases decoys and other countermeasures that greatly complicate intercepting during the subsequent midcourse phase, when the missile’s warhead is coasting through the vacuum of space. Because boost phase is short, interceptors must be close enough to the launch site of target missiles to be able to reach them during that time. This is the motivation for putting interceptors in low Earth orbits—with altitudes of a few hundred kilometers—that periodically pass over the missile’s launch site.

The fact that the interceptors must reach a boosting missile within a few minutes limits how far the interceptor can be from the launching missile and still be effective. This short time therefore limits the size of the region a given interceptor can cover to several hundred kilometers.

An interceptor satellite in low Earth orbit cannot sit over one point on the Earth, but instead circles the Earth on its orbit. This means an interceptor that is within range of a missile launch site at one moment will quickly move out of range. As a result, having even one interceptor in the right place at the right time requires a large constellation of satellites so that as one interceptor moves out of range another one moves into range.

Multiple technical studies have shown that a space-based boost phase defense would require hundreds or thousands of orbiting satellites carrying interceptors, even to defend against a few missiles. A 2012 study by the National Academies of Science and Engineering found that space-based boost phase missile defense would cost 10 times as much as any ground-based alternative, with a price tag of $300 billion for an “austere” capability to counter a few North Korean missiles.

Designing the system instead to attack during the longer midcourse phase significantly increases the time available for the interceptor to reach its target and therefore increases the distance the interceptor can be from a launch and still get there in time. This increases the size of the region an interceptor can cover—up to several thousand kilometers (see below). Doing so reduces the number of interceptors required in the constellation from hundreds to dozens.

However, intercepting in midcourse negates the rationale for putting interceptors in space in the first place, which is being close enough to the launch site to attempt boost phase intercepts. Defending ships against anti-ship missiles would be done much better and more cheaply from the surface.

Calculation of Constellation Size

Figure 1 shows how to visualize a system intended to defend against anti-ship missiles during their midcourse phases. Consider an interceptor designed for midcourse defense on an orbit (white curve) that carries it over China (the red curve is the equator). If the interceptor is fired out of its orbit shortly after detection of the launch of an anti-ship missile with a range of about 2,000 km, it would have about 13 minutes to intercept before the missile re-entered the atmosphere. In those 13 minutes, the interceptor could travel a distance of about 3,000 km, which is the radius of the yellow circle. (This assumes δV = 4 km/s for the interceptor, in line with the assumptions in the National Academies of Science and Engineering study.)

The yellow circle therefore shows the size of the area this space-based midcourse interceptor could in principle defend against such an anti-ship missile.

Fig. 1.  The yellow circle shows the coverage area of a midcourse interceptor, as described in the post; it has a radius of 3,000 km. The dotted black circle shows the coverage area of a boost-phase interceptor; it has a radius of 800 km.

However, the interceptor satellite must be moving rapidly to stay in orbit. Orbital velocity is 7.6 km/s at an altitude of 500 km. In less than 15 minutes the interceptor and the region it can defend will have moved more than 6,000 km along its orbit (the white line), and will no longer be able to protect against missiles in the yellow circle in Figure 1.

To ensure an interceptor is always in the right place to defend that region, there must be multiple satellites in the same orbit so that one satellite moves into position to defend the region when the one in front of it moves out of position. For the situation described above and shown in Figure 1, that requires seven or eight satellites in the orbit.

At the same time, the Earth is rotating under the orbits. After a few hours, China will no longer lie under this orbit, so to give constant interceptor coverage of this region, there must be interceptors in additional orbits that will pass over China after the Earth has rotated. Each of these orbits must also contain seven or eight interceptor satellites. For the case shown here, only two additional orbits are required (the other two white curves in Figure 1).

Eight satellites in each of these three orbits gives a total of 24 satellites in the constellation to maintain coverage of one or perhaps two satellites in view of the sea east of China at all times. This constellation could therefore only defend against a small number of anti-ship missiles fired essentially simultaneously. Defending against more missiles would require a larger constellation.

If the interceptors are instead designed for boost-phase rather than midcourse defense, the area each interceptor could defend is much smaller. An interceptor with the same speed as the one described above could only reach out about 800 km during the boost time of a long-range missile; this is shown by the dashed black circle in Figure 1.

In this case, the interceptor covering a particular launch site will move out of range of that site very quickly—in about three and a half minutes. Maintaining one or two satellites over a launch site at these latitudes will therefore require 40 to 50 satellites in each of seven or eight orbits, for a total of 300 to 400 satellites.

The system described—40 to 50 satellites in each of seven or eight orbits—would only provide continuous coverage against launches in a narrow band of latitude, for example, over North Korea if the inclination of the orbits was 45 degrees (Fig. 2). For parts of the Earth between about 30 degrees north and south latitude there would be significant holes in the coverage. For areas above about 55 degrees north latitude, there would be no coverage. Broader coverage to include continuous coverage at other latitudes would require two to three times that many satellites—1,000 or more.

As discussed above, defending against more than one or two nearly simultaneous launches would require a much larger constellation.

Fig. 2. The figure shows the ground coverage (gray areas) of interceptor satellites in seven equally spaced orbital planes with inclination of 45°, assuming the satellites can reach laterally 800 km as they de-orbit. The two dark lines are the ground tracks of two of the satellites in neighboring planes. This constellation can provide complete ground coverage for areas between about 30° and 50° latitude (both north and south), less coverage below 30°, and no coverage above about 55°.

For additional comments on the IDA study, see Part 2 of this post.

More Comments on the IDA Boost-Phase Missile Defense Study
https://allthingsnuclear.org/dwright/comments-on-ida-study
Fri, 10 Aug 2018 11:40:50 +0000

Part 1 of this post discusses one aspect of the 2011 letter from Missile Defense Agency (MDA) to then-Senator Kyl about the IDA study of space-based missile defense. The letter raises several additional issues, which I comment on here.

  1. Vulnerability of missile defense satellites to anti-satellite (ASAT) attack

To be able to reach missiles shortly after launch, space-based interceptors (SBI) must be in low-altitude orbits; typical altitudes discussed are 300 to 500 km. At the low end of this range atmospheric drag is high enough to give very short orbital lifetimes for the SBI unless they carry fuel to actively compensate for the drag. That may not be needed for orbits near 500 km.

Interceptors at these low altitudes can be easily tracked using ground-based radars and optical telescopes. They can also be reached with relatively cheap short-range and medium-range missiles; if these missiles carry homing kill vehicles, such as those used for ground-based midcourse missile defenses, they could be used to destroy the space-based interceptors. Just before a long-range missile attack, an adversary could launch an anti-satellite attack on the space-based interceptors to punch a hole in the defense constellation through which the adversary could then launch a long-range missile.

Alternately, an adversary that did not want to allow the United States to deploy space-based missile defense could shoot space-based interceptors down shortly after they were deployed.

The IDA report says that the satellites could be designed to defend themselves against such attacks. How might that work?

Since the ASAT interceptor would be lighter and more maneuverable than the SBI, the satellite could not rely on maneuvering to avoid being destroyed.

A satellite carrying a single interceptor could not defend itself by attacking the ASAT, for two reasons. First, the boost phase of a short- or medium-range missile is much shorter than that of a long-range missile, and would be too short for an interceptor designed for boost-phase interception to engage. Second, even if the SBI was designed to have sensors to allow intercept in midcourse as well as boost phase, using the SBI to defend against the ASAT weapon would remove the interceptor from orbit and the ASAT weapon would have done its job by removing the working SBI from the constellation. A workable defensive strategy would require at least two interceptors in each position, one to defend against ASAT weapons and one to perform the missile defense mission.

The IDA report assumes the interceptor satellites it describes to defend ships would each carry four interceptors. If the system is meant to have defense against ASAT attacks, some of the four interceptors must be designed for midcourse intercepts. The satellite could carry at most three such interceptors, since at least one interceptor must be designed for the boost-phase mission of the defense. If an adversary wanted to punch a hole in the constellation, it could launch four ASAT weapons at the satellite and overwhelm the defending interceptors (recall that the ASAT weapons are launched on relatively cheap short- or medium-range missiles).

In addition, an ASAT attack could well be successful even if the ASAT was hit by an interceptor. If an interceptor defending the SBI hit an approaching ASAT it would break the ASAT into a debris cloud that would follow the trajectory of the original center of mass of the ASAT. If this intercept happened after the ASAT weapon’s course was set to collide with the satellite, the debris cloud would continue in that direction. If debris from this cloud hit the satellite it would very likely destroy it.

  2. Multiple interceptors per satellite

It is important to keep in mind that adding multiple interceptors to a defense satellite greatly increases the satellite’s mass, which increases its launch cost and overall cost.

The vast majority of the mass of a space-based interceptor is the fuel needed to accelerate the interceptor out of its orbit and to maneuver to hit the missile (the missile is itself maneuvering since it is in its boost phase, when it is accelerating and steering). For example, the American Physical Society’s study assumes the empty kill vehicle of the interceptor (the sensor, thrusters, valves, etc.) is only 60 kg, but the fueled interceptor would have a mass of more than 800 kg.

Adding a second interceptor to the defense satellite would add another 800 kg to the overall mass. A satellite with four interceptors and a “garage” that included the solar panels and communication equipment could have a total mass of three to four tons.

  3. Space debris creation

Senator Kyl asked the MDA to comment on whether space-based missile defense would create “significant permanent orbital debris.” The MDA answer indicated that at least for one mechanism of debris creation (that of an intercept of a long-range missile), the system could be designed to not generate long-lived debris.

However, there are at least three different potential debris-creating mechanisms to consider:

  • Intercepting a missile with an SBI

When two compact objects collide at very high speed, the objects break into two expanding clouds of debris that follow the trajectories of the center of mass of the original objects. In this case the debris cloud from the interceptor will likely have a center of mass speed greater than Earth escape velocity (11.2 km/s) and most of the debris will therefore not go into orbit or fall back to Earth. Debris from the missile will be on a suborbital trajectory; it will fall back to Earth and not create persistent debris.

  • Using an SBI as an anti-satellite weapon

If equipped with an appropriate sensor, the space-based interceptor could home on and destroy satellites. Because of the high interceptor speed needed for boost phase defense, the SBI could reach satellites not only in low Earth orbits (LEO), but also those in semi-synchronous orbits (navigation satellites) and in geosynchronous orbits (communication and early warning satellites). Destroying a satellite on orbit could add huge amounts of persistent debris to these orbits.

At altitudes above about 800 km, where most LEO satellites orbit, the debris from a destroyed satellite would remain in orbit for decades or centuries. The lifetime of debris in geosynchronous and semi-synchronous orbits is essentially infinite.

China’s ASAT test in 2007 created more than 3,000 pieces of debris that have been tracked from the ground—these make up more than 20% of the total tracked debris in LEO. The test also created hundreds of thousands of additional pieces of debris that are too small to be tracked (smaller than about 5 cm) but that can still damage or destroy objects they hit because of their high speed.

Yet the satellite destroyed in the 2007 test had a mass of less than a ton. If a ten-ton satellite—for example, a spy satellite—were destroyed, it could create more than half a million pieces of debris larger than 1 cm in size. This one event could more than double the total amount of large debris in LEO, which would greatly increase the risk of damage to satellites.

  • Destroying an SBI with a ground-based ASAT weapon

As discussed above, an adversary might attack a space-based interceptor with a ground-based kinetic ASAT weapon. Assuming the non-fuel mass of the SBI (with garage) is 300 kg, the destruction of the satellite could create more than 50,000 orbiting objects larger than 5 mm in size.

If the SBI was orbiting at an altitude of between 400 and 500 km, the lifetime of most of these objects will be short so this debris would not be considered to be persistent. However, the decay from orbit of this debris would result in an increase in the flux of debris passing through the orbit of the International Space Station (ISS), which circles the Earth at an altitude of about 400 km. Because the ISS orbits at a low altitude, it is in a region with little debris since the residual atmospheric density causes debris to decay quickly. As a result, the additional debris from the SBI passing through this region can represent a significant increase.

In particular, if the SBI were in a 500-km orbit, the destruction of a single SBI could increase the flux of debris larger than 5 mm at the altitude of the ISS by more than 10% for three to four months (at low solar activity) or two to three months at high solar activity. An actual attack might, of course, involve destroying more than one SBI, which would increase this flux.

Pipe Rupture at Surry Nuclear Plant Kills Four Workers
https://allthingsnuclear.org/dlochbaum/pipe-rupture-at-surry
Thu, 09 Aug 2018 10:00:12 +0000

Role of Regulation in Nuclear Plant Safety #7

Both reactors at the Surry nuclear plant near Williamsburg, Virginia operated at full power on December 9, 1986. Around 2:20 pm, a valve in a pipe between a steam generator on Unit 2 and its turbine inadvertently closed due to a re-assembly error following recent maintenance. The valve’s closure resulted in a low water level inside the steam generator, which triggered the automatic shutdown of the Unit 2 reactor. The rapid change from steady state operation at full power to zero power caused a transient as systems adjusted to the significantly changed conditions. About 40 seconds after the reactor trip, a bend in the pipe going to one of the feedwater pumps ruptured. The pressurized water jetting from the broken pipe flashed to steam. Several workers in the vicinity were seriously burned by the hot vapor. Over the next week, four workers died from the injuries.

Fig. 1 (Source: Washington Times, February 3, 1987)

While such a tragic accident cannot yield good news, the headline for a front-page article in the Washington Times newspaper about the accident (Fig. 1) widened the bad news to include the Nuclear Regulatory Commission (NRC), too.

The Event

The Surry Power Station has two pressurized water reactors (PWRs) designed by Westinghouse. Each PWR had a reactor vessel, three steam generators, and three reactor coolant pumps located inside a large, dry containment structure. Unit 1 went into commercial operation in December 1972 and Unit 2 followed in June 1973.

Steam flowed through pipes from the steam generators to the main turbine shown in the upper right corner of Figure 2. Steam exited the main turbine into the condenser where it was cooled down and converted back into water. The pumps of the condensate and feedwater systems recycled the water back to the steam generators.

Fig. 2 (Source: Nuclear Regulatory Commission NUREG-1150)

Figure 2 also illustrates the many emergency systems that are in standby mode during reactor operation. On the left-hand side of Figure 2 are the safety systems that provide makeup water to the reactor vessel and cooling water to the containment during an accident. In the lower right-hand corner is the auxiliary feedwater (AFW) system that steps in should the condensate and feedwater systems need help.

The condensate and feedwater systems are non-safety systems. They are needed for the reactor to make electricity. But the AFW system and other emergency systems function during accidents to cool the reactor core. Consequently, these are safety systems.

Both reactors at Surry operated at full power on Tuesday December 9, 1986. At approximately 2:20 pm that afternoon, the main steam trip valve (within the red rectangle in Figure 2) in the pipe between steam generator 2C inside containment and the main turbine closed unexpectedly.

Subsequent investigation determined that the valve had been improperly re-assembled following recent maintenance, enabling it to close without either a control signal or a need to do so.

The valve’s closure led to a low water level inside steam generator 2C. By design, this condition triggered the automatic insertion of control rods into the reactor core. The balance between the steam flows leaving the steam generators and feedwater flows into them was upset by the stoppage of flow through one steam line and the rapid drop from full power to zero power. The perturbations from that transient caused the pipe to feedwater pump 2A to rupture (location approximated by the red cross in Figure 1) about 40 seconds later.

Figure 3 shows a closeup of the condensate and feedwater systems showing where the pipe ruptured. The condensate and condensate booster pumps are off the upper right side of the figure. Water from the condensate system flowed through feedwater heaters where steam extracted from the main turbine pre-warmed it to about 370°F en route to the steam generators. This 24-inch diameter piping (called a header) supplied the 18-inch diameter pipes to feedwater pumps 2A and 2B. The supply pipe to feedwater pump 2A featured a T-connection to the header while a reducer connected the header to the 18-inch supply line to feedwater pump 2B. Water exiting the feedwater pumps passed through feedwater heaters for additional pre-warming before going to the steam generators inside containment.

Fig. 3 (Source: Nuclear Regulatory Commission NUREG/CR-5632)

Water spewing from the broken pipe had already passed through the condensate and condensate booster pumps and some of the feedwater heaters. Its 370°F temperature was well above 212°F, but the 450 pounds per square inch pressure inside the pipe kept it from boiling. As this hot pressurized water left the pipe, the lower pressure let it flash to steam. The steam vapor burned several workers in the area. Four workers died from their injuries over the next week.

As the steam vapor cooled, it condensed back into water. Water entered a computer card reader controlling access through a door about 50 feet away, shorting out the card reader system for the entire plant. Security personnel were posted at key doors to facilitate workers responding to the event until the card reader system was restored about 20 minutes later.

Water also seeped into a fire protection control panel and caused short circuits. Water sprayed from 68 fire suppression sprinkler heads. Some of this water flowed under the door into the cable tray room and leaked through seals around floor penetrations to drip onto panels in the control room below.

Water also seeped into the control panel to actuate the carbon dioxide fire suppression system in the cable tray rooms. An operator was trapped in the stairwell behind the control room. He was unable to exit the area due to doors locked closed by the failed card reader system. Experiencing trouble breathing as carbon dioxide filled the space, he escaped when an operator inside the control room heard his pounding on the door and opened it.

Figure 4 shows the section of piping that ruptured. The rupture occurred at a 90-degree bend in the 18-inch diameter pipe. Evaluations concluded that years of turbulent water flow through the piping gradually wore away the pipe’s metal wall, thinning it via a process called erosion/corrosion to the point where it was no longer able to withstand the pressure pulsations caused by the reactor trip. The plant owner voluntarily shut down the Unit 1 reactor on December 10 to inspect its piping for erosion/corrosion wear.

Fig. 4 (Source: Nuclear Regulatory Commission 1987 Annual Report)

Pre-Event Actions (and Inactions?)

The article accompanying the damning headline above described how the NRC staff produced a report in June 1984—more than two years before the fatal accident—warning about the pipe rupture hazard and criticizing the agency for taking no steps to manage the known risk. The article further explained that the NRC’s 1984 report was in response to a 1982 event at the Oconee nuclear plant in South Carolina where an eroded steam pipe had ruptured.

Indeed, the NRC’s Office for Analysis and Evaluation of Operational Data (AEOD) issued a report (AEOD/EA 16) titled “Erosion in Nuclear Power Plants” on June 11, 1984. The last sentence on page two stated “Data suggest that pipe ruptures may pose personnel (worker) safety issues.”

Indeed, a 24-inch diameter pipe that supplied steam to a feedwater heater on the Unit 2 reactor at Oconee had ruptured on June 28, 1982. Two workers in the vicinity suffered steam burns which required hospitalization overnight. Like at Surry, the pipe ruptured at a 90-degree bend (elbow) due to erosion of the metal wall over time. There was a maintenance program at Oconee that periodically examined the piping ultrasonically.

That monitoring program identified pipe wall thinning of two elbows on Unit 3 in 1980 that were replaced. Monitoring performed in March 1982 on Unit 2 identified substantial erosion in the piping elbow that ruptured three months later. But the thinning was accepted because it was less than the company’s criterion for replacement. It’s not been determined whether prolonged operation at reduced power between March and June 1982 caused more rapid wear than anticipated or whether the ultrasonic inspection in March 1982 may have missed the thinnest wall thickness.

Post-Event Actions

The NRC dispatched an Augmented Inspection Team (AIT) to the Surry site to investigate the causes, consequences, and corrective actions. The AIT included a metallurgist and a water-hammer expert. Seven days after the fatal accident, the NRC issued Information Notice 86-106, “Feedwater Line Break,” to plant owners. The NRC issued the AIT report on February 10, 1987. The NRC issued Supplement 1 on February 13, 1987, and Supplement 2 on March 18, 1987, to Information Notice 86-108.

The NRC did more than warn owners about the safety hazard. On July 9, 1987, the NRC issued Bulletin 87-01, “Thinning of Pipe Walls in Nuclear Power Plants,” to plant owners. The NRC required owners to respond within 60 days about the codes and standards which safety-related and non-safety-related piping in the condensate and feedwater systems were designed and fabricated to as well as the programs in place to monitor this piping for wall thinning due to erosion/corrosion.

And the NRC issued Information Notice 88-17 to plant owners on April 22, 1988, summarizing the responses the agency received to Bulletin 87-01.

UCS Perspective

Eleven days after a non-safety-related pipe ruptured on Oconee Unit 2, the NRC issued Information Notice 82-22, “Failures in Turbine Exhaust Lines,” to all plant owners about that event.

The June 1984 AEOD report was released publicly. The NRC’s efforts did call the nuclear industry’s attention to the matter as evidenced by a report titled “Erosion/Corrosion in Nuclear Plant Steam Piping: Causes and Inspection Program Guidelines” issued in April 1985 by the Electric Power Research Institute.

Days before the NRC issued the AEOD report, the agency issued Information Notice 84-41, “IGSCC [Intergranular Stress Corrosion Cracking] in BWR [Boiling Water Reactor] Plants,” to plant owners about cracks discovered in safety system piping at Pilgrim and Browns Ferry.

As the Washington Times accurately reported, the NRC knew in the early 1980s that piping in safety and non-safety systems was vulnerable to degradation. The NRC focused on degradation of safety system piping, but also warned owners about degradation of non-safety system piping. The fatal accident at Surry in December 1986 resulted in the NRC expanding efforts it had required owners to take for safety system piping to also cover piping in non-safety systems.

The NRC could have required owners to fight the piping degradation in safety systems and non-safety systems concurrently. But history is full of wars fought on two fronts being lost. Instead of undertaking this risk, the NRC triaged the hazard. It initially focused on safety system piping and then followed up on non-safety system piping.

Had the NRC totally ignored the vulnerability of non-safety system piping to erosion/corrosion until the accident at Surry, this event would reflect under-regulation.

Had the NRC compelled owners to address piping degradation in safety and non-safety systems concurrently, this event would reflect over-regulation.

By pursuing resolution of all known hazards in a timely manner, this event reflects just right regulation.

Postscript: The objective of this series of commentaries is to draw lessons from the past that can, and should, inform future decisions. Such a lesson from this event involves the distinction between safety and non-safety systems. The nuclear industry often views that distinction as also being a virtual wall between what the NRC can and cannot monitor.

As this event and others like it demonstrate, the NRC must not turn its back on non-safety system issues. How non-safety systems are maintained can provide meaningful insights on maintenance of safety systems. Unnecessary or avoidable failures of non-safety systems can challenge performance of safety systems. So, while it is important that the NRC not allocate too much attention to non-safety systems, driving that attention to zero will have adverse nuclear safety implications. As some wise organization has suggested, the NRC should not allocate too little attention or too much attention to non-safety systems, but the just right amount.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Obstruction of Injustice: Columbia Generating Station Whitewash
https://allthingsnuclear.org/dlochbaum/columbia-station-whitewash
Wed, 08 Aug 2018 10:00:14 +0000

There’s been abundant talk recently about obstruction of justice—who may or may not have impeded this or that investigation. Rather than chime in on a bad thing, obstruction of justice, this commentary advocates a good thing—obstruction of injustice. There’s an injustice involving the Columbia Generating Station in Washington that desperately needs obstructing.

Raising the White Flag

The NRC dispatched a Special Inspection Team to the Columbia Generating Station in Richland, Washington in late 2016 after a package containing radioactive materials was improperly shipped from the plant facility to an offsite facility. The NRC team identified nine violations of federal regulations for handling and transport of radioactive materials, the most serious warranting a White finding in the agency’s Green, White, Yellow, and Red classification scheme. This White finding moved the Columbia Generating Station into Column 2 of the Reactor Oversight Process’s Action Matrix in the first quarter of 2017.

Columbia Generating Station would remain in Column 2 until the first of two things happened: (1) the NRC determined that the problems resulting in the improper transport of radioactive materials were found and fixed justifying a return to Column 1, or (2) additional problems were identified that warranted relocation into Columns 3 or 4.

Check that: There’s a third thing that happened to improperly transport Columbia Generating Station back into Column 1—the injustice that needed obstructing.

Raising the Whitewash

After the plant owner notified the NRC that the causes of the radioactive material mishandling had been cured, the NRC sent a team to the site in late 2017 to determine if that was the case. On January 30, 2018, the NRC reported that its investigation confirmed that the problems had been resolved and returned the Columbia Generating Station to Column 1 and routine regulatory oversight after closing out the White finding.

In response, an NRC staffer submitted a Differing Professional Opinion (DPO) contending “that the decision to close the WHITE finding was not supported by the inspection report details.” The DPO originator provided two dozen very specific reasons for the contention.

The NRC formed a three-person panel to investigate the DPO. The DPO Panel issued its report on June 28, 2018, to the Regional Administrator in NRC Region IV (Fig. 1).

Fig. 1 (Source: Unknown)

The DPO Panel recommended that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to include an explanation for why it was closed even though the problems resulting in the WHITE finding had not been remedied.

In other words, the DPO Panel agreed with the contention raised by the DPO originator. En route, the DPO Panel substantiated 20 of the 24 specific reasons provided by the originator.

Detailing the Whitewash

On July 21, 2017, another DPO Panel released a report validating 18 concerns raised by the DPO originator with how the NRC allowed Palo Verde Unit 3 to continue operating with a broken backup power generator far longer than permitted by the law, established policies, and common sense. Despite agreeing with essentially every concern raised by the DPO originator in that case, the DPO Panel somehow concluded the NRC had properly let Palo Verde continue to operate.

This time, the DPO Panel also agreed with the DPO originator’s concerns and also agreed with the DPO originator’s conclusion that the NRC had acted improperly. To quote the DPO Panel:

“…the Panel concluded that NRC Inspection Report 05000397/2017-011, dated January 30, 2018 (ML18032A754), does not depict all the bases to support the conclusion that the objectives of the IP [inspection procedure] were met and thus does not support closure of the WHITE finding.”

A common thread among the DPO originator’s concerns was the Root Cause Evaluation (RCE) developed by the plant owner for the problems resulting in the WHITE finding. The RCE’s role is to identify the causes for the problems. Once the causes are identified, appropriate remedies can be applied. When the RCE identifies the wrong cause(s) and/or fails to identify all the right causes, the remedies cannot be sufficient. Through interviews with NRC staff involved in the inspection and its review of materials collected during the inspection, the DPO Panel reported “… a belief by the 95001 inspection team and other NRC staff with oversight of this inspection that the licensee’s written root cause evaluation (RCE), even in its seventh revision, was poorly written and lacked documentation of all the actions taken in response to this event.”

In case this verbiage was too subtle, the DPO Panel later wrote that “… the licensee’s “documented” RCE was grossly inadequate, which was confirmed through interviews by the Panel” [emphasis added].

And the DPO Panel stated “… the root cause evaluation could not have been focused on the right issue and the resulting corrective actions may not be all inclusive.”

Later the DPO Panel reported “… it is not clear how the inspectors concluded that what the licensee did was acceptable.”

A few paragraphs later, the DPO Panel stated “…the Panel could not understand the rationale for finding the licensee’s extent of condition review appropriate.”

A few more paragraphs later, the DPO panel reported “What appears confusing is that interviewees told the Panel that the licensee’s written RCE was grossly inadequate, yet the inspectors were able to accept it as adequate, without requiring the licensee to address the discrepancies through a revised RCE.”

Later on that page, “The Panel found that the report does not discuss the licensee’s corrective actions.” The inspection team found the root cause evaluation “grossly inadequate” and did not even mention the corrective actions the RCE was supposed to trigger.

The DPO Panel reported “… the inspectors concluded that the licensee met the inspection objectives of IP 95001. However, this appears to the Panel to be a leap of (documentation) faith that appears counter to the inspection requirements and guidance of IP 95001 as well as IMC [inspection manual chapter] 0611.”

Still not out of bricks, the DPO Panel concluded “It is difficult to imagine that the licensee’s definition of the problem statement, extent of condition and cause, and corrective actions are appropriate.”

The DPO Panel also stated “…the Panel can only conclude that the 95001 report justified closure of the WHITE finding based on significant verbal information that was not contained in the final RCE and not discussed in the 95001 report.”

That’s contrary to the NRC’s purported Principles of Good Regulation—Independence, Openness, Efficiency, Clarity, and Reliability, unless they are like a menu and Region IV is on a diet skipping some of the items.

As noted above, these findings led the DPO Panel to recommend that the NRC either re-open the WHITE finding or revise the January 30, 2018, report to explain why it was closed even though the problems resulting in the WHITE finding had not been remedied. So far, the NRC has done neither.

UCS Perspective

This situation is truly appalling. And that’s an understatement.

The NRC identified nine violations of federal regulatory requirements in how this plant owner was handling and transporting radioactive materials. Not satisfied by this demonstrated poor performance, the NRC properly issued a WHITE finding and moved the reactor into Column 2 of the ROP’s Action matrix where additional regulatory oversight was applied.

By procedure and standard practice, the WHITE finding is to remain open until a subsequent NRC inspection determines its cause(s) to have been identified and corrected.

Yet, the NRC inspectors found the root cause evaluation by the owner to be “grossly inadequate.”

And the NRC inspectors did not mention the corrective actions taken in response to the “grossly inadequate” root cause evaluation.

So, the NRC closed the WHITE finding—an injustice plain and simple as amply documented by the DPO Panel.

Where’s obstruction of injustice when it’s needed?

The DPO Panel found it “difficult to imagine” that the plant owner’s efforts were appropriate without “a leap of faith.” This is not like fantasy football, fantasy baseball, or fantasy NASCAR. Fantasy nuclear safety regulation is an injustice to be obstructed. If NRC Region IV wants to go to Fantasyland, I’ll consider buying them a ticket to Disneyland. (One-way, of course.)

The NRC’s Office of the Inspector General should investigate how the agency wandered so far away from its procedures, practices, and purported principles.

The NRC Chairman, Commissioners, and senior managers should figure out what is going terribly awry in NRC Region IV. If for no other reason than to obstruct Region IV’s injustices from corrupting the other NRC regions.

Americans deserve obstruction of injustice when it comes to nuclear safety, not fantasy nuclear safety regulation.

Opposition to Trump’s New Low-Yield Nuclear Warhead
https://allthingsnuclear.org/syoung/opposition-to-trumps-new-low-yield-nuclear-warhead
Thu, 02 Aug 2018 18:43:31 +0000

And the “consensus” on rebuilding the US nuclear stockpile


The Trump administration’s program to deploy a new, low-yield variant of the W76 warhead carried by U.S. submarine-launched ballistic missiles has faced relatively strong opposition in Congress, with almost all Democrats and several Republicans supporting legislation to eliminate or curb the program.

Indeed, the low-yield warhead is clearly outside the “bipartisan consensus” that supporters have often claimed exists for the Obama administration’s 30-year, $1.7 trillion program to maintain and replace the entire U.S. nuclear stockpile and its supporting infrastructure. Importantly, as I’ll get to later, such a consensus never really existed in the first place.

Congressional roadblocks  

Two Pantex production technicians work on a W76 while a co-worker reads the procedure step-by-step. (Photo NNSA)

But let’s start with the new warhead. The attempts to stop it have been noteworthy. A list of most of the votes and amendments on the low-yield option can be found here. Although the final FY19 National Defense Authorization Act (NDAA) that the Senate passed yesterday approves the low-yield warhead, the Appropriations committees—on a bipartisan basis—have generally funded the program but also consistently sought more information on it.

Most recently, on June 28, the Senate Appropriations Committee approved by voice vote an amendment from Sen. Jeff Merkley (D-OR) that would prohibit deployment of the proposed new warhead until Secretary of Defense James Mattis provides Congress with a report that details the implications of fielding it. The Department of Energy (DOE) would still be able to produce the low-yield variant, work that would take place as a part of the ongoing Life Extension Program for the W76 warhead that is scheduled to be completed in Fiscal Year 2019. The W76 warheads have a yield of 100 kilotons; the lower-yield variant will have a yield of 6-7 kilotons.

If nothing else changes, Defense Secretary Mattis should be able to produce the required report in time for deployment to proceed. Although the Navy’s precise timing for deployment is classified, officials have hinted that it should not take more than a year or two. In other words, if the program proceeds as planned, the new warhead could be deployed while President Trump is still in office. Fielding a new weapon in three years or less would be remarkably fast.

But note that phrase “if nothing else changes.” An election is going to happen. There is a chance that Democrats could take the House and (less likely) the Senate. If so, then deployment of the low-yield warhead – and perhaps more pieces of the enormous nuclear rebuilding plan – could come into question.

A rapid response to Trump’s warhead plan

The proposal for the low-yield warhead was included in the Trump administration’s Nuclear Posture Review (NPR), one of two “supplements” to the already ambitious program to revamp the entire nuclear arsenal developed by the Obama administration. (The second supplement is a nuclear-armed sea-launched cruise missile that is many years off.)  The NPR described the first supplement as a “near-term” effort to “modify a small number of existing SLBM warheads to provide a low-yield option.”

Democratic opposition to the proposal was swift. When a near-final version of the NPR was leaked to the press in January 2018, sixteen senators wrote a letter to President Trump expressing opposition to the low-yield warhead.

More recently, in May, broader opposition emerged when more than 30 former officials, including former defense secretary William Perry, former secretary of state George Shultz, and former vice chairman of the Joint Chiefs of Staff Gen. James Cartwright (USMC Ret.) wrote a bipartisan letter to Congress calling the new warhead “dangerous, unjustified, and redundant.”

Shortly after that letter was sent, 188 members of the House, including all but seven Democrats and five Republicans, voted in favor of an amendment to the annual NDAA that would have withheld half the funding for the low-yield warhead until Secretary Mattis submitted a report to Congress assessing the program’s impacts on strategic stability and options to reduce the risk of miscalculation. While the amendment failed, it is notable that, in addition to overwhelming Democratic support, five Republicans voted for it.

Then in June, an amendment to the House Energy & Water Development Appropriations Act showed even stronger opposition to the low-yield warhead. Rep. Barbara Lee (D-CA) proposed eliminating all the funding for DOE’s work on the program, in effect killing it outright. This much more aggressive approach received 177 votes, including all but 15 Democrats. Moreover, this vote came after Rep. Lee succeeded in getting the Appropriations Committee to include language requiring Mattis to submit a report on “the plan, rationale, costs, and implications” of the new warhead.

While the Senate has not had any votes on the low-yield warhead on the floor, several Democrats have attempted to cut or fence money for the program in both the Appropriations and Armed Services Committees, culminating in the successful effort by Senator Merkley to prohibit deployment until Secretary Mattis produces a report about the implications of doing so, as highlighted above.

Indeed, both the Senate and House appropriations committees expressed concern that the administration has not provided enough information to make an informed decision about the new weapon.

Will the “bipartisan consensus” unravel?

In the House, it’s clear that a “bipartisan consensus” does not exist for the Obama program to revamp the arsenal, at least not for the program in its entirety. While the recent vote against the Trump administration’s low-yield warhead reflected almost unified opposition to a new weapon by the Democrats, there was similar opposition to the planned Long-Range Stand-Off (LRSO) weapon – the new nuclear-armed air-launched cruise missile – even though it was put forward by the Obama administration.  In 2014, 179 House members voted to eliminate funding for the program, including all but 18 Democrats. More recent votes to cut the program back have also enjoyed strong Democratic support.

On the other side of Congress, it has been several years since the Senate has had a floor vote on any nuclear weapons program, so it is harder to judge the level of support for revamping the entire arsenal. Notably, Sen. Jack Reed, the ranking member on the Senate Armed Services Committee, has generally voiced support for the Obama administration’s plan to date. But this year, he led an attempt in the Armed Services Committee to fence funding for deployment of the low-yield warhead, an effort that failed along party lines but became the model for the successful Merkley amendment in the Appropriations committee, on which Sen. Reed also serves. In addition, Sen. Reed also supported a separate Merkley amendment in the Appropriations Committee to eliminate all funding for the low-yield warhead, an attempt that failed largely along party lines.

Clearly, the low-yield warhead is not a part of any “bipartisan consensus.” The question becomes whether the debate over it could be the tipping point that leads to more concerted opposition to some of the new weapons systems in the larger plan, including the LRSO.

That question takes on increased salience when one considers the possibility that Democrats could take the House in elections this fall. While the low-yield warhead likely will be produced in Fiscal Year 2019, its deployment could become a major battle in the new Congress. If that is the case, the supposed “bipartisan consensus” in support of the Obama administration’s plan to replace the entire U.S. nuclear arsenal with a suite of new warheads and delivery vehicles could potentially come unraveled.

Containment Design Flaw at DC Cook Nuclear Plant
https://allthingsnuclear.org/dlochbaum/containment-flaw-at-dc-cook
Thu, 02 Aug 2018 10:00:08 +0000

Role of Regulation in Nuclear Plant Safety #6


Both reactors at the DC Cook nuclear plant in Michigan shut down in September 1997 until a containment design flaw identified by a Nuclear Regulatory Commission (NRC) inspection team could be fixed. An entirely different safety problem reported to the NRC in August 1995 at an entirely different nuclear reactor began toppling dominoes until many safety problems at both nuclear plants, as well as safety problems at many other plants, were found and fixed.

First Stone Cast onto the Waters

On August 21, 1995, George Galatis, then an engineer working for Northeast Utilities (NU), and We The People, a non-profit organization founded by Stephen B. Comley Sr. in Rowley, Massachusetts, petitioned the NRC to take enforcement actions because irradiated fuel was being handled contrary to regulatory requirements during refueling outages on the Unit 1 reactor at the Millstone Power Station in Waterford, Connecticut.

Ripples Across Connecticut

The NRC’s investigations, aided by a concurrent inquiry by the NRC’s Office of the Inspector General, substantiated the allegations and also revealed the potential for similar problems to exist at Millstone Units 2 and 3 and at Haddam Neck, the other nuclear reactors operated by NU in Connecticut. The NRC issued Information Notice No. 96-17 to nuclear plant owners in March 1996 about the problems they found at Millstone and Haddam Neck. The owner permanently shut down the Millstone Unit 1 and Haddam Neck reactors rather than pay for the many safety fixes that were needed, but restarted Millstone Unit 2 and Unit 3 following the year-plus outages it took for their safety margins to be restored.

Ripples Across the Country

The NRC sent letters to plant owners in October 1996 requiring them to respond, under oath, about measures in-place and planned to ensure: (1) applicable boundaries are well-defined and available, and (2) reactors operate within the legal boundaries. In other words, prove to the NRC that other reactors were not like the NU reactors were.

The NRC backed up their letter writing safety campaign by forming three NRC-led teams of engineers contracted from architect-engineer (AE) firms (e.g., Bechtel, Stone & Webster, Burns & Roe) to visit plants and evaluate safety systems against applicable regulatory requirements. The NRC’s Frank Gillespie managed the AE team inspection effort. The NRC issued Information Notice No. 98-22 in June 1998 about the results from the 16 AE inspections conducted to that time. Numerous safety problems were identified and summarized by the NRC, including ones that caused both reactors at the DC Cook nuclear plant to be shut down in September 1997.

Ripplin’ in Michigan

The AE inspection team sent to the DC Cook nuclear plant in Michigan was led by NRC’s John Thompson and backed by five consultants from the Stone & Webster Engineering Corporation.

Sidebar: UCS typically does not identify NRC individuals by name as we have here for Gillespie and Thompson. But both received unfair criticisms from an NRC senior manager for performing their jobs well. Gillespie, for example, told me that the manager yelled at him, “We didn’t send teams out there to find safety problems!” NRC workers doing their jobs well deserve praise, not reprisals. Thanks Frank and John for jobs very well done. The senior manager will go unnamed and unthanked for a job not done so well.

DC Cook had two Westinghouse four-loop pressurized water reactors (PWRs) with ice condenser containments. Unit 1 went into commercial operation in August 1975 and Unit 2 followed in July 1978. The NRC team identified a design flaw that could have caused a reactor core meltdown under certain loss of coolant accident (LOCA) conditions.

A LOCA occurs when a pipe connected to the PWR vessel (reddish capsule in the lower center of Figure 1) breaks. The water inside a PWR vessel is at such high pressure that it does not boil even when heated to over 500°F. When a pipe breaks, high pressure water jets out of the broken ends into containment. The lower pressure inside containment causes the water to flash to steam.

Fig. 1 (Source: American Electric Power July 12, 1997, presentation to the NRC)

In ice condenser containments like those at DC Cook, the steam discharged into containment forces open doors at the bottom of the ice condenser vaults. As shown by the red arrow on the left side of Figure 1, the steam flows upward through baskets filled with ice. Most, if not all, of the steam is cooled down and turned back into water. The condensed steam and melted ice drops down to the lower sections of containment. Any uncondensed steam vapor along with any air pulled along by the steam flows out from the top of the ice condenser into the upper portion of containment.

Emergency pumps and large water storage tanks not shown in Figure 1 initially replace the cooling water lost via the broken pipe. The emergency pumps transfer water from the storage tanks to the reactor vessel, where some of it pours out of the broken pipe into containment.

The size of the broken pipe determines how fast cooling water escapes into containment. A pipe with a diameter less than about 2 inches causes what is called a small-break LOCA. A medium-break LOCA results from a pipe up to about 4 inches round while a large-break LOCA occurs when larger pipes rupture.

Before the storage tanks empty, the emergency pumps are re-aligned to take water from the active sump area within containment. The condensed steam and melted ice collects in the active sump. The emergency pumps pull water from the active sump and supply it to the reactor vessel where it cools the reactor core. Water spilling from the broken pipe ends finds its way back to the active sump for recycling.

The NRC’s AE inspection team identified a problem in the containment’s design for small-break LOCAs. The condensed steam and melted ice flows into the pipe annulus (the region shown in Figure 2 between the outer containment wall and the crane wall inside containment) and into the reactor cavity. The water level in the pipe annulus must rise to nearly 21 feet above the floor before water could flow through a hole drilled in the crane wall into the active sump. The water level in the reactor cavity must rise even farther above its floor before water could flow through a hole drilled in the pedestal wall into the active sump.

Fig. 2 (Source: American Electric Power July 12, 1997, presentation to the NRC)

For medium-break and large-break LOCAs, the large amount of steam discharged into containment flooded both these volumes and then the active sump long before the storage tanks emptied and the emergency pumps swapped over to draw water from the active sump. Thus, there was a seamless supply of makeup cooling water to the vessel to prevent overheating damage.

But for small-break LOCAs, the storage tanks might empty before enough water filled the active sump. In that case, the flow of makeup cooling water could be interrupted and the reactor core might overheat and melt down.

Calmed Waters in Michigan

The owner fixed the problem by drilling holes through lower sections of the crane and pedestal walls. These holes allowed water to fill the active sump in plenty of time for use by the emergency pumps for all LOCA scenarios. Once this and other safety problems were remedied (and a $500,000 fine paid), both reactors at DC Cook restarted.

UCS Perspective

The event in this case is the August 1995 notification to the NRC that the Millstone Unit 1 reactor was being operated outside its safety boundaries and the regulatory ripples caused by that notification that led to the identification and correction of containment flaws at DC Cook. For that event sequence, the NRC response reflected just right regulation.

The NRC asked and answered whether the August 1995 allegations were valid—finding that they were.

Once the initial allegation was substantiated, the NRC asked and answered whether that kind of problem also affected other reactors operated by the same owner—finding that it did.

Once the extent-of-condition determined that multiple reactors operated by the same owner were affected, the NRC asked and answered whether similar kinds of problems could also affect other reactors operated by other owners—finding that they did.

In seeking the answer to that broader extent-of-condition question, the NRC AE inspection team identified a subtle design flaw that had escaped detection for two decades. And slightly over two years elapsed between the NRC’s initial notification and both reactors at DC Cook being shut down to fix the design flaw. While neither a blink of an eye nor a frenetic pace, that’s a pretty reasonable timeline given the number of steps needed and taken between these endpoints.

Had the NRC put the blinders on after receiving the allegations about Millstone Unit 1 and not considered whether similar problems compromised safety at other reactors, this event would have fallen into the under-regulation bin.

Had the NRC jumped to the conclusion after receiving the allegations about Millstone Unit 1 that all other reactors were likely afflicted with comparable, or worse, safety problems and ordered all shut down until proven affliction-free, this event would have fallen into the over-regulation bin.

By putting the Millstone Unit 1 allegations in proper context in a timely manner, the NRC demonstrated just-right regulation.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Flooding at a Florida Nuclear Plant
https://allthingsnuclear.org/dlochbaum/flooding-at-a-florida-nuclear-plant
Thu, 26 Jul 2018 10:00:42 +0000

Role of Regulation in Nuclear Plant Safety #5


St. Lucie Unit 1 began operating in 1976. From the beginning, it was required by federal regulations to be protected against flooding from external hazards. After flooding in 2011 led to the meltdown of three reactors at Fukushima Dai-ichi in Japan, the NRC ordered owners to walk down their plants in 2012 to verify conformance with flood protection requirements and remedy all shortcomings. The owner of St. Lucie Unit 1 told the NRC that only one minor deficiency had been identified and it was fixed.

But heavy rainfall in January 2014 flooded the Unit 1 reactor auxiliary building with 50,000 gallons through flood barriers that had been missing since at least 1982. Unit 1 became as wet as the owner’s damp assurances and the NRC’s soggy oversight efforts.

Fig. 1 (Source: NRC Flickr)

Parade of Flood Protection Promises

Operators achieved the first criticality, or sustained nuclear chain reaction, of the Unit 1 reactor core at the St. Lucie nuclear plant located about miles southeast of Ft. Pierce, Florida at 8:30 am on April 22, 1976. Federal regulations adopted more than five years earlier required the plant to be protected against natural phenomena. The Atomic Energy Commission (AEC), forerunner to today’s Nuclear Regulatory Commission (NRC), issued guidance in August 1973 that explicitly informed nuclear plant owners and applicants that the natural phenomena to be protected against included heavy local precipitation.

En route to the AEC issuing an operating license for Unit 1 on March 1, 1976, the owner submitted a Preliminary Safety Analysis Report and later a Final Safety Analysis Report, now called the Updated Final Safety Analysis Report (UFSAR), describing the design features and operational procedures that demonstrated conformance with all applicable regulatory requirements such as flood protection. The design bases external flood was a Probable Maximum Hurricane (PMH) while the design bases internal flood was the postulated rupture of a 14-inch diameter low pressure safety injection system pipe. The analyses summarized in the UFSAR reported the flooding rates, flooding depths needed to submerge and disable safety components, alarms alerting workers to the flooding situation, and response actions and associated times for workers to intervene and successfully mitigate a flooding event.

In December 1993, the owner submitted an Individual Plant Examination (IPE) of St. Lucie to the NRC in response to the agency’s mandate in Generic Letter 88-20 for an assessment of vulnerabilities to severe accidents. The owner revisited several potential internal flooding scenarios (e.g., postulated rupture of various tanks filled with water or liquid and break of a component cooling water system pipe that drains all 78,000 gallons of water into the reactor auxiliary building). The conclusions were that the scenarios would either not result in flooding damage to safety components or that flood-damaged safety component(s) were so unlikely to lead to reactor core damage as to be accepted with no additional protective measures taken.

On March 11, 2011, an earthquake off the coast of Japan triggered a tsunami wave that overwhelmed the protective sea wall at the Fukushima Dai-ichi nuclear plant. The earthquake disabled the offsite electrical power grid for the plant; the tsunami flood waters disabled the backup power supplies. Although the Pacific Ocean was literally a stone’s throw away, the complete loss of electrical power left workers unable to supply cooling water to the reactor cores of the three units that had been operating at the time; all three cores overheated and melted.

Among the reactions by the NRC was a temporary instruction for its inspectors to use to verify whether U.S. reactors were properly protected against earthquake and flooding hazards. The NRC’s inspections supplemented similar efforts voluntarily undertaken by nuclear plant owners. On May 13, 2011, the NRC reported on the inspection conducted at St. Lucie per the post-Fukushima temporary instruction. NRC inspectors reviewed the UFSAR for flooding hazards and associated protective features and response procedures. NRC inspectors reviewed the flood protection walkdowns performed by plant workers and conducted their own walkdowns. The NRC reported “No significant deficiencies were identified.” The report did indicate that workers found one potentially degraded flood barrier, but had initiated paperwork to investigate it further and remedy it as applicable.

On March 12, 2012, the NRC ordered the owners of all operating U.S. nuclear plants to undertake more comprehensive flooding and earthquake walkdowns and re-assessments. The owner of St. Lucie submitted its flooding walkdown report to the NRC on November 27, 2012. The owner stated that “The flooding walkdowns verified that permanent structures, systems, components (SSCs), portable flood mitigation equipment, and the procedures needed to install and or operate them during a flood are acceptable and capable of performing their design function as credited in the current licensing basis” with but one exception—some missing and degraded conduit seals were found in electrical manholes connected to the reactor auxiliary buildings on Unit 1 and Unit 2. The conduits are metal tubes containing electrical cables. The seals fill the gaps where the conduits pass through the reactor auxiliary building’s concrete wall. The owner reported that the configuration had been restored to full compliance with regulatory requirements.

The owner reported to the NRC on December 27, 2012, the results of its evaluation of the missing and degraded conduit seals. The NRC was told that the electrical manholes have 4-inch and 1.5-inch diameter drain lines to the storm water system. In the event of site flooding due to a storm, water could flow through these drain lines into the electrical manholes. When the water filled the manholes to a certain depth, water would flow through the missing and degraded conduit seals into the reactor auxiliary building and disable components needed for safe shutdown of the reactor. The owner reported that the conduit seals had been missing since original construction in the 1970s. This potential hazard no longer existed because the missing and degraded conduit seals had been corrected.

The NRC evaluated the missing and degraded conduit seals reported by the owner via its November 27 and December 27 submittals. On April 25, 2013, the NRC issued its report for its evaluation. The NRC noted:

The licensee’s design basis does not allow for any external leakage into safety-related buildings during a PMH. Unit 1 UFSAR section 3.4.4, states in part, that “All external building penetrations are waterproofed and/or flood protected to preclude the failure of safety related system or component due to external flooding.”

Even though the flood protection deficiency existed for over three decades before being found and fixed, the NRC elected to impose no sanction for violating federal safety regulations.

The NRC reported on July 30, 2013, about additional walkdowns its inspectors made of the Unit 1 and 2 reactor auxiliary buildings. The NRC inspectors also reviewed documents in the owner’s corrective action and work order databases for weather-related problems that could result in site flooding. No problems were found.

Raining on the Promise Parade

On January 9, 2014, it rained on St. Lucie. A culvert in the storm water drain system obstructed by debris caused rain water to pool around the reactor auxiliary building instead of being carried away. Rain water leaked into the reactor auxiliary building via two electrical conduits that lacked the proper flood barriers. A video obtained by UCS via the Freedom of Information Act (FOIA) shows water pouring from an electrical junction box mounted on the inside wall of the Unit 1 reactor auxiliary building. (We don’t have a video of this location before the flood, but we know that it wasn’t nearly as wet and noisy.)

Fig. 2 (Source: Video obtained by UCS through the FOIA)

An estimated 50,000 gallons of water flooded Unit 1. Workers periodically manipulated valves to allow flood water to drain into the emergency core cooling system (ECCS) pump room sumps where it was transferred to an outdoor collection tank. Their efforts successfully prevented any safety components from being disabled and Unit 1 continued operating through the rainfall.

When the dust dried, workers found four other electrical conduits that lacked proper flood barriers. The six conduits passed through the reactor auxiliary building wall below the design bases flood elevation. Consequently, they should have been equipped with flood barriers, but the required barriers had not been provided. These six conduits were not part of the plant’s original design, but had been installed via modifications implemented in 1978 and 1982.

The NRC issued a White finding, the second least serious among its Green, White, Yellow and Red classification scheme, on November 19, 2014, for two violations of regulatory requirements:

[F]rom November 26, 2012, until January 9, 2014, the licensee failed to promptly identify and correct conditions adverse to quality involving missing external flood barriers in the Unit 1 reactor auxiliary building (RAB). Specifically, the licensee performed flooding walkdowns in response to the NRC’s “Request for Information Pursuant to Title 10 of the Code of Federal Regulations 50.54(f)” … and failed to identify missing internal flood barriers on six conduits that penetrated the Unit 1 RAB wall below the design basis external flood elevation. This condition was identified when the site experienced a period of unusually heavy rainfall on January 9, 2014, and approximately 50,000 gallons of water entered the … RAB through two of the six degraded conduits in the ECCS pipe tunnel.

and

[F]rom 1978 and 1982 until 2014, the licensee failed to translate the design basis associated with external flood protection into specifications, drawings, procedures and instructions. Specifically, permanent change modifications (PCM) 77272, “Primary Water Degassifier and Transfer Pump” and PCM 80105, “Waste Monitor Tank Addition,” implemented in 1978 and 1982 respectively, added six power supply conduits in the emergency core cooling system (ECCS) pipe tunnel that penetrated the Unit 1 RAB wall below the design basis external flood elevation and did not include internal flood barriers to protect safety-related equipment from the effects of a design basis external flood event.

In other words, the owner violated federal regulations in 1978 and 1982 by not providing flood barriers with the installed conduit and re-violated federal regulations in 2012 by not finding the flood barriers missing when commanded by NRC to do so after Fukushima.

UCS Perspective

In the letter transmitting the White finding to the plant’s owner, NRC noted that the severity of the two violations of federal regulations would normally have also resulted in a $70,000 fine, but explained:

Because your facility has not been the subject of escalated enforcement actions within the last two years, the NRC considered whether credit was warranted for Corrective Action in accordance with the civil penalty assessment process in Section 2.3.4 of the Enforcement Policy. … Therefore, to encourage prompt identification and comprehensive correction of violations, and in recognition of the absence of previous escalated enforcement action, I have been authorized, after consultation with the Director, Office of Enforcement, not to propose a civil penalty in this case.

What?

“Because your facility has not been the subject of escalated enforcement actions within the last two years” is largely because the owner violated federal regulations by not finding, fixing, and reporting the missing flood barriers on the six electrical conduits that factored in the January 9, 2014, flooding event. So, the reason the owner has a clean slate over the past two years is because the owner violated federal regulations two years ago that would otherwise have uncleaned that slate. Who says crime doesn’t pay?

“…to encourage prompt identification and comprehensive correction of violations” ignores a key fact—the NRC does not need to “encourage” owners to do these things. A federal regulation, specifically Appendix B to 10 CFR Part 50, requires owners to find and fix problems in a timely and effective manner. Thus, the NRC does not need to encourage owners; it merely needs to enforce regulatory requirements.

Is the White finding without the usual (and entirely appropriate) $70,000 fine a slap on the wrist of this owner?

I don’t know. But I do know that it is a slap in the face of the many plant owners who took the NRC’s order seriously by doing a thorough job of walking down their plants for flooding and earthquake vulnerabilities and remedying all deficiencies (not just a token one or two).

By “encouraging” owners who perform badly, the NRC is discouraging owners who perform well. It takes time and effort (i.e., MONEY) to do it right and saves time and effort (i.e., MONEY) to do it wrong. The NRC must discourage wrong-doing and encourage right-doing. All the NRC need do is merely enforce its regulations instead of meekly encouraging violators of safety regulations. If the NRC cannot or will not enforce safety regulations, then like Elvis it should leave the building.

For over 30 years, St. Lucie operated without flood barriers it was required by federal regulations to have. After flooding melted three reactors at Fukushima, the NRC ordered St. Lucie’s owner in 2012 to take extra steps to ensure required flood protection measures were adequate. The owner informed the NRC in November 2012 that only one deficiency had been found and it had been remedied. Rainfall in January 2014 revealed several other deficiencies. The owner, once again, claimed that all deficiencies have now been remedied.

Maybe the owner is finally right about flood protection at St. Lucie. Maybe not. What is entirely certain is that St. Lucie is adequately protected against flooding—unless a flood happens. That flood might reveal still more deficiencies for the NRC to “encourage” the owner to promptly find and comprehensively fix (assuming the reactor still hasn’t melted down).

The only reason this event goes into the “under-regulation” bin is that there are no lower bins for it.

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.

Yankee Rowe and Reactor Vessel Safety
https://allthingsnuclear.org/dlochbaum/yankee-rowe-and-reactor-vessel-safety
Thu, 19 Jul 2018 10:00:47 +0000

Role of Regulation in Nuclear Plant Safety #4

The Yankee Rowe nuclear plant in Massachusetts was a forerunner in the industry pursuing extensions to the original 40-year operating license. But its run for a longer lifetime was derailed when Nuclear Regulatory Commission (NRC) engineers discovered that the plant might not meet current safety requirements. Unable to convince the NRC that the requirements were satisfied after a year of trying, the owner opted to permanently retire the plant after only 31 years of operation.

Yankee Rowe’s History

The Yankee Atomic Electric Company (YAEC) was formed on November 30, 1953, as a joint venture of ten utility companies in New England. On June 6, 1956, YAEC signed the first contract in the Atomic Energy Commission’s (AEC’s) Power Reactor Demonstration Program. This program sought to build and operate a variety of nuclear power reactors, with partial government financing, to advance the country’s nuclear power technology development. Construction began on February 28, 1958, and was completed on May 31, 1960. Electricity generated by the plant was first connected to the offsite power grid on November 10, 1960. YAEC placed the plant in commercial operation on July 1, 1961.

Yankee Rowe featured a four-loop pressurized water reactor (PWR) designed by Westinghouse. The core had a power limit of 485 megawatts thermal but was upgraded to 600 megawatts in 1963. For comparison, the Westinghouse AP-1000 pressurized water reactor under construction in Georgia has a power limit of 3,400 megawatts, nearly six times higher.

Yankee Rowe was shut down on October 1, 1991, due to the NRC’s concerns about the integrity of the reactor vessel. The company notified the NRC by letter dated February 27, 1992, that it had decided to permanently shut down the plant rather than continue the effort and expense of trying to resolve the NRC’s concerns.

Over its 31-year lifetime, Yankee Rowe operated at an average capacity of nearly 74 percent—nothing to write home about considering today’s 90-plus percent capacity factors but a good achievement for its era.

Reactor Vessel’s Role

The reactor vessel for Yankee Rowe was manufactured by Babcock & Wilcox at their factory in Barberton, Ohio. Figure 1 shows the reactor vessel after arriving at the plant before it was lifted into a vertical position and raised into the containment sphere. The containment sphere also houses the four reactor coolant system loops, with each loop consisting of a steam generator and reactor coolant pump.

Fig. 1 (Source: Periscope Film)

The defense-in-depth nuclear safety philosophy employs multiple layers. If one emergency diesel generator is needed to power safety equipment during an accident, then two or more are installed to increase the likelihood that one gets that job done. That approach is replicated across the array of core cooling systems, emergency ventilation systems, and so on.

The reactor vessel is one of the very few defense-in-depth exceptions. Failure of the reactor vessel could drain cooling water faster than the emergency pumps can supply makeup. The entire reactor core is loaded into a metal vessel whose failure has no backup and no assured mitigation. Why? The principle follows Andrew Carnegie’s advice: “Put all your eggs in one basket and then watch that basket.” The reactor vessel gets watched a lot. (Yes, Virginia, sometimes a watched pot does boil.)

Reactor Operating Licenses and License Renewal

The NRC published a notice in the Federal Register on November 6, 1986, soliciting comments about regulatory changes to enable nuclear plants to operate beyond their initial 40-year operating license periods. The NRC sought comments on the duration of extended operation as well as the criteria to be used in deciding whether extension requests should be granted.

In April 1989, the General Accounting Office (GAO) issued a report on license renewal. Congress tasked GAO to examine nuclear plant aging after a worn-out pipe ruptured at the Surry nuclear plant in Virginia and killed four workers. GAO reported that the NRC licensed reactors for operation up to 40 years, but neither the Atomic Energy Act nor NRC’s regulations provided for an extension or renewal of the operating licenses. The Department of Energy (DOE) and the Electric Power Research Institute (EPRI) found interest among nuclear plant owners for possibly extending plant lifetimes, depending on what NRC required to obtain that authorization.

The Monticello nuclear plant in Minnesota and Yankee Rowe became the lead boiling water reactor (BWR) and PWR for the DOE, EPRI, and NRC to examine and define a license renewal process. The reactor operating license for Yankee Rowe was initially slated to expire on November 4, 1997. The NRC approved on June 8, 1988, an extension to July 9, 2000. (Because the NRC had not yet issued a regulation for renewing or extending reactor operating licenses, “extensions” of the operating license for Yankee Rowe and several other reactors really did not lengthen the 40-year term of the initial license. Instead, they redefined when the 40-year clock started. Sometimes, that clock started when the reactor vessel was set in place, even though it was several more years before construction was completed and the atom splitting started.)

The NRC pursued a rulemaking process that culminated in the issuance of the Nuclear Power Plant License Renewal final rule on December 13, 1991. While the NRC now had a license renewal rule, it no longer had the lead PWR pursuing license renewal. The owner had voluntarily shut down Yankee Rowe on October 1, 1991, after receiving word that the NRC staff would be recommending to its Commission that the reactor be shut down. The reactor never restarted.

The NRC lost both its lead license renewal plants. After seeing license reprise result in license demise for Yankee Rowe, the owner of Monticello informed the NRC that it put license renewal efforts on hold.

Fig. 2 (Source: Nuclear Regulatory Commission Flickr Gallery)

Reactor Vessel Embrittlement

Yankee Rowe’s reactor vessel was made of metal. Metal expands when it is heated and contracts when it is cooled. During routine operation, the rate at which the reactor power is increased and decreased is controlled to limit the metal’s temperature change to less than or equal to 100°F per hour. This limit minimizes internal stresses as metal parts expand and contract to avoid cracking.

The temperature change limit does not apply during accidents. If a pipe connected to the reactor vessel breaks and drains cooling water, the emergency pumps do not slowly add makeup water to keep the metal from cooling down too quickly. The pumps supply lots of makeup water to prevent the fuel rods from heating up too much.

The reactor vessels are designed to go from steady state operation at over 500°F to sudden exposure to makeup water as cool as 40°F. Termed “pressurized thermal shock,” it’s not an exposure the reactor vessel is expected to encounter often. But it is a sudden, rapid temperature change the reactor vessel is required to be capable of enduring at least once.

The reactor vessel’s capability to withstand pressurized thermal shock lessens with time. The bombardment of the metal by neutrons during reactor operation—termed reactor vessel embrittlement—hastens the degradation.

Yankee Rowe’s Achilles Heel

It didn’t take long to identify the reactor vessel as the limiting component at Yankee Rowe. The company evaluated a 20-year period past the original 40-year operating license for the reactor, considering the accumulated embrittlement and other degradation factors such as the anticipated number of times the vessel cycles between “cold” conditions during outages and “hot” conditions during full power operation. The company’s evaluations concluded that sufficient margin would remain until at least the year 2020.

The NRC staff did not agree with the company’s assessment. Pryor Randall, an engineer in NRC’s mechanical engineering branch, penned a memo dated September 11, 1990, to Tom Murley, then the Director of the NRC’s Office of Nuclear Reactor Regulation, stating:

Perhaps it is time to quit being polite in our rejection of the licensee’s estimates…. They have been told on more than one occasion that their basis was unacceptable. Our expert consultant, Professor Odette, addressed their arguments in point-by-point fashion and found them to be without merit. I will state here for the record that the licensee’s arguments that coarse grain size negates the effects of irradiation-temperature and nickel content are sophistry, a subtle, tricky, superficially plausible, but generally fallacious method of reasoning.

Without even looking up the highfalutin words, the NRC staff clearly wasn’t buying the company’s claim that Yankee Rowe’s reactor vessel was good to run until 2020.

Predicting the future involves uncertainties. Making matters worse was the fact that Yankee Rowe’s past also contained many uncertainties. Little metal pieces called specimens had been installed inside the reactor vessel. The plan was to periodically remove the specimens for testing. The results would reveal how many neutrons impacted the metal and how much embrittlement this caused. The specimens would allow the computer models to be calibrated to more closely match actual conditions of the reactor vessel. But workers removed all the specimens in 1965 after flow-induced vibration broke two specimens loose. Lacking information from analysis of specimens, the owner instead fetched data from specimens taken out of the BR3 nuclear reactor in Belgium. (Picture being in a hospital where the medical staff loses your charts and relies on charts from a patient down the hall that’s nearly the same age and almost the same gender.)

Additionally, the manufacturing process for the Yankee Rowe reactor vessel was somewhat unique in that it involved keeping the metal plates at higher temperatures than normally experienced as they were formed into shape. As a result, the grain sizes of the metal were larger than normal. The formulae and methods used by the NRC and industry to predict the effects of embrittlement were based on metals with normal grain sizes. The lack of specimens left researchers without solid means to tailor the methods to fit Yankee Rowe’s unique metallurgy.

The paucity of actual data forced researchers to fill information gaps with assumptions. Certain assumptions led to results showing the vessel would last forever. Other assumptions produced results showing that the vessel lacked the required safety margin right then.

UCS Joins the Fray

The debate raged on. UCS partnered with the New England Coalition on Nuclear Pollution (NECNP) to petition the NRC on June 4, 1991, seeking immediate shutdown of Yankee Rowe until it was known, rather than merely being debatable, that the reactor was safe.

On July 31, 1991, the NRC denied the petition on grounds “… that continued operation … will not pose an undue risk to the public health and safety.” However, the NRC conditioned its denial: “In no event will plant operation beyond April 15, 1992, be permitted until these uncertainties have been resolved.” Somehow, the reactor that posed no undue risk became an undue risk 259 days later.

The NRC’s decision churned the waters it sought to calm. Until this decision, the matter had been a “he said/she said” debate involving factors like metal grain sizes, nickel content, Charpy V-notch tests, and other mind-numbing parameters. But no reasonable person accepts that a reactor plenty safe today magically becomes unsafe in the near future. They get that the reactor isn’t safe today, either. The fallacy of the NRC’s decision prompted Congress members, state officials, and newspapers to rail against it.

Fig. 3 (Source: Brattleboro Reformer)

The NRC’s denial of the UCS/NECNP petition also ordered Yankee Rowe’s owner to submit its plan by August 26, 1991, for resolving uncertainties in the reactor vessel integrity debate. The NRC told the owner that it wanted “a reduction in the probability of vessel failure of a factor of 5 to 10 and will accept a mix of hardware modifications, human resource allocations, and operating procedure modifications.” The owner submitted its report to the NRC on August 26, 1991. The owner informed the NRC that its plan reduced the chances of reactor vessel failure by a factor of 20.

It did not take the NRC staff very long to grade the plan. On September 30, 1991, the NRC staff informed the Chairman and Commissioners of its assessment. The NRC staff conducted its own analyses and reported that its results matched those from the owner in some cases. But the staff also reported, “…for cases when the main coolant pumps do not run [and therefore do not mix the cool incoming water with the hot water inside the vessel], the thermal-hydraulic response was found by both the staff and the licensee to increase the likelihood of vessel failure by a factor of two.”

The staff noted that the owner had assumed “a very high [main coolant] pump reliability factor (greater than 99%). With this reliability factor, the Commission’s goal would be achieved. … Without demonstration of high pump reliability under SBLOCA [small-break loss of coolant accident] conditions, the Commission’s desired factor of 5 to 10 cannot be confirmed.” Thus, the staff recommended “that the Yankee Rowe Nuclear Power Station be shut down until the NRC is satisfied that the YNPS pressure vessel has adequate margins against failure during operation.”

Informed about this staff position which would be discussed during a Commission meeting scheduled for October 2, 1991, the owner voluntarily shut down the reactor on October 1. The fight was over. UCS lost the petition battle but won the reactor safety campaign.

Fig. 4 (Source: New York Times)

UCS Perspective

It would be tempting to place this event into the “under-regulation” bin on grounds that NRC would not have attained this outcome absent pressure from UCS, Congress, the media, state officials, and others. The New York Times cited UCS’s efforts as “making a difference” in this matter.

But the NRC was also getting pressured by the plant’s owner, the industry, and other members of Congress to accept that the reactor had sufficient margin to continue operating. The NRC acted as far more than a nuclear jury, merely listening to both sides argue their cases and then rendering a verdict.

Recall that an NRC engineer, Pryor Randall, went on record forcefully opposing the company’s contentions that the reactor vessel still had ample margin to safety requirements. His efforts factored significantly in the arguments put forth (or recycled) in the petition. It is commendable that NRC’s engineers demonstrate courage in their convictions.

Note that the Commission did not just deny the UCS/NECNP petition. The Commission also required the owner to provide its plan for reducing the risk of reactor vessel failure by a factor of 5 to 10. While ruling that the petitioners had not demonstrated that the reactor was unsafe, they implicitly conceded that the owner had not demonstrated that the reactor was adequately safe. The Commission ordered the owner to submit its demonstration plan.

Recall that the NRC staff did not meekly accept the owner’s contention that its plan reduced the chance of vessel failure by a factor of 20. The NRC staff challenged the assumptions made by the owner en route to that contention and found the analysis to have fallen short of the Commission’s stated objective.

The NRC’s role in this matter was not that of a nuclear jury. Its role was that of a nuclear regulator. It was actively engaged in the process and considered input from various stakeholders. It did not accept the charges levied by UCS/NECNP at face value, nor did it blindly accept the assurances provided by the owner. Consequently, this event deserves to be in the “just right regulation” bin. Newspapers like the Monitor in Concord, New Hampshire seemed to have recognized this outcome, too.

Fig. 5 (Source: Concord Monitor)

* * *

UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.
