As described in a recent All Things Nuclear commentary, one of the two emergency diesel generators (EDGs) for the Unit 3 reactor at the Palo Verde Nuclear Generation Station in Arizona was severely damaged during a test run on December 15, 2016. The operating license issued by the Nuclear Regulatory Commission (NRC) allowed the reactor to continue running for up to 10 days with one EDG out of service. Because the extensive damage required far longer than the 10 days provided in the operating license to repair, the owner asked the NRC for permission to continue operating Unit 3 for up to 62 days with only one EDG available. The NRC approved that request on January 4, 2017.
The NRC’s approval contradicted four other agency decisions on virtually the same issue.
Two of the four decisions also involved the Palo Verde reactors, so it’s not a case of the underlying requirements varying. And one of the four decisions was made afterwards, so it’s not a case of the underlying requirements changing over time. UCS requested that Hubert Bell, the NRC’s Inspector General, have his office investigate these five NRC decisions to determine whether they are consistent with regulations, policies, and practices and, if not, identify gaps that the NRC staff needs to close in order to make better decisions more often in the future.
Emergency Diesel Generator Safety Role
NRC’s safety regulations, specifically General Design Criteria 34 and 35 in Appendix A to 10 CFR Part 50, require that nuclear power reactors be designed to protect the public from postulated accidents such as the rupture of the largest diameter pipe connected to the reactor vessel that causes cooling water to rapidly drain away and impedes the flow of makeup cooling water. For reliability, an array of redundant emergency pumps—most powered by electricity but a few steam-driven—are installed. Reliability also requires redundant sources of electricity for these emergency pumps. At least two transmission lines must connect the reactor to its offsite electrical power grid and at least two onsite sources of backup electrical power must be provided. Emergency diesel generators are the onsite backup power sources at every U.S. nuclear power plant except one (Oconee in South Carolina, which relies on backup power from generators at a nearby hydroelectric dam).
Because, as the March 2011 earthquake in Japan demonstrated at Fukushima, all of the multiple connections to the offsite power grid could be disabled for the same reason, the NRC’s safety regulations require that postulated accidents be mitigated relying solely on emergency equipment powered from the onsite backup power sources. If electricity from the offsite power grid is available, workers are encouraged to use it. But the reactor must be designed to cope with accidents assuming that offsite power is not available.
The NRC’s safety regulations further require that reactors cope with postulated accidents assuming offsite power is not available and that one additional safety system malfunction or single operator mistake impairs the response. This single failure provision is the reason that Palo Verde and other U.S. nuclear power reactors have two or more EDGs per reactor.
Should a pipe connected to the reactor vessel break when offsite power is unavailable and a single failure disables one EDG, the remaining EDG(s) are designed to automatically start up and connect to in-plant electrical circuits within seconds. The array of motor-driven emergency pumps is then designed to automatically start and begin supplying makeup cooling water to the reactor vessel within a few more seconds. Computer studies are run to confirm that sufficient makeup flow is provided in time to prevent the reactor core from getting overheated and damaged.
Palo Verde: 62-Day EDG Outage Time Basis
In the safety evaluation issued with the January 4, 2017, amendment, the NRC staff wrote “Offsite power sources, and one train of onsite power source would continue to be available for the scenario of a loss-of-coolant-accident.” That statement contradicted NRC’s statements previously made about Palo Verde and DC Cook and subsequently made about the regulations themselves. Furthermore, this statement pretended that the regulations in General Design Criteria 34 and 35 simply do not exist.
Palo Verde: 2006 Precedent
On December 5, 2006, the NRC issued an amendment to the operating licenses for Palo Verde Units 1, 2, and 3 extending the EDG allowed outage time to 10 days from its original 72 hour limit. In the safety evaluation issued for this 2006 amendment, the NRC staff explicitly linked the reactor’s response to a loss of coolant accident with concurrent loss of offsite power:
During plant operation with both EDGs operable, if a LOOP [loss of offsite power] occurs, the ESF [engineered safeguards or emergency system] electrical loads are automatically and sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a design-basis accident (DBA) such as a loss-of-coolant accident (LOCA).
Palo Verde: 2007 Precedent
On February 21, 2007, the NRC issued a White inspection finding for one of the EDGs on Palo Verde Unit 3 being non-functional for 18 days while the reactor operated (exceeding the 10-day allowed outage time provided by the December 2006 amendment). The NRC determined the EDG impairment actually existed for a total of 58 days. The affected EDG was successfully tested 40 days into that period. Workers discovered a faulty part in the EDG 18 days later. The NRC assumed the EDG was non-functional between its last successful test run and replacement of the faulty part. Originally, the NRC staff estimated that the affected EDG had a 75 percent chance of successfully starting during the initial 40 days and a 0 percent chance of successfully starting during the final 18 days. Based on those assumptions, the NRC determined the risk to approach the White/Yellow inspection finding threshold. The owner contested the NRC’s preliminary assessment. The NRC’s final assessment and associated White inspection finding only considered the EDG’s unavailability during the final 18 days.
Somehow, the same NRC that estimated a risk rising to the White level for an EDG being unavailable for 18 days and a risk rising to the White/Yellow level for an additional 40 days of the EDG being impaired by 25 percent concluded that an EDG being unavailable for 62 days now had a risk of Green or less. The inconsistency makes no sense. And it makes little safety.
DC Cook: 2015 Precedent
One of the two EDGs for the Unit 1 reactor at the DC Cook nuclear plant in Michigan was severely damaged during a test run on May 21, 2015. The owner applied to the NRC for a one-time amendment to the operating license to allow the reactor to continue running for up to 65 days while the EDG was repaired and restored to service.
The NRC asked the owner how the reactor would respond to a loss of coolant accident with a concurrent loss of offsite power and the single failure of the remaining EDG. In other words, the NRC asked how the reactor would comply with federal safety regulations.
The owner shut down the Unit 1 reactor and restarted it on July 29, 2015, after repairing its broken EDG.
Rulemaking: 2017 Subsequent
On January 26, 2017, the NRC staff asked their Chairman and Commissioners for permission to terminate a rulemaking effort initiated in 2008 seeking to revise federal regulations to decouple LOOP from LOCA. The NRC staff explained that their work to date had identified numerous safety issues about decoupling LOOP from LOCA. Rather than put words in the NRC’s mouth, I’ll quote from the NRC staff’s paper: “The NRC staff determined that these issues would need to be adequately addressed in order to complete a regulatory basis that could support a proposed LOOP/LOCA rulemaking. To complete a fully developed regulatory basis for the LOOP/LOCA rulemaking, the NRC staff would need to ensure that these areas of uncertainty are adequately addressed as part of the rulemaking activity.”
It’s baffling how the numerous issues that had to be resolved before the NRC staff could complete a regulatory basis for the LOOP/LOCA rulemaking would not also have to be resolved before the NRC would approve running a reactor for months assuming that a LOOP/LOCA could not occur.
4 out of 5 Ain’t Safe Enough
In deciding whether a loss of offsite power event could be unlinked from a postulated loss of coolant accident, the NRC answered “no” four out of five times.
Four out of five may be enough when it comes to dentists who recommend sugarless gum, but it’s not nearly safe enough when the lives of millions of Americans are at stake.
We are hopeful that the Inspector General will help the NRC do better in the future.