The Nuclear Regulatory Commission (NRC) adopted its Reactor Oversight Process (ROP) in 2000. The ROP is far superior to the oversight processes previously employed by the NRC. Among its many virtues, the NRC treats the ROP as a work in progress, meaning that the agency routinely re-assesses the ROP and makes necessary adjustments.
Earlier this year, the NRC initiated a formal review of its engineering inspections with the goal of making them more efficient and more effective. During a public meeting on October 11, 2017, the NRC working group conducting the review outlined some changes to the engineering inspections that would essentially cover the same ground but with an estimated 8 to 15 percent reduction in person-hours (the engineering inspections and suggested revisions are listed on slide 7 of the NRC’s presentation). Basically, the NRC working group suggested repackaging the inspections so as to be able to examine the same number of items, but in fewer inspection trips.
The nuclear industry sees a different way to accomplish the efficiency and effectiveness gains sought by the NRC’s review effort—they propose to eliminate the NRC’s engineering inspections and replace them with self-assessments. The industry would mail the results from the self-assessments to the NRC for their reading pleasure.
UCS is wary of self-assessments by industry in lieu of NRC inspections. On one hand, statistics might show that self-assessments increase safety just as a community firing all its law enforcement officers would see a statistical decrease in arrests, suggesting a lower crime rate. I have been researching the records publicly available in ADAMS to compare the industry’s track record for finding latent safety problems with the NRC’s track record to see whether replacing NRC’s inspections with industry self-assessments could cause nuclear safety to go off-track.
This commentary is the first in a series that convinces us that the NRC’s engineering inspections are necessary for nuclear safety and that public health and safety will be compromised by replacing them with self-assessments by industry.
Columbia Generating Station: Not so Cool Safety Moves
The Columbia Generating Station is a boiling water reactor owned by Energy Northwest and located 12 miles northwest of Richland, Washington. The Washington Public Power Supply System (the original name of the plant’s owner) submitted a Preliminary Safety Analysis Report (PSAR) for the Washington Nuclear Project Unit 2 (the original name for the reactor) to the Atomic Energy Commission (AEC, the original name of the nuclear regulator) in February 1973.
The PSAR described the proposed design of the plant and associated safety studies that demonstrated compliance with regulatory requirements. The PSAR described the two systems intended to cool the control room during normal operation and during postulated accidents. The control room heating, ventilation, and air conditioning (HVAC) would use chillers within the Radwaste Building HVAC system during normal operation. Because the Radwaste Building HVAC system is not designed to withstand earthquake forces or remain running when offsite power is unavailable, it cannot be credited with performing this role during accident conditions. So, the Standby Service Water system was proposed to cool the control room during accidents. The Standby Service Water system features pumps, pipes, and valves that recirculate water between a large cooling pond and safety equipment within the plant. Two independent sets, called divisions in the figure, are used to enhance reliability of this safety function (Fig. 1).
The PSAR indicated that for worst-case design conditions of 77°F cooling pond water temperature and 105°F outside air temperature, the Standby Service Water system would prevent the air temperature within the control room from exceeding 104°F. The AEC/NRC expressed concern that such warm control room temperatures could impair both human and equipment performance.
The owner resolved the regulator’s concerns by committing to installing two Seismic Category I emergency chillers for the control room HVAC system (Fig. 2). The emergency chillers were fully redundant such that one emergency chiller alone could keep the air temperature inside the control room from exceeding 78°F during an accident. The NRC issued an operating license for the Columbia Generating Station on April 13, 1984, with License Condition 2.C.(21) that required the two emergency chillers to be operable by May 31, 1984. In November 1984, the owner revised the PSAR (now called the Final Safety Analysis Report or FSAR) to describe the emergency chillers and their role in keeping the control room air temperature from exceeding 78°F.
In September 1989, the owner revised the FSAR to change the control room air temperature limit to 85°F. The owner determined that this change did not require prior NRC review and approval. The NRC later disagreed with this self-imposed temperature relaxation.
In May 1998, the owner revised the FSAR to change the control room air temperature limit from 85°F to 85°F effective (see below). Once again, the owner determined that this change did not require prior NRC review and approval. And again, the NRC later disagreed with this self-imposed temperature limit relaxation.
“Effective temperature” is based on a combination of wet-bulb and dry-bulb temperatures. The original 75°F and initial 85°F limits were based solely on dry-bulb temperatures. The 85°F effective temperature allowed dry-bulb temperatures of up to 105°F—higher than the control room air temperature expressly rejected by the regulator. The owner made this change without seeking NRC’s approval because it was considered an editorial change. The NRC later determined that this temperature limit relaxation was not an editorial change.
Because the Standby Service Water system alone could maintain the dry-bulb temperature inside the control room at or below 104°F and the revised limit was now 105°F, the owner implemented another change—also unreviewed and unapproved by the NRC—eliminating the need for the emergency chillers to perform any safety role during postulated accidents. The NRC issued a Severity Level IV non-cited violation on April 23, 103, for the owner relaxing the control room air temperature limit without prior NRC approval.
The following month, the owner notified the NRC about deficiencies in the test periodically conducted to demonstrate the adequacy of the Standby Service Water system to cool the control room during accident conditions. When the test deficiencies were remedied and the corrected test performed, one of the two Standby Service Water system trains failed. Workers determined that the tubes within the control room cooler units had become degraded due to the buildup of scale on the inside tube surfaces and the collection of sediment in the lower region of the units. Routine testing of the control room cooler units had been discontinued 16 years earlier.
So, around the same time that the owner improperly decided that the emergency chillers were no longer needed to cool the control room during accidents, it discontinued proper testing of the Standby Service Water system that it thought would perform this role during accidents. Maybe it was another editorial change that discontinued the tests.
On November 12, 2015, the NRC issued a Green finding for a violation of Criterion III, “Design Control,” of Appendix B to 10 CFR Part 50. The NRC inspectors found that the emergency chillers, as designed and governed by operating procedures, would not maintain the air temperature inside the control room below 85°F under accident conditions. The vendor manual for the emergency chillers stated that the STOP-RESET pushbutton had to be depressed after a power interruption because the chillers would not automatically restart. But the operating procedures failed to have the operators perform this necessary step.
On December 22, 2015, Energy Northwest contested the NRC’s finding. The owner stated, in writing, that “There are no design basis requirements to maintain the control room temperature at less than or equal to 85°F at all times for all accident scenarios” [boldfacing in original]. The owner further requested that the NRC conduct a backfit analysis per 10 CFR 50.109 before imposing these “new” regulatory requirements.
By letter dated June 10, 2016, the NRC responded to the owner’s appeal. The NRC carefully considered the owner’s arguments and delineated why it was rejecting each one. The NRC concluded “…it cannot be concluded that the system function as described in the current design basis can be achieved.”
On May 3, 2016 (perhaps sensing that its appeal would not be successful), the owner met with the NRC to discuss a pending license amendment request that would resolve the concerns about the emergency chillers. As shown in the figure, the two emergency chillers sit side-by-side in the same room vulnerable to a common mode, like a fire, disabling them both (Fig. 3). But the chillers are seismically qualified and redundant, consistent with the original commitment to install them. The pending license amendment request would reconcile departures from two NRC General Design Criteria and justify the use of manual vice automatic actions to place the chillers in service.
UCS Perspective
Under the Atomic Energy Act as amended, the NRC is tasked with establishing and enforcing regulations to protect workers and the public from the inherent hazards from nuclear power reactor operation.
Owners are responsible for conforming with applicable regulatory requirements. In this case, the owner made a series of changes that resulted in the plant not conforming with applicable regulatory requirements for the air temperature within the control room. But there’s no evidence suggesting that the owner knew that the changes were illegal yet made them anyway hoping not to get caught. Nevertheless, ignorance of the law is still not a valid excuse. The public is not adequately protected when safety regulations are not met, regardless of whether the violations are intentional or inadvertent.
This case study illustrates the vital role that NRC’s enforcement efforts play in nuclear safety. The soundest safety regulation in the world serves little use unless owners abide by it. The NRC’s inspection efforts either verify that owners are abiding by safety regulations or identify shortfalls. Self-assessments by owners are more likely to sustain misinterpretations and misunderstandings than to flush out safety problems.
The NRC’s ROP is the public’s best protection against hazards caused by aging nuclear power reactors, shrinking maintenance budgets, and emerging sabotage threats. Replacing the NRC’s engineering inspections with self-assessments by the owners would lessen the effectiveness of that protective shield.
The NRC must continue to protect the public to the best of its ability. Delegating safety checks to owners is inconsistent with that important mission.