Role of Regulation in Nuclear Plant Safety #8
In the mid-1960s, the nuclear safety regulator raised concerns about the reliability of the system relied upon to protect the public in event of a reactor transient. If that system failed—or failed again since it had already failed—the reactor core could be severely damaged (as it had during that prior failure.) The nuclear industry resisted the regulator’s efforts to manage this risk. Throughout the 1970s, the regulator and industry pursued non-productive exchange of study and counter-study. Then the system failed again—three times—in June 1980 and twice more in February 1983. The regulator adopted the Anticipated Transient Without Scram rule in June 1984. But it was too little, too late—the hazard it purported to manage had already been alleviated via other means.
Nuclear power reactors are designed to protect workers and members of the public should anticipated transients and credible accidents occur. Nuclear Energy Activist Toolkit #17 explained the difference between transients and accidents. Anticipated transients include the failure of a pump while running and the inadvertent closure of a valve that interrupts the flow of makeup water to the reactor vessel.
The design responses to some anticipated transients involve automatic reductions of the reactor power level. Anticipated transients upset the balance achieved during steady state reactor operation—the automatic power reductions make it easier to restore balance and end the transient.
For other transients and for transients where power reductions do not successfully restore balance, the reactor protection system is designed to automatically insert control rods that stop the nuclear chain reaction. This rapid insertion of control rods is called “scram” or “reactor trip” in the industry. Nuclear Energy Activist Toolkit #11 described the role of the reactor protection system.
Scram was considered to be the ultimate solution to any transient problems. Automatic power reductions and other automatic actions might mitigate a transient such that scram is not necessary. But if invoked, scram ended any transient and placed the reactor in a safe condition—or so it was believed.
Anticipated Transient Without Scram (ATWS)
Dr. Stephen H. Hanauer, was appointed to the NRC’s Advisory Committee on Reactor Safeguards (ACRS) in 1965. (Actually, the ACRS was part of the Atomic Energy Commission (AEC) in those days. The Nuclear Regulatory Commission (NRC) did not exist until formed in 1975 when the Energy Reorganization Act split the AEC into the NRC and what today is the Department of Energy.) During reviews of applications for reactor operating licenses in 1966 and 1967, Hanauer advocated separating instrumentation systems used to control the reactor from the instrumentation systems used to protect it (i.e., trigger automatic scrams.) Failure of this common system caused an accident on November 18, 1958, at the High Temperature Reactor Experiment No. 3 in Idaho.
The nuclear industry and its proponents downplayed the concerns on grounds that the chances of an accident were so small and the reliability of the mitigation systems so high that safety was good enough. Dr. Alvin Weinburg, Director of the Oak Ridge National Laboratory, and Dr. Chauncey Starr, Dean of Engineering at UCLA, publicly contended that the chances of a serious reactor accident were similar to that of a jet airliner plunging into Yankee Stadium during a World Series game.
In February 1969, E. P. Epler, a consultant to the ACRS, pointed out that common cause failure could impair the reactor protection system and prevent the scram from occurring. The AEC undertook two efforts in response to the observation: (1) examine mechanisms and associated likelihoods that a scram would not happen when needed, and (2) evaluate the consequences of anticipated transients without scrams (ATWS).
The AEC published WASH-1270, “Technical Report on Anticipated Transients Without Scram,” in September 1973. Among other things, this report established the objective that the chances of an ATWS event leading to serious offsite consequences should be less than 1×10-7 per reactor-year. For a fleet of 100 reactors, meeting that objective translates into once ATWS accident every 100,000 years—fairly low risk.
The AEC had the equivalent of a speed limit sign but lacked speedometers or radar guns. Some argued that existing designs had failure rates as high as 1×10-3 per reactor-year—10,000 times higher than the safety objective. Others argued that the existing designs had failures rates considerably lower than 1×10-7 per reactor-year. The lack of riskometers and risk guns fostered a debate that pre-dated the “tastes great, less filling” debate fabricated years later to sell Miller Lite beer.
An article titled “ATWS—Impact of a Nonproblem,” that appeared in the March 1977 issue of the EPRI Journal summarized the industry’s perspective (beyond the clue in the title):
ATWS is an initialism for anticipated transient without scram. In Nuclear Regulatory Commissionese it refers to a scenario in which an anticipated incident causes the reactor to undergo a transient. Such a transient would require the reactor protection system (RPS) to initiate a scram (rapid insertion) of the control rods to shut down the reactor, but for some reason the scram does not occur. … Scenarios are useful tools. They are used effectively by writers of fiction, the media, and others to guide the thinking process.
Two failures to scram has already occurred (in addition to the HTRE-3 failure). The boiling water reactor at the Kahl nuclear plant in Germany experienced a failure in 1963 and the N-reactor at Hanford in Washington had a failure in 1970. The article suggested that scram failures should be excluded from the scram reliability statistical analysis, observing that “One need not rely on data alone to make an estimate of the statistical properties of the RPS.” As long as scenarios exist, one doesn’t need statistics getting in the way.
The NRC formed an ATWS task force in March 1977 to end, or at least focus, the non-productive debate that had been going on since WASH-1270 was published. The task force’s work was documented in NREG-0460, “Anticipated Transients Without Scram for Light Water Reactors,” issued in April 1978. The objective was revised from 1×10-7 per reactor-year to 1×10-6 per reactor-year.
Believe it or not, but somehow changing the safety objective without developing the means to objectively gauge performance towards meeting it did not end or even appreciably change it. Now, some argued that existing designs had failure rates as high as 1×10-3 per reactor-year—1,000 times higher than the safety objective. Others argued that the existing designs had failures rates considerably lower than 1×10-6 per reactor-year. The 1970s ended without resolution to the safety problem that arose more than a decade earlier.
The Browns Ferry ATWS, ATWS, and ATWS
On June 28, 1980, operators reduced the power level on the Unit 3 boiling water reactor (BWR) at the Browns Ferry Nuclear Plant in Alabama to 35 percent and depressed the two pushbuttons to initiate a manual scram. All 185 control rods should have fully inserted into the reactor core within seconds to terminate the nuclear chain reaction. But 76 control rods remained partially withdrawn and the reactor continued operating, albeit at an even lower power level. Six minutes later, an operator depressed the two pushbuttons again. But 59 control rods remained partially withdrawn after the second ATWS. Two minutes later, the operator depressed the pushbuttons again. But 47 control rods remained partially withdrawn after the third ATWS. Six minutes later, an automatic scram occurred that resulted in all 185 control rods being fully inserted into the reactor core. It took four tries and nearly 15 minutes, but the reactor core was shut down. Fission Stories #107 described the ATWSs in more detail.
In BWRs, control rods are moved using hydraulic pistons. Water is supplied to one side of the piston and vented from the other side with the differential pressure causing the control rod to move. During a scram, the water vents to a large metal pipe and tank called the scram discharge volume. While never proven conclusively, it is generally accepted that something blocked the flow of vented water into the scram discharge volume. Flow blockage would have reduced the differential pressure across the hydraulic pistons and impeded control rod insertions. The scram discharge volume itself drains into the reactor building sump. The sump was found to contain considerable debris. But because it collects water from many places, none of the debris could be specifically identified as having once blocked flow into the scram discharge volume.
Although each control rod had its own hydraulic piston, the hydraulic pistons for half the control rods vented to the same scram discharge volume. The common mode failure of flow blockage impaired the scram function for half the control rods.
The NRC issued Bulletin 80-17, “Failure of 76 of 185 Controls Rods to Fully Insert During a Scram at a BWR,” on July 3, 1980, with Supplement 1 on July 18, 1980, Supplement 2 on July 22, 1980, Supplement 3 on August 22, 1980, Supplement 4 on December 18, 1980, and Supplement 5 on February 2, 1981, compelling plant owners to take interim and long-term measures to prevent what didn’t happen at Browns Ferry Unit 3—a successful scram on the first try—from not happening at their facilities.
ATWS – Actual Tack Without Stalling
On November 19, 1981, the NRC published a proposed ATWS rule in the Federal Register for public comment. One could argue that the debates that filled the 1970s laid the foundation for this proposed rule and the June 1980 ATWSs at Browns Ferry played no role in this step or its timing. That’d be one scenario.
The Salem ATWS and ATWS
During startup on February 25, 1983, following a refueling outage, low water level in one of the steam generators on the Unit 1 pressurized water reactor at the Salem nuclear plant triggered an automatic scram signal to the two reactor trip breakers. Had either breaker functioned, all the control rods would have rapidly inserted into the reactor core. But both breakers failed. The operators manually tripped the reactor 25 seconds later. The following day, NRC inspectors discovered that an automatic scram signal had also happened during an attempted startup on February 22, 1983. The reactor trip breakers failed to function. The operators had manually tripped the reactor. The reactor was restarted two days later without noticing, and correcting, the reactor trip breaker failures. Fission Stories #106 described the ATWSs in more detail.
In PWRs, control rods move via gravity during a scram. They are withdrawn upward from the reactor core and held fully or partially withdrawn by electro-magnets. The reactor trip breakers stop the flow of electricity to the electro-magnets, which releases the control rods to allow gravity to drop them into the reactor core. Investigators determined that the proper signal went to the reactor trip breakers on February 22 and 25, but the reactor trip breakers failed to open to stop the electrical supply to the electro-magnets. Improper maintenance of the breakers essentially transformed oil used to lubricated moving parts into glue binding those parts in place—in the wrong places on February 22 and 25, 1983.
The Salem Unit 1 reactor had two reactor trip breakers. Opening of either reactor trip breaker would have scrammed the reactor. The common mode failure of the same improper maintenance practices on both breakers prevented them both from functioning when needed, twice.
The NRC issued Bulletin 83-01, “Failure of Reactor Trip Breakers (Westinghouse DB-50) to Open on Automatic Trip Signal,” on February 25, 1983, Bulletin 83-04, “Failure of Undervoltage Trip Function of Reactor Trip Breakers,” on March 11, 1983, and Bulletin 83-08, “Electrical Circuit Breakers with Undervoltage Trip in Safety-Related Applications Other Than the Reactor Trip System,” on December 28, 1983, compelling plant owners to take interim and long-term measures to prevent failures like those experienced on Salem Unit 1.
ATWS Scoreboard: Brown Ferry 3, Salem 2
ATWS – Actual Text Without Semantics
The NRC published the final ATWS rule adopted on June 26, 1984, or slightly over 15 years after the ACRS consultant wrote that scrams might not happen when desired due to common mode failures. The final rule was issued less than four years after a common mode failure caused multiple ATWS events at Browns Ferry and about 18 months after a common mode failure caused multiple ATWS events at Salem. The semantics of the non-productive debates of the Seventies gave way to actual action in the Eighties.
The NRC issued NUREG-1780, “Regulatory Effectiveness of the Anticipated Transient Without Scram Rule,” in September 2003. The NRC “concluded that the ATWS rule was effective in reducing ATWS risk and that the cost of implementing the rule was reasonable.” But that report relied on bona-fide performance gains achieved apart from the ATWS rule and which would have been achieved without the rule. For example, the average reactor scrammed 8 times in 1980. That scram frequency dropped to less than an average of two scrams per reactor per year by 1992.
The ATWS rule did not trigger this reduction or accelerate the rate of reduction. The reduction resulted from the normal physical process, often called the bathtub curve due to its shape. As procedure glitches, training deficiencies, and equipment malfunctions were weeded out, their fixes lessened the recurrence rate of problems resulting in scrams. I bought a Datsun 210 in 1980. That acquisition had about as much to do with the declining reactor scram rate since then as the NRC’s ATWS rule had.
There has been an improvement in the reliability of the scram function since 1980. But again, that improvement was achieved independently from the ATWS rule. The Browns Ferry and Salem ATWS event prompted the NRC to mandate via a series of bulletins that owners take steps to reduce the potential for common mode failures. Actions taken in response to those non-rule-related mandates improved the reliability of the scram function more than the ATWS rule measures.
If the AWTS rule had indeed made nuclear plants appreciably safer, then it would represent under-regulation by the NRC. After all, the question of the need for additional safety arose in the 1960s. If the ATWS rule truly made reactors safer, then the “lost decade” of the 1970s is inexcusable. The ATWS rule should have been enacted in 1974 instead of 1984 if it was really needed for adequate protection of public health and safety.
But the ATWS rule enacted in 1984 did little to improve safety that wasn’t been achieved via other means. The 1980 and 1983 ATWS near-miss events at Browns Ferry and Salem might have been averted by an ATWS rule enacted a decade earlier. Once they happened, the fixes they triggered fleet-wide precluded the need for an ATWS rule. So, the ATWs rule was too little, too late.
The AEC/NRC and nuclear industry expended considerable effort during the 1970s not resolving the AWTS issue—effort that could better have been applied resolving other safety issues more rapidly.
ATWS becomes the first Role of Regulation commentary to fall into the “over-regulation” bin. UCS has no established plan for how this series will play out. ATWS initially appeared to be an “under-regulation” case, but research steered it elsewhere.
* * *
UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.