As described in a recent All Things Nuclear commentary, one of two emergency diesel generators (EDGs) for the Unit 3 reactor at the Palo Verde Nuclear Generation Station in Arizona was severely damaged during a test run on December 15, 2016. The operating license issued by the Nuclear Regulatory Commission (NRC) allowed the reactor to continue running for up to 10 days with one EDG out of service. Because the extensive damage required far longer than 10 days to repair, the owner asked the NRC for permission to continue operating Unit 3 for up to 62 days with only one EDG available. The NRC approved that request.
Around May 18, 2017, I received an envelope in the mail containing internal NRC documents with the back story for this EDG saga. I submitted a request under the Freedom of Information Act (FOIA) for these materials, but the NRC informed me that they could not release the documents because the matter was still under review by the agency. I asked the NRC’s Office of Public Affairs for a rough estimate of when the agency would conclude its review and release the documents. I was told that their review of the safety issues raised in the documents wasn’t a priority for the NRC and they’d get to it when they got to it.
Well, nuclear safety is a priority for me at UCS. And since I already have the documents, I don’t need to wait for the NRC to get around to concluding its stonewalling— I mean “review”—of the issues. Here is the back story the NRC does not want you to know about the busted EDG at Palo Verde.
Emergency Diesel Generator Safety Role
The NRC issued the operating license for Palo Verde Unit 3 on November 25, 1987. That initial operating license allowed Unit 3 to continue running for up to 72 hours with one of its two EDGs out of service. Called the “allowable outage time,” the 72 hours balanced the safety need to have a reliable backup power supply with the need to periodically test the EDGs and perform routine maintenance.
The EDGs are among the most important safety equipment at nuclear power plants like Palo Verde. The March 2011 accident at Fukushima Daiichi tragically demonstrated this vital role. A large earthquake knocked out the electrical power grid to which Fukushima Daiichi’s operating reactors were connected. Power was lost to the pumps providing cooling water to the reactor vessels, but the EDGs automatically started and took over this role. About 45 minutes later, a tsunami wave spawned by the earthquake inundated the site and flooded the rooms housing the EDGs. With both the normal and backup power supplies unavailable, workers could only supply makeup cooling water using battery-powered systems and portable generators. They fought a heroic but futile battle and all three reactors operating at the time suffered meltdowns.
More EDG Allowable Outage Time
On December 23, 2005, the owner of Palo Verde submitted a request to the NRC seeking to extend the allowable outage time for an EDG to be out of service to 10 days from 72 hours. Longer EDG allowable outage times were being sought by nuclear plant owners. Originally, nuclear power reactors shut down every year for refueling. The refueling outages provided ample time to conduct the routine testing and inspection tasks required for the EDGs. To boost electrical output (and hence revenue), owners transitioned to only refueling reactors every 18 or 24 months and to shorten the duration of the refueling outages. To facilitate the transitions, more and more testing and inspections previously performed during refueling outages were being conducted with the reactors operating. The argument supporting online maintenance was that while it adversely affected availability (i.e., an EDG was deliberately removed from service for testing and inspecting), the increased reliability (i.e., tests to confirm EDGs were operable were conducted every few weeks instead of spot checks every 18 to 24 months). The NRC approved the amendment to the operating licenses extending the EDG allowable outage times to 10 days on December 5, 2006.
More NRC/Industry Efforts on Allowable Outage Times
While the EDGs have important safety roles to play, they are not the only safety role players. The operating license for a nuclear power reactor covers dozens of components, each with its own allowable outage time. Around the time that longer EDG allowable outage times were sought and obtained at Palo Verde, the nuclear industry and the NRC were working on protocols to make proper decisions about allowable outage times for various safety components. On behalf of the nuclear industry, the Nuclear Energy Institute submitted guidance document NEI 06-09 to the NRC. On May 17, 2007, the NRC issued its safety evaluation report documenting its endorsement of NEI-06-09 along with its qualifications for that endorsement.
To create yet another acronym for no apparent reason, the nuclear industry and NRC conjured up Risk Informed Completion Time (RICT) to use in place of allowable outage time (AOT). The NRC explicitly endorsed a 30-day limit on RICTs (AOTs):
“The RICT is further limited to a deterministic maximum of 30 days (referred to as the backstop CT [completion time] from the time the TS [technical specification or operating license requirement] was first entered.”
The NRC explained why the 30-day maximum limit was necessary:
“The 30-day backstop CT assures that the TS equipment is not out of service for extended periods, and is a reasonable upper limit to permit repairs and restoration of equipment to an operable status.”
NEI 06-09 and the NRC’s safety evaluation applied to all components within a nuclear power reactor’s operating license. The 30-day backstop limit was the longest AOT (RICT) permitted. Shorter RICTs (AOTs) might apply for components with especially vital safety roles.
For example, the NRC established more limiting AOTs (RICTs) for the EDGs. In February 2002, the NRC issued Branch Technical Position 8-8, “Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions.” This Branch Technical Position is part of the NRC’s Standard Review Plan for operating reactors. The Standard Review Plan helps plant owners meet NRC’s expectations and NRC reviewers and inspectors verify that expectations have been met. The Branch Technical Position is quite clear about the EDG allowable outage time limit:
“An EDG or offsite power AOT license amendment of more than 14 days should not be considered by the staff for review.” [underlining in original]
Exceptions and Precedent
Consistent with the “every rule has its exception” cliché, neither the 14-day EDG AOT in NRC Branch Technical Position 8-8 nor the 30-day backstop limit in the NRC’s safety evaluation for NEI 06-09 are considered hard and fast limits. Owners can, and do, request NRC’s permission for longer times under special circumstances.
The owner of the DC Cook nuclear plant in Michigan asked the NRC on May 28, 2015, for permission to operate the Unit 1 reactor for up to 65 days with one of its two EDGs out of service. The operating licensee for Unit 1 already allowed one EDG to be out of service for up to 14 days. During testing of an EDG on May 21, 2015, inadequate lubrication caused one of the bearings to be severely damaged. Repairs were estimated to require 56 days.
The NRC emailed the owner questions about the 65-day EDG AOT on May 28 and May 29. Among the questions asked by the NRC was how Unit 1 would respond to a design basis loss of coolant accident (LOCA) concurrent with a loss of offsite power (LOOP) and a single failure of the only EDG in service. The EDGs are designed to automatically start from the standby mode and deliver electricity to safety components within seconds. This rapid response is needed to ensure the reactor core is cooled should a broken pipe (i.e., LOCA) drain cooling water should electrical power to the makeup pumps not be available (i.e., LOOP). The single failure provision is an inherent element of the redundancy and defense-in-depth approach to nuclear safety.
The NRC did not approve the request for a 65-day EDG AOT for Cook Unit 1.
The NRC did not deny the request either.
More on the Back Story
About 18 months after one of two EDGs for the Unit 1 reactor at DC Cook was severely damaged during a test run, one of two EDGs for the Unit 3 reactor at Palo Verde was severely damaged during a test run.
About 18 months after DC Cook’s owner requested permission from the NRC to continue running Unit 1 for up to 65 days with only one EDG in service, Palo Verde’s owner requested permission to continue running Unit 3 for up to 62 days.
About 18 months after the NRC staff asked DC Cook’s owner how Unit 1 would respond to a loss of coolant accident concurrent with a loss of offsite power and failure of the remaining EDG, the NRC staff merely assumed that a loss of coolant accident would not happen during the 62 days that Palo Verde Unit 3 ran with only one EDG in service. Enter the back story as reported by the Arizona Republic.
On December 23, 2016, and January 9, 2017, Differing Professional Opinions (DPOs) were initiated by member(s) of the NRC staff registering formal disagreement with NRC senior management’s plan to allow the 62-day EDG AOT for Palo Verde Unit 3. The initiator(s) checked a box on the DPO form to have the DPO case file be made publicly available (Fig. 1).
The DPO initiator(s) allege that the 62-day EDG AOT was approved by the NRC because the agency assumed that a loss of coolant accident simply would not happen. The DPO stated:
“The NRC and licensee ignored the loss of coolant accident (LOCA) consequence element. Longer outage times increase the vulnerability to a design basis accident involving a LOCA with the loss of offsite power (LOOP) event with a failure of Train A equipment.”
Palo Verde has two fully redundant sets of safety equipment, Trains A and B. The broken EDG provided electrical power (when unbroken) to Train B equipment. The 62-day EDG AOT was approved based on workers scurrying about to manually start combustible gas turbines and portable generators to provide electrical power that would otherwise be supplied by EDG 3B. The DPO stated:
“The Train B EDG auto starts and loads all safety equipment in 40 seconds. The manual actions take at least 20 minutes, if not significantly longer.”
Again, the rapid response is required to mitigate a loss of coolant accident that drains water from the reactor vessel. When water does not drain away, it takes time for the reactor core’s decay heat to warm up and boil away the reactor vessel’s water, justifying a slower response time.
The NRC staff considered a loss of coolant accident for the broken EDG at Cook but allegedly dismissed it at Palo Verde. Curious.
The DPO also disparaged the non-routine measures undertaken by the NRC to hide their deliberations from the public:
“The pre-submittal call occurred on a “non-recorded” [telephone] line. The NRC staff debated the merits of the call in a headquarters staff only discussion. Note that the Notice of Enforcement Discretion calls are done on recorded [telephone] lines.”
President Richard Nixon’s downfall occurred when it become known that tape recordings of his impeachable offenses existed. The NRC avoided this trap by deliberately not following their routine practice of recording the telephone discussions. Peachy!
Cognitive Dissonance or Unnatural Selection?
The NRC’s approval of the 62-day EDG AOT for Palo Verde Unit 3 is perplexing, at best.
In the amendment it issued January 4, 2017, approving the extension, the NRC wrote:
“Offsite power sources and one train of onsite power source would continue to be available for the scenario of a loss-of-coolant accident” while EDG 3B was out of service.
In other words, the NRC assumed that loss of offsite power (LOOP) and loss of coolant accident (LOCA) are separate events. The NRC assumed that if a LOCA occurred, electrical power from the offsite grid would enable safety equipment to refill the reactor vessel and prevent meltdown. And the NRC assumed that if a LOOP occurred, a LOCA would not drain water from the reactor vessel, giving workers time to find, deploy, and start up the portable equipment and prevent core overheating.
But in the amendment it issued December 5, 2006, establishing the 10-day EDG AOT, the NRC wrote:
“During plant operation with both EDGs operable, if a LOOP occurs, the ESF [engineered safeguards] electrical loads are automatically and sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a design-basis accident (DBA) such as a loss-of-coolant accident (LOCA).”
In those words, the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.
More importantly, page B 3.8.1-2 of the bases document dated May 12, 2016, for the Palo Verde operating licenses is quite explicit about the LOOP/LOCA relationship:
“In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).”
In those words, the operating licenses issued the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.
So, the NRC either experienced cognitive dissonance in having two opposing viewpoints on the same issue or made the unnatural selection of LOCA without LOOP.
Actions May Speak Louder Than Words, But Inaction Shouts Loudest
Check out this chronology:
- December 15, 2016: EDG 3B for Palo Verde Unit 3 failed catastrophically during a test run
- December 21, 2016: Owner requested 21-day EDG AOT
- December 23 2016: NRC approved 21-day EDG AOT
- December 23, 2016: DPO submitted opposing 21-day EDG AOT
- December 30, 2016: Owner requested 62-day EDG AOT
- January 4, 2017: NRC approved 62-day EDG AOT
- January 9, 2017: DPO submitted opposing 62-day EDG AOT
- February 6, 2017: NRC special inspection team arrived at Palo Verde to examine EDG’s failure cause
- February 10, 2017: NRC special inspection team concluded its onsite examinations
- April 10, 2017: NRC issued special inspection team report
The NRC jumped through hoops during the Christmas and New Year’s holidays to expeditiously approve a request to allow Unit 3 to continue generating revenue.
The NRC has not yet responded to two DPOs questioning the safety rationale behind the NRC’s approval.
If the NRC really and truly had a solid basis for letting Palo Verde Unit 3 run for so long with only one EDG, they have had plenty of time to address the issues raised in the DPOs. Way more than 62 days, in fact.
William Shakespeare wrote about something rotten in Denmark.
The bard never traveled to Rockville to visit the NRC’s headquarters. Had he done so, he might have discovered that rottenness is not confined to Denmark.