Role of Regulation in Nuclear Plant Safety #11
The Fatal Accident
As described in Fission Stories #139 and illustrated in Fission Stories #181, on March 31, 2013, a temporary crane removing a component weighing 525 tons collapsed in the turbine building of the Unit 1 reactor at Arkansas Nuclear One near Russellville, AR. The dropped load struck the turbine building floor with considerable force, then rolled and fell through an opening to cause further damage on a lower floor. One worker was killed and eight others injured by the accident.
Hundreds of pictures of the dropped load and the damage it inflicted have been released. Figure 1 shows the structural steel beams and concrete floor damaged when the load struck the turbine deck. Towards the camera from the bent beam is the opening that the load then plunged through.
Figure 2 shows the dropped load (the cylindrical red object) resting on the hauler it damaged. Sections of the collapsed crane and portions of the damaged building lie on the hauler and load.
The Unit 1 reactor had been shut down a week earlier for refueling. The vibrations from the heavy load impacting the turbine deck and the damage from the load crashing 30 feet onto the floor below disconnected Unit 1 from the offsite power grid and caused loss of cooling for the irradiated fuel in the reactor core and spent fuel pool. The emergency diesel generators automatically started to restore power to emergency equipment. The station blackout diesel generator was disabled because its connecting cables to both units were severed. Workers ran temporary cables to restore power to non-emergency equipment from the offsite power grid and portable diesel generators. The emergency diesel generators ran for six days until normal supplies from the offsite power grid were recovered.
The Unit 2 reactor was operating at full power at the time. The vibrations caused the electrical breaker for power supply to reactor coolant pump B to open. The loss of reactor coolant pump B triggered an automatic shutdown of Unit 2. The dropped load had ruptured an 8-inch diameter fire suppression system header. Water pouring from the broken ends of the pipe flooded areas of the turbine building with tens of thousands of gallons. It took workers about 45 minutes to turn off pumps and close valves to stop the flow of water from the broken pipe. The internal flooding caused a short circuit and explosion inside an electrical cabinet about 93 minutes after the drop that disabled one of the two offsite power connections for Unit 2. The consequences from the partial loss of power included a water hammer in the feedwater heaters and the operators using natural circulation to cool down the reactor for the first time in the reactor’s 30-plus year lifetime.
The Initial Regulatory Response
The Nuclear Regulatory Commission (NRC) dispatched an Augmented Inspection Team (AIT) to investigate the fatal accident. The AIT’s report, issued on June 7, 2013, identified ten issues requiring additional consideration. For a year after the fatal accident, both reactors at Arkansas Nuclear One remained in Column 1 of the NRC’s Action Matrix reflecting performance meeting or exceeding safety standards as the NRC pondered what to do with what it knew.
The Belated Regulatory Response
One week shy of the accident’s anniversary, the NRC proposed issuing one Red finding for the Unit 1 problems and one Yellow finding for the Unit 2 problems.
The proposed Unit 1 Red finding resulted primarily from the chances that the two emergency diesel generators failed. The accident disconnected the unit from its normal offsite power sources for six days. The accident disabled the station blackout diesel generator. The unavailability of offsite power disabled the instrument air system. Without instrument air, the two emergency diesel generators had air tanks with sufficient capacity for about ten start attempts. Had the emergency diesel generators not successfully started before this air reserve was exhausted, the unit would have entered a station blackout condition. At the time, the decay heat from the reactor core would have heated the reactor vessel water to boiling in 11 hours and the water boiled away would have uncovered the reactor core in 96 hours.
Based on standard human reliability analysis (HRA) values for workers diagnosing problems and likelihood of successfully implementing contingency measures within the necessary time frames, the NRC calculated the conditional core damage probability for Unit 1 to be 3.8×10⁻⁴ per year, or one meltdown every 2,632 years. That seems like a remote risk, but the chances of a tsunami inundating the site and causing a meltdown at Fukushima Daiichi—which had been estimated to be about one such event in 3,500 years—before March 11, 2011, beat those odds.
A similar risk analysis was performed for Unit 2. The proposed Unit 2 Yellow finding resulted primarily from the calculated risk that the reactor lost the normal feedwater, auxiliary feedwater, and emergency feedwater systems and that workers could not establish once-through cooling of the core. The NRC estimated the chances of these outcomes occurring concurrently to be 2.8×10⁻⁵ per year, or one such meltdown every 35,714 years.
The Owner Rejects the Regulatory Proposals
On May 1, 2014, the owner met with the NRC to dispute the agency’s ciphering and associated color selections. The owner described four independent means for workers to have cooled the Unit 1 reactor core and averted meltdown. While none of these means was absolutely guaranteed, the owner calculated the chance that all four failed to prevent meltdown to be 4.8×10⁻⁶ per year, or one meltdown every 208,333 years. If so, this risk corresponds to a White rather than Red finding as proposed.
The owner also disputed the NRC’s ciphering of the Unit 2 risk. The owner’s math put the risk of meltdown at 1.8×10⁻⁶ per year, or one meltdown every 555,556 years. If so, this risk corresponds to a White rather than Yellow finding as proposed.
The Modified Belated Regulatory Response
Two weeks after the AIT report’s anniversary, the NRC issued its final answer on the AIT’s findings, issuing Yellow findings for the Unit 1 and 2 problems. And only then did the NRC move both reactors into Column 3 of the Action Matrix.
The NRC revised its initial assessment of the risk of meltdown of the Unit 1 reactor. The owner contended that it would take 115 hours, not the 96 hours assumed by the NRC, for an uncooled reactor to boil away enough water to become uncovered and damaged. Applying the longer core uncovery time reduced the meltdown risk from 3.8×10⁻⁴ per year to 2.6×10⁻⁴ per year, or one meltdown every 3,846 years. The NRC issued the Yellow finding based on its revised risk assessment.
The NRC stood behind its initial assessment of the risk of meltdown of the Unit 2 reactor. The owner sought credit for manual actions taken by workers to restore components to service. The NRC felt that the owner was very optimistic about workers being able to complete the many steps in time due to increased stress levels of workers tackling darkness, debris, and flood waters resulting from the accident. The NRC retained the Yellow finding based on not revising its risk assessment.
The Rest of the Regulatory Response, Delayed Additionally
Nearly two years after the accident, the NRC issued another Yellow finding for inadequate floor protection measures that became evident during the accident. The collection of Yellow findings let the NRC move the plant into Column 4. The NRC did not return Arkansas Nuclear One to Column 1 until the summer of 2018.
UCS Perspective
Had this been a regulatory race involving the NRC, a sloth, a snail, and a tortoise, the NRC would have finished a distant fourth. The NRC’s Reactor Oversight Process provides performance ratings that dictate appropriate levels of oversight every quarter. A home pregnancy test that provides an indication one year later is no less useless than an NRC Augmented Inspection Team’s investigation of a fatal accident yielding decisions a year or two later. “Justice delayed is justice denied” was coined for lengthy moments like this one.
But the injustice stemming from the NRC’s foot-dragging deliberations is overshadowed by the injustice of its long overdue verdict. The verdict was two Yellow findings for in-plant power impairments caused by the dropped load and associated flooding. That verdict depended on the NRC’s assessment of the chances that workers could deploy contingency measures to offset the equipment disabled by the event in time to prevent overheating of the reactor core.
That verdict is contrary to most verdicts reached by the NRC when assessing similar situations. Here’s but a very tiny sampling of the typical verdicts issued by the NRC for power impairments:
- Clinton: Two Green findings for December 2017 power transformer failure
- Turkey Point: Green finding for March 2017 high energy arc fault causing explosion and fire
- Palo Verde: No findings for December 2016 emergency diesel generator explosion
- Columbia Generating Station: 3 Green findings for December 2016 scram with complications
Assuming that the overwhelming majority of its verdicts have been correct (or at least, less wrong), then the atypical harshness of the Yellow findings at Arkansas Nuclear One reflects over-regulation by the NRC.
Blame the Game, Not Its Players
Jeff Mitman from NRC headquarters and David Loveless from NRC’s Region IV performed the risk assessments for the Arkansas Nuclear One accident. I have known both men for several years and found them to be among the many dedicated, talented staff at the NRC. I cannot contend that Mitman and Loveless erred when assessing the Unit 1 and 2 risks as high as they did.
Instead, the risk assessment tools they were forced to use are little more than nuclear Ouija boards lacking precision and repeatability. Plant workers using the same risk assessment tools derived “answers” that differed by about a factor of 100.
Imagine using a scale that provided your weight plus or minus a factor of 100. If you weighed 150 pounds, that scale could tell you one day that you weighed 1 ½ pounds and the next day that you weighed 15,000 pounds.
Imagine driving a car with a speedometer reporting your speed plus or minus a factor of 100. Traveling along at 55 mph, it might show you nearly stopped or zipping along at 5,500 mph.
Imagine using an ATM that told you your checking account balance plus or minus a factor of 100. If you had $1,000 in the account, you’d relish the days it revealed you had $100,000 to spend and be glum when it said you only had $10.
Imagine using a risk analysis tool that gave you risk results plus or minus a factor of 100. You can sense what it must be like to be Mitman or Loveless seeking to put some situation in rational context.
Stores do not sell imprecise scales, speedometers, and ATMs because no one in their right minds and few with the wrong minds would buy them.
So why is the NRC forcing its dedicated, talented staff to use imprecise risk assessment tools to make “risk-informed” regulatory decisions?
Why indeed.
* * *
UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.