Disaster by Design: Safety by Intent #8
Disaster by Design
Individuals applying for health insurance are often asked to first undergo a medical examination. The premium rates charged by insurance companies for health care coverage are established based on statistics. If an individual has a pre-existing condition (like a festering gunshot wound to the abdomen), that person might require more medical attention than the statistics would otherwise suggest. Insurance companies rely on medical examinations to lessen the “surprise factor” of pre-existing conditions and set premium rates that provide the coverage the customers need and the profit the companies need.
Longstanding nuclear safety impairments are pre-existing conditions that undermine the plant’s health. The testing and inspections conducted by plant workers and the Nuclear Regulatory Commission’s inspectors are intended to ferret out and remedy pre-existing conditions to preserve the acceptable health level. But the efforts too often fail to achieve that objective. We documented the many pre-existing safety impairments that have caused more than 50 year-plus outages at U.S. nuclear power reactors in our Walking a Nuclear Tightrope report. The following abridged list of case studies illustrates this recurring situation.
Millstone (CT)
A TIME magazine cover story in March 1996 on the safety issues raised by George Galatis put a national spotlight on many longstanding problems at the Millstone nuclear plant and also on the NRC’s chronic inability to compel their resolution. All three reactors at Millstone were shut down to fix the safety problems (Fig. 1).
The number and scope of problems on Unit 1, the oldest and smallest of the Millstone reactors, proved too costly for its owners—the reactor never restarted.
While Unit 3 had the second most problems to fix, it was also the newest and largest of the Millstone reactors. The owner focused the army of workers it had brought in on eliminating the many significant pre-existing safety impairments there first. Unit 3, which was shut down on March 30, 1996, was restarted on July 1, 1998. It took 2.3 years to resolve enough of the safety impairments for the NRC to permit the reactor to resume operating.
The owner then shifted the focus to Unit 2. It took about another year for the army of workers to eliminate enough of its significant safety impairments. Unit 2, which was shut down on February 20, 1996, was restarted on May 11, 1999, after an extended refueling outage lasting 3.2 years.
Salem (NJ)
Both reactors at the Salem nuclear plant were shut down in mid-1995 due to safety impairments: not just a safety problem or two, but literally dozens of longstanding safety impairments.
The Restart Issue Checklist is only the final page in the NRC’s Restart Action Plan for Salem (Fig. 2). It lists 11 of the 43 safety problems that prevented the Salem reactors from restarting.
Issues 34, 35, 36, and 38 involved impairments of the Safety Injection (SI) system. The Safety Injection system provides makeup water to the reactor vessel during an accident to protect the reactor core from damage from inadequate cooling. Issue 39 involved inadequate resolution of problems in the plant’s switchyard—its connection to the offsite electrical power grid. These issues, and 32 other safety problems, kept Unit 1 shut down between May 16, 1995, and April 20, 1998, and Unit 2 shut down between June 7, 1995, and August 30, 1997.
DC Cook (MI)
Both reactors at the DC Cook plant were shut down on September 9, 1997, after an NRC inspection team uncovered a design problem with the units’ ice condenser containments. It took months to fix the containment problem (which had existed since the reactors began operating more than two decades earlier), and that time gave workers and NRC inspectors ample opportunity to find many more safety impairments. Unit 2 restarted 2.8 years later on June 25, 2000. Unit 1 restarted 3.3 years later on December 21, 2000.
Davis-Besse (OH)
Davis-Besse shut down on February 16, 2002, for a refueling outage. This refueling outage had originally been scheduled to start about six weeks later, but the owner agreed to move up the outage’s start date to allow workers to examine a part that had failed at another nuclear plant with a very similar design. Workers not only found that part broken; they also found many other, unrelated safety problems.
In its presentation to the NRC on February 17, 2004, describing all the safety fixes implemented at Davis-Besse, the owner also described the many breakdowns in its programs and oversight that had allowed so many safety impairments to accumulate over so many years (Fig. 3).
The NRC was satisfied with both the resolution of the many safety impairments and with the process fixes to the programs and oversight and allowed the plant to restart.
Davis-Besse restarted on March 16, 2004, after an outage lasting 2.1 years.
Fort Calhoun (NE)
Workers shut down the Fort Calhoun nuclear plant on April 9, 2011, to enter a scheduled refueling outage. The many safety impairments identified during the outage delayed restart until December 21, 2013, more than 32 months later.
Many of the problems had impaired safety at the plant for decades; some even dated all the way back to the plant’s construction in the late 1960s and early 1970s. Some of the safety impairments involved high-risk systems, like the emergency diesel generators, that had been tested and inspected dozens, if not hundreds, of times by workers and NRC inspectors. Yet all these tests and inspections failed to reveal these many pre-existing safety impairments.
Safety by Intent
If an insurance company learned that a specific doctor often failed to identify pre-existing conditions, so that the company ended up reimbursing far more in health care costs than that doctor’s examination reports had suggested was possible, the company would likely stop using that doctor.
The more than 50 year-plus reactor outages described in our Walking a Nuclear Tightrope report strongly suggest that the nuclear industry and the NRC need to change their examination procedures.
When a long-standing safety impairment is finally revealed, that nuclear plant’s owner should formally review its testing and inspection regimes to determine whether different methods and/or different frequencies could have found the impairment sooner. Likewise, the NRC should formally review its oversight protocols to determine whether its audits could be made more effective.
Pre-existing conditions can also indirectly undermine safety levels. Disaster by Design/Safety by Intent #5 described the online maintenance practice within the nuclear industry, in which safety equipment is intentionally disabled for testing and inspection while the reactor continues operating. This practice relies on the assumption that the equipment remaining in service will successfully perform the safety function of the component whose parts are strewn across the floor. But pre-existing conditions in that remaining equipment can render the assumption false and leave the reactor vulnerable.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how addressing pre-existing problems can lead to a more effective defense-in-depth protection.