Disaster by Design: Safety by Intent #13
Disaster by Design
In 2003, Ohio Citizen Action displayed a large banner beside a primary road used by persons attending the FirstEnergy Board of Directors annual meeting in Cleveland, Ohio. The sentiment in the banner stemmed from years of nuclear neglect at the company’s Davis-Besse nuclear plant outside Toledo, Ohio.
That neglect resulted in a record $5.45 million fine by the Nuclear Regulatory Commission (NRC) as well as stinging indictments of poor oversight performance by the NRC itself. Ohio Citizens Action questioned whether proclamations by the company and the NRC about safety being their foremost priority were contradicted by their woefully inadequate safety performance. Actions may speak louder than words, but inactions often speak the loudest.
A few years later, the North Carolina Waste Awareness and Reduction (NC WARN) distributed bumper stickers questioning whether proclamations by Carolina Power & Light Company (later called Progress Energy and even later called Duke Power) and the Nuclear Regulatory Commission (formerly the Atomic Energy Commission) about nuclear safety being their top (formerly foremost) priority were consistent with their allowing the Shearon Harris nuclear plant to operate for nearly two decades with inadequate fire protection.
In April 2007, the owner of the Indian Point nuclear plant north of New York City applied to the NRC for a 20-year extension of the operating licenses for the Unit 2 and 3 pressurized water reactors. The NRC’s license renewal regulation required the owner to evaluate Severe Accident Mitigation Alternatives (SAMAs)—safety upgrades that could either prevent an accident from happening or lessen the consequences from an accident. Attachment E of the owner’s application provided the required SAMA evaluation.
The SAMA evaluation process started with over 230 candidates. The initial screening weeded out candidates that had already been installed, did not apply (e.g., upgrades to a boiling water reactor that cannot be installed on a pressurized water reactor and vice-versa), were so costly as to clearly out-weigh any benefits, and had such little benefit as to not be justified by even a low to moderate cost. The 68 candidates on Unit 2 and 62 candidates on Unit 3 that passed the initial screening were subjected to an in-depth assessment of their costs and benefits.
Installing a sensor monitoring water level inside the 480-volt switchgear room and an associated alarm in the control room was estimated to cost $200,000 on Unit 2 and $196,800 on Unit 3. This switchgear room housed all the distribution panels connecting safety equipment throughout the plant to electrical power from the offsite grid and the onsite emergency diesel generators. Flooding the room with a few inches of water could plunge the unit into a station blackout—the situation causing disaster at Fukushima. The owner estimated that the flood alarm alerting operators to initiate counter-measures against a station blackout could reduce the risk of reactor core damage by nearly 20 percent for each reactor. The benefits calculated by the owner for the flood alarm were $3.63 million for Unit 2 and $1.98 million for Unit 3, including uncertainties.
The owner told the NRC that 390,550 people live within 10 miles of Indian Point. Installing the flood alarms on both reactors would cost about one dollar per person living within the 10-mile emergency planning zone around the plant. The safety upgrades would cost about two cents each for the 19,228,712 people living within 50 miles of the plant.
Despite having identified safety upgrades that could reduce the reactor core damage risk by nearly 20 percent, deriving benefits at least 10 times greater than their cost, the owner has not installed them. As interpreted by the NRC, the license renewal regulation does not require that owners install safety upgrades they determine to be cost-beneficial, unless the upgrades explicitly involve aging-related degradation. Otherwise, the NRC interprets the regulation to only require that owners do the math.
In May 2015, the Unit 3 switchgear room flooded following the explosion of an electrical transformer located just outside the room. Fortunately, a worker was sent into the room for another reason and noticed water pooling on the floor before its depth got too high. A flood alarm, if installed, would have ensured workers knew about flooding problems in time to avoid disaster.
Safety by Intent
Safety upgrades estimated by the owner to cost a total of $396,800 would reduce the reactor core damage risk by nearly 20 percent for Indian Point Units 2 and 3. The core damage risk for reach unit would be reduced by nearly 20 percent.
Over 19 million people live within 50 miles of Indian Point.
Do these Americans deserve the protection afforded by this cost-beneficial safety upgrade?
Yes! The eyes have it, all 38 million of them.
That’s my two cents’ worth.
Entergy and NRC, where’s your senses?
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.