Disaster by Design/ Safety by Intent #48
Safety by Intent
Oconee Flood Protection Issue
In August 2006, NRC inspectors identified a deficiency in a flood protection measure at the Oconee Nuclear Station in South Carolina. Specifically, the inspectors discovered that workers removed a 6-inch by 10-inch panel in the 5-foot tall flood wall around the Standby Shutdown Facility (SSF) to allow temporary cables to be used during a modification. When the work was completed and the cables removed, the panel was not re-installed.
The SSF houses power supplies and emergency equipment that provide core cooling for all three Oconee reactors during certain accidents. The opening in the flood wall could have allowed water to enter the SSF and submerge the equipment, disabling it. The NRC’s preliminary determination was that the problem warranted a white finding.
The owner contested the white finding in October 2006 on grounds that the lower end of the opening is 4.71 feet above the ground and no credible flood could cause water to rise high enough to flow through the opening to threaten the equipment inside the SSF. The NRC considered the argument, then decided against it and issued the white finding in November 2006.
The owner appealed the white finding in December 2006 on largely the same grounds that the NRC had considered and rejected. The NRC formed a five-member panel to review the owner’s appeal. In February 2007, the NRC panel recommended that the appeal be denied. The NRC notified the owner on March 1, 2007, that the appeal was denied.
The owner appealed the denial of the first appeal in May 2007 on largely the same grounds that it had unsuccessfully trod twice before. Once again, the NRC formed another panel to handle the appeal.
The flood of appeals forced the NRC to closely examine the design basis flood event for Oconee. Included in the mix of things that could inundate the Oconee site was the failure of the Jocassee Dam, upriver about 20 miles. The NRC discovered that the owner made a mistake when calculating the probability of the dam’s failure—the dam’s failure was more than 10 times more likely than the owner had calculated. The NRC denied the second appeal in November 2007 to let the white finding stand.
But the owner’s failed appeals resulted in far more than a white finding. Along the way, the NRC discovered a larger problem than a 6-inch by 10-inch opening in a 5-foot tall flood wall. The NRC learned of a study completed in the early 1990s showing that Jocassee Dam’s failure could inundate the Oconee site up to 16.8 feet and cause the meltdown of all three reactors, rendering the presence or absence of a hole in a 5-foot tall flood wall somewhat moot. The NRC mandated in August 2008 that the owner respond, under oath or affirmation, with information explaining how Oconee is adequately protected against floods. The owner responded to the NRC’s mandate in September 2009.
The NRC sat down with the owner in November 2008 about flood protection deficiencies at Oconee. The NRC informed the owner that its response to the NRC’s mandate was “insufficient.” The NRC seemed more than a little perturbed by the owner’s insistence that Oconee could not possibly be inadequately protected against flooding caused by failure of the Jocassee Dam, because Oconee did not legally have to be protected against dam failures.
The owner and the NRC discussed and debated the matter until they agreed upon 15 compensatory measures to be taken at Jocassee and Oconee to reduce the chances of the dam’s failure and increase the chances of Oconee surviving a flood. The NRC issued a Confirmatory Action Letter in June 2010 requiring that the 15 measures be taken. Some of the measures sought to make the Jocassee Dam’s failure less likely. The remaining measures sought to make Oconee less vulnerable to flooding if the dam failed.
The three circles in Fig. 1 to the left of the #3 arrow in the map of the Oconee site represent the three reactor containment buildings. The Keowee Dam and Lake Keowee are to the upper right. The Jocassee Dam is about 20 miles upriver to the north. The measures taken at the site include the #2 arrow pointing out a diversion wall built where the plant draws water from Lake Keowee and the #4 arrow pointing out protection added to the embankment on the site side of the plant’s main structures.
The picture of the diversion wall in Fig. 2 has Lake Keowee to the right and the plant’s main buildings to the left. As suggested by the hill in the background, the topography would direct water rushing downriver from a Jocassee Dam failure through this area towards the plant. This added wall seeks to redirect that charging flow back towards the river channel to lessen the surge depth at the site.
The water rushing downriver from a Jocassee Dam failure, supplemented by the flow redirected by the diversion wall, would strike the embankment between the river and the plant’s main buildings appearing in the background of the photograph. Large rocks were placed on the embankment for scour protection to prevent this rushing flow from eroding and undercutting the site’s foundation.
Bellefonte Flood Protection Issue
Construction of two pressurized water reactors for the Bellefonte nuclear plant near Scottsboro, Alabama began in the mid-1970s. Construction was suspended in the mid-1980s due to financial pressure on the owner and decreased demand for electricity. On October 30, 2007, the owner requested permission from the NRC to resume construction of new pressurized water reactors at Bellefonte—but not the two it had partially constructed. The owner proposed to build two new reactors at the same site. In 1998, the owner re-evaluated flooding of the river due to heavy rainfall or upriver dam failures due to earthquakes. The owner included results from this study in its application to the NRC to build and operate the two new reactors at Bellefonte.
The NRC sent a team of inspectors to the site in February 2008 to review the plans for the new reactors at the old site. The NRC team identified three violations of regulatory requirements:
(1) the owner could not show that the computer code used to model postulated flooding events had been verified and validated,
(2) the owner could not find some of the source input data to the computer code, and
(3) the owner could not find documentation about some of the modifications at upriver dams that allegedly made them more resistant to earthquake forces and less vulnerable to failure during heavy rainfall events.
The owner’s flood re-evaluation affected more than the proposed two new reactors at Bellefonte—it potentially affected seven other reactors by the same owner on the same river: the two reactors each at Watts Bar and Sequoyah in Tennessee and the three reactors at Browns Ferry in Alabama. The NRC expanded its interest from Bellefonte and identified flood protection deficiencies at Watts Bar and Sequoyah that it required the owner to remedy.
Fort Calhoun Flood Protection Issue
As described in an All Things Nuclear post, the NRC identified in July 2010 several deficiencies in protective measures against flooding at the Fort Calhoun nuclear plant (Nebraska). The owner attempted to justify the configuration as-is, largely on grounds that the plant had operated for over three decades without experiencing a flood requiring the protections the NRC deemed inadequate. The NRC considered that argument, then decided against it and issued a yellow finding in October 2010. (For context, the NRC issued 827 findings to plant owners during 2010 and only two were yellow in the green, white, yellow, and red hierarchy; it issued no red findings that year.) The NRC pointed out that the flood barriers and related measures were installed for protection against the postulated failure of upriver dams, and the fact that the dams had not yet failed had little relevance to the acceptability of deficient barriers.
The NRC’s identification of the flood protection deficiencies and its strong inducement for the owner to remedy them expeditiously came in handy when Fort Calhoun literally became an island in the Missouri River in June 2011.
Nationwide Flood Protection Issues
Prior to a flood in March 2011 causing three reactors at Fukushima Daiichi in Japan to melt down, the NRC discovered from Oconee, Bellefonte, and Fort Calhoun that protection against flooding hazards might not be as reliable and robust as necessary. On July 19, 2010, the NRC initiated Generic Issue 204 (GI-204), “Flooding of Nuclear Power Plant Sites Following Upstream Dam Failures.” The NRC was conducting due diligence for GI-204 (i.e., researching postulated floods and associated protections to assess which reactors might have what vulnerabilities) when Fukushima happened. The NRC finished its screening study for GI-204 in July 2011 and accepted GI-204 as a generic issue in February 2012. The GI-204 effort helped inform the NRC’s decision-making about steps to be taken to reduce flooding vulnerabilities, the potential consequences of which had been vividly revealed by the Fukushima disaster.
Overcoming Nuclear Safety Inertia
Isaac Newton’s first law of motion states that a body at rest will remain at rest unless an outside force acts upon it, while a body in motion at a constant velocity will remain moving in a straight line unless acted upon by an outside force. The first part of the law speaks about inertia; the latter part speaks about momentum.
A common nuclear safety trap is inertia, or tradition. When a safety question is raised, it is tempting to dismiss it on grounds that things must be okay because it’s long been that way. Justifying something due to tradition relies on two assumptions: (1) that the original way was right, and (2) that the original way remains right despite the passage of time that could render right back then wrong now. Many yield to the temptation of leaving the status quo alone.
The NRC avoided the inertia trap. Oconee had been operating for years when the NRC determined its longstanding flood protections were insufficient. Old reactors at Bellefonte had already been approved by the NRC for flood depths comparable to the levels calculated by the owner for the new reactors, but the NRC demanded better. And the fact that Fort Calhoun had not been flooded during the past three decades gave the NRC insufficient comfort about its future. The NRC was the outside force needed to remedy safety unrest at these sites.
And the NRC’s force was applied beyond these three plants. The NRC applied it to the other reactors also owned by Bellefonte’s owner and was on its way to applying it to additional reactors in need when Fukushima demonstrated the need for the NRC’s force multiplier.
Disaster by Design
Floods pose dire hazards to nuclear power plant safety for two reasons. First, flood waters can submerge and disable primary safety systems and their backups. Flooding can thus breach multiple barriers in the defense-in-depth approach to safety. Second, flood waters can impair efforts by workers to compensate for disabled systems and breached barriers.
The one-two punch of knocking out installed systems and impairing manual compensatory measures makes floods a genuine risk to be reckoned with.
UCS’s Disaster by Design/ Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.