Disaster by Design/Safety by Intent #22
Disaster by Design
The March 1979 accident at the Three Mile Island nuclear plant near Harrisburg, Pennsylvania showed that the procedures used by workers in responding to accidents could be significantly improved.
Prior to that accident, the procedures forced workers to diagnose the cause of the accident so as to figure out what procedural steps to implement. Even when workers successfully identified the proper cause and embarked down the right response path, the procedures did not help them much when the prescribed equipment was unavailable or malfunctioned.
SAMGs
The solution to this problem came in the Emergency Procedures Guidelines (EPGs) and the Severe Accident Management Guidelines (SAMGs) developed by industry representatives (e.g., the Westinghouse Owners Group consisting of representatives from the reactor vendor and from owners of its reactors). The EPGs contained strategies for measures aimed at preventing damage to the reactor core. The SAMGs contained strategies for measures aimed at minimizing the extent of damage to a reactor core and for minimizing releases to the environment from one.
The strategies employ features like iterations that check and re-check key parameters to retain the focus on current situations and to take advantage of repaired equipment that was unavailable an hour ago but may be helpful in the next hour. The EPGs and SAMGs do not instruct workers how to start a makeup pump—such tactical guidance is contained within system operating procedures and procedures for coping with the loss of a power supply.
The NRC applies considerable resources to ensuring that EPGs have been effectively developed and maintained. The NRC’s efforts include verifying that candidates for reactor operator and senior reactor operator licenses have adequate proficiency, requalification programs for licensed operators retain that proficiency, revisions to EPGs and associated documents sustain their effectiveness, use of EPGs during actual events mitigates their severity, and deficiencies identified in EPGs have been remedied.
By contrast, the amount of time you spent reading the prior two paragraphs is more effort than expended by the NRC checking the adequacy of SAMGs for every—repeat, every—nuclear power plant in the United States last year. In fact, if you skipped reading the prior two paragraphs, you tied the NRC for the amount of time and effort they expended last year verifying SAMGs. The NRC overlooks rather than oversees SAMGs.
Between March 2009 and March 2010, I worked for the NRC as a boiling water reactor technology instructor. My duties included teaching SAMGs to NRC employees seeking certification or recertification as inspectors and reviewers. The first thing I told the students in SAMG class was that they could not inspect SAMGs or assess their effectiveness.
After the March 2011 accident at Fukushima (where workers using EPGs and SAMGs were unable to prevent three reactor cores from being extensively damaged or to prevent tens of thousands of nearby citizens from being evacuated due to the large amount of radioactivity released to the environment), the NRC directed its inspectors to complete an 11-question survey of the SAMGs at each U.S. operating nuclear power plant. The results showed some good news and some bad news.
All the plants had SAMGs. Nearly all (97%) of the plants had SAMGs available in the technical support centers, the command centers for responding to accidents. At 92% of the plants, workers received training on the SAMGs and their use. Copies of the SAMGs were available in the control rooms at 89% of the plants.
Workers were periodically re-trained on the SAMGs and their use at only 77% of the plants. The SAMGs were updated to reflect modifications to the plant at only 75% of the plants. Emergency exercises including use of the SAMGs have been conducted at only 60% of the plants. And fewer than half (47%) of the plants apply administrative controls to SAMGs that require them to be maintained up to date.
A damaged reactor core can produce large amounts of hydrogen gas, as was dramatically demonstrated by the hydrogen explosions that demolished the reactor buildings for Fukushima Daiichi Unit 1, Unit 3, and Unit 4. The NRC’s survey found that the SAMGs for the Watts Bar Unit 1 reactor in Tennessee had the operators turn on hydrogen recombiners to prevent such bad outcomes. The problem with that strategy is that the plant owner stopped testing and maintaining the hydrogen recombiners and had plans to physically remove the broken, non-maintained components. But, Watts Bar sure had SAMGs. Watts Bar just lacked SAMGs that would be helpful in mitigating a severe accident should one occur.
Safety by Intent
What’s changed since the Fukushima accident? The owners of Diablo Canyon, Grand Gulf, Susquehanna, Salem, South Texas Project, Pilgrim, and all other U.S. nuclear plants have submitted letters to the NRC committing to maintain SAMGs. Will this be déjà vu all over again with 100% of the plants having SAMGs but fewer than half keeping them up to date and useful? Time will tell.
One key difference this time around is that the owners and the NRC seem to have negotiated a middle ground between past practices of considerable NRC oversight of EPGs and considerable NRC overlook of SAMGs. The commitment letters submitted to the NRC by the owners contain boilerplate language similar to this paragraph:
It is expected that NRC staff personnel will conduct periodic inspections of the [plant name] SAMGs and performance deficiencies, if any, will be assessed using the Reactor Oversight Process. [Plant owner] also understands that inspection activities will not extend to NRC review and approval of SAMG strategies, or the use of equipment described in the SAMGs.
If there’s no requirement that workers be trained or retrained on use of the SAMGs or to include SAMG scenarios during periodic exercises, there could be no performance for the NRC to judge. And if there’s no performance, there can be no performance deficiencies—until a hydrogen explosion during an actual emergency tries to launch a containment building roof into orbit. Then, and perhaps only then, might the NRC use its Reactor Oversight Process to figure out whether a roof launch warrants a green or white finding.
SAMGs are intended to protect people and the environment during a severe accident. The NRC needs to ensure, not merely hope, that SAMGs can reliably rise to that challenge—or get a more accurate tag line.
—–
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.