Roy Mathew, Sheila Way, Swagata Som, Gurcharan Singh Matharu, Tania Martinez Navedo, Thomas Koshy, and Kenneth Miller—the NRC Seven— are not names as well known as Scott Carpenter, Gordon Cooper, John Glenn, Gus Grissom, Wally Schirra, Alan Shepard, and Deke Slayton—the Mercury Seven astronauts—but their courage and service to the country are comparable.
The Mercury Seven climbed into space capsules atop vast amounts of highly flammable fuel to be fired out of the earth’s atmosphere.
The NRC Seven filed a petition with their employer seeking to resolve a safety problem affecting every operating nuclear plant in the United States, and the handful of new reactors currently under construction.
The Mercury Seven wore special gear to protect them from the harsh environment they could encounter during their journeys.
Hopefully, the NRC Seven will not encounter a harsh environment in response to their efforts to protect millions of Americans from a longstanding nuclear safety problem.
The key milestones leading to the NRC Seven submitting their petition are summarized below.
Revealing the problem: Byron event on January 30, 2012
As described in Fission Stories #111, the Phase C connection for a three-phase power source to Byron Unit 2 from the plant’s switchyard broke loose and fell to the ground (Fig. 2). The open phase condition was detected, causing the automatic shut down of the reactor.
But the open phase was not detected by the protection system for the two electrical circuits that supply electricity to vital equipment needed to cool the reactor core and perform other safety functions. Those electrical circuits continued to receive electricity from the degraded power source for about eight minutes until workers manually opened breakers to isolate the equipment and trigger automatic switchovers to a reliable power source.
A design vulnerability prevented the protection system from detecting the open phase condition affecting these two vital electrical circuits. The system compared Phase A to Phase B and Phase B to Phase C and required detections from both comparisons to trigger automatic protective actions. The Phase C failure was detected by the Phase B to Phase C comparison, but not by the other comparison. So, no automatic protection measures happened.
The open phase condition did not directly affect the emergency diesel generators. The emergency diesel generators stepped in at Byron to enable workers to sustain cooling of the reactor core.
The NRC calculated that the event at Byron posed a risk of core damage of approximately 1×10-4 per reactor year, or having one reactor meltdown due to an open phase condition every 10,000 years. That sounds like, and is, a low risk. But in nuclear safety, it’s a relatively high number. Risks are typically in the 1×10-6 per reactor year range.
Thus, the open phase condition was about 100 times riskier than risks routinely experienced at nuclear power plants.
Open phase conditions
The main generators at nuclear power plants produce three phase alternating current. Each phase is conducted separately to the main transformer where the voltage and current is adjusted to the needs of the offsite power grid (Fig. 3).
In an open phase condition, one of the three phases fails. That failure could be where the phase is connected at either end, as in the Byron event. Or that failure could occur between the endpoints such as when broken insulation allows a metal wire to contact a nearby piece of metal to short out.
An open phase can occur when the circuit is energized or it can happen when no electricity is flowing through the phases.
Open phase condition consequences
Open phase conditions have different consequences depending on whether the circuit is energized or not.
My parents experienced an open phase condition years ago while they were away on vacation. The line connecting the house’s main power panel to the power line in the neighborhood developed a fault causing an open phase condition. Because they were away on vacation, only small electrical appliances like clock radios were running, with one notable exception—the refrigerator. The open phase condition did not affect the 120 volt electrical circuits that supplied clock radios and other small appliances. But it impaired the 240 volt power supply for larger appliances like the electric stove, clothes dryer, air conditioner, and refrigerator. Of those, only the refrigerator was running during my parent’s absence. The open phase condition meant that the refrigerator was getting 120 volts. The electric motor on the refrigerator’s compressor tried to run, but burned itself out in the effort. The additional electrical current the motor used trying to run tripped the breaker in the house’s main power panel.
Thus, the problem when an open phase condition occurs on an energized circuit is that electrical equipment can be damaged by the degraded power supply unless breakers/fuses operate to isolate the equipment from the problem.
The problem when an open phase condition occurs on a de-energized circuit is different. Federal regulations require nuclear plants have at least two connections to offsite electrical power supplies. When nuclear plants are operating, it is not unusual for one or more of the connections to these offsite power sources to be de-energized in a standby role. Electricity produced by the plant itself is used to power its electrical equipment. If the plant were to suddenly shut down and stop producing electricity, systems are installed to automatically swap in-plant electrical circuits to the offsite power sources.
An open phase condition on a de-energized circuit could result in the in-plant electrical circuits swapping to a “dead” backup.
The bottom line is that an open phase condition could prevent electrical equipment from performing the safety roles needed to prevent or mitigate nuclear plant accidents.
Seeking the extent of condition: July 27, 2012
The NRC sent a Special Inspection Team to investigation the event at Byron. Because the design vulnerability that factored in the Byron event likely affected other nuclear plants, the NRC sent Bulletin 2012-01 to all plant owners in July 2012. The NRC required owners to evaluate their electrical power systems to determine if they had the design vulnerability like the one revealed at Byron. The NRC gave the owners up to 90 days to report the results from their evaluations.
Defining the extent of condition: February 26, 2013
The owners responded to Bulletin 2012-01 during the third week of October 2012. The responses for each nuclear plant are available in the NRC’s online digital library using the following links:
Arkansas Nuclear One (AR)
Beaver Valley (PA)
Braidwood (IL)
Browns Ferry (AL)
Brunswick (NC)
Byron (IL)
Callaway (MO)
Calvert Cliffs (MD)
Catawba (SC)
Clinton (IL)
Columbia Generating Station (WA)
Comanche Peak (TX)
Cooper (NE)
Crystal River 3 (FL)
Dresden (IL)
Davis-Besse (OH)
Diablo Canyon (CA)
Farley (AL)
Fermi 2 (MI)
FitzPatrick (NY)
Fort Calhoun (NE)
Ginna (NY)
Grand Gulf (MS)
Harris (NC)
Hatch (GA)
HB Robinson (SC)
Hope Creek (NJ)
Indian Point (NY)
Kewaunee (WI)
LaSalle (IL)
Limerick (PA)
McGuire (NC)
Millstone (CT)
Monticello (MN)
Nine Mile Point (NY)
North Anna (VA)
Oconee (SC)
Oyster Creek (NJ)
Palisades (MI)
Palo Verde (AZ)
Peach Bottom (PA)
Perry (OH)
Pilgrim (MA)
Point Beach (WI)
Prairie Island (MN)
Quad Cities (IL)
River Bend (LA)
Salem (NJ)
San Onofre (CA)
Seabrook (NH)
Sequoyah (TN)
South Texas Project (TX)
St. Lucie (FL)
Summer (SC)
Surry (VA)
Susquehanna (PA)
Three Mile Island (PA)
Turkey Point (FL)
Vermont Yankee (VY)
Vogtle (GA)
Waterford (LA)
Watts Bar (TN)
Wolf Creek (KS)
The NRC staff reviewed the responses and prepared a memo summarizing the results and recommending next steps. The NRC staff wrote that all plant owners “stated that the relay systems were not specifically designed to detect a single-phase open circuit in a three-phase system.” In other words, all nuclear plants in the U.S. shared the kind of design vulnerability that caused problems at Byron.
As a result, the NRC staff concluded that the plants “may not be in compliance with the existing regulations.” The NRC staff recommended that the NRC take action to require all owners fix the design vulnerabilities at their plants (Fig. 4).
Seeking the solution: 2012-2013
As described in Fission Stories #168, Byron’s owner developed a hardware fix to monitor all three phases for an open phase condition. What impressed me was that the owner offered to provide details of its fix to any other nuclear plant owner—for free.
Spreading the solution: 2013-2015
The NRC staff initiated a number of steps intended to resolve the open phase condition problem at all other nuclear plants. Chief among these steps was developing an “answer key” for plant owners and NRC staff to judge whether the fix at a specific plant is acceptable and drafting the paperwork that would require the owners to implement fixes.
The “answer key” came in the form of an addition to the NRC’s Standard Review Plan for nuclear power plants. The Standard Review Plan articulates applicable regulatory requirements and conveys the NRC’s expectations on what would, and sometimes would not, constitute compliance with the requirements. In this case, the NRC issued Branch Technical Position 8-9 in July 2015.
Developing the implementation paperwork proved more challenging and as yet unachievable. I have been told that the NRC staff drafted the paperwork and distributed it for internal review by appropriate sections of the agency. I was informed that the Office of General Counsel concluded that the paperwork did not satisfy the provisions of the backfit rule. The backfit rule prevents the NRC from imposing regulatory requirements on plant owners unless they are needed for adequate protection of public safety or achieve sufficient safety improvements to justify their cost. The NRC staff revised the draft and re-distributed it for internal review. Once again, the Office of General Counsel concluded that it did not satisfy the backfit rule.
I was told that the NRC staff working on the paperwork was not getting adequate feedback from the Office on General Counsel on how the drafts violated the backfit rule. Thus, they felt it impossible to solve the “secret” concerns no matter how many times they revised the draft.
Side-stepping the stall: February 29, 2016
Seven members of the NRC staff submitted a petition to the NRC seeking to have the NRC order the known design vulnerability at all U.S. nuclear power plants to be remedied. The NRC Seven did not submit the petition as NRC staff members. Instead, they acted as private citizens desperately seeking overdue protection for other private citizens.
Why must seven members of a federal safety regulator take such drastic steps?
Why indeed.
Suppose that seven members of the staff at the Springfield Nuclear Plant near Anytown, USA petitioned the Board of Directors of their company to resolve a nuclear safety problem at the plant. The NRC would quite properly recognize their action as prima facie evidence of a safety culture problem at Springfield needing investigation.
The NRC Seven’s action constitutes prima facie evidence that the NRC has a safety culture problem.
Post updated 3/16/16