Disaster by Design/ Safety by Intent #43
Disaster by Design
There are currently two empty positions on the five-member Nuclear Regulatory Commission (NRC). If comedian Jeff Foxworthy were nominated and confirmed to become a Commissioner, one wonders how he would finish the nuclear safety equivalent of his “redneck” routine:
You might be operating an unsafe reactor if …
This Ending Intentionally Blank
The NRC, at least during the last decade of the 20th century and so far in this 21st century, has never seen an unsafe reactor. Not once.
The NRC often claims they would shut down an unsafe reactor. Perhaps they would. But they’ve not spotted an unsafe reactor in nearly three decades. They suspected they saw an unsafe reactor about 15 years ago, but changed their mind(s).
So, it’s not that the NRC would fail to shut down an unsafe reactor. But it’s been so long since they spotted one, they seem to have forgotten what they look like.
Last NRC Sightings of Unsafe Reactors
Just under 30 years ago, the NRC spotted an unsafe nuclear reactor. Actually, they spotted two unsafe nuclear reactors. Well, both were at the same plant. So, the NRC spotted an unsafe nuclear plant that was operating two unsafe reactors. The NRC did not like it one bit. Or two bits (since there were two reactors.)
By March 31, 1987, the NRC had seen more than enough. It issued an order shutting down the Unit 2 and Unit 3 reactors at the Peach Bottom Atomic Power Station in Pennsylvania (the Unit 1 reactor had permanently shut down in 1974). The order cited evidence dating back more than a year leading to its determination that the reactors might be unsafe:
“Pending the development of other relevant information, I am unable to determine that there is reasonable assurance that the facility will be operated in a manner to assure that the health and safety will be protected. Accordingly, I have determined that continued operation of the facility is an immediate threat to the public health and safety. Therefore, I have determined that the public health, safety and interest requires that the Licensee should proceed to place or maintain its units in a cold condition.”
It took the plant’s owner more than two years to remedy the many safety shortcomings before it received the NRC’s authorization to restart the reactors that had been an immediate threat to public safety. Peach Bottom Unit 2 remained shut down until May 22, 1989, while Unit 3 remained shut down until December 11, 1989.
March 1979 is best known within nuclear power circles for the problem late in the month that resulted in the reactor core at Three Mile Island Unit 2 melting down. But in the middle of the month, the NRC ordered five nuclear power reactors to be shut down: Beaver Valley Unit 1 (PA), Surry Units 1 and 2 (VA), FitzPatrick (NY), and Maine Yankee (ME). During a press conference held March 13, 1979, Harold Denton, the Director of the NRC’s Office of Nuclear Reactor Regulation, told reporters:
The order requires them [the five reactors] to cease operation, to reanalyze the plant, using a code that doesn’t have this defect in it, and to make the modifications indicated by the reanalysis.
The reason they were being shut down is because they don’t meet the Commission’s regulation. The Commission has a specific regulation that says how components such as these must be designed to cope with events such as earthquakes. … I think the real likelihood given an earthquake of a major pipe break and no cooling is low. We did conclude that without the proper analysis, these plants do not meet the Commission’s regulations.
I based this decision on the need to provide the type of protection of the public health and safety that the Commission’s regulations require.
All five reactors restarted after the NRC verified that the safety shortcomings had been remedied.
Yes, Virginia (Pennsylvania, New York, and Maine, too), there was a nuclear safety regulator.
Semi-Sighting of Unsafe Reactor at Davis-Besse
In fall 2001, the NRC thought that it had spotted another unsafe reactor. That spring, workers at the Oconee nuclear plant in South Carolina discovered that reactor cooling water had leaked from metal tubes, called Control Rod Drive Mechanisms (CRDM) nozzles, that pass vertically through the domed upper head on the reactor vessel.
The NRC examined the factors contributing to the leak at Oconee and determined that 12 of the 69 pressurized water reactors either had a history of such leaks or were highly susceptible to having them. In August 2001, the NRC required the CRDM nozzles to be inspected at these vulnerable reactors by the end of 2001.
The CRDM nozzles could not be inspected while the reactor operated. The Davis-Besse reactor in Ohio was not scheduled to shut down until April 2002. Its owner told the NRC that it would not inspect the CRDM nozzles by the end of 2001 as the NRC directed, but would do so during the spring 2002 refueling outage.
The NRC thought that Davis-Besse might be unsafe based on strong circumstantial evidence. The NRC staff drafted an order to require Davis-Besse to be shut down by December 31, 2001, and notified its Commission of its intent to issue the order.
But the mirage, delusion, hysteria or whatever that momentarily tricked the NRC staff into suspecting that Davis-Besse might be unsafe passed and the draft shutdown order was shelved. When briefing the NRC Executive Director for Operations (EDO) about its changed decision regarding the shutdown order, the NRC staff pointed to the five safety principles in Regulatory Guide 1.174, the guidance developed specifically for making risk-informed decisions. Three of the five were clearly not met, another probably was not met, and the fifth could not be determined until the inspection was performed. Based on the fact that NONE of the five safety principles were known to be met and three were known to be violated, the NRC staff changed its view on Davis-Besse. The reactor was deemed safe enough to continue operating into 2002.
When Davis-Besse was finally shut down and the delayed inspection finally conducted, the results were ugly. The NRC determined the reactor came closer to meltdown than any other reactor since the Three Mile Island accident in March 1979. Davis-Besse remained shut down for over two years as an army of workers fixed a long list of safety problems.
NRC Lacks Criteria to Determine if an Operating Reactor Might be Unsafe
The Congress tasked the U.S. General Accounting Office (GAO, now called the Government Accountability Office) with evaluating how the NRC handled Davis-Besse.
The GAO report was issued in May 2004 and concluded, among other things, that NRC lacked criteria for determining when an operating reactor might be unsafe and its shutdown warranted.
What’s different today? Now it is 2016.
NRC Has Criteria to Determine if a Shutdown Reactor Might be Safe to Restart
Unable to find criteria used by the NRC to determine whether an operating reactor might be unsafe, I sought the criteria used by the NRC in determining whether a shutdown reactor can be safely restarted. I figured I could work backwards from the restart criteria to develop the shutdown criteria.
Restart criteria readily exist. As shown in the table, there have been 52 times when a U.S. reactor was shut down for a year or longer. The NRC often issued Confirmatory Action Letters or Restart Checklists that documented the To Do lists for plant owners en route to NRC’s authorization to restart.
But I discovered that my underlying assumption was just plain false. I’d naively assumed that the criteria used by the NRC to judge when a shutdown reactor could safely restart would at least approximate the criteria to be applied in determining when an operating reactor should shut down.
Seeking to confirm my assumption, I wrote the NRC about several reactors then in prolonged shutdowns fixing safety problems and requiring NRC’s approval to restart, and asked:
“If these plants are not safe enough to operate today, does the NRC think that these plants were operating safely in the days and weeks prior to their being shut down?”
I would have bet that the NRC would have answered no, because ‘unsafe’ was the only logical label for a reactor that cannot be safely restarted without completing a long list of safety upgrades. But I was wrong:
“Although the causes of the extended shutdowns for each of the Millstone, Salem, and Maine Yankee units existed before the shutdown of the facilities, the NRC considers that the plants were operating safely before they were shut down because of the protection afforded by the defense-in-depth philosophy. Stated otherwise, although there are safety equipment deficiencies at each of these facilities, the conservatism provided by the multiple levels of design and operating requirements reasonably assured that there was no undue risk to public health and safety and the NRC did not find it necessary to require the shutdown of the plants to protect public health and safety. However, the resulting reductions of the margin of safety led the staff to conclude that correction of the problems is called for before the restart of the plants.”
Consider Davis-Besse. The reactor was shut down on February 16, 2002, and did not restart until March 16, 2004. This shutdown lasted 25 months not because workers were lollygagging. Nope, it took that long for workers to complete the 29 safety fixes the NRC required before it would allow the reactor to restart.
(NOTE: Fig. 7 only shows a dozen of the 29 fixes required by the NRC.) The NRC levied a record $5.45 million fine on Davis-Besse’s owner for violating safety regulations.
And the NRC considers Davis-Besse to have been operating safely on and before February 15, 2002. Wonder how much the NRC would have fined the owner had it considered Davis-Besse to have been “unsafe?”
NRC Wants to Regulate Less More Often
The NRC is now conspiring with the nuclear industry on a scheme to have the NRC regulate less and permit “unsafe” reactors to operate more often. For while the GAO found that the NRC lacks criteria to shut down operating reactors, the NRC has a few black & white criteria that trigger reactor shut downs. The NRC isn’t planning to eliminate these triggers; they are just working on ways to essentially ignore them so the reactors can continue operating.
The operating licenses issued by the NRC for reactors contain technical specifications (called tech specs). The tech specs have Limiting Conditions for Operation (LCOs) that establish the minimum complement of safety equipment required for the reactor to operate. For example, the LCOs define how many emergency diesel generators are required as well as the minimum amount of fuel oil that must be available for them.
The LCOs also define how the reactor can continue to operate without the minimum complement of safety equipment. An LCO may provide 3, 7 or 30 days to restore equipment to the minimum complement. If the clock runs out, LCO 3.0.3 requires the reactor to be shut down (i.e., enter MODE 3) within hours.
During a Commission briefing on July 7, 2016, the NRC staff explained their plan for replacing this short-term limit on reactors operating with less than the minimum complement of safety equipment with a limit of up to four years.
Commissioner Jeff Baran questioned the NRC staff on its plan.
Commissioner Baran: “As I understand it, the NRC is developing a process to disregard the tech spec completion deadlines for low-risk compliance issues and, instead, develop compensatory measures and extended deadlines for eventual compliance with the tech specs. Is that right?”
NRC Staff: “I don’t know if I would characterize it that way.”
Commissioner Baran: “You didn’t characterize it that way, but is there anything about my characterization that’s inaccurate?”
NRC Staff: “Okay, but, yes, we are looking at basically extended completion times.”
Commissioner Baran: “Well, let me ask, the extended deadlines you’re talking about are up to four years, that’s what you’re contemplating?”
NRC Staff: “We – yes, we have considered putting a backstop on it of up to four years.”
And the Commissioner went on to point out that the NRC’s plan would exclude the public from the “secret” deal negotiated between the NRC and the industry:
Commissioner Baran: “If there’s a tech spec that says, you know, in the case of a system being inoperable, it needs to be corrected in 30 days or you shut down. … So now, you don’t get 30 days, you get a year, you get two years, you get four years. … We just changed our regulatory requirements and it sounds like we changed it without having a license amendment as to the deadline for completion of the tech spec efforts. So, you don’t have public participation in that process because it’s not a license amendment process. I guess, you know, I’ll just stop there because I’m over [ironically, his time limit for questioning the NRC staff]. I have serious concerns about this effort.”
The operating licenses are issued following an open licensing process during which members of the public can intervene to contest LCOs they believe to be too lax. The license issued following that open process defines LCO durations.
But now the NRC staff and the industry it pretends to regulate seek to subvert that open licensing process by a closed, non-public process which transforms short limits into multi-year non-limits.
I share Commissioner Baran’s concerns. The NRC staff can do better than turning its collective backs on public safety and public participation.
Safety by Intent
What is more useless?
A speedometer with a pointer but no numbers? Or a speedometer with numbers but no pointer?
It’s a trick question like which eye would you rather get poked?
A useful speedometer requires both a pointer and a numbered scale.
Similarly, a useful regulatory construct requires both numbers that define safety and the means to monitor performance against the safety scale.
But a useful speedometer also requires a responsible driver who slows down when the speedometer indicates travel above posted limits, and who seeks repair of a speedometer that fails to indicate above 0 mph despite rushing along a highway.
Similarly, a useful regulatory construct requires a responsible regulator that takes steps to stop reactors operating outside safety bounds, and that seeks to repair missing and errant safety signals.
Perhaps the NRC needs to reframe its decision-making process. Instead of pondering whether an operating reactor might be unsafe and warrant shutting down, the NRC should ponder whether the reactor, if it were shut down, could be safely restarted.
UCS’s Disaster by Design/Safety by Intent series of blog posts is intended to help readers understand how a seemingly unrelated assortment of minor problems can coalesce to cause disaster and how effective defense-in-depth can lessen both the number of pre-existing problems and the chances they team up.