My name is David Lochbaum. I have been the
Nuclear Safety Engineer for the Union of Concerned Scientists (UCS) since
October 1996. Prior to joining UCS, I spent more than 17 years in the industry
on the startup and operation of nuclear power plants. UCS, established in 1969, seeks to ensure
that all people have clean air, energy and transportation, as well as food that
is produced in a safe and sustainable manner. We have
worked on nuclear plant safety issues for nearly 30 years. In fact, far too
many of the safety issues that I work on today were also worked on by my
predecessor, Robert Pollard, and his predecessors, Daniel Ford and Henry
Kendall. This experience convinces us that the United States should not
consider an expanded role for nuclear power until we achieve something that we
have never had—namely, a consistently effective regulator.
The Nuclear Regulatory Commission (NRC) has
exclusive responsibility for regulating safety at US nuclear power plants. That
the last US reactor meltdown happened 22 years ago (Three Mile Island) is
circumstantial evidence that the NRC is not always an inept regulator. On the
other hand, there is mounting circumstantial evidence in areas such as nuclear
plant license renewal, steam generator tube cracking, risk-informed regulation,
and nuclear plant security indicating that the NRC is not always an effective
regulator either. These warning signs are described in the following sections.
Nuclear Plant License Renewal
The NRC currently approves a 20-year
extension to the original 40-year license for a nuclear plant after its owner
"demonstrates that a nuclear power plant facility's structures and
components requiring aging management review in accordance with §54.21(a) for
license renewal have been identified and that the effects of aging on the
functionality of such structures and components will be managed to maintain the
CLB [current licensing bases] such that there is an acceptable level of safety
during the period of extended operation."[1]
In theory, this demonstration seems like a solid basis for continued safe
operation. In reality, this demonstration amounts to little more than a
paperwork exercise that is frequently contradicted by actual experience. Since
the beginning of the 21st century, at least eight nuclear power
plants have been forced to shut down due to equipment failures caused by aging:
1.
March 7, 2000: The owner reported that Nine Mile Point
Unit 2 in New York had automatically shut down when the system controlling the
level of water over the reactor core failed. The owner attributed the failure
as "Specifically, the
manual-tracking card failed to provide an output signal when the feedwater
master controller was switched from automatic to manual mode of operation … The
manual-tracking card failed due to aging."
[emphasis added]
2.
March 14, 2000: The owner reported that Catawba Unit 1
in South Carolina had automatically shut down due to an inadvertent electrical
ground problem. The owner reported "A
detailed failure analysis determined that the root cause of the connector
failure was the misapplication of the connector insert insulating material
which is made of neoprene. … The neoprene insert at the failure point on the
connector exhibits signs of accelerated
aging [emphasis added]. The inserts are hardened and there are charred
deposits on the end of the inserts which are indications of electrical
tracking."
3.
March 17, 2000: The owner reported that Indian Point
Unit 2 in New York had been forced to declare an emergency condition and shut
down after a steam generator tube failed and resulted in approximately 19,197
gallons leaking from the reactor coolant system. The owner stated
"Preliminary analysis indicates that the cause of the tube failure is
primary water stress corrosion cracking (PWSCC)" [i.e., aging].
4.
March 27, 2000: The owner reported that Catawba Unit 2
in South Carolina had automatically shut down due to an inadvertent electrical
ground problem. The owner reported "A
detailed failure analysis determined that the root cause of the connector
failure was the misapplication of the connector insert insulating material
which is made of neoprene. … The neoprene insert at the failure point on the
connector exhibits signs of accelerated
aging [emphasis added]. The inserts are hardened and there are charred
deposits on the end of the inserts which are indications of electrical
tracking."
5.
September 12, 2000: The owner reported that Oyster Creek
in New Jersey had been forced to shut down because a system needed to provide
containment integrity had failed a periodic test. The owner determined "The cause of the degradation in Secondary Containment
was age-related degradation
[emphasis added] of the automatic ventilation exhaust valve seals."
6.
September 27, 2000: The NRC reported that Diablo Canyon
Unit 1 in California had automatically shut down after an electrical
transformer failed and interrupted the supply of electricity to the reactor
coolant pumps. The NRC stated "The
licensee's evaluation concluded that a center bus bar overheated at a splice
joint, which caused a polyvinyl chloride boot insulator over the splice joint
to smoke. Eventually, heat-induced failure of fiberglass insulation on adjacent
phases resulted in phase-to-phase arcing" [i.e., aging].
7.
February 16, 2001: The owner reported that North Anna
Unit 2 in Virginia had been forced to shut down due to leakage exceeding ten
gallons per minute from the reactor coolant system. The owner determined "The cause of the stem packing material failure below
the lantern ring is attributed to aging"
[emphasis added].
8.
April 2, 2001: The
owner reported that San Onofre Unit 3 in California automatically shut down
after an electrical breaker failed and started a fire. The failed breaker was
reportedly 25 years old and scheduled for inspection next year. The owner "will implement modifications to
appropriate preventative maintenance
[emphasis added] procedures to address the apparent failure causes."
Aging management programs are intended to
monitor the condition of equipment and structures and implement repairs or
replacements when necessary to prevent failures. The cited aging-related
failures, occurring about once every 60 days, indicate beyond reasonable doubt
that the aging management programs are inadequate because they are not
preventing equipment failures. The NRC must ascertain the effectiveness of
aging management programs—not merely the scope of these programs—before
granting license extensions.
Steam Generator Tube Cracking
Dr. Joram Hopenfeld, who recently retired
from the NRC staff, raised concerns about the integrity of steam generator
tubes to his management nearly ten year ago. The agency—which steadfastly claims that safety is its top
priority—essentially ignored them until an accident last year at Indian Point
2. The ensuing public outcry and Congressional attention resulting from that
accident, which was initiated when a cracked steam generator tube failed,
forced the NRC to dust off Hopenfeld's concerns and finally look into them. The
NRC asked its ACRS to evaluate the decade-old concerns.
The NRC's Advisory Committee on Reactor
Safeguards (ACRS) issued a report in February 2001.[2]
The ACRS substantiated many of Dr. Hopenfeld's concerns. For example, the ACRS
concluded:
ú
"The techniques [used to look for cracked steam
generator tubes] are not nearly so reliable for determining the depth of a
crack, and in particular, whether a crack penetrates through 40% of the tube
wall thickness." [NRC's regulations do not allow a nuclear plant to start
up with any steam generator tube cracked more than 40 percent of its wall
thickness, but the methods used to inspect the tubes for cracks cannot reliably
determine the depth of cracks.]
ú
"The NRC staff acknowledged that there would be
some possibility that cracks of objectionable depth might be overlooked and
left in the steam generator for an additional operating cycle." [Exactly
what actually happened at Indian Point 2 to cause last year's accident.]
ú
"Both the [NRC] staff and the author of the DPO
[Dr. Hopenfeld] agree that the alternative repair criteria [used by the NRC staff
to allow nuclear plants to continue operating with steam generator tubes known
to be cracked] increase the probability of larger primary-to-secondary flows
during the MSLB [main steam line break] and SGTR [steam generator tube rupture]
accidents."
ú
"The [ACRS] also finds that this contention of the
DPO [namely, that an accident at a nuclear plant with cracked steam generator
tubes could cause those tubes to completely break] has merit and deserves
investigation."
ú
"This seems to be a plausible contention [that an
accident at a nuclear plant with cracked steam generator tubes could widen the
cracks and result in larger leakage], and the staff has not produced analyses
or test results to refute it."
ú
"The [ACRS] concluded that the issue of the
possible evolution of severe accident to involve gross failure of steam
generator tubes and bypass of the containment is not yet resolved … [and] that
the issue needs consideration regardless of the criteria adopted for the repair
and replacement of steam generator tubes."
ú
"Data available to the [ACRS] suggest that the
constant probability of detection [of cracked steam generator tubes] adopted by
the NRC staff is nonconservative for flaws producing voltage signals less than
about 0.7 volts." [In other words, the NRC staff assumes that methods used
to find cracked tubes are much better than the data shows them to be.]
ú
"The [ACRS] was unable to identify defensible
technical bases for the [NRC] staff decisions to not consider the correlation
of the iodine spiking factor with initial iodine concentration [when evaluating
the potential offsite radiation dose consequences from accidents involving
cracked steam generator tubes]."
ú
"The [ACRS] found that the [NRC] staff did not have
a technically defensible understanding of these processes to assess adequately
the potential for procession of damage to steam generator tubes." [In
other words, the NRC staff has no sound basis for arguing that one broken tube
will not cascade and cause the failures of other tubes.]
ú
"The [NRC] staff has not developed persuasive
arguments to show that steam generator tubes will remain intact under
conditions of risk-important accidents in which the reactor coolant system
remains pressurized. The current analyses dealing with loop seals in the
coolant system are not yet adequate risk assessments."
ú
"In developing assessments of risk concerning these
design basis accidents, the [NRC] staff must consider the probabilities of
multiple tube ruptures until adequate technical arguments have been developed
to show damage progression is improbable." [In other words, the risk
studies to date, which only consider failure of a single tube, may understate
the true risk and therefore should not be relied upon.]
The concerns raised by Dr. Hopenfeld are
extremely important safety issues. As the ACRS stated:
ú
"Steam generators constitute more than 50% of the
surface area of the primary pressure boundary in a pressurized water
reactor."
ú
"Unlike other parts of the reactor pressure
boundary, the barrier to fission product release provided by the steam
generator tubes is not reinforced by the reactor containment as an additional
barrier."
ú
"Leakage of primary coolant through openings in the
steam generator tubes could deplete the inventory of water available for the
long-term cooling of the core in the event of an accident."
In the decade since Dr. Hopenfeld first
raised his safety concerns, the NRC has allowed many nuclear plants to continue
operating nuclear power plants with literally thousands of steam generator
tubes known to be cracked. The ACRS concluded that the NRC staff made these
regulatory decisions using incomplete and inaccurate information. After
receiving the ACRS's report, the NRC staff considered Hopenfeld's concerns
"resolved" even though it had taken no action to address the numerous
recommendations in the ACRS report (enclosure 1).
The NRC must REALLY resolve Dr. Hopenfeld's
concerns as soon as possible. In the interim, the NRC must stop making
decisions affecting the lives of millions of Americans when it lacks
"defensible technical bases."
Risk-Informed Regulation
Two of the NRC's four strategic goals are to
maintain safety and to reduce unnecessary regulatory burden. The agency
attempts to define "unnecessary" using plant-specific risk studies
that purportedly draw a nice clean line between what is necessary and what is
not. But UCS released a report titled "Nuclear Plant Risk Studies: Failing
the Grade" last August detailing numerous flaws in the publicly available
plant-specific risk studies. Among other flaws, we compared the risk study
results for three sets of nearly identical plants and found that they varied
widely—not because the risks were that disparate but because different
assumptions and methods were used. Consequently, it is extraordinarily easy to
move that nice clean line simply by tweaking a few input assumptions and have a
burden appear as either necessary or unnecessary.
For example, the FitzPatrick nuclear plant
in New York has a problem three or four years ago with a valve that must open
following a certain accident to provide cooling flow to the reactor core. But
the valve's motor did not develop sufficient thrust to move the valve against
the high pressure that would occur if that accident happened. Fixing the valve
was therefore a very necessary burden. Yet the plant's owner went back to the
risk study and re-calculated the risk from that accident happening concurrently
with a complete failure of the electrical grid and adjusted the line until the
burden became "unnecessary." This example is not sharpening one's
pencil because the accident in question happens most frequently when the
electrical grid remains available. Thus, this vital safety system would not
have functioned properly for the most likely accident scenario.[3]
More recently, the NRC staff allowed Fermi
Unit 2 in Michigan to continue operating after the company broke one of its
emergency diesel generator due to either incompetence or negligence. The
company submitted a risk study to the NRC staff that showed the continued operation
increased the threat of an accident. But the NRC staff discounted that
quantified threat by saying that the unquantified threat from shutting down and
then restarting the nuclear reactor would somehow pose an even larger threat.
This NRC decision contradicts its own regulations, policies, and procedures and
UCS has asked the NRC's Inspector General to investigate this matter (enclosure
2).
The plant-specific risk studies that UCS
reviewed for our report are nearly ten years old, but they are the most recent
risk studies that are publicly available. The NRC is allowing plant owners to
reduce the testing frequency for emergency equipment or to continue operating
with degraded equipment based on results from more recent risk studies. The
previously cited ACRS report on Hopenfeld's steam generator tube integrity
concerns indicates that the more recent risk studies remain inaccurate and
incomplete. Members of the public and organizations like UCS cannot challenge
these regulatory decisions because we lack access to the risk studies. The
NRC's own regulations, policies, and procedures require such information to be
publicly available, but it is not. And the agency continues to make regulatory
decisions affecting the lives of millions of Americans in a vacuum. The NRC
must require the flaws in the risk studies to be corrected AND make
sufficient information about the corrected risk studies publicly available.
Nuclear Plant Security
The NRC's handling of physical security at
nuclear reactors is another example of regulatory ineffectiveness. The NRC
began force-on-force tests of security preparedness at nuclear power plants in
the early 1990s. These tests pit a handful of simulated intruders against a
plant's physical defenses and squadrons of armed security personnel. By 1998,
these tests had revealed significant security weaknesses in about 47 percent of
the plants tested. The NRC quietly discontinued the testing, but the ensuing
public outrage forced the agency to re-institute the tests. Since the tests
have been resumed, about 47 percent of the plants continue to have significant
security flaws revealed. Last year, force-on-force tests at the Waterford plant
in Louisiana and the Quad Cities plant in Illinois demonstrated serious
security problems that warranted extensive repairs and upgrades. The owner of
the Waterford spent more than $2 million fixing its inadequate security system.
Having been foiled in its attempt to
secretly deep-six the security tests, the agency resorted to Plan B in which
they will allow the plant owners to conduct the tests themselves, grade the
tests themselves, and simply mail in the scores—virtually guaranteed to be high
marks—to the NRC. If someone like Timothy McVeigh drove to a nuclear power
plant with intentions of causing harm, the people living near that plant would
better protected by security scoring 85 percent on a real test than 100 or even
110 percent on an open-book, take-home, self-scored test. The public deserves
and must get that better protection than that provided by artificially inflated
security test scores.
New Nuclear Plants
A new nuclear technology called the
pebble-bed modular reactor is getting considerable mention as the type of
nuclear reactor most likely to be built in the United States in the future. The
pebble-bed reactor does offer certain safety advantages—at least, on paper.
Proponents claim that the pebble-bed reactor cannot experience the
meltdown-type accident as occurred at Three Mile Island in 1979. Perhaps, but
can the pebble-bed reactor, which will use more graphite in each reactor module
than is presently used in all existing US nuclear power plants combined, can on
fire and burn as happened at Windscale in 1957 and Chernobyl in 1986? Can plant
workers, either by mistake or by design, trigger an accident as occurred at the
SL-1 nuclear reactor in 1961 and Dresden Unit 3 in 1974 and Browns Ferry in
1975? Can some unexpected component failure cause fuel damage, as occurred at
Fermi Unit 1 in 1966?
The pebble-bed reactor is rumored to be
competitive with other energy technologies. It appears from a preliminary
design review that the proposed reactor achieves its economic advantages by
replacing the steel-lined, reinforced-concrete containment structures used for
our existing nuclear plants with a far less robust enclosure building. The
NRC's own Advisory Committee on Reactor Safeguards characterized this as
"a major safety trade-off."
The safety problem with the proposed
"containment-lite" pebble-bed reactor design Is compounded by the
existing security weaknesses. Imagine the consequences from a fertilizer truck
bomb detonated next to a "containment-lite" reactor with millions of
curies of lethal radioactivity to contaminate the environment for many decades.
That would truly be a nuclear nightmare.
Cost projections by the nuclear industry
must be taken with a grain of salt, if not an entire salt shaker. According to
the US Department of Energy, the actual construction costs for 75 nuclear power
plants started between 1966 and 1977 were more than three times higher than
their estimated costs.[4]
Thus, claims that the projected costs of electricity from a proposed pebble-bed
reactor are competitive with the actual costs of electricity from operating
renewable energy technologies must be viewed with skepticism.
It cannot be overemphasized that a facility
like the proposed pebble-bed modular reactor has never been constructed or
operated in the world. Consequently, its expected performance characteristics
are highly speculative. It would not be prudent at this time to place undue
reliance on a risky technology with unproven safety performance. Nuclear
experiments belong in the laboratory, not within the US electricity
marketplace.
Conclusions and Recommendations
Nuclear power plants are inherently
dangerous. If nuclear power is to play an expanded role in the future, it is
imperative that the Nuclear Regulatory Commission become a consistently
effective regulator. UCS believes that this goal is attainable. The Maintenance
Rule (10 CFR 50.63) and the revised reactor oversight process demonstrate that
the agency is capable of effective regulation. That capability must be extended
across all of the NRC's oversight functions and consistently sustained. This
transformation may require that the agency receive additional resources,
particularly during the transformation phase. Because the agency is currently a
fee-based agency, it may require legislative changes to supplement the existing
resources with taxpayer money.
Failing to reform the Nuclear Regulatory
Commission could have tragic consequences. As reported in The Wall Street Journal (enclosure 3), the 1986 accident at the
Chernobyl nuclear plant cost the former Soviet Union several times the net
benefits from all Soviet reactors ever operated. The price tag for the accident
was placed at 170 to 215 billion rubles while the net benefits from every
Soviet nuclear power plant was only 10 to 50 billion rubles. With the price of
failure so very high, it is absolutely imperative that the Nuclear Regulatory
Commission be a consistently—rather than occasionally—effective regulator.
If Congress wants an expanded role for
nuclear power, it must provide the NRC with the resources needed for the agency
to implement consistently effective regulatory programs and must also oversee
the agency's reform efforts to verity that they are successful.
[1] Part 54, Requirements for Renewal of Operating Licenses for Nuclear Power Plants, of Title 10 of the Code of Federal Regulations.
[2] Advisory Committee on Reactor Safeguards, Nuclear Regulatory Commission, "Voltage-Based Alternative Repair Criteria," NUREG-1740 (Washington, DC: February 2001).
[3] Fortunately, this unsafe condition has been remedied. The plant's owner fixed the valve motor at the next scheduled refueling outage. The bogus risk study was used to allow the plant to continue running with the non-functional valve for months. The plant's operating license as granted by the NRC only permitted operation for up to 7 days with this vital safety equipment inoperable.
[4] United States Department of Energy, "Analysis of Nuclear Plant Construction Costs," DOE/EIA-0485 (Washington DC: 1985).