My name is David Lochbaum. I have been the Nuclear Safety Engineer for the Union of Concerned Scientists (UCS) since October 1996. Prior to joining UCS, I spent more than 17 years in the industry on the startup and operation of nuclear power plants. UCS, established in 1969, seeks to ensure that all people have clean air, energy and transportation, as well as food that is produced in a safe and sustainable manner. We have worked on nuclear plant safety issues for nearly 30 years. In fact, far too many of the safety issues that I work on today were also worked on by my predecessor, Robert Pollard, and his predecessors, Daniel Ford and Henry Kendall. This experience convinces us that the United States should not consider an expanded role for nuclear power until we achieve something that we have never had—namely, a consistently effective regulator.

 

The Nuclear Regulatory Commission (NRC) has exclusive responsibility for regulating safety at US nuclear power plants. That the last US reactor meltdown happened 22 years ago (Three Mile Island) is circumstantial evidence that the NRC is not always an inept regulator. On the other hand, there is mounting circumstantial evidence in areas such as nuclear plant license renewal, steam generator tube cracking, risk-informed regulation, and nuclear plant security indicating that the NRC is not always an effective regulator either. These warning signs are described in the following sections.

 

Nuclear Plant License Renewal

The NRC currently approves a 20-year extension to the original 40-year license for a nuclear plant after its owner "demonstrates that a nuclear power plant facility's structures and components requiring aging management review in accordance with §54.21(a) for license renewal have been identified and that the effects of aging on the functionality of such structures and components will be managed to maintain the CLB [current licensing bases] such that there is an acceptable level of safety during the period of extended operation."[1] In theory, this demonstration seems like a solid basis for continued safe operation. In reality, this demonstration amounts to little more than a paperwork exercise that is frequently contradicted by actual experience. Since the beginning of the 21^st century, at least eight nuclear power plants have been forced to shut down due to equipment failures caused by aging:

 

1.     March 7, 2000: The owner reported that Nine Mile Point Unit 2 in New York had automatically shut down when the system controlling the level of water over the reactor core failed. The owner attributed the failure as "Specifically, the manual-tracking card failed to provide an output signal when the feedwater master controller was switched from automatic to manual mode of operation … The manual-tracking card failed due to aging." [emphasis added]

2.     March 14, 2000: The owner reported that Catawba Unit 1 in South Carolina had automatically shut down due to an inadvertent electrical ground problem. The owner reported "A detailed failure analysis determined that the root cause of the connector failure was the misapplication of the connector insert insulating material which is made of neoprene. … The neoprene insert at the failure point on the connector exhibits signs of accelerated aging [emphasis added]. The inserts are hardened and there are charred deposits on the end of the inserts which are indications of electrical tracking."

3.     March 17, 2000: The owner reported that Indian Point Unit 2 in New York had been forced to declare an emergency condition and shut down after a steam generator tube failed and resulted in approximately 19,197 gallons leaking from the reactor coolant system. The owner stated "Preliminary analysis indicates that the cause of the tube failure is primary water stress corrosion cracking (PWSCC)" [i.e., aging].

4.     March 27, 2000: The owner reported that Catawba Unit 2 in South Carolina had automatically shut down due to an inadvertent electrical ground problem. The owner reported "A detailed failure analysis determined that the root cause of the connector failure was the misapplication of the connector insert insulating material which is made of neoprene. … The neoprene insert at the failure point on the connector exhibits signs of accelerated aging [emphasis added]. The inserts are hardened and there are charred deposits on the end of the inserts which are indications of electrical tracking."

5.     September 12, 2000: The owner reported that Oyster Creek in New Jersey had been forced to shut down because a system needed to provide containment integrity had failed a periodic test. The owner determined "The cause of the degradation in Secondary Containment was age-related degradation [emphasis added] of the automatic ventilation exhaust valve seals."

6.     September 27, 2000: The NRC reported that Diablo Canyon Unit 1 in California had automatically shut down after an electrical transformer failed and interrupted the supply of electricity to the reactor coolant pumps. The NRC stated "The licensee's evaluation concluded that a center bus bar overheated at a splice joint, which caused a polyvinyl chloride boot insulator over the splice joint to smoke. Eventually, heat-induced failure of fiberglass insulation on adjacent phases resulted in phase-to-phase arcing" [i.e., aging].

7.     February 16, 2001: The owner reported that North Anna Unit 2 in Virginia had been forced to shut down due to leakage exceeding ten gallons per minute from the reactor coolant system. The owner determined "The cause of the stem packing material failure below the lantern ring is attributed to aging" [emphasis added].

8.     April 2, 2001: The owner reported that San Onofre Unit 3 in California automatically shut down after an electrical breaker failed and started a fire. The failed breaker was reportedly 25 years old and scheduled for inspection next year. The owner "will implement modifications to appropriate preventative maintenance [emphasis added] procedures to address the apparent failure causes."

 

Aging management programs are intended to monitor the condition of equipment and structures and implement repairs or replacements when necessary to prevent failures. The cited aging-related failures, occurring about once every 60 days, indicate beyond reasonable doubt that the aging management programs are inadequate because they are not preventing equipment failures. The NRC must ascertain the effectiveness of aging management programs—not merely the scope of these programs—before granting license extensions.

 

 

Steam Generator Tube Cracking

Dr. Joram Hopenfeld, who recently retired from the NRC staff, raised concerns about the integrity of steam generator tubes to his management nearly ten year ago. The agency—which steadfastly claims that safety is its top priority—essentially ignored them until an accident last year at Indian Point 2. The ensuing public outcry and Congressional attention resulting from that accident, which was initiated when a cracked steam generator tube failed, forced the NRC to dust off Hopenfeld's concerns and finally look into them. The NRC asked its ACRS to evaluate the decade-old concerns.

 

The NRC's Advisory Committee on Reactor Safeguards (ACRS) issued a report in February 2001.[2] The ACRS substantiated many of Dr. Hopenfeld's concerns. For example, the ACRS concluded:

 

ú        "The techniques [used to look for cracked steam generator tubes] are not nearly so reliable for determining the depth of a crack, and in particular, whether a crack penetrates through 40% of the tube wall thickness." [NRC's regulations do not allow a nuclear plant to start up with any steam generator tube cracked more than 40 percent of its wall thickness, but the methods used to inspect the tubes for cracks cannot reliably determine the depth of cracks.]

ú        "The NRC staff acknowledged that there would be some possibility that cracks of objectionable depth might be overlooked and left in the steam generator for an additional operating cycle." [Exactly what actually happened at Indian Point 2 to cause last year's accident.]

ú        "Both the [NRC] staff and the author of the DPO [Dr. Hopenfeld] agree that the alternative repair criteria [used by the NRC staff to allow nuclear plants to continue operating with steam generator tubes known to be cracked] increase the probability of larger primary-to-secondary flows during the MSLB [main steam line break] and SGTR [steam generator tube rupture] accidents."

ú        "The [ACRS] also finds that this contention of the DPO [namely, that an accident at a nuclear plant with cracked steam generator tubes could cause those tubes to completely break] has merit and deserves investigation."

ú        "This seems to be a plausible contention [that an accident at a nuclear plant with cracked steam generator tubes could widen the cracks and result in larger leakage], and the staff has not produced analyses or test results to refute it."

ú        "The [ACRS] concluded that the issue of the possible evolution of severe accident to involve gross failure of steam generator tubes and bypass of the containment is not yet resolved … [and] that the issue needs consideration regardless of the criteria adopted for the repair and replacement of steam generator tubes."

ú        "Data available to the [ACRS] suggest that the constant probability of detection [of cracked steam generator tubes] adopted by the NRC staff is nonconservative for flaws producing voltage signals less than about 0.7 volts." [In other words, the NRC staff assumes that methods used to find cracked tubes are much better than the data shows them to be.]

ú        "The [ACRS] was unable to identify defensible technical bases for the [NRC] staff decisions to not consider the correlation of the iodine spiking factor with initial iodine concentration [when evaluating the potential offsite radiation dose consequences from accidents involving cracked steam generator tubes]."

ú        "The [ACRS] found that the [NRC] staff did not have a technically defensible understanding of these processes to assess adequately the potential for procession of damage to steam generator tubes." [In other words, the NRC staff has no sound basis for arguing that one broken tube will not cascade and cause the failures of other tubes.]

ú        "The [NRC] staff has not developed persuasive arguments to show that steam generator tubes will remain intact under conditions of risk-important accidents in which the reactor coolant system remains pressurized. The current analyses dealing with loop seals in the coolant system are not yet adequate risk assessments."

ú        "In developing assessments of risk concerning these design basis accidents, the [NRC] staff must consider the probabilities of multiple tube ruptures until adequate technical arguments have been developed to show damage progression is improbable." [In other words, the risk studies to date, which only consider failure of a single tube, may understate the true risk and therefore should not be relied upon.]

 

The concerns raised by Dr. Hopenfeld are extremely important safety issues. As the ACRS stated:

 

ú        "Steam generators constitute more than 50% of the surface area of the primary pressure boundary in a pressurized water reactor."

ú        "Unlike other parts of the reactor pressure boundary, the barrier to fission product release provided by the steam generator tubes is not reinforced by the reactor containment as an additional barrier."

ú        "Leakage of primary coolant through openings in the steam generator tubes could deplete the inventory of water available for the long-term cooling of the core in the event of an accident."

 

In the decade since Dr. Hopenfeld first raised his safety concerns, the NRC has allowed many nuclear plants to continue operating nuclear power plants with literally thousands of steam generator tubes known to be cracked. The ACRS concluded that the NRC staff made these regulatory decisions using incomplete and inaccurate information. After receiving the ACRS's report, the NRC staff considered Hopenfeld's concerns "resolved" even though it had taken no action to address the numerous recommendations in the ACRS report (enclosure 1).

 

The NRC must REALLY resolve Dr. Hopenfeld's concerns as soon as possible. In the interim, the NRC must stop making decisions affecting the lives of millions of Americans when it lacks "defensible technical bases."

 

Risk-Informed Regulation

Two of the NRC's four strategic goals are to maintain safety and to reduce unnecessary regulatory burden. The agency attempts to define "unnecessary" using plant-specific risk studies that purportedly draw a nice clean line between what is necessary and what is not. But UCS released a report titled "Nuclear Plant Risk Studies: Failing the Grade" last August detailing numerous flaws in the publicly available plant-specific risk studies. Among other flaws, we compared the risk study results for three sets of nearly identical plants and found that they varied widely—not because the risks were that disparate but because different assumptions and methods were used. Consequently, it is extraordinarily easy to move that nice clean line simply by tweaking a few input assumptions and have a burden appear as either necessary or unnecessary.

 

For example, the FitzPatrick nuclear plant in New York has a problem three or four years ago with a valve that must open following a certain accident to provide cooling flow to the reactor core. But the valve's motor did not develop sufficient thrust to move the valve against the high pressure that would occur if that accident happened. Fixing the valve was therefore a very necessary burden. Yet the plant's owner went back to the risk study and re-calculated the risk from that accident happening concurrently with a complete failure of the electrical grid and adjusted the line until the burden became "unnecessary." This example is not sharpening one's pencil because the accident in question happens most frequently when the electrical grid remains available. Thus, this vital safety system would not have functioned properly for the most likely accident scenario.[3]

 

More recently, the NRC staff allowed Fermi Unit 2 in Michigan to continue operating after the company broke one of its emergency diesel generator due to either incompetence or negligence. The company submitted a risk study to the NRC staff that showed the continued operation increased the threat of an accident. But the NRC staff discounted that quantified threat by saying that the unquantified threat from shutting down and then restarting the nuclear reactor would somehow pose an even larger threat. This NRC decision contradicts its own regulations, policies, and procedures and UCS has asked the NRC's Inspector General to investigate this matter (enclosure 2).

 

The plant-specific risk studies that UCS reviewed for our report are nearly ten years old, but they are the most recent risk studies that are publicly available. The NRC is allowing plant owners to reduce the testing frequency for emergency equipment or to continue operating with degraded equipment based on results from more recent risk studies. The previously cited ACRS report on Hopenfeld's steam generator tube integrity concerns indicates that the more recent risk studies remain inaccurate and incomplete. Members of the public and organizations like UCS cannot challenge these regulatory decisions because we lack access to the risk studies. The NRC's own regulations, policies, and procedures require such information to be publicly available, but it is not. And the agency continues to make regulatory decisions affecting the lives of millions of Americans in a vacuum. The NRC must require the flaws in the risk studies to be corrected AND make sufficient information about the corrected risk studies publicly available.

 

Nuclear Plant Security

The NRC's handling of physical security at nuclear reactors is another example of regulatory ineffectiveness. The NRC began force-on-force tests of security preparedness at nuclear power plants in the early 1990s. These tests pit a handful of simulated intruders against a plant's physical defenses and squadrons of armed security personnel. By 1998, these tests had revealed significant security weaknesses in about 47 percent of the plants tested. The NRC quietly discontinued the testing, but the ensuing public outrage forced the agency to re-institute the tests. Since the tests have been resumed, about 47 percent of the plants continue to have significant security flaws revealed. Last year, force-on-force tests at the Waterford plant in Louisiana and the Quad Cities plant in Illinois demonstrated serious security problems that warranted extensive repairs and upgrades. The owner of the Waterford spent more than $2 million fixing its inadequate security system.

 

Having been foiled in its attempt to secretly deep-six the security tests, the agency resorted to Plan B in which they will allow the plant owners to conduct the tests themselves, grade the tests themselves, and simply mail in the scores—virtually guaranteed to be high marks—to the NRC. If someone like Timothy McVeigh drove to a nuclear power plant with intentions of causing harm, the people living near that plant would better protected by security scoring 85 percent on a real test than 100 or even 110 percent on an open-book, take-home, self-scored test. The public deserves and must get that better protection than that provided by artificially inflated security test scores.

 

New Nuclear Plants

A new nuclear technology called the pebble-bed modular reactor is getting considerable mention as the type of nuclear reactor most likely to be built in the United States in the future. The pebble-bed reactor does offer certain safety advantages—at least, on paper. Proponents claim that the pebble-bed reactor cannot experience the meltdown-type accident as occurred at Three Mile Island in 1979. Perhaps, but can the pebble-bed reactor, which will use more graphite in each reactor module than is presently used in all existing US nuclear power plants combined, can on fire and burn as happened at Windscale in 1957 and Chernobyl in 1986? Can plant workers, either by mistake or by design, trigger an accident as occurred at the SL-1 nuclear reactor in 1961 and Dresden Unit 3 in 1974 and Browns Ferry in 1975? Can some unexpected component failure cause fuel damage, as occurred at Fermi Unit 1 in 1966?

 

The pebble-bed reactor is rumored to be competitive with other energy technologies. It appears from a preliminary design review that the proposed reactor achieves its economic advantages by replacing the steel-lined, reinforced-concrete containment structures used for our existing nuclear plants with a far less robust enclosure building. The NRC's own Advisory Committee on Reactor Safeguards characterized this as "a major safety trade-off."

 

The safety problem with the proposed "containment-lite" pebble-bed reactor design Is compounded by the existing security weaknesses. Imagine the consequences from a fertilizer truck bomb detonated next to a "containment-lite" reactor with millions of curies of lethal radioactivity to contaminate the environment for many decades. That would truly be a nuclear nightmare.

 

Cost projections by the nuclear industry must be taken with a grain of salt, if not an entire salt shaker. According to the US Department of Energy, the actual construction costs for 75 nuclear power plants started between 1966 and 1977 were more than three times higher than their estimated costs.[4] Thus, claims that the projected costs of electricity from a proposed pebble-bed reactor are competitive with the actual costs of electricity from operating renewable energy technologies must be viewed with skepticism.

 

It cannot be overemphasized that a facility like the proposed pebble-bed modular reactor has never been constructed or operated in the world. Consequently, its expected performance characteristics are highly speculative. It would not be prudent at this time to place undue reliance on a risky technology with unproven safety performance. Nuclear experiments belong in the laboratory, not within the US electricity marketplace.

Conclusions and Recommendations

Nuclear power plants are inherently dangerous. If nuclear power is to play an expanded role in the future, it is imperative that the Nuclear Regulatory Commission become a consistently effective regulator. UCS believes that this goal is attainable. The Maintenance Rule (10 CFR 50.63) and the revised reactor oversight process demonstrate that the agency is capable of effective regulation. That capability must be extended across all of the NRC's oversight functions and consistently sustained. This transformation may require that the agency receive additional resources, particularly during the transformation phase. Because the agency is currently a fee-based agency, it may require legislative changes to supplement the existing resources with taxpayer money.

 

Failing to reform the Nuclear Regulatory Commission could have tragic consequences. As reported in The Wall Street Journal (enclosure 3), the 1986 accident at the Chernobyl nuclear plant cost the former Soviet Union several times the net benefits from all Soviet reactors ever operated. The price tag for the accident was placed at 170 to 215 billion rubles while the net benefits from every Soviet nuclear power plant was only 10 to 50 billion rubles. With the price of failure so very high, it is absolutely imperative that the Nuclear Regulatory Commission be a consistently—rather than occasionally—effective regulator.

 

If Congress wants an expanded role for nuclear power, it must provide the NRC with the resources needed for the agency to implement consistently effective regulatory programs and must also oversee the agency's reform efforts to verity that they are successful.