Ƶ

Lessons Learned from “Lessons Learned”: The Evolution of Nuclear Power Safety after Accidents and Near-Accidents

Key Reactor Accidents, Incidents, and Anomalies

Back to table of contents
Authors
Edward D. Blandford and Michael M. May
Project
Global Nuclear Future

In this section, we review the lessons-learned experience following a range of reactor events. We first focus on major reactor accidents in which the lessons-learned process played out in the public domain and many stakeholders were involved in the process. The location of the reactor accident as well as the reactor technology heavily affects the lessons-learned experience. We then review some less severe reactor incidents and anomalies, which can be of equal interest. Such incidents often reveal the conditions that can lead to more serious accidents.

Reactor Accidents

In each of the following reactor accidents, key organizations such as the IAEA, state regulatory authorities, licensee organizations, and independent commissions initiated formal review processes. We will discuss each accident within the context of the type of initiating event, the major contributor(s) to failure, and the extent of hazard consequence. In the case of Three Mile Island and Chernobyl, the initiating events that caused the accident were internal events and were exacerbated by human error. In the case of Fukushima, the initiating event was an external event in the form of an earthquake and subsequent tsunami. A common response to nuclear accidents from those outside the country where the accident occurred is a) we don’t build our reactors that way, b) we don’t operate them that way, and/or c) we understand the governing phenomenology. We keep these three perspectives in mind in the following discussion.

Three Mile Island. This event occurred on March 28, 1979, near Harrisburg, Pennsylvania, when a cooling malfunction and human error caused part of the core to melt in Unit 2 of the Three Mile Island (TMI) Nuclear Generating Station. TMI has two PWR units (pressurized water reactors), both Babcock and Wilcox designs. Unit 1 generates 800 megawatts of electricity (MWe) and was commissioned in 1974; Unit 2 is slightly larger at 900 MWe and began operation in 1978. The accident was initiated by a pilot-operated relief valve (PORV) in the primary system that had become stuck open and was exacerbated by operator action following the initiating event.9 Unit 2 was ultimately destroyed. Some fission product gas was released a couple of days after the accident, but not enough to cause any detectable dose to local residents above background levels. There were no injuries or adverse health effects. The TMI accident was caused by an internal initiating event and has been rated Level 5, “Accident with Wider Consequences,” on the INES. The accident sequence and post-accident forensics are discussed in much greater detail elsewhere.10

Following TMI, there were many efforts to conduct comprehensive studies and investigations of the reactor accident. Two weeks after the accident, President Carter established the Kemeny Commission to carry out a technical assessment of what occurred and to make a series of recommendations for the future based on its findings. The NRC created its own inquiry group, headed by Washington, D.C., attorney Mitchell Rogovin. Following the review of the accident, the NRC established a Lessons Learned Task Force charged with suggesting changes to fundamental aspects of basic plant safety policy.11

Lessons Learned from Three Mile Island. The Kemeny Commission made a series of recommendations concerning the NRC, the licensees, training, technical assessment, public health and safety, emergency planning, and the public’s right to information.12 Four strong themes emerged from these recommendations and were broadly classified by Joseph Rees as management involvement, normative systems, learning from experience, and professionalism.13 An important recommendation that does not fit under those categories is better human factors engineering (HFE), that is, the engineering that goes into operator-machine interactions. Early control rooms without such HFE modifications placed a much greater burden on operators in an emergency.

  • The first key lesson focused on the role of management in operating nuclear power plants. Prior to TMI, many in utility management viewed nuclear plants as assets indistinguishable from fossil fuel–based power generation facilities. Utility executives focused solely on plant output, leaving the challenging day-to-day operations of the plant to others in the company. This situation led to performance objectives that were sometimes inconsistent with the required and expected level of safety.14
  • The second key lesson stems from the overly prescriptive nature of the regulatory structure. The normative landscape was made up of an impressive list of documentation, rules, standards, and so on required to build and operate a nuclear plant. This led to unintended consequences: for example, it left operators to believe, sometimes erroneously, that their plants were completely safe as long as the formal safety requirements had been met.15
  • Third, the Kemeny Commission noted that previous operational experience elsewhere in the fleet had not been learned across the industry. In fact, learning from experience across the industry was viewed as a peripheral activity and not a necessary endeavor. The Commission noted that the dominant hardware failure at TMI, involving the PORV, had occurred in eleven other instances, but this operational experience with Babcock and Wilcox valves had not been shared across the industry.
  • Finally, the Kemeny Commission noted an overall lack of professionalism in the personnel who operated the plants. As a result, operating standards had suffered. Interestingly, the Commission also called for a complete restructuring of the NRC and the abolishment of the five-member commission system. Not all of its recommendations were followed, however. The multimember regulatory commission system is well entrenched in a number of areas in the United States, with members named by political authorities but, once confirmed, nominally independent of them. There is no clear consensus on what structure best assures such independence—or, rather, effectiveness in managing an inherently interdependent process that involves many stakeholders.

The NRC conducted its own review of TMI and suggested several improvements in nuclear power plant operations, design, and regulation.16 This review was performed independently, but it recognized many of the limitations identified by the Kemeny Commission. Some important regulatory changes that the NRC enumerated included the establishment of crucial equipment requirements and the identification of human performance as an integral component of a safe nuclear plant.

Traditionally, the NRC had left plant management strategies to the licensees and had focused most of its effort on plant operations. This gap was largely remedied by the creation of INPO just two weeks after the TMI accident. The creation of INPO is often cited as the major lesson learned from TMI, and for good reason. INPO confounds the expected norm of an organization that improves the safety and reliability of the nuclear industry; that is, INPO is a private regulatory bureaucracy that was set up by the industry itself and is funded directly by licensees. Following TMI, it was recognized that the nuclear navy had an extraordinary safety record and perhaps the commercial industry should learn more from the nuclear navy. Indeed, INPO’s first CEO was retired Navy Admiral Eugene Wilkinson, who had served under Admiral Hyman Rickover. There are many reasons why INPO has been recognized as a successful organization, and we discuss several of them later in this paper. The fact that INPO interacts at three distinct hierarchical levels within the organization (the worker level, the manager level, and senior management and executive levels) makes it extraordinarily effective. Additionally, the naval influence can be seen in INPO’s emphasis on establishing effective self-assessment and corrective action programs.

Chernobyl. In late April 1986, during an experimental systems test at Unit 4 of the Chernobyl Nuclear Power Plant about eighty miles north of Kiev in Ukraine, a sudden power surge caused the plant to become unstable. Attempts to initiate emergency cooling failed, resulting in more severe power excursions. The reactor pressure vessel ultimately failed, and a massive explosion led to huge amounts of radioactive material being released into the environment. The accident, the worst in the history of nuclear power, was largely due to a reactor design that led to an unstable condition during the test as well as to operator error, in part from a lack of adequate information. The ultimate causes were complex and involved several of the reactor’s design features, including its lack of secondary containment. Another factor was that under some conditions, the more the coolant water boiled, the more power was generated; and, again, under some conditions, power generation also increased when the control rods designed to shut down the reaction were inserted. The reactor type, a Soviet-designed RBMK, was originally deployed in several Soviet bloc countries but is now found only in Russia; no new models are being built. Several of the design features that led to the accident have been fixed. Much more on the accident can be found in a number of publicly available references covering the sequence of events, the subsequent analyses, and the environmental and health impacts.17

Lessons Learned from Chernobyl. Reactors in the United States and the West in general have different plant designs, broader shutdown margins, robust containment structures, and operational controls to protect them against the combination of lapses that led to the accident at Chernobyl. Thus, from a Western perspective, the Chernobyl accident could be dismissed as “different technology” run by a completely “different organization.” However, the accident demonstrated some lessons that are relevant for different and safer reactor designs.18

  1. Three crucial elements are containment; effective severe accident management strategies; and perhaps most important, an inherent and/or passive safety function that can respond with no operator action for a set period of time.
  2. Chernobyl demonstrated the importance of operator training, already underscored by TMI, and the complementary need for making accurate and timely information about the complete reactor state available to operators. As a result, a “global INPO” was agreed upon, and WANO was established.
  3. Precursor incidents that are not damaging in themselves but point to conditions that could lead to a much worse accident must be acted upon. In the case of Chernobyl, the International Nuclear Safety Advisory Group (INSAG 7) noted that “observations made at the Ignalina [Lithuania] plant in 1983, when the possibility of positive reactivity insertion on shutdown became evident, and the event at the Leningrad nuclear power plant in 1975 pointed to the existence of design problems. . . . [T]his important information was not adequately reviewed and, where it was disseminated to designers, operators and regulators, its significance was not fully understood and it was essentially ignored.”19
  4. Another important effect of Chernobyl was the realization that reactor accidents can have a regional impact on environment and health and a global impact on plans for future additions to nuclear power.

The above lessons learned were only partially acted upon, for a variety of reasons. Thus, with respect to Lesson 1, while all new reactors have effective secondary containment features, better passive safety features (as found in so-called Gen III+ plants) have been implemented in only limited cases. The more complicated licensing and higher financial risk associated with such features have slowed their introduction, with most reactor vendors continuing to offer evolutionary reactor designs with active safety systems. In the case of Lesson 2— the provision for better operator training—WANO’s lack of real authority has meant that it is devoted mainly to sharing information, a necessary but insufficient feature. Additionally, no effective carrot (for example, through financial incentives) has been established. In contrast, INPO ratings are used by the financial community to assess U.S. utility stocks and by insurance companies to determine premiums. (We discuss this topic further in the next section.) With respect to Lesson 3, precursor incidents are still being overlooked in some cases; we explore this fact in our discussions of Fukushima and Le Blayais. Lesson 4 has, in general, been internalized by established nuclear power users, but it remains to be seen whether it will also be internalized by new users.

Fukushima-Daiichi. The March 2011 large-scale industrial accident at the Fukushima-Daiichi Nuclear Power Plant was the culmination of three interrelated factors: external natural hazard assessment and site preparation, the utility’s approach to risk management, and the fundamental reactor design. The Fukushima-Daiichi plant was first commissioned in 1971 and houses six boiling water reactors (BWRs) ranging in size by age.20 The reactor accident was initiated by a magnitude 9 earthquake on March 11, 2011, followed by an even more damaging tsunami. However, it was the inability to remove the decay heat in the reactor core that led to core meltdown and radioactive release from three units. The plant first experienced a station blackout (that is, loss of all off-site and on-site power) due to flooding of backup critical emergency electrical generation equipment. Following failure of backup water injection equipment, delays in initiating injection of seawater into the reactors using portable pumping equipment led to the fuel overheating. Subsequently, the generation of hydrogen through steam oxidation of the fuel cladding led to chemical explosions causing significant structural damage.

Contamination of surrounding land, groundwater, structures, and vegetation extended to about 10,000 square miles, of which about 250 square miles are contaminated above safety levels, mainly from Cesium-137. Hot spots were identified beyond these areas. Measurements are ongoing; figures are now only approximate and will change. In addition, the cores were cooled by injection of seawater for a period of time before more permanent arrangements could be made. A small but not yet fully known fraction of that seawater, together with some of the core material, was dispersed into the sea. Measurements of the extent of that contamination are also ongoing.

While the direct public health impact of the reactor accident has, to date, appeared to be low, the economic and nearby environmental consequences are severe. Land restoration alone will take more than a decade and perhaps much longer. Nearly as many people have been evacuated as a result of the radioactivity as were displaced by the tsunami and earthquake. The latter of course was far more deadly, causing perhaps twenty thousand deaths. In contrast with the response to the tsunami and earthquake, which has been widely praised, the response to the nuclear accident perhaps worsened the consequences of the accident and showed the responsible authorities as unready to deal with it.

Lessons Learned from Fukushima-Daiichi. While learning all the lessons from Fukushima will take time, a number of important conclusions about preventive design, mitigation actions, and emergency response have been drawn by Japanese and international organizations in the year since the accident. Among the many reports, accounts, analyses, and recommendations, we note the following:

  • Three months after the accident, the Japanese government issued a report to the IAEA Ministerial Conference on Nuclear Safety.21 In this report, the Japanese government identified twenty-eight lessons (thus far) to be learned from the accident. They include (paraphrased here for clarity and brevity):
    • The expectation of and the preparedness for the onslaught of an enormous tsunami were not sufficient.
    • The design against tsunamis was based on tsunami folklore and remaining traces of past tsunamis, not on adequate consideration of the recurrence of large-scale earthquakes.
    • The necessary backup power supply was not adequately safeguarded.
    • Earthquake and tsunami damage caused the loss of cooling functions, leading to the need to diversify those functions.
    • Accident management measures were inadequate in some cases. The report calls for making those measures legal requirements.
    • Effective training to respond to accident restoration at nuclear power plants as well as to work and communicate with relevant organizations in the wake of severe accidents was not sufficiently implemented.
    • Critical instrumentation needed for dealing with the accident failed.
    • Environmental monitoring was insufficient and not communicated adequately to those who needed this information.
    • Central control, communications, and logistics support were inadequate.

Many of the recommendations made by the Japanese government require major organizational changes that could be considered country-specific. In particular, recommendations on regulatory independence and emergency preparedness have already been implemented in some countries (although certainly not all). Additionally, many of the recommendations discussed below have not yet reached final approval.

  • After a ninety-day review of the Fukushima accident, the NRC’s Near-Term Task Force released its findings, including twelve recommendations.22 It attempted to structure its review activities to reflect insights from previous lessons-learned efforts carried out by the agency. For example, some post-TMI recommendations considered a number of actions that were proposed for general safety enhancement as opposed to specific safety vulnerabilities revealed by the accident. The NRC Backfit Rule23 may play an important role in determining which recommendations are ultimately implemented in the United States. The recommendations made by the NRC task force were divided into general regulatory concerns: ensuring protection, enhancing mitigation, strengthening emergency preparedness, and improving the efficiency of the regulatory oversight process of the fleet.
  • More recently, an independent investigative committee created in June 2011 by the Japanese government issued its interim report, which sharply reinforced earlier conclusions.24 In the executive summary of its interim report, the independent investigative committee reemphasized several themes from the earlier report issued by the Japanese government to the IAEA. The summary was particularly explicit in calling attention to failures of communication within the government, between the government and TEPCO (the Tokyo Electric Power Company) headquarters, and among those two entities and the operators in the field. In addition, the organization charged with disseminating radioactivity information to the public, SPEEDI, reported to a different ministry than the one involved most directly in managing the accident; therefore, information did not reach the public or the managers in a timely way.

Key themes emerge from the set of recommendations made by those organizations:

  1. Each report acknowledged the need to rely on a defense-in-depth philosophy, with resources allocated to measures that improve system protection, mitigation, and emergency response.
  2. The Fukushima-Daiichi accident made global licensees and regulators reevaluate whether their facilities have adequate protection from natural phenomena within the design basis. Additionally, redefinition of the design basis and the way in which external hazards are treated was a constant theme. It has become clear that the recurrence time of rare external events cannot be known with any degree of assurance. Even if it could be, simple calculations show that, given the number of reactor sites around the world, the likelihood of a rare external event at some site at some time over the lifetime of a reactor is relatively high.
  3. A station blackout in which all on-site and off-site AC (alternating current) power is unavailable has long been known to be a highly vulnerable plant operational mode. Regulators require licensees to demonstrate that the plant can meet an “acceptable” specified duration of time known as “coping time.” A plant’s coping time varies, depending on the redundancy and reliability of both on-site AC backup and off-site power options. The process is currently performance-based and risk-informed in the United States. However, Fukushima-Daiichi illustrated the importance of adequately defining an acceptable coping time.
  4. There were some positive lessons from Fukushima-Daiichi. The effective performance of fission product scrubbing in the wet well, greatly reducing aerosol fission product release, was impressive. We know from data collected by authorities (for example, measurements of the uptake of Iodine-131 in children living near Fukushima) that the overall direct public health impact from the nuclear accident will be relatively small.25 Soil and water contamination by Cesium-137, however, will cause a lasting decontamination problem, likely making return impossible for many evacuees.
  5. The reports recognized the challenges posed by multi-unit accidents as opposed to a single-unit accident such as TMI. NRC safety inspections of the domestic fleet revealed that some sites were underprepared for a multi-unit reactor accident.26
  6. Assignment of responsibilities, chain of command from the highest relevant authority to the operators on the ground, and communications—issues important in every situation—were a dominant theme in the reports from both the Japanese government and the independent investigative committee. Both recognized the critical communication failures on multiple levels, including the communication between local and central organizations, the communication to the public, and the communication to international organizations and the rest of the world. These operational failures led to unnecessary delays in taking key emergency actions, such as depressurization of and alternative water injection into the primary containment vessel in Units 1 and 3 (for different reasons). Lack of timely communication and gaps in responsibility assignments were pervasive in the relevant organizations in Tokyo as well. Monitoring of off-site radiation levels also failed to be communicated in a timely fashion to responsible authorities. According to Japan’s report to the IAEA, “The Japanese Government could not appropriately respond to the assistance offered by countries around the world because no specific structure existed within the Government to link such assistance offered by other countries to the domestic needs.”27

The Fukushima accident continues to have a major global impact. The three lines of rationalization noted at the beginning of this discussion—we don’t build our reactors that way, we don’t operate them that way, and/or we understand the governing phenomenology—cannot be used here: reactors of the same design as the ones at Fukushima can be found around the world; operations in Japan are not qualitatively different from those elsewhere; and while the phenomenology involved in the reactor is understood, that involved in such external events as earthquakes and tsunamis is not known precisely enough to permit prediction.

The impact on Japan is the most severe. The entire nuclear industry, which provides more than 30 percent of electrical power for that nation, has come under question; as of this writing (March 2012), only two nuclear reactors are in operation in Japan. This outcome seems to stem at least as much from a loss of trust in the government and industrial institutions involved as from the direct effects of the nuclear accident. By comparison, the tsunami itself caused enormously more deaths and devastation than the nuclear accident, but no similar loss of trust in the relevant institutions has occurred.

The impact is not limited to Japan. Germany has returned to a plan calling for early phaseout of its nuclear reactors, and Italy has reconsidered its decision to deploy nuclear power. The impact in the United States, India, and elsewhere continues to evolve. The exact impact cannot now be assessed, nor is it possible to determine how many of the lessons offered by the Fukushima accident will be learned.

Reactor Incidents

In this section, we review two critical reactor incidents that provide insights into industry learning. Neither incident had health or environmental consequences; but in both instances, the responsible licensee and regulator were caught significantly off guard. In the case of Davis-Besse, the trustworthiness of the industry was brought into question. Criminal charges were filed, and two employees and a former contractor were indicted for hiding key evidence from the regulator.

Davis-Besse Reactor Vessel Head Degradation. The Davis-Besse Nuclear Power Station in Oak Harbor, Ohio, closed down on February 16, 2002, for routine refueling and maintenance. During inspections, a refueling outage team discovered serious material flaws in the control rod drive mechanism located in the upper reactor pressure vessel. Davis-Besse has a single PWR of 889 MWe, a Babcock and Wilcox design first commissioned in 1978. The penetrations were made of Alloy 600, which is a common material used to fabricate various parts and components in nuclear power plants and which has historically been susceptible to primary water stress corrosion cracking.

The extent of the pressure vessel corrosion, known as wastage area, was found to be approximately the size of a football. In some regions, instead of the original six-inch-thick reactor head, only the remaining three-eighths-inch stainless steel cladding inner liner made up the primary system pressure boundary. If the liner had failed, the plant would have undergone a loss of coolant accident and would have required activation of the emergency core cooling system to bring the reactor to acceptable standby conditions. With the degradation occurring so close to the control rod penetrations, there was also considerable concern about the reactivity shutdown capability of the plant following a breach in the vessel.

In 2006, two former employees and a contractor were indicted after being criminally prosecuted for a series of safety violations and intentional cover-ups. While Davis-Besse was most affected, this incident represented a management failure on the part of the licensee (FirstEnergy), the NRC, and INPO. Consequently, the entire PWR fleet in the United States was strongly affected. The degradation of the Davis-Besse upper reactor pressure vessel head was ultimately rated Level 3 on the INES, classified as a “Serious Incident.”

Lessons Learned from Davis-Besse. Immediately following Davis-Besse, the NRC established a Davis-Besse Lessons Learned Task Force in order to better understand how such a failure in regulation could occur. On September 30, 2002, the task force reported its findings to a senior management review team.28 The report included fifty-one recommendations for actions that the NRC should take; all but two were ultimately approved by the commission. The recommendations were divided into four categories: (1) assessment of stress corrosion cracking; (2) assessment of operating experience, integration of operating experience into training, and review of program effectiveness; (3) evaluation of inspection, assessment, and project management guidance; and (4) assessment of barrier integrity requirements.

The task force revealed that certain operating experiences from other countries, involving similar reactor pressure vessel penetration nozzles, were not widely known within the NRC and the U.S. nuclear industry. In some cases, these experiences were erroneously determined to be inapplicable to PWR plants in the United States.29

The fundamental issue—better understanding of the governing phenomenology behind stress corrosion cracking in the nickel-based alloy nozzle—has plagued the industry. In Spring 2003, just a year after the Davis-Besse incident, apparent boron deposits were detected at the lower reactor pressure vessel head of South Texas Project Unit 1, near two bottom-mounted instruments. While this degradation was unexpected, the advancements made in visual examination of Alloy 600 components following the Davis-Besse incident contributed greatly to locating these flaws.

In the case of Davis-Besse, the key regulatory and operational stakeholders involved failed on organizational, management, and technical grounds. There had been a number of indicators of corrosion, but they were not acted upon, probably because continued production was prioritized over safety. The deceit and resultant cover-up efforts weakened public confidence in the industry, representing a low point in the history of U.S. commercial reactor operations. Unexpected degradations such as those at the South Texas Project will continue to occur; it is the licensee’s resultant actions that matter.

Le Blayais Flooding. Le Blayais Nuclear Power Plant is a complex of four 900-MWe PWRs built from 1981 to 1983 alongside the Gironde marine estuary, the outlet for the river Garonne to the Atlantic Ocean in southwestern France. Major floods have been recorded in the area for centuries. EdF, the owner-operator, had put in place sea walls ranging in height from 4.75 to 5.2 meters30 and had taken other precautions prior to the December 1999 incident. In the month before the incident, the plant’s annual safety report announced a plan to increase the height of the sea walls to 5.7 meters in the following year, though EdF delayed construction.

On the night of December 27, 1999, a combination of high tide, high waves driven by winds up to 200 kilometers/hour (160 mph), and intense rain resulted in flooding and the loss of most power supplies, shutting the plant down. Diesel backup generators started up, maintaining power to Units 2 and 4 until some supply was restored. In Unit 1, one set of the two pairs of pumps in the Essential Service Water System failed due to flooding; if both sets had failed, the safety of the plant would have been endangered. In both Units 1 and 2, flooding put part of the Emergency Core Cooling System out of commission.31

Because some pumps and generators continued to operate, cooling was maintained and the safety of the plant was not impaired. It was a close call, however, rated as Level 2 on the INES. The incident had an impact on both EdF and political authorities, especially local ones.

Lessons Learned from Le Blayais Flooding. EdF and various advisory committees conducted a review that lasted seven years and focused mainly on the effects of combinations of adverse events, such as those that led to the Le Blayais flood. As a result of the review, protection against floods was upgraded at most French nuclear plants considered to be at risk, including higher dikes and seawalls, better sealed doors and closures, and a stricter protocol for protective action upon warning.32 A continuing assessment of the possible effect of climate change was also provided for. The total cost was estimated at €110 million.

EdF appears to have learned some of the important lessons from the incident and has set up a continuing review process; however, it is unclear what other countries have learned from the Le Blayais incident. While TEPCO faced a far worse situation at Fukushima in the wake of the Tohoku earthquake, some of the lessons from the Le Blayais experience were relevant. Most notable among these were improving the protection of backup power supplies (about which TEPCO had been warned by the Japanese regulatory authority) and establishing and rehearsing a clear protocol to deal with flooding. In the United States, the Fort Calhoun Nuclear Generating Station on the Missouri River (about twenty miles north of Omaha, Nebraska) was surrounded by water up to a level of nearly 1,007 feet above sea level in June 2011. The protective berms and walls were 1,009 feet above sea level; the NRC had mandated an increase to 1,014 feet, which had been contested for a time by the operator, Omaha Public Power District. Similar water levels had been reached in 1952; levels just short of 1,000 feet have been reached several times since.33

Flooding is only one potential external initiator for accidents, but it is an important one given that nuclear plants are frequently located near large bodies of water. Flooding risks are also of particular concern because they are susceptible to a “cliff edge” effect: that is, the safety consequences of a flooding event can increase greatly with a modest increase in the flooding level.34 These incidents and other lesser ones show two common features: the maximum design basis flood in some countries is uncomfortably close to floods that recur on a regular basis, and climate change is likely to affect the recurrence pattern of high waters and high winds. This preliminary examination raises the question of whether flood protection should again be reviewed and should be a major part of protecting any new installation.

Reactor Anomalies

In this section, we look at a reactor event that would be classified as an anomaly or abnormal occurrence rather than an accident or incident. As mentioned earlier, anomalies and reliability indicators are very important, as they often serve as precursors for much larger incidents. The NRC recognizes this fact and is required to provide an annual report to Congress about each abnormal occurrence for the fiscal year. The NRC defines an abnormal occurrence as an unscheduled incident or event that the regulator determines to be significant from the standpoint of public health or safety.

Northeast Blackout. On August 14, 2003, the largest blackout in the history of North America left fifty million people across southeastern Canada and the northeastern United States without power. About six months later, after a three-month investigation, a U.S.-Canada task force determined that a combination of human error and equipment failures was the root cause of the blackout.

Nine nuclear power plants tripped in the United States: eight plants lost off-site power, and one plant was in an outage. The maximum amount of time until power was available to the switchyard for any plant was six-and-a-half hours. While all on-site emergency diesel generators performed as designed, this event was significant due to the number of plants affected by the outage and the unexpected amount of time without off-site power.

Lessons Learned from the Northeast Blackout. The NRC immediately took action following the blackout incident by issuing a regulatory summary reminding licensees that they are required to comply with their technical specifications relative to inoperability of off-site power. The NRC also issued a generic letter titled “Grid Reliability and the Impact on Plant Risk and the Operability of Off-site Power.”35 It required licensees to submit information in four areas: (1) use of protocols between the plant and the transmission system operator (TSO) or independent system operator (ISO) and the use of transmission load flow analysis tools to assist plants in monitoring grid conditions to determine the operability of off-site power systems; (2) use of plant protocols and analysis tools by TSOs to assist plants in monitoring grid conditions for consideration in maintenance risk assessments; (3) off-site power restoration procedures; and (4) losses of off-site power caused by grid failures at a frequency equal to or greater than once in twenty site-years per regulation.

The NRC and the Federal Energy Regulatory Commission (FERC) have held joint meetings annually since the blackout incident to ensure that adequate progress has been made in raising loss of off-site power capabilities of the domestic fleet.36 Licensees and the NRC are routinely in communication with TSOs and ISOs in order to anticipate potential issues. The NRC also developed improved operator examination and training programs that gave operators practice in communicating with grid operators. The relationships among FERC, the North American Electric Reliability Corporation (NERC), the NRC, and domestic licensees appear to be proactive and will be further examined as the NRC recommendations from Fukushima are implemented.


ENDNOTES

9. The so-called Rogovin Report disputes the role of operator error as a major contributor to the TMI accident. Instead, it cites inadequate training, poor operator procedures, lack of diagnostic skill on the part of the entire site-management group, misleading instrumentation, plant deficiencies, and poor control-room design. Whatever the cause, some operator actions clearly contributed to the accident. See Mitchell Rogovin and George T. Frampton, Jr., “Three Mile Island: A Report to the Commissioners and to the Public,” Nuclear Regulatory Commission, Special Inquiry Group (Washington, D.C.: U.S. Government Printing Office, 1980).

10. For example, see ibid. and Douglas M. Chapin et al., “Nuclear Power Plants and Their Fuel as Terrorist Targets,” Science 297 (5589) (September 20, 2002): 1997–1999.

11. U.S. Nuclear Regulatory Commission, “TMI-2 Lessons Learned Task Force Final Report” (NUREG-0585), Washington, D.C., 1979.

12. John G. Kemeny, Report of the President’s Commission on the Accident at Three Mile Island (New York: Pergamon Press, 1979).

13. Rees, Hostages of Each Other.

14. Contrast this mindset with Admiral Hyman Rickover, the “Father of the Nuclear Navy,” who famously said: “My program is unique in the military service in this respect: You know the expression ‘from the womb to the tomb’; my organization is responsible for initiating the idea for a project; for doing the research and the development; designing and building the equipment that goes into the ships; for the operations of the ship; for the selection of the officers and men who man the ship; for their education and training. In short, I am responsible for the ship throughout its life—from the very beginning to the very end.” See “Hearings on Military Posture and H.R. 12564,” Department of Defense Authorization for Fiscal Year 1975, 93rd Cong., 2nd sess. (Washington, D.C.: U.S. Government Printing Office, 1974), 1392.

15 Joseph Rees quotes former UC Berkeley Professor Tom Pigford: “The massive effort to comply with the vast body of [NRC] requirements and to demonstrate compliance therewith . . . foster[ed] . . . [the] complacent feelings that all of the work in meeting regulations must somehow insure safety”; see Rees, Hostages of Each Other.

16 U.S. Nuclear Regulatory Commission, “TMI-2 Lessons Learned Task Force Final Report.”

17. For a generally accepted analysis of the sequence of events, the causative factors of the accident, and a summary of measures to improve the safety of RBMK reactors, see International Nuclear Safety Advisory Group, “The Chernobyl Accident: Updating of INSAG 1,” Safety Series No. 75-INSAG-7 (Vienna, Austria: IAEA, 1992), commonly referred to as INSAG 7, as well as references and annexes therein, including to the earlier document, INSAG 1. See also the NRC backgrounder on Chernobyl: For a description of the RBMK reactor and more details on safety fixes after the Chernobyl accident, see “RBMK Reactors,” For a summary of environmental and health effects, see “The Chernobyl Accident: UNSCEAR’s Assessments of the Radiation Effects,” including references therein, especially “Health Effects due to Radiation from the Chernobyl Accident” (2008), an authoritative and detailed recent assessment. UNSCEAR is the United Nations Scientific Committee on the Effects of Atomic Radiation.

18. In what follows, we do not discuss the fixes specific to the RBMK. Those may be found in the references noted above, particularly “RBMK Reactors,” which also has a list of currently operating RBMK reactors.

19. International Nuclear Safety Advisory Group, “The Chernobyl Accident.”

20. The smallest and oldest, Unit 1, was 460 MWe, while Units 2 through 5 were 784 MWe. Unit 6 was the newest and was 1,100 MWe.

21. Nuclear Emergency Response Headquarters, Government of Japan, “Report of Japanese Government to the IAEA Ministerial Conference on Nuclear Safety–The Accident at TEPCO’s Fukushima Nuclear Power Stations” (Vienna, Austria: IAEA, June 2011).

22. Charles Miller, Amy Cubbage, Daniel Dorman, Jack Grobe, Gary Holahan, and Nathan Sanfilippo, “Recommendations for Enhancing Reactor Safety in the 21st Century: The Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident,” Nuclear Regulatory Commission, July 12, 2011, The NRC determined that both short-term and long-term task forces should be established, as has been done in Japan.

23. The Backfit Rule was introduced into NRC rule-making in 1970. A later rule-making change required that a backfit “must result in cost-justified substantial increase in protection of public health and safety or common defense and security.”

24. The interim report was issued on December 26, 2011; the full report is to be made available in Summer 2012. Only the executive summary was available in English at the time of this writing; see (Provisional) Executive Summary of the Interim Report, Investigation Committee on the Accidents at Fukushima Nuclear Power Stations of Tokyo Electric Power Company, December 26, 2011.

25. Per F. Peterson, Testimony to California State Senate Energy Committee Hearing on Nuclear Power Plant Safety, Panel on “Seismic and Secondary Seismic Risks Near Nuclear Power Plants and Spent Fuel Rod Storage Facilities in California,” April 14, 2011,

26. Evidence of a lack of preparation can be found in inadequate mutual aid agreements. For example, Diablo Canyon Power Plant near San Luis Obispo, California, identified the fact that no memorandum of understanding was in place with the California National Guard for the contingency to supply diesel fuel to the site were the main road to be unavailable. More examples can be found in the NRC investigative report,

27. Nuclear Emergency Response Headquarters, Government of Japan, “Report of Japanese Government to the IAEA Ministerial Conference on Nuclear Safety.”

28.For the final report, see U.S. Nuclear Regulatory Commission, “Davis-Besse Reactor Vessel Head Degradation,” Lessons Learned Task Force Report, 2002,

29. Ibid.

30. These are measured from NGF, a sea-level standard used in France.

31. Our account draws from Jean-Marie Mattéi, Eric Vial, Vincent Rebour, Heinz Liemersdorf, and Michael Türschmann, “Generic Results and Conclusions of Re-Evaluating the Flooding in French and German Nuclear Power Plants,” Eurosafe Forum, 2001, ; . (accessed March 21, 2011); A. Gorbatchev, Jean-Marie Mattéi, Vincent Rebour, and Eric Vial, “Report on Flooding of Le Blayais Power Plant on 27 December 1999,” Institute for Protection and Nuclear Safety, 2000; Eric de Fraguier, Presentation on “Lessons Learned from 1999 Blayais Flood: Overview of EdF Flood Risk Management Plan,” March 2010, http://www.nrc.gov/public-involve/conference-symposia/ric/slides/th35defraguierepv.pdf.

32. For a summary, see de Fraguier, “Lessons Learned from 1999 Blayais Flood.”

33. Peter Behr, “A Nuclear Plant’s Flood Defenses Trigger a Yearlong Regulatory Confrontation,” The New York Times, June 24, 2011, . Also, see http://www.forbes.com/feeds/ap/2011/07/27/general-ne-missouri-river-flooding-nuclear-safety_8587449.html.

34 This observation was made in the NRC’s near-term task force report on insights from the Fukushima-Daiichi accident.

35.

36. The capabilities of U.S. nuclear plants to deal with serious situations increased greatly following the 9/11 terrorist attacks. While these changes were targeted toward specific extreme external threats such as airplane attack and large fires, the plants’ defenses, mitigation capabilities, and emergency response capabilities have greatly improved.