Nuclear Leaks: The Back Story the NRC Doesn’t Want You to Know about Palo Verde

, director, Nuclear Safety Project | June 14, 2017, 6:00 am EDT
Bookmark and Share

As described in a recent All Things Nuclear commentary, one of two emergency diesel generators (EDGs) for the Unit 3 reactor at the Palo Verde Nuclear Generation Station in Arizona was severely damaged during a test run on December 15, 2016. The operating license issued by the Nuclear Regulatory Commission (NRC) allowed the reactor to continue running for up to 10 days with one EDG out of service. Because the extensive damage required far longer than 10 days to repair, the owner asked the NRC for permission to continue operating Unit 3 for up to 62 days with only one EDG available. The NRC approved that request.

Around May 18, 2017, I received an envelope in the mail containing internal NRC documents with the back story for this EDG saga. I submitted a request under the Freedom of Information Act (FOIA) for these materials, but the NRC informed me that they could not release the documents because the matter was still under review by the agency. I asked the NRC’s Office of Public Affairs for a rough estimate of when the agency would conclude its review and release the documents. I was told that their review of the safety issues raised in the documents wasn’t a priority for the NRC and they’d get to it when they got to it.

Well, nuclear safety is a priority for me at UCS. And since I already have the documents, I don’t need to wait for the NRC to get around to concluding its stonewalling— I mean “review”—of the issues.  Here is the back story the NRC does not want you to know about the busted EDG at Palo Verde.

Emergency Diesel Generator Safety Role

The NRC issued the operating license for Palo Verde Unit 3 on November 25, 1987. That initial operating license allowed Unit 3 to continue running for up to 72 hours with one of its two EDGs out of service. Called the “allowable outage time,” the 72 hours balanced the safety need to have a reliable backup power supply with the need to periodically test the EDGs and perform routine maintenance.

The EDGs are among the most important safety equipment at nuclear power plants like Palo Verde. The March 2011 accident at Fukushima Daiichi tragically demonstrated this vital role. A large earthquake knocked out the electrical power grid to which Fukushima Daiichi’s operating reactors were connected. Power was lost to the pumps providing cooling water to the reactor vessels, but the EDGs automatically started and took over this role. About 45 minutes later, a tsunami wave spawned by the earthquake inundated the site and flooded the rooms housing the EDGs. With both the normal and backup power supplies unavailable, workers could only supply makeup cooling water using battery-powered systems and portable generators. They fought a heroic but futile battle and all three reactors operating at the time suffered meltdowns.

More EDG Allowable Outage Time

On December 23, 2005, the owner of Palo Verde submitted a request to the NRC seeking to extend the allowable outage time for an EDG to be out of service to 10 days from 72 hours. Longer EDG allowable outage times were being sought by nuclear plant owners. Originally, nuclear power reactors shut down every year for refueling. The refueling outages provided ample time to conduct the routine testing and inspection tasks required for the EDGs. To boost electrical output (and hence revenue), owners transitioned to only refueling reactors every 18 or 24 months and to shorten the duration of the refueling outages. To facilitate the transitions, more and more testing and inspections previously performed during refueling outages were being conducted with the reactors operating. The argument supporting online maintenance was that while it adversely affected availability (i.e., an EDG was deliberately removed from service for testing and inspecting), the increased reliability (i.e., tests to confirm EDGs were operable were conducted every few weeks instead of spot checks every 18 to 24 months). The NRC approved the amendment to the operating licenses extending the EDG allowable outage times to 10 days on December 5, 2006.

More NRC/Industry Efforts on Allowable Outage Times

While the EDGs have important safety roles to play, they are not the only safety role players. The operating license for a nuclear power reactor covers dozens of components, each with its own allowable outage time. Around the time that longer EDG allowable outage times were sought and obtained at Palo Verde, the nuclear industry and the NRC were working on protocols to make proper decisions about allowable outage times for various safety components. On behalf of the nuclear industry, the Nuclear Energy Institute submitted guidance document NEI 06-09 to the NRC. On May 17, 2007, the NRC issued its safety evaluation report documenting its endorsement of NEI-06-09 along with its qualifications for that endorsement.

To create yet another acronym for no apparent reason, the nuclear industry and NRC conjured up Risk Informed Completion Time (RICT) to use in place of allowable outage time (AOT). The NRC explicitly endorsed a 30-day limit on RICTs (AOTs):

“The RICT is further limited to a deterministic maximum of 30 days (referred to as the backstop CT [completion time] from the time the TS [technical specification or operating license requirement] was first entered.”

The NRC explained why the 30-day maximum limit was necessary:

“The 30-day backstop CT assures that the TS equipment is not out of service for extended periods, and is a reasonable upper limit to permit repairs and restoration of equipment to an operable status.”

NEI 06-09 and the NRC’s safety evaluation applied to all components within a nuclear power reactor’s operating license. The 30-day backstop limit was the longest AOT (RICT) permitted. Shorter RICTs (AOTs) might apply for components with especially vital safety roles.

For example, the NRC established more limiting AOTs (RICTs) for the EDGs. In February 2002, the NRC issued Branch Technical Position 8-8, “Onsite (Emergency Diesel Generators) and Offsite Power Sources Allowed Outage Time Extensions.” This Branch Technical Position is part of the NRC’s Standard Review Plan for operating reactors. The Standard Review Plan helps plant owners meet NRC’s expectations and NRC reviewers and inspectors verify that expectations have been met. The Branch Technical Position is quite clear about the EDG allowable outage time limit:

“An EDG or offsite power AOT license amendment of more than 14 days should not be considered by the staff for review.” [underlining in original]

Exceptions and Precedent

Consistent with the “every rule has its exception” cliché, neither the 14-day EDG AOT in NRC Branch Technical Position 8-8 nor the 30-day backstop limit in the NRC’s safety evaluation for NEI 06-09 are considered hard and fast limits. Owners can, and do, request NRC’s permission for longer times under special circumstances.

The owner of the DC Cook nuclear plant in Michigan asked the NRC on May 28, 2015, for permission to operate the Unit 1 reactor for up to 65 days with one of its two EDGs out of service. The operating licensee for Unit 1 already allowed one EDG to be out of service for up to 14 days. During testing of an EDG on May 21, 2015, inadequate lubrication caused one of the bearings to be severely damaged. Repairs were estimated to require 56 days.

The NRC emailed the owner questions about the 65-day EDG AOT on May 28 and May 29. Among the questions asked by the NRC was how Unit 1 would respond to a design basis loss of coolant accident (LOCA) concurrent with a loss of offsite power (LOOP) and a single failure of the only EDG in service. The EDGs are designed to automatically start from the standby mode and deliver electricity to safety components within seconds. This rapid response is needed to ensure the reactor core is cooled should a broken pipe (i.e., LOCA) drain cooling water should electrical power to the makeup pumps not be available (i.e., LOOP). The single failure provision is an inherent element of the redundancy and defense-in-depth approach to nuclear safety.

The NRC did not approve the request for a 65-day EDG AOT for Cook Unit 1.

The NRC did not deny the request either.

On June 1, 2015, the owner formally withdrew its request for the 65-day EDG AOT and shut down the Unit 1 reactor. The Unit 1 reactor was restarted on July 29, 2015.

More on the Back Story

About 18 months after one of two EDGs for the Unit 1 reactor at DC Cook was severely damaged during a test run, one of two EDGs for the Unit 3 reactor at Palo Verde was severely damaged during a test run.

About 18 months after DC Cook’s owner requested permission from the NRC to continue running Unit 1 for up to 65 days with only one EDG in service, Palo Verde’s owner requested permission to continue running Unit 3 for up to 62 days.

About 18 months after the NRC staff asked DC Cook’s owner how Unit 1 would respond to a loss of coolant accident concurrent with a loss of offsite power and failure of the remaining EDG, the NRC staff merely assumed that a loss of coolant accident would not happen during the 62 days that Palo Verde Unit 3 ran with only one EDG in service. Enter the back story as reported by the Arizona Republic.

On December 23, 2016, and January 9, 2017, Differing Professional Opinions (DPOs) were initiated by member(s) of the NRC staff registering formal disagreement with NRC senior management’s plan to allow the 62-day EDG AOT for Palo Verde Unit 3. The initiator(s) checked a box on the DPO form to have the DPO case file be made publicly available (Fig. 1).

Fig. 1 (Source: United States Postal Service)

The DPO initiator(s) allege that the 62-day EDG AOT was approved by the NRC because the agency assumed that a loss of coolant accident simply would not happen. The DPO stated:

“The NRC and licensee ignored the loss of coolant accident (LOCA) consequence element. Longer outage times increase the vulnerability to a design basis accident involving a LOCA with the loss of offsite power (LOOP) event with a failure of Train A equipment.”

Palo Verde has two fully redundant sets of safety equipment, Trains A and B. The broken EDG provided electrical power (when unbroken) to Train B equipment. The 62-day EDG AOT was approved based on workers scurrying about to manually start combustible gas turbines and portable generators to provide electrical power that would otherwise be supplied by EDG 3B. The DPO stated:

“The Train B EDG auto starts and loads all safety equipment in 40 seconds. The manual actions take at least 20 minutes, if not significantly longer.”

Again, the rapid response is required to mitigate a loss of coolant accident that drains water from the reactor vessel. When water does not drain away, it takes time for the reactor core’s decay heat to warm up and boil away the reactor vessel’s water, justifying a slower response time.

The NRC staff considered a loss of coolant accident for the broken EDG at Cook but allegedly dismissed it at Palo Verde. Curious.

The DPO also disparaged the non-routine measures undertaken by the NRC to hide their deliberations from the public:

“The pre-submittal call occurred on a “non-recorded” [telephone] line. The NRC staff debated the merits of the call in a headquarters staff only discussion. Note that the Notice of Enforcement Discretion calls are done on recorded [telephone] lines.”

President Richard Nixon’s downfall occurred when it become known that tape recordings of his impeachable offenses existed. The NRC avoided this trap by deliberately not following their routine practice of recording the telephone discussions. Peachy!

Cognitive Dissonance or Unnatural Selection?

The NRC’s approval of the 62-day EDG AOT for Palo Verde Unit 3 is perplexing, at best.

In the amendment it issued January 4, 2017, approving the extension, the NRC wrote:

“Offsite power sources and one train of onsite power source would continue to be available for the scenario of a loss-of-coolant accident” while EDG 3B was out of service.

In other words, the NRC assumed that loss of offsite power (LOOP) and loss of coolant accident (LOCA) are separate events. The NRC assumed that if a LOCA occurred, electrical power from the offsite grid would enable safety equipment to refill the reactor vessel and prevent meltdown. And the NRC assumed that if a LOOP occurred, a LOCA would not drain water from the reactor vessel, giving workers time to find, deploy, and start up the portable equipment and prevent core overheating.

But in the amendment it issued December 5, 2006, establishing the 10-day EDG AOT, the NRC wrote:

“During plant operation with both EDGs operable, if a LOOP occurs, the ESF [engineered safeguards] electrical loads are automatically and sequentially loaded to the EDGs in sufficient time to provide for safe reactor shutdown or to mitigate the consequences of a design-basis accident (DBA) such as a loss-of-coolant accident (LOCA).”

In those words, the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.

More importantly, page B 3.8.1-2 of the bases document dated May 12, 2016, for the Palo Verde operating licenses is quite explicit about the LOOP/LOCA relationship:

“In the event of a loss of preferred power, the ESF electrical loads are automatically connected to the DGs in sufficient time to provide for safe reactor shutdown and to mitigate the consequences of a Design Basis Accident (DBA) such as a loss of coolant accident (LOCA).”

In those words, the operating licenses issued the NRC assumed that LOOP and LOCA could occur concurrently in design basis space.

So, the NRC either experienced cognitive dissonance in having two opposing viewpoints on the same issue or made the unnatural selection of LOCA without LOOP.

Actions May Speak Louder Than Words, But Inaction Shouts Loudest

Check out this chronology:

  • December 15, 2016: EDG 3B for Palo Verde Unit 3 failed catastrophically during a test run
  • December 21, 2016: Owner requested 21-day EDG AOT
  • December 23 2016: NRC approved 21-day EDG AOT
  • December 23, 2016: DPO submitted opposing 21-day EDG AOT
  • December 30, 2016: Owner requested 62-day EDG AOT
  • January 4, 2017: NRC approved 62-day EDG AOT
  • January 9, 2017: DPO submitted opposing 62-day EDG AOT
  • February 6, 2017: NRC special inspection team arrived at Palo Verde to examine EDG’s failure cause
  • February 10, 2017: NRC special inspection team concluded its onsite examinations
  • April 10, 2017: NRC issued special inspection team report

The NRC jumped through hoops during the Christmas and New Year’s holidays to expeditiously approve a request to allow Unit 3 to continue generating revenue.

The NRC has not yet responded to two DPOs questioning the safety rationale behind the NRC’s approval.

If the NRC really and truly had a solid basis for letting Palo Verde Unit 3 run for so long with only one EDG, they have had plenty of time to address the issues raised in the DPOs. Way more than 62 days, in fact.

William Shakespeare wrote about something rotten in Denmark.

The bard never traveled to Rockville to visit the NRC’s headquarters. Had he done so, he might have discovered that rottenness is not confined to Denmark.

Posted in: Nuclear Power Safety Tags: , , , ,

Support from UCS members make work like this possible. Will you join us? Help UCS advance independent science for a healthy environment and a safer world.

Show Comments

Comment Policy

UCS welcomes comments that foster civil conversation and debate. To help maintain a healthy, respectful discussion, please focus comments on the issues, topics, and facts at hand, and refrain from personal attacks. Posts that are commercial, self-promotional, obscene, rude, or disruptive will be removed.

Please note that comments are open for two weeks following each blog post. UCS respects your privacy and will not display, lend, or sell your email address for any reason.

  • Troy Kelly

    Mr. Lochbaum,
    Just curious about your thoughts on the aging status of the EDG fleet around the world (most of which, even though repaired and maintained are as old as the plants they protect), and contrasting that with the higher reliability and simplicity of Gas Turbine based generators. While each type (16-20 cylinder Diesel vs one Gas Turbine Engine) has its pluses and minuses, It seems the GTGs from a safety standpoint’s advantages vastly outweigh the detractors. Chief advantages of GTGs over Diesels are they require zero cooling water, can run continuously at 100%, and can burn just about any type of fuel oil you can feed them. The engines are modular, lighter, and more quickly replaced (and can be placed high up in structures), the typical engines used are models with literally millions of hours of “flight” time, and are relied on by just about every class of modern (non-nuclear) military vessel for electrical power and propulsion. Even in the Capital DC area, most computing and storage facilities the government relies on are backed up by GTGs, not ETGs. Shipboard GTGs run for years without incident.

    The only comparable detractor is that a Diesel engine can start in as little as 10 seconds, whereas a turbine can take 40 seconds.

    Contrasted with the venerable (but highly complicated) EDGs, that, the government and NRC have had reliability problems with for decades (actually every industry that uses them has manufacturing, maintenance, aging, vibration, lubrication, etc. problems), and the requirement for cooling water to keep them functioning (a requirement that doomed the Fukushima reactors even IF the EDGs hadn’t been flooded), and it would seem the choice would be clear. (Other than the cost perspective, which nuclear plants love to cut corners on that). There have been concerns on the aging fleet of EDGs since at least 1987 – a situation that can only get worse over time, not better.

    Here is a comparison chart of advantages and disadvantages: – The lack of a requirement for cooling water alone (in an environment where most US plants are vulnerable to losing their cooling water intake pumps) seems to be worth the eventual switchover.

    Thoughts? Has the NRC ever even considered this as a move away from older technology?

    • Lenny Sueper

      Some nuclear plants DO have combustion turbines installed that are backups to the EDGs (which in turn are backups in case of problems with the power grid). No one technology is a panacea. If Fukushima had turbine generators installed instead I don’t know that the outcomes would have been any better. For starters, turbines require pipelines to supply that gas that can and do rupture during large earthquakes. I don’t see EDG aging as an issue. As with Jay Leno’s automobile collection, if you maintain the equipment and keep it in repair there is no reason an EDG can’t run forever. When parts break or wear out you can simply replace them, like the head and handle of Abraham Lincoln’s proverbial ax.

      • light299

        Speaking of ‘some plants’… Palo Verde is just such a plant.

      • Troy Kelly

        The EDGs also have fuel supply pipelines that can rupture, so the risks are equal from that front. The difference is, when an EDG blows a piston, cracks a crankshaft, spins a bunch of bearings, or catastrophically fails, it takes a couple of months to repair and/or replace it. (hence the reason plants do things like ask for 62 day extensions to run) They are mammoth in size, weight, and complexity.

        A gas turbine engine is relatively small, light, simple, modular, and can be replaced in hours to a couple of days. And, as I pointed out, can run on just about any combustible oil or gas.

        While its true that even having GTGs wouldn’t have done anything for the Fukushima loss of ultimate heat sync issue, (due to destruction of the cooling pump intakes, etc.) they would have at least had control of all of the electrical/electronic instrumentation and valves, which might have made a difference in the outcome.

        If a plant DOES have GTGs, it is incumbent upon them to update their operating parameters to officially allow them to use them in place of a blown EDG, something Palo Verde didn’t do.

  • Lenny Sueper

    And now for the information UCS doesn’t want you to know about Palo Verde (or maybe its information UCS didn’t know themselves). First, nuclear power plants in the US tend to vary meaningfully from one site to the next. The design of newer reactors have benefited from the lessons learned from the operation of older units. Just as a 1986 Mercury Sable has safety features not found on in a 1974 Grand Torino (both of which continue to be legally driven on our highways), Palo Verde is a newer plant that has more redundancy and flexibility built into its diesel generator system than at DC Cook. Second, the NRC Branch Technical Position sets a high bar with specific criteria that not all power plants likely to be able to meet. In fact, only months before the diesel failure Palo Verde had completed a plant modification without which Palo Verde may not have been able to meet the NRC’s criteria. I performed an analysis for my utility and determined it was far from a sure thing that we would have been able to meet the Branch Technical Position requirements. Other nuclear plants (e.g. Comanche Peak and South Texas Project) have also requested and been granted permission for extended operation in the past but only after implementing significant compensatory measures such as installing several large portable backup diesels in addition to maintaining the existing backup generators in an operable status.
    The DPO process is a valuable tool that allows NRC employees to voice concerns about issues that are often complex and technical in nature. When finalized, the results will be made public along with a thorough explanation. The process doesn’t benefit from speculation from the public peanut gallery.
    Please leave the baseless insinuations and conspiracy theories to Sean Hannity and the Alt Right. Besides, it makes no sense that Palo Verde would have put pressure on the NRC to approve their extension. If anything, DC Cook is under greater financial threat due to the availability of cheap natural gas in the midwest than is Palo Verde.

  • TimS

    UCS is ever doing a nice job to favor the fossil fuel industry through their scaremongering articles against carbon-free nuclear power which is the safest per unit of energy produced, fewer fatalities and less ecological impacts than so-called renewables. Meanwhile, air pollution from fossil fuels(backup for intermittent renewables) respects no border and is killing thousands of people each day, millions each year.