Role of Regulation in Nuclear Plant Safety #6
Both reactors at the DC Cook nuclear plant in Michigan shut down in September 1997 until a containment design flaw identified by a Nuclear Regulatory Commission (NRC) inspection team could be fixed. An entirely different safety problem reported to the NRC in August 1995 at an entirely different nuclear reactor began toppling dominoes until many safety problems at both nuclear plants, as well as safety problems at many other plants, were found and fixed.
First Stone Cast onto the Waters
On August 21, 1995, George Galatis, then an engineer working for Northeast Utilities (NU), and We The People, a non-profit organization founded by Stephen B. Comley Sr. in Rowley, Massachusetts, petitioned the NRC to take enforcement actions because irradiated fuel was being handled contrary to regulatory requirements during refueling outages on the Unit 1 reactor at the Millstone Power Station in Waterford, Connecticut.
Ripples Across Connecticut
The NRC’s investigations, aided by a concurrent inquiry by the NRC’s Office of the Inspector General, substantiated the allegations and also revealed the potential for similar problems to exist at Millstone Units 2 and 3 and at Haddam Neck, the other nuclear reactors operated by NU in Connecticut. The NRC issued Information Notice No. 96-17 to nuclear plant owners in March 1996 about the problems they found at Millstone and Haddam Neck. The owner permanently shut down the Millstone Unit 1 and Haddam Neck reactors rather than pay for the many safety fixes that were needed, but restarted Millstone Unit 2 and Unit 3 following the year-plus outages it took for their safety margins to be restored.
Ripples Across the Country
The NRC sent letters to plant owners in October 1996 requiring them to respond, under oath, about measures in-place and planned to ensure: (1) applicable boundaries are well-defined and available, and (2) reactors operate within the legal boundaries. In other words, prove to the NRC that other reactors were not like the NU reactors were.
The NRC backed up their letter writing safety campaign by forming three NRC-led teams of engineers contracted from architect-engineer (AE) firms (e.g., Bechtel, Stone & Webster, Burns & Roe) to visit plants and evaluate safety systems against applicable regulatory requirements. The NRC’s Frank Gillespie managed the AE team inspection effort. The NRC issued Information Notice No. 98-22 in June 1998 about the results from the 16 AE inspections conducted to that time. Numerous safety problems were identified and summarized by the NRC, including ones that caused both reactors at the DC Cook nuclear plant to be shut down in September 1997.
Ripplin’ in Michigan
The AE inspection team sent to the DC Cook nuclear plant in Michigan was led by NRC’s John Thompson and backed by five consultants from the Stone & Webster Engineering Corporation.
Sidebar: UCS typically does not identify NRC individuals by name as we have here for Gillespie and Thompson. But both received unfair criticisms from a NRC senior manager for performing their jobs well. Gillespie, for example, told me that the manager yelled at him, “We didn’t send teams out there to find safety problems!” NRC workers doing their jobs well deserve praise, not reprisals. Thanks Frank and John for jobs very well done. The senior manager will go unnamed and unthanked for a job not done so well.
DC Cook had two Westinghouse four-loop pressurized water reactors (PWRs) with ice condenser containments. Unit 1 went into commercial operation in August 1975 and Unit 2 followed in July 1978. The NRC team identified a design flaw that could have caused a reactor core meltdown under certain loss of coolant accident (LOCA) conditions.
A LOCA occurs when a pipe connected to the PWR vessel (reddish capsule in the lower center of Figure 1) breaks. The water inside a PWR vessel is at such high pressure that it does not boil even when heated to over 500°F. When a pipe breaks, high pressure water jets out of the broken ends into containment. The lower pressure inside containment causes the water to flash to steam.
In ice condenser containments like those at DC Cook, the steam discharged into containment forces open doors at the bottom of the ice condenser vaults. As shown by the red arrow on the left side of Figure 1, the steam flows upward through baskets filled with ice. Most, if not all, of the steam is cooled down and turned back into water. The condensed steam and melted ice drops down to the lower sections of containment. Any uncondensed steam vapor along with any air pulled along by the steam flows out from the top of the ice condenser into the upper portion of containment.
Emergency pumps and large water storage tanks not shown in Figure 1 initially replace the cooling water lost via the broken pipe. The emergency pumps transfer water from the storage tanks to the reactor vessel, where some of it pours out of the broken pipe into containment.
The size of the broken pipe determines how fast cooling water escapes into containment. A pipe with a diameter less than about 2-inches causes what is called a small-break LOCA. A medium-break LOCA results from a pipe up to about 4-inches round while a large-break LOCA occurs when larger pipes rupture.
Before the storage tanks empty, the emergency pumps are re-aligned to take water from the active sump area within containment. The condensed steam and melted ice collects in the active sump. The emergency pumps pull water from the active sump and supply it to the reactor vessel where it cools the reactor core. Water spilling from the broken pipe ends finds its way back to the active sump for recycling.
The NRC’s AE inspection team identified a problem in the containment’s design for small-break LOCAs. The condensed steam and melted ice flows into the pipe annulus (the region shown in Figure 2 between the outer containment wall and the crane wall inside containment) and into the reactor cavity. The water level in the pipe annulus must rise to nearly 21 feet above the floor before water could flow through a hole drilled in the crane wall into the active sump. The water level in the reactor cavity must rise even farther above its floor before water could flow through a hole drilled in the pedestal wall into the active sump.
For medium-break and large-break LOCAs, the large amount of steam discharged into containment flooded both these volumes and then the active sump long before the storage tanks emptied and the emergency pumps swapped over to draw water from the active sump. Thus, there was seamless supply of makeup cooling water to the vessel to prevent overheating damage.
But for small-break LOCAs, the storage tanks might empty before enough water filled the active sump. In that case, the flow of makeup cooling water could be interrupted and the reactor core might overheat and meltdown.
Calmed Waters in Michigan
The owner fixed the problem by drilling holes through lower sections of the crane and pedestal walls. These holes allowed water to fill the active sump in plenty of time for use by the emergency pumps for all LOCA scenarios. Once this and other safety problems were remedied (and a $500,000 fine paid), both reactors at DC Cook restarted.
The event in this case is the August 1995 notification to the NRC that the Millstone Unit 1 reactor was being operated outside its safety boundaries and the regulatory ripples caused by that notification that led to the identification and correction of containment flaws at DC Cook. For that event sequence, the NRC response reflected just right regulation.
The NRC asked and answered whether the August 1995 allegations were valid—finding that they were.
Once the initial allegation was substantiated, the NRC asked and answered whether that kind of problem also affected other reactors operated by the same owner—finding that it did.
Once the extent-of-condition determined that multiple reactors operated by the same owner were affected, the NRC asked and answered whether similar kinds of problems could also affect other reactors operated by other owners—finding that they did.
In seeking the answer to that broader extent-of-condition question, the NRC AE inspection team identified a subtle design flaw that had escaped detection for two decades. And slightly over two years elapsed between the NRC’s initial notification and both reactors at DC Cook being shut down to fix the design flaw. While neither a blink of an eye nor a frenetic pace, that’s a pretty reasonable timeline given the number of steps needed and taken between these endpoints.
Had the NRC put the blinders on after receiving the allegations about Millstone Unit 1 and not considered whether similar problems compromised safety at other reactors, this event would have fallen into the under-regulation bin.
Had the NRC jumped to the conclusion after receiving the allegations about Millstone Unit 1 that all other reactors were likely afflicted with comparable, or worse, safety problems and ordered all shut down until proven affliction-free, this event would have fallen into the over-regulation bin.
By putting the Millstone Unit 1 allegations in proper context in a timely manner, the NRC demonstrated just-right regulation.
* * *
UCS’s Role of Regulation in Nuclear Plant Safety series of blog posts is intended to help readers understand when regulation played too little a role, too much of an undue role, and just the right role in nuclear plant safety.