Workers began shutting down the reactor at the Palisades nuclear plant near South Haven, Michigan at 11:07 pm on August 11, 2012. After the reactor had restarted on July 10 from an unplanned maintenance outage, operators had detected reactor cooling water leaking into the containment building. After the leak rate exceeded NRC’s threshold limits on July 16, workers entered the containment building several times trying to find the source of the leak, but were unable to locate it.
The leakage rate increased until it reached 0.3 gallons per minute (about 18 gallons per hour) late on August 11. Management directed the operators to shut down the reactor to allow workers to access all of the containment building to search for the leak. With the reactor operating, high temperatures and high radiation levels prevented them from entering some areas inside containment. On August 12 after the reactor had been shut down, workers identified the leak to be from a crack in one of the control rod drive mechanism (CRDM) housings.
Control rods contain material that absorbs small atomic particles called neutrons. Neutrons are released when atoms split apart to power the nuclear engine. Control rods are withdrawn from the reactor core to permit more neutrons to be available to cause atoms to split, increasing the power level. Control rods are inserted into the reactor core to make more neutrons unavailable to reduce the reactor core’s power level or shut it down entirely.
An electric motor for each control rod enables its insertion and withdrawal. The electric motors are outside of the metal reactor vessel that houses the reactor core. They are mounted on top of the reactor vessel’s head. Metal poles connect the motors to the control rods. Each metal pole passes through a roughly 4-inch diameter hole in the 6-inch thick reactor vessel head. The CRDM housing surrounds the electric motor and accommodates the upward and downward travel of the metal poles and the control rods connected to their lower ends. Part of the metal CRDM outside the reactor vessel cracked and was leaking reactor cooling water. The owner reported it to the NRC as being reactor coolant pressure boundary leakage.
Palisades is not the first pressurized water reactor to have operated with reactor coolant pressure boundary leakage longer than permitted by its operating license. Davis-Besse is, so far, the quintessential example.
The photo is looking down at a portion of Davis-Besse’s reactor vessel head. The 4-inch diameter hole for a CRDM is on the left. When the CRDM cracked, small leakage over what the owner estimated to be about six years ate away the reactor vessel metal to its right. A large portion of the six-inch thick reactor vessel head was totally degraded. The silvery material is a thin veneer of stainless steel applied to the inside surface of the reactor vessel head. It alone prevented water from escaping from the reactor vessel like air from a burst balloon.
Davis-Besse may have operated for six years with an unsafe condition that is only allowed to exist for six hours by its operating license. Palisades operated for more than 30 days with the same unsafe condition that its operating license again only permitted for six hours.
How does this happen?
Like other U.S. pressurized water reactors including Davis-Besse, Palisades has four limits in its operating license for reactor cooling water leakage:
- 150 gallons per day leakage through the tubes within any steam generator,
- 10 gallons per minute leakage through identified pathways,
- 1 gallon per minute leakage through unidentified pathways, and
- No leakage through the reactor coolant pressure boundary.
Whenever any of the first three limits is exceeded, the reactor can operate for up to four hours while workers attempt to reduce the leakage rate back within the specified limits. Whenever any of the first three limits is exceeded for four hours or whenever the fourth limit is exceeded, the reactor must be shut down within six hours.
Thus, while the NRC-issued operating license only allowed Palisades to operate for up to six hours with reactor coolant pressure boundary leakage, the reactor operated the reactor for over a month with this affliction.
The problem stems from having four limits and only three monitoring methods. Steam generator tube leakage is monitored by detectors that only react to leaking tubes. Those detectors reliably determine whether the 150 gallon per day limit is being met, or not.
Identified leakage is also effectively monitored. For example, the large coolant pumps that circulate water through the reactor vessels experience small amounts of leakage along their pump shafts. The reactor cooling water leaking from the pump shafts is collected. The detector watching that collection reliably identifies the source of that leakage.
Unidentified leakage, as its name suggests, could be coming from anywhere. Almost anywhere, as it’s known not to be leaking through steam generator tubes or from identified sources like the coolant pumps. Basically, these leak detectors track the water that ends up in the containment’s basement. It could have come from leaking valves, cracked piping, or literally thousands of other places inside containment – including the reactor coolant pressure boundary.
Because its source is known and its safety implications better defined, operating licenses permit up to 10 gallons per minute of identified reactor coolant leakage.
With its source unknown and its safety implications undefined, operating licenses only permit up to 1 gallon per minute of unidentified reactor coolant leakage.
With significant safety implications well known, operating licenses permit NO reactor coolant pressure boundary leakage. Not a single drop, or the reactor must be shut down within six hours.
When unidentified leakage is detected, it’s commonly assumed to be coming from someplace other than the reactor coolant pressure boundary. Statistically, this assumption is valid most of the time. A minority of the time, as in this case at Palisades and the classic case at Davis-Besse, the assumption is bogus. This flawed assumption enabled Palisades to operate for over 30 days with safety degradation that its operating license only permitted to exist for up to 6 hours.
Consider this hypothetical case: Plant A and Plant B are pressurized water reactors each having the four reactor coolant leakage limits specified above in their operating licenses. The operators at both plants detect reactor cooling water leakage of 0.2 gallons per minute from an unidentified location. Plant A’s owner makes the conservative decision to assume that the leakage is through the reactor coolant pressure boundary (because it cannot be conclusively ruled out) and shuts down the reactor within six hours. Plant B’s owner makes the non-conservative decision to assume that the leakage is NOT through the reactor coolant pressure boundary despite no evidence supporting that call and continues to operate the reactor for over a year until the next scheduled refueling outage.
Workers at Plant A and Plant B determine that the leakage was indeed through the reactor coolant pressure boundary. Plant A’s owner complied with the terms of the operating license while Plant B’s owner violated the operating license for over a year.
The NRC did not sanction Palisades for violating its operating license for over 30 days. And it would also be unlikely to sanction Plant B’s owner, even hypothetically, for its year-plus infraction.
How should NRC handle such situations? NRC’s regulations permit it to levy a $130,000 fine for each day that a violation exists. Palisades operated for 26 days (if July 16 is used to start the clock) or 32 days (if July 10 starts the clock) in violation of its operating license limit on reactor coolant pressure boundary leakage. The NRC should fine the owner $3.38 million or $4.16 million for the safety violations.
By failing to enforce safety regulations, NRC is enabling unsafe decisions and establishing a perverse risk/reward situation. When faced with safety decisions like that faced at Palisades, owners can opt for safety – and risk loss of revenue if the leak is coming from someplace other than the reactor coolant pressure boundary – or opt against safety – and risk ZERO chance that the NRC will fine them for violating its safety regulations. That’s just wrong and the NRC should be condemned for sustaining this unsafe practice.
And the Plant A / Plant B example above isn’t all that hypothetical. In fall 2001, NRC wanted Davis-Besse and North Anna to shut down to inspect their CRDM nozzles for leaks. Workers found leaking CRDMs at the Oconee plant in spring 2001. NRC determined that Davis-Besse and North Anna were among 12 reactors most likely to have leaking CRDM nozzles. But these reactors were not scheduled to shut down until 2002 for refueling. NRC wanted them to shut down anyway for the safety inspections. North Anna’s owner voluntarily shut down the reactor for the inspection. Davis-Besse’s owner showed up with its lawyer for its meetings with the NRC. The NRC blinked and allowed Davis-Besse to operate into 2002 with the bag gaping hole in the reactor vessel head.
“Fission Stories” is a weekly feature by Dave Lochbaum. For more information on nuclear power safety, see the nuclear safety section of UCS’s website and our interactive map, the Nuclear Power Information Tracker.