After four years of increasingly tense internal discussion, seven Nuclear Regulatory Commission engineers have formally petitioned the governing Commissioners to either order the nation’s nuclear power plants to immediately correct a design flaw governing their reactor cooling systems or order them all to shut down.
The flaw is in the original design of the electrical system, and has escaped notice for decades. According to the engineers’ petition, as well as a series of staff analyses on file at the NRC, the design flaw occurs in what is called a “single phase” condition in which little or no electricity is entering the plant to operate its backup cooling systems in the event of a blackout or other event cutting off power from the grid. The result is that the motors of backup generators are underpowered and this can cause their motors to burn out. When that happens, there is no way to keep the reactor core cool.
The seven members of the Electrical Engineering Branch in the Office of Nuclear Reactor Regulation, led by Acting Chief Roy K. Mathew, stated in the petition that “the staff determined that all nuclear facilities are susceptible to this design vulnerability except one plant, and recommended that the NRC take prompt regulatory action.”
As a result, the petition states, if the plants are not ordered to immediately redesign their electrical systems then the Commissioners should “issue Orders to immediately shutdown the operating nuclear power plants since the licensees are operating their facilities without addressing the significant design deficiency…and with inoperable electric power systems….”
The situation evolved from an unplanned shutdown on January 30, 2012, at Unit 2 of the Byron Station Nuclear Power Plant in Illinois. At the time, it was thought that the shutdown resulted from a string of unfortunate coincidences. But further examination by the NRC’s electrical engineering branch found something more alarming.
Alternating current comes out in three currents, or phases, which are positive, negative, and neutral. At the high voltage levels coming directly from the power plant, the currents are on separate lines, labeled A, B, and C. David Lochbaum, nuclear safety expert with the Union of Concerned Scientists, explained that “the output from A and B are constantly monitored to make sure they are together, or in phase.
“There are circuit breakers and sensors within the system noting if there is a fault and the two are not in phase. When that happens, a circuit breaker opens to block that line and reroute the electricity. The grid operates on the same principle, with circuit breakers isolating lines when there are interruptions so the entire northeast doesn’t have a blackout.
“Within the plant there are electrical breakers signaled to open to isolate the problem and others will close for the systems around it. At Byron that didn’t happen. And they didn’t monitor the phase that failed.”
At Byron, however, the single phase, Line C, was not monitored and, in fact, had broken and fallen to the ground between the plant’s main transformer and the nearby power substation. Unfortunately, the staff analysis stated, the line on the ground “did not result in a detectable ground fault” since single phases were not monitored. Because of this power shortage, none of the plant’s four reactor coolant pumps were operable.
Officials from Exelon, which owns and operates Byron and 10 other nuclear power plants, as well as inspectors from the NRC initially thought that the shutdown was the result of a series of unfortunate coincidences. But on Feb. 28, 2012, there was a similar interrupted and undetected phase which caused a shutdown at Byron’s Unit 1. And, as in the earlier event, it disabled the plant’s cooling systems. That caused Mathew and the electric unit he led to investigate further and see if there had been any other shutdowns in which an undetected phase disruption disabled the cooling pumps. Their initial look found identical shutdowns at the Beaver Valley Power Station Unit 1 in Pennsylvania in November, 2007; and in New York, the James Fitzpatrick and the neighboring Nine Mile plants, which share a power substation, shut down in December, 2005.
The staff analysis concluded that the design of the electrical systems was “inadequate because it did not consider the possibility of the loss of a single phase… This situation resulted in neither the onsite nor the offsite electric power system being able to perform its intended safety functions” to provide electric power to the plant’s safety systems. Plants are required to have two separate sets of electrical power lines and monitors for their core cooling systems so that operators can still control the reactor even if one line is damaged by fire or another event.
The loss of a single phase of alternating current, the NRC staff found, “can potentially damage both trains of the emergency core cooling system.” In that case, there is nothing to prevent a meltdown.
In a practical sense, said Lochbaum, who assisted the NRC in updating their operator training manuals, the situation facing Byron resembled a brownout, in which only a small amount of electricity is getting through to the equipment. “The problem at Byron was that all the electrical equipment could not get enough electricity to operate effectively.
“The larger motors on the cooling pumps need a lot of current. If they aren’t getting the flow they need they can sit there and try to run, and basically their motors will burn up.”
In July 2012, the Mathew group sent out an urgent notice to all plant operators requesting that they check their electrical systems to see if they were capable of detecting problems in a single phase. They were ordered to complete their findings within 90 days.
The responses from all but one of the nation’s 100 nuclear plant operators were similar to the October 25, 2012 response from New York’s twin Indian Point nuclear power plants: “The relay systems were not specifically designed to detect an open single phase of a three phase system. Detection of a single-open phase condition is beyond the approved design and licensing basis of the plant.”
The lone outlier, which was not identified, had modified the plant’s electrical system for other reasons. But in the process, its system became immune to the defect present in all the other nuclear power plants.
Not only does this situation affect the 99 operating reactors, it also applies to the four AP1000 plants under construction at the Vogtle Plant in Georgia and the Summer plant in South Carolina. That is because these plants are a new design, and while their safety systems appeared sound on paper and in simulations, they do not work as planned when actually built and require design modifications to meet actual operational needs. As a result, a Feb. 26, 2013 staff analysis found that the electrical systems are incomplete and are still being designed.
“In addition,” the staff assessment concluded, “the generic AP1000 plant operating procedures are under development and the licensees’ review of the generic procedures did not identify specific operator actions related to phase voltage verifications of the three phases.”
As a result, the electrical group concluded, all of the nation’s nuclear plants are violating the terms of their operating licenses and must either be brought into compliance or shut down.
According to NRC statutes, this is a major issue.
NRC regulations governing the operating licenses dictate that “the safety systems shall be designed so that, once initiated automatically or manually, the intended sequence of protective actions of the execute features shall continue until completion.”
The group’s petition states “any failures in an offsite power system or onsite power system must not disable the safety functions of emergency core cooling and vital safety systems to protect the health and safety of the public.”
With the current system, they assert, the plants are violating a mandatory condition of their operating licenses.
As the issue was debated within the agency, the Mathew group cast a wider net and began looking at the root causes of shutdowns in the US and abroad, while pushing the agency to more forcefully address the design problem. To their surprise, they found 13 “open phase events” over a 14-year period, with the latest taking place at the Oconee Nuclear Power Station in South Carolina in December, 2015.
Further, the analysis of the twin events at the Byron plants produced a calculation that the risk of a full or partial meltdown had been 1 in 1,000. By comparison, the NRC’s preferred safety margin is 1 in about 8 million. The risk at Byron was so low that initially the agency considered changing the operating rating of Byron from green, the color associated with the most efficient, well-run plants, to red, which is one step away from being shut down. A decision was made by NRC management, however, that it would be unfair to penalize Byron for a systemic problem that applied to the entire American nuclear fleet.
In February, 2013, the NRC sent a notice to all American nuclear plant operators summarizing the findings of the electrical group and solicited industry input while new regulations were being drafted. By July, 2015, the Mathew group submitted a draft order, only to have it rejected by the NRC’s legal department as a violation of the “backfit rule.” That is a controversial measure adopted around 2000 which precludes new regulations that require power plant operators to make costly fixes to existing systems unless they are needed for a major safety reason.
The electrical group submitted a second draft and it, too, was rejected as a violation of the backfit rule. Rather than revise the rule a third time, the group chose to bypass the legal department and file a 2.206 petition, a specific process allowing citizens and civic groups to push for a rule making decision. The filing was unusual in that the group chose to file as civilians, rather than attempt other in-house means of getting the agency to order the industry to upgrade the suspect electrical systems.
The 2.206 petition first goes to the director of the agency’s Office of Nuclear Reactor Regulation for an opinion. The Commissioners can then assess the issue and adopt, modify, or overrule the director’s opinion.
“All along,” said David Lochbaum, “the engineers were told that this was a really big deal, and then the Office of Legal Counsel shoots it down and senior management apparently says it hasn’t happened often so let’s move on.
“A larger issue, then, is why did these guys have to take the petition route? Why didn’t senior managers back them up? Since the current reactor oversight program was adopted in 2000 there have only been 4 or 5 incidents that warranted a red finding against a plant. Then this comes up, and it’s a red finding on the whole industry, and the engineers are told to give up.
“What kind of safety regulation is that?”
–Roger Witherspoon writes Energy Matters at www.RogerWitherspoon.com