Amnesty Irrational

How the Nuclear Regulatory Commission Fails to Hold Nuclear Reactors Accountable for Violations of its Own Safety Regulations

James P. Riccio

Public Citizen

Critical Mass Energy and Environment Program

215 Pennsylvania Ave., SE

Washington, DC 20003

August 1999

This report is dedicated to the individuals and families of the National Nuclear Safety Network: An association of whistleblowers and citizens that have risked both their lives and livelihoods to address significant safety issues at nuclear reactors across the U.S.

Copyright 1999 by Public Citizen. All rights reserved. No part of this document may be reproduced or utilized in any form or by any means electronic or mechanical, including photography, recording or by information storage and retrieval system, without written permission from the author.

TABLE OF CONTENTS

Executive Summary

Introduction

I. Findings

Emergency Core Cooling System Problems

Inadequate Cable Separation

Single Failure Vulnerabilities

II. Nuclear "Safety," The Design Basis & the Final Safety Analysis Report

What is Nuclear "Safety"

What is the Design Basis of a Nuclear Reactor

What is the Final Safety Analysis Report (FSAR)

III. NRC's Decades of Denial

Three Mile Island Meltdown & Its Aftermath

The Denton Memos

The Systematic Evaluation Plan (SEP)

Deficiencies in Design Basis Documentation

1985 Davis Besse Accident

Design Basis Reconstitution Programs

License Renewal

1992 NRC Policy Statement

NRC Generic Letter on Design Basis is Never Issued

Design Errors in Nuclear Power Plants 1985-1995

Maine Yankee's Design Problems Lead to Shutdown

Time Cover Story Blows the Whistle on The NRC

IV. The Millstone Debacle & Its Fallout

NRC Sends Letters To Every Nuclear CEO

Amnesty Irrational

Was Haddam Neck Ever Safe

Millstone & Maine Yankee Lessons Learned

NRC Finally Addresses Galatis 1995 Petition

V. Conclusions

Endnotes

EXECUTIVE SUMMARY

The design basis of a nuclear reactor is the starting point of all regulation. It is the safety and operational blueprint for the nuclear reactor. If a reactor is operating "outside design basis" it is impossible for the Nuclear Regulatory Commission (NRC) or the utility to determine whether the reactor is "safe" or whether its operation poses an undue risk to public health and safety. Operating a reactor "outside design basis" constitutes a violation of NRC regulations.

If a utility has operated the reactor outside of the safety parameters established in its operating license, i.e. "outside design basis," it is required to document it in a daily event report filed with the NRC. The more event reports filed by a nuclear reactor, the less certain it is that the reactor and its safety systems will operate as designed.

Nuclear reactors across the United States have reported to the NRC that they have been splitting atoms while "outside design basis" and in violation of the terms and conditions of their operating licenses. Public Citizen has documented which reactors have most often reported operating while "outside design basis." From October 1996 through May 1999, 102 of 111 nuclear reactors have reported over 500 instances where they have been splitting atoms while "outside design basis."

Event reports filed with the NRC indicate that reactors operating "outside design basis" have undermined the NRC's regulatory philosophy of defense-in-depth. Rather than having multiple, redundant barriers to the release of radiation, i.e. defense-in-depth, reactors have failed to maintain their design basis for such safety-significant systems as the emergency core cooling system and the electrical cables that control the nuclear reactor. Additionally, failure to maintain the design basis has led to instances where defense-in-depth has been so thoroughly undermined that a single event or condition could have prevented the functioning of safety systems needed to: shut down the reactor, cool the radioactive fuel in the reactor core, prevent the release of any radiation into the environment or otherwise mitigate the consequences of an accident.

Many design basis problems have existed for years, if not decades. Some design basis problems date back to when the reactors were first licensed. Design basis deficiencies have reduced safety margins at nuclear reactors across the United States; in some cases safety margins were significantly reduced if not eliminated. However, every time the NRC has moved to address the problem, the nuclear industry lobby has intervened to block any meaningful attempt to correct inadequacies in the design basis of nuclear reactors.

Even before the NRC had documented the extent of the design basis problems in the nuclear industry, the regulator decided that nuclear reactor licensees would not be held accountable for violating NRC regulations. The NRC has re-written its enforcement policy to create an amnesty program that will last until March 30, 2001.

The NRC's amnesty program has severely circumscribed its ability to take enforcement action (issuing a fine and/or violation) against nuclear utilities that have failed to maintain the design basis of their nuclear reactors. This amnesty means that the NRC will only hold utilities accountable for the most egregious violations of NRC regulations.

The U.S. Nuclear Regulatory Commission has long been aware that nuclear utilities have failed to adequately maintain their design basis and, as a consequence, have operated their reactors "outside design basis" and in violation of the terms of their licenses. Over a span of decades, the NRC was repeatedly put on notice that design basis problems were undermining the safety of the nuclear reactors they were supposed to regulate. However, due to the potential financial impact on the nuclear industry, the NRC has obfuscated the issue and delayed taking action.

Design basis issues have already contributed to the closure of three nuclear reactors: Haddam Neck, Maine Yankee and Millstone Unit 1. Public Citizen has found that several of the design basis issues that contributed to the closure of Haddam Neck, Maine Yankee and Millstone Unit 1 exist at other nuclear reactors.

The design basis issues that eventually resulted in these shutdowns were not identified by the utility. These problems only came to light when driven by events, whistleblower allegations or subsequent NRC inspections. The NRC design inspections turned up significant safety problems; however, the efficacy of these inspections must be questioned. NRC did not inspect the "as found" conditions of the nuclear reactors. The NRC warned the utilities which systems would be inspected and the utilities worked the systems prior to NRC inspection.

The NRC cannot reasonably expect the utility to identify design basis problems that would jeopardize future operation of the reactor. The NRC's amnesty program is an irrational move by an ineffective regulator and will not address the significant design basis issues that still exist at nuclear reactors across the United States.

INTRODUCTION

Nuclear utilities across the United States have been reporting to the Nuclear Regulatory Commission that their reactors have been splitting atoms while "outside design basis" and in violation of the terms and conditions of their operating licenses. Rather than hold these utilities accountable, the NRC instituted an amnesty program in October 1996. This amnesty program means that utilities will only be held accountable for the most egregious violations of NRC regulations.

Since that time, Public Citizen has been documenting which reactors have most often operated while "outside design basis." From October 1996 through May 1999, 102 of 111 nuclear reactors have reported over 500 instances where they have been operating "outside design basis." However, if a nuclear reactor is splitting atoms while "outside design basis" neither the NRC nor the utility can determine whether that operation is safe or poses an undue risk to public health and safety.

Public Citizen's report identifies those reactors that have most often operated outside of their design basis and documents how the nuclear industry and the NRC have ignored this important safety issue for decades.

I. FINDINGS

The U.S. Nuclear Regulatory Commission (NRC) is charged with assuring that the public health and safety are protected from the consequences of a nuclear reactor accident. The NRC contends that if a nuclear reactor is designed, constructed and operated in compliance with its approved design, then the redundant safety systems built into the plant will provide an adequate level of safety even if one of the safety systems should fail and an accident were to occur. According to the NRC, the redundant safety systems built into the reactor will prevent the release of radiation into the environment and surrounding communities.

The design basis of a nuclear reactor is the starting point of all NRC regulation. It is the safety and operational blueprint for the nuclear reactor. If a reactor is operating "outside design basis" it is impossible for the NRC or the utility to determine whether the reactor is "safe" or whether its operation poses an undue risk to public health and safety. Operating a reactor "outside design basis" constitutes a violation of NRC regulations.

If a utility has operated the reactor outside of the safety parameters established in its operating license, i.e. "outside design basis," it is required to document it in a daily event report filed with the NRC. The more event reports filed by a nuclear reactor, the less certain it is that the reactor and its safety systems will operate as designed.

Operating nuclear reactors outside their design basis has reduced, if not eliminated, safety margins at many reactors across the United States. However, the NRC has failed to hold nuclear reactors accountable for these violations. Rather than holding nuclear utilities responsible for failing to comply with their design basis and violating NRC regulations, the NRC issued an amnesty program in October 1996 that will last until March 30, 2001.

Public Citizen has scoured the daily event reports filed over the past three years of the NRC amnesty program, documenting those reactors that have reported operating "outside design basis." Over the past three years 102 of 111 nuclear reactors have reported over 500 times that they have been splitting atoms while "outside design basis." The NRC has attempted to downplay the significance of this problem that they and the nuclear industry have ignored for decades. This amnesty program means that the NRC will only hold utilities accountable for the most egregious violations of NRC regulations. The NRC policy is not sound regulatory practice; it's Amnesty Irrational!

TABLE I

REACTORS REPORTING "OUTSIDE DESIGN BASIS" 1996-1999

| Reactor | Unit # | Owner | State | Number of Reports |
|---|---|---|---|---|
| VERMONT YANKEE | 1 | VT Yankee Nuclear Power Corp. | VT | 42 |
| PILGRIM | 1 | Boston Edison Co. | MA | 27 |
| THREE MILE ISLAND | 1 | GPU Nuclear Corp. | PA | 26 |
| COOK | 2 | Indiana/Michigan Power Co. | MI | 22 |
| COOK | 1 | Indiana/Michigan Power Co. | MI | 18 |
| POINT BEACH | 1 | Wisconsin Electric Power Co. | WI | 18 |
| POINT BEACH | 2 | Wisconsin Electric Power Co. | WI | 18 |
| MILLSTONE | 1 | Northeast Nuclear Energy Co. | CT | 16 |
| OYSTER CREEK | 1 | GPU Nuclear Corp. | NJ | 16 |
| MILLSTONE | 3 | Northeast Nuclear Energy Co. | CT | 16 |
| PRAIRIE ISLAND | 1 | Northern States Power Co. | MN | 14 |
| CATAWBA | 2 | Duke Power Co. | SC | 14 |
| DIABLO CANYON | 2 | Pacific Gas & Electric Co. | CA | 14 |
| NINE MILE POINT | 2 | Niagara Mohawk Power Corp. | NY | 14 |
| HADDAM NECK | 1 | Northeast Nuclear Energy Co. | CT | 13 |
| PRAIRIE ISLAND | 2 | Northern States Power Co. | MN | 13 |
| OCONEE | 3 | Duke Power Co. | SC | 12 |
| DIABLO CANYON | 1 | Pacific Gas & Electric Co. | CA | 11 |
| OCONEE | 2 | Duke Power Co. | SC | 11 |
| CATAWBA | 1 | Duke Power Co. | SC | 10 |
| DAVIS-BESSE | 1 | Toledo Edison Co. | OH | 10 |
| NINE MILE POINT | 1 | Niagara Mohawk Power Corp. | NY | 10 |
| OCONEE | 1 | Duke Power Co. | SC | 10 |
| PALISADES | 1 | Consumers Power Co. | MI | 10 |
| INDIAN POINT | 3 | New York Power Authority | NY | 10 |
| INDIAN POINT | 2 | Consolidated Edison Co. | NY | 9 |

(NOTE: The entire list is contained in Appendix A. The entire text for each report may be viewed on the Critical Mass Web site at https://www.citizen.org/cmep/AI/Default.htm )

Since the NRC began its amnesty program, the nuclear reactors listed in Table I have filed the greatest number of event reports with the Commission indicating that they operated "outside design basis." The more event reports filed by a reactor, the less certain it is that the nuclear plant and its safety systems will function as designed.

Table II indicates those nuclear plants that have most often operated their reactors "outside design basis" and in violation of NRC regulations. Nuclear plants have between one and three reactors or units located at the same site. For instance, the Cook nuclear plant consists of two reactors, Unit 1 and 2.

While the number of "outside design basis" event reports indicates the extent of the problem, it does not tell the entire story. Even a single instance of a nuclear reactor operating outside of its design basis can thoroughly undermine the "safety" of the reactor.

TABLE II

"OUTSIDE DESIGN BASIS" BY NUCLEAR PLANT 1996-1999

| Reactor | Owner | State | Event Reports |
|---|---|---|---|
| VERMONT YANKEE | VT Yankee Nuclear Power Corp. | VT | 42 |
| MILLSTONE | Northeast Nuclear Energy Co. | CT | 35 |
| PILGRIM | Boston Edison Co. | MA | 27 |
| THREE MILE ISLAND | GPU Nuclear Corp. | PA | 26 |
| NINE MILE POINT | Niagara Mohawk Power Corp. | NY | 24 |
| COOK | Indiana/Michigan Power Co. | MI | 23 |
| POINT BEACH | Wisconsin Electric Power Co. | WI | 20 |
| INDIAN POINT | Con-Edison Co./NYPA | NY | 19 |
| OYSTER CREEK | GPU Nuclear Corp. | NJ | 16 |
| PRAIRIE ISLAND | Northern States Power Co. | MN | 16 |
| DIABLO CANYON | Pacific Gas & Electric Co. | CA | 14 |
| CATAWBA | Duke Power Co. | SC | 14 |
| OCONEE | Duke Power Co. | SC | 13 |
| HADDAM NECK | Northeast Nuclear Energy Co. | CT | 13 |
| PALISADES | Consumers Power Co. | MI | 10 |
| DAVIS-BESSE | Toledo Edison Co. | OH | 10 |

(NOTE: The entire listing arranged by nuclear plant is contained in Appendix B. Appendix C contains an accounting of all "outside design basis" event reports.)

The more than 500 event reports documented by Public Citizen all concern design basis issues. More than 70 additional reports of reactors operating "outside design basis" were filed with NRC and later retracted by the utility. However, retracted does not mean there wasn't a problem. Event reports have been retracted because utilities have either made "quick fixes," removed the documentation from the final safety analysis reports, or have amended the terms of their license. Other reports were retracted because the utilities originally mischaracterized the nature or extent of the problem that they thought placed the reactor "outside design basis."

Table III lists those few nuclear reactors that have not reported splitting atoms while "outside design basis." However, the NRC has identified that Fermi Unit 2 and both of the LaSalle reactors have failed to update their final safety analysis reports (FSAR). While failure to update the FSAR does not necessarily result in the reactor operating outside of its design basis, it does mean that these reactors have been making safety decisions based upon incomplete or inaccurate information.

TABLE III

REACTORS NOT REPORTING "OUTSIDE DESIGN BASIS"

| Reactor | Unit # | Owner | State |
|---|---|---|---|
| ARKANSAS | 1 | Entergy Operations, Inc. | AR |
| FERMI | 2 | Detroit Edison Co. | MI |
| HATCH | 2 | Southern Nuclear Operating Co. | GA |
| LA SALLE | 1 | Commonwealth Edison Co. | IL |
| LA SALLE | 2 | Commonwealth Edison Co. | IL |
| PALO VERDE | 3 | Arizona Public Service Co. | AZ |
| RIVER BEND | 1 | Entergy Operations, Inc. | LA |
| WASHINGTON NUCLEAR | 2 | Washington Public Power System | WA |
| WATTS BAR | 1 | Tennessee Valley Authority | TN |

"Outside design basis" event reports filed by utilities indicate that serious problems with safety systems have existed for years, if not decades. These reports indicate that reactors operating "outside design basis" have undermined the NRC's regulatory philosophy of "defense-in-depth." Rather than having multiple, redundant barriers to the release of radiation, i.e. defense-in-depth, reactors have failed to maintain their design basis for significant safety systems such as the emergency core cooling system and the electrical cables that control the nuclear reactor.

Additionally, failure to maintain the design basis has led to instances where defense-in-depth has been so thoroughly undermined that a single event or condition could have prevented the functioning of safety systems needed to: shut down the reactor, cool the radioactive fuel in the reactor core, prevent the release of any radiation into the environment or otherwise mitigate the consequences of an accident.

Although not every design basis issue is of high safety significance, a preliminary review by the NRC's now defunct Office of Analysis and Evaluation of Operational Data (AEOD) conducted in June 1997 found that:

  • 34% of all event reports contained design basis issues.
  • 42% of these events involved four risk significant systems: emergency core cooling, primary reactor systems, emergency ac/dc power and containment isolation.
  • 29% of event reports were judged by AEOD to be significant.

Design basis issues have already contributed to the closure of three nuclear reactors: Haddam Neck, Maine Yankee and Millstone Unit 1. The design basis issues that eventually resulted in these shutdowns were not identified by the utility. These problems only came to light when driven by events, whistleblower allegations or subsequent NRC inspections. Public Citizen has found that several of the design basis deficiencies that contributed to these shutdowns exist at other reactors. Specifically, these are design basis deficiencies concerning the ECCS, inadequate separation of control cables and "single failure vulnerabilities," all of which are discussed below.

EMERGENCY CORE COOLING SYSTEM PROBLEMS

There are two purposes of the Emergency Core Cooling Systems (ECCS). The first is to provide cooling to the reactor core to prevent a meltdown following a loss of coolant accident or LOCA. This is accomplished by the injection of large amounts of borated water into the reactor coolant system. The borated water helps to quell the chain reaction in the reactor's core. The second purpose of the ECCS is to ensure the reactor remains shut down. This is accomplished by the use of the same borated water source.

Haddam Neck was permanently shut down due in large part to the fact that its ECCS would not have performed its function. If, during the 28 years of its operation, Haddam Neck had experienced a loss of coolant accident, the ECCS would not have functioned as designed and the reactor would likely have had a meltdown. As explained in a later section (see "Was Haddam Neck Ever Safe" at p. 25), Northeast Utilities, which owned and operated Haddam Neck, never realized that the ECCS was outside of its design basis.

The D.C. Cook nuclear power plant in Michigan also had design basis problems with the ECCS. As at Haddam Neck, these design basis deficiencies with the ECCS were not self-identified. The NRC only identified the ECCS issue at Cook after the Commission was forced to institute design basis inspections. The NRC report on the Cook plant states that "some of the issues indicate that the ECCS system may not have performed its safety function under all design basis accident scenarios." Table IV identifies the reactors where the ECCS would not have performed its function.

TABLE IV

NUCLEAR REACTORS REPORTING "OUTSIDE DESIGN BASIS" DUE TO EMERGENCY CORE COOLING SYSTEM PROBLEMS

Event Number | Reactor | Unit Number | State | Date

Details

33378 | OCONEE | 3 | SC | 12/10/97

DISCOVERY OF A POSSIBILITY OF THE ECCS BECOMING INOPERABLE DURING THE SUMP RECIRCULATING MODE

ON 12/08/97, DURING A SELF-INITIATED TECHNICAL AUDIT OF THE PLANTS ECCS, IT WAS DETERMINED THAT A CERTAIN INPUT WAS NOT CONSIDERED IN AN ASSUMPTION IN THE CALCULATIONS ASSOCIATED WITH TRANSPORTATION OF DEBRIS TO THE REACTOR BUILDING EMERGENCY SUMP DURING THE RECIRCULATION MODE. INCLUSION OF THIS INPUT RESULTED IN A REDUCTION IN THE MINIMUM AVAILABLE SUMP WATER LEVEL, WHICH CAUSED INCREASED FLOW VELOCITIES AND CONSEQUENTLY INCREASED TRANSPORTABILITY OF DEBRIS SUCH AS INSULATION. INCREASED TRANSPORTABILITY OF DEBRIS COULD RESULT IN INCREASED SUMP BLOCKAGE AND REDUCED AVAILABLE ECCS NET PUMP SUCTION HEAD (NPSH). AS A RESULT, THIS CONDITION IS BEING FURTHER INVESTIGATED.

THERE ARE CERTAIN MEASURES THAT CAN BE TAKEN TO INCREASE THE AVAILABLE ECCS NPSH. THESE MEASURES INCLUDE REMOVAL OF THE STRAINERS FROM THE FUEL TRANSFER CANAL, REMOVAL OF A FLANGE FROM THE REACTOR VESSEL ANNULUS DRAIN, AND REMOVAL OF INSULATION SUSCEPTIBLE TO TRANSPORTABILITY.

SINCE UNIT 1 IS SHUTDOWN, THESE ECCS REQUIREMENTS ARE NOT CURRENTLY APPLICABLE, BUT THEY WILL BE ADDRESSED PRIOR TO RESTART. UNIT 2 HAS NO INSULATION SUSCEPTIBLE TO TRANSPORT

33762 | OCONEE | 1, 2, 3 | SC | 2/20/98

EMERGENCY OPERATING PROCEDURE (EOP) REVIEW HAS IDENTIFIED A STEP IN THE PROCEDURE WHICH COULD PLACE THE OCONEE UNITS OUTSIDE THE DESIGN BASIS OF THE PLANT.

THE EOP STEP REQUIRES VALVES LP-19 AND LP-20 TO BE OPENED WHEN BORATED WATER STORAGE TANK (BWST) LEVEL IS GREATER THAN 6 FEET AND THE REACTOR BUILDING EMERGENCY SUMP LEVEL IS GREATER THAN 4 FEET. HOWEVER, CONDITIONS COULD EXIST, WITH WORST CASE INSTRUMENT UNCERTAINTIES, WHERE THE INDICATED REACTOR BUILDING EMERGENCY SUMP LEVEL DOES NOT EXCEED 4 FEET PRIOR TO THE BWST LEVEL DECREASING BELOW THE 6-FOOT LEVEL. AT 1700 HOURS ON 02/20/98, IT WAS CONCLUDED THAT THE SUPPORTING ANALYSIS FOR THE EOP RESULTED IN PROCEDURAL SETPOINTS THAT DID NOT PROVIDE THE NECESSARY GUIDANCE TO ASSURE THAT THE OPERATORS COULD SUCCESSFULLY SWAP SUCTION FROM THE BWST TO THE REACTOR BUILDING SUMP. INTERIM GUIDANCE HAS BEEN PROVIDED TO THE OPERATORS TO ADDRESS THE PROCEDURAL DEFICIENCY, AND THE EOP IS CURRENTLY BEING REVISED. ALTHOUGH THERE IS REASONABLE ASSURANCE THAT THE OPERATORS COULD HAVE COMPLETED THE SWAPOVER FOR SOME WORST CASE CONDITIONS, THE EMERGENCY CORE COOLING SYSTEM MAY HAVE BEEN UNABLE TO PERFORM ITS REQUIRED FUNCTION.

THE NRC RESIDENT INSPECTOR WAS NOTIFIED OF THIS EVENT BY THE LICENSEE.

33843 | PALISADES | 1 | MI | 3/5/98

MANUAL ACTIONS TO SUPPORT EMERGENCY CORE COOLING SYSTEM (ECCS) RESPONSE TO A POSTULATED SMALL BREAK LOSS OF COOLANT ACCIDENT (LOCA) MAY NOT HAVE BEEN ADEQUATELY DEFINED.

A REVIEW OF HIGH PRESSURE (HP) AIR SYSTEM OPERATION NEEDED TO SUPPORT ECCS RESPONSE TO A POSTULATED SMALL BREAK LOCA HAS LED TO A CONCERN THAT REQUIRED OPERATOR ACTIONS ARE NOT ADEQUATELY DEFINED IN OPERATING PROCEDURES. SOME MANUAL ACTIONS ARE REQUIRED TO ASSURE HP AIR AVAILABILITY FOR A RANGE OF SMALL BREAK LOCAs. THESE ACTIONS MUST BE TAKEN PRIOR TO DRAINING THE SAFETY INJECTION AND REFUELING WATER TANK (SOURCE OF ECCS WATER) TO ASSURE THAT ECCS PUMP SUCTIONS WILL SUCCESSFULLY SWITCH TO THE CONTAINMENT SUMP. MANUAL ACTIONS ARE PERMITTED BY PLANT DESIGN BASES. BECAUSE THE OPERATING PROCEDURES LACK DEFINITIVE GUIDANCE, THERE MAY BE A SIGNIFICANT PROBABILITY THAT OPERATORS WILL FAIL TO TAKE THE NEEDED ACTIONS IN THE REQUIRED TIME. THE TIME REQUIRED TO COMPLETE ACTIONS WOULD RANGE FROM A MINIMUM OF APPROXIMATELY 1 HOUR FOR LARGE BREAKS TO MANY HOURS AS THE BREAKS GET SMALLER. SINCE THE FAILURE TO TAKE NECESSARY MANUAL ACTIONS COULD JEOPARDIZE THE ECCS FUNCTION, THIS SITUATION COULD BE VIEWED AS A POTENTIAL CONDITION OUTSIDE THE DESIGN BASIS.

IMMEDIATE ACTION HAS BEEN TAKEN TO PROVIDE GUIDANCE TO OPERATING SHIFTS. THIS GUIDANCE IS ADEQUATE TO ENSURE ECCS EQUIPMENT OPERABILITY. PROCEDURE ENHANCEMENTS ARE IN PROGRESS, AND THE LICENSEE STATED THAT THEY WILL BE MADE PROMPTLY.

THE LICENSEE HAS NOTIFIED THE NRC RESIDENT INSPECTOR.

32551 | ROBINSON | 2 | SC | 6/27/97

NRC A/E INSPECTION IDENTIFIED POTENTIALLY INADEQUATE NPSH FOR SI PUMPS.

ENGINEERING EVALUATION OF A CONDITION IDENTIFIED DURING THE RECENT ROBINSON A/E INSPECTION HAS RESULTED IN A PRELIMINARY CONCLUSION THAT PRIOR TO JUNE 19, 1997, ADEQUATE NPSH DID NOT EXIST FOR THE 'C' SAFETY INJECTION (SI) PUMP. ADDITIONALLY, IT APPEARS THAT ADEQUATE NPSH POTENTIALLY DID NOT EXIST FOR THE 'B' SI PUMP PRIOR TO JUNE 7, 1997. IT CURRENTLY APPEARS THAT ADEQUATE NPSH DID EXIST FOR THE 'A' SI PUMP. THESE PRELIMINARY RESULTS ARE DERIVED FROM A VENDOR HYDRAULIC ANALYSIS OF THE ECCS PIPING SYSTEM THAT IS STILL BEING FINALIZED. THE ANALYSIS INCLUDED SCENARIOS WITH VARIOUS COMBINATIONS OF ECCS PUMPS IN OPERATION. THE POTENTIALLY INADEQUATE NPSH RESULTS APPLIED ONLY TO SINGLE SI PUMP OPERATION (i.e., ONE SI PUMP OPERATING WITH NO RHR OR CONTAINMENT SPRAY PUMPS IN OPERATION). IT IS UNCERTAIN AT THIS TIME AS TO HOW LONG THIS CONDITION HAS EXISTED. ON JUNE 7, 1997, IN ORDER TO MAXIMIZE EXISTING NPSH, WHILE THE VENDOR ANALYSIS WAS BEING PERFORMED, THE RWST LEVEL WAS RAISED AND LEVEL TRANSMITTERS WERE RESCALED EFFECTIVELY RAISING THE ELEVATION OF THE DELIVERABLE VOLUME OF THE RWST. IN ADDITION, ON JUNE 19, 1997, THE 'C' SI PUMP WAS REMOVED FROM SERVICE AND REPLACED WITH THE 'B' SI PUMP, SINCE THE 'C' SI PUMP APPEARED TO HAVE HIGHER NPSH REQUIREMENTS. AS A RESULT OF THESE ACTIONS, ADEQUATE NPSH IS AVAILABLE FOR BOTH THE 'A' AND 'B' SI PUMPS WHICH ARE IN SERVICE MEETING TECHNICAL SPECIFICATION REQUIREMENTS. THE ROBINSON SI SYSTEM CONTAINS THREE PUMPS. TWO OF THESE PUMPS ARE NORMALLY ALIGNED FOR SERVICE AND THE THIRD PUMP IS AVAILABLE TO BE MANUALLY CONNECTED IN PLACE OF EITHER OF THE NORMALLY ALIGNED PUMPS. THE ABOVE INFORMATION IS CONSIDERED TO BE PRELIMINARY AND IT REMAINS TO BE CONFIRMED BY VENDOR CALCULATIONS AND LICENSEE REVIEW OF THESE CALCULATIONS. THIS CONDITION IS BEING IDENTIFIED AS A POTENTIAL CONDITION OUTSIDE THE DESIGN BASIS IN ACCORDANCE WITH 10 CFR 50.72(b)(1)(ii)(B).

THE NRC A/E INSPECTION PUBLICLY EXITED TWO WEEKS AGO. A WRITTEN INSPECTION REPORT WILL BE ISSUED WITHIN 60 DAYS OF THE EXIT MEETING. THE LICENSEE HAS ISSUED A NIGHT ORDER WITH INSTRUCTIONS FOR OPERATORS TO REALIGN THE THIRD SI PUMP IN THE EVENT THAT ONE OF THE TWO NORMALLY ALIGNED SI PUMPS FAILS. THE LICENSEE INFORMED THE NRC RESIDENT INSPECTOR.

31497 | THREE MILE ISLAND | 1 | PA | 12/21/96

UNIT OUTSIDE DESIGN BASIS DUE TO CONCERNS WITH BWST SWITCHOVER ANALYSIS

THE LICENSEE RECENTLY PERFORMED A REVISED, MORE CONSERVATIVE, REACTOR BUILDING PRESSURE ANALYSIS WHICH ASSUMED MAXIMUM COOLING OF REACTOR BUILDING AIR SPACES, RESULTING IN LOWER PRESSURES. THE REVISED AIR PRESSURE RESULTS WERE THEN USED AS ASSUMPTIONS FOR A NEW ECCS BORATED WATER SWITCHOVER ANALYSIS. THE RESULTS OF THIS ANALYSIS INDICATED THAT EXISTING PLANT PROCEDURES FOR ECCS SWITCHOVER FROM THE BWST TO THE REACTOR BUILDING SUMP COULD RESULT IN INSUFFICIENT NET POSITIVE SUCTION HEAD (NPSH) FOR ECCS PUMPS DUE TO DECREASED AIRSPACE OVERPRESSURIZATION. THE LICENSEE HAS DECLARED THE ECCS INOPERABLE, AND IS PRESENTLY DEVELOPING REVISED PROCEDURES FOR BWST SWAPOVER TO ADDRESS THE NPSH CONCERNS. THE LICENSEE STATED THAT THESE REVISED PROCEDURES SHOULD BE COMPLETED SHORTLY. THE NRC RESIDENT INSPECTOR HAS BEEN INFORMED BY THE LICENSEE.

INADEQUATE CABLE SEPARATION

Although Maine Yankee had problems with the ECCS, it was cable separation problems that eventually forced it to shut down. The proper separation of cables is important in nuclear power plants to ensure that if one or more sets of cables are damaged, other control cables will be available to shut down the reactor.

Cable separation became an issue after a fire at the Browns Ferry nuclear plant in Alabama. On March 22, 1975, the Browns Ferry nuclear plant experienced one of the worst accidents prior to the meltdown at Three Mile Island. Workers were looking for air leaks using a candle when the flame was sucked into an opening and ignited the polyurethane foam insulation in the trays that carried the electrical cables which controlled the reactor. The fire burned for seven and a half hours. It damaged over 1600 electrical cables, more than a third of which were safety related. Unit 2 was immediately shut down but Unit 1 was perilously out of control for several hours. Whistleblowers, who at the time spoke with the Union of Concerned Scientists, said that a major release of radiation was only avoided "by sheer luck."

In 1978, NRC Inspector Peter Atherton identified numerous inadequately separated safety-related electrical cables at Maine Yankee dating back to plant construction. Maine Yankee declined to reroute the cables due to "physical limitations." Because of his efforts to address this significant safety issue, the NRC Inspector was subjected to psychological testing, forced out of the NRC and "blackballed" in the nuclear industry. However, Maine Yankee acknowledged that at least two and probably three recently identified cable separation issues date back to plant construction.

Although the NRC considered Maine Yankee's performance to be adequate, a number of significant weaknesses and design deficiencies were identified through NRC inspection efforts. An independent assessment concluded that "these weaknesses and deficiencies appeared to be related to two root causes: economic pressures to contain costs and poor problem identification as a result of complacency and the lack of a questioning attitude."

Table V lists other reactors that have reported inadequate cable separation that has placed them outside of their design basis.

TABLE V

NUCLEAR REACTORS REPORTING "OUTSIDE DESIGN BASIS" DUE TO INADEQUATE CABLE SEPARATION

Event Number | Reactor | Unit Number | State | Date

Details

31213 | MAINE YANKEE | 1 | ME | 10/25/96

CABLES FOR BOTH CHANNELS OF CONTAINMENT HYDROGEN MONITORING SYSTEM ARE ROUTED THROUGH THE SAME CONDUIT.

DURING A WALKDOWN, THE LICENSEE DISCOVERED THAT CABLES FOR BOTH CHANNELS OF THE CONTAINMENT H2 MONITORING SYSTEM ARE ROUTED THROUGH THE SAME CONDUIT. THIS CONDITION IS IN CONFLICT WITH THE CABLE ROUTING METHOD DESCRIBED IN CHAPTER 8 OF THE UFSAR. THE LICENSEE HAS DECLARED BOTH CHANNELS OF THE CONTAINMENT H2 MONITORING SYSTEM INOPERABLE.

THE LICENSEE PLANS TO TAG OUT ONE OF THE CABLES IN ORDER TO PERMIT THE OTHER CHANNEL TO BE DECLARED OPERABLE. THE NRC RESIDENT INSPECTOR WILL BE INFORMED BY THE LICENSEE.

31291 | MILLSTONE | 3 | CT | 11/7/96

NUMEROUS EXCEPTIONS TO THE SEPARATION CRITERIA IN REG GUIDE 1.75 HAVE NOT BEEN INCLUDED IN THE FSAR.

BACK IN 1985/1986 THE LICENSEE TOOK EXCEPTION TO THE SEPARATION CRITERIA OF REG GUIDE 1.75. THESE EXCEPTIONS WERE EVALUATED BY THE NRC, BUT WERE NEVER INCORPORATED INTO THE FINAL SAFETY ANALYSIS REPORT (FSAR). NUMEROUS SYSTEMS ARE AFFECTED BY THIS OVERSIGHT.

THE LICENSEE IS CONSIDERING AN UPDATE TO THE FSAR.

THE LICENSEE INFORMED THE NRC RESIDENT INSPECTOR AND THE STATE GOVERNMENT.

31442 | MILLSTONE | 3 | CT | 12/12/96

DISCOVERY OF INADEQUATE CABLE SEPARATION FOR THE CONTAINMENT LEAK MONITORING AND STEAM GENERATOR CHEMICAL FEED SYSTEMS

THE LICENSEE DISCOVERED THAT CABLE SEPARATION FOR THE CONTAINMENT LEAK MONITORING AND STEAM GENERATOR CHEMICAL FEED SYSTEMS WAS LESS THAN THE REQUIRED DESIGN SEPARATION BETWEEN THE SAFETY-GRADE AND NON-SAFETY-GRADE CABLE. THIS EFFECT RENDERED THE CONTAINMENT ISOLATION VALVES FOR THOSE SYSTEMS INOPERABLE. ENGINEERING PERSONNEL PLAN TO ADDRESS THIS ISSUE. THE UNIT IS NOT CURRENTLY IN A TECHNICAL SPECIFICATION LIMITING CONDITION FOR OPERATION AS A RESULT OF THIS ISSUE BECAUSE THE UNIT IS IN COLD SHUTDOWN. THE LICENSEE PLANS TO NOTIFY THE NRC RESIDENT INSPECTOR.

33669 | NINE MILE POINT | 2 | NY | 2/6/98

VIOLATION OF CABLE SEPARATION CRITERIA. DURING A PLANT WALKDOWN, THE RESIDENT INSPECTOR DISCOVERED THAT FLEX CONDUIT FROM "RHS*TE49A" WAS TOUCHING THE FLEX CONDUIT OF "RHS*TE49B". THE TEMPERATURE ELEMENTS PROVIDE FOR GROUPS 5 & 10 ISOLATION, RHR SHUTDOWN COOLING ISOLATION, AND SYSTEM RCIC ISOLATION. ENGINEERING SPECIFICATION "E61A" STATES THAT MINIMUM DISTANCE BETWEEN ENCLOSED RACEWAY OF DIFFERENT COLORS (DIV 1 & DIV 2) SHOULD BE 1/2 INCH. THE CONDITION OBSERVED DID NOT MEET THIS CRITERIA, AND WAS DETERMINED TO BE OUTSIDE THE DESIGN BASIS. THE AFFECTED INSTRUMENTS WERE ALSO DECLARED INOPERABLE, HOWEVER, THEY WERE RETURNED TO OPERABLE STATUS AT 1315 WHEN THE SEPARATION CRITERIA WAS MET.

THE LICENSEE WILL INFORM THE NRC RESIDENT INSPECTOR.

* * * UPDATE AT 1604 ON 03/09/98 BY DON NEWMAN ENTERED BY JOLLIFFE * * *

BASED ON FURTHER EVALUATION, THE LICENSEE DETERMINED THAT THE FUNCTION OF THE TEMPERATURE ELEMENTS (TEs) WAS NOT IMPACTED BY THE CONDUITS TOUCHING (i.e., EVEN THOUGH THE CONDUITS FOR THE 'A' AND 'B' TRAIN TEs WHOSE CONDUITS WERE TOUCHING COULD HAVE BEEN NEGATIVELY AFFECTED, THE 'C' AND 'D' TRAIN TEs WHOSE CONDUITS WERE NOT TOUCHING WOULD NOT HAVE BEEN NEGATIVELY AFFECTED). THUS, ALTHOUGH THIS CONDITION WAS A DEVIATION FROM THE SEPARATION REQUIREMENTS, IT WAS NOT A CONDITION THAT WAS OUTSIDE THE DESIGN BASIS OF THE PLANT. THEREFORE, THE LICENSEE DESIRES TO RETRACT THIS EVENT. THE LICENSEE WILL INFORM THE NRC RESIDENT INSPECTOR. THE OPERATIONS OFFICER NOTIFIED THE R1DO RICH CONTE.

35541 | OYSTER CREEK | 1 | NJ | 04/02/99

THREE CABLE TRAYS FOUND IN REACTOR BUILDING DO NOT MEET SEPARATION CRITERIA.

The licensee discovered three cable trays in the reactor building that do not meet the design criteria for separation of trains. The discovery was during a walkdown of cable trays in the plant following review of similar events in the industry. Corrective action will be to install fire barrier material between the division 1 and 2 cable trays. The design for the barriers has been started, and the actual work is expected to be complete within 2 weeks. It has been determined that interim measures, such as a fire watch, are not necessary because the cable trays carry only low amperage instrument and control cables and because they are fused. The licensee intends to notify the NRC Resident Inspector.

33314 | PILGRIM | 1 | MA | 11/26/97

TEMP POWER CABLES & EXTENSION CORDS IN VIOLATION OF SEPARATION CRITERIA -

DURING A PLANT WALKDOWN ON 10/28/97 WITH THE PLANT AT 100% POWER, THE LICENSEE DISCOVERED TEMPORARY POWER CABLES AND ELECTRICAL EXTENSION CORDS DRAPED OVER OR TIE WRAPPED TO CLASS 1E CONDUITS IN THE REACTOR BUILDING IN VIOLATION OF ELECTRICAL SEPARATION CRITERIA. EXAMPLES INCLUDED CABLES FROM THE POWER PACK FOR TORUS TEMPORARY LIGHTING, EXTENSION CORDS FROM THIS SAME POWER PACK FOR THE STEAM TUNNEL, AND AN EXTENSION CORD PLUGGED INTO AN OUTLET FOR USE IN THE REACTOR WATER CLEANUP SYSTEM PUMP ROOM.

THE PLANT WALKDOWN WAS PROMPTED BY A RECENT NRC VIOLATION ISSUED TO GRAND GULF FOR FAILURE TO CONTROL ELECTRICAL SEPARATION DURING THE USE OF EXTENSION CORDS IN THE VICINITY OF CLASS 1E ELECTRICAL RACEWAYS.

THE LICENSEE REMOVED, REROUTED, AND DEENERGIZED POWER PACKS AND TOOK COMPENSATORY MEASURES FOR THOSE TEMPORARY POWER SUPPLIES THAT WOULD BE NEEDED ON A PERIODIC BASIS. WHEN THESE TEMPORARY POWER SUPPLIES ARE REQUIRED TO BE ENERGIZED, FIRE WATCHES WILL BE STATIONED IN THE VICINITY TO MONITOR THE ENERGIZED TEMPORARY POWER SUPPLIES.

THE LICENSEE PLANS TO ISSUE A POLICY STATEMENT TO STATION PERSONNEL REGARDING THE USE OF TEMPORARY POWER SUPPLIES AND REQUIRED ELECTRICAL SEPARATION CONSIDERATIONS AND TO REVISE APPROPRIATE PLANT PROCEDURES TO INCORPORATE NECESSARY GUIDANCE REGARDING ELECTRICAL SEPARATION WITH RESPECT TO THE USE OF TEMPORARY POWER CABLES AND EXTENSION CORDS.

THE LICENSEE DETERMINED THIS EVENT TO BE REPORTABLE TO THE NRC AT 1045 ON 11/26/97. THE LICENSEE INFORMED THE NRC RESIDENT INSPECTOR.

32369 | ROBINSON | 1 | SC | 5/21/97

- 'C' SI PUMP INOP DUE TO CONTROL CABLES RUN IN 'A' SI PUMP CABLE TRAYS -

ON 05/21/97, THE LICENSEE CONFIRMED THAT PORTIONS OF THE MANUAL AND AUTO-START CONTROL CABLES FOR THE 'C' SAFETY INJECTION PUMP ARE ROUTED IN THE SAME CABLE TRAY WITH THE AUTO-START CONTROL CABLE FOR THE 'A' SAFETY INJECTION PUMP AND FOR THE 'B' SAFETY INJECTION PUMP WHEN IT IS LINED UP FOR 'A' TRAIN OPERATION.

AT 1650 ON 05/21/97, THE LICENSEE DETERMINED THAT THIS CONDITION IS REPORTABLE TO THE NRC AS A POTENTIAL CONDITION OUTSIDE THE DESIGN BASIS OF THE PLANT.

DURING INVESTIGATION OF THIS POTENTIAL ISSUE, BUT PRIOR TO CONFIRMING THAT THIS CONDITION EXISTED, PLANT OPERATORS REMOVED THE 'C' SAFETY INJECTION PUMP FROM SERVICE BY RACKING THE BREAKER OUT AND REMOVING THE CONTROL POWER FUSES AND DECLARED THE 'C' SAFETY INJECTION PUMP INOPERABLE. THE 'A' SAFETY INJECTION PUMP IS LINED UP FOR 'A' TRAIN OPERATIONS AND THE 'B' SAFETY INJECTION PUMP IS LINED UP FOR 'B' TRAIN OPERATIONS.

THERE IS NO ROBINSON TECH SPEC LCO ACTION STATEMENT FOR THE INOPERABLE 'C' SAFETY INJECTION PUMP.

THIS CONDITION HAS APPARENTLY EXISTED SINCE INITIAL PLANT STARTUP.

THE LICENSEE IS DETERMINING CORRECTIVE ACTIONS AND WILL INFORM THE NRC RESIDENT INSPECTOR.

33070 | VERMONT YANKEE | 1 | VT | 10/10/97

- INADEQUATE CABLE SEPARATION IN SAFETY-RELATED ALTERNATE COOLING SYSTEM -

DURING A DESIGN REVIEW, THE LICENSEE DISCOVERED THAT ELECTRICAL CABLES FROM DIVISION I MOTOR CONTROL CENTER (MCC) #8C AND DIVISION 2 MCC #9C MERGE INTO A COMMON CLASS 1E CABLE FEEDING SAFETY-RELATED ALTERNATE COOLING SYSTEM COOLING TOWER FAN #2-1. THIS COMMON CABLE INSTALLATION IS CONTRARY TO THE CABLE SEPARATION CRITERIA OF UFSAR SECTION 8.4.6.

THE LICENSEE OPENED THE CIRCUIT BREAKERS ON MCC #8C AND #9C AND DECLARED THE ALTERNATE COOLING SYSTEM INOPERABLE. TECH SPEC LCO A/S 3.5.D.3 REQUIRES THE ALTERNATE COOLING SYSTEM TO BE RESTORED TO OPERABLE STATUS WITHIN 7 DAYS OR TO SHUT THE PLANT DOWN.

THE LICENSEE IS INVESTIGATING THIS CONDITION AND DETERMINING CORRECTIVE ACTIONS.

THE LICENSEE WILL INFORM THE NRC RESIDENT INSPECTOR.

33779 | VERMONT YANKEE | 1 | VT | 2/24/98

LICENSEE IDENTIFIED AN ELECTRICAL CABLE WHICH DID NOT MEET CABLE SEPARATION CRITERIA.

"DURING THE PREPARATION OF VARIOUS CABLE SEPARATION MINOR MODIFICATIONS (MMs), THE FIELD ROUTING FOR CABLE C1351B WAS DISCOVERED NOT TO MATCH THE ROUTING SHOWN ON THE CABLE AND CONDUIT LIST (C&CL). SUBSEQUENT HAND-OVER-HAND VERIFICATION OF THE CABLE ROUTING FOUND THAT THE CABLE IS ROUTED IN BOTH SI AND SII DIVISIONAL RACEWAY, WHICH IS PROHIBITED BY FSAR SECTION 8.4.6 AND THE SEPARATION CRITERIA (VYS-027). THE CABLE IS PART OF THE PLANT COMMUNICATIONS SYSTEM AND IS USED FOR NIGHTTIME SILENCING OF THE OUTDOOR SPEAKERS. THE C&CL HAS BEEN UPDATED TO REFLECT THE CURRENT CABLE ROUTING."

THE LICENSEE'S CORRECTIVE ACTIONS INCLUDE RE-ROUTING THIS CABLE AS PART OF A MM WHICH IS CURRENTLY BEING PREPARED. ALSO, AN OPERABILITY DETERMINATION (INCLUDED IN BMO 97-13, REV 4) WAS PERFORMED WHICH CONCLUDED THAT OPERATION COULD CONTINUE. THE LICENSEE INFORMED VERMONT PUBLIC SERVICES AND THE NRC RESIDENT INSPECTOR.

33870 | VERMONT YANKEE | 1 | VT | 3/10/98

NON-SAFETY-RELATED CABLES ROUTED IN BOTH SAFETY-RELATED DIVISION RACEWAYS

DURING PLANT WALKDOWNS AND REVIEWS OF PLANT DRAWINGS, LICENSEE PERSONNEL IDENTIFIED 15 INSTANCES WHEREBY A NON-SAFETY-RELATED CABLE IS ROUTED IN A RACEWAY ALONGSIDE ONE DIVISION OF SAFETY-RELATED CABLES AND THEN IS FURTHER ROUTED IN ANOTHER RACEWAY ALONGSIDE THE OTHER DIVISION OF THE SAFETY-RELATED CABLES FOR THE SAME SYSTEM. THE CABLES OF BOTH SAFETY-RELATED DIVISIONS OF THE SAME SYSTEM COULD GET DAMAGED AT THE SAME TIME DUE TO THE EFFECTS OF THE FAULT CURRENT FROM THE COMMON NON-SAFETY-RELATED CABLE. THIS CONDITION IS IN VIOLATION OF THE REQUIREMENTS OF THE UPDATED FINAL SAFETY ANALYSIS REPORT, SECTION 8.4.6, AND DOCUMENT VYS-027, PLANT ELECTRICAL CABLE SEPARATION CRITERIA.

THE LICENSEE HAS REVIEWED THE FUNCTION OF EACH OF THESE NON-SAFETY-RELATED CABLES FOR SAFETY SIGNIFICANCE AND PERFORMED A CORRESPONDING OPERABILITY ASSESSMENT. THESE NON-SAFETY-RELATED CABLES PROVIDE ANNUNCIATION, CONTROL, OR POWER FOR VARIOUS NON-SAFETY-RELATED FUNCTIONS. ELEVEN OF THESE CABLES ARE EITHER LOW ENERGY OR HAVE AT LEAST TWO PROTECTIVE DEVICES IN SERIES TO ISOLATE AN ELECTRICAL FAULT. THE LICENSEE IS CONTINUING TO INVESTIGATE THESE CONDITIONS.

THE LICENSEE INFORMED THE NRC RESIDENT INSPECTOR.

32035 | VERMONT YANKEE | 1 | VT | 3/27/97

FIRE PROTECTION LIGHTING CABLE RUN IN BOTH DIVISION I & II CABLE TRAYS -

AT 1535 ON 03/27/97, CONTROL ROOM PERSONNEL WERE INFORMED BY ENGINEERING DEPARTMENT PERSONNEL THAT THE FEEDER CABLE FOR LIGHTING PANEL #LP-1SR (APPENDIX R LIGHTS ON THE REFUEL FLOOR) WAS ROUTED THROUGH BOTH DIVISION I AND DIVISION II CABLE TRAYS. A SINGLE FAILURE IN THIS CABLE COULD RENDER BOTH DIVISIONS INOPERABLE. THIS CONFIGURATION IS CONTRARY TO DIVISIONAL SEPARATION CRITERIA AS STATED IN VERMONT YANKEE'S SPECIFICATION AND PLACES THE PLANT OUTSIDE ITS DESIGN BASIS.

THE LICENSEE HAS TAGGED THE FEEDER BREAKER TO LP-1SR OPEN, IS INSPECTING OTHER PANELS FOR SIMILAR CONDITIONS, AND IS DETERMINING LONG TERM CORRECTIVE ACTIONS.

THE LICENSEE INFORMED THE NRC RESIDENT INSPECTOR.

32146 | VERMONT YANKEE | 1 | VT | 4/14/97

THE LICENSEE REPORTED A CABLE SEPARATION CONDITION WHICH DOES NOT MEET THE DIVISION 1 AND DIVISION 2 SEPARATION CRITERIA.

THIS CONDITION EXISTS BETWEEN THE FEEDER CABLES FOR DIVISION 2 LPCI INJECTION VALVES, THE RECIRC VALVES IN THE RECIRC LOOP, AND DIV 1 HPCI INJECTION VALVE, TORUS SUCTION VALVES AND RECIRC TEST VALVE. THIS LACK OF SEPARATION OCCURS IN A PULL BOX BETWEEN THE SWITCHGEAR ROOM AND THEIR REACTOR BUILDING. THEIR OPERABILITY ASSESSMENT HAS DETERMINED THAT DURING AN ACCIDENT CONDITION WITH A LO-LO LEVEL, THE FEEDER BREAKER FOR THE LPCI VALVES WILL DE-ENERGIZE, BUT THE VALVES WILL BE SUPPLIED POWER FROM THE BATTERY BANK. DIVISION 1 HPCI WOULD START AND BE SUPPLIED POWER BY THE CABLE WHICH GOES THROUGH THE PULL BOX. THEREFORE, THE DIVISION 1 CABLE WILL BE THE ONLY ENERGIZED CABLE IN THE PULL BOX DURING THAT ACCIDENT CONDITION. THE RESIDENT WILL BE INFORMED.

32163 | VERMONT YANKEE | 1 | VT | 4/16/97

CERTAIN NONNUCLEAR SAFETY CABLES MAY NOT MEET CABLE SEPARATION CRITERIA

  • ALL OF THE 59 NONNUCLEAR SAFETY (NNS) CABLES INSPECTED ARE 120 VOLT OR LESS AND ARE USED FOR INDICATION, ANNUNCIATION, CONTROL POWER AND INTERLOCKS, SIGNAL INPUTS FROM INSTRUMENTATION, OR RELAYING. THE INDICATION, ANNUNCIATION, AND SIGNAL INPUTS ARE LOW LEVEL AND CANNOT GENERATE ENOUGH ENERGY TO CAUSE DAMAGING SHORT CIRCUITS WITHIN THESE CABLES. THE POWER FEEDS ARE PROVIDED FROM SAFETY CLASS ELECTRICAL (SCE) BUSES AND BREAKERS (CRP-9-46, DC-1C, AND DC-2C) AND HAVE SCE BREAKERS UPSTREAM TO PROVIDE BACKUP SHORT CIRCUIT PROTECTION. ANY SHORT CIRCUIT IN THESE CABLES WILL BE ISOLATED PRIOR TO CABLE DAMAGE.

IN ADDITION, THE CONTROL POWER AND INTERLOCKS ARE PROTECTED BY AT LEAST TWO DEVICES SUCH AS A BREAKER AND FUSE, TWO BREAKERS IN SERIES, OR A FUSE AND CONTROL POWER TRANSFORMER. FOR A POSTULATED FIRE IN THE CABLE VAULT THAT MAY AFFECT BOTH DIVISIONAL SYSTEMS, THE ALTERNATE SHUTDOWN SYSTEM IS AVAILABLE TO SAFELY SHUT THE PLANT DOWN. FOR CABLES THAT CROSS OVER SI AND SII DIVISIONS IN OTHER AREAS OF THE PLANT, ADEQUATE FIRE BARRIERS ARE INSTALLED BETWEEN FIRE AREAS OR SUFFICIENT SEPARATION DISTANCE EXISTS BETWEEN SI AND SII DIVISIONS TO ASSURE THAT A FIRE IN ONE AREA WILL NOT PROPAGATE. ANY POSTULATED DAMAGE WILL BE CONFINED TO NNS TRAY AND ONLY ONE DIVISIONAL SYSTEM. A FAULTED NNS CABLE MAY AFFECT THE AVAILABILITY OF BOTH TRAINS OF RHR SERVICE WATER SINCE BOTH GROUPS OF CABLES SHARE A COMMON TRAY. EXCEPT FOR TWO CABLES, UPS-1A FEEDER AND TORUS TEMPERATURE RECORDER INPUTS, ALL IDENTIFIED CABLES WERE INSTALLED DURING ORIGINAL CONSTRUCTION. THE LICENSEE WILL INFORM THE NRC RESIDENT INSPECTOR.

SINGLE FAILURE VULNERABILITIES.

A number of reactors have identified what are known as "single failure" vulnerabilities. Failure to maintain the design basis of the nuclear reactor has led to instances where a single event or condition could have prevented the functioning of the nuclear reactor's safety systems. These safety systems are needed to: shut down the reactor, cool the radioactive fuel in the reactor core, contain the release of any radiation into the environment or otherwise mitigate the consequences of an accident.

Single failures are significant because they represent instances where the NRC's "defense-in-depth" approach to reactor safety has been undermined. Rather than having multiple, redundant layers of protection from the release of radiation into the environment, single failure vulnerabilities reveal holes in the NRC's nuclear safety net.

Single failures are defined by the NRC as:

Any event or condition that alone could have prevented the fulfillment of the safety function of structures or systems that are needed to:

  1. Shut down the reactor and maintain it in a safe shutdown condition,
  2. Remove residual heat,
  3. Control the release of radioactive material, or
  4. Mitigate the consequences of an accident.

Table VI lists those reactors that have identified single failure vulnerabilities.

TABLE VI

NUCLEAR REACTORS REPORTING "OUTSIDE DESIGN BASIS" DUE TO SINGLE FAILURE VULNERABILITIES

Event Number | Reactor | Unit | State | Date | Details

32917 | BRUNSWICK | 1, 2 | NC | 9/12/97

A SINGLE FAILURE CAN PREVENT THE FUNCTION OF THE PRESSURE SUPPRESSION FUNCTION OF CONTAINMENT.

DURING REVIEW OF PLANT PROCEDURES AND DESIGN OF SYSTEMS UTILIZED TO INERT AND DE-INERT PRIMARY CONTAINMENT, IT WAS DETERMINED THAT A SINGLE FAILURE CAN PREVENT THE FUNCTION OF THE PRESSURE SUPPRESSION FUNCTION OF CONTAINMENT. SPECIFICALLY, THE INBOARD ISOLATION VALVES FOR THE CONTAINMENT ATMOSPHERIC CONTROL INERTING SYSTEM FOR THE TORUS AND DRYWELL UTILIZE A COMMON RELAY. A CREDIBLE SINGLE FAILURE EXISTS WHICH COULD PREVENT BOTH VALVES FROM CLOSING DURING A LOCA WHILE INERTING. BOTH VALVES ARE NORMALLY SHUT AT POWER. FAILURE OF THESE VALVES TO CLOSE WITH A GROUP 6 ISOLATION SIGNAL ON HIGH DRYWELL PRESSURE WOULD ALLOW BYPASS OF STEAM FROM A LOCA INTO THE AIR SPACE OF THE TORUS PREVENTING COMPLETE QUENCHING AND PRESSURE SUPPRESSION. A POTENTIAL TO OVER PRESSURIZE THE DRYWELL EXISTS. THIS IS ONLY APPLICABLE TO A SMALL BREAK LOCA WHICH HAS A SLOW PRESSURE RISE IN CONTAINMENT DURING INERTING OR DE-INERTING ACTIVITIES. FOR THIS CONDITION TO OCCUR, THE FOLLOWING HAS TO HAPPEN: 1) SIMULTANEOUSLY INERTING OR PURGING THE DRYWELL AND SUPPRESSION POOL, 2) A SMALL BREAK LOCA OCCURS, AND 3) A SINGLE FAILURE OF A CONTACT TO OPEN IN THE GROUP 6 LOGIC; THE SUPPRESSION FUNCTION OF THE SUPPRESSION POOL WOULD BE BYPASSED.

THIS ACCIDENT IS ONLY APPLICABLE WITH THE PLANT IN HOT SHUTDOWN OR AT POWER WITH THE ABOVE INFREQUENT PLANT CONFIGURATION. THE TIME SPENT INERTING OR PURGING IS STRICTLY LIMITED BY TECHNICAL SPECIFICATION WHILE AT POWER. IN ORDER TO EXCEED DESIGN BASIS PRESSURE REQUIREMENTS, A SMALL BREAK LOCA MUST OCCUR IN CONJUNCTION WITH SIMULTANEOUS INERTING OR PURGING OF THE DRYWELL AND SUPPRESSION POOL. A SENSITIVITY ANALYSIS HAS BEEN INCLUDED AS PART OF THE UFSAR WHICH INDICATES THAT THE PRESSURE SUPPRESSION FUNCTION WILL NOT FAIL IN THIS EVENT WITH THE SUPPRESSION POOL BYPASS AREA EQUIVALENT TO A SIX-INCH PIPE. THIS SINGLE FAILURE CONFIGURATION ALLOWS BYPASS FLOW ACROSS AN 18-INCH BUTTERFLY VALVE THROTTLED TO 45 DEGREES.

CORRECTIVE ACTION: ALL APPLICABLE PROCEDURES HAVE BEEN ADMINISTRATIVELY PLACED ON HOLD UNTIL PROVISIONS WHICH ALLOW SIMULTANEOUS INERTING OR DE-INERTING OF THE DRYWELL AND TORUS HAVE BEEN REMOVED.

THE NRC RESIDENT INSPECTOR WAS NOTIFIED OF THIS EVENT BY THE LICENSEE.

33120 | LIMERICK | 1, 2 | PA | 10/20/97

POTENTIAL FOR SUPPRESSION POOL TO BE BYPASSED DURING A LOCA.

ON AUGUST 21, 1997, A REVIEW OF INDUSTRY OPERATING EXPERIENCE IDENTIFIED A POTENTIAL BYPASS PATH FROM THE DRYWELL TO THE SUPPRESSION POOL THROUGH THE CONTAINMENT PURGE NITROGEN SUPPLY PIPING AND VALVES. THE STATION TOOK IMMEDIATE ACTIONS TO ADMINISTRATIVELY CONTROL THE AFFECTED FLOW PATH BY DISABLING ONE OF THE TWO PURGE VALVES IN THE FLOW PATH, AND TO CHANGE THE ASSOCIATED PROCEDURES PENDING REVIEW OF THE ISSUE. IN ADDITION, THE LICENSEE AND NSSS VENDOR COMMENCED A MORE DETAILED REVIEW OF THE ISSUE.

AT 1715 ON OCTOBER 20, 1997, FOLLOWING A REVIEW OF THIS ISSUE BY THE LICENSEE AND NSSS VENDOR PERSONNEL, LICENSEE PERSONNEL CONCLUDED THAT THE UNIT 1 AND 2 DESIGN CONFIGURATION IN QUESTION MAY RESULT IN THE PLANT BEING OUTSIDE OF THE CURRENT PLANT DESIGN BASIS. IN THE EVENT OF A SINGLE FAILURE, THE COMMUNICATION PATH BETWEEN THE DRYWELL AIRSPACE AND SUPPRESSION CHAMBER AIRSPACE COULD BE IN EXCESS OF THE ALLOWABLE SUPPRESSION CHAMBER STEAM BYPASS LEAKAGE SPECIFIED IN THE PLANT TECH SPECS. THE COMMUNICATION PATH IS NORMALLY ISOLATED BY TWO VALVES IN SERIES. THE VALVES ARE AIR OPERATED, NORMALLY CLOSED-FAIL CLOSE VALVES. THE POWER SUPPLY, CONTROL LOCATION, AND CABLE ROUTING ARE COMMON TO BOTH VALVES. IN THE EVENT OF A FAILURE OF THE COMMON CABLE RACEWAY OR CONTROL CABINET, THE POTENTIAL FOR THE INADVERTENT OPENING OF THE VALVES EXISTS. IF THIS COMMON RACEWAY OR CONTROL CABINET FAILURE WERE TO OCCUR CONCURRENT WITH A LOSS OF COOLANT ACCIDENT, THE SUPPRESSION CHAMBER STEAM BYPASS LEAKAGE WOULD BE IN EXCESS OF THE CURRENTLY ANALYZED AMOUNT, RESULTING IN THE POTENTIAL DEGRADING OF THE PRESSURE SUPPRESSION CAPABILITY OF THE PRIMARY CONTAINMENT. A DEGRADED PRESSURE SUPPRESSION CAPABILITY MAY RESULT IN EXCEEDING PRIMARY CONTAINMENT DESIGN PRESSURES. A CALCULATION HAS NOT YET BEEN PERFORMED TO DETERMINE IF THE PRIMARY CONTAINMENT DESIGN PRESSURE WOULD BE EXCEEDED IN THIS SCENARIO.

THE ADMINISTRATIVE CONTROLS AND PROCEDURE CHANGES ALREADY IN PLACE TO ADDRESS THIS ISSUE WILL REMAIN IN PLACE PENDING RESOLUTION OF THE DESIGN ISSUE.

THE LICENSEE WILL NOTIFY THE NRC RESIDENT INSPECTOR.

34222 | LIMERICK | 1, 2 | PA | 5/13/98

PRIMARY CONTAINMENT ELECTRICAL PENETRATION OVERCURRENT PROTECTION CIRCUITS DO NOT MEET SINGLE FAILURE CRITERION.

THE PRIMARY CONTAINMENT ELECTRICAL PENETRATION OVERCURRENT PROTECTION CIRCUITS FOR INBOARD PCIVs ON UNIT 1 AND 2 RHR SHUTDOWN COOLING LINE, RWCU SYSTEM, MAIN STEAM LINE DRAIN, AND PRIMARY CONTAINMENT INSTRUMENT GAS SUCTION LINE DO NOT MEET SINGLE FAILURE CRITERION FOR SPECIFIC, BUT LIMITED, TIME CURRENT FAULTED CONDITIONS. A TOTAL OF 4 VALVES PER UNIT ARE AFFECTED. UNDER THESE LIMITED CONDITIONS, THE INSTANTANEOUS OVERCURRENT TRIP BREAKER WOULD NOT ACTUATE AND A FAILURE OF THE THERMAL MAGNETIC OVERCURRENT TRIP BREAKER COULD RESULT IN SUFFICIENT DAMAGE TO THE ELECTRICAL PENETRATION TO RENDER THE PENETRATION INOPERABLE. THE UFSAR AND THE CORRESPONDING SECTIONS OF THE SER STATE THAT THE PENETRATION OVERCURRENT PROTECTION SYSTEM MEETS THE SINGLE FAILURE CRITERION AND IS CONSIDERED NECESSARY TO MEET THE DESIGN BASIS FOR THIS SYSTEM. THE NOTIFICATION IS BEING MADE FOR UNIT 2 SINCE IT IS OPERATING. UNIT 1 HAS A SIMILAR CONDITION, BUT IT IS IN A REFUELING OUTAGE AND PRIMARY CONTAINMENT PENETRATION PROTECTION IS NOT REQUIRED TO BE OPERABLE. FOR EACH AFFECTED PENETRATION, THE THERMAL MAGNETIC OVERCURRENT PROTECTION BREAKER IS OPERABLE AND AN EVALUATION HAS CONCLUDED THAT THERE ARE NO CREDIBLE FAULTED CONDITIONS NOTED. THEREFORE, IT IS CONCLUDED THAT THIS CONDITION DOES NOT RESULT IN A SERIOUSLY DEGRADED NOR UNANALYZED CONDITION. A PLANT MODIFICATION WILL PROVIDE A REDUNDANT OVERCURRENT TRIP DEVICE THAT WILL INCLUDE PROTECTION FOR THE LIMITED TIME CURRENT CONDITION.

THE RESIDENT INSPECTOR WAS NOTIFIED.

HOO NOTE: SEE SIMILAR EVENT #34186

34186 | LIMERICK | 1, 2 | PA | 5/6/98

THE LICENSEE IDENTIFIED A CONDITION WHERE THE ELECTRICAL PENETRATION OVERCURRENT PROTECTION CIRCUITS FOR HIGH PRESSURE COOLANT INJECTION (HPCI) AND REACTOR CORE ISOLATION COOLING (RCIC) SYSTEMS INBOARD PRIMARY CONTAINMENT ISOLATION VALVES (PCIVs) DO NOT MEET THE SINGLE FAILURE CRITERION AS STATED IN THE DESIGN.

"ON MAY 6, 1998, ENGINEERING PERSONNEL DISCOVERED THAT THE PRIMARY CONTAINMENT ELECTRICAL PENETRATION OVERCURRENT PROTECTION CIRCUITS FOR THE INBOARD PCIVs FOR THE LGS UNIT 1 AND UNIT 2 HPCI AND RCIC SYSTEMS DO NOT MEET THE SINGLE FAILURE CRITERION FOR SPECIFIC, BUT LIMITED, TIME CURRENT FAULTED CONDITIONS. UNDER THESE LIMITED CONDITIONS, THE INSTANTANEOUS OVERCURRENT TRIP BREAKER WOULD NOT ACTUATE AND A FAILURE OF THE THERMAL MAGNETIC OVERCURRENT TRIP BREAKER COULD RESULT IN SUFFICIENT DAMAGE TO THE ELECTRICAL PENETRATION TO RENDER THE PENETRATION INOPERABLE. THE UFSAR SECTIONS 8.1.5 AND 8.1.6 AND THE CORRESPONDING SECTIONS OF THE SER STATE THAT THE PENETRATION OVERCURRENT PROTECTION SYSTEM MEETS THE SINGLE FAILURE CRITERION AND IS CONSIDERED NECESSARY TO MEET THE DESIGN BASIS FOR THIS SYSTEM. THIS NOTIFICATION IS MADE PURSUANT TO 10CFR50.72(b)(1)(ii)(B) FOR UNIT 2 (OPERATING) AS A CONDITION OUTSIDE THE DESIGN BASIS OF THE PLANT. UNIT 1 HAS A SIMILAR CONDITION BUT UNIT 1 IS SHUTDOWN FOR A REFUELING OUTAGE AND THE PRIMARY CONTAINMENT PENETRATION PROTECTION IS NOT CURRENTLY REQUIRED TO BE OPERABLE. FOR EACH AFFECTED PENETRATION, THE THERMAL MAGNETIC OVERCURRENT PROTECTION BREAKER IS OPERABLE AND AN ENGINEERING EVALUATION HAS CONCLUDED THAT THERE IS NO CREDIBLE FAULTED CONDITION THAT WOULD RESULT IN THE SPECIFIC TIME CURRENT FAULTED CONDITIONS NOTED ABOVE. THEREFORE, IT IS CONCLUDED THAT THIS CONDITION DOES NOT RESULT IN A SERIOUSLY DEGRADED NOR AN UNANALYZED CONDITION. A PLANT MODIFICATION IS BEING INSTALLED TO PROVIDE A REDUNDANT OVERCURRENT TRIP DEVICE THAT WILL INCLUDE PROTECTION FOR THE LIMITED TIME CURRENT CONDITIONS. A UNIT 1 OVERCURRENT TRIP FUNCTION WILL BE RESTORED PRIOR TO RESTART FROM THE CURRENT REFUELING OUTAGE. A REVIEW HAS BEEN PERFORMED THAT CONCLUDED THAT THESE ARE THE ONLY CIRCUITS WITH THIS CONDITION."

THIS CONDITION WAS DISCOVERED DURING A LICENSEE INITIATED SAFETY SYSTEM FUNCTIONAL INSPECTION.

THE LICENSEE WILL INFORM THE NRC RESIDENT INSPECTOR.

31731 | MILLSTONE | 1 | CT | 2/5/97

FAILURE TO ASSUME THAT A SINGLE FAILURE OF THE AUTOMATIC PRESSURE RELIEF VALVES MIGHT INVOLVE MORE THAN ONE VALVE DURING A SMALL BREAK LOCA

THE FOLLOWING TEXT IS FROM A FACSIMILE SENT IN BY THE LICENSEE:

"ADVERSE CONDITION REPORT (ACR) #11575 CONCERNS THE FUNCTIONAL REQUIREMENTS OF THE FEEDWATER COOLANT INJECTION (FWCI)/AUTOMATIC PRESSURE RELIEF (APR) SYSTEMS TO MITIGATE THE CONSEQUENCES OF A DESIGN BASIS ACCIDENT AND REPORTS THAT THE APR SYSTEM IS VULNERABLE TO SINGLE FAILURES WHICH MAY INVALIDATE PREVIOUS ASSUMPTIONS OF THE OPERATING CYCLE 15 SMALL BREAK LOSS OF COOLANT ACCIDENT (SBLOCA) ANALYSIS. DURING THE CORRECTIVE ACTION AND RESOLUTION PROCESS OF ACR #11575, IT WAS DISCOVERED THAT LOCA ANALYSES PERFORMED IN THE MID 1970s AND SUBSEQUENT ANALYSES TO SHOW COMPLIANCE WITH THE REQUIREMENTS OF 10 CFR 50.46 AND 10 CFR PART 50, APPENDIX K, WERE BASED ON THE ASSUMPTION THAT DIVERSE SYSTEMS, FWCI AND APR, WERE INDEPENDENTLY CAPABLE OF MITIGATING THE CONSEQUENCES OF A SBLOCA COINCIDENT WITH A POSTULATED FAILURE OF A SINGLE APR VALVE. THE ANALYSIS FAILED TO RECOGNIZE THE SINGLE FAILURE VULNERABILITY OF THE APR SYSTEM AND POTENTIAL LOSS OF MORE THAN ONE APR VALVE AND THAT BOTH APR AND FWCI ARE REQUIRED TO SATISFY LONG TERM COOLING REQUIREMENTS PER CRITERION #5 OF 10 CFR 50.46."

THE LICENSEE SAFETY ANALYSIS DEPARTMENT WILL REVISE THE LOCA ANALYSIS (10 CFR 50.46 AND 10 CFR PART 50, APPENDIX A) BASED ON UNIT 1 SPECIFIC DESIGN CONFIGURATIONS AND TAKING INTO ACCOUNT ANY DESIGN MODIFICATION IDENTIFIED FOR CORRECTIVE ACTION FOR ACR #11575.

THE LICENSEE NOTIFIED THE NRC RESIDENT INSPECTOR AND THE APPLICABLE STATE AND LOCAL OFFICIALS OF THIS EVENT.

33121 | PEACH BOTTOM | 1, 2 | PA | 10/20/97

POTENTIAL FOR THE SUPPRESSION POOL TO BE BYPASSED DURING A LOCA.

ON AUGUST 21, 1997, A REVIEW OF INDUSTRY OPERATING EXPERIENCE IDENTIFIED A POTENTIAL BYPASS PATH FROM THE DRYWELL TO SUPPRESSION CHAMBER THROUGH THE CONTAINMENT PURGE NITROGEN SUPPLY PIPING AND VALVES. THE STATION TOOK IMMEDIATE ACTIONS TO ADMINISTRATIVELY CONTROL THE AFFECTED FLOWPATH BY DISABLING ONE OF THE TWO PURGE VALVES IN THE FLOW PATH AND TO CHANGE THE ASSOCIATED PROCEDURES PENDING REVIEW OF THE ISSUE. IN ADDITION, THE LICENSEE AND NSSS VENDOR COMMENCED A MORE DETAILED REVIEW OF THE ISSUE.

FOLLOWING A REVIEW OF THIS ISSUE BY LICENSEE AND NSSS VENDOR PERSONNEL, LICENSEE PERSONNEL CONCLUDED THAT THE UNIT 2 AND 3 DESIGN CONFIGURATION IN QUESTION MAY RESULT IN THE PLANT BEING OUTSIDE THE CURRENT PLANT DESIGN BASIS. IN THE EVENT OF A SINGLE FAILURE, THE COMMUNICATION PATH BETWEEN THE DRYWELL AIRSPACE AND THE SUPPRESSION CHAMBER AIR SPACE COULD BE IN EXCESS OF THE ALLOWABLE SUPPRESSION CHAMBER STEAM BYPASS LEAKAGE PATH SPECIFIED IN THE PLANT TECH SPECS AND BASES. THE COMMUNICATION PATH IS NORMALLY ISOLATED BY TWO VALVES IN SERIES. THE VALVES ARE AIR OPERATED, NORMALLY CLOSED-FAIL CLOSE VALVES. THE POWER SUPPLY, CONTROL LOCATION AND CABLE ROUTING ARE COMMON TO BOTH VALVES. IN THE EVENT OF A FAILURE OF THE COMMON CABLE RACEWAY OR CONTROL CABINET, THE POTENTIAL FOR THE INADVERTENT OPENING OF THE VALVES EXISTS. IF THIS COMMON FAILURE WAS TO OCCUR CONCURRENT WITH A LOCA, THE SUPPRESSION CHAMBER STEAM BYPASS LEAKAGE COULD BE IN EXCESS OF THE CURRENT ANALYZED AMOUNT RESULTING IN EXCEEDING THE PRIMARY CONTAINMENT DESIGN PRESSURES.

THE LICENSEE WILL NOTIFY THE NRC RESIDENT INSPECTOR.

33608 | PILGRIM | 1 | MA | 1/27/98

SINGLE FAILURE COULD PREVENT OPERATION OF EDG FOR SEVEN DAYS

DURING REVIEW OF SAFETY-RELATED CALCULATION S&SA 55, "MINIMUM ONSITE DIESEL FUEL REQUIREMENT," THE LICENSEE DETERMINED THAT A SINGLE COMPONENT FAILURE WOULD PLACE THE UNIT OUTSIDE OF ITS DESIGN BASIS. EACH EMERGENCY DIESEL GENERATOR (EDG) IS CAPABLE OF STARTING AND OPERATING CONTINUOUSLY UNDER POSTULATED ACCIDENT CONDITIONS FOR A PERIOD OF SEVEN DAYS USING FUEL STORED ONSITE IN UNDERGROUND STORAGE TANKS. A FAILURE OF EDG OIL STORAGE TANK FOOT VALVES 38-CK-101A OR B WOULD PREVENT THE ABILITY TO CROSS TIE THE STORAGE TANKS, PREVENTING THE EDGs FROM OPERATING FOR THE FULL SEVEN DAY PERIOD.

THE LICENSEE'S PRELIMINARY OPERABILITY EVALUATION HAS DETERMINED THAT THE USE OF APPROVED EOPs WOULD REDUCE THE AMOUNT OF FUEL CONSUMED WITHIN THE FIRST SEVEN DAYS FOLLOWING AN ACCIDENT TO LESS THAN THAT REQUIRED TO BE AVAILABLE BY TECHNICAL SPECIFICATIONS. THE NRC RESIDENT INSPECTOR HAS BEEN INFORMED BY THE LICENSEE.

35048 | PRAIRIE ISLAND | 1, 2 | MN | 11/17/98

POTENTIAL FOR SINGLE FAILURE DURING TESTING

"On November 17, 1998, Prairie Island personnel identified a condition potentially outside of the plant design basis. Prairie Island has performed Technical Specification required surveillance testing of Boric Acid Storage Tank Level channels by placing the respective channel in the tripped condition. When in this condition, a single failure of another channel could cause a premature transfer of the Safety Injection Pump suctions to the Refueling Water Storage Tank. This would bypass the injection of highly borated water required to mitigate a steam line break accident. At this time, all boric acid level channels are OPERABLE and surveillance tests are being quarantined until corrective actions can be implemented. Unit 1 is currently in Mode 3 and Unit 2 is currently in Mode 6. Prairie Island will likely request Technical Specification changes to allow this testing."

The NRC resident inspector has been informed of this event by the licensee.

33131 | SUSQUEHANNA | 1, 2 | PA | 10/22/97

POTENTIAL FOR SUPPRESSION POOL TO BE BYPASSED DURING A LOCA

CONTROL CABLING FOR BOTH DRYWELL AND SUPPRESSION CHAMBER PURGE INBOARD ISOLATION VALVES IS CONTAINED IN THE SAME RACEWAY. DUE TO A POSTULATED SINGLE FAILURE BOTH ISOLATION VALVES COULD ENERGIZE OPEN, ALLOWING THE DRYWELL AND SUPPRESSION CHAMBER ATMOSPHERES TO COMMUNICATE THROUGH A 6" LINE FOLLOWING A POSTULATED LOSS OF COOLANT ACCIDENT (LOCA).

THIS SINGLE FAILURE CONDITION WOULD RESULT IN BYPASS LEAKAGE OF THE POSTULATED LOCA ENVIRONMENT AROUND THE SUPPRESSION POOL, THUS LOSING THE BENEFITS OF BOTH THE QUENCHING OF THE BLOWDOWN ENERGY AND THE SCRUBBING OF ANY FISSION PRODUCTS. THIS SEQUENCE WOULD ALSO LEAD TO AN OVERPRESSURIZATION OF THE CONTAINMENT BEYOND THE DESIGN REQUIREMENTS, AND CONSEQUENTLY RADIATION RELEASES COULD EXCEED THE PRESENTLY ANALYZED LIMITS FOR COMPLIANCE TO 10 CFR 100.

AIR SUPPLY WILL BE REMOVED FROM THE SUBJECT VALVE WHICH WILL RENDER THEM DEACTIVATED CLOSED IN PLACE. THIS WILL IN TURN ENSURE PRIMARY CONTAINMENT INTEGRITY IN ACCORDANCE WITH TECH SPECS.

THE LICENSEE HAS NOTIFIED THE NRC RESIDENT INSPECTOR.

II. NUCLEAR "SAFETY," THE DESIGN BASIS & THE FINAL SAFETY ANALYSIS REPORT

WHAT IS NUCLEAR "SAFETY"

The U.S. Nuclear Regulatory Commission (NRC) is the agency charged with assuring that public health and safety are protected from the consequences of a nuclear reactor accident. While the NRC does not precisely define nuclear "safety", the Commission assumes nuclear reactors are safe if:

1. they are built and operated within their approved designs and;

2. comply with all applicable NRC regulations.

Before a utility can receive a license to split atoms, the NRC must approve the design of a nuclear reactor, monitor its construction and review the final safety analysis report (FSAR). Once a nuclear reactor is licensed, the NRC is responsible for inspecting the reactor to assure that it continues to operate within its approved design, i.e. its design basis. Since the design basis of a reactor can change over time due to amendments to its operating license and changes in NRC regulations, utilities that own nuclear reactors are required to periodically update their final safety analysis reports.

When utilities fail to maintain their design basis or update their safety analyses, the NRC may cite them with a violation and a fine. If the violation is serious enough, the NRC can force the reactor to shut down. However, this has only happened once, when reactor operators were found sleeping at the Peach Bottom reactor in Pennsylvania. Usually, the utility will shut down the reactor of its own accord and the NRC will then prevent the reactor from restarting until the problem has been addressed.

The NRC contends that if a nuclear reactor is designed, constructed and operated in compliance with its approved design then the redundant safety systems built into the plant will provide an adequate level of safety even if one of the safety systems should fail and an accident were to occur. This concept is known as "defense-in-depth." Redundant safety systems are supposed to provide multiple layers of protection to help assure that radiation is not released into the environment and the surrounding communities.

While redundant safety systems are necessary, the 1979 meltdown of the Three Mile Island reactor in Harrisburg, Pennsylvania has shown that these safety systems do not guarantee that an accident will not occur or that radiation will not be released into the environment. Additionally, overreliance on the concept of defense-in-depth can lull the NRC and the nuclear industry into a false sense of security. As noted by MIT professor of nuclear engineering Theos J. Thompson:

Most dangerous of all is the operating philosophy that there are several independent sequential barriers to prevent a given accident and that therefore, the failure of any given barrier is not serious and that repair to that barrier can be postponed indefinitely. Each true safety barrier to an accident should be treated as if it were the last one for indeed it may be.

WHAT IS THE DESIGN BASIS OF A NUCLEAR REACTOR

The design basis is the starting point of all NRC regulation; it is the safety and operational blueprint for the nuclear reactor. The design basis for every nuclear reactor is unique. The design basis for each reactor differs based upon the specific type of nuclear reactor, and the different regulations that were in place at the time it was licensed. The NRC has licensed two types of nuclear reactors for commercial operation, pressurized water reactors (PWRs) and boiling water reactors (BWRs).

These two basic types of reactors, PWRs and BWRs, have four different manufacturers. General Electric has manufactured the nuclear systems in the boiling water reactors while Westinghouse, Combustion Engineering and Babcock & Wilcox have manufactured the nuclear systems in the pressurized water reactors. Each of these manufacturers has several different designs. General Electric has six, Westinghouse has three and Combustion Engineering and Babcock & Wilcox each have two different reactor designs that are operating in the United States. Each of these different types and styles of reactor has a different design basis.

If a nuclear reactor is operating "outside design basis," it is impossible for the NRC or the utility to determine whether the reactor is "safe" or if its operation poses an undue risk to public health and safety. The design basis of a nuclear reactor is defined in the U.S. Code of Federal Regulations:

  • Design bases means that information which identifies the specific functions to be performed by a structure, system, or component of a facility, and the specific values or ranges of values chosen for controlling parameters as reference bounds for design.

  • These values may be (1) restraints derived from generally accepted "state of the art" practices for achieving functional goals, or (2) requirements derived from analysis of the effects of a postulated accident for which a structure, system, or component must meet its functional goals.

Every safety decision made by the regulator is premised upon the supposition that the nuclear reactor has been constructed and maintained in accordance with its design basis. This supposition forms the foundation upon which the NRC builds its argument that nuclear reactors do not pose an unwarranted risk to the public health and safety.

WHAT IS THE FINAL SAFETY ANALYSIS REPORT (FSAR)?

Every nuclear utility is required to provide the NRC with a Final Safety Analysis Report (FSAR) for each of its reactors. The final safety analysis report is the document that the NRC relies upon to issue a nuclear reactor a license to split atoms. The FSAR is defined in 10 CFR Part 50.34(b) of the Commission's regulations:

Final safety analysis report. Each application for a license to operate a facility shall include a final safety analysis report. The final safety analysis report shall include information that describes the facility, presents the design bases and the limits on its operation, and presents a safety analysis of the structures, systems, and components and of the facility as a whole...

The FSAR requires a description of the plant, a presentation of the plant's design bases and the limits on its operation, and a safety analysis of the structures, systems, and components as well as the whole facility. The FSAR becomes part of the basis for granting an operating license.

Nuclear utilities are required to periodically update their FSAR. These requirements are supposed to assure that the information included in the FSAR contains the latest material. The Code of Federal Regulations states that the updated FSAR:

  • shall be revised to include the effects of all changes made in the facility or procedures;
  • all safety evaluations performed by the licensee either in support of requested license amendments or in support of conclusions that changes did not involve an unreviewed safety question; and
  • all analyses of new safety issues performed by or on behalf of the licensee at Commission request. The updated information shall be appropriately located within the FSAR.

In 1996, as a result of the problems experienced at the Millstone nuclear power plant, the NRC was forced to acknowledge that many reactors were failing to update these safety analysis reports and that the FSAR at many reactors did not contain the types of information the NRC expected. The NRC would have Congress and the public believe that they just discovered these problems with design basis documentation. However, the NRC has long been aware of design basis problems at the nuclear reactors it purports to regulate. In fact, the Nuclear Regulatory Commission has been in denial of these design basis problems for decades.

III. NRC'S DECADES OF DENIAL

The U.S. Nuclear Regulatory Commission has long been aware of the fact that nuclear utilities have failed to adequately maintain the design basis documentation in their final safety analysis reports and, as a consequence, have operated their reactors "outside design basis" and in violation of the terms of their licenses. Over a span of decades, the NRC was repeatedly put on notice that design basis problems were undermining the safety of the nuclear reactors it was supposed to regulate. However, due to the potential financial impact on the nuclear industry, the NRC has obfuscated the issue and delayed taking action.

THREE MILE ISLAND MELTDOWN & ITS AFTERMATH

On March 28, 1978, the number two reactor at the Three Mile Island nuclear power plant experienced a meltdown, the worst nuclear accident to date in the United States. Suddenly, the entire country became aware of the fact that safety levels at nuclear reactors across the U.S. were not adequate to protect the public from the consequences of an accident. In November 1979, in the aftermath of the meltdown at Three Mile Island, Congress required the NRC to:

  1. Identify which of NRC's current safety requirements were met by each operating plant;
  2. Identify those generic unresolved issues for which technical solutions have been developed;
  3. Identify those licensed plants that had implemented those solutions.

By identifying those reactors that met safety requirements, the NRC was supposed to provide the Congress with some confidence that the level of safety at the nation's nuclear plants was adequate. However, identifying which reactors met safety requirements and which did not was a lot easier said than done.

THE DENTON MEMOS

Throughout the summer of the following year, a series of memos from the NRC Director of the Office of Nuclear Reactor Regulation, Harold Denton, to the Commission detailed the difficulty the NRC would have complying with the congressional requirement. Denton concluded that:

The problem of documentation of conformance with the Commission's regulations is a vexing, manpower intensive effort to which the staff, due to time and manpower limitations, has been forced to give inadequate attention. By good management effort, I hope to improve this situation and to gradually eliminate it. But to do so by an intense effort will be costly. This was the thrust of my June 13, 1980 memorandum. However, the defects in documentation should not be misconstrued as evidence of defects in the review process. Using an audit process, it is simply not possible for the NRC to state, based upon its own knowledge, that every rule and regulation has been met for every applicable action by the applicant.

THE SYSTEMATIC EVALUATION PLAN (SEP)

The NRC attempted to address this "vexing" problem noted in the Denton memos and answer Congress by using the Systematic Evaluation Plan (SEP). The NRC had initiated the systematic evaluation program several years earlier to review the designs of older, operating nuclear power plants. The SEP was divided into 2 phases:

  • First, the staff identified 137 safety issues where regulations had changed enough over time that they warranted a re-evaluation.
  • Then the staff compared the design of 10 of the 51 older plants to the current requirements.

Through the SEP, the NRC supposedly addressed Congress's concern as to whether nuclear reactors met safety requirements. However, the public must question the efficacy of the NRC's Systematic Evaluation Plan. Both Millstone 1 and Haddam Neck were part of this review and both have been permanently shut down due to design basis deficiencies that dated back to construction of the reactors. If the SEP had been effective, the NRC should have identified and corrected the problems at Haddam Neck and Millstone Unit 1 decades ago.

Congress also questioned the efficacy of the SEP. According to Representative Morris Udall, the NRC had taken a congressional request to ascertain the safety of operating reactors and turned it into "a multi-million dollar bureaucratic exercise that will not give answers about the safety of today's operating plants until sometime in the 1990's." Congress did eventually get its answer in the 1990s. However, that answer came in the form of a shutdown of every nuclear reactor in the state of Connecticut.

DEFICIENCIES IN DESIGN BASIS DOCUMENTATION

In 1984, the NRC again acknowledged problems with the design basis but failed to require any action by the utilities. On July 5, 1984, the NRC issued an information notice which stated that, "A common finding in (inspections) conducted by the (NRC's) Office of Inspection and Enforcement has been deficiencies in design base documentation and calculations for nuclear power plant structures, systems, and components." Despite the fact that NRC regulations require accurate and complete design basis documentation, the NRC information notice failed to require any action by the nuclear utilities. The notice stated that, "suggestions contained in this information notice do not constitute NRC requirements and, therefore, no specific action or written response is required."

1985 DAVIS BESSE ACCIDENT

In 1985, design basis issues were again brought to the forefront when Davis Besse experienced a loss of feed water accident. According to then-NRC Executive Director for Operations James Taylor:

We really began looking at existing utilities in the aftermath of the Davis-Besse event of 1985 when there were clear indications that portions of the design -- that was a complete loss of feed and then failure of auxiliary feedwater event. It was a very significant event. But one of the things that triggered our intense interest to go back and look at the designs grew out of that event.... that was a clear-cut case due to some design issues that hadn't been carefully checked out where we actually lost a safety system completely.

DESIGN BASIS RECONSTITUTION PROGRAMS

As a result of the Davis Besse accident, the NRC began what became known as safety system functional inspections. As these inspections turned up problems, the nuclear industry adopted programs to address deficiencies in the design basis of their nuclear reactors. However, not all reactors participated in this voluntary industry initiative. According to NRC's Director of the Division of Reactor Inspection and Safeguards:

The current industry status is that a majority of utilities are embarking on a design document reconstitution program. We are aware of a few that will forego this, Big Rock Point for example, because of economic factors. Others have stretched out their evaluations and reconstitution program because of budget reasons.

However, the NRC acknowledged that they really didn't have a clear idea of what the nuclear industry was actually doing to address the situation:

We haven't done a rigorous inquiry to determine who is doing what. We do have the results of industry surveys and our own knowledge as we go out in the field and we can say some people are deferring, but we don't have exactly who is doing what at this point.

LICENSE RENEWAL

In the early 1990s, design basis issues were again the topic of discussion as the NRC attempted to formulate a rule to renew nuclear reactor licenses for an additional 20 years. The Commission's original rule was premised on the assumption that a nuclear reactor's design basis and final safety analysis report would be sufficient to protect the public health and safety so long as it was modified to account for the effects of aging.

Rather than reviewing the design basis documentation in order to prove that reactors were in compliance with the design, the final safety analysis report and the terms of its operating license, the NRC merely deemed that it was so. Under the license renewal rule, members of the public could not challenge the sufficiency of or question the compliance with a reactor's design basis.

When a reactor applies to renew its license, the NRC is neither going to review these documents nor confirm that the reactor is in compliance with the regulations imposed under the current license. Yet, the NRC acknowledges that the current licensing basis for the nation's nuclear power plants is "outdated and oftentimes poorly recorded."

In 1991, NRC Chairman Ivan Selin illustrated this point stating that:

Many of these documents have gotten lost over the years. In some cases the licensees never had them. In other cases they had them but didn't keep them up to date. So, this is a very, very important part of what we do. Obviously, you have to understand what the design basis and the safety margins of a plant are before one can look at plant modifications.

Chairman Selin acknowledged that the Congress had expressed considerable interest in requiring that design basis be available as part of a license renewal. Selin stated that:

The Commission's position was very strong. On the one hand, we felt and do feel strongly that whatever our views are on having the design basis in hand, they are independent of whether the licensee is coming in for plant life extension or not, but we did agree to take a look at the possibility of requiring that the design basis be available up to a certain standard.

If the Commission's position was strong, the Commission's actions failed to live up to it. Even after acknowledging the necessity of having the "design basis in hand," Selin's Commission waffled on the issue. Rather than "requiring that the design basis be available up to a certain standard," the Commission merely wrote an unenforceable policy statement.

1992 NRC POLICY STATEMENT

In order to address the design basis issues that were raised during the development of the license renewal rule, the NRC issued a policy statement entitled, "Availability and Adequacy of Design Bases Information at Nuclear Power Plants."

The policy statement stressed the importance of nuclear utilities maintaining current and accessible design basis documentation. It also recommended that all reactor licensees assess the accessibility and adequacy of their design bases information. Nuclear utilities were supposed to be able to show that there was sufficient documentation to conclude that the nuclear reactor, as constructed, is consistent with the design bases.

However, since the NRC only issued a policy statement rather than a regulation, its dictates failed to have the desired impact upon the nuclear industry.

NRC GENERIC LETTER ON DESIGN BASIS IS NEVER ISSUED

In March 1993, the NRC issued a draft generic letter for public comment. The letter requested that nuclear reactor licensees, on a voluntary basis, submit information and schedules for any design bases programs completed, planned, or being conducted, or a rationale for not implementing such a program. This generic letter would have at least given some additional regulatory weight to the NRC's unenforceable policy statement issued the previous year.

However, the nuclear industry lobby argued that the generic letter was "unnecessary and unwarranted." Seven months later, NRC acquiesced to industry pressure and decided not to issue a generic letter.

DESIGN ERRORS IN NUCLEAR POWER PLANTS 1985-1995

In 1997, a report from the NRC's Office for Analysis and Evaluation of Operational Data (AEOD) reviewed design errors that had been reported by nuclear reactors from 1985-1995. The AEOD identified three design basis event reports where the probability of an accident that damaged the reactor core was unacceptably high.

The AEOD reported two events where the probability of damaging the core was 1 in 1000 and one event with a core damage probability of 1 in 100. All three of these event reports are exponentially more dangerous than NRC standards allow. However, the AEOD failed to identify which nuclear reactors had reported those events.

The AEOD report found that the number of reported design errors "steadily decreased by 1995, presumably due in part to diminishing licensing resources allocated to this effort and the lessening number of undiscovered latent design errors." Furthermore, the AEOD concluded that "the number of design errors discovered at any given time was dependent on the extent of initiatives taken by the NRC and the industry."

These findings indicate that the more effort nuclear utilities put into discovering deficiencies in their design basis, the more they found. Unfortunately, the AEOD cannot do a similar analysis of the post-Millstone event reports. After the reports produced by AEOD were used to prove that NRC senior managers were not doing their jobs, NRC broke up the office, scattering its personnel throughout the agency.

MAINE YANKEE'S DESIGN PROBLEMS LEAD TO SHUTDOWN

In December 1995, in response to whistleblower allegations regarding the adequacy of safety analyses to support license amendments at Maine Yankee, the NRC staff audited the design basis analyses used to demonstrate the adequacy of the Maine Yankee emergency core cooling system. The staff concluded Maine Yankee's analysis was unreliable.

In December of the following year, based upon further investigations into design basis deficiencies, Maine Yankee identified cable separation problems that could have resulted in the inability of the reactor operators to manually shut down the reactor. The reactor was taken offline to address these issues. Once the reactor shut down, the NRC prohibited its restart until the cable separation problems had been addressed. The NRC noted that "the proper separation of cables is important in nuclear power plants to ensure that if one or more set of cables is damaged, the plant will be able to achieve a safe shutdown."

After the utility's attempts to sell the reactor, either whole or in parts, failed to find a buyer, Maine Yankee moved to decommission the nuclear reactor.

TIME COVER STORY BLOWS THE WHISTLE ON THE NRC

On March 4, 1996, George Galatis and the Millstone nuclear reactor graced the cover of Time magazine. In a special investigation, Time detailed how "two gutsy engineers in Connecticut have caught the Nuclear Regulatory Commission at a dangerous game it has played for years: routinely waiving safety rules to let plants keep costs down and stay on line."

Suddenly, the issue that the NRC had been sweeping under the proverbial rug for decades was receiving national attention. Within two weeks of the Time cover story the NRC issued Information Notice 96-17: Reactor Operation Inconsistent with the Updated Final Safety Analysis Report detailing the design basis problems at Millstone.

However, the NRC would have the public believe that it has been unaware of the design basis problem in the nuclear industry until the Millstone debacle. This is not true. The NRC has long been aware of deficiencies in the design basis of the nuclear reactors it purports to regulate. Once the design basis problems landed the Millstone reactor on the cover of Time magazine, NRC was forced to take action. Unfortunately, that action took the form of an amnesty program rather than holding nuclear reactor owners to the terms of their license.

IV. THE MILLSTONE DEBACLE & ITS FALLOUT

In 1992, a senior engineer named George Galatis raised the issue of the improper refueling of the Millstone Unit 1 nuclear reactor in Connecticut. When Millstone Unit 1 had to replace its radioactive fuel rods, it would take the entire core of the nuclear reactor and place it in the reactor's spent fuel pool. However, this practice of fully offloading the core of the reactor was not approved by Millstone's license and neither the utility nor the NRC had ever done an analysis to see if it was safe. Galatis notified his management at Northeast Utilities (NU) that the refueling practices at Millstone Unit 1 were outside the design basis assumptions in the Millstone final safety analysis report (FSAR) and a violation of the reactor's operating license.

After NU failed to take any action to address his safety concerns, Galatis filed a petition with the NRC claiming that Northeast Utilities had "knowingly, willingly and flagrantly operated Millstone Unit 1 in violation of its operating license for approximately 20 years." Galatis knew that absent compliance with the reactor's design basis, it was impossible for the NRC or Northeast Utilities to determine whether a reactor was operated "safely". What Galatis didn't know was that he had uncovered one of the nuclear industry's dirtiest secrets. Not only was the Millstone 1 nuclear reactor operating outside of its design basis, so was most, if not all, of the nuclear industry!

In May 1996, the NRC reported on the extent to which problems encountered at Millstone Unit 1 existed at other nuclear power plants. The NRC staff determined that fifteen nuclear reactors at nine sites needed to either modify their license or their plant practices to ensure that their refueling practices were in compliance with their design basis. Similar to Millstone Unit 1, a number of other reactors had previously performed full core offloads in violation of their design basis, as shown in Table VII.

TABLE VII

PAST OFFLOADS IN VIOLATION OF THE DESIGN BASIS

| REACTOR | OWNER | STATE |
|---|---|---|
| Cooper | Nebraska Public Power | NE |
| McGuire 1 & 2 | Duke Power Company | NC |
| Millstone 1 | Northeast Nuclear Energy Co. | CT |
| North Anna 1 & 2 | Virginia Electric & Power Co. | VA |
| Oconee 1, 2 & 3 | Duke Power Company | SC |
| South Texas 1 & 2 | Houston Lighting & Power | TX |
| Summer | South Carolina Electric & Gas Co. | SC |
| Turkey Point 3 & 4 | Florida Power & Light Co. | FL |
| Vogtle 1 | Southern Nuclear Operating Co. | GA |

In addition, the NRC found that eighteen reactors had failed to update their final safety analysis reports, as shown in Table VIII. The utilities that owned these reactors were therefore making safety decisions based upon incomplete and incorrect information about the design of the nuclear reactor.

TABLE VIII

REACTORS THAT FAILED TO UPDATE THEIR FSAR

| REACTOR | OWNER | STATE |
|---|---|---|
| Browns Ferry 1, 2 & 3 | Tennessee Valley Authority | AL |
| Crystal River | Florida Power Corp. | FL |
| Fermi 2 | Detroit Edison Co. | MI |
| Kewaunee | Wisconsin Public Service | WI |
| LaSalle 1 & 2 | Commonwealth Edison Co. | IL |
| Millstone 1, 2 & 3 | Northeast Nuclear Energy Co. | CT |
| Salem 1 & 2 | Public Service Electric & Gas | NJ |
| Sequoyah 1 & 2 | Tennessee Valley Authority | TN |
| Vermont Yankee | VT Yankee Nuclear Power Corp. | VT |
| Zion 1 & 2 | Commonwealth Edison Co. | IL |

NRC SENDS LETTERS TO EVERY NUCLEAR CEO

In October 1996, the NRC sent letters to every utility requiring that they provide information to the NRC concerning the adequacy and availability of design bases information. The Commission not only required that the utility chief executive officers provide this information, but that they swear to it. Under oath or affirmation, the utility CEOs were to provide:

Information documenting current practices for concluding that the plant is consistent with its design and processes for identification of problems and implementation of corrective actions.

The CEOs were to inform the NRC as to whether they had undertaken any programs to review the accuracy and completeness of their reactors' design basis. If so, they had to describe how these programs would ensure that their reactors had accurate information, were using it and that this information was being kept up-to-date. If the CEOs had not instituted a design basis program, they had to provide the NRC with some rationale.

The NRC's demand for information was almost unprecedented, raising the hopes of whistleblowers and other safety advocates that the NRC was finally going to take action to rectify design basis problems that had festered for decades. However, rather than holding nuclear utilities accountable for failing to adequately maintain their design basis, the NRC decided to exercise its discretion not to enforce its own regulations.

AMNESTY IRRATIONAL

Even before NRC had documented the full extent of the design basis problems at nuclear reactors throughout the country, the Commission decided that the nuclear industry would not be held accountable. On October 18, 1996, NRC revised its enforcement policy to establish an amnesty program for those nuclear reactors that were not in compliance with their design and as a result had operated their reactors in violation of NRC safety regulations.

This amnesty program states that the NRC may refrain from imposing a fine upon the utility so long as the violation is documented, the utility has described what action it will take to correct the situation and that it meets all of the following criteria:

  • The violation was identified by the licensee as a result of its voluntary initiative;
  • It was or will be corrected within a reasonable time following identification; and
  • The violation was not likely to be identified by routine licensee efforts such as normal surveillance or quality assurance (QA) activities.

Additionally, the NRC may choose not to issue a violation if the staff believes that the issue is not linked to the present performance of the nuclear reactor. For instance, NRC will not take enforcement action for violations that are over 3 years old or violations that occurred during plant construction unless the nuclear utility should have identified the violation earlier.

The NRC's amnesty program applies not only to violations of a reactor's design basis but also to the underlying root cause: the licensee's failure to adequately maintain and update its final safety analysis report. NRC's amnesty program runs until March 30, 2000 for items having high safety-significance and until March 30, 2001 for other equipment.

The NRC has severely circumscribed its ability to take enforcement action against nuclear reactor licensees that have design basis violations. However, the extent to which even the NRC will ignore violations of its own regulations has a limit and its amnesty program does not mean total immunity. The NRC has indicated that it will not employ this amnesty program and may issue violations and fines if:

  • The NRC identifies the violation, unless it was likely in the staff's view that the licensee would have identified the violation in light of the defined scope, thoroughness, and schedule of the licensee's initiative;
  • The licensee identifies the violation as a result of an event or surveillance or other required testing where required corrective action identifies the FSAR issue;
  • The licensee identifies the violation but had prior opportunities to do so and failed to correct it earlier;
  • There is willfulness associated with the violation;
  • The licensee fails to make a report required by the identification of the departure from the FSAR; or
  • The licensee either fails to take comprehensive corrective action or fails to appropriately expand the corrective action program.

The NRC claims that, "this exercise of discretion is to place a premium on licensees initiating efforts to identify and correct subtle violations that are not likely to be identified by routine efforts before degraded safety systems are called upon to work." However, the NRC has no reason to expect that the current voluntary nuclear industry effort will be any more successful at addressing significant design basis issues than any of the other myriad programs, notices, and ineffectual policies NRC has already employed.

Additionally, the NRC cannot reasonably expect nuclear reactor licensees to self-identify design basis issues that would threaten the continued operation of the nuclear reactor. The design basis issues that resulted in the permanent shutdowns at Haddam Neck, Maine Yankee and Millstone Unit 1 were not identified by the nuclear reactor owner but by an accident and whistleblowers who were paid for their honesty by being driven from the nuclear industry.

The NRC's amnesty program might make more sense if the regulator could make the case that it was unaware of the design basis problems. It cannot. Both the NRC and the nuclear industry have been aware of the fact that design basis problems have undermined safety at nuclear reactors for years, if not for decades.

Despite the breadth of NRC's amnesty program, the NRC has taken escalated enforcement action (a violation and fine) against a few nuclear power plants including:

Cook, Palo Verde, Perry, River Bend, Robinson, Three Mile Island and Vermont Yankee.

WAS HADDAM NECK EVER SAFE?

After being forced to acknowledge the problems at Millstone 1, the NRC expanded its investigations to see whether similar problems existed at other reactors operated by Northeast Utilities. The subsequent investigations found that Haddam Neck's emergency core cooling system (ECCS) would have been unable to perform its function of cooling the reactor core in the event of an accident. In other words, if Haddam Neck had experienced a loss of coolant accident, the reactor's safety systems would not have been up to the task and the nuclear reactor would likely have had a meltdown. What is equally disturbing is the fact that this problem existed since the plant was licensed. For 28 years, Northeast Utilities operated a nuclear reactor with an ECCS that would not have cooled the reactor core in the event of an accident. Subsequent NRC inspections revealed that:

Inspectors also found that safety margins were reduced, and in some cases technical specifications were violated as a result of poor engineering. For example, too small pipes leading from the containment sump system to the residual heat removal pump left insufficient suction to support pump operation without relying on containment building backpressure. This violation is significant because it could have caused a failure of the system needed to keep the reactor core cool in the event of an accident.

On July 22, 1996, operators had to shut down the reactor due to questions regarding the operability of safety systems. On December 4, 1996, NU announced its decision to permanently shut down Haddam Neck. The NRC finally got around to writing a violation against NU for the ECCS problems at Haddam Neck six months after the reactor had permanently shut down. On May 12, 1997, the Nuclear Regulatory Commission staff proposed a $650,000 fine against Northeast Utilities for more than 70 alleged violations at Haddam Neck. Yet even after the reactor had permanently shut down, NRC attempted to downplay the severity of the issues revealed at Haddam Neck and continued to play the role of nuclear industry apologist. NRC's press release announcing the proposed fine of NU stated that:

While none of these matters immediately threatened public safety, NRC Region I Administrator Hubert J. Miller wrote in a letter to Northeast Utilities that the violations and underlying causes demonstrated "significant departures from the defense-in-depth principles upon which nuclear power plants are designed, built and operated, and upon which the NRC relies to ensure nuclear power plant operation does not jeopardize public health and safety."

The only reason the NRC can claim that the problems at Haddam Neck did not "immediately threaten public safety" was because the reactor had not operated in over nine months.

MILLSTONE & MAINE YANKEE LESSONS LEARNED

As a result of problems that came to light at the Millstone and Maine Yankee nuclear power plants in 1996, NRC became concerned that other nuclear reactors may have had design basis issues that compromised safety. The agency formed three NRC-led teams of contract engineers to perform design basis inspections of risk-significant safety systems. These inspections were supposed to determine three things:

  • Would the selected safety systems have performed their function?
  • Had the licensees adhered to their design and licensing bases? and
  • Did the "as-built" safety system operate as described in the final safety analysis report?

As of May 1998, 16 inspections have been completed at the following nuclear plants:

  • Arkansas Nuclear 1
  • Cook 1 & 2
  • Cooper
  • Davis-Besse
  • Diablo Canyon
  • Farley 1 & 2
  • Ginna
  • Indian Point 2
  • Palisades
  • Perry 1
  • Robinson 2
  • St. Lucie 1 & 2
  • Three Mile Island
  • Vermont Yankee
  • Washington Nuclear 2
  • Wolf Creek

These inspections revealed that like Millstone, other nuclear plants had:

  1. failed to appropriately maintain or adhere to plant design bases,
  2. failed to appropriately maintain or adhere to the plant licensing basis,
  3. failed to comply with the terms and conditions of licenses and NRC regulations, and
  4. failed to assure that Updated Final Safety Analysis Reports (UFSAR) reflect the actual condition of facilities.

Although these inspections turned up significant problems, the efficacy of the NRC's inspections must be questioned. The NRC did not inspect the "as found" conditions of the nuclear reactors. The NRC warned the utilities which systems would be inspected, and the utilities worked the systems prior to NRC inspection. The NRC acknowledged that:

We tell the plant which system we're looking at. And what happened is -- give you an example -- at St. Lucie we have two contractors: Stone & Webster, Sargent Lundy. We were going in with Sargent Lundy. They went and hired Stone & Webster at St. Lucie to look at the systems we had picked to look at before we got there. And we're seeing extensive efforts on the part of the Utilities looking at the systems before we show up, because they want credit to have it self-identified and self-fixed.

In light of the fact that the NRC told the utilities which reactor systems it would inspect and that the utilities preconditioned these systems prior to the NRC's inspection, it's a wonder that the NRC found anything at all. Despite the NRC's attempts to limit its findings and to put these design basis inspections in a positive light, the NRC was forced to admit that:

the industry's voluntary efforts to improve and maintain design bases information for their plants . . . have not been effective in all cases. The extent of the licensees' failures is of concern because of the potential impact on public health and safety if safety-related systems do not perform properly.

To her credit, Chairman Jackson asked the pertinent follow-up question during the NRC briefing on the Millstone and Maine Yankee Lessons Learned:

Let me ask you this kind of a bomb question. You know, given that, in a certain sense, we got to where we are because we thought there were voluntary things that were being done by the industry relative to design basis, one could argue this is a deja vu kind of a set of statements. What comfort do we take that this would be any different from what got us to where we are in the first place, you know, always keeping the focus on what is most risk-significant? But if you don't have the basis here in the first place, you can't parse it to talk about what has a risk or safety feature.

The Chairman's question is instructive. Why should we believe that the current voluntary nuclear industry initiative to improve the design basis of nuclear reactors will be any more successful than the previous voluntary nuclear industry attempts to address this problem? Time after time, the NRC has been forced to acknowledge that nuclear reactors have operated "outside design basis" and that safety margins were compromised if not eliminated. Yet the Commission has continually acquiesced to industry pressure and for decades has failed to adequately address the design basis problem at nuclear reactors throughout the United States.

NRC FINALLY ADDRESSES GALATIS' 1995 PETITION

On July 27, 1999, the NRC finally completed its review of George Galatis' petition to hold Millstone Unit 1 to the terms of its operating license. Four years after the petition was filed, three years after every nuclear reactor in the state of Connecticut was shut down, two years after Galatis was harassed and intimidated into leaving the nuclear industry, and one year after Millstone Unit 1 permanently ceased splitting atoms, the NRC finally answered the petition that brought the entire Millstone debacle into the light of day.

While the NRC addressed the issue of full core offloads in December of 1996, "the NRC indicated that it was still considering the petitioners' assertions that Unit 1 was operated in violation of its license and that (Northeast Utilities) had given material false statements to the NRC in a license amendment submittal."

When the NRC finally completed its investigation of the Galatis petition, the agency issued a violation and concluded that Millstone had:

knowingly, willingly, and flagrantly operated Millstone Unit 1 in violation of its license, and that (Northeast Utilities) had provided the NRC with a material false statement. The NRC staff determined that a fine was not necessary because (Northeast Utilities) had previously addressed the basic cause of this issue in response to the NRC's enforcement action in December 1997 when (Northeast Utilities) was assessed a $2.1 million fine. With the May 25, 1999, violation, the NRC staff concluded that, in effect, the petitioners' request for enforcement action was granted.

After the permanent shutdowns of Haddam Neck, Maine Yankee and Millstone Unit 1, the NRC finally got around to acknowledging what everyone in the nuclear industry and the concerned public already knew: that Northeast Utilities had knowingly, willingly, and flagrantly operated Millstone Unit 1 in violation of its license.

V. CONCLUSION

The U.S. Nuclear Regulatory Commission has long been aware of the fact that nuclear utilities have failed to maintain the design basis documentation in their final safety analysis reports and as a consequence have operated their reactors in violation of the terms of their licenses. Absent compliance with the design bases, neither the NRC nor the utility can determine whether operation of the reactor poses an undue risk to the public health and safety. However, due to the potential financial impact on the nuclear industry, the NRC has obfuscated and delayed taking action for decades.

Even before NRC had documented the extent of the design basis problems in the nuclear industry, the regulator decided that the nuclear reactor licensees would not be held accountable for violating NRC regulations. The NRC has re-written its enforcement policy to create an amnesty program that will last until March 30, 2001.

The NRC's amnesty program has severely circumscribed its ability to take enforcement action against nuclear utilities that have design basis violations. This amnesty means that the NRC will only hold utilities accountable for the most egregious violations of NRC regulations.

Design basis issues have already contributed to the closure of three nuclear reactors: Haddam Neck, Maine Yankee and Millstone Unit 1. However, in each case, the NRC was forced to regulate only due to the actions of whistleblowers and citizens' petitions.

The design basis issues that resulted in the shutdown of Haddam Neck and Maine Yankee were not identified by the utility. These problems only came to light when driven by events or NRC inspections. The NRC cannot reasonably expect the utility to identify design basis problems that would jeopardize future operation of the reactor.

The NRC design inspections turned up significant safety problems; however, the efficacy of these inspections must be questioned. The NRC did not inspect the "as found" conditions of the nuclear reactors. The NRC warned the utilities which systems would be inspected, and the utilities worked the systems prior to NRC inspection.

Design basis problems have reduced safety margins at nuclear reactors across the United States; in some cases safety margins have been significantly reduced if not eliminated. However, every time the NRC has moved to address the problem, the nuclear industry lobby has intervened to block any meaningful attempt to address inadequacies in the design basis of nuclear reactors.

The NRC's amnesty program is an irrational move by an ineffective regulator and will not address the significant design basis issues that still exist at nuclear reactors across the United States.

________________

U.S. Nuclear Regulatory Commission, Proceedings of the NRC Regulatory Information Conference, April 14-15, 1998, pp. 187-188.

U.S. Nuclear Regulatory Commission, Emergency Core Cooling Systems, http://www.nrc.gov/NRC/EDUCATE/REACTOR/04-PWR/part12.html .

U.S. Nuclear Regulatory Commission, Office of Nuclear Reactor Regulation, Report No. 50-315, 316/97-201, November 26, 1997, p. i.

Daniel F. Ford, Henry W. Kendall & Lawrence S. Tye, Browns Ferry: The Regulatory Failure, Union of Concerned Scientists, June 10, 1976, p. 1.

U.S. Nuclear Regulatory Commission, Maine Yankee Restart Readiness Plan, Public Meeting Transcript, April 3, 1997. See also: "Maine Yankee Response to NRC Staff Position on Fire Protection," March 14, 1978.

U.S. Nuclear Regulatory Commission, 1996 NRC Annual Report, NUREG-1145, Vol. 13, September 1997, p. 27.

U.S. Nuclear Regulatory Commission, Office of Inspection and Enforcement, Information Notice No. 85-27: Notifications To The NRC Operations Center And Reporting Events In Licensee Event Reports, April 3, 1985, p. 2.

U.S. General Accounting Office, Preventing Problem Plants Requires More Effective NRC Action, GAO/RCED-97-145, May 1997, pp. 2-4.

Id. at p. 4.

U.S. General Accounting Office, Testimony of Ms. Gary L. Jones, Associate Director, Before the Subcommittee on Clean Air, Wetlands, Private Property and Nuclear Safety, Committee on Environment and Public Works, U.S. Senate, Preventing Problem Plants Requires More Effective NRC Action, GAO/T-RCED-97-145, July 1998, p. 3.

Theos J. Thompson, "Accidents and Destructive Tests," The Technology of Nuclear Safety, MIT Press, Cambridge, MA, 1964, p. 698.

U.S. Nuclear Regulatory Commission, Information Digest, NUREG-1350, Vol. 10, 1998, pp. 85-99.

U.S. Code of Federal Regulations, 10 CFR 50.2, Definitions.

U.S. Code of Federal Regulations, 10 CFR 50.34, Contents of applications; technical information.

U.S. Nuclear Regulatory Commission, Technical Issue Paper, TIP: Final Safety Analysis Report, www.nrc.gov

U.S. Code of Federal Regulations, 10 CFR 50.71(e), Maintenance of records, making of reports.

Union of Concerned Scientists, Safety Second: A Critical Evaluation of NRC's First Decade, February 1985, pp. 142-143.

Memorandum For: Chairman Ahearne, Commissioner Gilinsky, Commissioner Hendrie, Commissioner Bradford, From: Harold R. Denton, Office of Nuclear Reactor Regulation, Subject: Compliance of NRC Licensees with NRC Regulations, Regulatory Guides, Branch Technical Positions, and Licensee Commitments, July 23, 1980, p. 5.

U.S. Nuclear Regulatory Commission, Issue 156: Systematic Evaluation Program, www.nrc.gov/NRC/NUREGS/SR0933/SEC3/156r4.html

Union of Concerned Scientists, Safety Second: A Critical Evaluation of NRC's First Decade, February 1985, p. 143.

U.S. Nuclear Regulatory Commission, Information Notice No. 84-54: Deficiencies In Design Base Documentation And Calculations Supporting Nuclear Power Plant Design, July 5, 1984, pp. 1-2.

Id. at p. 1.

U.S. Nuclear Regulatory Commission, Briefing On Status Of Design Basis Reconstitution, November 18, 1991, p. 2.

Id. at p. 8.

Id. at p. 9.

U.S. Nuclear Regulatory Commission, "Regulatory Options for Nuclear Power Plant License Renewal, Draft for Comment," NUREG-1317, August 1988.

U.S. Nuclear Regulatory Commission, Briefing on the Status of Design Basis Reconstitution, November 18, 1991, p. 1.

Id. at p. 1.

U.S. Nuclear Regulatory Commission, Adequacy and Availability of Design Basis Information at Nuclear Power Plants; Policy Statement, August 10, 1992, 57 FR 35455-35456.

U.S. Nuclear Regulatory Commission, Technical Issue Paper, TIP 41: Final Safety Analysis Report, www.nrc.gov. NOTE: This TIP is no longer available on NRC's web site.

U.S. Nuclear Regulatory Commission, Office for Analysis and Evaluation of Operational Data, Design Errors in Nuclear Power Plants, January 1997, p. 16.

Id. at p. 5.

Id. at p. 5.

U.S. Nuclear Regulatory Commission, 1996 NRC Annual Report, NUREG-1145, Vol. 13, p. 27.

U.S. Nuclear Regulatory Commission, Office of Public Affairs -- Region I, NRC, Maine Yankee Officials To Discuss Cable Separation Issues, I-97-86, July 16, 1997.

Eric Pooley, Blowing the Whistle on Nuclear Safety: How a showdown at a power plant exposed the federal government's failure to enforce its own regulations, Time, March 4, 1996, p. 47.

U.S. Nuclear Regulatory Commission, Information Notice 96-17 Reactor Operation Inconsistent with the Updated Final Safety Analysis Report, March 18, 1996.

U.S. Nuclear Regulatory Commission, Office of the Inspector General, NRC Handling of Issues Related to Refueling Practices at Millstone Unit 1, Case No. 96-05S, July 23, 1996, p. 7.

Id. at p. 7.

U.S. Nuclear Regulatory Commission, Report on Survey of Refueling Practices, Memorandum to: Chairman Jackson, Commissioners Rogers & Dicus, From: James M. Taylor, Executive Director for Operations, May 21, 1996, p. 1.

U.S. Nuclear Regulatory Commission, Report on Survey of Refueling Practices, Memorandum to: Chairman Jackson, Commissioners Rogers & Dicus, From: James M. Taylor, Executive Director for Operations, May 21, 1996, p. 1.

U.S. Nuclear Regulatory Commission, Office of Public Affairs, NRC Requests Information From All Licensees On Maintaining Plant Design, No. 96-137, October 9, 1996.

Id. at p. 1.

U.S. Nuclear Regulatory Commission, Policy and Procedure for Enforcement Actions; Departures From FSAR, 61 FR 54461-54466, October 18, 1996.

U.S. Nuclear Regulatory Commission, Technical Issue Paper, TIP 41: Final Safety Analysis Report, www.nrc.gov.

U.S. Nuclear Regulatory Commission, Policy and Procedure for Enforcement Actions; Departures From FSAR, 61 FR 54461-54466, October 18, 1996.

Id. at pp. 54461-54466.

U.S. General Accounting Office, Testimony of Ms. Gary L. Jones, Associate Director, Before the Subcommittee on Clean Air, Wetlands, Private Property and Nuclear Safety, Committee on Environment and Public Works, U.S. Senate, Strategy Needed to Develop a Risk Informed Safety Approach, GAO/T-RCED-99-71, February 4, 1999, p. 4. See also U.S. Nuclear Regulatory Commission, Escalated Enforcement Actions Issued Since March 1996 for Reactor Licensees, http://www.nrc.gov/OE/rpr/rx.html .

U.S. Nuclear Regulatory Commission, Office of Public Affairs - Region I, NRC Proposes $650,000 Civil Penalty for Northeast Utilities for Alleged Violations at Haddam Neck Nuclear Power Plant, I-97-52, May 12, 1997, p. 2.

U.S. Nuclear Regulatory Commission, Office of Public Affairs -- Region I, NRC Proposes $650,000 Civil Penalty for Northeast Utilities for Alleged Violations at Haddam Neck Nuclear Power Plant, I-97-52, May 12, 1997, p. 1.

U.S. Nuclear Regulatory Commission, NRC Information Notice 98-22: Deficiencies Identified During NRC Design Inspections, June 17, 1998, p. 4.

Id. at p. 4.

U.S. Nuclear Regulatory Commission, Technical Issue Paper, TIP: 41 -- Adequacy of Reactor Design Bases Information, www.nrc.gov. NOTE: This TIP is no longer available on NRC's web site.

U.S. Nuclear Regulatory Commission, 441st Meeting Advisory Committee on Reactor Safeguards ACRS, May 1, 1997.

U.S. Nuclear Regulatory Commission, Technical Issue Paper, TIP: 41 -- Adequacy of Reactor Design Bases Information, www.nrc.gov. NOTE: This TIP is no longer available on NRC's web site.

U.S. Nuclear Regulatory Commission, Briefing On Millstone and Maine Yankee Lessons Learned, February 19, 1997, p. 34.

U.S. Nuclear Regulatory Commission, Office of Public Affairs, NRC Completes Review Of Millstone Public Petition, No. 99-159, July 27, 1999, pp. 1-2.

Id. at p. 2.