Statement of David Lochbaum, Union of Concerned Scientists

Good morning. I appreciate this opportunity to testify before the Subcommittee regarding this important topic. The industry representatives on this panel are justifiably proud of nuclear power's record over the past decade. Indeed, they paint a very rosy picture and argue that the industry's healthy performance warrants redirected NRC oversight effort. My objective is to caution you to watch out for the thorns as you enjoy the roses.

The industry sometimes touts its record in ways which imply that it was achieved in spite of the NRC. That's not accurate. The industry's performance over the past ten years benefited from NRC initiatives, such as the Maintenance Rule and its need for plant-specific risk assessments, and also from the NRC's support for industry initiatives, such as cost-beneficial licensing actions.

The industry cites data such as higher plant capacity factors, fewer plant trips, and fewer safety system actuations as evidence of healthy performance. This information is valid, but it does not provide the complete picture. At this moment, nine US nuclear plants languish in protracted shut downs. These plants are not shut down because the NRC issued them too many uncited and Level IV violations or because the NRC is dragging its feet on risk-informed regulation. No, these plants are shut down because their owners failed to properly discharge their record-keeping of the how, what, when, and why information for emergency equipment, also known as design control and configuration management.

In the mid and late 1980s, NRC inspections at several plants revealed that their owners had made physical changes to emergency equipment to solve one problem, only to cause other problems. These errors occurred because these owners had not fully understood or had lost track of the design bases for the emergency equipment. The NRC proposed a new rule that would have required all plant owners to fully document the design bases for emergency equipment and to re-create any information that was missing. The industry opposed this rule and convinced the NRC that they could handle the problem internally. So, the NRC dropped its plans for the rule.

The industry was wrong. Millstone and its fall-out have clearly demonstrated that some nuclear plants operated with vital safety systems that would not or may not have functioned had there been an accident. For example, owners of the Big Rock Point plant in Michigan reported two weeks ago that one of its safety systems would not have functioned during the 13 years before the plant closed last August. An NRC team discovered in 1996 that the piping for safety systems at the Haddam Neck plant in Connecticut was too small to assure adequate cooling of the reactor core during that plant's entire 28-year operating lifetime. The nine plants shut down today are fixing design control problems like these.

We should not be operating nuclear power plants unless we know with reasonable certainty that their systems needed to protect the public during an accident will work. There have been an alarming number of reports in recent years which clearly show that several plants have operated without fully functional safety systems. In cases like Maine Yankee, Donald C. Cook, Beaver Valley, Millstone, and Big Rock Point, the public was protected by luck as much as by defense-in-depth.

The industry wants to push the NRC more rapidly towards risk-informed regulation. The development of plant-specific risk assessments this past decade has provided valuable insights which prompted many plant owners to voluntarily make physical changes to their facilities that increased safety margins. Unfortunately, these risk assessments assume that the plants have no design control and configuration management problems. For some plants, this is not a valid assumption. Thus, their risk assessments are inaccurate and non-conservative. Design control and configuration management problems must be corrected at all nuclear plants before risk-informed regulation can advance.

The industry cites examples of NRC over-regulation, but there are examples of under-regulation as well. Both sets of these examples are probably valid because the NRC regulates subjectively and inconsistently. In a report entitled The Good, The Bad, and The Ugly which we issued last month, we documented a wide gap in safety performance in our ten-plant "focus group." This discernible difference is due to the NRC's subjectivity. Instead, the NRC must develop objective standards which it consistently enforces, especially when it comes to decisions about whether problem plants should be shut down or restarted. It is a daunting challenge, but it can be done.

Commissioner McGaffigan pointed out during a recent stakeholders' meeting that the NRC does a good job on matters in its spotlight. We would agree with that contention, although we feel that the NRC needs a larger floodlight. This little penlight job just isn't going to allow the NRC to handle the important items on its plate in a timely manner. The NRC could do a better job if it developed, and used, good procedures. Procedures are like the conveyor belt in a factory: they move products from station to station until the work is completed. Good procedures are like a strong, wide conveyor belt because they handle most of the work items. Bad procedures are like a thin, unreliable conveyor belt because too many items must be hand-carried through the process. The NRC really needs to have and follow better procedures.

I must comment briefly on the industry complaint about the service it gets from the NRC. In recent years, a top NRC priority has been its review and certification of advanced reactor designs. To our knowledge, a line of potential buyers for advanced reactors is not forming anywhere in the country. However, there seems to be a market for these things overseas. We do not oppose efforts to improve US trade. It is simply incomprehensible to us that nuclear safety issues such as fire barriers that are combustible linger while the certification of advanced reactor designs gets fast-tracked through the NRC. The industry is getting very good service from the NRC, compared to that afforded public health and safety.

In closing, I want to again thank the Subcommittee for providing us this opportunity to share our views with you. I would also like to respectfully suggest that in addition to having the NRC Commissioners point to where they are headed, that you formally ask them to provide you with their roadmap showing how they intend to reach that destination. Reviewing their action plan for achieving their promised improvements might make it easier for you to monitor their progress along the way. Thank you very much.

Index for Documents Submitted to Supplement Oral Testimony

Millstone Unit 3

UCS Letter to NRC Regional Administrator, January 6, 1998

Key Point: Millstone Units 1, 2 & 3, Salem Units 1 & 2, and Maine Yankee began 1997 shut down while safety problems are repaired. Does the NRC consider the safety margins at these plants to be adequate? If yes, why must they be shut down for so long? If not, why were they operating for so long with these problems?

Donald C. Cook Units 1&2

UCS Petition, October 9, 1997 (without its attachments)

Key Point: An NRC inspection team looked at two (2) safety systems and found problems which prompted an immediate shut down of both units. UCS examined the record and discovered that the plant's owners had recently reviewed both of these systems and found no serious problems. Since the owner's review process was clearly flawed, what assurance is there that the other 60-plus safety systems do not have problems like those identified by NRC?

UCS Petition Supplement, January 12, 1998

Key Point: The restart of D C Cook (then pending) is premature because several safety questions have not been answered.

NRC Oversight

UCS Letter to Senate Appropriations Committee, June 24, 1998 (without its attachments)

Key Point: NRC may be guilty of over-regulation at times, but it is also guilty of under-regulation. The reason is the same: the NRC lacks objective criteria when it evaluates licensee performance.

UCS Handout at NRC Commissioners Meeting with Stakeholders, July 17, 1998

Key Point: NRC requires its licensees to meet high management standards, yet it frequently fails to meet these same standards. If the NRC met these same standards, many of its problems would disappear.

UCS Letter to NRC Commissioners, July 20, 1998

Key Point: The industry's push for risk-informed regulation must be countered by the ample evidence that many nuclear plants have operated well outside the bounds of their recent risk assessments. Thus, NRC cannot rely on risk assessments which are mathematically correct but which do not reflect reality.


January 6, 1997

Mr. Hubert J. Miller

Regional Administrator, Region I

United States Nuclear Regulatory Commission

475 Allendale Road

King of Prussia, PA 19406-1415

SUBJECT: REACTOR SAFETY QUESTIONS

Dear Mr. Miller:

Region I entered 1997 with seven nuclear units shut down due to reactor safety concerns: the three Millstone units, the two Salem units, and Maine Yankee. R. G. Brown & Associates, Inc., a financial consulting firm hired by the State of Connecticut's Department of Utility Control, recently concluded that Northeast Utilities "lost focus on the safe operation" of Millstone and placed "primary importance on financial issues." In 1988, the Nuclear Business Unit at Public Service Electric & Gas revised its mission statement for the Salem and Hope Creek plants from "World Class by 1995" to one placing greater emphasis on economic performance. Consequently, the Salem and Hope Creek plants experienced significant regulatory and performance difficulties by 1995. More recently, the NRC found that Maine Yankee's problems were caused by that utility's economic pressures. Clearly, economics played a significant role in the poor safety performance at these troubled nuclear plants.

In order to better understand the NRC's criteria for assessing reactor safety, please address the following question:

(1) Does the NRC consider the three Millstone units, the two Salem units, and Maine Yankee safe enough to allow these plants to restart today?

Depending on the answer to the question above, please address the applicable following question:

(2) If these plants are not safe enough to operate today, does the NRC think that these plants were operating safely in the days and weeks prior to their being shut down?

If the safety margins at these plants are not sufficient to allow them to restart, it seems evident that these plants operated with inadequate safety margins prior to being closed. This determination would raise serious doubts about the NRC's ability to protect public health and safety following restart of these troubled plants as well as during operation of other seemingly untroubled plants.

(3) If these plants are safe enough to operate today, does the NRC have the right to conduct additional inspections and impose additional requirements for these troubled plants that prolong the duration, and significantly increase the costs, of their outages?

If these plants had adequate safety margins prior to being closed and those safety margins have not been eroded while the plants have been idled, it seems evident that the NRC may be unduly harming the communities around these plants (as well as the ratepayers and stockholders of these utilities) by taking actions that prolong the outages and further weaken the economic viability of these plants. If these plants are safe enough to operate today, it seems obvious that their generating revenues would only enhance the ability of these utilities to maintain the necessary safety margins.

I respectfully request your response to these questions prior to the restart of any unit at Millstone, Salem, and Maine Yankee.

Sincerely,

David A. Lochbaum

Nuclear Safety Engineer

cc: Chairman Shirley Ann Jackson

United States Nuclear Regulatory Commission

Washington, DC 20555

Mr. George Mulley

Assistant Inspector General

United States Nuclear Regulatory Commission

Washington, DC 20555

Mr. Philip A. Olson, Rm. 2440

United States General Accounting Office

Washington, DC 20548


October 9, 1997

Mr. L. Joseph Callan

Executive Director for Operations

United States Nuclear Regulatory Commission

Washington, DC 20555-0001

SUBJECT: PETITION PURSUANT TO 10 CFR 2.206, DONALD C. COOK NUCLEAR PLANTS UNITS 1 AND 2, DOCKET NOS. 50-315 AND 50-316

Dear Mr. Callan:

The Union of Concerned Scientists submits this petition pursuant to 10 CFR 2.206 requesting that the operating licenses for Donald C. Cook Units 1 and 2 be modified, revoked, or suspended until there is reasonable assurance that their systems are in conformance with design and licensing bases requirements. A process comparable to the system certifications recently used by the Salem and Millstone licensees would provide this necessary level of assurance. UCS additionally requests that a public hearing into this matter be held in the Washington, DC area prior to the first unit at D C Cook being authorized to restart. At this hearing, we will present information supporting the contentions in this petition.

Background

On October 9, 1996, the NRC requested that its power reactor licensees provide information pursuant to 10 CFR 50.54(f) regarding the adequacy and availability of design bases information. The NRC issued this request as a result of its investigations at the Millstone Power Station. The licensee for the D C Cook plant responded with a letter dated February 6, 1997, describing the administrative controls it uses to provide assurance that the Cook Nuclear Plant is operated and maintained within the established design bases.

An NRC team recently conducted an architect/engineer design inspection at D C Cook. According to the NRC's Project Manager for D C Cook, this NRC team examined two safety systems and their supporting systems. The team's findings forced the licensee to shut down both units on September 10, 1997.

The NRC issued a confirmatory action letter to the licensee dated September 19, 1997, specifying issues arising from the design inspection that must be resolved prior to restarting the units. These issues (listed in Attachment 1) include physical modifications to the plants and revisions to the plants' operating licenses. Numerous NRC Daily Event Reports (listed in Attachment 2) described the findings from design inspection as reported by the licensee. The NRC has not yet released the design inspection report and we have been told that it will not be issued until next week at the earliest.

Basis for Requested Action

The NRC conducted architect/engineer design inspections at only six of its nearly 70 operating power reactor licensee sites. These design inspections examined only one or two safety systems along with their supporting systems at each site. The NRC Project Manager reported that the design inspection at D C Cook examined the residual heat removal and component cooling water systems along with their supporting systems. These design inspections focused on the facilities' original design and the licensees' conformance with the safety analysis reports.

The systems examined by the NRC at D C Cook had already been covered by the licensee's design basis documentation reconstitution program. Design basis documents (DBDs) for the containment, containment structure, containment spray, emergency core cooling, component cooling water, and residual heat removal systems had been approved by the licensee prior to the NRC team's arrival. The licensee informed the NRC that its DBD program had not identified any deficiencies involving equipment operability.

The findings by the NRC design inspection team prompted the licensee to declare both trains of the emergency core cooling systems and the containment spray system inoperable. The units were shut down on September 8 and 9, 1997. The licensee reported making physical changes to the plant to correct some of the problems and indicated that additional physical changes may be required.

The licensee has proposed fixing the specific operability issues identified during the NRC design inspection and then restarting the units. Confining the scope of the restart activities in this way would be treating the symptoms rather than the cause of the problems. The NRC design inspection revealed serious deficiencies in the licensee's design control programs. These deficiencies created the specific problems that forced the plants to be shut down. These deficiencies may also be responsible for similar problems in other safety systems which were not examined by the NRC.

It is important to note that the NRC identified significant operability problems in systems that the licensee had covered in recently approved DBDs. The licensee stated in its February 6, 1997, submittal that it verifies and validates the information in its DBDs via reviews and physical plant walkdowns prior to their approval. Thus, the NRC discovered significant problems in systems which had been closely scrutinized by the licensee. Had the NRC's findings involved systems which have not yet been covered under the licensees' DBD program, it might be reasonable to assume that the licensee would have identified them at that later date. However, there is little reason to believe that these problems would have been resolved unless the NRC had identified them.

Attachment 2 lists NRC Daily Event Reports (DERs) involving issues identified by the NRC design inspection at D C Cook. DER Nos. 32740, 32806, 32822, 32839, 32843, 32875, 32890, 32904, 32914, 32915, 32921, 32948, and 32988 describe potential deficiencies that appear to have existed at D C Cook prior to the initiation of its design basis documentation reconstitution effort in 1992. That effort was therefore apparently unable to detect these potential deficiencies. DER Nos. 32823, 32824, 32903, 32939, and 32948 describe potential deficiencies that appear to have been introduced since 1992. Thus, the licensee's design control and quality assurance programs are apparently unable to ensure that the facility is maintained within its design bases.

UCS feels that the design basis documentation reconstitution and Updated Final Safety Analysis Report (UFSAR) validation programs as described in the licensee's response to the NRC's 50.54(f) letter lack the rigor and focus necessary to identify potential design-related operability issues. Our conviction is supported by the findings from the NRC design inspection. Since the corrections to the NRC's findings were not limited to mere paperwork fixes but included actual changes to the plant's physical configuration, the safety significance of these and potentially other undetected problems cannot be understated.

The flaws in the licensee's design control programs must be corrected. The systems at D C Cook, at least those with a safety function, must be certified to be capable of performing their required actions under all design conditions. Then, and only then, can the units be restarted with reasonable assurance that public safety will be adequately protected. It would be irresponsible to restart these units knowing that the programmatic failures that caused the safety problems identified by the NRC team may have produced comparable problems affecting the operability of other safety systems.

The legal precedent for our position is stated by the NRC's Atomic Safety and Licensing Appeal Board in the Matter of Vermont Yankee Nuclear Power Corporation, Memorandum and Order (ALAB-138), dated July 31, 1973:

"As a general rule, the Commission's regulations preclude a challenge to applicable regulations in an individual licensing proceeding. 10 CFR 2.758. This rule has been frequently applied in such proceedings to preclude challenges by intervenors to Commission regulations. Generally, then, an intervenor cannot validly argue on safety grounds that a reactor which meets applicable standards should not be licensed. By the same token, neither the applicant nor the staff should be permitted to challenge applicable regulations, either directly or indirectly. Thus, those parties should not generally be permitted to seek or justify the licensing of a reactor which does not comply with applicable standards. Nor can they avoid compliance by arguing that, although an applicable regulation is not met, the public health and safety will still be protected. For, once a regulation is adopted, the standards it embodies represent the Commission's definition of what is required to protect the public health and safety." [emphasis added]

"In short, in order for a facility to be licensed to operate, the applicant must establish that the facility complies with all applicable regulations. If the facility does not comply, or if there has been no showing that it does comply, it may not be licensed." [emphasis added]

The NRC design inspection at D C Cook identified significant issues which caused both units to be shut down. These issues were caused by programmatic deficiencies in the licensee's design control programs. A contributing factor for these issues is the failure of the licensee's quality assurance and self-assessment programs to detect these problems. Nothing in the reported findings from the design inspection supports a conclusion that these findings are isolated consequences. The NRC's design inspection invalidates any showing that this facility complies with all applicable regulations. Therefore, the design control deficiencies must be corrected to prevent future non-compliances with safety regulations. And just as importantly, a thorough review of all systems with safety functions must be completed prior to restart to detect and correct past non-compliances.

UCS is not advocating that the NRC apply a higher standard at D C Cook. Instead, we are requesting that the NRC ensure that the D C Cook facility is in accordance with the minimum safety standards which constitute the legal grounds for allowing the units to operate. Our request is consistent with the measures required by the NRC when other sampling inspections find problems. We ask the NRC to expand the inspection scope based upon the identified problems just as would be required when snubber (e.g., pipe restraint) and reactor vessel internals inspections found problems.

Requested Actions

UCS petitions the NRC to protect public health and safety by preventing the units at D C Cook from operating until such time that there is reasonable assurance that all significant non-compliances have been identified and corrected. The system certification process recently used at the Salem Generating Station and the Millstone Power Station would provide such reasonable assurance. We request a public hearing on this matter be held in the Washington, DC area before any unit at D C Cook is authorized to restart.

Sincerely,

David A. Lochbaum

Nuclear Safety Engineer

cc: Chairman Shirley Ann Jackson

United States Nuclear Regulatory Commission

Washington, DC 20555-0001

Honorable Spencer Abraham

United States Senate

Washington, DC 20510-2203

Mr. A. B. Beach, Regional Administrator

United States Nuclear Regulatory Commission

801 Warrenville Road

Lisle, IL 60532-4351

Honorable Carl Levin

United States Senate

Washington, DC 20510-2202

Honorable Fred Upton

United States House of Representatives

Washington, DC 20515-2206

Attachments:

1) Design Inspection Issues That Will Be Resolved Prior to D C Cook Restart

2) NRC Daily Event Reports on D C Cook Design Inspection Findings

Attachment 1

Design Inspection Issues That Will Be Resolved Prior to D C Cook Restart

The following issues, quoted verbatim, were specified on the NRC's Confirmatory Action Letter dated September 19, 1997, as requiring resolution prior to restart of any D C Cook unit:

1. Recirculation Sump Inventory/Containment Dead Ended Compartments Issue

Analyses will be performed to demonstrate that the recirculation sump level is adequate to prevent vortexing, or appropriate modifications will be made. [See also Attachment 2 - Power Reactor Event Number 32890]

2. Recirculation Sump Venting Issue

Venting will be re-installed in the recirculation sump cover. The design will incorporate foreign material exclusion requirements for the sump. [See also Attachment 2 - Power Reactor Event Numbers 32875 and 32903]

3. Thirty-six Hour Cooldown, with One Train of Cooling

Analyses will be performed that will demonstrate the capability to cool down the units consistent with design basis requirements and necessary changes to procedures will be completed.

4. ES-1.3 (Switchover to Recirculation Sump) Procedure

Changes to the emergency procedure used for switchover of the emergency core cooling and containment spray pumps to the recirculation sump will be implemented. These changes will provide assurance there will be adequate sump volume, with proper consideration of instrument bias and single failure criteria. [See also Att. 2 - Power Reactor Event Numbers 32806 and 32904]

5. Compressed Air Overpressure Issue

Overpressure protection will be provided downstream of the 20 psig, 50 psig, and 85 psig control air regulators to mitigate the effects of a postulated failed regulator. [See also Attachment 2 - Power Reactor Event Numbers 32939 and 32988]

6. Residual Heat Removal (RHR) Suction Valve Interlock Issue

A technical specification change to allow operation in mode 4 with the RHR suction valves open and power removed is being processed. Approval of this change by the NRC will be required prior to restart. [See also Attachment 2 - Power Reactor Event Numbers 32914 and 32921]

7. Fibrous Material in Containment

Removal of fibrous material from containment that could clog the recirculation sump will be completed. [See also Attachment 2 - Power Reactor Event Number 32948]

Attachment 2

NRC Daily Event Reports on D C Cook Design Inspection Findings

The following summaries were taken from the daily event reports available on the NRC's website (www.nrc.gov). The only editing involved deletion of unnecessary detail, such as who was notified about the events, and the addition of clarification for acronyms. Otherwise, these narratives are verbatim.

POWER REACTOR EVENT NUMBER: 32890

UNUSUAL EVENT DECLARED & TECHNICAL SPECIFICATION REQUIRED SHUTDOWN ON BOTH UNITS DUE TO INOPERABLE CONTAINMENTS

As a result of issues raised during the ongoing architect/engineer design inspection, the licensee was reviewing the design aspects of the containments (both units have similar containments). After consulting with the nuclear steam supply system supplier (Westinghouse) the licensee determined that concerns existed about whether adequate communication (flow paths) exists between the active and inactive portions of the containment sump.

During certain scenarios, the volume of water flow back to the containment recirculation sump may not be adequate to support long-term emergency core cooling (ECC) systems (RHR [residual heat removal] system, safety injection system, charging system) or containment spray pump operation during the recirculation phase of a large or small break LOCA. The containment drainage system is designed to ensure that water entering the containment from the breach in the reactor coolant system, ECC systems injection, and ice condenser melt flows back into the containment recirculation sump via drains. Licensee analysis was unable to confirm that sufficient communication existed between inactive and active volumes of the containment to ensure adequate drainage to the recirculation sump. Without adequate drainage into the sump, a low sump level will result, which jeopardizes long term operation of the ECC Systems and containment spray pumps due to vortexing and air entrainment.

As a conservative measure because of these concerns, the licensee declared both trains of the ECC Systems and the containment spray system inoperable for both units and entered Technical Specification limiting condition for operation action statement 3.0.3 to shut down both units. The licensee commenced shutting Unit 1 down from 100% power at 1655 and Unit 2 down from 100% power at 1728. At 2000, the licensee declared an unusual event on both units due to the potential loss of containment barrier on both units.

The licensee plans to perform further analysis to determine the extent of the existing communication between the portions of the sumps and whether plant modifications will be necessary.

*** Update 0311 EDT on 09/10/97 by Tilly taken by MacKinnon ***

The unusual event was terminated and exited at 0303 EDT when Unit 1 entered mode 5 (cold shutdown). Unit 2 entered mode 5 at 0015 EDT (cold shutdown).

POWER REACTOR EVENT NUMBER: 32875

FAILURE TO MAINTAIN THE CONTAINMENT RECIRCULATION SUMP 1/4" PARTICULATE RETENTION REQUIREMENT (HISTORICAL ISSUE)

A 1/4" particulate retention requirement for the containment recirculation sump was not properly established in 1979 following sump modifications. The containment recirculation sump requirement to retain 1/4" particles is to ensure that containment spray nozzles do not become plugged. The containment spray system takes suction from the containment recirculation sump following injection of the refueling water storage tank supply during a loss of coolant accident.

In 1979, modifications were performed on the containment recirculation sump. One of the modifications involved moving a 1/4" retention element from inside the recirculation sump to the entrance of the sump. When the retention element was moved, the 1/4" retention requirement was not fully addressed, and pathways exceeding the 1/4" requirement were inadvertently established. The inadvertent pathways established included: 3/4" vents in the roof of the recirculation sump entrance, the containment sump drain line from the recirculation sump, and small gaps around the sump entrance. These pathways have since been eliminated or the 1/4" requirement has been established.

The licensee is reporting the fact that since 1979 until the 1/4" requirement was established or the pathway was eliminated, the containment recirculation sump did not meet its design requirement.

The containment recirculation sump currently meets the 1/4" requirement. A condition report has been written to initiate investigation into this event and determine appropriate preventive actions.

This event was determined to be reportable at 0856 on September 5, 1997.

*** Update at 1905 on 09/10/97 by Randy Ptacek entered by Jolliffe ***

After further review of the above condition, the licensee concluded that the emergency core cooling (ECC) system was outside its design basis as a result of the 1/4" requirement not being met following the 1979 plant modifications. By not adequately covering the 1/4" particulate retention requirement, larger particles had the potential to enter the recirculation sump. The ECC System has not been analyzed for these larger particles nor is it within the design of the ECC System to handle these larger particles.

The licensee has concluded that this event is also reportable to the NRC in accordance with the requirements of 10CFR50.72(b)(1)(ii)(a) unanalyzed condition, and 10CFR50.72(b)(2)(iii)(d) accident mitigation.

POWER REACTOR EVENT NUMBER: 32903

CONTAINMENT RECIRCULATION SUMP VENT HOLES HAVE BEEN FILLED WITH CONCRETE

As a result of questions posed by the NRC architect/engineer design inspection team, the licensee determined that the inlet venting requirement for the containment recirculation sumps was not properly maintained following modifications to the Unit 2 sump in 1996 and the Unit 1 sump in 1997 (both units have similar containments).

The containment recirculation sump venting requirement was established in 1979 as part of the original sump design to reduce the potential for air entrainment through the sump. The venting requirement was met through the addition of five 3/4-inch diameter holes drilled in the roof of the sump inlet. (The holes did not meet the 1/4-inch diameter requirement as reported in Event #32875.) When these holes were discovered during the Unit 2 1996 refueling outage and the Unit 1 1997 refueling outage, they were classified as abandoned equipment holes that exceeded the 1/4-inch particulate retention requirement for the sumps and they were filled with concrete.

POWER REACTOR EVENT NUMBER: 32806

INSTRUMENTATION INDICATIONS USED TO DETERMINE WHEN REFUELING WATER STORAGE TANK TO CONTAINMENT SWITCHOVER IS REQUIRED MAY NOT HAVE BEEN CORRECT TO PREVENT VORTEXING IN THE CONTAINMENT RECIRCULATION SUMP.

During the evaluation of a proposed procedure change that affects switchover from the refueling water storage tank (RWST) to the containment sump during a loss-of-coolant accident (LOCA), it was determined that the instrumentation indications used to determine when the switchover is required may not have been correct to prevent vortexing in the containment recirculation sump.

To address this situation, procedures associated with the switchover (on both units) have been conservatively changed to accommodate the related instrument inaccuracies. These changes assure adequate RWST water is in containment before switchover to eliminate concerns that vortexing would occur in the containment sump after switchover.

The problem is that the RWST water level indicators are connected to the suction line that goes to the residual heat removal (RHR) pumps. Due to the flow in these lines, the indicated water level at which the switchover would be initiated would be less than the actual water level of the RWST (the licensee would be putting less water into the containment than expected). Also, the licensee said that they had some inaccuracies associated with their containment sump instrumentation. The licensee adjusted the containment sump indication to assure that they have an adequate volume in the containment to prevent vortexing. The licensee relies upon two indications for switchover; RWST water level and containment water level.

POWER REACTOR EVENT NUMBER: 32904

SINGLE FAILURE DURING RECIRC SUMP SWITCHOVER COULD BE UNANALYZED CONDITION

As a result of questions posed by the NRC architect/engineer design inspection team, the licensee determined that the possibility of a single failure during an accident while performing switchover of the emergency core cooling system pumps from the refueling water storage tank (RWST) suction to the recirculation sump suction could have resulted in the plant being in an unanalyzed condition. This condition is outside the plant design basis, and it potentially could have prevented the fulfillment of a safety function of structures or systems.

The plant emergency operating procedures (EOPs) as currently written require that the west residual heat removal (RHR) pump be the first pump switched from the RWST suction to the recirc sump suction. Once this is accomplished, the centrifugal charging (CC) pumps' suctions and the safety injection (SI) pumps' suctions are then swapped from the RWST supply to the discharge of the west RHR pump. If the west RHR pump were to fail at this point when all CC and SI pumps were being supplied from its discharge, prior to the east RHR pump suction being transferred from the RWST to the recirc sump, all CC and SI pumps could also fail due to the loss of suction flow. This would result in the loss of all high and medium head injection with only the flow from the east RHR pump available for injection into the reactor coolant system. The licensee is currently reviewing the EOPs to determine an alternate switchover sequence that would eliminate the condition as described above.

POWER REACTOR EVENT NUMBER: 32939

INSTALLED PLANT MODIFICATION INTRODUCED THE POSSIBILITY OF A SINGLE FAILURE WHICH COULD RESULT IN THE LOSS OF BOTH TRAINS OF THE ESF VENTILATION SYSTEM.

At 1620 on 09/16/97, the licensee determined that a plant modification installed between December 1996 and August 1997 introduced the possibility of a single failure which could result in the loss of both trains of the engineered safety features (ESF) ventilation system if the 85-psi air header was to be lost. Prior to the installation of the plant modification, the ESF ventilation system charcoal inlet and bypass dampers both utilized a 20-psi air header and were positioned such that the charcoal bypass dampers were normally open and would fail closed; and the charcoal inlet dampers were normally closed and would fail open. The plant modification installed new bypass dampers which required higher air pressure to operate and were, therefore, transferred to the 85-psi header. If the 85-psi air header was lost, it would result in the repositioning of the normally open bypass dampers without the opening of the charcoal inlet dampers on both trains. This would result in dead heading of the filter train fans and loss of cooling to emergency core cooling system (ECCS) equipment.

POWER REACTOR EVENT NUMBER: 32988

NON-SAFETY RELATED AIR HEADERS LACK OVERPRESSURE PROTECTION

During an architectural engineering inspection a question was raised regarding the lack of overpressure protection on the 20, 50 and 85 psig control air headers. The specific concern is the potential for common mode failure of both trains of safety related equipment served by the air headers. The overpressure condition is postulated to be caused by regulator failure.

Although system reviews have found no component failure mode which would result in the devices being incapable of going to their fail-safe position, a design change package has been prepared to provide overpressure protection on the 20, 50 and 85 psig headers.

POWER REACTOR EVENT NUMBER: 32914

LICENSEE IDENTIFIED THAT BOTH UNITS HAD OPERATED THEIR RHR SYSTEM CONTRARY TO THE DESCRIPTION IN THE FSAR.

At 1615 EDT, with Units 1 and 2 shutdown in mode 5, it was determined that both units have operated contrary to the design basis for the residual heat removal (RHR) system as described in the Final Safety Analysis Report (FSAR). FSAR Chapter 9, Section 9.3, describes the interlocks associated with the residual heat removal (RHR) suction valves from the reactor coolant system (RCS). The suction line valves are interlocked through separate channels of the RCS system pressure signals to provide automatic closure of both valves whenever RCS pressure exceeds RHR design pressure. The FSAR states that the interlock may be defeated when the RCS is open to atmosphere. However, for a number of years this interlock has been procedurally defeated on both units to prevent inadvertent closure and loss of RHR suction during shutdown cooling operation by opening the valves and racking out their breakers in mode 4.

The overpressure protection afforded by the automatic closure function described in the FSAR was defeated without a safety evaluation being performed. This loss of automatic closure function represents an unanalyzed condition and is, therefore, reportable.

Plans are to degas, depressurize, and open the RCS on both units to atmosphere. Degas will start on Unit 1, and when completed, the unit will proceed to depressurize while Unit 2 starts degas procedures. When the RCS is open to atmosphere on both units, the plant will be in compliance with the FSAR.

This condition was identified by the licensee during an ongoing NRC architect/engineer inspection.

*** Update at 2130 EDT on 9/13/97 from Robert Blyth to S. Sandin ***

The licensee has completed its safety evaluation for mode 5 operation and concluded that there was no unreviewed safety question or change of operation as described in the FSAR. Consequently, degas of Unit 1 has been terminated, and neither unit will be vented to atmosphere.

POWER REACTOR EVENT NUMBER: 32921

THE LICENSEE IDENTIFIED THAT BOTH RHR PUMPS HAD BEEN OPERATED WHEN THE RCS WAS DEPRESSURIZED, WHICH IS CONTRARY TO THE DESCRIPTION IN THE FSAR.

Chapter 9 of the Final Safety Analysis Report (FSAR) states: 'Only one residual heat removal (RHR) pump will be operated when the reactor coolant system is open to atmosphere to prevent damaging both pumps in the unlikely event that suction should be lost.' Operating procedures for the RHR system do not prevent operation of both RHR pumps when the reactor coolant system (RCS) is open to atmosphere, and in the past, both RHR pumps have been run when the RCS was vented to atmosphere.

Plant operating procedures are being reviewed to determine the impact. Procedure changes will be implemented as necessary to address the FSAR requirement. A condition report has been initiated to investigate and determine appropriate preventative actions.

POWER REACTOR EVENT NUMBER: 32948

IT WAS DETERMINED THAT FIBROUS MATERIAL IS PRESENT IN BOTH UNIT 1 AND UNIT 2 CONTAINMENT IN ENOUGH QUANTITY TO POTENTIALLY CAUSE EXCESSIVE BLOCKAGE OF THE CONTAINMENT RECIRCULATION SUMP SCREEN DURING THE RECIRCULATION PHASE OF A LOSS OF COOLANT ACCIDENT.

In 1985, 1986, and 1995 "Fiberfrax" refractory insulation materials in bulk, blanket or board form were used as damming material when installing fire stops in cable trays in both containments. The specification governing installation of the fire stops did not require removal of the material, only stating that it should be removed "if necessary." The material was not removed. The material is present in 12 cable trays in Unit 1 and 15 cable trays in Unit 2.

When the Fiberfrax is exposed to water or steam/water environment it could potentially break into small pieces, which could be transported to the recirculation sump by the water flow in containment during a loss of coolant accident. Once it reaches the recirculation sump it has the potential to clog the screens in excess of the design value. Excessive screen blockage could result in ECCS inoperability during the recirculation mode.

The Fiberfrax material is currently being removed from the containments, and removal will be completed prior to restart of the units. The possibility that the licensee's work control process allowed unencapsulated fibrous material to be installed in other locations inside containment is being investigated.

POWER REACTOR EVENT NUMBER: 32740

UNITS 1 & 2 OPERATED OUTSIDE THE DESIGN BASIS FOR SERVICE WATER INLET TEMP

As a result of questions posed by members of the ongoing NRC design inspection team, the licensee has determined that Units 1 & 2 have operated outside the plant design basis for service water inlet temperature.

The Updated Final Safety Analysis Report (UFSAR), Table 9.5-3, lists service water inlet temperature design value as 76F. This value is used as input to analyses such as containment peak pressure and control room habitability. Although engineering analyses were performed in 1988 raising the temperature to 87.5F as listed in the plant Technical Specifications, a 10CFR50.59 safety evaluation was never performed, nor was the UFSAR properly revised.

Plant service water inlet temperature is the same as Lake Michigan water temperature. A review of historical data indicates that during July and August of any year, Lake Michigan water temperature is likely to exceed the 76F value. Specific data for 1997 shows that Lake Michigan water temperature, and therefore plant service water inlet temperature, was greater than 76F on July 17, July 18, and August 4, 1997. All plant systems which utilize service water as a cooling medium have been determined to be operable. A 10CFR50.59 safety evaluation will be performed and appropriate changes will be incorporated into the UFSAR.

This report is intended to cover any temperature exclusions above 76F and below the 87.5F value listed in the plant Technical Specifications that may occur prior to the completion of the 10CFR50.59 safety evaluation.

POWER REACTOR EVENT NUMBER: 32822

DISCOVERY THAT A NORMAL OPERATING PROCEDURE ALLOWED PLANT OPERATION WITH COMPONENT COOLING WATER HEAT EXCHANGER OUTLET TEMPERATURES GREATER THAN THE DESIGN LIMIT SPECIFIED IN THE FINAL SAFETY ANALYSIS REPORT

During the ongoing NRC architect/engineer design inspection, a question was asked relative to a statement used in the normal operating procedure for the component cooling water (CCW) system. The statement allows for a heat exchanger outlet temperature for CCW to reach 120F for a period of 3 hours during normal cooldown on the residual heat removal system. Investigation revealed that this statement was in the original issue of the procedure in 1976. However, no 10 CFR 50.59 unreviewed safety evaluation determination documentation could be found to support this design parameter.

The licensee's Final Safety Analysis Report (FSAR) states that the CCW heat exchanger outlet design temperature is 95F. Based on the FSAR requiring the 95F outlet temperature and the lack of an unreviewed safety question determination to justify operation exceeding 95F, the units were in a condition that allowed operation outside the design basis because the procedure allowed operation up to 120F for a period of 3 hours during normal cooldown on the residual heat removal system. The units are not currently in a Technical Specification limiting condition for operation as a result of this issue.

Procedure changes have been made to remove the inappropriate statement. A condition report has also been written to initiate an investigation into this event and determine appropriate preventive actions.

POWER REACTOR EVENT NUMBER: 32823

FAILURE OF A SAFETY REVIEW TO ADDRESS FINAL SAFETY ANALYSIS ATTRIBUTES ON ASSOCIATED COMPONENT COOLING WATER COOLING REQUIREMENTS

During the ongoing NRC architect/engineer design inspection, a question was asked relative to dual train component cooling water (CCW) system outages. During dual train CCW outages, CCW cooling is supplied to the spent fuel pool (SFP) heat exchanger only from the opposite unit. If that unit has a loss of coolant accident (LOCA), CCW to the SFP heat exchanger will isolate. Final Safety Analysis Report (FSAR) Table 9.5-2, footnote 3, indicates that the SFP heat exchanger is assumed to be on the non-accident unit.

The licensee reported the following inspection questions:

1) Does a dual train CCW outage represent a condition outside the plant design basis?

2) Was this reviewed as part of the process of allowing a dual train CCW outage?

Based on a review of FSAR Table 9.5-2, it was concluded that footnote 3 was established to clarify why no values for SFP heat exchanger flow for the unit undergoing the LOCA are listed in the table. Footnote 3 reflects normal SFP cooling system design and operation.

A review was performed of the safety evaluation performed for the Unit 2 full core offload with one train of spent fuel cooling. This safety review covered the Unit 2 refueling outage schedule which included a dual train CCW outage.

Footnote 3 of Table 9.5-2 represents the normal design of the SFP cooling system, that is, the SFP cooling system is designed to remove the heat generated by stored spent fuel elements in the [SFP]. The system incorporates two separate trains.

The safety review for the Unit 2 full core offload with one train of spent fuel cooling addressed the FSAR section 9.4 attribute of the SFP cooling dealing with time to boil events and bulk pool temperature requirements; however, the safety review failed to address FSAR section 9.5 attributes associated CCW cooling requirements as given in Table 9.5-2.

This issue impacts both units. However, the units are not currently in a Technical Specification limiting condition for operation as a result of this issue.

POWER REACTOR EVENT NUMBER: 32824

FAILURE TO PERFORM A 10 CFR 50.59 EVALUATION FOR A PROCEDURE CHANGE INVOLVING COMPONENT COOLING WATER HEAT EXCHANGER OUTLET TEMPERATURE LIMITS

During the ongoing NRC architect/engineer design inspection, a question was asked relative to the fact that during the last Unit 2 refueling outage, an administrative limit of 90F was placed on the component cooling water (CCW) system. The thermal analysis indicated that a maximum CCW temperature of 90F would eliminate all margin associated with the spent fuel pool (SFP) design assuming a design flow of 3,000 gpm.

The following inspection question was asked: Since a change in CCW temperature was required to meet the Final Safety Analysis Report (FSAR) value of 160F for the SFP, was a 10 CFR 50.59 unreviewed safety evaluation performed?

The licensee reviewed the change to the procedure to limit CCW temperature to 90F. The licensee considered this change to be an administrative change only to lower the allowable temperature to the SFP cooling heat exchanger. A 10 CFR 50.59 evaluation was not performed because it was not recognized that the 95F requirement was essentially being changed.

Without the completion of an unreviewed safety question determination, the plant was in a condition outside the design basis. The units are not currently in a technical specification limiting condition for operation as a result of this issue.

A condition report has been written to initiate actions to investigate this event and provide preventive actions. The 90F limit is no longer in the operating procedures.

POWER REACTOR EVENT NUMBER: 32839

AVAILABLE WATER VOLUME IN RWST NOT ADEQUATE IN MODES 5 AND 6

During the ongoing NRC architect/engineer design inspection, NRC inspectors asked a question about the reactor coolant makeup required after a 10CFR50, Appendix R fire. To respond to the question, the licensee reviewed two associated design calculations. The more restrictive calculation was determined to be the calculation of record to meet the requirement. This calculation requires 87,000 gallons of water to be available in the refueling water storage tank (RWST). The value of 87,000 gallons was approved on 02/20/90. During modes 1 through 4, plant procedures adequately ensure that this requirement is met. During modes 5 and 6, plant procedures are not adequate to ensure that this requirement is met.

The plant has been in modes 5 and 6 many times since this requirement became effective on 02/20/90. Based on this, the plant has been in an unanalyzed condition several times since 02/20/90.

Currently both units are in mode 1. The licensee is reviewing plant operating procedures to determine impact and will implement procedure changes as needed prior to either unit entering modes 5 or 6. The licensee is continuing to evaluate the subject calculations and plans to submit a licensee event report to the NRC on this subject.

POWER REACTOR EVENT NUMBER: 32843

LAKE MICHIGAN TEMPERATURE EXCEEDED PLANT DESIGN BASIS LIMIT IN AUGUST 1988

As a result of questions posed by members of the ongoing NRC architect/engineer design inspection team, the licensee has determined that the water temperature of Lake Michigan, the plant's ultimate heat sink, exceeded the plant design basis lake temperature limit of 76F for 22 days during August 1988.

The control room is normally cooled by an air conditioning system which utilizes non-safety related chillers. The safety related portion of the control room air conditioning system utilizes water from Lake Michigan as the cooling medium. This water would be supplied directly to the cooling coils following manual realignment. At an average lake temperature of 81F that existed during the 22 day period in August 1988, the temperature inside the control room could have reached 110.4F had the non-safety related chillers not functioned. At a temperature of 110.4F, the lifetime of some instrumentation inside the control room, the solid state protection system, and the nuclear instrumentation, is estimated to be at 150 hours or 6.25 days. The impact of this shortened instrument life span on plant operation had not been evaluated.

At the time of this event, the plant Technical Specifications allowed continuous operation with control room temperatures up to 120F. The Technical Specifications have since been revised such that continued operation with control room temperatures in excess of 95F is not permitted.

Operation of the plant during the time period when lake temperature exceeded the design basis limit, without analysis indicating acceptable control room cooling could be maintained above this temperature limit, and without procedures to alert personnel of the situation, is considered as operation in an unanalyzed condition. The instrumentation was not adversely impacted by the high lake temperatures as the non-safety related chillers continued to function and maintain acceptable control room temperatures.

POWER REACTOR EVENT NUMBER: 32915

OVERPRESSURE PROTECTION OF THE COMPONENT COOLING WATER SYSTEM PIPING NOT IN ACCORDANCE WITH THE ANSI CODE REQUIREMENTS

Chapter 9.5 of the FSAR states: 'The relief valve on the component [cooling water] surge tank is sized to relieve the maximum flow rate of water that would enter the surge tank following a rupture of a reactor coolant thermal barrier cooling coil. The set pressure assures that the design pressure of the component cooling system is not exceeded.'

The piping design code at the Cook plant is B31.1. B31.1 states that an intercepting stop valve cannot be located between the source of pressure and the pressure relief device credited for protecting the pipe. In this instance, the pressure source is the ruptured thermal barrier; the pressure relief device is a safety relief valve on the surge tank. Contrary to the code requirement, there are manual valves maintained open between the two. These valves were not controlled in accordance with or exempted from B31.1.

An evaluation is being performed to determine the most effective method of establishing and maintaining the code requirement. A condition report has been written to initiate an investigation into this event and determine the appropriate preventative actions."

This condition was identified in response to an ongoing NRC architect/engineer design inspection.


January 12, 1998

Mr. L. Joseph Callan

Executive Director for Operations

United States Nuclear Regulatory Commission

Washington, DC 20555-0001

SUBJECT: ADDENDUM TO PETITION PURSUANT TO 10 CFR 2.206, DONALD C. COOK NUCLEAR PLANTS UNITS 1 AND 2, DOCKET NOS. 50-315 AND 50-316

Dear Mr. Callan:

The Union of Concerned Scientists submits this addendum to the petition pursuant to 10 CFR 2.206 we submitted on October 9, 1997 regarding Donald C. Cook Units 1 and 2. This addendum was requested by Ms. Elinor Adensam of your staff following my oral presentation this morning of our safety concerns. Enclosed is the prepared statement which I read during that presentation.

Sincerely,

David A. Lochbaum

Nuclear Safety Engineer

cc: Chairman Shirley Ann Jackson, United States Nuclear Regulatory Commission, Washington, DC 20555-0001

Honorable Spencer Abraham, United States Senate, Washington, DC 20510-2203

Mr. A. B. Beach, Regional Administrator, United States Nuclear Regulatory Commission, 801 Warrenville Road, Lisle, IL 60532-4351

Honorable Carl Levin, United States Senate, Washington, DC 20510-2202

Honorable Fred Upton, United States House of Representatives, Washington, DC 20515-2206

This is a public meeting, not the public hearing that we requested when we submitted our 2.206 petition over three months ago. There have not been many public hearings held for 2.206 petitions. In fact, it is my understanding that I have attended every 2.206 public hearing ever held. One. That public hearing was held on the Millstone petition filed by We The People and Mr. George Galatis. Mr. Galatis was featured on the cover of TIME in March 1996. The first, and only, public hearing for a 2.206 petition was held the following month. Coincidence? I honestly doubt it. But I will get into statistics and how they are used by the NRC later.

You agreed to this meeting to see if I have "new" information about D C Cook. Before I present my information, and I'll leave it to the NRC staff to determine its age, I will briefly discuss some "old" information. You have heard this information before, but maybe not yet in 1998: the 2.206 petition process is seriously and fundamentally broken. It isn't bent, it's broke.

You revised the 2.206 process 3 or 4 years ago and think it is fixed. The process was indeed changed, but it is not fixed. The old 2.206 process was broken. The new 2.206 process is broken. It needs to be fixed, or eliminated.

I suspect that the NRC's difficulty in stemming declining performance by its licensees offers a close parallel with the history of the 2.206 petition process. Your inspectors detect a performance problem at a plant. Its owner implements corrective actions. You conduct a followup inspection. If you find that things are the same, you correctly assume that the problem has not been fixed. If you find that things are different, you assume that the problem has been fixed. However, things can be different but still not fixed. That's your trouble with the 2.206 process and may have been the trouble you had preventing performance declines during the early stages of Salem and Millstone.

UCS submitted its 2.206 petition on October 9, 1997. We asked for two things: specific actions regarding D C Cook and a public hearing to present our concerns. To date, UCS has received one piece of paper from you concerning our petition: a letter dated December 9, 1997, acknowledging its receipt. All of the few telephone discussions we've had regarding the petition have been originated by me.

But enough on the 2.206 process. Perhaps too much. Today's meeting is for UCS to convey its concerns regarding D C Cook to you. Normally, I distribute copies of the slides or handouts to accompany my oral remarks. Since I thought, in good faith, that we would be granted a public hearing and assumed that I'd have at least 10 days to prepare for it, and since that did not happen, I am unable to provide any written documentation to you.

There are six concerns that I would like to discuss with you today.

My first concern involves D C Cook's ice condenser containment. The NRC Inspector General's office was informed last summer about alleged problems in the configuration and testing of the ice condenser at Watts Bar. Problems with the bay doors and components of the ice baskets were specifically identified. The allegations also suggested that many of the problems were generic and therefore affected the other ice condenser plants, including D C Cook. Finally, it was alleged that the problems were known, but not properly reported, by the Watts Bar licensee, the D C Cook licensee, the McGuire licensee, and even Westinghouse.

I refer you to Mr. George Mulley in the IG's office for the technical issues. I don't want to compromise IG's investigation, any more than I've already done. But these allegations exist and they may affect D C Cook. You recently issued an amendment to D C Cook's technical specifications involving the amount of ice in the ice condenser. The ice condenser licensing bases were changed, albeit to a limited extent. It provided another opportunity for the licensee to identify and report any ice condenser problems. I did not see any such report. Are the Watts Bar ice condenser problems valid? Do they apply to D C Cook? I can't answer that at this time. Can you?

My second concern involves the licensee's 50.59 safety evaluation process. From the material I've reviewed, it appeared that you felt the licensee's 50.59 safety evaluation process needed improvements. I understand that the licensee made changes to its process. I am concerned that it is not evident that the licensee made any attempt to determine if safety evaluations prepared under the old process led to inappropriate conclusions. In other words, did the bad process cause bad products?

Before joining UCS in 1996, I was a consultant on a UFSAR vertical slice project for Salem Unit 2. We looked at every safety evaluation written for every modification to the systems we examined. Prior to that assignment, I was a consultant on the power update project for Susquehanna. Although that licensee did not have a suspect 50.59 process, the effect of increasing the plant's licensed power level might have invalidated the conclusions from prior safety evaluations. Therefore, we reviewed the summary for every safety evaluation written. Prior to that assignment, I was a consultant on the Browns Ferry Restart Project. TVA did have a configuration management problem. We reviewed every safety evaluation written for every modification to the systems we examined.

So, based on industry experience and common sense, I expected to see at least some screening of safety evaluations written at D C Cook using the bad process. Has an assessment of D C Cook's safety evaluations been performed? If not, could "bad" safety evaluations prepared using the "bad" 50.59 process mean that unidentified safety problems remain at D C Cook?

My third concern involves engineering calculations. From the material I've reviewed, it appears that the quality of the licensee's calculations was suspect. In fact, the licensee's response to the confirmatory action letter (CAL) dated December 2, 1997, stated that a root cause for its problems was that "Some analyses were found to contain errors and incorrect assumptions." The licensee said a peer review process was used to spot check its calculations. According to the licensee's response, a total of 191 calculations were peer reviewed. Sounds like a broad review. But it's not, for the following reason.

171 calculations were reviewed to resolve the concerns you raised during the design inspection. The remaining 20 calculations covered the auxiliary feedwater, component cooling water, chemical volume and control, containment spray, essential service water, residual heat removal, and electrical distribution systems. 20 calculations for 7 safety systems. That's an average of fewer than 3 calculations reviewed per safety system. Even given this tiny sample, the licensee reported that "some administrative and minor technical concerns were identified."

Is the NRC satisfied that a review of merely 20 calculations is an adequate extent of condition assessment? If so, why?

My fourth concern also involves engineering calculations. Between the time we submitted our petition and the time the licensee responded to the CAL, I received allegations involving net positive suction head (NPSH) calculations performed for D C Cook. The individual making the allegations was at D C Cook and told me there were problems with more than one NPSH calculation. The alleged problems involved both "missing" and inaccurate calculations. I do not know which pumps were affected, but it should not be too difficult for you to check. I am unable to check myself since these documents are not publicly available. Do the safety-related pumps at D C Cook have adequate NPSH as shown by quality calculations?

My fifth concern involves the credibility of the licensee's response to your CAL. By letter dated February 6, 1997, the licensee submitted, under oath, its response to the NRC's 50.54(f) request dated October 9, 1996. I think it is fair to state that the licensee, in that response, told you that there were no major problems with the two safety systems you examined in the subsequent design inspection. Each of these safety systems had been the subject of a design bases document recently issued by the licensee. Essentially, the licensee gave both of these safety systems a clean bill of health. Your subsequent design inspection clearly showed otherwise. Both units have been shut down for over three months to fix the problems you identified in the allegedly "clean" systems.

Since the shut down, the licensee has expended considerable effort fixing the many problems you identified. Numerous physical plant changes were necessary. However, the licensee has expended less effort examining whether the programmatic problems you found affected other systems as well. The licensee was unable to identify the problems in the two systems you examined during a thorough design bases documentation program. It appears that the licensee applied less effort, per system, on the recent extent of condition assessment than it applied during the design bases document process. Since the larger effort failed, can you be sure that the smaller effort succeeded?

My sixth concern involves the NRC's own inspection process. You came in, looked at two safety systems, and found enough problems to force both units to shut down. The licensee maintains that these problems were confined to these two systems and everything else is well. Sound familiar? In 1996, you examined 4 systems at Maine Yankee and documented over 70 pages of problems. That licensee claimed the problems were limited to just those systems. Last year, you examined 2 systems at Vermont Yankee and found a serious problem affecting 1 system and lesser problems affecting the other. That licensee claimed the problems were limited to just those systems. If these licensees are correct, then you are the best regulator on the planet. You consistently find the needles in the haystacks. You find the only significant system problems that exist at the plants.

Were these licensees correct? I don't know. More importantly, you don't know either. You've never expanded the scope for system sampling inspections. If you had, just once, examined another system or two, then you'd really know whether you found the only problems or not.

You make sure that the licensees fix the problems you find in the few systems. That obviously needs to be done. But much more needs to be done. The true purpose of your inspection of sample systems is not to ensure the operability of these few systems. Your inspections are intended to assess the licensee's programs and controls for maintaining all safety systems. Your findings tell you something about the material condition of the plant, but they also provide you information on the licensee's general safety management ability. Theoretically, you should not find anything during an inspection. Thus, any finding actually represents two problems: a nonconforming condition as well as a failure of the licensee's Quality Assurance (QA) process. Too often, you allow licensees to simply fix half of the problem: the nonconforming condition. For example, when you find a broken widget, you make sure that the licensee changes the widget. You also need to find out why the licensee did not identify the broken widget and if they have any other broken widgets. The licensee's programmatic failures must be fixed. Otherwise, problems in other systems will remain undetected and future problems may be introduced.

What would it take for you to expand the sample size? This may be a rhetorical question since you have never expanded the sample size. It should not be a rhetorical question. You should develop and issue clearly defined criteria on when you will require additional system assessments based on findings from your system inspections.

These are my concerns.

I think UCS asked for very reasonable actions in our petition. The significant problems you found raise valid questions about the other safety systems at D C Cook. To date, I do not think those questions have been adequately answered. It is clearly the licensee's burden to answer these questions. It is your burden not to permit D C Cook to restart until these questions are answered and the answers indicate the plant will be operated safely.

To be perfectly candid, I never expected our petition to be granted. The NRC's record is such that a public petition has very little chance of being granted. My fallback position is to monitor daily event reports, LERs, and inspection reports after the plants restart. When I see a significant problem reported that might have been identified and corrected before restart had the NRC granted our petition, you can be sure I'll let you know.


June 24, 1998

The Honorable Pete V. Domenici

Chairman

The Honorable Harry Reid

Ranking Minority Member

Subcommittee on Energy and Water Development

Committee on Appropriations

United States Senate

Dear Senators:

The Nuclear Regulatory Commission (NRC) has the mission of ensuring that the public is adequately protected from the radiation hazards of nuclear power plant operation. We had misgivings about the NRC staffing cuts recently proposed by your subcommittee because we felt they would compromise the agency's ability to carry out its oversight function. The position adopted in the final appropriations language relieved many of our concerns. The NRC's oversight problems identified by the subcommittee warrant further scrutiny. We commend the subcommittee for initiating an inquiry into these important matters.

The final appropriations language contains several examples of alleged NRC over-regulation. We agree that the NRC should avoid regulations or actions which impose unnecessary burdens on nuclear plant owners. Unnecessary actions may divert resources that could be better used to improve safety performance. Thus, we support the initiative undertaken by the subcommittee to examine this issue in the context of an investigation of how the NRC implements its oversight role.

However, the emphasis appears focused solely on potential over-regulation by the NRC. The equally important subject of potential under-regulation should also be considered. For example, we call your attention to the report released in May 1997 by the United States General Accounting Office (GAO) in response to questions from Senators Biden and Lieberman. The GAO concluded that the NRC had waited too long to stem declining safety performance at the Millstone plant, the Cooper nuclear plant in Nebraska, and the Salem nuclear plant in New Jersey. The NRC implemented numerous changes as a result of lessons it learned from Millstone and other facilities. But we are not confident that sufficient progress has been made. For comparison, the NRC ordered Millstone's owners to bring in two independent companies to confirm that the plant's problems had been fully corrected. The NRC has not had comparable appraisals by Congress, or another independent party, to confirm that its own problems have been fully remedied.

We recently released a report called The Good, The Bad, and The Ugly: A Report on Safety in America's Nuclear Power Industry. A copy of this report is enclosed. We describe numerous safety problems in this report which we feel fall into the category of under-regulation by the NRC. Please note that most of these safety problems occurred after the GAO's report was released.

We could communicate additional examples of possible under-regulation by the NRC. We feel that it would be more useful at this point to suggest that the fundamental reason for the NRC's possible under-regulation is also responsible for its alleged over-regulation: that the NRC lacks objective standards when monitoring safety at nuclear power plants. If our contention is true, then resolution of this root cause will remedy both of the adverse consequences from the NRC's oversight problems.

Lacking objective safety standards, the agency cannot pro-actively check declining safety levels at a plant. As a result, a watershed event or protracted series of troubling incidents must occur before the NRC reacts. Considerable work had to be completed at Millstone, Salem, and Indian Point 3 before the NRC would permit these plants to restart. The volume of these efforts suggests that these plants operated with inadequate safety margins before they were shut down.

We feel that the NRC currently has the means to apply objective safety standards in its oversight of nuclear power plants. We recently presented our recommended approach at a meeting of the American Nuclear Society. A copy of our ANS presentation is enclosed.

The NRC usually considers the safety implications of degraded plant conditions in the wrong context. The NRC only discusses the defense-in-depth elements (i.e., multiple barriers and redundant equipment) within its regulations that provide adequate protection of the public in event of an accident. Degraded plant conditions typically involve more than one non-conformance with the safety regulations. For example, nearly 70 physical changes to Millstone Unit 3 were made during its current outage to restore the facility into compliance with safety regulations. According to the plant's owners, at least 20 problems were corrected that had moderate or high safety risk. The virtues of the regulations are irrelevant when a plant like Millstone is so far out of compliance with them.

The NRC also underestimates the safety implications from degraded plant conditions by independently evaluating each problem. In our view, that approach is non-conservative and improper. By analogy, an individual can generally tolerate a single bee sting with minor health consequences. The effects from 20 to 70 bee stings could be a more serious matter.

We advocate that the NRC evaluate, or require that its licensees evaluate, the safety implications of degraded plant conditions in their proper context. The purpose of this evaluation would be to determine whether the public would have been protected had an accident occurred at the plant in its degraded condition. The NRC should determine if the public would have been protected had Millstone Unit 3 suffered an accident while it operated with so many of its safety systems degraded. Occasionally, results from these determinations may indicate that public safety could have been compromised. Identification of such near-misses is vitally important. First, it significantly reduces the chances that the problem will recur with potentially more tragic consequences. In addition, it prioritizes safety issues into those which must be addressed immediately and those which can wait. This distinction allows resources to be applied properly from both safety and economic perspectives.

We respectfully ask the subcommittee to consider both under-regulation and over-regulation as it examines the NRC's effectiveness. If there's any way that UCS can be of assistance in your efforts, please do not hesitate to contact me.

Sincerely,

David A. Lochbaum

Nuclear Safety Engineer

Enclosures: 1) UCS Presentation at 1998 ANS Annual Meeting, "Reactor Safety Margins," June 8, 1998

2) The Good, The Bad, and The Ugly: A Report on Safety in America's Nuclear Power Industry, June 1998

Distribution:

Representative Joseph M. McDade

Chairman

Subcommittee on Energy and Water Development

Committee on Appropriations

House of Representatives

Representative Vic Fazio

Ranking Minority Member

Subcommittee on Energy and Water Development

Committee on Appropriations

House of Representatives


Summary

Nuclear plant performance is a function of management effectiveness more than it is a function of plant age, reactor type, and other factors.

All plants can develop comprehensive corrective action plans. Good management ensures that the plans are implemented properly and revised as necessary such that the desired objectives are obtained. Bad management allows the plan to get waylaid by emerging issues such that schedule or quality, or both, suffer. Good management uses yardsticks to measure the effectiveness of changes (physical or administrative) implemented at their plants. Bad management does not.

Good management establishes objective standards, which are clearly and consistently communicated to plant workers. Bad management sends unclear or mixed messages (i.e., either standards are vague/ill-defined like 'excellence' or objectives cannot be attained with resources devoted to projects).

Good management establishes clear accountability, or ownership, for issues. Bad management does not, leading to confusion, frustration, ineffectiveness, and delays as things get sorted out.

Good management provides workers with effective procedures and policies such that most items can be processed through normal channels. Bad management does not, which forces the majority of items to be hand-carried through the process.

NRC regulatory performance is a function of management effectiveness more than it is a function of staff size, structure, and other factors. Unfortunately, the NRC staff more closely resembles bad management than good management:

The NRC staff develops corrective action plans, but fails to adequately monitor them to ensure the stated objectives are obtained (examples: enforcement policy, 2.206 and allegation processes have been revised in recent years, but are no better than they were a decade ago).

The NRC staff does not consistently enforce criteria whether they are 10 CFR 50 regulations or NRC policies (examples: D C Cook was shut down last September due to LOCA concerns under postulated conditions. Yet suction strainer issues on BWRs, which actually happened and had unusually similar consequences, did not trigger the shut down of any of the affected plants).

The NRC staff seems to lack clearly defined accountability (example: UCS allegation involving Millstone Unit 3 was purportedly 'handled' by NRR until the week after the restart vote, then it was passed back to Region I).

The NRC staff suffers from a lack of continuity (example: allegations, 2.206 petitions, and issues raised by UCS get routinely re-assigned from one interim or transient person to another).

Inspection and Enforcement

Inspection program is flawed because inspection reports do not accurately reflect inspection findings.

Examples: Maine Yankee ISAT (10/96), Dresden assessment (late '96)

Inspection program is also flawed because inspection reports are primarily dictated by NRC's general impression of the plant's performance.

Example: D C Cook. Virtually every inspection report issued since January 1998 has included one or more violations. In the two years prior to 1998, fewer than half of the inspection reports contained violation(s). Most of the violations cited in 1998 are not for new problems, but are for longstanding material condition or administrative control problems. The 'floodgates' at D C Cook are now open.

Enforcement process is badly broken because it is inconsistent and untimely.

Examples: By policy, licensees who implement good corrective actions in a timely manner (i.e., do what the law requires) can have their civil penalties totally waived. By practice, licensees who run up a huge tab (e.g., Millstone's $2.1 million fine) receive a discount because of their protracted outages. The middle-of-the-road plants are the only ones paying full fare.

Largest single failure of inspection and enforcement programs is that they lack credibility. From the public's perspective, credibility will never be restored as long as NRC staff steadfastly maintains that every violation and event lacks safety significance. The public simply does not believe that the NRC would fine a utility $2.1 million for "safe" behavior.

Use of Performance Indicators and Performance Assessment

NRC staff does not need a new or revised performance assessment process; it needs to do something tangible when the process being used indicates a licensee is not performing adequately.

Examples: Millstone, Salem, and the Watch List perennial Dresden. Recall Mr. Kenyon's comment to the Commission that he found NU to be the most dysfunctional organization he ever saw. If Mr. Kenyon could reach that conclusion during his first week at NU, NRC staff must have known that Millstone was in trouble.

Development of Risk-informed Regulations and Regulatory Policies

Risk-informed regulation cannot proceed unless the risks are known. Until plants are generally in conformance with their design and licensing bases such that their Individual Plant Examinations are valid, risk-informed regulation cannot be implemented.

Examples: Pilgrim, Vermont Yankee, and D C Cook all responded to NRC's October 9, 1996 50.54(f) letter on design bases information by stating that they had everything under control:

Subsequent NRC inspection showed that Pilgrim did not have strong control over design bases and consequently was performing 'weak' operability determinations. Pilgrim committed to DBD effort.

NRC A/E inspection revealed numerous shortcomings in design bases control at Vermont Yankee. Vermont Yankee committed to expanded, revamped DBD program.

NRC A/E inspection triggered shut down of both units at D C Cook. Both units are likely to remain shut down for over a year while extensive plant and administrative changes are made.

All of these plants had previously submitted their IPEs in response to NRC Generic Letter 88-20. Yet these findings unequivocally demonstrate that these risk assessments were useless because they did not accurately reflect the actual plant conditions.

During the current design bases Amnesty Program, licensees have reported literally dozens of design bases problems that dated back to original construction. Many of these problems required physical plant changes or procedure revisions to correct. These deficiencies are reality, yet the IPEs do not account for these common-mode failures. Risk assessments should account for all possible failure modes, not just the mathematically convenient ones.

The industry is lengthening surveillance and inspection intervals based on an empirical database of equipment failure rates. However, these activities have also detected cases of sabotage and inadvertent component mispositioning. It is not apparent that the justification for longer testing and inspection intervals has accounted for these other risk factors. Risk-informed regulation must include all risks.

Timeliness of NRC Processes

NRC staff should not establish timeliness goals unless it also provides resources and oversight necessary to ensure that time frames are not met at the expense of quality.

Example: Recent emphasis on closing allegations within 180 days may be causing a high percentage of them to be closed without the underlying issues being addressed.

Whenever possible, NRC staff should live by same timeliness standards mandated for licensees.

Example: Per 10 CFR Part 21, licensees have up to 60 days from discovery of a potential safety hazard to justify why it is not a problem or report it to the NRC. The NRC, upon receipt of a 10 CFR Part 21 report, can and will evaluate it at a much more leisurely pace.


July 20, 1998

Chairman Shirley A. Jackson

Commissioner Greta J. Dicus

Commissioner Nils J. Diaz

Commissioner Edward McGaffigan, Jr.

United States Nuclear Regulatory Commission

Washington, DC 20555-0001

Dear Chairman Jackson and Commissioners:

UCS appreciated the opportunity to participate in the roundtable discussion on Friday, July 17, 1998. Three issues raised during that discussion require our further comment:

An industry representative stated Friday, and others have stated similar sentiments in various forums, that the NRC over-reacted to Millstone. UCS does not share this characterization. In any event, it must be noted that an NRC reaction would not have been necessary had the Millstone licensee and the industry fulfilled its legal obligations. In the late 1980s, the NRC was concerned about design bases control and configuration management issues. The industry assured the NRC that it had these areas under control. Millstone clearly demonstrated that this assurance was unwarranted.

It should also be pointed out that on the very day of this roundtable discussion, ten (10) US nuclear power plants (Clinton, D C Cook 1&2, LaSalle 1&2, Millstone 1&2, Beaver Valley 1&2, and Indian Point 2) were shut down while they resolved design bases and configuration management problems. These plants are not enduring protracted outages because the NRC saddled them with too many Level IV and uncited violations; they are shut down because they failed to properly implement their design control and configuration management programs.

Several people commented Friday about "inspector mischief." It is UCS's perspective that NRC inspectors are a strength and not a weakness. We contend that these capable individuals are inadequately managed because they are not given well-defined, objective criteria to measure plant performance against. Inspectors cannot be the primary fault of the NRC's inspection program; their reports are signed out by NRC regional and headquarters supervision.

We maintained that an obstacle to risk-informed regulation was that all risks are not being accounted for. For example, design errors are handled differently than operator errors. Individual plant examinations (IPEs) include probabilities for operator mistakes even though licensee event reports contain sections explaining what actions will be used to prevent recurrence of such mistakes. Thus, IPEs recognize that operator errors are a fact of life.

Design errors are treated differently. The reality of the past few years is that safety systems at many operating nuclear power plants contained design errors dating back to original plant construction that would have prevented, or seriously impaired, their functioning in case of an accident. Yet despite the growing empirical database of such findings, IPEs do not account for design errors that might prevent safety systems from functioning. It is possible to calculate design error probabilities from the existing data just as the operator error probabilities are determined.

While the focus of the roundtable discussion was on areas in which the various stakeholders felt that the NRC needed to improve, we would be remiss if we did not comment that the NRC does many things very well. It is, in fact, this demonstrated capability that gives us hope that the NRC will be able to resolve the weak areas discussed last Friday.

Sincerely,

David A. Lochbaum

Nuclear Safety Engineer