Nuclear Regulation
NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power Plant's Shutdown
Gao ID: GAO-04-415 May 17, 2004
In March 2002, the most serious safety issue confronting the nation's commercial nuclear power industry since Three Mile Island in 1979 was identified at the Davis- Besse plant in Ohio. After the Nuclear Regulatory Commission (NRC) allowed Davis-Besse to delay shutting down to inspect its reactor vessel for cracked tubing, the plant found that leakage from these tubes had caused extensive corrosion on the vessel head--a vital barrier preventing a radioactive release. GAO determined (1) why NRC did not identify and prevent the corrosion, (2) whether the process NRC used in deciding to delay the shutdown was credible, and (3) whether NRC is taking sufficient action in the wake of the incident to prevent similar problems from developing at other plants.
NRC should have but did not identify or prevent the corrosion at Davis- Besse because its oversight did not generate accurate information on plant conditions. NRC inspectors were aware of indications of leaking tubes and corrosion; however, the inspectors did not recognize the indications' importance and did not fully communicate information about them. NRC also considered FirstEnergy--Davis-Besse's owner--a good performer, which resulted in fewer NRC inspections and questions about plant conditions. NRC was aware of the potential for cracked tubes and corrosion at plants like Davis-Besse but did not view them as an immediate concern. Thus, NRC did not modify its inspections to identify these conditions. NRC's process for deciding to allow Davis-Besse to delay its shutdown lacks credibility. Because NRC had no guidance specifically for making a decision on whether a plant should shut down, it used guidance for deciding whether a plant should be allowed to modify its operating license. NRC did not always follow this guidance and generally did not document how it applied the guidance. The risk estimate NRC used to help decide whether the plant should shut down was also flawed and underestimated the amount of risk that Davis-Besse posed. Further, even though underestimated, the estimate still exceeded risk levels generally accepted by the agency. NRC has taken several significant actions to help prevent reactor vessel corrosion from recurring at nuclear power plants. NRC has required more extensive vessel examinations and augmented inspector training. However, NRC has not yet completed all of its planned actions and, more importantly, has no plans to address three systemic weaknesses underscored by the incident. Specifically, NRC has proposed no actions to help it better (1) identify early indications of deteriorating safety conditions at plants, (2) decide whether to shut down a plant, or (3) monitor actions taken in response to incidents at plants. Both NRC and GAO had previously identified problems in NRC programs that contributed to the Davis-Besse incident, yet these problems continue to persist.
Recommendations
Our recommendations from this work are listed below with a Contact for more information. Status will change from "In process" to "Open," "Closed - implemented," or "Closed - not implemented" based on our follow up work.
Director:
Team:
Phone:
GAO-04-415, Nuclear Regulation: NRC Needs to More Aggressively and Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power Plant's Shutdown
This is the accessible text file for GAO report number GAO-04-415
entitled 'Nuclear Regulation: NRC Needs to More Aggressively and
Comprehensively Resolve Issues Related to the Davis-Besse Nuclear Power
Plant's Shutdown' which was released on May 18, 2004.
This text file was formatted by the U.S. General Accounting Office
(GAO) to be accessible to users with visual impairments, as part of a
longer term project to improve GAO products' accessibility. Every
attempt has been made to maintain the structural and data integrity of
the original printed product. Accessibility features, such as text
descriptions of tables, consecutively numbered footnotes placed at the
end of the file, and the text of agency comment letters, are provided
but may not exactly duplicate the presentation or format of the printed
version. The portable document format (PDF) file is an exact electronic
replica of the printed version. We welcome your feedback. Please E-mail
your comments regarding the contents or accessibility features of this
document to Webmaster@gao.gov.
This is a work of the U.S. government and is not subject to copyright
protection in the United States. It may be reproduced and distributed
in its entirety without further permission from GAO. Because this work
may contain copyrighted images or other material, permission from the
copyright holder may be necessary if you wish to reproduce this
material separately.
Report to Congressional Requesters:
May 2004:
NUCLEAR REGULATION:
NRC Needs to More Aggressively and Comprehensively Resolve Issues
Related to the Davis-Besse Nuclear Power Plant's Shutdown:
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-04-415]:
GAO Highlights:
Highlights of GAO-04-415, a report to congressional requesters
Why GAO Did This Study:
In March 2002, the most serious safety issue confronting the nation‘s
commercial nuclear power industry since Three Mile Island in 1979 was
identified at the Davis-Besse plant in Ohio. After the Nuclear
Regulatory Commission (NRC) allowed Davis-Besse to delay shutting down
to inspect its reactor vessel for cracked tubing, the plant found that
leakage from these tubes had caused extensive corrosion on the vessel
head”a vital barrier preventing a radioactive release. GAO determined
(1) why NRC did not identify and prevent the corrosion, (2) whether the
process NRC used in deciding to delay the shutdown was credible, and
(3) whether NRC is taking sufficient action in the wake of the incident
to prevent similar problems from developing at other plants.
What GAO Found:
NRC should have but did not identify or prevent the corrosion at Davis-
Besse because its oversight did not generate accurate information on
plant conditions. NRC inspectors were aware of indications of leaking
tubes and corrosion; however, the inspectors did not recognize the
indications‘ importance and did not fully communicate information about
them. NRC also considered FirstEnergy”Davis-Besse‘s owner”a good
performer, which resulted in fewer NRC inspections and questions about
plant conditions. NRC was aware of the potential for cracked tubes and
corrosion at plants like Davis-Besse but did not view them as an
immediate concern. Thus, NRC did not modify its inspections to identify
these conditions.
NRC‘s process for deciding to allow Davis-Besse to delay its shutdown
lacks credibility. Because NRC had no guidance specifically for making
a decision on whether a plant should shut down, it used guidance for
deciding whether a plant should be allowed to modify its operating
license. NRC did not always follow this guidance and generally did not
document how it applied the guidance. The risk estimate NRC used to
help decide whether the plant should shut down was also flawed and
underestimated the amount of risk that Davis-Besse posed. Further, even
though underestimated, the estimate still exceeded risk levels
generally accepted by the agency.
NRC has taken several significant actions to help prevent reactor
vessel corrosion from recurring at nuclear power plants. For example,
NRC has required more extensive vessel examinations and augmented
inspector training. However, NRC has not yet completed all of its
planned actions and, more importantly, has no plans to address three
systemic weaknesses underscored by the incident. Specifically, NRC has
proposed no actions to help it better (1) identify early indications of
deteriorating safety conditions at plants, (2) decide whether to shut
down a plant, or (3) monitor actions taken in response to incidents at
plants. Both NRC and GAO had previously identified problems in NRC
programs that contributed to the Davis-Besse incident, yet these
problems continue to persist.
What GAO Recommends:
Because the nation‘s nuclear power plants are aging, GAO is
recommending that NRC take more aggressive actions to mitigate the risk
of serious safety problems occurring at Davis-Besse and other nuclear
power plants.
NRC disagreed with two of the report‘s five recommendations”that it
develop (1) additional means to better identify safety problems early
and (2) guidance for making decisions whether to shut down a plant. GAO
continues to believe these recommendations are appropriate and should
be implemented.
www.gao.gov/cgi-bin/getrpt?GAO-04-415.
To view the full product, including the scope and methodology, click on
the link above. For more information, contact Jim Wells at (202)
512-3841 or wellsj@gao.gov.
[End of section]
Contents:
Letter:
Scope and Methodology:
Results in Brief:
Background:
NRC's Actions to Oversee Davis-Besse Did Not Provide an Accurate
Assessment of Safety at the Plant:
NRC's Process for Deciding Whether to Allow a Delayed Davis-Besse
Shutdown Lacked Credibility:
NRC Has Made Progress in Implementing Recommended Changes, but Is Not
Addressing Important Systemic Issues:
Conclusions:
Recommendations for Executive Action:
Agency Comments and Our Evaluation:
Appendixes:
Appendix I: Time Line Relating Significant Events of Interest:
Appendix II: Analysis of the Nuclear Regulatory Commission's
Probabilistic Risk Assessment for Davis-Besse:
Appendix III: Davis-Besse Task Force Recommendations to NRC and Their
Status, as of March 2004:
Appendix IV: Comments from the Nuclear Regulatory Commission:
GAO Comments:
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Staff Acknowledgments:
Related GAO Products:
Table:
Table 1: Status of Davis-Besse Lessons-Learned Task Force
Recommendations, as of March 2004:
Figures:
Figure 1: Major Components of a Pressurized Water Reactor:
Figure 2: Major Components of the Davis-Besse Reactor Vessel Head and
Pressure Boundary:
Figure 3: Diagram of the Cavity in Davis-Besse's Reactor Vessel Head:
Figure 4: The Cavity in Davis-Besse's Reactor Vessel Head after
Discovery:
Figure 5: Rust and Boric Acid on Davis-Besse's Vessel Head as Shown to
Resident Inspector during the 2000 Refueling Outage:
Figure 6: NRC's Acceptance Guidelines for Core Damage Frequency:
Abbreviations:
NRC: Nuclear Regulatory Commission:
PRA: Probabilistic risk assessment:
Letter May 17, 2004:
Congressional Requesters:
In 2002, the most serious safety issue confronting the nation's
commercial nuclear power industry since the accident at Three Mile
Island in 1979 was identified at the Davis-Besse nuclear power plant in
northwestern Ohio. On March 7, 2002, during shutdown for inspection and
refueling, the owner of the Davis-Besse plant--FirstEnergy Nuclear
Operating Company--discovered a pineapple-sized cavity in the plant's
carbon steel reactor vessel head. The reactor vessel head is an 18-
foot-diameter, 6-inch-thick, 80-ton cap that is bolted to the reactor
vessel. The vessel head is an integral part of the reactor coolant
pressure boundary that serves as a vital barrier for protecting the
environment from any release of radiation from the reactor core. In
pressurized water reactors such as the one at Davis-Besse, the reactor
vessel contains the nuclear fuel, as well as water with diluted boric
acid that cools the fuel and helps control the nuclear reaction. At the
Davis-Besse plant, vertical tubes had cracked that penetrate the
reactor vessel head and that contain this water as well as drive
mechanisms used to lower and raise the fuel, thus allowing leaked boric
acid to corrode the reactor vessel head. The corrosion had extended
through the vessel head to a thin stainless steel lining and had likely
occurred over a period of several years. The lining, which is less than
one-third of an inch thick and was not designed as a pressure barrier,
was found to have a slight bulge with evidence of cracking. Had this
lining given way, the water within the reactor vessel would have
escaped, triggering a loss-of-coolant accident, which--if back-up
safety systems had failed to operate--likely would have resulted in the
melting of the radioactive core and a subsequent release of radioactive
materials into the environment. In March 2004, after 2 years of
increased NRC oversight and considerable repairs by FirstEnergy, NRC
approved the restart of Davis-Besse's operations.
Under the Atomic Energy Act of 1954, as amended, and the Energy
Reorganization Act of 1974, as amended, the Nuclear Regulatory
Commission (NRC) and the operators of nuclear power plants share the
responsibility for ensuring that nuclear reactors are operated safely.
NRC is responsible for issuing regulations, licensing and inspecting
plants, and requiring action, as necessary, to protect public health
and safety; plant operators have the primary responsibility for safely
operating the plants in accordance with their licenses. NRC has the
authority to order plant operators to take actions, up to and including
shutting down a plant, if licensing conditions are not being met and
the plant poses an undue risk to public health and safety. In carrying
out its responsibilities, NRC relies on, among other things, on-site
NRC resident inspectors to assess plant conditions and quality
assurance programs, such as those for maintenance and operations, that
operators establish to ensure safety at the plant.
Before the discovery of the cavity in the Davis-Besse reactor vessel
head, NRC had requested that operators of Davis-Besse and other similar
pressurized water reactors (1) thoroughly inspect the vertical tubing
on their reactor vessel heads by December 31, 2001, for possible
cracking, or (2) justify why their tubing and reactor vessel heads were
sufficiently safe without being inspected. This request was a reaction
to cracked vertical tubing found on a pressurized water reactor vessel
head at another plant. Such thorough inspections require that the
reactor be shut down. FirstEnergy, believing that its reactor vessel
head was safe, asked NRC if its shutdown could be delayed until the end
of March 2002 to coincide with an already scheduled shutdown for
refueling--during which time it would conduct the requested inspection.
FirstEnergy provided evidence supporting its assertion that the reactor
could continue operating safely. After considerable discussion, and
after NRC developed a risk assessment estimate for deciding that Davis-
Besse would not pose an unacceptable level of risk, NRC and FirstEnergy
compromised, and FirstEnergy agreed to shut down the reactor in mid-
February 2002 for inspection. Soon after Davis-Besse was shut down, the
cracked tubes and the significant reactor vessel head corrosion were
discovered.
You asked us to determine (1) why NRC did not identify and prevent the
vessel head corrosion at Davis-Besse, (2) whether the process NRC used
when deciding to allow FirstEnergy to delay its shutdown was credible,
and (3) whether NRC is taking sufficient action in the wake of the
Davis-Besse incident to prevent similar problems from developing in the
future at Davis-Besse and other nuclear power plants. As agreed with
your offices, our review focused on NRC's role in the events leading up
to Davis-Besse's shutdown, NRC's response to the problems discovered,
and NRC's management controls over programs and processes that may have
contributed to the Davis-Besse incident. We did not evaluate the role
of FirstEnergy because, at the time of our review, NRC's Office of
Investigations and the Department of Justice were conducting separate
inquiries into the potential liability of FirstEnergy concerning its
knowledge of conditions at Davis-Besse, including the condition of the
reactor vessel head. We also did not review NRC's March 2004 decision
to allow the plant to restart.
Scope and Methodology:
To determine why NRC did not identify and prevent the vessel head
corrosion at the Davis-Besse nuclear power plant, we reviewed NRC's
lessons-learned task force report;[Footnote 1] FirstEnergy's root cause
analysis reports;[Footnote 2] NRC's Office of the Inspector General
reports on Davis-Besse;[Footnote 3] NRC's augmented inspection team
report;[Footnote 4] and NRC's inspection reports and licensee
assessments from 1998 through 2001. We also reviewed NRC generic
communications issued on boric acid corrosion and on nozzle cracking.
In addition, we interviewed NRC regional officials who were involved in
overseeing Davis-Besse at the time corrosion was occurring, and when
the reactor vessel head cavity was found, to learn what information
they had, their knowledge of plant activities, and how they
communicated information to headquarters. We also held discussions with
the resident inspector who was at Davis-Besse at the time that
corrosion was occurring to determine what information he had and how
this information was communicated to the regional office. Further, we
met with FirstEnergy and NRC officials at Davis-Besse and walked
through the facility, including the containment building, to understand
the nature and extent of NRC's oversight of licensees. Additionally, we
met with NRC headquarters officials to discuss the oversight process as
it related to Davis-Besse, and the extent of their knowledge of
conditions at Davis-Besse. We also met with county officials from
Ottawa County, Ohio, to discuss their views on NRC and Davis-Besse
plant safety. Further, we met with representatives from a variety of
public interest groups to obtain their thoughts on NRC's oversight and
the agency's proposed changes in the wake of Davis-Besse.
To determine whether the process NRC used was credible when deciding to
allow Davis-Besse to delay its shutdown, we evaluated NRC guidelines
for reviewing licensee requests for temporary and permanent license
changes, or amendments to their licenses. We also reviewed NRC guidance
for making and documenting agency decisions, such as those on whether
to accept licensee responses to generic communications, as well as
NRC's policies and procedures for taking enforcement action. We
supplemented these reviews with an analysis of internal NRC
correspondence related to the decision-making process, including e-mail
correspondence, notes, and briefing slides. We also reviewed NRC's
request for additional information to FirstEnergy following the
issuance of NRC's generic bulletin for conducting reactor vessel head
and nozzle inspections, as well as responses provided by FirstEnergy.
In addition, we reviewed the draft shutdown order that NRC prepared
before accepting FirstEnergy's proposal to conduct its inspection in
mid-February 2002. We reviewed these documents to determine whether the
basis for NRC's decision was clearly laid out, persuasive, and
defensible to a party outside of NRC.
As part of our analysis for determining whether NRC's process was
credible, we also obtained and reviewed NRC's probabilistic risk
assessment (PRA) calculations that it developed to guide its decision
making. To conduct this analysis, we relied on the advice of
consultants who, collectively, have an extensive background in nuclear
engineering, PRA, and metallurgy. These consultants included Dr. John
C. Lee, Professor and Chair, Nuclear Engineering and Radiological
Sciences at the University of Michigan's College of Engineering; Dr.
Thomas H. Pigford, Professor Emeritus, at the University of California-
Berkeley's College of Engineering; and Dr. Gary S. Was, Associate Dean
for Research in the College of Engineering, and Professor, Nuclear
Engineering and Radiological Sciences at the University of Michigan's
College of Engineering. These consultants reviewed internal NRC
correspondence relating to NRC's PRA estimate, NRC's calculations, and
the basis for these calculations. These consultants also discussed the
basis for NRC's estimates with NRC officials and outside contractors
who provided information to NRC as it developed its estimates. These
consultants were selected on the basis of recommendations made by other
nuclear engineering experts, their résumés, their collective
experience, lack of a conflict of interest, and previous experience
with assessing incidents at nuclear power plants such as Three Mile
Island.
To determine whether NRC is taking sufficient action in the wake of the
Davis-Besse incident to prevent similar problems from developing in the
future, we reviewed NRC's lessons-learned task force recommendations,
NRC's analysis of the underlying causes for failing to identify the
corrosion of the reactor vessel head, and NRC's action plan developed
in response to the task force recommendations. We also reviewed other
NRC lessons-learned task force reports and their recommendations, our
prior reports to identify issues related to those at Davis-Besse, and
NRC's Office of the Inspector General reports. We met with NRC
officials responsible for implementing task force recommendations to
obtain a clear understanding of the actions they were taking and the
status of their efforts, and discussed NRC's recommendations with NRC
regional officials, on-site inspectors, and representatives from public
interest groups. We conducted our review from November 2002 through May
2004 in accordance with generally accepted government auditing
standards.
Results in Brief:
NRC should have but did not identify or prevent the vessel head
corrosion at Davis-Besse because both its inspections at the plant and
its assessments of the operator's performance yielded inaccurate and
incomplete information on plant safety conditions. With respect to
inspections, NRC resident inspectors had information revealing
potential problems, such as boric acid deposits on the vessel head and
air monitors clogged with boric acid deposits, but this information did
not raise alarms about the plant's safety. NRC inspectors did not know
that these indications could signal a potentially significant problem
and therefore did not fully communicate their observations to other NRC
staff, some of whom might have recognized the significance of the
problem. However, even if these staff had been informed, according to
NRC officials, the agency would have taken action only if these
indications were considered significant safety concerns. Furthermore,
NRC's assessments of Davis-Besse, which include inspection results as
well as other data, did not provide complete and accurate information
on FirstEnergy's performance. For example, NRC consistently assessed
Davis-Besse's operator as a "good performer" during those years when
the corrosion was likely occurring, and the operator was not correctly
identifying the source of boric acid deposits. NRC had been aware for
several years that corrosion and cracking were issues that could
possibly affect safety, but did not view them as immediate safety
concerns and therefore had not fully incorporated them into its
oversight process.
NRC's process for deciding whether Davis-Besse could delay its shutdown
to inspect for nozzle cracking lacks credibility because the guidance
NRC used was not intended for making such a decision and the basis for
the decision was not fully documented. In the absence of written
guidance specifically intended to direct the decision-making process
for a shutdown, NRC used guidance designed for considering operator
requests for license amendments. This guidance describes safety factors
that NRC should consider in deciding whether to approve a license
amendment, as well as a process for considering the relative risk the
amendment could pose. However, the guidance does not specify how NRC
should use the safety factors, and we could not determine if NRC
appropriately followed this guidance because it did not clearly
document the basis for its decision. For example, NRC initially decided
that several safety factors were not met and considered issuing a
shutdown order. Regardless, the agency allowed FirstEnergy to delay its
shutdown, even though it is not clear whether--and if so, how--the
safety factors were subsequently met. Further, NRC did not provide a
rationale for its decision for more than a year. NRC also did not
follow other aspects of its guidance. In the absence of specific
guidance, and with little documentation of the decision-making process,
we could not judge whether the agency's decision was reasonable. Our
consultants identified substantial problems with how NRC developed and
used its risk estimate when making the decision. For example, NRC did
not perform an analysis of the uncertainty associated with the risk
estimate; if it had, our consultants believe the uncertainty would have
been so large as to render NRC's risk estimate of questionable value.
Further, the risk estimate indicated that the likelihood of an accident
occurring at Davis-Besse was greater than the level of risk generally
accepted as being reasonable by NRC.
Responding to the Davis-Besse incident, NRC has taken several
significant actions to help prevent boric acid from corroding reactor
vessel heads at nuclear power plants. NRC issued requirements that
licensees more extensively examine their reactor vessel heads, revised
NRC inspection guidance used to identify and resolve licensee problems
before they affect operations, augmented training to keep its
inspectors better informed about boric acid and cracking issues, and
revised guidance to better ensure that licensees implement commitments
to change their operations. However, NRC has not yet implemented more
than half of its planned actions, and resource constraints could affect
the agency's ability to fully and effectively implement the actions.
More importantly, NRC is not addressing three systemic problems
underscored by the Davis-Besse incident. First, its process for
assessing safety at nuclear power plants is not adequate for detecting
early indications of deteriorating safety. In this respect, the process
does not effectively identify changes in the operator's performance or
approach to safety before a more serious safety problem can develop.
Second, NRC's decision-making guidance does not specifically address
shutdown decisions or explain how different safety considerations, such
as quantitative estimates of risk, should be weighed. Third, NRC does
not have adequate management controls for systematically tracking
actions that it has taken in response to incidents at plants to
determine if the actions were sufficient to resolve underlying problems
and thereby prevent future incidents. Analyses of earlier incidents at
other plants identified several issues, such as inadequate
communication, that contributed to the Davis-Besse incident. Such
management controls may have helped to resolve these issues before the
Davis-Besse incident occurred. While NRC is monitoring how it
implements actions taken as a result of the Davis-Besse incident, the
agency has not yet committed to a process for assessing the
effectiveness of actions taken.
Given NRC's actions in response to Davis-Besse, severe vessel head
corrosion is unlikely to occur at a plant any time soon. However, in
part because of unresolved systemic problems, another incident
unrelated to vessel head corrosion could occur in the future. As a
result, we are recommending that NRC take more aggressive and specific
actions in several areas, such as revising how it assesses plant
performance, establishing a more specific methodology for deciding to
shut down a plant, and establishing management controls for monitoring
and assessing the effectiveness of changes made in response to task
force findings.
In commenting on a draft of this report, NRC generally addressed only
those findings and recommendations with which it disagreed. While
commenting that it agreed with many of our findings, the agency said
that the report overall does not appropriately characterize or provide
a balanced perspective on NRC's actions surrounding the discovery of
the reactor vessel head condition at Davis-Besse or its efforts to
incorporate the lessons learned from that experience into its
processes. More specifically, NRC stated that the report does not
acknowledge that NRC must rely heavily on its licensees to provide
complete and accurate information. NRC also expressed concern about the
report's characterization of its use of risk estimates. We believe that
the report fairly and accurately describes NRC's actions regarding the
Davis-Besse incident. Nonetheless, we expanded our discussion of NRC's
roles and responsibilities to point out that licensees are required to
provide NRC with complete and accurate information.
NRC disagreed with our recommendations to develop (1) specific guidance
and a well-defined process for deciding when to shut down a plant and
(2) a methodology to assess early indications of deteriorating safety
at nuclear power plants. NRC stated that it has sufficient guidance to
make plant shutdown decisions. NRC also stated that, as regulators, the
agency is not charged with managing licensees' facilities and that
direct involvement with those aspects of licensees' operations that
could provide it with information on early indications of deteriorating
safety crosses over to a management function. We continue to believe
that NRC should develop specific guidance and a well-defined process to
decide when to shut down a plant. In absence of such guidance for
making the Davis-Besse shutdown decision, NRC used its guidance for
considering operators' requests for amendments to their licenses. This
guidance describes safety factors that NRC should consider in deciding
whether to approve license changes, as well as a process for
considering the relative risk the amendment would pose. This guidance
does not specify how NRC should use the safety factors. We also
continue to believe that NRC should develop a methodology to assess
aspects of licensees' operations as a means to have an early warning of
developing safety problems. In implementing this recommendation, we
envision that NRC would be analyzing data for changes in operators'
performance or approach to safety, not prescribing how the plants are
managed.
Background:
NRC's Role and Responsibilities:
NRC, as an independent federal agency, regulates the commercial uses of
nuclear material to ensure adequate protection of public health and
safety and the environment. NRC is headed by a five-member commission
appointed by the President and confirmed by the Senate; one
commissioner is appointed as chairman.[Footnote 5] NRC has about 2,900
employees who work in its headquarters office in Rockville, Maryland,
and its four regional offices. NRC is financed primarily by fees that
it imposes on commercial users of the nuclear material that it
regulates. For fiscal year 2004, NRC's appropriated budget of $626
million includes about $546 million financed by these fees.
NRC regulates the nation's commercial nuclear power plants by
establishing requirements for plant owners and operators to follow in
the design, construction, and operation of the nuclear reactors. NRC
also licenses the reactors and individuals who operate them. Currently,
104 commercial nuclear reactors at 65 locations are licensed to
operate.[Footnote 6] Many of these reactors have been in service since
the early to mid-1970s. NRC initially licensed the reactors to operate
for 40 years, but as these licenses approach their expiration dates,
NRC has been granting 20-year extensions.
To ensure the reactors are operated within their licensing requirements
and technical specifications, NRC oversees them by both inspecting
activities at the plants and assessing plant performance.[Footnote 7]
NRC's inspections consist of both routine, or baseline, inspections and
supplemental inspections to assess particular licensee programs or
issues that arise at a power plant. Inspections may also occur in
response to a specific operational problem or event that has occurred
at a plant. NRC maintains inspectors at every operating nuclear power
plant in the United States and supplements the inspections conducted by
these resident inspectors with inspections conducted by staff from its
regional offices and from headquarters. Generally, inspectors verify
that the plant's operator qualifications and operations, engineering,
maintenance, fuel handling, emergency preparedness, and environmental
and radiation protection programs are adequate and comply with NRC
safety requirements. NRC also oversees licensees by requesting
information on their activities. NRC requires that information provided
by licensees be complete and accurate and, according to NRC officials,
this is an important aspect of the agency's oversight.[Footnote 8]
While we have added information to this report on the requirement that
licensees provide NRC with complete and accurate information, we
believe that NRC's oversight program should not place undue reliance on
this requirement.
Nuclear power plants have many physical structures, systems, and
components, and licensees have numerous activities under way, 24-hours
a day, to ensure the plants operate safely. Programs to ensure quality
assurance and safe operations include monitoring, maintenance, and
inspection. To carry out these programs, licensees typically prepare
several thousand reports per year describing conditions at the plant
that need to be addressed to ensure continued safe operations. Because
of the large number of activities and physical structures, systems, and
components, NRC focuses its inspections on those activities and pieces
of equipment or systems that are considered to be most significant for
protecting public health and safety. NRC terms this a "risk-informed"
approach for regulating nuclear power plants. Under this risk-informed
approach, some systems and activities that NRC considers to have
relatively less safety significance receive little NRC oversight. NRC
has adopted a risk-informed approach because it believes it can focus
its regulatory resources on those areas of the plant that the agency
considers to be most important to safety. In addition, it was able to
adopt this approach because, according to NRC, safety performance at
nuclear power plants has improved as a result of more than 25 years of
operating experience.
To decide whether inspection findings are minor or major, NRC uses a
process it began in 2000 to determine the extent to which violations
compromise plant safety. Under this process, NRC characterizes the
significance of its inspection findings by using a significance
determination process to evaluate how an inspection finding impacts the
margin of safety at a power plant. NRC has a range of enforcement
actions it can take, depending on how much the safety of the plant had
been compromised. For findings that have low safety significance, NRC
can choose to take no formal enforcement action. In these instances,
nonetheless, licensees remain responsible for addressing the identified
problems. For more serious findings, NRC may take more formal action,
such as issuing enforcement orders. Orders can be used to modify,
suspend, or even revoke an operating license. NRC has issued one
enforcement order to shut down an operating power plant in its 28-year
history--in 1987, after NRC discovered control room personnel sleeping
while on duty at the Peach Bottom nuclear power plant in Pennsylvania.
In addition to enforcement orders, NRC can issue civil penalties of up
to $120,000 per violation per day. Although NRC does not normally use
civil penalties for violations associated with its Reactor Oversight
Process, NRC will consider using them for issues that are willful, have
the potential for impacting the agency's regulatory process, or have
actual public health and safety consequences. In fiscal year 2003, NRC
proposed imposing civil penalties totaling $120,000 against two power
plant licensees for the failure to provide complete and accurate
information to the agency.
NRC uses generic communications--such as bulletins, generic letters,
and information notices--to provide information to and request
information from the nuclear industry at large or specific groups of
licensees. Bulletins and generic letters both usually request
information from licensees regarding their compliance with specific
regulations. They do not require licensees to take any specific
actions, but do require licensees to provide responses to the
information requests. In general, NRC uses bulletins, as opposed to
generic letters, to address significant issues of greater urgency. NRC
uses information notices to transmit significant recently identified
information about safety, safeguards, or environmental issues.
Licensees are expected to review the information to determine whether
it is applicable to their operations and consider action to avoid
similar problems.
Operation of Pressurized Water Nuclear Power Plants and Events Leading
to the March 2002 Discovery of Serious Corrosion:
The Davis-Besse Nuclear Power Station, owned and operated by
FirstEnergy Nuclear Operating Company, is an 882-megawatt electric
pressurized water reactor located on Lake Erie in Oak Harbor, Ohio,
about 20 miles east of Toledo. The power plant is under NRC's Region
III oversight, which is located in Lisle, Illinois. Like other
pressurized water reactors, Davis-Besse is designed with multiple
barriers between the radioactive heat-producing core and the outside
environment--a design concept called "defense-in-depth." Three main
design components provide defense-in-depth. First, the reactor core is
designed to retain radioactive material within the uranium oxide fuel,
which is also covered with a layer of metal tubing. Second, a 6-inch-
thick carbon steel vessel, lined with three-sixteenth-inch-thick
stainless steel, surrounds the reactor core. Third, a steel containment
structure, surrounded by a thick reinforced concrete building, encloses
the reactor vessel and other systems and components important for
maintaining safety. The containment structure and concrete building are
intended to help not only prevent a release of radioactivity to the
environment, but also shield the reactor from external hazards like
tornados and missiles. The reactor vessel, in addition to housing the
reactor core, contains highly pressurized water to cool the radioactive
heat-producing core and transfer heat to a steam generator.
Consequently, the vessel is referred to as the reactor pressure vessel.
From the vessel, hot pressurized water is piped to the steam generator,
where a separate supply of water is turned to steam to drive turbines
that generate electricity. (See fig. 1.):
Figure 1: Major Components of a Pressurized Water Reactor:
[See PDF for image]
[End of figure]
The top portion of the Davis-Besse reactor pressure vessel consisted of
an 18-foot-diameter vessel head that was bolted to the lower portion of
the pressure vessel. At Davis-Besse, 69 vertical tubes penetrated and
were welded to the vessel head. These tubes, called vessel head
penetration nozzles, contained control rods that, when raised or
lowered, were used to moderate or shut down the nuclear reaction in the
reactor.[Footnote 9] Because control rods attach to control rod drive
mechanisms, these types of nozzles are referred to as control rod drive
mechanism nozzles. A platform, known as the service structure, sat
above the reactor vessel head and the control rod drive mechanism
nozzles. Inside the service structure and above the pressure vessel
head was a layer of insulation to help contain the heat emanating from
the reactor. The sides of the lower portion of the service structure
were perforated with 18 5-by 7-inch rectangular openings, termed
"mouse-holes," that were used for vessel head inspections. In
pressurized water reactors such as Davis-Besse, the reactor vessel, the
vessel head, the nozzles, and other equipment used to ensure a
continuous supply of pressurized water in the reactor vessel are
collectively referred to as the reactor coolant pressure boundary. (See
fig. 2.):
Figure 2: Major Components of the Davis-Besse Reactor Vessel Head and
Pressure Boundary:
[See PDF for image]
[End of figure]
To better control the nuclear reaction at nuclear power plants, boron
in the form of boric acid crystals is dissolved in the cooling water
contained within the reactor vessel and pressure boundary. Boric acid,
under certain conditions, can cause corrosion of carbon steel. For
about 3 decades, NRC and the nuclear power industry have known that
boric acid had the potential to corrode reactor components. In general,
if leakage occurs from the reactor coolant system, the escaping coolant
will flash to steam and leave behind a concentration of impurities,
including noncorrosive dry boric acid crystals. However, under certain
conditions, the coolant will not flash to steam, and the boric acid
will remain in a liquid state where it can cause extensive and rapid
degradation of any carbon steel components it contacts. Such extensive
degradation, in both domestic and foreign pressurized water reactor
plants, has been well documented and led NRC to issue a generic letter
in 1988 requesting information from pressurized water reactor licensees
to ensure they had implemented programs to control boric acid
corrosion. NRC was primarily concerned that boric acid corrosion could
compromise the reactor coolant pressure boundary. This concern also led
NRC to develop a procedure for inspecting licensees' boric acid
corrosion control programs and led the Electric Power Research
Institute to issue guidance on boric acid corrosion control.[Footnote
10]
NRC and the nuclear power industry have also known that nozzles made of
alloy 600,[Footnote 11] used in several areas within nuclear power
plants, were prone to cracking. Cracking had become an increasingly
topical issue as the nuclear power plant fleet has aged. In 1986,
operators at domestic and foreign pressurized water reactors began
reporting leaks in various types of alloy 600 nozzles. In 1989, after
leakage was detected at a domestic plant, NRC identified the cause of
the leakage as cracking due to primary water stress corrosion.[Footnote
12] However, NRC concluded that the cracking was not an immediate
safety concern for a few reasons. For example, the cracks had a low
growth rate, were in a material with an extremely high flaw tolerance
and, accordingly, were unlikely to spread. Also, the cracks were axial-
-that is, they ran the length of the nozzle rather than its
circumference. NRC and the nuclear power industry were more concerned
that circumferential cracks could result in broken or snapped nozzles.
NRC did, however, issue a generic information notice in 1990 to inform
the industry of alloy 600 cracking. Through the early 1990s, NRC, the
Nuclear Energy Institute,[Footnote 13] and others continued to monitor
alloy 600 cracking. In 1997, continued concern over cracking led NRC to
issue a generic letter to pressurized water reactor licensees
requesting information on their plans to monitor and manage cracking in
vessel head penetration nozzles as well as to examine these nozzles.
In the spring of 2001, licensee inspections led to the discovery of
large circumferential cracking in several vessel head penetration
nozzles at the Oconee Nuclear Station, in South Carolina. As a result
of the discovery, the nuclear power industry and NRC categorized the 69
operating pressurized water reactors in the United States into
different groups on the basis of (1) whether cracking had already been
found and (2) how similar they were to Oconee in terms of the amount of
time and the temperature at which the reactors had operated. The
industry had developed information indicating that greater operating
time and temperature were related to cracking. In total, five reactors
at three locations were categorized as having already identified
cracking, while seven reactors at five locations were categorized as
being highly susceptible, given their similarity to Oconee.[Footnote
14]
In August 2001, NRC issued a bulletin requesting that licensees of
these reactors provide, within 30 days, information on their plans for
conducting nozzle inspections before December 31, 2001.[Footnote 15] In
lieu of this information, NRC stated that licensees could provide the
agency with a reasoned basis for their conclusions that their reactor
vessel pressure boundaries would continue to meet regulatory
requirements for ensuring the structural integrity of the reactor
coolant pressure boundary until the licensees conducted their
inspections. NRC used a bulletin, as opposed to a generic letter, to
request this information because cracking was considered a significant
and urgent issue. All of the licensees of the highly susceptible
reactors, except Davis-Besse and D.C. Cook reactor unit 2, provided NRC
with plans for conducting inspections by December 31, 2001.[Footnote
16]
In September 2001, FirstEnergy proposed conducting the requested
inspection in April 2002, following its planned March 31, 2002,
shutdown to replace fuel. In making this proposal, FirstEnergy
contended that the reactor coolant pressure boundary at Davis-Besse met
and would continue to meet regulatory requirements until its
inspection. NRC and FirstEnergy exchanged information throughout the
fall of 2001 regarding when FirstEnergy would conduct the inspection at
Davis-Besse. NRC drafted an enforcement order that would have shut down
Davis-Besse by December 2001 for the requested inspection in the event
that FirstEnergy could not provide an adequate justification for safe
operation beyond December 31, 2001, but ultimately compromised on a
mid-February 2002 shutdown date. NRC, in deciding when FirstEnergy had
to shut down Davis-Besse for the inspection, used a risk-informed
decision-making process, including probabilistic risk assessment
(PRA), to conclude that the risk that Davis-Besse would have an
accident in the interim was relatively low. PRA is an analytical tool
for estimating the probability that a potential accident might occur by
examining how physical structures, systems, and components, along with
employees, work together to ensure plant safety.
Following the mid-February 2002 shutdown and in the course of its
inspection in March 2002, FirstEnergy removed about 900 pounds of boric
acid crystals and powder from the reactor vessel head, and subsequently
discovered three cracked nozzles. The number of nozzles that had
cracked, as well as the extent of cracking, was consistent with
analyses that NRC staff had conducted prior to the shutdown. However,
in examining the extent of cracking, FirstEnergy also discovered that
corrosion had caused a pineapple-sized cavity in the reactor vessel
head. (See figs. 3 and 4.):
Figure 3: Diagram of the Cavity in Davis-Besse's Reactor Vessel Head:
[See PDF for image]
[End of figure]
Figure 4: The Cavity in Davis-Besse's Reactor Vessel Head after
Discovery:
[See PDF for image]
[End of figure]
After this discovery, NRC directed FirstEnergy to, among other things,
determine the root cause of the corrosion and obtain NRC approval
before restarting Davis-Besse. NRC also dispatched an augmented
inspection team consisting of NRC resident, regional, and headquarters
officials.[Footnote 17] The inspection team concluded that the cavity
was caused by boric acid corrosion from leaks through the control rod
drive mechanism nozzles in the reactor vessel head. Primary water
stress corrosion cracking of the nozzles caused through-wall cracks,
which led to the leakage and eventual corrosion of the vessel head.
NRC's inspection team also concluded, among other things, that this
corrosion had gone undetected for an extended period of time--at least
4 years--and significantly compromised the plant's safety margins. As
of May 2004, NRC had not yet completed other analyses, including how
long Davis-Besse could have continued to operate with the corrosion it
had experienced before a vessel head loss-of-coolant accident would
have occurred.[Footnote 18] However, on May 4, 2004, NRC released
preliminary results of its analysis of the vessel head and cracked
cladding. Based on its analysis of conditions that existed on February
16, 2002, NRC estimated that Davis-Besse could have operated for
another 2 to 13 months without the vessel head failing. However, the
agency cautioned that this estimate was based on several uncertainties
associated with the complex network of cracks on the cladding and the
lack of knowledge about corrosion and cracking rates. NRC plans to use
this data in preparing its preliminary analysis of how, and the
likelihood that, the events at Davis-Besse could have led to core
damage. NRC plans to complete this preliminary analysis in the summer
of 2004.
NRC also established a special oversight panel to (1) coordinate NRC's
efforts to assess FirstEnergy's performance problems that resulted in
the corrosion damage, (2) monitor Davis-Besse's corrective actions, and
(3) evaluate the plant's readiness to resume operations. The panel,
which is referred to as the Davis-Besse Oversight Panel, comprises
officials from NRC's Region III office in Lisle, Illinois; NRC
headquarters; and the resident inspector office at Davis-Besse. In
addition to overseeing FirstEnergy's performance during the shutdown
and through restart of Davis-Besse, the panel holds public meetings in
Oak Harbor, Ohio, where the plant is located, and nearby Port Clinton,
Ohio, to inform the public about its oversight of Davis-Besse's restart
efforts and its views on the adequacy of these efforts. The panel
developed a checklist of issues that FirstEnergy had to resolve prior
to restarting: (1) replacing the vessel head and ensuring the adequacy
of other equipment important for safety, (2) correcting FirstEnergy
programs that led to the corrosion, and (3) ensuring FirstEnergy's
readiness to restart. To restart the plant, FirstEnergy, among other
things, removed the damaged reactor vessel head, purchased and
installed a new head, replaced management at the plant, and took steps
to improve key programs that should have prevented or detected the
corrosion. As of March 2004, when NRC gave its approval for Davis-Besse
to resume operations, the shutdown and preparations for restart had
cost FirstEnergy approximately $640 million.[Footnote 19]
In addition, NRC established a task force to evaluate its regulatory
processes for assuring reactor pressure vessel head integrity and to
identify and recommend areas for improvement that may be applicable to
either NRC or the nuclear power industry. The task force's report,
which was issued in September 2002, contains 51 recommendations aimed
primarily at improving NRC's process for inspecting and overseeing
licensees, communicating with industry, and identifying potential
emerging technical issues that could impact plant safety. NRC developed
an action plan to implement the report's recommendations.
NRC's Actions to Oversee Davis-Besse Did Not Provide an Accurate
Assessment of Safety at the Plant:
NRC's inspections and assessments of FirstEnergy's operations should
have but did not provide the agency with an accurate understanding of
safety conditions at Davis-Besse, and thus NRC failed to identify or
prevent the vessel head corrosion. Some NRC inspectors were aware of
the indications of corrosion and leakage that could have alerted NRC to
corrosion problems at the plant, but they did not have the knowledge to
recognize the significance of this information. These problems were
compounded by NRC's assessments of FirstEnergy that led the agency to
believe FirstEnergy was a good performer and could or would
successfully resolve problems before they became significant safety
issues. More broadly, NRC had a range of information that could have
identified and prevented the incident at Davis-Besse but did not
effectively integrate it into its oversight.
Several Factors Contributed to the Inadequacy of NRC's Inspections for
Determining Plant Conditions:
Three separate, but related, NRC inspection program factors contributed
to the development of the corrosion problems at Davis-Besse. First,
resident inspectors did not know that the boric acid, rust, and
unidentified leaking indicated that the reactor vessel head might be
degrading. Second, these inspectors thought they understood the cause
for the indications, based on licensee actions to address them.
Therefore, resident inspectors, as well as regional and headquarters
officials, did not fully communicate information on the indications or
decide how to address them, and therefore took no action. Third,
because the significance of the symptoms was not fully recognized, NRC
did not direct sufficient inspector resources to aggressively
investigate the indicators. NRC might have taken a different approach
to the Davis-Besse situation if its program to identify emerging issues
important to safety had pursued earlier concerns about boric acid
corrosion and cracking and recognized how they could affect safety.
Inspectors Did Not Know Safety Significance of Observed Problems:
NRC limits the amount of unidentified leakage from the reactor coolant
system to no more than 1 gallon per minute. When this limit is
exceeded, NRC requires that licensees identify and correct any sources
of unidentified leakage. NRC also prohibits any leakage from the
reactor coolant pressure boundary, of which the reactor vessel is a key
component. Such leakage is prohibited because the pressure boundary is
key to maintaining adequate coolant around the reactor fuel and thus
protects public health and safety. Because of this, NRC's technical
specification states that licensees are to monitor reactor coolant
leakage and shut down within 36 hours if leakage is found in the
pressure boundary.
In the years leading up to FirstEnergy's March 2002 discovery that
Davis-Besse's vessel head had corroded extensively, NRC had several
indications of potential leakage problems. First, NRC knew that the
rates of leakage in the reactor coolant system had increased. Between
1995 and mid-1998, the unidentified leakage rate was about 0.06 gallon
per minute or less, according to FirstEnergy's monitoring. In mid-1998,
the unidentified reactor coolant system leakage rate increased
significantly--to as much as 0.8 gallon per minute. The elevated
leakage rate was dominated by a known problem with a leaking relief
valve on the reactor coolant system pressurizer tank, which masked the
ongoing leak on the reactor pressure vessel head. However, the elevated
leak rate should have raised concerns.
To investigate this leakage, as well as to repair other equipment,
FirstEnergy shut down the plant in mid-1999. It then identified a
faulty relief valve that accounted for much of the leakage and repaired
the valve. However, after restarting Davis-Besse, the unidentified
leakage rate remained significantly higher than the historical average.
Specifically, the unidentified leakage rate varied between 0.15 and
0.25 gallon per minute as opposed to the historical low of about 0.06
gallon or less. While NRC was aware that the rate was higher than
before, NRC did not aggressively pursue the difference because the rate
was well below NRC's limit of no more than 1 gallon per minute, and
thus the leak was not viewed as being a significant safety concern.
Following the repair in 1999, NRC's inspection report concluded that
FirstEnergy's efforts to reduce the leak rate during the outage were
effective.
Second, NRC was aware of increased levels of boric acid in the
containment building--an indication that components containing reactor
coolant were leaking. So much boric acid was being deposited that
FirstEnergy officials had to repeatedly clean the containment air
cooling system and radiation monitor filters. For example, before 1998,
the containment air coolers seldom needed cleaning, but FirstEnergy had
to clean them 28 times between late 1998 and May 2001. Between May 2001
and the mid-February 2002 shutdown, the containment air coolers were
not cleaned, but at shutdown, FirstEnergy removed 15 5-gallon buckets
of boric acid from the coolers--which is almost as much as was found on
the reactor pressure vessel head. Rather than seeing these repeated
cleanings as an indication of a problem that needed to be addressed,
FirstEnergy made cleaning the coolers a routine maintenance activity,
which NRC did not consider significant enough to require additional
inspections. Furthermore, the radiation monitors, used to sample air
from the containment building to detect radiation, typically required
new filters every month. However, from 1998 to 2002, these monitors
became clogged and inoperable hundreds of times because of boric acid,
despite FirstEnergy's efforts to fix the problem.
Third, NRC was aware that FirstEnergy found rust in the containment
building. The radiation monitor filters had accumulated dark colored
iron oxide particles--a product of carbon steel corrosion--that were
likely to have resulted from a very small steam leak. NRC inspection
reports during the summer and fall of 1999 noted these indications and,
while recognizing FirstEnergy's aggressive attempts to identify the
reasons for the phenomenon, concluded that they were a "distraction to
plant personnel." Several NRC inspection reports noted indications of
leakage, boric acid, and rust before the agency adopted its new Reactor
Oversight Process in 2000, but because the leakage was within NRC's
technical specifications and NRC officials thought that the licensee
understood and would fix the problem, NRC did not aggressively pursue
the indications. NRC's new oversight process, implemented in the spring
of 2000, limited the issues that could be discussed in NRC inspection
reports to those that the agency considers to have more than minor
significance. Because the leakage rates were below NRC's limits, NRC's
inspection reports following the implementation of NRC's new oversight
process did not identify any discussion of these problems at the plant.
Fourth, NRC was aware that FirstEnergy found rust on the Davis-Besse
reactor vessel head, but it did not recognize its significance. For
instance, during the 2000 refueling outage, a FirstEnergy official said
he showed one of the two NRC resident inspectors a report that included
photographs of rust-colored boric acid on the vessel head. (See fig.
5.):
Figure 5: Rust and Boric Acid on Davis-Besse's Vessel Head as Shown to
Resident Inspector during the 2000 Refueling Outage:
[See PDF for image]
[End of figure]
According to this resident inspector, he did not recall seeing the
report or photographs but had no reason to doubt the FirstEnergy
official's statement. Regardless, he stated that had he seen the
photographs, he would not have considered the condition to be
significant at the time. He said that he did not know what the rust and
boric acid might have indicated, and he assumed that FirstEnergy would
take care of the vessel head before restarting. The second resident
inspector said he reviewed all such reports at Davis-Besse but did not
recall seeing the photographs or this particular report. He stated that
it was quite possible that he had read the report, but because the
licensee had a plan to clean the vessel head, he would have concluded
that the licensee would correct the matter before plant restart.
However, FirstEnergy did not accomplish this, even though work orders
and subsequent licensee reports indicated that this was done. According
to the NRC resident inspector and NRC regional officials, because of
the large number of licensee activities that occur during a refueling
outage, NRC inspectors do not have the time to investigate or follow up
on every issue, particularly when the issue is not viewed as being
important to safety. While the resident inspector informed regional
officials about conditions at Davis-Besse, the regional office did not
direct more inspection resources to the plant, or instruct the resident
inspector to conduct more focused oversight. Some NRC regional
officials were aware of indications of boric acid corrosion at the
plant; others were not. According to the Office of the Inspector
General's investigation and 2003 report on Davis-Besse,[Footnote 20]
the NRC regional branch chief--who supervised the staff responsible for
overseeing FirstEnergy's vessel head inspection activities during the
2000 refueling outage--said that he was unaware of the boric acid
leakage issues at Davis-Besse, including its effects on the containment
air coolers and the radiation monitor filters. Had his staff been
requested to look at these specific issues, he might have directed
inspection resources to that area. (App. I provides a time line showing
significant events of interest.):
NRC Did Not Fully Communicate Indications:
NRC was not fully aware of the indications of a potential problem at
Davis-Besse because NRC's process for transmitting information from
resident inspectors to regional offices and headquarters did not ensure
that information was fully communicated, evaluated, or used. NRC staff
communicated information about plant operations through inspection
reports, licensee assessments, and daily conference calls that included
resident, regional, and headquarters officials. According to regional
officials, information that is not considered important is not
routinely communicated to NRC management and technical specialists. For
example, while the resident inspectors at Davis-Besse knew all of the
indications of leakage, and there was some level of knowledge about
these indications at the regional office level, the knowledge was not
sufficiently widespread within NRC to alert a technical specialist who
might have recognized their safety significance. According to NRC
Region III officials, the region uses an informal means--memorandums
sent to other regions and headquarters--of communicating information
identified at plants that it considers to be important to safety.
However, because the indications at Davis-Besse were not considered
important, officials did not transmit this information to headquarters.
Further, because the process is informal, these officials said they did
not know whether--and if so, how--other NRC regions or headquarters
used this information.
Similarly, NRC officials said that NRC headquarters had no systematic
process for communicating information, such as on boric acid corrosion,
cracking, and small amounts of unidentified leakage, that had not yet
risen to a relatively high level of concern within the agency, in a
timely manner to its regions or on-site inspectors. For example, the
regional inspector that oversaw FirstEnergy's activities during the
2000 refueling outage, including the reactor vessel head inspection,
stated that he was not aware of NRC's generic bulletins and letters
pertaining to boric acid and corrosion, even though NRC issues only a
few of these bulletins and generic letters each year.[Footnote 21] In
addition, according to NRC regional officials and the resident
inspector at Davis-Besse, there is little time to review technical
reports about emerging safety issues that NRC compiles because they are
too lengthy and detailed. Ineffective communication, both within the
region and between NRC headquarters and the region, was a primary
factor cited by NRC's Office of the Inspector General in its
investigation of NRC's oversight of Davis-Besse boric acid leakage and
corrosion.[Footnote 22] For example, it found that ineffective
communication resulted in senior regional management being largely
unaware of repeated reports of boric acid leakage at Davis-Besse. It
also found that headquarters, in communications with the regions, did
not emphasize the issues discussed in its generic letters or bulletins
on boric acid corrosion or cracking. NRC programs for informing its
inspectors about issues that can reduce safety at nuclear power plants
were not effective. As a result, NRC inspectors did not recognize the
significance of the indications at Davis-Besse, fully communicate
information about the indications, or spend additional effort to follow
up on the indications.
Resource Constraints Affected NRC Oversight:
NRC also did not focus on the indications that the vessel head was
corroding because of several staff constraints. Region III was
directing resources to other plants that had experienced problems
throughout the region, and these plants thus were the subject of
increased regulatory oversight. For example, during the refueling
outages in 1998 and 2000, while NRC oversaw FirstEnergy's inspection of
the reactor vessel head, the region lacked senior project engineers to
devote to Davis-Besse. A vacancy existed for a senior project engineer
responsible for Davis-Besse from June 1997 until June 1998, except for
a one month period, and from September 1999 until May 2000, which
resulted in fewer inspection hours at the facility than would have been
normal. Other regional staff were also occupied with other plants in
the region that were having difficulties, and NRC had unfilled
vacancies for resident and regional inspector positions that strained
resources for overseeing Davis-Besse.
Even if the inspector positions had been filled, it is not certain that
the inspectors would have aggressively followed up on any of the
indications. According to our discussions with resident and regional
inspectors and our on-site review of plant activities, because nuclear
power plants are so large, with many physical structures, systems, and
components, an inspector could miss problems that were potentially
significant for safety. Licensees typically prepare several hundred
reports per month for identifying and resolving problems, and NRC
inspectors have only a limited amount of time to follow up on these
licensee reports. Consequently, NRC selects and oversees the most
safety significant structures, systems, and components.
NRC's Assessment Process Did Not Indicate Deteriorating Performance:
Under NRC's Reactor Oversight Process, NRC assesses licensees'
performance using two distinct types of information: (1) NRC's
inspection results and (2) performance indicators reported by the
licensees. These indicators, which reflect various aspects of a plant's
operations, include data on, for example, the failure or unavailability
of certain important operating systems, the number of unplanned power
changes, and the amount of reactor coolant system leakage. NRC
evaluates both the inspection results and the performance indicators to
arrive at licensee assessments, which it then color codes to reflect
their safety significance. Green assessments indicate that performance
is acceptable, and thus connote a very low risk significance and impact
on safety. White, yellow, and red assessments each represent a greater
degree of safety significance. After NRC adopted its Reactor Oversight
Process in April 2000, FirstEnergy never received anything but green
designations for its operations at Davis-Besse and was viewed by NRC as
a good performer until the 2002 discovery of the vessel head
corrosion.[Footnote 23] Similarly, prior to adopting the Reactor
Oversight Process, NRC consistently assessed FirstEnergy as generally
being a good performer. NRC officials stated, however, that significant
issues were identified and addressed as warranted throughout this
period, such as when the agency took enforcement action in response to
FirstEnergy's failure to properly repair important components in 1999-
-a failure caused by weaknesses in FirstEnergy's boric acid corrosion
control program.
Key Davis-Besse programs for ensuring the quality and safe operation of
the plant's engineered structures, systems, and components include, for
example,
* a corrective action program to ensure that problems at the plant that
are relevant to safety are identified and resolved in a timely manner,
* an operating experience program to ensure that experiences or
problems that occur are appropriately identified and analyzed to
determine their significance and relevance to operations, and:
* a plant modification program to ensure that modifications important
to safety are implemented in a timely manner.
As at other commercial nuclear power plants, NRC conducted routine,
baseline inspections of Davis-Besse to determine the effectiveness of
these programs. Reports documenting these inspections noted incidences
of boric acid leakage, corrosion, and deposits. However, between
February 1997 and March 2000, the regional office's assessment of the
licensee's performance addressed leakage in the reactor coolant system
only once and never noted the other indications. Furthermore, Davis-
Besse was not the subject of intense scrutiny in regional plant
assessment meetings because plants perceived as good performers--such
as Davis-Besse--received substantially less attention. Between April
2000--when NRC's revised assessment process took effect--until the
corrosion was discovered in March 2002, none of NRC's assessments of
Davis-Besse's performance noted leakage or other indications of
corrosion at the plant. As a result, NRC may have missed opportunities
to identify weaknesses in the Davis-Besse programs intended to detect
or prevent the corrosion.
After the corrosion was discovered, NRC analyzed the problems that led
to the corrosion on the reactor vessel head and concluded that
FirstEnergy's programs for overseeing safety at Davis-Besse were weak,
as seen in the following examples:
* Davis-Besse's corrective action program did not result in timely or
effective actions to prevent indications of leakage from reoccurring in
the reactor coolant system.
* FirstEnergy officials did not always enter equipment problems into
the corrective action program because individuals who had identified
the problem were often responsible for resolving it.
* For over a decade, FirstEnergy had delayed plant modifications to its
service structure platform, primarily because of cost. These
modifications would have improved its ability to inspect the reactor
vessel head nozzles. As a result, FirstEnergy could conduct only
limited visual inspections and cleaning of the reactor pressure vessel
head through the small "mouse-holes" that perforated the service
structure.
NRC was also unaware of the extent to which various aspects of
FirstEnergy's safety culture had degraded--that is, FirstEnergy's
organization and performance related to ensuring safety at Davis-Besse.
This degradation had allowed the incident to occur with no forewarning
because NRC's inspections and performance indicators do not directly
assess safety culture. Safety culture is a group of characteristics and
attitudes within an organization that establish, as an overriding
priority, that issues affecting nuclear plant safety receive the
attention their significance warrants. Following FirstEnergy's March
2002 discovery, NRC found numerous indications that FirstEnergy
emphasized production over plant safety. First, Davis-Besse routinely
restarted the plant following an outage, even though reactor pressure
vessel valves and control rod drive mechanisms leaked. Second, staff
was unable to remove all of the boric acid deposits from the reactor
pressure vessel head because FirstEnergy's schedule to restart the
plant dictated the amount of work that could be performed. Third,
FirstEnergy management was willing to accept degraded equipment, which
indicated a lack of commitment to resolve issues that could potentially
compromise safety. Fourth, Davis-Besse's program that was intended to
ensure that employees feel free to raise safety concerns without fear
of retaliation had several weaknesses. For example, in one instance, a
worker assigned to repair the containment air conditioner was not
provided a respirator in spite of his concerns that he would inhale
boric acid residue. According to NRC's lessons-learned task force
report, NRC was not aware of weaknesses in this program because its
inspections did not adequately assess it.
Given that FirstEnergy concluded that one of the causes for the Davis-
Besse incident was human performance and management failures, the panel
overseeing FirstEnergy's efforts to restart Davis-Besse requested that
FirstEnergy assess its safety culture before allowing the plant to
restart. To oversee FirstEnergy's efforts to improve its safety
culture, NRC (1) reviewed whether FirstEnergy had adequately identified
all of the root causes for management and human performance failures at
Davis-Besse, (2) assessed whether FirstEnergy had identified and
implemented appropriate corrective actions to resolve these failures,
and (3) assessed whether FirstEnergy's corrective actions were
effective. As late as February 2004, NRC had concerns about whether
FirstEnergy's actions would be adequate in the long term. As a result,
the Davis-Besse safety culture was one of the issues contributing to
the delay in restarting the plant. In March 2004, NRC's panel concluded
that FirstEnergy's efforts to improve its safety culture were
sufficient to allow the plant to restart. In doing so, however, NRC
officials stated that one of the conditions the panel imposed was for
FirstEnergy to conduct an independent assessment of the safety culture
at Davis-Besse annually over the course of the next 5 years.
NRC Did Not Effectively Incorporate Long-Standing Knowledge about
Corrosion, Nozzle Cracking, and Leak Detection into Its Oversight:
NRC has been aware of boric acid corrosion and its potential to affect
safety since at least 1979. It issued several notices to the nuclear
power industry about boric acid corrosion and, specifically, the
potential for it to degrade the reactor coolant pressure boundary. In
1987, two licensees found significant corrosion on their reactor
pressure vessel heads, which heightened NRC's concern. A subsequent
industry study concluded that concentrated solutions of boric acid
could result in unacceptably high corrosion rates--up to 4 inches per
year--when primary coolant leaks onto surfaces and concentrates at
temperatures found on the surface of the reactor vessel.[Footnote 24]
After considering this information and several more instances of boric
acid corrosion at plants, NRC issued a generic letter in 1988
requesting licensees to implement boric acid corrosion control
programs.
In 1990, NRC visited Davis-Besse to assess the adequacy of the plant's
boric acid corrosion control program. At that time, NRC concluded that
the program was acceptable. However, in 1999, NRC became aware that
FirstEnergy's boric acid corrosion control program was inadequate
because boric acid had corroded several bolts on a valve, and NRC
issued a violation. As a result of the violation, FirstEnergy agreed to
review its boric acid corrosion procedures and enhance its program. NRC
inspectors evaluated FirstEnergy's completed and planned actions to
improve the boric acid corrosion control program and found them to be
adequate. According to NRC officials, they never inspected the
remaining actions--assuming that the planned actions had been
implemented effectively. In 2000, NRC adopted its new Reactor Oversight
Process and discontinued its inspection procedure for plants' corrosion
control programs because these inspections had rarely been conducted
due to higher priorities. Thus, NRC had no reliable or routine way to
ensure that the nuclear power industry fully implemented boric acid
corrosion control programs.
NRC also did not routinely review operating experiences at reactors,
both in the United States and abroad, to keep abreast of boric acid
developments and determine the need to emphasize this problem. Indeed,
NRC did not fully understand the circumstances in which boric acid
would result in corrosion, rather than flash to steam. Similarly, NRC
did not know the rate at which carbon steel would corrode under
different conditions. This lack of knowledge may be linked to
shortcomings in its program to review operating experiences at
reactors, which could have been exacerbated by the 1999 elimination of
the office specifically responsible for reviewing operating
experiences.[Footnote 25] This office was responsible for, among other
things, (1) coordinating operational data collection, (2)
systematically analyzing and evaluating operational experience, (3)
providing feedback on operational experience to improve safety, (4)
assessing the effectiveness of the agencywide program, and (5) acting
as a focal point for interaction with outside organizations on issues
pertaining to operational safety data analysis and evaluation.
According to NRC officials who had overseen Davis-Besse at the time of
the incident, they would not have suspected the reactor vessel head or
cracked head penetration nozzles as the source of the filter clogging
and unidentified leakage because they had not been informed that these
could be potential problems. According to these officials, the vessel
head was "not on the radar screen.":
With regard to nozzle cracking, NRC, for more than two decades, was
aware of the potential for nozzles and other components made of alloy
600 to crack. While cracks were found at nuclear power plants, NRC
considered their safety significance to be low because the cracks were
not developing rapidly. In contrast, other countries considered the
safety significance of such cracks to be much higher. For example,
concern over alloy 600 cracking led France, as a preventive measure, to
institute requirements for an extensive nondestructive examination
inspection program for vessel head penetration nozzles, including the
removal of insulation, during every fuel outage. When any indications
of cracking were observed, even more frequent inspections were
required, which, because of economic considerations, resulted in the
replacement of vessel heads when indications were found. The effort to
replace the vessel heads is still under way. Japan replaced those
vessel heads whose nozzles it considered most susceptible to cracking,
even though no cracks had yet been found. Both France and Sweden also
installed enhanced leakage monitoring systems to detect leaks early.
However, according to NRC, such systems cannot detect the small amounts
of leakage that may be typical from cracked nozzles.
NRC recognized that an integrated, long-term program, including
periodic inspections and monitoring of vessel heads to check for nozzle
cracking, was necessary. In 1997, it issued a generic letter that
summarized NRC's efforts to address cracking of control rod drive
mechanism nozzles and requested information on licensees' plans to
inspect nozzles at their reactors. More specifically, this letter asked
licensees to provide NRC with descriptions of their inspections of
these nozzles and any plans for enhanced inspections to detect cracks.
At that time, NRC was planning to review this information to determine
if enhanced licensee inspections were warranted. Based on its review of
this information, NRC concluded that the current inspection program was
sufficient. As a result, between 1998 and 2001, NRC did not issue or
solicit additional information on nozzle cracking or assess its
requirements for inspecting reactor vessels to determine whether they
were sufficient to detect cracks. At Davis-Besse, NRC also did not
determine if FirstEnergy had plans or was implementing any plans for
enhanced nozzle inspections, as noted in the 1997 generic letter. NRC
took no further action until the cracks were found in 2001 at the
Oconee plant, in South Carolina. NRC attributed its lack of focus on
nozzle cracking, in part, to the agency's inability to effectively
review, assess, and follow up on industry operating experience events.
Furthermore, as with boric acid corrosion, NRC did not obtain or
analyze any new data about cracking that would have supported making
changes in either its regulations or inspections to better identify or
prevent corrosion on the vessel head at Davis-Besse.
NRC's technical specifications regarding allowable leakage rates also
contributed to the corrosion at Davis-Besse because the amount of
leakage that can cause extensive corrosion can be significantly less
than the level that NRC's specifications allow. According to NRC
officials, NRC's requirements, established in 1973, were based on the
best available technology at that time. The task of measuring
identified and unidentified leakage from the reactor coolant system is
not precise. It requires licensees to estimate the amount of coolant
that the reactor is supposed to contain and identify any difference in
coolant levels. They then have to account for the estimated difference
in the actual amount of coolant to arrive at a leakage rate; to do
this, they identify all sources and amounts of leakage by, among other
things, measuring the amount of water contained in various sump
collection systems. If these sources do not account for the difference,
licensees know they have an unidentified source of leakage. This
estimate can vary significantly from day to day between negative and
positive numbers.
According to analyses that FirstEnergy conducted after it identified
the corrosion in March 2002, the leakage rates from the nozzle cracks
were significantly below NRC's reactor coolant system unidentified
leakage rate of 1 gallon per minute. Specifically, the leakage from the
nozzle around which the vessel head corrosion occurred was predicted to
be 0.025 gallon per minute. If such small leakage can result in such
extensive corrosion, identifying if and where such leakage occurs is
important. NRC staff recognized as early as 1993 it would be prudent
for the nuclear power industry to consider implementing an enhanced
method for detecting small leaks during plant operation, but NRC did
not require this action, and the industry has not taken steps to do so.
Furthermore, NRC has not consistently enforced its requirement for
reactor coolant pressure boundary leakage. As a result, the NRC Davis-
Besse task force concluded that inconsistent enforcement may have
reinforced a belief that alloy 600 nozzle leakage was not actually or
potentially a safety significant issue.
NRC's Process for Deciding Whether to Allow a Delayed Davis-Besse
Shutdown Lacked Credibility:
Although FirstEnergy operated Davis-Besse without incident until
shutting it down in February 2002, certain aspects of NRC's
deliberations allowing the delayed shutdown raise questions about the
credibility of the agency's decision making, if not about the Davis-
Besse decision itself. NRC does not have specific guidance for deciding
on plant shutdowns. Instead, agency officials turned to guidance
developed for a different purpose--reviewing requests to amend license
operating conditions--and even then did not always adhere to this
guidance. In addition, NRC did not document its decision-making
process, as called for by its guidance, and its letter to FirstEnergy
to lay out the basis for the decision--sent a year after the decision-
-did not fully explain the decision. NRC's lack of guidance, coupled
with the lack of documentation, precludes us from independently judging
whether NRC's decision was reasonable. Finally, some NRC officials
stated that the shutdown decision was based, in part, on the agency's
probabilistic risk assessment (PRA) calculations of the risk that
Davis-Besse would pose if it delayed its shutdown and inspection.
However, as noted by our consultants, the calculations were flawed, and
NRC's decision makers did not always follow the agency's guidance for
developing and using such calculations.
NRC Did Not Have Specific Guidance for Deciding on Plant Shutdowns:
NRC believed that Davis-Besse could have posed a potential safety risk
because it was, in all likelihood, failing to comply with NRC's
technical specification that no leakage occur in the reactor coolant
pressure boundary. Its belief was based on the following indicators of
probable leakage:
* All six of the other reactors manufactured by the same company as
Davis-Besse's reactor had cracked nozzles and identified
leakage.[Footnote 26]
* Three of these six reactors had identified circumferential cracking.
* FirstEnergy had not performed a recent visual examination of all of
its nozzles.
Furthermore, a FirstEnergy manager agreed that cracks and leakage were
likely.
NRC has the authority to shut down a plant when it is clear that the
plant is in violation of important safety requirements, and it is clear
that the plant poses a risk to public health and safety.[Footnote 27]
Thus, if a licensee is not complying with technical specifications,
such as those for no allowable reactor vessel pressure boundary
leakage, NRC can order a plant to shut down. However, NRC decided that
it could not require Davis-Besse to shut down on the basis of other
plants' cracked nozzles and identified leakage or the manager's
acknowledgement of a probable leak. Instead, it believed it needed more
direct, or absolute, proof of a leak to order a shutdown. This standard
of proof has been questioned. According to the Union of Concerned
Scientists,[Footnote 28] for example, if NRC needed irrefutable proof
in every case of suspected problems, the agency would probably never
issue a shutdown order. In effect, in this case NRC created a Catch-22:
It needed irrefutable proof to order a shutdown but could not get this
proof without shutting down the plant and requiring that the reactor be
inspected.
Despite NRC's responsibility for ensuring that the public is adequately
protected from accidents at commercial nuclear power plants, NRC does
not have specific guidance for shutting down a plant when the plant may
pose a risk to public health and safety, even though it may be
complying with NRC requirements. It also has no specific guidance or
standards for quality of evidence needed to determine that a plant may
pose an undue risk. Lacking direct or absolute proof of leakage at
Davis-Besse, NRC instead drafted a shutdown order on the basis that a
potentially hazardous condition may have existed at the plant. NRC had
no guidance for developing such a shutdown order, and therefore, it
used its guidance for reviewing license amendment requests. NRC
officials recognized that this guidance was not specifically designed
to determine whether NRC should shut down a power plant such as Davis-
Besse. However, NRC officials stated that this guidance was the best
available for deciding on a shutdown because, although the review was
not to amend a license, the factors that NRC needed to consider in
making the decision and that were contained in the guidance were
applicable to the Davis-Besse situation.
To use its guidance for reviewing license amendment requests, NRC first
determined that the situation at Davis-Besse posed a special
circumstance because new information revealed a substantially greater
potential for a known hazard to occur, even if Davis-Besse was in
compliance with the technical specification for leakage from the
reactor coolant pressure boundary. The special circumstance stemmed
from NRC's determination that requirements for conducting vessel head
inspections were not sufficient to detect nozzle cracking and, thus,
small leaks.[Footnote 29] According to NRC officials, this
determination allowed NRC to use its guidance for reviewing license
amendment requests when deciding whether to order a shutdown.
The Extent of NRC's Reliance on License Amendment Guidance Is Not
Clear:
Under NRC's license amendment guidance, NRC considers how the license
change affects risk, but not how it has previously assessed licensee
performance, such as whether the licensee was viewed as a good
performer. With regard to the Davis-Besse decision, the guidance
directed NRC to determine whether the plant would comply with five NRC
safety principles if it operated beyond December 2001 without
inspecting the reactor vessel head. As applied to Davis-Besse, these
principles were whether the plant would (1) continue to meet
requirements for vessel head inspections, (2) maintain sufficient
defense-in-depth, (3) maintain sufficient safety margins, (4) have
little increase in the likelihood of a core damage accident, and (5)
monitor the vessel head and nozzles. The guidance, however, does not
specify how to apply these safety principles, how NRC can demonstrate
it has followed the principles and ensured they are met, or whether any
one principle takes precedence over the others. The guidance also does
not indicate what actions NRC or licensees should take if some or all
of the principles are not met.
In mid-September 2001, NRC staff concluded that Davis-Besse complied
with the first safety principle but did not meet the remaining four.
According to the staff, Davis-Besse did not meet three safety
principles because the requirements for vessel head inspections were
not adequate. Specifically, the requirements do not require the
inspector to remove the insulation above the vessel head, and thus
allow all of the nozzles to be visually inspected. NRC therefore could
not ensure that FirstEnergy was maintaining defense-in-depth and
adequate safety margins or sufficiently monitoring the vessel head and
nozzles. The staff believed that Davis-Besse did not meet the fourth
safety principle because the risk estimate of core damage approached an
unacceptable level and the estimate itself was highly uncertain.
Between early October and the end of November 2001, NRC requested and
received additional information from FirstEnergy regarding its risk
estimate of core damage--its PRA estimate--and met with the company to
determine the basis for the estimate. NRC was also developing its own
risk estimate, although its numbers kept changing. At some point during
this time, NRC staff also concluded that the first safety principle was
probably not being met, although the basis for this conclusion is not
known.
At the end of November 2001, NRC contacted FirstEnergy and informed it
that a shutdown order had been forwarded to the NRC commissioners and
asked if FirstEnergy could take any actions that would persuade NRC to
not issue the shutdown order. The following day, FirstEnergy proposed
measures to mitigate the potential for and consequences of an accident.
These measures included, among other things, lowering the operating
temperature from 605 degrees Fahrenheit to 598 degrees Fahrenheit to
reduce the driving force for stress corrosion cracking on the nozzles,
identifying a specific operator to initiate emergency cooling in
response to an accident, and moving the scheduled refueling outage up
from March 31, 2002, to no later than February 16, 2002. NRC staff
discussed these measures, and NRC management asked the staff if they
were concerned about extending Davis-Besse's operations until mid-
February 2002. While some of the staff were concerned about continued
operations, none indicated to NRC management that cracking in control
rod drive mechanism nozzles was likely extensive enough to cause a
nozzle to eject from the vessel head, thus making it unsafe to operate.
NRC formally accepted FirstEnergy's compromise proposal within several
days, thus abandoning its shutdown order.
NRC Did Not Fully Explain or Document the Basis for Its Decision:
We could not fully assess NRC's basis for accepting FirstEnergy's
proposal. NRC did not document its deliberations, even though its
guidance requires that it do so. This documentation is to include the
data, methods, and assessment criteria used; the basis for the
decisions made; and essential correspondence sufficient to document the
persons, places, and matters dealt with by NRC. Specifically, the
guidance requires that the documentation contain sufficient detail to
make possible a "proper scrutiny" of NRC decisions by authorized
outside agencies and provide evidence of how basic decisions were
formed, including oral decisions. NRC's guidance also states that NRC
should document all important staff meetings.
In reviewing NRC's documentation on the Davis-Besse decision, we found
no evidence of an in-depth or formal analysis of how Davis-Besse's
proposed measures would affect the plant's ability to satisfy the five
safety principles. Thus, it is unclear whether the safety principles
contained in the guidance were met by the measures that FirstEnergy
proposed. However, several NRC officials stated that FirstEnergy's
proposed measures had no impact on plant operations or safety. For
example, according to one NRC official, FirstEnergy's proposal to
reduce the operating temperature would have had little impact on safety
because the small drop in operating temperature over a 7-week period
would have had little effect on the growth rate of any cracks in a
nozzle. As such, this official considered the measures as "window
dressing." A proposed measure that NRC staff did consider as having a
significant impact on the risk was for FirstEnergy to dedicate an
operator for manually turning on safety equipment in the event that a
nozzle was ejected. Subsequent to approving the delayed shutdown, NRC
learned that FirstEnergy had not, in fact, planned to dedicate an
operator for this task--rather, FirstEnergy planned to have an operator
do this task in addition to other regularly assigned duties.
According to an NRC official, once NRC decided not to issue a shutdown
order for December 2001, NRC staff needed to discuss how NRC's
assessment of whether the five safety principles had been met had
changed in the course of the staff's deliberations. However, there was
no evidence in the agency's records to support that this discussion was
held, and other key meetings, such as the one in which the agency made
its decision to allow Davis-Besse to operate past December 31, 2001,
were not documented. Without documentation, it is not clear what
factors influenced NRC's decision. For example, according to the NRC
Office of the Inspector General's December 2002 report that examined
the Davis-Besse incident, NRC's decision was driven in large part by a
desire to lessen the financial impact on FirstEnergy that would result
from an early shutdown.[Footnote 30] While NRC disputed this finding,
we found no evidence in the agency's records to support or refute its
position.
In December 2001, when NRC informed FirstEnergy that it accepted the
company's proposed measures and the February 16, 2002, shutdown date,
it also said that the company would receive NRC's assessment in the
near future. However, NRC did not provide the assessment until a full
year later--in December 2002. In addition, the December 2002
assessment, which includes a four-page evaluation, does not fully
explain how the safety principles were used or met--other than by
stating that if the likelihood of nozzle failure were judged to be
small, then adequate protection would be ensured. Even though NRC's
regulations regarding the reactor coolant pressure boundary dictate
that the reactor have an extremely low probability of failing, NRC
stated it did not believe that Davis-Besse needed to demonstrate strict
conformance with this regulation. As evidence of the small likelihood
of failure, NRC cited the small size of cracks found at other power
plants, as well as its preliminary assessment of nozzle cracking, which
projected crack growth rates. NRC concluded that 7 weeks of additional
operation would not result in an appreciable increase in the size of
the cracks.[Footnote 31] While NRC included its calculated estimates of
the risk that Davis-Besse would pose, it did not detail how it
calculated its estimates.
NRC's PRA Estimate Was Flawed and Its Use in Deciding to Delay the
Shutdown Is Unclear:
In moving forward with its more risk-informed regulatory approach, NRC
has established a policy to increase the use of PRA methods as a means
to promote regulatory stability and efficiency. Using PRA methods, NRC
and the nuclear power industry can estimate the likelihood that
different accident scenarios at nuclear power plants will result in
reactor core damage and a release of radioactive materials. For
example, one of these accident scenarios begins with a "medium break"
loss-of-coolant accident in which the reactor coolant system is
breached and a midsize--about 2-to 4-inch--hole is formed that allows
coolant to escape from the reactor pressure boundary. The probability
of such an accident scenario occurring and the consequences of that
accident take into account key engineering safety system failure rates
and human error probabilities that influence how well the engineered
systems would be able to mitigate the consequences of an accident and
ensure no radioactive release from the plant.
For Davis-Besse, NRC needed two estimates: one for the frequency of a
nozzle ejecting and causing a loss-of-coolant accident and one for the
probability that a loss-of-coolant accident would result in core
damage. NRC first established an estimate, based partially on
information provided by FirstEnergy, for the frequency of a plant
developing a cracked nozzle that would initiate a medium break loss-of-
coolant accident. NRC estimated that the frequency of this occurring
would be about 2x10^-2, or 1 chance in 50,[Footnote 32] per year. NRC
then used an estimate, which FirstEnergy provided, for the probability
of core damage given a medium break loss-of-coolant accident. This
probability estimate was 2.7x10^-3, or about 1 chance in 370.[Footnote
33] Multiplying these two numbers, NRC estimated that the potential for
a nozzle to crack and cause a loss-of-coolant accident would increase
the frequency of core damage at Davis-Besse by about 5.4x10^-5per year,
or about 1 in 18,500 per year.[Footnote 34] Converting this frequency
to a probability associated with continued operation for 7 weeks, NRC
calculated that the increase in the probability of core damage was
approximately 5x10^--6 or 1 chance in 200,000.[Footnote 35] While NRC
officials currently disagree that this was the number it used, this is
the number that it included in its December 2002 assessment provided to
FirstEnergy. Further, we found no evidence in the agency's records to
support NRC's current assertion.
According to our consultants, the way NRC calculated and used the PRA
estimate was inadequate in several respects. (See app. II for the
consultants' detailed report.) First, NRC's calculations did not take
into account several factors, such as the possibility of corrosion and
axial cracking that could lead to leakage. For example, the consultants
concluded that NRC's estimate of risk was incorrectly too small,
primarily because the calculation did not consider corrosion of the
vessel head. In reviewing how NRC developed and used its PRA estimates
for Davis-Besse, our consultants noted that the calculated risk was
smaller than it should have been because the calculations did not
consider corrosion of the reactor vessel from the boric acid coolant
leaking through cracks in the nozzles. According to the consultants,
apparently all NRC staff involved in the Davis-Besse decision were
aware that coolant under high pressure was leaking from valves,
flanges, and possibly from cracks but evidently thought that the
coolant would immediately flash into steam and noncorrosive compounds
of boric acid. Our consultants, however, stated that because boric acid
could potentially cause corrosion, except at temperatures much higher
than 600 degrees Fahrenheit, NRC should have anticipated that corrosion
could occur. Our consultants further stated that as evaporation occurs,
boric acid becomes more concentrated in the remaining liquid--making it
far more corrosive--and as vapor pressure decreases, evaporation is
further slowed. They said it should be expected that some of the boric
acid in the escaping coolant could reach the metal surfaces as wet or
moist, highly corrosive material underlying the surface layers of dry
noncorrosive boric acid, which is evidently what happened at Davis-
Besse.
Our consultants concluded that NRC staff should have been aware of the
experience at French nuclear power plants, where boric acid corrosion
from leaking reactor coolant had been identified during the previous
decade, the safety significance had been recognized, and safety
procedures to mitigate the problem had been implemented. Furthermore,
tests had been conducted by the nuclear power industry and in
government laboratories on boric acid corrosion that were widely
available to NRC. They stated that keeping abreast of safety issues at
similar plants, whether domestic or foreign, and conveying relevant
safety information to licensees are important functions of NRC's safety
program. According to NRC, the agency was aware of the experience at
French nuclear power plants. For example, NRC concluded, in a December
15, 1994, internal NRC memo, that primary coolant leakage from a
through-wall crack could cause boric acid corrosion of the vessel head.
However, because it concluded that some analyses indicated that it
would take at least 6 to 9 years before any corrosion would challenge
the structural integrity of the head, NRC concluded that cracking was
not a short-term safety issue.
Our consultants also stated that NRC's risk analysis was inadequate
because the analysis concerned only the formation and propagation of
circumferential cracks that could result in nozzle failure, loss of
coolant, and even control rod ejection. Although there is less chance
of axial cracks causing complete nozzle failure, these cracks open
additional pathways for coolant leakage. In addition, their long
crevices provide considerably greater opportunity for the coolant to
concentrate near the surface of the vessel head. However, according to
our consultants, NRC was convinced that the boric acid they saw
resulted from leaking flanges above the reactor vessel head, as opposed
to axial cracks in the nozzles.
Second, NRC's analysis was inadequate because it did not include the
uncertainty of its risk estimate and use the uncertainty analysis in
the Davis-Besse decision-making process, although NRC staff should have
recognized large uncertainties associated with its risk estimate. Our
consultants also concluded that NRC failed to take into account the
large uncertainties associated with estimates of the frequency of core
damage resulting from the failure of nozzles. PRA estimates for nuclear
power plants are subject to significant uncertainties associated with
human errors and other common causes of system component failures, and
it is important that proper uncertainty analyses be performed for any
PRA study. NRC guidance and other NRC reports on advancing PRA
technology for risk-informed decisions emphasize the need to understand
and characterize uncertainties in PRA estimates. Our consultants stated
that had the NRC staff estimated the margin of error or uncertainty
associated with its PRA estimate for Davis-Besse, the uncertainty would
likely have been so high as to render the estimate of questionable
value.
Third, NRC's analysis was inadequate because the risk estimates were
higher than generally considered acceptable under NRC guidance. Despite
PRA's important role in the decision, our consultants found that NRC
did not follow its own guidance for ensuring that the estimated risk
was within levels acceptable to the agency. NRC required the nuclear
power industry to develop a baseline estimate for how frequently a core
damage accident could occur at every nuclear power plant in the United
States. This baseline estimate is used as a basis for deciding whether
changes at a plant that affect the core damage frequency are
acceptable. The baseline core damage frequency estimate for the Davis-
Besse plant was between 4x10^-5 and 6.6x10^-5 per year (which is between
1 chance in 25,000[Footnote 36] per year and about 1 chance in
15,150[Footnote 37] per year). NRC guidance for reviewing and approving
license amendment requests indicates that any plant-specific change
resulting in an increase in the frequency of core damage of 1x10^-5 per
year (which is 1 chance in 100,000 per year) or more would fall within
the highest risk zone: In this case, NRC would generally not approve
the change because the risk criterion would not be met. If a license
change would result in a core damage frequency change of 1x10^-5per year
to 1x10^--6er year (which is 1 chance in 100,000 per year to 1 chance in
1 million per year), the risk criterion would be considered marginally
met and NRC would consider approving the change but would require
additional analysis. Finally, if a license change would result in a
core damage frequency change of 1x10^-6 per year (which is 1 chance in 1
million per year) or less, the risk would fall within the lowest risk
zone and NRC would consider the risk criterion to be met and would
generally consider approving the change without requiring additional
analysis. (See fig. 6.):
Figure 6: NRC's Acceptance Guidelines for Core Damage Frequency:
[See PDF for image]
[A] Risk criterion is met and license changes would generally be
considered.
[B] Risk criterion is considered marginally met and while license
changes are generally considered, they require additional analysis.
[C] Risk criterion is not met and license changes are generally not
allowed.
[End of figure]
However, NRC's PRA estimate for Davis-Besse--an increase in the
frequency of core damage of 5.4x10^-5, or 1 chance in about 18,500 per
year--was higher than the acceptable level. While an NRC official who
helped develop the risk estimate said that additional NRC and industry
guidance was used to evaluate whether its PRA estimate was acceptable,
this guidance also suggests that NRC's estimate was too high. NRC's
estimate of the increase in the frequency of core damage of 5.4x10^-5
per year equates to an increase in the probability of core damage of
5x10^-6, or 1 chance in 200,000, for the 7-week period December 31,
2001, to February 16, 2002.335NRC's guidance for evaluating requests to
relax NRC technical specifications suggests that a probability increase
higher than 5x10^-7 or 1 chance in 2 million[Footnote 38], is
considered unacceptable for relaxing the specifications. Thus, NRC's
estimate would not be considered acceptable under this guidance. NRC's
estimate would also not be considered acceptable under Electric Power
Research Institute or Nuclear Energy Institute guidance unless further
action were taken to evaluate or manage risk. According to NRC
officials, NRC viewed its PRA estimate as being within acceptable
bounds because it was a temporary situation--7 weeks--and NRC had, at
other times, allowed much higher levels of risk at other plants.
However, at the time that NRC made its decision, it did not document
the basis for accepting this risk estimate, even though NRC's guidance
explicitly states that the decision on whether PRA results are
acceptable must be based on a full understanding of the contributors to
the PRA results and the reasoning must be well documented. In defense
of its decision, NRC officials said that the process they used to
arrive at the decision is used to make about 1,500 licensing decisions
such as this each year.
Lastly, NRC's analysis was inadequate because the agency does not have
clear guidance for how PRA estimates are to be used in the decision-
making process. Our consultants concluded that NRC's process for risk-
informed decision making is ill-defined, lacks guidelines for how it is
supposed to work, and is not uniformly transparent within NRC.
According to NRC officials involved in the Davis-Besse decision, NRC's
guidance is not clear on the use of PRA in the decision-making process.
For example, while NRC has extensive guidance, this guidance does not
outline to what extent or how the resultant PRA risk number and
uncertainty should be weighed with respect to the ultimate decision.
One factor complicating this issue is the lack of a predetermined
methodology to weigh risks expressed in PRA numbers against traditional
deterministic results and other factors.[Footnote 39] Absent this
guidance, the value assigned to the PRA analysis is largely at the
discretion of the decision maker. The process, which NRC stated is
robust, can result in a decision in which PRA played no role, a partial
role, or one in which it was the sole deciding factor. According to our
consultants, this situation is made worse by the lack of guidelines for
how, or by whom, decisions in general are made at NRC.
It is not clear how NRC staff used the PRA risk estimate in the Davis-
Besse decision-making process. For example, according to one NRC
official who was familiar with some of the data on nozzle cracking,
these data were not sufficient for making a good probabilistic
decision. He stated that he favored issuing an order requiring that
Davis-Besse be shut down by the end of December 2001 because he
believed the available data were not sufficient to assure a low enough
probability for a nozzle to be ejected. Other officials indicated that
they accepted FirstEnergy's proposed February 16, 2002, shutdown date
based largely on NRC's PRA estimate for a nozzle to crack and be
ejected. According to one of these officials, allowing the additional 7
weeks of operating time was not sufficiently risk significant under
NRC's guidance. He stated that safety margins at the plant were
preserved and the PRA number was within an acceptable range. Still
another official said he discounted the PRA estimate and did not use it
at all when recommending that NRC accept FirstEnergy's compromise
proposal. This official also stated that it was likely that many of the
staff did base their conclusions on the PRA estimate. According to our
consultants, although the extent to which the PRA risk analysis
influenced the decision making will probably never be known, it is
apparent that it did play an important role in the decision to allow
the shutdown delay.
NRC Has Made Progress in Implementing Recommended Changes, but Is Not
Addressing Important Systemic Issues:
NRC has made significant progress in implementing the actions
recommended by the Davis-Besse lessons-learned task force. While NRC
has implemented slightly less than half--21 of the 51--recommendations
as of March 2004, it is scheduled to have more than 70 percent of them
implemented by the end of 2004. For example, NRC has already taken
actions to improve staff training and inspections that would appear to
help address the concern that NRC inspectors viewed FirstEnergy as a
good performer and thus did not subject Davis-Besse to the level of
scrutiny or questioning that they should have. It is not certain when
actions to implement the remaining recommendations will occur, in part
because of resource constraints. NRC also faces challenges in fully
implementing the recommendations, also in part because of resource
constraints, both in the staff needed to develop specific corrective
actions and in the additional staff responsibilities and duties to
carry them out. Further, while NRC is making progress, the agency is
not addressing three systemic issues highlighted by the Davis-Besse
experience: (1) an inability to detect weakness or deterioration in
FirstEnergy's safety culture, (2) deficiencies in NRC's process for
deciding on a shutdown, and (3) lack of management controls to track,
on a longer-term basis, the effectiveness of actions implemented in
response to incidents such as Davis-Besse, so that they do not occur at
another power plant.
NRC Does Not Expect to Complete Its Actions until 2006, in Part Because
of Resource Constraints:
NRC's lessons-learned task force for Davis-Besse developed 51
recommendations to address the weaknesses that contributed to the
Davis-Besse incident. Of these 51 recommendations, NRC rejected 2
because it concluded that agency processes or procedures already
provided for the recommendations' intent to be effectively carried
out.[Footnote 40] To address the remaining 49 recommendations, NRC
developed a plan in March 2003 that included, for each recommendation,
the actions to be taken, the responsible NRC office, and the schedule
for completing the actions. When developing its schedule, NRC placed
the highest priority on implementing recommendations that were most
directly related to the underlying causes of the Davis-Besse incident
as well as those recommendations responding to vessel head corrosion.
NRC assigned a lower priority to the remaining recommendations, which
were to be integrated into the planning activities of those NRC offices
assigned responsibility for taking action on the recommendations. In
assigning these differing priorities, NRC officials stated they
recognized that the agency has many other pressing matters to address
that are not related to the Davis-Besse incident, such as renewing
operating licenses, and they did not want to divert resources away from
these activities. (App. III contains a complete list of the task
force's recommendations, NRC actions, and the status of the
recommendations as of March 2004.):
To better track the status of the agency's actions to implement the
recommendations, we split two of the 49 recommendations that NRC
accepted into 4; therefore, our analysis reflects NRC's response to 51
recommendations. As shown in table 1, as of March 2004, NRC had made
progress in implementing the recommendations, although some completion
dates have slipped.
Table 1: Status of Davis-Besse Lessons-Learned Task Force
Recommendations, as of March 2004:
Status: Completed as of March 2004;
Number of recommendations: 21.
Status: Scheduled for completion April through December 2004;
Number of recommendations: 17.
Status: Scheduled for completion in 2005;
Number of recommendations: 6.
Status: Completion date yet to be determined;
Number of recommendations: 7.
Total;
Number of recommendations: 51.
Source: GAO analysis of NRC data.
Note: This table does not include the two recommendations NRC rejected.
[End of table]
As the table shows, as of March 2004, NRC had implemented 21
recommendations and scheduled another 17 for completion by December
2004. However, some slippage has already occurred in this schedule--
primarily because of resource constraints--and NRC has rescheduled
completion of some recommendations. NRC's time frames for completing
the recommendations depend on several factors--the recommendations'
priority, the amount of work required to develop and implement actions,
and the need to first complete actions on other related
recommendations.
Of the 21 implemented recommendations, 10 called upon NRC to revise or
enhance its inspection guidance or training. For example, NRC revised
the guidance it uses to assess the implementation of licensees'
programs to identify and resolve problems before they affect
operations. It took this action because the task force had concluded
that FirstEnergy's weak corrective action program implementation was a
major contributor to the Davis-Besse incident. NRC has also developed
Web-based training modules to improve NRC inspectors' knowledge of
boric acid corrosion and nozzle cracking. The other 11 completed
recommendations concerned actions such as:
* collecting and analyzing foreign and domestic information on alloy
600 nozzle cracking,
* fully implementing and revising guidance to better assure that
licensees carry out their commitments to make operational changes, and:
* establishing measurements for resident inspector staffing levels and
requirements.
By the end of 2004, NRC expects to complete another 17 recommendations,
12 of which generally address broad oversight or programmatic issues,
and 5 of which provide for additional inspection guidance and training.
On the broader issues, for example, NRC is scheduled to complete a
review of the effectiveness of its response to past NRC lessons-learned
task force reports by April 2004. By December 2004, NRC expects to have
a framework established for moving forward with implementing
recommended improvements to its agencywide operating experience
program.
In 2005, 4 of the 6 recommendations scheduled for completion concern
leakage from the reactor coolant system. For example, NRC is to (1)
develop guidance and criteria for assessing licensees' responses to
increasing leakage levels and (2) determine whether licensees should
install enhanced systems to detect leakage from the reactor coolant
system. The fifth recommendation calls for NRC to inspect the adequacy
of licensees' programs for controlling boric acid corrosion, and the
final recommendation calls on NRC to assess the basis for canceling a
series of inspection procedures in 2001.
NRC did not assign completion dates to 7 recommendations because, among
other things, their completion depends on completing other
recommendations or because of limited resources. Even though it has not
assigned completion dates for these recommendations, NRC has begun to
work on 5 of the 7:
* Two recommendations will be addressed when requirements for vessel
head inspections are revised. To date, NRC has taken some related, but
temporary, actions. For example, since February 2003, it has required
licensees to more extensively examine their reactor vessel heads. NRC
has also issued a series of temporary instructions for NRC inspectors
to oversee the enhanced examinations. NRC expects to replace these
temporary steps with revised requirements for vessel head inspections.
* Two recommendations call upon NRC to revise requirements for
detecting leaks in the reactor coolant pressure boundary. In response,
NRC has, for example, begun to review its barrier integrity
requirements and has contracted for research on enhanced detection
capabilities.
* One recommendation is directed at improving follow-up of licensee
actions taken in response to NRC generic communications. NRC is
currently developing a temporary inspection procedure to assess the
effectiveness of licensee actions taken in response to generic
communications. Additionally, as a long-term change in the operating
experience program, the agency plans to improve the verification of how
effective its generic communications are.
The remaining two recommendations address NRC's need to (1) evaluate
the adequacy of methods for analyzing the risks posed by passive
components, such as reactor vessels, and integrate these methods and
risks into NRC's decision-making process and (2) review a sample of
plant assessments conducted between 1998 and 2000 to determine if any
identified plant safety issues have not been adequately assessed. NRC
has not yet taken action on these recommendations.
Some recommendations will require substantial resources to develop and
implement. As a result, some implementation dates have slipped and some
plans in response to the recommendations have changed in scope. For
example, owing to resource constraints, NRC has postponed indefinitely
the evaluation of methods to analyze the risk associated with passive
reactor components such as the vessel head. Also, in part due to
resource constraints, NRC has reconceptualized its plan to review
licensee actions in response to previous generic communications, such
as bulletins and letters.
Staff resources will be strained because implementing the
recommendations adds additional responsibilities or duties--that is,
more inspections, training, and reviews of licensee reports. For
example, NRC's revised inspection guidance for more thorough
examinations of reactor vessel heads and nozzles, as well as new
requirements for NRC oversight of licensees' corrective action
programs, will require at least an additional 200 hours of inspection
per reactor per year. As of February 2004, NRC was also revising other
inspection requirements that are likely to place additional demands on
inspectors' time. Thus, to respond to these increased demands, NRC will
either need to add inspectors or reduce oversight of other licensee
activities.
To its credit, in its 2004 budget plan, NRC increased the level of
resources for some inspection activities. However, it is not certain
that these increases will be maintained. The number of inspection hours
has fallen by more than one-third between 1995 and 2001. In addition,
NRC is aware that resident inspector vacancies are filled with staff
having varying levels of experience--from the basic level that would be
expected from a newly qualified inspector to the advanced level that is
achieved after several years' experience. According to the latest
available data, as of May 2003, about 12 percent of sites had only one
resident inspector; the remaining 88 percent had two inspectors of
varying levels of experience. Because of this situation, NRC augments
these inspection resources with regional inspectors and contractors to
ensure that, at a minimum, its baseline inspection program can be
implemented throughout the year. Because of surges in the demand for
inspections, NRC in 2003 increased its use of contractors and
temporarily pulled qualified inspectors from other jobs to help
complete the baseline inspection program for every plant. According to
NRC, it did not expect to require such measures in 2004.
Similarly, NRC may require additional staff to identify and evaluate
plants' operating experiences and communicate the results to licensees,
as the task force recommended. NRC has currently budgeted an increase
of three full-time staff in fiscal year 2006 to implement a centralized
system, or clearinghouse, for managing the operating experience
program. However, according to an NRC official, questions remain about
the level of resources needed to fully implement the task force
recommendations. NRC's operating experience office, before it was
disbanded in 1999, had about 33 staff whose primary responsibility was
to collect, evaluate, and communicate activities associated with safety
performance trends, as reflected in licensees' operating experiences,
and participate in developing rulemakings. However, it is too early to
know the effectiveness of this clearinghouse approach and the adequacy
of resources in the other offices available for collecting and
analyzing operating experience information. Neither the operating
experience office before it was disbanded nor the other offices flagged
boric acid corrosion, cracking, or leakage as problems warranting
significantly greater oversight by NRC, licensees, or the nuclear power
industry.
NRC Has Not Proposed Any Specific Actions to Correct Systemic
Weaknesses in Oversight and Decision-Making Processes:
NRC's Davis-Besse task force did not make any recommendations to
address two systemic problems: evaluating licensees' commitment to
safety and improving the agency's process for deciding on a shutdown.
NRC's Task Force Recommendations Did Not Address Licensee Safety
Culture:
NRC's task force identified numerous problems at Davis-Besse that
indicated human performance and management failures and concluded that
FirstEnergy did not foster an environment that was fully conducive to
ensuring that plant safety issues received appropriate attention.
Although the task force report did not use the term safety culture, as
evidence of FirstEnergy's safety culture problems, the task force
pointed to:
* an imbalance between production and safety, as evidenced by
FirstEnergy's efforts to address symptoms (such as regular cleanup of
boric acid deposits) rather than causes (finding the source of the
leaks during refueling outages);
* a lack of management involvement in or oversight of work at Davis-
Besse that was important for maintaining safety;
* a lack of a questioning attitude by senior FirstEnergy managers with
regard to vessel head inspections and cleaning activities;
* ineffective and untimely corrective action;
* a long-standing acceptance of degraded equipment; and:
* inadequate engineering rigor.
The task force concluded that NRC's implementation of guidance for
inspecting and assessing a safety-conscious work environment and
employee concerns programs failed to identify significant safety
problems. Although the task force did not make any specific
recommendations that NRC develop a means to assess licensees' safety
culture, it did recommend changes to focus more effort on assessing
programs to promote a safety-conscious work environment.
NRC has taken little direct action in response to this task force
recommendation. However, to help enhance NRC's capability to assess
licensee safety culture by indirect means, NRC modified the wording in,
and revised its inspection procedure for, assessing licensees' ability
to identify and resolve problems, such as malfunctioning plant
equipment. These revisions included requiring inspectors to:
* review all licensee reports on plant conditions,
* analyze trends in plant conditions to determine the existence of
potentially significant safety issues, and:
* expand the scope of their reviews to the prior 5 years in order to
identify recurring issues.
This problem identification and resolution inspection procedure is
intended to assess the end results of management's safety commitment
rather than the commitment itself. However, by measuring only the end
results, early signs of a deteriorating safety culture and declining
management performance may not be readily visible and may be hard to
interpret until clear violations of NRC's regulations occur.
Furthermore, because NRC directs its inspections at problems that it
recognizes as being more important to safety, NRC may overlook other
problems until they develop into significant and immediate safety
problems. Conditions at a plant can quickly degrade to the extent that
they can compromise public health and safety.
The International Atomic Energy Agency and its member nations have
developed guidance and procedures for assessing safety culture at
nuclear power plants, and today several countries, such as Brazil,
Canada, Finland, Sweden, and the United Kingdom, assess plant safety
culture or licensees' own assessments of their safety culture.[Footnote
41] In assessing safety culture, an advisory group to the agency
suggests that regulatory agencies examine whether, for example, (1)
employee workloads are not excessive, (2) staff training is sufficient,
(3) responsibility for safety has been clearly assigned within the
organization, (4) the corporation has clearly communicated its safety
policy, and (5) managers sufficiently emphasize safety during plant
meetings. One reason for assessing safety culture, according to the
Canadian Nuclear Safety Commission, is because management and human
performance aspects are among the leading causes of unplanned events at
licensed nuclear facilities, particularly in light of pressures such as
deregulation of the electricity market. Finland specifically requires
that nuclear power plants maintain an advanced safety culture and its
inspections target the importance that has been embedded in factors
affecting safety, including management. NRC had begun considering
methods for assessing organizational factors, including safety culture,
but in 1998, NRC's commissioners decided that the agency should have a
performance-based inspection program of overall plant performance and
should infer licensee management performance and competency from the
results of that program. They chose this approach instead of one of
four other options:
* conduct performance-based inspections in all areas of facility
operation and design, but not infer or articulate conclusions regarding
the performance of licensee management;
* assess the performance of licensee management through targeted
operations-based inspections using specific inspection procedures,
trained staff, and contractors to assess licensee management--a task
that would require the development of inspection procedures and
significant training--and to document inspection results;
* assess the performance of licensee management as part of the routine
inspection program by specifically evaluating and documenting
management performance attributes--a larger effort that would require
the development of assessment tools to evaluate safety culture as well
as additional resources; or:
* assess the competency of licensee management by evaluating management
competency attributes--an even larger effort that would require that
implementation options and their impacts be assessed.
When adopting the proposal to infer licensee management performance
from the results of its performance-based inspection program, NRC
eliminated any resource expenditures specifically directed at
developing a systematic method of inferring management performance and
competency. NRC stated that it currently has a number of means to
assess safety culture that provide indirect insights into licensee
safety culture. These means include, for example, (1) insights from
augmented inspection teams, (2) lessons-learned reviews, and (3)
information obtained in the course of conducting inspections under the
Reactor Oversight Process. However, insights from augmented inspection
teams and lessons-learned reviews are reactionary and do not prevent
problems such as those that occurred at Davis-Besse. Further, before
the Davis-Besse incident, NRC assumed its oversight process would
adequately identify problems with licensees' safety culture. However,
NRC has no formalized process for collectively assessing information
obtained in the course of its problem identification and resolution
inspection to ensure that individual inspection results would identify
poor management performance. NRC stated that its licensee assessments
consider inputs such as inspection results and insights, correspondence
to licensees related to inspection observations, input from resident
inspectors, and the results of any special investigations. However,
this information may not be sufficient to inform NRC of problems at a
plant in advance of these problems becoming safety significant.
In part because of Davis-Besse, NRC's Advisory Committee on Reactor
Safeguards[Footnote 42] recommended that NRC again pursue the
development of a methodology for assessing safety culture. It also
asked NRC to consider expanding research to identify leading indicators
of degradation in human performance and work to develop a consistent
comprehensive methodology for quantifying human performance. During an
October 2003 public meeting of the advisory committee's Human
Performance Subcommittee, the subcommittee's members again reiterated
the need for NRC to assess safety culture. Specifically, the members
recognized that certain aspects of safety culture, such as beliefs,
perceptions, and management philosophies, are ultimately the nuclear
power industry's responsibility but stated that NRC should deal with
patterns of behavior and human performance, as well as organizational
structures and processes. At this meeting, NRC officials discussed
potential safety culture indicators that NRC could use, including,
among other things, how many times a problem recurs at a plant,
timeliness in correcting problems, number of temporary modifications,
and individual program and process error rates. Committee members
recommended that NRC test various safety culture indicators to
determine whether (1) such indicators should ultimately be incorporated
into the Reactor Oversight Process and (2) a significance determination
process could be developed for safety culture. As of March 2004, NRC
had yet to respond to the advisory committee's recommendation.
Despite the lack of action to address safety culture issues, NRC's
concern over FirstEnergy's safety culture at Davis-Besse was one of the
last issues resolved before the agency approved Davis-Besse's restart.
NRC undertook a series of inspections to examine Davis-Besse's safety
culture and determine whether FirstEnergy had (1) correctly identified
the underlying causes associated with its declining safety culture, (2)
implemented appropriate actions to correct safety culture problems, and
(3) developed a process for monitoring to ensure that actions taken
were effective for resolving safety culture problems. In December 2003,
NRC noted significant improvements in the safety culture at Davis-
Besse, but expressed concern with the sustainability of Davis-Besse's
performance in this area. For example, a survey of FirstEnergy and
contract employees conducted by FirstEnergy in November 2003 indicated
that about 17 percent of employees believed that management cared more
about cost and schedule than resolving safety and quality issues--
again, production over safety.
NRC's Task Force Recommendations Did Not Address NRC's Decision-Making
Process:
NRC's task force also did not analyze NRC's process for deciding not to
order a shutdown of the Davis-Besse plant. It noted that NRC's written
rationale for accepting FirstEnergy's justification for continued plant
operation had not yet been prepared and recommended that NRC change
guidance requiring NRC to adequately document such decisions. It also
made a recommendation to strengthen guidance for verifying information
provided by licensees. According to an NRC official on the task force,
the task force did not assess the decision-making process in detail
because the task force was charged with determining why the degradation
at Davis-Besse was not prevented and because NRC had coordinated with
NRC's Office of the Inspector General, which was reviewing NRC's
decision making.
NRC's Failure to Track the Resolution of Identified Problems May Allow
the Problems to Recur:
The NRC task force conducted a preliminary review of prior lessons-
learned task force reports to determine whether they suggested any
recurring or similar problems. As a result of this preliminary review,
the task force recommended that a more detailed review be conducted to
determine if actions that NRC took as a result of those reviews were
effective. These previous task force reports included: Indian Point 2
in Buchanan, New York, in February 2000; Millstone in Waterford,
Connecticut, in October 1993; and South Texas Project in Wadsworth,
Texas, from 1988 to 1994.[Footnote 43] NRC's more detailed review, as
of May 2004, was still under way. We also reviewed these reports to
determine whether they suggested any recurring problems and found that
they highlighted broad areas of continuing programmatic weaknesses, as
seen in the following examples:
* Inspector training and information sharing. All three of the other
task forces also identified inspector training issues and problems with
information collection and sharing. The Indian Point task force called
upon NRC to develop a process for promptly disseminating technical
information to NRC inspectors so that they can review and apply the
information in their inspection program.
* Oversight of licensee corrective action programs. Two of the three
task forces also identified inadequate oversight of licensee corrective
action programs. The South Texas task force recommended improving
assessments of licensees' corrective action programs to ensure that NRC
identifies broader licensee problems.
* Better identification of problems. Two of the three task force
reports also noted the need for NRC to develop a better process for
identifying problem plants, and one report noted the need for NRC
inspectors to more aggressively question licensees' activities.
Over the past two decades, we have also reported on underlying causes
similar to those that contributed, in part, to the incident at Davis-
Besse. (See Related GAO Products.) For example, with respect to the
safety culture at nuclear power plants, in 1986, 1995, and 1997, we
reported on issues relevant to NRC assessing plant management so that
significant problems could be detected and corrected before they led to
incidents such as the one that later occurred at Davis-Besse.
Regardless of our 1997 recommendation that NRC require that the
assessment of management's competency and performance be a mandatory
component of NRC's inspection process, NRC subsequently withdrew
funding to accomplish this. In terms of inspections, in 1995 we
reported that NRC, itself, had concluded that the agency was not
effectively integrating information on previously identified and long-
standing issues to determine if the issues indicated systemic
weaknesses in plant operations. This report further noted that NRC was
not using such information to focus future inspection activities. In
1997 and 2001, we reported on weaknesses in NRC's inspections of
licensees' corrective action programs. Finally, with respect to
learning from plants' operating experiences, in 1984 we noted that NRC
needed to improve its methods for consolidating information so that it
could evaluate safety trends and ensure that generic issues are
resolved at individual plants. These recurring issues indicate that
NRC's actions, in response to individual plant incidents and
recommendations to improve oversight, are not always institutionalized.
NRC guidance requires that resolutions to action plans be described and
documented, and while NRC is monitoring the status of actions taken in
response to Davis-Besse task force recommendations and preparing
quarterly and semiannual reports on the status of actions taken, the
Davis-Besse action plan does not specify how long NRC will monitor
them. It also does not describe how long NRC will prepare quarterly and
semiannual status reports, even though, according to NRC officials,
these semiannual status reports will continue until all items are
completed and the agency is required to issue a final summary report.
The plan also does not specify what criteria the agency will use to
determine when the actions in response to specific task force
recommendations are completed. Furthermore, NRC's action plan does not
require NRC to assess the long-term effectiveness of recommended
actions, even though, according to NRC officials, some activities
already have an effectiveness review included. As in the past and in
response to prior lessons-learned task force reports and
recommendations, NRC has no management control in place for assessing
the long-term effectiveness of efforts resulting from the
recommendations. NRC officials acknowledged the need for a management
control, such as an agencywide tracking system, to ensure that actions
taken in response to task force recommendations effectively resolve the
underlying issue over the long term, but the officials have no plans to
establish such a system.
Conclusions:
It is unlikely, given the actions that NRC has taken to date, that
extensive reactor vessel corrosion will occur any time soon at another
domestic nuclear power plant. However, we do not yet have adequate
assurances from NRC that many of the factors that contributed to the
incident at Davis-Besse will be fully addressed. These factors include
NRC's failure to keep abreast of safety significant issues by
collecting information on operating experiences at plants, assessing
their relative safety significance, and effectively communicating
information within the agency to ensure that oversight is fully
informed. The underlying causes of the Davis-Besse incident underscore
the potential for another incident unrelated to boric acid corrosion or
cracked control rod drive mechanism nozzles to occur. This potential is
reinforced by the fact that both prior NRC lessons-learned task forces
and we have found similar weaknesses in many of the same NRC programs
that led to the Davis-Besse incident. NRC has not followed up on prior
task force recommendations to assess whether the lessons learned were
institutionalized. NRC's actions to implement the Davis-Besse lessons-
learned task force recommendations, to be fully effective, will require
an extensive effort on NRC's part to ensure that these are effectively
incorporated into the agency's processes. However, NRC has not
estimated the amount of resources necessary to carry out these
recommendations, and we are concerned that resource limitations could
constrain their effectiveness. For this reason, it is important for NRC
to not only monitor the implementation of Davis-Besse task force
recommendations, but also determine their effectiveness, in the long
term, and the impact that resource constraints may have on them. These
actions are even more important because the nation's fleet of nuclear
power plants is aging.
Because the Davis-Besse task force did not address NRC's unwillingness
to directly assess licensee safety culture, we are concerned that NRC's
oversight will continue to be reactive rather than proactive. NRC's
oversight can result in NRC making a determination that a licensee's
performance is good one day, yet the next day NRC discovers the
performance to be unacceptably risky to public health and safety. Such
a situation does not occur overnight: Long-standing action or inaction
on the part of the licensee causes unacceptably risky and degraded
conditions. NRC needs better information to preclude such conditions.
Given the complexity of nuclear power plants, the number of physical
structures, systems, and components, and the manner in which NRC
inspectors must sample to assess whether licensees are complying with
NRC requirements and license specifications, it is possible that NRC
will not identify licensees that value production over safety. While we
recognize the difficulty in assessing licensee safety culture, we
believe it is sufficiently important to develop a means to do so.
Given the limited information NRC had at the time and that an accident
did not occur during the delay in Davis-Besse's shutdown, we do not
necessarily question the decision the agency made. However, we are
concerned about NRC's process for making that decision. It used
guidance intended to make decisions for another purpose, did not
rigorously apply the guidance, established an unrealistically high
standard of evidence to issue a shutdown order, relied on incomplete
and faulty PRA analyses and licensee evidence, and did not document key
decisions and data. It is extremely unusual for NRC to order a nuclear
power plant to shut down. Given this fact, it is more imperative that
NRC have guidance to use when technical specifications or requirements
may be met, yet questions arise over whether sufficient safety is being
maintained. This guidance does not need to be a risk-based approach,
but rather a more structured risk-informed approach that is
sufficiently flexible to ensure that the guidance is applicable under
different circumstances. This is important because NRC annually makes
about 1,500 licensing decisions relating to operating commercial
nuclear power plants. While we recognize the challenges NRC will face
in developing such guidance, the large number and wide variety of
decisions strongly highlight the need for NRC to ensure that its
decision-making process and decisions are sound and defensible.
Recommendations for Executive Action:
To ensure that NRC aggressively and comprehensively addresses the
weaknesses that contributed to the Davis-Besse incident and could
contribute to problems at nuclear power plants in the future, we are
recommending that the NRC commissioners take the following five
actions:
* Determine the resource implications of the task force's
recommendations and reallocate the agency's resources, as appropriate,
to better ensure that NRC effectively implements the recommendations.
* Develop a management control approach to track, on a long-term basis,
implementation of the recommendations made by the Davis-Besse lessons-
learned task force and future task forces. This approach, at a minimum,
should assign accountability for implementing each recommendation and
include information on the status of major actions, how each
recommendation will be judged as completed, and how its effectiveness
will be assessed. The approach should also provide for regular--
quarterly or semiannual--reports to the NRC commissioners on the status
of and obstacles to full implementation of the recommendations.
* Develop a methodology to assess licensees' safety culture that
includes indicators of and inspection information on patterns of
licensee performance, as well as on licensees' organization and
processes. NRC should collect and analyze this data either during the
course of the agency's routine inspection program or during separate
targeted assessments, or during both routine and targeted inspections
and assessments, to provide an early warning of deteriorating or
declining performance and future safety problems.
* Develop specific guidance and a well-defined process for deciding on
when to shut down a nuclear power plant. The guidance should clearly
set out the process to be used, the safety-related factors to be
considered, the weight that should be assigned to each factor, and the
standards for judging the quality of the evidence considered.
* Improve NRC's use of probabilistic risk assessment estimates in
decision making by (1) ensuring that the risk estimates, uncertainties,
and assumptions made in developing the estimates are fully defined,
documented, and communicated to NRC decision makers; and (2) providing
guidance to decision makers on how to consider the relative importance,
validity, and reliability of quantitative risk estimates in conjunction
with other qualitative safety-related factors.
Agency Comments and Our Evaluation:
We provided a draft of this report to NRC for review and comment. We
received written comments from the agency's Executive Director for
Operations. In its written comments, NRC generally addressed only those
findings and recommendations with which it disagreed. Although
commenting that it agreed with many of the report's findings, NRC
expressed an overall concern that the report does not appropriately
characterize or provide a balanced perspective on NRC's actions
surrounding the discovery of the Davis-Besse reactor vessel head
condition or NRC's actions to incorporate the lessons learned from that
experience into its processes. Specifically, NRC stated that the report
does not acknowledge that NRC must rely heavily on its licensees to
provide it with complete and accurate information, as required by its
regulations. NRC also expressed concern about the report's
characterization of its use of risk estimates--specifically the
report's statement that NRC's estimate of risk exceeded the risk levels
generally accepted by the agency. In addition, NRC disagreed with two
of our recommendations: (1) to develop specific guidance and a well-
defined process for deciding on when to shut down a plant and (2) to
develop a methodology to assess licensees' safety culture.
With respect to NRC's overall concern, we believe that the report
accurately captures NRC's performance. Our draft report, in discussing
NRC's regulatory and oversight role and responsibilities, stated that
according to NRC, the completeness and accuracy of the information
provided by licensees is an important aspect of the agency's oversight.
To respond further to NRC's concern, we added a statement to the effect
that licensees are required under NRC's regulations to provide the
agency with complete and accurate information. While we do not want to
diminish the importance of this responsibility on the part of the
licensees, we believe that NRC also has a responsibility, in designing
its oversight program, to implement management controls, including
inspection and enforcement, to ensure that it has accurate information
on and is sufficiently aware of plant conditions. In this respect, it
was NRC's decision to rely on the premise that the information provided
by FirstEnergy was complete and accurate. As we point out in the
report, the degradation of the vessel head at Davis-Besse occurred over
several years. NRC knew about several indications that problems were
occurring at the plant, and the agency could have requested and
obtained additional information about the vessel head condition.
We also believe that the report's characterization of NRC's use of risk
estimates is accurate. The NRC risk estimate that we and our
consultants found for the period leading up to the December 2001
decision on Davis-Besse's shutdown, including the risk estimate used by
the staff during key briefings of NRC management, indicated that the
estimate for core damage frequency was 5.4x10^-5, as used in the report.
The 5x10^-6 referenced in NRC's December 2002 safety evaluation is for
core damage probability, which equates to a core damage frequency of
approximately 5x10^-5--a level that is in excess of the level generally
accepted by the agency. The impression of our consultants is that some
confusion about the differences in these terms may exist among NRC
staff.
Concerning NRC's disagreement with our recommendation to develop
specific guidance for making plant shutdown decisions, NRC stated that
its regulations, guidance, and processes are robust and do provide
sufficient guidance in the vast majority of situations. The agency
added that from time to time a unique situation may present itself
wherein sufficient information may not exist or the information
available may not be sufficiently clear to apply existing rules and
regulations definitively. According to NRC, in these unique instances,
the agency's most senior managers, after consultation with staff
experts and given all of the information available at the time, decide
whether to require a plant shutdown. While we agree that NRC has an
array of guidance for making decisions, we continue to believe that NRC
needs specific guidance and a well-defined process for deciding when to
shut down a plant. As discussed in our report, the agency used its
guidance for approving license change requests to make the decision on
when to shut down Davis-Besse. Although NRC's array of guidance
provides flexibility, we do not believe that it provides the structure,
direction, and accountability needed for important decisions such as
the one on Davis-Besse's shutdown.
In disagreeing with our recommendation concerning the need for a
methodology to assess licensees' safety culture, NRC said that the
Commission, to date, has specifically decided not to conduct direct
evaluations or inspections of safety culture as a routine part of
assessing licensee performance due to the subjective nature of such
evaluations. According to NRC, as regulators, agency officials are not
charged with managing licensees' facilities, and direct involvement
with organizational structure and processes crosses over to a
management function. We understand NRC's position that it is not
charged with managing licensees' facilities, and we are not suggesting
that NRC should prescribe or regulate the licensees' organizational
structure or processes. Our recommendation is aimed at NRC monitoring
trends in licensees' safety culture as an early warning of declining
performance and safety problems. Such early warnings can help preclude
NRC from assessing a licensee as being a good performer one day, and
the next day being faced with a situation that it considers a
potentially significant safety risk. As discussed in the report,
considerable guidance is available on safety culture assessment, and
other countries have established safety culture programs.
NRC's written response also contained technical comments, which we have
incorporated into the report, as appropriate. (NRC's comments and our
responses are presented in app. IV.):
As arranged with your staff, unless you publicly announce its contents
earlier, we plan no further distribution of this report until 30 days
from its issue date. At that time, we plan to provide copies of this
report to the appropriate congressional committees; the Chairman, NRC;
the Director, Office of Management and Budget; and other interested
parties. We will also make copies available to others upon request. In
addition, this report will be available at no charge on the GAO Web
site at [Hyperlink, http://www.gao.gov]. If you or your staff have any
questions, please call me at (202) 512-3841. Key contributors to this
report are listed in appendix V.
Signed by:
Jim Wells Director, Natural Resources and Environment:
List of Congressional Requesters:
The Honorable George V. Voinovich:
United States Senate:
The Honorable Dennis J. Kucinich:
House of Representatives:
The Honorable Steven C. LaTourette:
House of Representatives:
[End of section]
Appendixes:
[End of section]
Appendix I: Time Line Relating Significant Events of Interest:
[See PDF for image]
[End of figure]
[End of section]
Appendix II: Analysis of the Nuclear Regulatory Commission's
Probabilistic Risk Assessment for Davis-Besse:
Report of the Committee to Review the NRC's Oversight of the Davis-
Besse Nuclear Power Station:
John C. Lee
Department of Nuclear Engineering and Radiological Sciences
University of Michigan
Ann Arbor, MI 48109:
Thomas H. Pigford Department of Nuclear Engineering
University of California
Berkeley, CA 94720:
Gary S. Was
Department of Nuclear Engineering and Radiological Sciences
University of Michigan
Ann Arbor, MI 48109:
Table of Contents:
1. Scope of the Review:
2. Key Findings of the Committee:
3. NRC Probabilistic Risk Assessment Model and Database:
3.1 Basic PRA Methodology and Data Used for the DB Risk Analysis:
3.2 DB Calculation of Risk due to CRDM Nozzle Failures:
3.3 NRC Calculation of Risk due to CRDM Nozzle Failures:
4. Assumptions and Uncertainties in NRC Risk Analysis:
4.1 The Discovery of Massive Corrosion Wastage at Davis-Besse:
4.2 Assumption that Boric Acid in Hot Escaping Coolant Will Not
Corrode:
4.3 Control Rod Ejection and Reactivity Transient:
4.4 Need to Account for Corrosion in Risk Analysis:
4.5 Uncertainties in Predicting Risk from Nozzle Cracking:
4.6 Lack of Uncertainty Analysis in DB Risk Estimation:
5. Relevant Regulations and Guidelines:
5.1 Use of Regulatory Guide 1.174 and Other Guidelines in the DB
Decision:
5.2 Technical Specifications and General Design Criteria Regarding
Coolant Leak:
5.3 Balance between Probabilistic and Deterministic Indicators for Risk
Assessment:
6. Review of the November 2001 NRC Decision Regarding Davis-Besse:
6.1 Involvement of NRC Staff and Management in the DB Decision:
6.2 Coordination among NRR, RES, and Inspectors:
6.3 Arbitrariness of the Requested Shutdown Date:
6.4 The Role of NRC's Advisory Committee on Reactor Safeguards:
6.5 NRC Staff Workload Affecting Its Ability for Detailed Risk
Assessment:
6.6 Davis-Besse, NRC, and Three Mile Island:
7. Recommendations for Improved Use of Probabilistic Risk Assessment:
References:
Report of the Committee to Review the NRC's Oversight of the Davis-
Besse Nuclear Power Station:
1. Scope of the Review:
The U. S. General Accounting Office formed a committee in September-
October 2003 to review the oversight that the U. S. Nuclear Regulatory
Commission provided on matters related to the pressure vessel head
corrosion at the Davis-Besse (DB) Nuclear Power Station. The GAO charge
to the committee was to respond to the questions:
(1) What probabilistic risk assessment model did NRC use and is it an
appropriate model?
(2) What was the source of key data used to run NRC's probabilistic
risk assessment and were these data valid?
(3) What key assumptions implicit in the model did NRC use to govern
the estimated risk of different scenarios and were these reasonable?
(4) Is probabilistic risk assessment an appropriate tool for making
such decision in these instances?
(5) How could NRC improve its use of probabilistic risk assessment to
make more informed decisions?
The committee was initially provided with a set of 53 documents, which
included GAO's preliminary analysis of the issues involved and
chronology of the DB events during 2001 and 2002. The GAO reports
summarized NRC-DB interactions in fall 2001
related to NRC Bulletin 2001-01 on control rod drive mechanism (CRDM)
nozzle cracking, the eventual shutdown of the plant on 16 February
2002, and the subsequent discovery of pressure vessel head corrosion.
Included also were:
(1) Official NRC documents, Generic Letters, Bulletins, and Information
Notices transmitted to licensees including Davis-Besse,
(2) DB reports submitted to NRC related to the CRDM nozzle issues, (3)
NRC documents summarizing the staffs positions and discussions,
(4) Summaries of NRC staff presentations to NRC's Advisory Committee on
Reactor Safeguards (ACRS) and to the Commission Technical Assistants,
(5) Event inquiry report of the NRC Office of Inspector General (OIG)
and response from the NRC Chair,
(6) Redacted transcripts of OIG interviews of NRC staff, and (7)
Transcripts of GAO interviews with NRC staff.
The committee reviewed the initial set of documents received from GAO
and conducted discussion on the phone and quite frequently via email.
One member (GSW) provided a set of initial questions, which GAO used in
a meeting with the NRC staff in
October 2003. Another member (JCL) met with Mark Reinhart of NRC at the
November American Nuclear Society meeting to discuss relevant technical
issues and to prepare for a meeting of the review committee with NRC
staff, which took place on December 11, 2003. At the meeting, two
members (GSW, JCL) discussed technical and management issues with a
total of nine NRC officials.
The review committee also consulted a number of experts from the
industry and national laboratories, and reviewed a number of additional
materials including:
(1) Several NRC Regulatory Guides,
(2) NRC Augmented Inspection Report and Lessons-Learned Task Force
Report,
(3) Additional NRC reports on significance assessment of the DB CRDM
degradations and the October 2003 OIG review of NRC's oversight on DB,
(4) Reports (including one proprietary version) from Electric Power
Research Institute and Nuclear Energy Institute,
(5) Notes from William Shack, Argonne National Laboratory (ANL),
describing his calculation of CRDM nozzle failure probability,
(6) DB probabilistic risk assessment (PRA) study performed for NRC by
the Idaho National Engineering and Environmental Laboratory,
(7) Transcripts of several ACRS meetings during 2001-2003, and (8)
Select papers in engineering journals and proceedings.
The committee conducted an extensive review and discussion on the
probabilistic risk calculations performed both by the FirstEnergy
Nuclear Operating Company (FENOC) and NRC for Davis-Besse. One
committee member (JCL) also developed a simplified analytical model to
determine the CRDM failure probability, which provided a rough check on
numerical calculations performed at ANL.
Following the 11 December 2003 meeting with the NRC staff, the
committee made an effort to follow up on a number of questions that
required additional information or clarifications. One essential piece
of information is the core damage probability due to the postulated
CRDM failure and ejection that NRC actually used in connection with the
decision to allow continued DB operation until February 16, 2002. After
a long wait, finally on February 24, 2004, the committee received a
response from Jin Chung, Richard Barrett, and Gary Holahan,
summarizing, to the extent they could reconstruct, how NRC arrived at
key quantitative risk estimates in November 2001.
We present in Section 2 key findings of the committee on NRC's
oversight related to the DB issues. We provide responses to the first
four GAO charges in Sections 3 through 6, in a slightly restructured
format, covering (a) PRA methodology and data used in NRC's risk
assessment, (b) assumptions and uncertainties in the risk assessment,
(c) relevant regulations and guidelines, and (d) November 2001 NRC
decision. Our response to the fifth GAO charge is finally presented in
Section 7.
2. Key Findings of the Committee:
The committee presents key findings of its review on NRC's oversight on
Davis-Besse and related safety and regulatory issues:
(1) NRC's Risk Analysis for Davis-Besse:
(a) To guide a risk-informed decision on whether to grant an extension
beyond its December 31, 2001 date for shutdown of Davis-Besse for
nozzle inspection, NRC relied on its PRA of risks from crack-induced
failure of control-rod housing nozzles. The calculated risk was
incorrectly small because the calculations did not consider corrosion
of the reactor vessel due to boric acid in coolant leaking through the
cracks. The calculated risk was also subject to large uncertainties. As
a result, NRC staff found it difficult to balance results of
quantitative risk calculations against qualitative considerations.
Regulatory Guide 1.174 provided little help in this regard.
(b) NRC did not perform uncertainty analysis in applying PRA in the DB
decision-making process and there was confusion regarding the
interpretation of core damage frequency (CDF) and core damage
probability (CDP) as risk attributes within the framework of RG 1.174.
NRC staff should have recognized large uncertainties associated with
the CDF estimated for CRDM nozzle failures:
(c) NRC's risk analysis was poorly documented and inadequately
understood by NRC staff.
(d) Even now, NRC is unable to provide estimates of the risk from
continued operation of Davis-Besse from December 31, 2001 to February
16, 2002, taking into account the large corrosion cavity in the reactor
vessel head found in March 2002. The risks from that operation prior to
shutdown are likely to have been unacceptably large. Thus, with proper
risk analysis, quantified risk calculations would have provided clear
guidance for prompt shutdown.
(2) Relevant Regulations and Guidelines:
(a) Coolant leakage through flanges and valves was allowed under the DB
Technical Specifications, leading the DB personnel and NRC resident
inspectors to treat boric acid deposits in various locations in the
containment as routine events, and hence not risk significant.
(b) NRC has no predetermined methodology to weigh PRA against
deterministic factors. NRC needs to develop a set of guidelines for the
use of PRA in decision-making.
(3) November 2001 Davis-Besse Decision:
(a) The proposed shutdown date of 31 December 2001 was arbitrary. There
was significant pressure from DB to delay the shutdown for financial
reasons, but no cost-benefit analysis was presented.
(b) Communication was seriously lacking between NRC headquarters and
Region III and also between resident inspectors and Region III
administrators regarding the extent of coolant leakage and boric-acid
corrosion.
(c) NRC staff incorrectly assumed that the visible white deposits of
anhydrous boric acid resulted entirely from rapid evaporation and
drying of the leaking coolant and were not associated with corrosion.
(d) The transparency of the decision-making process within NRC is not
uniform. The NRC lacks an established and well-defined process for
decision-making.
(4) General Safety and Regulatory Issues:
(a) How to ensure safety from corrosion by leaking coolant is generic
to all pressurized water reactors (PWRs). There is no evidence that it
has been evaluated as such by NRC's Advisory Committee on Reactor
Safeguards.
(b) The root cause of this near miss of a serious accident at Davis-
Besse is human error: inadequate evaluation of the effect of
simplifying assumptions in the risk analysis and inadequate perception
and understanding of the many clues that challenged those assumptions.
(c) NRC is slow to integrate new safety information into its programs,
and to share that information with its licensees.
3. NRC Probabilistic Risk Assessment Model and Database:
3.1 Basic PRA Methodology and Data Used for the DB Risk Analysis:
The NRC staff relied on a Standardized Plant Analysis Risk (SPAR) study
[Sat00] for Davis-Besse that Idaho National Engineering and
Environmental Laboratory performed. The Saphire code [Sap98] provided
the PRA tools and database for key system failure rates and human error
probabilities in the SPAR study. The PRA methodology combines semi-
pictorial structures of event and fault trees to estimate the
probability of occurrence of rare events, in particular, the core
damage frequency (CDF) and large early release frequency (LERF) of
radioactivity associated with the operation of a nuclear power plant.
An event tree is constructed for each major sequence of events
beginning with an initiating event, e.g., a medium-break loss-of-
coolant accident (MBLOCA), and following through multiple stages of
safety systems to be activated. The probability of failure or
unreliability of a safety system that is called upon to function is
determined as the probability of the top event of a fault tree, which
is determined through Boolean logic representing failure probabilities
of components making up the top event. Uncertainties in the CDF and
LERF are then obtained by a Monte Carlo convolution of probability
density functions representing failure rates of components in fault
trees and of safety systems in event trees.
The MBLOCA, which is assumed to occur following the failure and
ejection of CRDM nozzles at Davis-Besse, is analyzed in the SPAR report
[Sat00] as one of 12 major internal events postulated to lead to core
damage and radioactivity release. A
baseline CDF of 1.0x10 ^-7/year for MBLOCA results from a generic value
[Pol99] of the initiating event frequency of 4.0x10^-5/year for the
MBLOCA combined with the failure probabilities of a number of
engineered safety features, including high-and low-pressure injection
systems. This results in an estimate of 2.5x 10^-3for the conditional
core damage probability (CCDP) for MBLOCA. The CCDP of 2.5x10^^-3is
almost entirely due to the failure of low-pressure recirculation pumps,
which in turn depends heavily on the ability of the operator to
properly align and start the pumps. Based on human factor analysis, an
estimate of 1.0x10^-3 for the operator error is included in determining
the CCDP of 2.5x10^-3. The baseline or point-estimate CDF of 1.0 x
10^-7 1e/year for
MBLOCA contributes 0.5% toward the total baseline CDF of 2.0 x 10^-5/
year, with uncertainties represented as CDF = {5th percentile, median,
mean, 95th percentile 16.3x 10^-6, 1.6x 10^-5, 5.1x10^-5, 9.6x10^-5}
per year. The SPAR report for Davis-Besse provides only baseline CDF
estimates for individual core damage events; hence no uncertainty
estimates are available for the MBLOCA event. The mean overall CDF =
5.1x10-5/year for Davis-Besse compares well with the those for internal
initiating events for three PWR plants analyzed extensively as part of
NRC's severe accident evaluation project in NUREG-1150 [Nrc90]: Surry
Unit 1, 4x10^-5/year; Sequoyah Unit 1, 6x10^-5/year; and Zion Unit 1,
6x 10^-/year. The CDF estimates for the four PWRs are, however, an
order of magnitude larger than those for two boiling water reactors
analyzed in NUREG-1150: Peach Bottom Unit 2, 5x10/year, and Grand Gulf
Unit 1, 4x10/year.
3.2 DB Calculation of Risk due to CRDM Nozzle Failures:
The DB calculation of the nozzle failure probability consisted of the
following steps [Cam01c]. The nozzles were divided into three groups
based on the extent of visual inspection possible during refueling
outage (RFO) 10, 11 and 12. Group 1 consisted of 15 nozzles that were
not inspected during RFO 10 and 11. Group 2 consisted of 5 additional
nozzles that were not inspected during RFO 12. Group 3 consisted of 45
nozzles, all of which were inspected during all outages. This analysis
accounts for 65 nozzles, four short of the total number of nozzles on
the DB head. The four nozzles not
included in this analysis are at the center of the head. They were
determined by a Structural Integrity Associates analysis [Cam01d] d] to
have no demonstrable annular gaps, and therefore, were considered as
not susceptible to circumferential cracking and were excluded from the
calculation. This particular assumption turned out to be quite
inappropriate, since the February-March 2002 inspection revealed that
three central nozzles (Nos. 1, 2, 3) had developed through-wall axial
cracks and that nozzle 2 also had a circumferential crack.
Leak frequencies were determined for each group according to the
equation: leak frequency = 1.1/year x F where F, is the fraction of
the total nozzles (65) in group i, and the value of 1.1 is the
estimated frequency of CRDM leaks per reactor year based on
observations on 5 other Babcock and Wilcox (B&W) plants. Data on CRDM
cracking noted in the 2001-01 NRC Bulletin were incorporated into the
PRA analysis [Cam01c] in calculating the leak frequency. Specifically,
recent inspections had revealed that there were sixteen leaking nozzles
identified in the B&W plants, Arkansas Nuclear One Unit 1 (ANO-1),
Crystal River Unit 3 (CR-3), Oconee Nuclear Station Unit 1 (ONS-1),
ONS-2 and ONS-3. The assumption was made that all leaks appeared during
the most recent two fuel cycles. Assuming 1.5 years per fuel cycle, 2
cycles per plant and 5 plants, a product of these three values yields
15 reactor years of operation. Sixteen leaking nozzles over 15 years of
operation yields a leak frequency of about 1.1 leaks per reactor year.
This value then incorporated the most recent data on CRDM cracking at
other B&W plants.
An event tree was constructed for each CRDM group, beginning with the
CRDM leak frequency, accounting for crack growths and failures during
subsequent operation and CRDM nozzle inspection failures and
culminating with a total CDF. The event tree
analysis included CCDP = 2.7x 10^-3 for all groups. The resulting total
CDF summed over all three groups was 6.97x 1 e/year. Dividing by the
CCDP yielded a value of the initiating event (IE) frequency of 2.58x
10^-3/year representing an MBLOCA due to CRDM nozzle ejection. Using
the IE frequency, one would then calculate an IE probability of 3.4x
10^-4 for continued DB operation for another 0.13 year, representing
the period between 31 December 2001 and 16 February 2002. We note here
also that the DB estimation of CCDP = 2.7x 10^-3 agrees closely with
the SPAR estimate of 2.5x 10^-3 discussed in Section 3.1.
The probability of missing a leak in an inspection was estimated by
Framatome [Cam01b] using human reliability analysis. Their estimates
[CamOld] indicated that the probability of missing a leak was 0.06 in
the first inspection (RFO 10), 0.065 in the second inspection (RFO 11)
and 0.11 in subsequent inspections. Davis-Besse's analysis [Cam01c],
however, uses a single probability of value 0.05 applied to all of the
nozzles covered in RFO 10, 11 and in subsequent inspections. The
document [Cam01c] references the Framatome analysis [cam01b], but does
not indicate why a different value was used and why a single, lower
value was applied for all inspections. Correcting, however, the
calculation to account for the three separate failure detection
probabilities results in an IE frequency of 2.64x10^-3 /year vs.
2.58x10^-3 /year assumed [Cam01c].
3.3 NRC Calculation of Risk due to CRDM Nozzle Failures:
Although documents provided to the review committee do not provide
sufficient details on how NRC arrived at the incremental CDF or core
damage probability (CDP), it appears that the NRC staff used the DB
estimate of CCDP = 2.7x 10^-3 for the MBLOCA initiated by CRDM nozzle
failure and ejection. The NRC did not have the in-house expertise to
determine the nozzle ejection probability for Davis-Bessie. They had
two sources for estimates of the nozzle ejection probability. One
source was Dr. William Shack at Argonne National Laboratory (ANL). Dr.
Shack conducted a rather extensive
analysis of the failure probability consisting of 5 steps: 1) the
number of cracked nozzles, 2) the crack size distribution, 3) the crack
growth rate, 4) a time to failure based on initial crack size and crack
growth rate, and 5) a probability of failure, based on a Monte Carlo
analysis of failure times. The end result was a plot and a table with
failure probability vs. time that was provided to NRC and is described
in several references [Sha01, Sha03, Nrc01 a]. The second source of
information on the MBLOCA frequency was the DB estimate [Cam01c] for IE
frequency of 2.58x10^-3/year, discussed in Section 3.2.
Documents provided to the review committee [Rei03, Chu04] list the IE
probability of 2.0x10^-3 for continued operation for another 0.13 year,
representing the period between 31 December 2001 and 16 February 2002,
but reference Dr. Shack as the source. However, the values provided by
Shack to the NRC [Sha01 ] do not agree with this number and apparently
NRC decided not to use the ANL analysis, as it was viewed as
preliminary, and a work in progress.
In a final response [Chu04] to questions the review committee raised
following the 11 December 2003 meeting with nine NRC staff, Jin Chung,
Richard Barrett, and Gary Holahan confirmed that NRC used the DB
estimate of CCDP = 2.7x10^-3, coupled with
the IE frequency of 2.0x 10^-2/year, to obtain an incremental CDF =
5.4x 10"5/year, associated with the postulated CRDM failure and
ejection leading to an MBLOCA. They indicate that, instead of allowing
for the inspection failure probability of 0.05 for RFO 10, assumed in
the Framatome risk calculation [CamOlc], NRC allowed no credit to
discover the nozzle cracking. NRC, however, used the same crack growth
and failure rates as in the Framatome PRA submittal to arrive at the IE
frequency of 3.4x 10-2/year, which is an order of magnitude larger than
the Framatome estimate of 2.58x10-3/year. Dr. Chung then decided to
reduce the IE frequency to 2.0x 10^-2/year, to "reflect best estimate
rather than 75 percentile fracture mechanics," which is the best
description of the adjustment that NRC is able to present in February
2004. The adjusted value of IE frequency = 2.0x 10'2/year is then used
together with CCDP = 2.7x 10"3 to yield the incremental CDF = 5.4x 10^-
5/year. Finally, to convert the incremental CDF to an incremental CDP,
associated with the continued DB operation for 0.13 year, NRC again
rounded off the resulting CDP = 7.0x 10"6 to 5.0x 10^-6. In the
deliberations leading to the 28 November 2001 DB decision, NRC
apparently used the adjusted, rounded-off risk estimates: incremental
CDF = 5.4x 10^-5/year. and incremental CDP = 5.0x 10-6.
The conclusion of the review committee is that the determination of IE
probability is questionable, and that the error or uncertainty
associated with this probability is likely to be very high, rendering
it of questionable value. In the February 2004 response [Chu04]
to the review committee questions, NRC confirms that no uncertainty
analysis was performed on the incremental CDF and CDP estimates they
used in November 2001. Furthermore, NRC proposes an unusual use of the
incremental CDF and CDP values to compare with the quantitative
guidelines given in RG 1.174 [Nrc02a]. This will be discussed further
in Section 5.1.
4. Assumptions and Uncertainties in NRC Risk Analysis:
4.1 The Discovery of Massive Corrosion Wastage at Davis-Besse:
The most serious shortcoming in NRC's risk analysis was the complete
neglect of any consideration of corrosion of the reactor vessel by
boric acid in reactor coolant known to be leaking from the high-
pressure cooling system. After finally shutting down the reactor and
inspecting the control housing nozzles, Davis-Besse discovered
extensive corrosive wastage of the steel pressure vessel. Boric acid in
leaking coolant had reacted with iron to form a mass of corrosion
products which, when removed, left a cavity the size of a
pineapple. Corrosion had penetrated the 6-inch thick steel head of the
reactor vessel and exposed the thin corrosion-resistant vessel liner,
found to be only about 0.2 inches thick at that location.
The reactor had been operating for months, maybe years, perilously
close to rupture of the vessel liner and rapid loss of reactor coolant.
In response to our repeated requests to NRC to share with us what it
has learned about the risks from corrosion-induced failure of the
coolant pressure boundary, NRC states that such analysis has not been
completed, awaiting completion of laboratory tests on relevant failure
mechanics at the Oak Ridge National Laboratory. That answer is most
disappointing.
An earmark of a responsive safety program is prompt incorporation of
new safety information, by undertaking new risk analysis, whether
deterministic, probabilistic, or both, to guide new procedures that
would avoid such a potential accident and to guide
research and testing necessary for proper risk-informed decision
making. Now, some two years since the discovery of massive and
dangerous corrosion wastage at Davis-Besse, NRC seems unable to supply
even preliminary analysis of the magnitude of potential safety problems
arising from coolant leakage and corrosion. This harks back to the
1977-79 era, when NRC failed to recognize the implications of a near
miss of a serious reactor accident at Davis-Besse, discussed further in
Section 6.6. If NRC had made a prompt analysis of Davis-Besse's 1977
operator errors and the implications for a more serious accident if not
corrected, and if that analysis had been communicated to other
licensees, the tragic accident at Three Mile Island could have been
avoided. It appears that NRC has not fully recovered from its mistakes
in 1977-79.
4.2 Assumption that Boric Acid in Hot Escaping Coolant Will Not
Corrode:
Apparently all NRC staff who were involved in the November 2001
decision on Davis-Besse were aware that high-pressure coolant was
leaking from valves, flanges, and possibly from cracks, but they
evidently thought that the hot coolant, at 600 °F, would immediately
flash into steam and non-corrosive anhydrous compounds of boric acid.
As evidence, they referred to the readily visible deposits of white
fluffy anhydrous boric acid observed on plant equipment. But
evaporation concentrates boric acid in the remaining liquid, which
becomes far more corrosive. Its vapor pressure decreases and slows
further evaporation. Thus, one should expect that some of the boric
acid in the escaping coolant can reach the metal surfaces as wet or
moist highly corrosive material underlying the white fluffy surface
layers. That is evidently what happened. It should have been
anticipated.
Also the geometry of a cracked nozzle was not considered in NRC's
thoughts about boric acid corrosion. NRC was focused on the metal
surface because they were convinced that the boric acid they saw came
from "dripping" from the leaky valves above the head. However, in a
leaking nozzle, the escape path of the water is some 6-8 inches - from
the clad to the vessel surface. Such a long crevice provides
considerably greater opportunity for concentration of the liquid behind
the evaporation front at or near the vessel head surface where the
steam escapes.
NRC staff should also have been aware of experience at the French
nuclear plants, where boric acid corrosion from leaking reactor coolant
had been identified during the previous decade, the safety significance
had been recognized, and safety procedures to
mitigate the problem had been implemented. Keeping abreast of safety
issues at similar plants, whether domestic or abroad, and conveying
relevant safety information to its licensees is an important function
of NRC's safety program.
NRC staff were involved a few years earlier in discussions regarding
boric acid deposits on the reactor pressure vessel head [Epr01]. Boric-
acid corrosion programs were initiated. But to the NRC staff involved
in the November 2001 decision on Davis-Besse, boric-acid corrosion was
not viewed as a significant safety concern; rather, there was concern
that the anhydrous crystals could obscure indication of leakage from
the nozzles above the reactor head. But already several tests of boric
acid corrosion had been underway in industry and government
laboratories. Representative tests of nozzle leakage showed that
corrosion rates from boric acid solutions dripping onto carbon steel at
600 °F can be in the range of four inches per year [Nrc02b]. Drip tests
sponsored by the Electric Power Research Institute [Sri98, Epr01]
showed that the corrosion rate is much higher for carbon-steel surfaces
at 600 °F than at lower temperature. Only at temperatures much higher
than 600 °F is the vaporization rate high enough to produce anhydrous
boric acid crystals with little corrosion.
NRC personnel involved in the November 2001 safety review evidently
were not aware of these corrosion tests or else they had forgotten
about them. An NRC resident inspector at Davis-Besse was shown, by a
Davis-Besse engineer, a photograph that
revealed streaks of rust-colored corrosion products on the head of the
reactor vessel, in the midst of the expected white crystals. But the
inspector was not aware of the significance of these rust streaks, and
he did not report this information to other NRC personnel. At other
times, Davis-Besse reported the presence of airborne rust particles
that had lodged on the surveillance filters, but the significance of
this information was not recognized.
After the discovery of the corrosion wastage in 2002, an NRC official
was asked about the corrosion data reported by the Electric Power
Research Institute (EPRI). He replied that those data were not
considered in the discussions with Davis-Besse because
EPRI had not "submitted" the report of those data to NRC. EPRI points
out that the corrosion data had been published in 1998 in a widely
available technical report, well known to industry and NRC. EPRI had
not formally "submitted" the report because NRC charges a fee for the
submittal process.
4.3 Control Rod Ejection and Reactivity Transient:
In discussions related to the consequences of CRDM nozzle ejections at
Davis-Besse, NRC duly considered the effects of the control rods
ejected, thereby made inoperable, in the resulting LOCA. They
apparently concluded before the 28 November 2001 Davis-Besse decision
that the negative reactivity feedback resulting from the overheating
and boiling of coolant in a LOCA would easily overshadow any potential
decrease in the amount of subcritical reactivity that would ensure safe
shutdown of the reactor. Furthermore, a more recent NRC report [Dye03]
evaluating the significance of the Davis-Besse CRDM penetration
cracking and pressure vessel head degradation presents a similar
conclusion. Here, a combined thermal-hydraulic and reactivity transient
analysis performed with the RELAP code indicates that the boiling of
the reactor coolant coupled with the addition of boric acid in the
emergency coolant water injected is sufficient to maintain the shutdown
condition, thereby obviating the concern for an anticipated transient
without scram (ATWS).
One consequence of the CRDM nozzle ejection that has not been, however,
analyzed is the positive reactivity inserted into the reactor core when
the control rod ejection occurs in a hot zero power (HZP) rather than a
hot full power (HFP) condition. The consequences of postulated control
rod ejection accidents are generally more severe, if initiated in a HZP
condition when the system is fully pressurized but at low power. This
is because at HZP the control rods would be inserted deeply into the
core, thereby adding
a larger positive reactivity when the rods are ejected, than that
resulting in a HFP rod ejection accident. Thus, a HZP CRDM nozzle
ejection could result in a power level above rated power before a
significant coolant heating or boiling occurs. This combination of
postulated accidents requires an integrated analysis of two PWR design
basis accidents, LOCA and rod ejection accident, and should be
performed for a complete evaluation of CRDM nozzle ejection
consequences.
4.4 Need to Account for Corrosion in Risk Analysis:
NRC's analysis of risks from nozzle cracking was concerned only with
the formation and propagation of circumferential cracks that could
result in nozzle failure, loss of coolant, and even control rod
ejection. The formation of axial cracks was neglected in the risk
analysis. There is less chance of axial cracks causing complete failure
of a nozzle but they do open additional pathways for coolant leakage.
Leakage from axial cracks is believed to have been the main source for
the massive corrosion wastage at Davis-Besse.
Neglecting axial cracking and corrosion wastage that could result in
rupture of the reactor vessel and a more serious loss-of-coolant
accident was a principal deficiency in NRC's risk assessment.
NRC has not described to us any plans for extensions to its risk
analysis that would predict the dangers of corrosion wastage. In our
view, the necessary additional ingredients of the probabilistic risk
analysis must include:
* Formation and growth of axial cracks in control-rod-housing nozzles,
* Flow of leaking coolant from cracks,
* Evaporation of leaking coolant and concentration of boric acid, *
Corrosion of the steel pressure vessel,
* Time-dependent penetration of the corrosion front into the pressure
vessel, * Corrosion and stress-corrosion cracking of the vessel liner,
* Time-dependent calculation of stress on the vessel and its failure if
ruptured, and * Loss-of-coolant analysis of reactor core damage if
rupture occurs.
Some of the possible parameters for such an analysis were developed for
this report from sources other than NRC, as outlined in the next
section. The wide variations in some of the key parameters illustrate
uncertainties that must be resolved to make accurate predictions of
risk and its uncertainty.
4.5 Uncertainties in Predicting Risks from Nozzle Cracking':
For risk-informed decision making, it is important to include
calculation of uncertainties in the predicted risks. NRC informs us
that it has not calculated uncertainties in its present risk
assessments of nozzle cracking. It does believe that its present
results on core-damage risks are accurate "to within a factor of 2 or
3". NRC did not provide the basis for their belief. The information
necessary for probabilistic risk calculation should include enough data
for uncertainty analysis. NRC should perform uncertainty calculations.
A major uncertainty arises in attempting to predict the corrosion
wastage that would rupture the reactor vessel, particularly after
boric-acid-induced corrosion has penetrated all the way through the
carbon steel and exposed the thin stainless steel liner that would
serve as the reactor coolant system pressure boundary, as occurred at
Davis-Besse. From other sources [PinWa,b], we are informed that in
early 2003 an internal NRC memo concluded that there was no danger of
imminent rupture of the Davis-Besse reactor prior
to its shutdown in February 2002. The memo cited calculations by the
Oak Ridge National Laboratory, that the as-discovered cavity could have
supported twice the operating pressure of 2185 psia before rupturing
and that, "had the cavity enlarged under continued operation, at least
twelve months remained before the cavity would reach a size that
rupture would occur at normal operating temperature and pressure." It
was assumed that "the wastage cavity was actively growing at a maximum
rate of seven inches per year" [Pin03a], much greater than the 4 inches
per year quoted earlier by NRC. The NRC memo stated that the need for
more accurate data on the morphology and depth of cladding cracks
necessitates a revision of these calculations and expects a possible
reduction in the amount of margin that was originally calculated.
A report by Structural Integrity Associates [Sia02], commissioned by
FirstEnergy, calculated that the cladding could withstand pressures of
more than 5000 psia. Davis-Besse concluded that vessel rupture "was
therefore considered not to be a credible event". Later in 2003, an Oak
Ridge National Laboratory study, conducted on a spare reactor-vessel
head with a machined-out cavity simulating wastage, reported two
rupture tests, one occurring at 2000 psia, the other at 2700 psia. If
these two results are applicable, Davis-Besse had been operating at
2185 psia with significant probability of vessel rupture. NRC's project
manager for these tests stated in October 2003 that the Oak Ridge test
results would be made public "probably within weeks." The report is not
yet released.
An important feature of the Oak Ridge tests was taking into account the
"dissimilar weld" between the carbon-steel vessel head and the
stainless steel cladding. The Union of Concerned Scientists pointed out
that the Oak Ridge tests revealed that the weld overlay process used
for the Davis-Besse vessel left a thin interface that was not as strong
as either of the adjoining layers. Also, the tests were conducted
quasi-statically, whereas pressure transients during reactor operation
must be considered [Pin03b].
These are examples of crucial data uncertainties that need to be
resolved. Such uncertainties must be considered in reporting
probabilistic risks.
It is not enough to finesse such uncertainties by instituting new
procedures intended to eliminate the possibility of operator error. The
near accident at Davis-Besse resulted from human error, errors by
reactor operators, by NRC on-site inspectors and by the staffs at
Davis-Besse and NRC. The experience at Three Mile Island has taught us
that human errors can occur and must be included in responsible risk
analysis.
4.6 Lack of Uncertainty Analysis in DB Risk Estimation:
As discussed in Section 4.5, an important issue regarding the
application of quantitative guidelines for risk management and
regulatory decisions, as in the Davis-Besse case under review, is the
need to account for uncertainties in risk values determined through PRA
techniques. It was noted in Sections 3.1 and 3.3 that we are unable to
obtain any uncertainty estimates for the SPAR baseline CDF of 1.0x10^-
7/year for Davis-Besse MBLOCA, without CRDM nozzle failures, or the NRC
estimate of 5.4x 10^-5/year for the corresponding MBLOCA CDF accounting
for CRDM nozzle failures. It is well known among the PRA community that
all quantitative risk estimates for nuclear power plants are subject to
significant uncertainties and that it is imperative that proper
uncertainty analysis be performed for any PRA study for nuclear power
plants. This point was made abundantly clear in a recent NRC report
[Fle03], prepared at the request of NRC's Advisory Committee on Reactor
Safeguards (ACRS), for the purpose of evaluating practices and issues
regarding PRA applications. The need to understand and characterize
uncertainties in PRA and risk-informed regulatory activities was also
emphasized in both RG 1.174 [Nrc02a] and RG 1.200 [Nrc03]. Furthermore,
it was primarily for the purpose of duly accounting for uncertainties
in the calculated risks of postulated severe accidents that NRC and its
contractors had to go through two draft versions of the massive volumes
of the severe accidents risk study of NUREG-1150 [Nrc90] before
releasing the final version in 1990. Nonetheless, it is rather clear to
the review committee that the NRC staff and management did not give due
considerations to the impact of large uncertainties, in particular, in
the frequency of MBLOCA initiated by the postulated Davis-Besse CRDM
nozzle ejection in their Davis-Besse deliberations in November 2001. In
addition, the SPAR calculation of CCDP = 2.5x 10^-3 is subject to
significant uncertainties associated with human errors and common cause
failures represented in the fault tree analysis. Questions were also
raised in GAO interviews with the NRC staff if the staff had the proper
understanding of the impact on the CCDP estimate of the compensatory
measures proposed by Davis-Besse before the November 2001 decision.
During the 11 December 2003 meeting with the NRC staff, we got the
indication that several NRC staff felt that Regulatory Guide 1.174
[Nrc02a], with its PRA framework, does account for uncertainties in
risk estimates including the effects of unknown events, e.g., the
Davis-Besse pressure vessel head wastage, through the defense-in-depth
philosophy. As discussed in detail in the February 2003 NRC Region III
report [Dye03], it is very much doubtful how the system modeling
uncertainties and unknown events could possibly have been represented
through a simple application of RG 1.174. It is noteworthy that the
ACRS, at its first full committee meeting [Acr02] after the Davis-Besse
cavity findings, repeatedly criticized the NRC staff for not having
performed any uncertainty analysis for the CRDM nozzle failure issues
and suggested that the staff had drifted away from the RG 1.174
guidelines. Had the staff gone through even a simple analysis, without
any detailed uncertainty calculations or invoking RG 1.174, they should
have realized that the incremental CDF of 5.4x10 5/year would result in
doubling the total CDF for Davis-Besse, even with the mean SPAR value
of 5.1x10-5/year. Note furthermore that the SPAR baseline CDF is 1.6x
105/year. Thus, the staff should have readily recognized the risk
significance of the incremental CDF = 5.4x10^-5/year estimated in
November 2001 for the CRDM nozzle failure event.
One regulatory decision-making case where PRA applications were
questioned is the ATWS issue. A recent review [Rau03] emphasizes that
the uncertainty in the calculated values of the reactor scram system
reliability requires maintaining defense in depth regarding ATWS,
rather than relying heavily on PRA results. Thus, despite small values
of scram failure probabilities calculated in the early 1980s, system
changes, including improved reactor shutdown systems and circuits, were
implemented but only after incipient ATWS events had occurred at the
Salem Unit 1 plant in 1983 [Sci83]. We suggest that the NRC staff
should have applied the lessons learned from the ATWS rulemaking case
to the DB case, which would have reduced the NRC staffs heavy reliance
on the quantitative risk. Although we will never be able to determine
the extent by which the incremental CDF or CDP values influenced the
decision making, it is rather apparent to the review committee that the
quantitative risk values, without due considerations for uncertainties,
did play an important role in the 28 November 2001 decision.
5. Relevant Regulations and Guidelines:
5.1 Use of Regulatory Guide 1.174 and Other Guidelines in the DB
Decision:
One key set of guidelines discussed extensively among the NRC staff and
management before the 28 November 2001 DB decision is RG 1.174
[Nrc02a], which is intended to
promote risk-informed decisions on plant-specific changes. Included in
RG 1.174 is one particular quantitative metric in the form of
incremental CDF. According to Figure 3 illustrating acceptance
guidelines, any plant-specific changes resulting in an incremental CDF
of 1 x 10^-5/year or higher should not be allowed. In addition, there
apparently was considerable discussion and lack of unanimity among the
NRC staff prior to the 28 November 2001 decision if the other four
safety principles of RG 1.174 were satisfied. The February 2003 NRC
Region III report [Dye03] documenting the significance of the Davis-
Besse CRDM penetration cracking and pressure vessel head degradation
leaves, however, no question that all five safety principles of REG
1.174 were violated at Davis-Besse in November 2001. Included in this
report is a revised estimate of incremental MBLOCA frequency of
3.0x10^-2/year; yielding estimates of incremental CDF in the range of
[1 x 10^-5,1x10^-6] per year, due to the ejection of three central CRDM
nozzles. These estimates of incremental CDF bracket the value of
5.4x10^^-/year presented to the review committee [Rei03] and would have
clearly resulted in violation of the sole quantitative metric of RG
1.174.
Although the February 2003 findings of NRC rendering Davis-Besse in the
"red" status are attained certainly with the benefits of hindsight, it
is worth summarizing the reasoning presented in the report, rather than
presenting the review committee's evaluations:
(1) Principle 1: Regulations were not met, because reactor coolant
system (RCS) pressure boundary leakage occurred over an extended period
of time and the RCS was not inspected and maintained properly. This
resulted in violation of the General Design Criteria.
(2) Principle 2: Performance and maintenance deficiency degraded the
level of defense in depth required for safe operation of the plant.
(3) Principle 3: Safety margins were not maintained because the
integrity of the RCS pressure boundary relied solely on the vessel
lining, which was not designed for this purpose.
(4) Principle 4: Calculated risk violated the quantitative guideline.
(5) Principle 5: There was no basis for assuring that degradations due
to CRDM leaks would be properly monitored and managed.
It goes without saying that nobody anticipated in November 2001 the
severe vessel wastage that was uncovered in March 2002, which resulted
in an unambiguous verdict regarding Principle 3 above. Nonetheless,
there were sufficient indications in November 2001 to question if
safety margins were not violated, as voiced by a number of the NRC
staff before the 28 November 2001 decision. This in turn raises
questions if NRC made proper application of RG 1.174 in arriving at the
decision to allow a delay of the shutdown of Davis-Besse for the
pressure vessel head inspection required in NRC Bulletin 2001-01
[Nrc01c].
During the 11 December 2003 meeting with the NRC staff, the review
committee was offered a number of other NRC and industry guidelines
that the NRC staff apparently used for the Davis-Besse decision. A
review of these additional guidelines further:
suggests that the NRC value for the incremental CDF = 5.4x10^-5/year
for seven weeks of additional Davis-Besse operation could not have
satisfied these guidelines either. To clarify the point here, we follow
the process NRC used to convert the incremental CDF = 5.4x 10^-5/year
to the incremental core damage probability (CDP) for seven weeks or
0.13 year: incremental CDP = 5.4x 10^-5/year x 0.13 year = 7.0x le,
rounded off to 5.0x 10^-6, which is roughly equivalent to approximating
7 weeks as 0.1 year. We may now compare this incremental CDP estimate
with three additional guidelines for risk-informed decision-making
processes
(1) RG 1.177 [Nrc98] intended for evaluating Technical Specification
changes suggests that an incremental CDP of 5x10 is acceptable for
relaxation of allowed outage time or surveillance test intervals.
(2) PSA Applications Guidelines [Tru95] proposed by the Electric Power
Research Institute indicates that an incremental CDP in the range of
[1x10, 1x10^-5] requires assessment of non-quantifiable factors.
(3) NUMARC 93-01 [Nei96] suggests that an incremental CDP in the range
of [1 x10, 1x10^-5] requires risk management actions adding further
that any decisions resulting in an incremental CDP greater than 1x10^-
5 should not be allowed.
Thus, NRC's incremental CDP value of 5x10 would have resulted in
violation of RG 1.177 and would have required risk management actions
according to both the EPRI and Nuclear Energy Institute guidelines. In
addition, during the 11 December 2003 meeting with the NRC staff,
Richard Barrett insisted that the quantitative RG 1.174 guidelines are
supposed to be applied in terms of incremental CDP, not incremental CDF
as stipulated clearly in the Regulatory Guide. In the February 2004
response [Chu04] to the review committee questions, NRC now proposes
that the incremental CDF used as a key metric in RG 1.174 is meant to
be an annual average. Thus, NRC now suggests that the incremental CDF =
5.4x 10^-5/year for 13% of a year should be combined with CDF = 0.0 for
the remaining 87% of the year to yield an annual-average incremental
CDF = 5x 10 ./year. This new interpretation is at best unusual and
certainly is inconsistent with clear RG 1.174 guidelines regarding the
use of incremental CDF. This reinforces the impression of the review
committee that perhaps there was in November 2001 and possibly is still
some confusion among the NRC staff regarding basic quantitative metrics
that should be considered in evaluating regulatory and safety issues.
A recent release of RG 1.200 [Nrc03] is intended to provide guidance
for determining the technical adequacy of PRA results in regulatory
decision making. The Regulatory Guide discusses various technical
characteristics and attributes that should be included in PRA, and
highlights the importance of capturing system dependencies in risk
evaluations. RG 1.200 also emphasizes that understanding uncertainties
in PRA is an essential aspect of risk characterization and refers to RG
1.174 for guidance on how to address the uncertainties. As reviewed in
connection with the DB decision-making process, however, we feel that
the guidelines in RG 1.174 are not specific enough, especially for PRA
results subject to large uncertainties and for representing events not
well understood.
5.2 Technical Specifications and General Design Criteria Regarding
Coolant Leak:
Davis-Besse technical specification 3.4.6.2 requires that no reactor
coolant pressure boundary (RCPB) leakage is allowed. The General Design
Criteria, 10 CFR 50 Appendix A, addresses reactor coolant pressure
boundary leakage in GDC 14, GDC 31, and GDC 32. GDC 14 specifies that
the RCPB have an extremely low probability of abnormal leakage, or
rapidly propagating failure, and of gross rupture. GDC 31 specifies
that the probability of rapidly propagating fracture of the RCPB be
minimized. GDC 32 specifies that components which are part of the RCPB
have the capability of being periodically inspected to assess their
structural and leaktight integrity.
The FENOC response [Cam01a] to the NRC Bulletin 2001-01 applies the GDC
against the situation of potentially cracked nozzles at Davis-Besse.
Specifically the following points were made:
* The presence of cracked and leaking vessel head penetration (VHP)
nozzles is not consistent with GDC14 or GDC 31.
* Inspection practices that do not permit reliable detection of VHP
nozzle cracking are not consistent with GDC 32.
The situation regarding primary coolant leakage can be summarized as
follows. The Davis-Besse technical specifications (TS) present a
definitive criterion that allows no RCPB leakage. The GDC are not as
definitive by virtue of their reference to probability of occurrence,
which is not an absolute or definitive condition. GDC 14 and 31 are in
agreement with the TS in principle, but not in their level of
definitiveness. Therefore, there exists the possibility that a specific
condition can be considered to satisfy the GDC but not the TS.
Furthermore, the GDC implemented in the TS for DB allows for 1 gpm of
unidentified reactor coolant system (RCS) leakage and 10 gpm. of
identified RCS leakage, with the interpretation that leakage past
seals, flanges, and gaskets is not pressure boundary leakage.
GDC 32 refers to the capability to inspect the leaktight integrity of
the nozzles. Inspections were acknowledged to be incomplete because of
failure to inspect all nozzles. They were insufficient because it was
acknowledged that visual inspection may be inadequate in detecting
cracks. By virtue of the inadequacy of the inspections in achieving
their intended purpose, GDC 32 was largely not satisfied.
According to the 2002 OIG Event Inquiry [Bel02], FENOC's own risk-
informed evaluation estimated that Davis-Besse had between one and nine
leaking CRDM nozzles, depending on the analysis used. According to the
NRC, FENOC reported [Nrc02c] an estimate of 8.8 leaking nozzles to
ACRS. From the results and analysis of the-inspection data from five
other B&W plants that revealed 16 cracked nozzles in 15 reactor years
of operation [Cam01c] there should be 1-2 leaking nozzles since the
last outage (RFO 12 in April 2000). So from the available data, it was
highly likely that there were leaks in the pressure boundary. These
data were circumstantial as there was no direct evidence of the leaks,
in part due to the inadequacy of the visual inspection techniques.
Given that positive identification of nozzle leakage was not obtainable
because of the nature and capability of the inspections, and given that
multiple analyses show that as many as 9 leaking nozzles were likely,
it can be concluded that Davis-Besse was likely in violation of their
Technical Specifications. This point was further discussed in the NRC
Significance Assessment Report [Dye03].
The incorporation of PRA into the decision-making process at NRC should
have compelled the NRC to consider the likelihood of leaking nozzles in
the decision on whether to allow Davis-Besse to continue to operate.
However, "the NRR Director told OIG that from a legal point of view,
there was an issue about constructing an order without knowing with
certainty that there were cracks" [Bel02]. This position had a
significant impact on the NRC decision as the key decision-maker in
this case, Brian Sheron, believed that NRC had no case to shut down the
plant based on the technical specification that there be no RCPB
leakage. The potential conflict between PRA and legal considerations
must be resolved for PRA to play any role in the decision-making
process of the NRC.
5.3 Balance between Probabilistic and Deterministic Indicators for Risk
Assessment:
NRC management is responsible for decision-making. The technical staff
is responsible for providing the technical case that serves as the
foundation for decisions by
management. The technical case includes both deterministic and PRA
analysis that both involve models, data and calculations.
NRC has adopted "risk-informed" decision-making. However, the process
is ill-defined and lacks guidelines as to exactly how it is supposed to
work. The management does not have a set formula, process or procedure
for incorporating PRA into its decision making process. Brian Sheron
was the key decision-maker in the Davis-Besse case. He stated in the
December 11 interview with the review team that the PRA analysis was
used as a "calibration point" that gives NRC a ballpark figure of the
risk. He indicated that the PRA value is not of much consequence unless
it is of a "wildly" extreme value. He also indicated that there is
little clear guidance on the use of PRA in the decision-making process.
This point was supported by comments from Jack Strosnider and Gary
Holahan who confirmed in their December 11 interview with the review
team that there is no documentation or guidance that outlines to what
extent or how the NRC should weigh the resultant risk number and
uncertainty with respect to the ultimate decision.
This viewpoint indicates that NRC has no predetermined methodology to
weigh the PRA result against a deterministic result or other factors.
That is, the value assigned to the PRA analysis is largely at the
discretion of the decision-maker and there is no guidance as to the
weight to assign to this result. Such a process can result in a
decision in which PRA plays a role anywhere from 0 to 100%. Clearly,
there is need for the NRC to provide guidance for the use of PRA in
decision-making.
6. Review of the November 2001 NRC Decision Regarding Davis-Besse:
6.1 Involvement of NRC Staff and Management in the DB Decision:
The basis of the November 28 decision to allow Davis-Besse to operate
until February 16 was a meeting involving both technical staff and
management. The meeting was called by Brian Sheron and was held on
November 28, 2001. Following discussion of the various issues regarding
Davis-Besse, Brian Sheron asked the staff if they could accept an
extension of operation of the plant until February 16, 2002. Three
staff members had objections. Mr. Sheron then refrained the question
and asked the staff if any of them thought that Davis-Besse was not
safe to operate until that date. None thought that this was the case.
Based on this result, NRC accepted the February 16, 2002 date proffered
by FENOC.
During the discussion, both deterministic analyses and PRA results were
considered. However, a cost-benefit type of analysis of the situation
was not performed. In an interview with the review team, Richard
Barrett explained that NRC followed the RG
1.174 and RIS 2001-02 [Nrc01b] argument, based on a "special
circumstance." This special circumstance was that the regulations (ASME
inspection codes) at the time were not adequate to detect cracked and/
or leaking nozzles and thus NRC had to take special action to address
the special circumstance. Once the existence of a special circumstance
was established, NRC used RG 1.174 to determine if the problem was risk
significant enough. NRC determined that the problem was not risk
significant, per RG 1.174, because "defense-in-depth" was preserved.
Therefore, NRC did not consider the third factor, which would have been
"higher level NRC management thoughts," such as a "cost-benefit"
analysis or impact/burden on license.
However, as noted by several staff, there was pressure on the NRC from
industry, Congress and the NRC Commissioners to keep plants running. It
is not clear how much influence this pressure had on the decision-
making process.
The transparency of the decision-making process within NRC is not
uniform. In the case of a shutdown order, the Executive Director for
Operations (Office Director) would be the official responsible for
signing the order. If the issue does not involve an order,
the process is less clear. The specification of decision-maker appears
to depend on the importance of the issue. There does not appear to be a
policy that identifies what individuals are empowered to make what
decisions. Strosnider and Holahan indicated that a routine response to
a generic letter may be handled by a project manager, or perhaps by the
Divisions of Licensing Project Management, with the concurrence of the
involved sections or other divisions. NRC has no standard process or
guidelines for decision-making. Sometimes the decision process involves
a memo describing the licensee's request and NRC's response that is
routed around and signed off on by relevant NRC staff. Other times, NRC
will pull together a meeting of decision stakeholders.
The lack of an established and well-defined process for decision-making
within the agency is a significant problem that needs to be addressed.
6.2 Coordination among NRR, RES, and Inspectors:
The analysis and decision-making process for the Davis-Besse case
involved numerous individuals and offices. Included in the
consideration of issues regarding Davis-Besse were the Directorate for
Project Licensing & Technical Analysis, the Division of Engineering,
and Division of System Safety and Analysis and the technical staff of
the several Branches that report to those Division Directors of the
Office of Nuclear Reactor Regulation (NRR). In addition, the Office of
Research (RES) and ACRS played roles, as did the regional office and
the regional inspector at Davis-Besse.
While there were a number of individuals and offices involved in the
technical assessment of nozzle cracking, the interplay between offices
and individuals is impossible to reconstruct. However, there are two
cases that highlight problems with
communication between offices and between individuals. The first is in
the assessment of the initiating event probability. Based on interviews
with some 12 different individuals, all significantly involved in the
Davis-Besse issue and analysis, and spanning two Offices, one
Directorate, two Divisions and several Branches, there was no sense of
understanding about how the initiating event probability used in the
PRA analysis was determined and by whom. In fact, the origin of the
value for the initiating event probability that appears to have been
used in the PRA analysis was variously ascribed to Bill Shack at ANL,
FENOC, Framatome and EMC'. Further, the perception of who within NRC
was responsible for establishing this quantity was not consistent. This
situation indicates a very uneven understanding of one of the key
underlying quantities for the entire PRA analysis. The origin of this
term remains an outstanding issue, even with the February 2004 NRC
response [Chu04]. It was clear that there was substantial interaction
among offices and individuals during the period of intense analysis in
the Fall of 2001. However, communication did not appear to be well
structured, complete or effective in establishing a value for the
initiating event probability.
A second problem was evident in the communication between the various
components (headquarters, regional office, regional inspector at Davis-
Besse) of the NRC. The resident inspector appears to have played little
or no role in providing
information relevant to the issues being analyzed at NRC HQ. Further,
there appears to have been no communication between the resident
inspector and HQ. In the December 11th interview with the review team,
Mr. Strosnider stated that it was rare one would think a resident
inspector would offer substantive help. He did not believe that the
resident inspector at Davis-Besse was, in fact, contacted. He also
believed that the resident inspector is busy with other things, and
that he probably had not been part of the
vessel head inspections, and that he lacked the technical aptitude
needed to contribute to the issue.
There were several indications of operational irregularities that
should have been noted by an inspector in residence at the plant. These
include: 1) radiological surveys showing a contamination plume effect
originating from the service structure ventilation exhaust over the
East D-ring [Dye02], 2) significant increase in the cleaning of
containment air coolers, 3) the removal of fifteen, 5-gallon buckets of
boric acid from the ductwork and plenum of the containment air coolers
and the discovery of significant boric acid elsewhere in the
containment, such as service water piping, stairwells, and other areas
of low ventilation, and 4) the sudden change to rust-colored boric acid
in June of 1999. That these events were occurring without the knowledge
or appreciation of the resident NRC inspector highlights a major
weakness of the role of the resident inspector in helping to ensure
safe operation of the plant at which he/she is stationed.
6.3 Arbitrariness of the Requested Shutdown Date:
The 12/31/01 date for completing inspections of reactor vessel head
nozzles imposed on licensees by the NRC was arbitrarily set. The
arbitrariness of the 12/31/01 date was confirmed by Brian Sheron in his
interview with the review committee in which he stated that there was
nothing magical about the December 31st date, and that it just as
easily could have been February 28tH or March 31st.
The arbitrariness of the date caused difficulty for the NRC when
challenged by FENOC. The challenge resulted in a perceived reversal of
the burden of proof from the licensee to the NRC. NRC believed that
they needed to make a case in order to force a shutdown of DB to look
for cracks. Unfortunately, their authority to act was perceived to be
undermined by the lack of a defensible rationale for the selection of
the inspection date.
NRC has been encouraging the use of risk analysis as part of the risk-
informed decision-making process. Yet NRC did not consider including
risk analysis in the original call for inspection. The inclusion of risk
analysis in the formulation of the inspection date could have provided
the NRC with the justification for enforcement that they lacked under
the present circumstances. If the call for inspection were based on a
risk-informed decision-making strategy, then the calculations of the
likelihood of nozzle failure and LOCA would have provided the support
they needed to call for an inspection. The practical considerations in
this strategy are not trivial. Yet had NRC followed its commitment to
incorporate risk analysis in its decision-making process at the outset,
the decision regarding Davis-Besse may have been much more
straightforward.
6.4 The Role of NRC's Advisory Committee on Reactor Safeguards:
Although we recognize that ACRS does not provide routine guidance on
plant-specific issues, we feel that NRC staffs should have recognized
the CRDM nozzle failures as a generic issue and should have solicited
in-depth assistance from ACRS before the 28 November 2001 decision.
Thus, relying on a narrow interpretation of the CRDM nozzle . failure
issues, the staff missed an opportunity to obtain important expert
perspectives on the issues. We recommend that the NRC staff make more
direct use of ACRS to augment in-house expertise on the staff, which
may be limiting at times.
6.5 NRC Staff Workload Affecting Its Ability for Detailed Risk
Assessment:
An NRC manager raised the question if NRC had sufficient personnel,
given the workload, to perform detailed studies on complex regulatory
or licensing issues such as the Davis-Besse case. Although the upper
level management seems to be satisfied with the overall staff
performance, we recommend a review of the workload and technical
competence of the staff required to provide licensing and regulatory
support in a timely manner.
6.6 Davis-Besse, NRC, and Three Mile Island:
The human errors on the parts of Davis-Besse and NRC, resulting in a
near miss of a serious accident, echo a similar chain of events that
originated at Davis-Besse in 1977 and culminated in America's most
serious reactor accident at Three Mile Island in 1979. It began in
September 1977 at Davis-Besse when a relief valve on the reactor
coolant pressurizer stuck open. The coolant pressure fell but the water
level in the pressurizer increased, the result of an anomaly in the
pressurizer piping. Thinking that the reactor was getting too much
water, the operator improperly interfered with the high-pressure
injection system. Fortunately, a supervisor recognized what was
happening and closed the relief valve twenty minutes later and re-
admitted coolant. No damage was done to the reactor because it had been
operating at only 9 percent power.
The incident was investigated by both NRC and by B&W, the reactor
supplier, but no information calling attention to the correct operating
actions was provided to other utilities. A B&W engineer had stated in
an internal memorandum that if the Davis-Besse event had occurred in a
reactor operating at full power, "it is quite possible, perhaps
probable, that core uncovering and possible fuel damage would have
occurred.":
In 1978 an NRC official pointed out the likelihood of erroneous
operator action in B&W reactors. The NRC did not notify utilities about
the lessons learned at Davis-Besse and the pressing need for new
training to avoid the confusing interpretation of water level
indicators at B&W plants. Fourteen months later the core-melt accident
happened at Three Mile Island.
In March 1979, a similar B&W reactor was operating at full power at
Three Mile Island in Pennsylvania. Again, the pressure relief valve
stuck open, reactor coolant escaped, coolant pressure fell and the
operators made the same mistake as had the operators two years earlier
at Davis-Besse. They turned off the high-pressure coolant injection.
Unfortunately, the ensuing control room confusion did not lead to
early
diagnosis and restoration of reactor water. With. the high-pressure
injection water incorrectly turned off, the reactor continued to
generate heat and boil coolant, ultimately uncovering the reactor core
and melting a substantial portion of the reactor fuel. When a
supervisor finally diagnosed the problem and restored high-pressure
injection water, some two hours later, enormous fuel damage had been
done and considerable radioactivity released to the reactor building.
The President's Commission on the Accident at Three Mile Island [Kem79]
concluded that the major factor that turned the TMI incident into a
serious accident was inappropriate operator action, deficiencies in
training and failure of responsible organizations, especially the NRC,
to learn the proper lessons from previous incidents. There was a
serious lack of recognition of the safety implications of new
information and there was serious lack of questioning of the adequacy
of assumptions made in the reactor design, in the operating procedures,
and in the follow up of events. The Commission concluded that, starting
with the Davis-Besse 1977 event and given all the deficiencies of the
safety system and its regulation, an accident like Three Mile Island
was eventually inevitable.
For many months and even years it was not realized that the TMI
accident had resulted in such extensive core damage. More responsive
earlier analyses by NRC of the 1977 Davis-Besse precursor event and its
potential consequences would have alerted NRC to forewarn the utilities
of the incipient danger. Similarly, the seeming lack of aggressive
followup by NRC and industry to understand the risks from the recent
near miss at Davis-Besse is a serious concern. History should not be
allowed to repeat itself.
7. Recommendations for Improved Use of Probabilistic Risk Assessment:
There are several ways in which NRC can improve the use of PRA in its
decision-making process:
(1) Establish an appreciation for PRA across the spectrum of NRC
technical and managerial personnel. There is great divergence in the
appreciation for, and understanding of PRA and its value in the
decision-making process. In a sense, NRC needs to get their staff "on
the same page" with regard to PRA applications in regulatory and
licensing issues.
(2) Establish a set of guidelines for the use of PRA in decision-
making. No guidelines currently exist for how PRA should be
incorporated into the decision-making process other than the general
philosophy that risk analysis should be part of a risk-informed
decision-making process. A set of guidelines that establishes the level
and nature of consideration of PRA is needed. In particular, guidance
should be provided on how to balance PRA results against deterministic
or qualitative evaluations, especially when the PRA results are subject
to large uncertainties.
(3) Establish a set of guidelines for how decisions are made at NRC and
by whom. This is a necessary precursor to the success of recommendation
2. The decision-making process must be defined in order to incorporate
risk analysis into that process. Further, the offices and individuals
responsible for making decisions need to be defined in order to
successfully determine who needs to be aware of and familiar with PRA
as discussed in recommendation 1.
(4) Establish a better protocol for estimating and incorporating
uncertainties in PRA. PRA results without associated uncertainties are
of little value. As a result, it is difficult to incorporate results of
an analysis into a decision strategy without an understanding of the
bounds of the validity of the result.
(5) Provide for unanticipated events. Corrosion of the Davis-Besse
pressure vessel head was not an anticipated event. As put by NRC
personnel, it was not even on the radar screen. As such, it was not
incorporated into the event tree analysis in PRA. However, PRA needs to
be able to anticipate the consequences of such oversight.
(6) Establish a better system at NRC for recognizing generic problems
and transmitting information and concerns about these potential
problems to other plants.
(7) NRC should issue preliminary analyses of risks from nozzle cracking
that include leakage through axial cracks, evaporation of leaking
coolant, concentration of and corrosion by boric acid, corrosion of the
carbon-steel vessel and the vessel liner, the time-dependent
probability of rupture of the corroded vessel, core damage resulting
from loss of coolant, and the effects of human failure to make and
interpret surveillance inspections. The results and possible
interpretations of the recent Oak Ridge tests of vessel failure should
be made known to the safety community.
References:
[Acr02] Transcript of the 491st Meeting of the Advisory Committee on
Reactor Safeguards, U. S. Nuclear Regulatory Commission (2002).
[Bar03] R. Barrett. "Note for GAO Meeting on Dec 1, 2003," private
communication to the review committee (2003).
[Bel02] H. T. Bell, "NRC's Regulation of Davis-Besse Regarding Damage
to the Reactor Vessel Head (Case No. 02-03S)," U. S. Nuclear Regulatory
Commission (2002).
[Cam01a] G. G. Campbell, "Response to NRC Bulletin 2001-01,
Circumferential Cracking of Reactor Pressure Vessel Head Penetration
Nozzles," FirstEnergy Nuclear Operating Company, Docket Number 50-346,
License Number NPF-3, Serial Number 2731 (2001).
[Cam0lb] G. G. Campbell, "Response to Requests for Additional
Information Concerning NRC Bulletin 2001-01, Circumferential Cracking
of Reactor Pressure Vessel Head Penetration Nozzles," FirstEnergy
Nuclear Operating Company, Docket Number 50-346, License Number NPF-3,
Serial Number 2741 (2001).
[Cam0lc] G. G. Campbell, "Transmittal of Davis-Besse Nuclear Power
Station Risk Assessment of Control Rod Drive Mechanism Nozzle Cracks,"
FirstEnergy Nuclear Operating Company, Docket Number 50-346, License
Number NPF-3, Serial Number 2745 (2001).
[Cam01d] G. G. Campbell, "Supplemental Information in Response to NRC
Bulletin 2001-01, Circumferential Cracking of Reactor Pressure Vessel
Head Penetration Nozzles," FirstEnergy Nuclear Operating Company,
Docket Number 50-346, License Number NPF-3, Serial Number 2735 (2001).
[Chu04] J. Chung, R. Barrett, and G. Holahan, "Response to GAO
Questions," communication to M. B. McWreath, February 24, 2004.
[Dye02] "Davis-Besse Nuclear Power Station NRC Augmented Inspection
Team - Degradation of the Reactor Pressure Vessel Head, Report No. 50-
346/02-03(DRS)," U. S. Nuclear Regulatory Commission (2002).
[Dye03] J. E. Dyer, "Davis-Besse Control Rod Drive Mechanism
Penetration Cracking and Reactor Pressure Vessel Head Degradation
Preliminary Significance Assessment, Report No. 50-346/2002-08(DRS),"
U. S. Nuclear Regulatory Commission (2003).
[Epr01] "Boric Acid Corrosion Handbook, Revision 1," Report 1000975,
Electric Power Research Institute (2001).
[Fle03] K. N. Fleming, "Issues and Recommendations for Advancement of
PRA Technology in Risk-Informed Decision Making," NUREG/CR-6813, U. S.
Nuclear Regulatory Commission (2003).
[Hub03] "NRC's Oversight of Davis-Besse Boric Acid Leakage and
Corrosion During the April 2000 Refueling Outage (Case No. 03-02S),"
Memorandum from H. T. Bell,
Inspector General, to Chairman Diaz, U. S. Nuclear Regulatory
Commission, October 17, 2003.
[Kem79] J. G. Kemeny, B. Babbitt, P. E. Haggerty, C. Lewis, P. A.
Marks, C. B. Marrett, L. McBride, H. C. McPherson, R. W. Peterson, T.
H. Pigford, T. B. Taylor, A. D. Trunk, "The Need For Change: The Legacy
of TMI," Report of the Presidential Commission on The Accident at Three
Mile Island (1979).
[Nei96] "Industry Guideline for Monitoring the Effectiveness of
Maintenance at Nuclear Power Plants," NUMARC 93-01, Rev. 2, Nuclear
Energy Institute (1996).
[Nrc01a] "Preliminary Staff Technical Assessment for Pressurized Water
Reactor Vessel Head Penetration Nozzles Associated with NRC Bulletin
2001-01, Circumferential Cracking of Reactor Pressure Vessel Head
Penetration Nozzles," U. S. Nuclear Regulatory Commission (2001).
[Nrc01b] "Guidance on Risk-informed Decisionmaking in License Amendment
Reviews," Regulatory Issue Summary (RIS) 2001-02, U. S. Nuclear
Regulatory Commission (2001).
[Nrc01c] "Circumferential Cracking of Reactor Pressure Vessel Head
Penetration Nozzles," U. S. Nuclear Regulatory Commission (2001).
[Nrc02a] "An Approach for Using Probabilistic Risk Assessment in Risk-
Informed Decisions on Plant-Specific Changes to the Licensing Basis,"
Regulatory Guide 1.174, U. S. Nuclear Regulatory Commission (2002).
[Nrc02b] "Davis-Besse Reactor Vessel Head Degradation Lessons-Learned
Task Force Report," U. S. Nuclear Regulatory Commission (2002).
[Nrc02c] Transcript of the 20 August 2002 Interview, Office of
Investigations, U. S. Nuclear Regulatory Commission (2002).
[Nrc03] "An Approach for Determining the Technical Adequacy of
Probabilistic Risk Assessment Results for Risk-Informed Activities,"
Regulatory Guide 1.200, U. S. Nuclear Regulatory Commission (2003).
[Nrc90] "Severe Accident Risks: An Assessment for Five U.S. Nuclear
Power Plants," NUREG-1150, U. S. Nuclear Regulatory Commission (1990).
[Nrc98] "An Approach for Plant-Specific Risk-Informed Decisionmaking:
Technical Specifications," Regulatory Guide 1.177, U.S. Nuclear
Regulatory Commission (1998).
[Pin03a] Platts: Inside NRC, McGraw-Hill Companies, February 16, 2003.
[Pin03b] Platts: Inside NRC, McGraw-Hill Companies, November 3, 2003.
[Pol99] J. P. Poloski, et al., "Rates of Initiating Events at U. S.
Nuclear Power Plants: 1987-1995," NUREG/CR-5750, U. S. Nuclear
Regulatory Commission (1999).
[Rau03] W. S. Raughley and G. F. Lanik, "Regulatory Effectiveness of
the Anticipated Transient Without Scram Rule," NUREG-1780, U. S.
Nuclear Regulatory Commission (2003).
[Rei03] "Jin Chung's email dated May 29, 2003 and subsequent
discussion," email communication from M. Reinhart, November 25, 2003.
[Sap98] "Systems Analysis Program for Hands-On Integrated Reliability
Evaluations (SAPHIRE)," Technical Reference Manual, Version 6, NUREG/
CR-6116, U. S. Nuclear Regulatory Commission (1998).
[Sat00] M. B. Sattison, J. K. Knudsen, L. M. Wolfram, and S. T. Beck,
"Standardized Plant Analysis Risk Model for Davis-Besse," ASP PWR D,
Rev. 3i, Idaho National Engineering and Environmental Laboratory
(2000).
[Sci83] "The Salem Case: A Failure of Nuclear Logic," Science, 220,280
(1983).
[Sha0l] W. Shack, DavisBesseANL.pdf file, October 27, 2001.
[Sha03] W. Shack, Integrated model outline.pdf file, private
communication to G. S. Was, 2003.
[Sia02] "Elastic-Plastic Finite Element Stress Analysis of Davis-Besse
RPV Head Wastage Cavity with Different Enlarged Areas and Thicknesses,"
Non-Proprietary Version, Structural Integrity Associates, Inc. (2002).
[Sri98] "Boric Acid Corrosion Evaluation (BACE) Corrosion Program --
Phase II Corrosion Testing," Topical Report, Southwest Research
Institute (1998).
[Tru95] D. True, K. Fleming, G. Parry, B. Putney, and J-P Sursock, "PSA
Applications Guide," TR-105396, Electric Power Research Institute
(1995).
[End of section]
Appendix III: Davis-Besse Task Force Recommendations to NRC and Their
Status, as of March 2004:
Completed recommendations:
Recommendation: Either fully implement or revise guidance to manage
licensee commitments. Determine whether the periodic report on
commitment changes submitted by licensees should continue;
NRC actions and status as of March 2004: Revised instructions for these
submittals and reviews to ensure that these tasks are accomplished.
Completed in May 2003.
Recommendation: Determine if stress corrosion cracking models are
appropriate for predicting susceptibility of vessel head penetration
nozzles to pressurized water stress corrosion cracking. Determine if
additional analysis and testing is needed to reduce modeling
uncertainties for their continued applicability in regulatory decision
making;
NRC actions and status as of March 2004: Evaluated existing stress
corrosion cracking models for their continuing use in determining
susceptibility. Completed in July 2003.
Recommendation: Revise the problem identification and resolution
approach so that safety problems noted in daily licensee reports are
reviewed and assessed. Enhance guidance to prescribe the format of
information that is screened when deciding which problems to review;
NRC actions and status as of March 2004: Revised inspection procedure
for determining licensee ability to promptly identify and resolve
conditions adverse to quality or safety. Completed in September 2003.
Recommendation: Provide enhanced inspection guidance to pursue issues
and problems identified during reviews of plant operations;
NRC actions and status as of March 2004: Revised inspection procedure
for determining licensee capability to promptly identify and resolve
conditions adverse to quality or safety. Completed in September 2003.
Recommendation: Revise inspection guidance to provide for longer-term
follow-up of previously identified issues that have not progressed to
an inspection finding;
NRC actions and status as of March 2004: Revised inspection procedure
for determining licensee capability to promptly identify and resolve
conditions adverse to quality or safety. Completed in September 2003.
Recommendation: Revise inspection guidance to assess (1) the safety
implications of long-standing unresolved licensee equipment problems,
(2) the impact of phased in corrective actions, and (3) the
implications of deferred plant modifications;
NRC actions and status as of March 2004: Revised inspection procedure
for determining licensee capability to identify and resolve conditions
adverse to quality or safety. Completed in September 2003.
Recommendation: Revise inspection guidance to allow for establishing
reactor oversight panels even when a significant performance problem,
as defined under NRC's Reactor Oversight Process, does not exist;
NRC actions and status as of March 2004: Revised inspection guidance
for establishing reactor oversight panels. Completed in October 2003.
Recommendation: Assess the scope and adequacy of requirements for
licensees to review operating experience;
NRC actions and status as of March 2004: Included in NRC's
recommendation to develop a program for collecting, analyzing, and
disseminating information on experiences at operating reactors.
Completed in November 2003.
Recommendation: Ensure inspector training includes (1) boric acid
corrosion effects and control, and (2) pressurized water stress
corrosion cracking of nickel-based alloy nozzles;
NRC actions and status as of March 2004: Developed and implemented Web-
based training and a means for ensuring training is completed.
Completed in December 2003.
Recommendation: Provide training and reinforce expectations to managers
and staff to (1) maintain a questioning attitude during inspection
activities, (2) develop inspection insights from Davis-Besse on
symptoms of reactor coolant leakage, (3) communicate expectations to
follow up recurring and unresolved problems, and (4) maintain an
awareness of surroundings while conducting inspections. Establish
mechanisms to perpetuate this training;
NRC actions and status as of March 2004: Developed Web-based inspector
training and a means for ensuring that training has been completed. NRC
headquarters provided an overview of the training to NRC regional
offices. (Training modules will be added and updated as needed.)
Completed in December 2003.
Recommendation: Reinforce expectations that regional management should
make every effort to visit each reactor at least once every 2 years;
NRC actions and status as of March 2004: Discussed at regional
counterparts meeting. Completed in December 2003.
Recommendation: Develop guidance to address impacts of regional
oversight panels on regional resource allocations and organizational
alignment;
NRC actions and status as of March 2004: Evaluated past and present
oversight panels. Developed enhanced inspection approaches for
oversight panels and issued revised procedures. Completed in December
2003.
Recommendation: Evaluate (1) the capacity to retain operating
experience information and perform long-term operating experience
reviews;
(2) thresholds, criteria, and guidance for initiating generic
communications;
(3) opportunities for more gains in effectiveness and efficiency by
realigning the organization (i.e., feasibility of a centralized
operating experience "clearinghouse");
(4) effectiveness of the generic Issues program;
and (5) effectiveness of internal dissemination of operating experience
information to end users;
NRC actions and status as of March 2004: Developed program objectives
and attributes and obtained management endorsement of a plan to
implement the recommendation. Developed specific recommendations to
improve program. Evaluation completed in November 2003. (Implementation
of recommendations resulting from this evaluation expected to be
completed in December 2004.).
Recommendation: Ensure that generic requirements or guidance are not
inappropriately affected when making unrelated changes to other
programs, processes, guidance, etc;
NRC actions and status as of March 2004: Revised inspection guidance.
Completed in February 2004.
Recommendation: Develop inspection guidance to assess scheduler
influences on amount of work performed during refueling outages;
NRC actions and status as of March 2004: Revised the appropriate
inspection procedure. Completed in February 2004.
Recommendation: Establish guidance to ensure that NRC decisions
allowing licensees to deviate from guidelines and recommendations
issued in generic communications are adequately documented;
NRC actions and status as of March 2004: Update guidance to address
documentation. Develop training and distribute to NRC offices and
regions to emphasize compliance with the updated guidance. Follow up to
assess the effectiveness of the training. Completed follow-up in
February 2004.
Recommendation: Develop or revise inspection guidance to ensure that
NRC reviews vessel head penetration nozzles and the reactor vessel head
during licensee inspection activities;
NRC actions and status as of March 2004: Develop or revise inspection
guidance to ensure that nozzles and the vessel head are reviewed during
licensee inspection. Issued interim guidance in August 2003 and a
temporary inspection procedure in September 2003. Additional guidance
expected in March 2004.
Recommendation: Develop inspection guidance to assess (1) repetitive or
multiple technical specification actions in NRC inspection or licensee
reports, and (2) radiation dose implications for conducting repetitive
tasks;
NRC actions and status as of March 2004: Revise the appropriate
inspection procedure to reflect this need. Completion expected in March
2004.
Recommendation: Develop guidance to periodically inspect licensees'
boric acid corrosion control programs;
NRC actions and status as of March 2004: Issued temporary guidance in
November 2003. Completion of further inspection guidance changes
expected in March 2004.
Recommendation: Reinforce expectations for managers responsible for
overseeing operations at nuclear power plants regarding site visits,
coordination with resident inspectors, and assignment duration.
Reinforce expectations to question information about operating
conditions and strengthen guidance for reviewing license amendments to
emphasize consideration of current system conditions, reliability, and
performance data in safety evaluation reports. Strengthen guidance for
verifying licensee-provided information;
NRC actions and status as of March 2004: Update project manager
handbook that provides guidance on activities to be conducted during
site visits and interactions with NRC regional staff. Also, revise
guidance for considering plant conditions during licensing action and
amendment reviews. Completion expected in March 2004.
Recommendation: Assemble and analyze foreign and domestic information
on Alloy 600 nozzle cracking. If additional regulatory action is
warranted, propose a course of action and implement a schedule to
address the results;
NRC actions and status as of March 2004: Assemble and analyze alloy 600
cracking data. Completion expected in March 2004.
Recommendations due to be completed between April and December 2004:
Recommendation: Conduct an effectiveness review of actions taken in
response to past NRC lessons-learned reviews;
NRC actions and status as of March 2004: Review past lessons- learned
actions. Completion expected in April 2004.
Recommendation: Provide inspection and oversight refresher training to
managers and staff;
NRC actions and status as of March 2004: Develop a training module.
Completion expected in June 2004.
Recommendation: Establish guidance for accepting owners group and
industry recommended resolutions for generic communications and generic
issues, including guidance for verifying that actions are taken;
NRC actions and status as of March 2004: Revise office instructions to
provide recommended guidance. Completion expected in June 2004.
Recommendation: Review inspection guidance to determine the inspection
level that is sufficient during refueling outages, including inspecting
reactor areas inaccessible during normal operations and passive
components;
NRC actions and status as of March 2004: Revised an inspection
procedure to reflect these changes. Some inspection procedure changes
were completed in November 2003, and additional changes are expected in
August 2004.
Recommendation: Evaluate, and revise as necessary, guidance for
proposing candidate generic issues;
NRC actions and status as of March 2004: Evaluate and revise guidance.
Completion expected in October 2004.
Recommendation: Assemble and analyze foreign and domestic information
on boric acid corrosion of carbon steel. If additional regulatory
action is warranted, propose a course of action and implement a
schedule to address the results;
NRC actions and status as of March 2004: Review Argonne National
Laboratory study on boric acid corrosion. Analyze data to revise
inspection requirements. Completion expected in October 2004.
Recommendation: Conduct a follow-on verification of licensee actions to
implement a sample of significant generic communications with emphasis
on those that are programmatic in nature;
NRC actions and status as of March 2004: Screen candidate generic
communications to identify those most appropriate for follow-up using
management-approved criteria. Develop and approve verification plan.
Completion expected in November 2004.
Recommendation: Strengthen inspection guidance for periodically
reviewing licensee operating experience;
NRC actions and status as of March 2004: Incorporated into the
recommendation pertaining to NRC's capacity to retain operating
experience information. Completion expected in December 2004.
Recommendation: Enhance the effectiveness of processes for collecting,
reviewing, assessing, storing, retrieving, and disseminating foreign
operating experience;
NRC actions and status as of March 2004: Incorporated into the
recommendation pertaining to NRC's capacity to retain operating
experience information. Completion expected in December 2004.
Recommendation: Update operating experience guidance to reflect the
changes implemented in response to recommendations for operating
experience;
NRC actions and status as of March 2004: Incorporated into the
recommendation pertaining to NRC's capacity to retain operating
experience information. Completion expected in December 2004.
Recommendation: Review a sample of NRC evaluations of licensee actions
made in response to owners groups' commitments to identify whether
intended actions were effectively implemented;
NRC actions and status as of March 2004: Conduct the recommended
review. Completion expected in December 2004.
Recommendation: Develop general inspection guidance to periodically
verify that licensees implement owners groups' commitments;
NRC actions and status as of March 2004: Develop inspection procedure
to provide a mechanism for regions to support project managers' ability
to verify that licensees implement commitments. Completion expected in
December 2004.
Recommendation: Conduct follow-on verification of licensee actions
pertaining to a sample of resolved generic issues;
NRC actions and status as of March 2004: No specific actions have been
identified. Completion expected in December 2004.
Recommendation: Review the range of baseline inspections and plant
assessment processes to determine sufficiency to identify and dispose
of problems like those at Davis-Besse;
NRC actions and status as of March 2004: No specific actions have been
identified. Completion expected in December 2004.
Recommendation: Identify alternative mechanisms to independently assess
licensee plant performance for self-assessing NRC oversight processes
and determine the feasibility of such mechanisms;
NRC actions and status as of March 2004: No specific actions have been
identified. Completion expected in December 2004.
Recommendation: Establish measurements for resident inspector staffing
levels and requirements, including standards for satisfying minimum
staffing levels;
NRC actions and status as of March 2004: Develop standardized staffing
measures and implement details. Metrics were developed in December
2003. Completion expected in December 2004.
Recommendation: Structure and focus inspections to assess licensee
employee concerns and a "safety conscious work environment.";
NRC actions and status as of March 2004: No specific actions have been
identified. Completion expected in December 2004.
Recommendations due to be completed in calendar year 2005:
Recommendation: Develop inspection guidance and criteria for addressing
licensee response to increasing leakage levels and/or adverse trends in
unidentified reactor coolant system leakage;
NRC actions and status as of March 2004: Develop recommendations for
guidance with action levels to trigger greater NRC interaction with
licensees in response to increased leakage. Completion expected in
January 2005.
Recommendation: Reassess the basis for the cancellation, in 2001, of
certain inspection procedures (i.e., boric acid control programs and
operational experience feedback) to assess if these procedures are
still applicable;
NRC actions and status as of March 2004: Review revised procedures and
reactivate as necessary. Completion expected in March 2005.
Recommendation: Assess requirements for licensee procedures to respond
to plant alarms for leakage to determine whether requirements are
sufficient to identify reactor coolant pressure boundary leakage;
NRC actions and status as of March 2004: Review and assess adequacy of
requirements and develop recommendations to (1) improve procedures to
identify leakage from boundary, (2) establish consistent technical
specifications for leakage, and (3) use enhanced leakage detection
systems. Completion expected in March 2005.
Recommendation: Determine whether licensees should install enhanced
systems to detect leakage from the reactor coolant system;
NRC actions and status as of March 2004: Re-evaluate the basis for
current leakage requirements and assess the capabilities of current
leakage detection systems. Develop recommendations to (1) improve
procedures for identifying leakage, (2) establish consistent technical
specifications, and (3) use enhanced leakage detection systems.
Completion expected in March 2005.
Recommendation: Inspect the adequacy of licensee's programs to control
boric acid corrosion, including effectiveness of implementation;
NRC actions and status as of March 2004: Develop guidance to assess
adequacy of corrosion control programs, including implementation and
effectiveness, and evaluate the status of this effort after the first
year of inspections. Guidance expected to be developed by March 2004.
Follow-up scheduled for completion in March 2005.
Recommendation: Continue ongoing efforts to review and improve the
usefulness of barrier integrity performance indicators and evaluate the
use of primary system leakage that licensees have identified but not
yet corrected as a potential indicator;
NRC actions and status as of March 2004: Develop and implement improved
performance indicators based on current requirements and measurements.
Explore the use of additional performance indicators to track the
number, duration, and rate of system leakage. Determine the feasibility
of establishing a risk-informed performance indicator for barrier
integrity. Completion expected in December 2005.
Recommendations whose completion dates have yet to be determined:
Recommendation: Encourage the American Society of Mechanical Engineers
to revise inspection requirements for nickel-based alloy nozzles.
Encourage changes to requirements for nonvisual, nondestructive
inspections of vessel head penetration nozzles. Alternatively, revise
NRC regulations to address the nature and scope of these inspections;
NRC actions and status as of March 2004: Monitor and provide input to
industry efforts to develop revised inspection requirements.
Participate in American Society of Mechanical Engineers' meetings and
communicate with appropriate stakeholders. Decide whether to endorse
the revised American Society of Mechanical Engineers' code
requirements. These actions parallel a larger NRC rulemaking effort.
Completion date yet to be determined.
Recommendation: Revise processes to require short-and long-term
verification of licensee actions to respond to significant NRC generic
communications before closing out issues;
NRC actions and status as of March 2004: Target date to be set upon
completion of review of NRC's generic communications program.
Completion date yet to be determined.
Recommendation: Determine whether licensee reactor vessel head
inspection summary reports should be submitted to NRC and, if so,
revise submission requirements and report disposition guidance, as
appropriate;
NRC actions and status as of March 2004: Will be included as part of
revised American Society of Mechanical Engineers' requirements for
inspection of reactor vessel heads and vessel head penetration nozzles.
Completion date yet to be determined.
Recommendation: Evaluate the adequacy of methods for analyzing the risk
of passive component degradation and integrate these methods and risks
into NRC's decision-making processes;
NRC actions and status as of March 2004: No specific actions have been
identified. Completion date yet to be determined.
Recommendation: Review pressurized water reactor technical
specifications to identify plants that have nonstandard reactor coolant
pressure boundary leakage requirements and change specifications to
make them consistent among all plants;
NRC actions and status as of March 2004: Assessed plants for
nonstandard technical specifications. Completed in July 2003. Change
leakage detection specifications in coordination with other changes in
leakage detection requirements. Completion date yet to be determined.
Recommendation: Improve requirements for unidentified leakage in
reactor coolant system to ensure they are sufficient to (1)
discriminate between unidentified leaks from the coolant system and
leaks from the reactor coolant pressure boundary and (2) ensure that
plants do not operate with pressure boundary leakage;
NRC actions and status as of March 2004: Issue regulations implementing
the improved requirements when these requirements are determined.
Completion date yet to be determined.
Recommendation: NRC should review a sample of plant assessments
conducted between 1998 and 2000 to determine if any identified plant
safety issues have not been adequately assessed;
NRC actions and status as of March 2004: No specific actions have been
identified. Completion expected in March 2004.
Recommendations rejected by NRC management:
Recommendation: Review industry approaches licensees use to consider
economic factors for inspection and repair and consider this
information in formulating future positions on the performance of non-
visual inspections of vessel head penetration nozzles;
NRC actions and status as of March 2004: Recommendation rejected by NRC
management. No completion date.
Recommendation: Revise the criteria for review of industry topical
reports to allow for NRC staff review of safety-significant reports
that have generic implications but have not been formally submitted for
NRC review in accordance with the existing criteria;
NRC actions and status as of March 2004: Recommendation rejected by NRC
management. No completion date.
Source: GAO analysis of NRC data.
[End of table]
[End of section]
Appendix IV: Comments from the Nuclear Regulatory Commission:
UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001:
May 5, 2004:
Mr. James Wells, Director:
Natural Resources and Environment
United States General Accounting Office
441 G Street, NW:
Washington, D.C. 20548:
Dear Mr. Wells:
On behalf of the U.S. Nuclear Regulatory Commission (NRC), I am
responding to your letter of April 2, 2004, requesting the NBC's review
of the draft report entitled "Nuclear Regulation: NRC Needs to More
Aggressively and Comprehensively Resolve Issues Related to the Davis-
Besse Nuclear Power Plant's Shutdown" (GAO-04-415). I appreciate the
opportunity to provide comments to the General Accounting Office (GAO)
on this report.
I am concerned that the draft report does not appropriately
characterize or provide a balanced perspective on the NBC's actions
surrounding the discovery of the Davis-Besse reactor vessel head
condition or NBC's actions to incorporate the lessons learned from that
experience into our processes. The NRC also does not agree with two of
the report's recommendations, as discussed in the following paragraphs.
The first sentence of the draft report states: "...oversight did not
generate accurate, complete information on plant conditions." I agree
that our oversight program should have identified certain evolving
plant conditions for regulatory follow-up. This was also identified in
the report of the Davis-Besse Lessons Learned Task Force (LLTF) that
the NRC formed to ensure that lessons from the Davis-Besse experience
are learned and appropriately captured in the NBC's formal processes.
However, the draft report does not acknowledge that the NRC, in
carrying out its safety responsibilities, must rely heavily on our
licensees to provide us with complete and accurate information. In
fact, Title 10 of the Code of Federal Regulations Section 50.9 requires
that information provided to the NRC by a licensee be complete and
accurate in all material respects. The report should clearly indicate
that NBC's licensees are responsible for providing us with accurate and
complete information. While the NBC's Davis-Besse LLTF concluded that
the NRC, the Davis-Besse licensee (FirstEnergy), and the nuclear
industry failed to adequately review, assess, and follow up on relevant
operating experience, they also noted that the information that
FirstEnergy provided in response to Bulletin 2001-01, "Circumferential
Cracking of Reactor Pressure Vessel Head Penetration Nozzles" was
inconsistent with information identified by the task force. Further,
the LLTF report stated that had this information been known in the fall
of 2001, "...the NRC may have identified the VHP [vessel head
penetration] nozzle leaks and RPV [reactor pressure vessel] head
degradation a few months sooner than the March 2002 discovery by the
licensee." As you are aware, there is an ongoing investigation by the
Department of Justice regarding the completeness and accuracy of
information that FirstEnergy provided to the NRC on the condition of
Davis-Besse.
The NRC is particularly concerned about the draft report's
characterization of the NBC's use of risk estimates. The statement in
the report that the NBC's "estimate of risk exceeded the risk
levels generally accepted by the agency" is not factually correct. NRC
officials pointed out to GAO and GAO's consultants, both in interviews
and in written responses to GAO questions, that our estimate of delta
core damage frequency was 5x10[^-6] per reactor year, not 5x10^-5 per
reactor year as indicated in the report. In fact, the NRC staff safety
evaluation (attached to a December 3, 2002, letter to FirstEnergy)
stated that the change in core damage frequency due to the potential
for control rod drive mechanism nozzle ejection was consistent with the
guidelines of Regulatory Guide 1.174, "An Approach for Using
Probabilistic Risk Assessment in Risk-Informed Decisions on Plant-
Specific Changes to the Licensing Basis." The enclosure to this letter
provides detailed comments on issues of correctness and clarity in the
report, many of which are related to the NBC's estimate of risk at
Davis-Besse.
We disagree with the finding that the NRC does not have specific
guidance for deciding on plant shutdowns and with the report's related
recommendation identifying the need for NRC to develop specific
guidance and a well-defined process for deciding when to shut down a
nuclear power plant. We believe our regulations, guidance, and
processes that cover whether and when to shut down a plant are robust
and do, in fact, provide sufficient guidance in the vast majority of
situations. Plant technical specifications, as well as many other NRC
requirements and processes, provide a spectrum of conditions under
which plant shutdown would be required. Plants have shut down numerous
times in the past in accordance with NRC requirements. From time to
time, however, a unique situation may present itself wherein sufficient
information may not exist or the information available may not be
sufficiently clear to apply existing rules and regulations
definitively. In these unique instances, the NBC's most senior
managers, after consultation with staff experts and given all of the
information available at the time, will decide whether or not to
require a plant shutdown. Risk information is used in accordance with
Regulatory Guide 1.174. This process considers deterministic factors as
well as probabilistic factors (i.e., risk information). We regard the
combined use of deterministic and probabilistic factors to be a
strength of our decision-making process.
Another issue identified in the draft report as a systemic weakness is
that the NRC has not proposed specific actions to address a licensee's
commitment to safety, also known as safety culture. We disagree with
the report's recommendation that NRC should develop a methodology to
assess licensees' safety culture that includes indicators of and/or
information on patterns of licensee behavior, as well as on licensee
organizational structures and processes. To date, the Commission has
specifically decided not to conduct direct evaluations or inspections
of safety culture as a routine part of assessing licensee performance
due to the subjective nature of such evaluations. As regulators, we are
not charged with managing our licensees' facilities. Direct involvement
with safety culture, organizational structure, and processes crosses
over to a management function. The NRC does conduct a number of
assessments that adequately evaluate how effectively licensees are
managing safety. These include an inspection procedure for assessing
licensees' employee concerns programs, the NRC allegation program,
enforcement of employee protection regulations, and safety-conscious
work environment assessments during problem identification and
resolution (PI&R) inspections. In addition, the NBC's LLTF made several
recommendations (which are being addressed) to enhance the NBC's
capability in this area. The NRC does not assess, nor does it plan to
assess, licensee management competence, capability, or optimal
organizational structure as part of safety culture.
While there are a number of factual errors in the draft report, as
noted in the enclosure, we agree with many of the findings in the draft
report. Most of GAO's findings are similar to the findings of the NBC's
Davis-Besse LLTF. The NRC staff has made significant progress in
implementing actions recommended by the LLTF and expects to complete
implementation of more than 70 percent of them, on a prioritized basis,
by the end of calendar year 2004. Reports tracking the status of these
actions are provided to the Commission semiannually and will continue
until all items are completed, at which time a final summary report
will be issued.
I have enclosed the NBC's detailed comments on the draft report. If you
have any questions, please contact Stacey L. Rosenberg, of my staff, at
(301) 415-3868.
Sincerely,
Signed for:
William D. Travers:
Executive Director for Operations:
Enclosure:
1. NRC Comments on GAO Draft Report on Davis-Besse 2. Memorandum from
EDO to OIG dated April 19, 2004:
NRC Comments on Draft Report, GAO-04-415:
1. The draft report does not speak to a key issue, the responsibility of
licensees to provide complete and accurate information to the NRC. In
carrying out its safety responsibilities, NRC must rely heavily on our
licensees to provide us with complete and accurate information. Title
10 of the Code of Federal Regulations Section 50.9 requires that
information provided to the NRC by a licensee be complete and accurate
in all material respects. By not recognizing this explicitly and its
role in this matter, the draft report conveys the expectation that the
NRC staff should have known about the thick layer of boron on the
reactor vessel head. The Davis-Besse Lessons Learned Task Force (LLTF),
which NRC formed to ensure that lessons from the Davis-Besse experience
are learned and appropriately captured in the NBC's formal processes,
noted that the information that FirstEnergy provided in response to
Bulletin 2001-01, "Circumferential Cracking of Reactor Pressure Vessel
Head Penetration Nozzles" was inconsistent with information identified
by the task force. Further, the LLTF report stated that had this
information been known in the fall of 2001, the NRC may have identified
the vessel head penetration (VHP) nozzle leaks and reactor pressure
vessel (RPV) head degradation a few months sooner than the March 2002
discovery by the licensee. See also the related information in response
#2.
2. Page 7, first sentence of the last paragraph states: "NRC should have
but did not identify or prevent the vessel head corrosion at Davis-
Besse because both its inspections at the plant and its assessments of
the operator's performance yielded inaccurate and incomplete
information on plant safety conditions.":
Response: This statement is misleading. We agree that our oversight
program should have identified certain evolving plant conditions for
regulatory follow-up. This was also
identified in the report of the Davis-Besse Lessons LLTF. It is the
responsibility of licensees to provide the NRC with complete and
accurate information. In fact, Title 10 of the Code of Federal
Regulations Section 50.9 requires that information provided to the NRC
by a licensee be complete and accurate in all material respects. The
report should clearly indicate that NBC's licensees are responsible for
providing us with accurate and complete information. While the NBC's
Davis-Besse LLTF concluded that the NRC, the Davis-Besse licensee
(FirstEnergy), and the nuclear industry failed to adequately review,
assess, and follow up on relevant operating experience, the LLTF also
noted that the information that FirstEnergy provided in response to
Bulletin 2001-01 was inconsistent with information identified by the
task force. Further, the LLTF report stated that had this information
been known in the fall of 2001, the NRC may have identified the vessel
head penetration nozzle leaks and the reactor vessel head degradation a
few months sooner than the March 2002 discovery by the licensee. As you
are aware, there is an ongoing investigation by the Department of
Justice regarding the completeness and accuracy of information that
FirstEnergy provided to the NRC on the condition of Davis-Besse.
3. Page 8, last sentence states: "Further, the risk estimate indicated
that the likelihood of an accident occurring at Davis-Besse was greater
than the level of risk generally accepted as being reasonable by NRC.":
Response: This is incorrect. NRC staff explained to the GAO consultants
that NRC guidance produces an estimate for the change in core damage
frequency of 5x10 per year, not 5x10"5 as indicated in the GAO report.
According to Regulatory Guide
(RG) 1.174, for Davis-Besse, this estimate is within acceptable bounds.
NRC specifically documented the acceptability of the estimate in the
December 2002 assessment. Thus, the December 3, 2002, safety evaluation
concluded that the delta core damage frequency was consistent with the
guidelines of RG 1.174.
4. Page 15 states that borax (i.e., sodium borate) is dissolved in the
water. This is incorrect. Please replace the word "borax" with "boric
acid crystals.":
5. Page 18, first full paragraph states: "NRC, in deciding on when
FirstEnergy had to shutdown Davis-Besse for the inspection,...":
Response: In addition, the staff relied upon information provided by
the licensee regarding the condition of the vessel head (i.e., previous
leakage and action taken to. repair leaks and clean the vessel head).
6. Page 26, beginning on line 4, states: "According to the NRC regional
branch chief-who supervised the staff responsible for overseeing
FirstEnergy's vessel head inspection activities during the 2000
refueling outage-he was unaware of the boric acid leakage issues at
Davis-Besse, including its effects on the containment air coolers and
the radiation monitor filters.":
Response: According to the individual to whom this statement is
attributed, the statement would be correct if the phrase, "he was
unaware ... filters" is changed to "he was unaware that boric acid was
found on the reactor vessel head during the outage.":
7. Page 27, first sentence states: "Similarly, NRC officials said that
NRC headquarters had no systematic process for communicating
information in a timely manner to its regions or on-site inspectors.":
Response: If the "information" in question refers to issues of
potential safety significance into which inspectors should look, then
this statement is inaccurate. The systematic process for temporarily
focusing inspection activity in a coordinated program-wide manner on
high-priority issues is the "Temporary Instruction" (TI) process, which
is well established within the NRC Inspection Manual and frequently
used. The legitimate point
to be made is that until the Davis-Besse event, the NRC had not
concluded that boric acid corrosion was a sufficient safety concern
that reached the threshold for using the TI process.
8. Page 33, middle paragraph states: "For example, concern over alloy
600 cracking led France, as a preventive measure, to develop plans for
replacing all of its reactor vessel heads and installing removable
insulation to better inspect for cracking." Response: French regulators
instituted requirements for an extensive, non-visual nondestructive
examination inspection program for vessel head penetration nozzles that
resulted in plant operators deciding, on the basis of economic
considerations, to replace vessel heads in lieu of conducting such
examinations.
9. Page 34, last paragraph states: "If such small leakage can result in
such extensive corrosion... ":
Response: Small leakage alone was not the cause of the corrosion. It
was a combination of prolonged leakage in conjunction with allowing
caked-on boron to remain on the vessel head.
10. Page 36, middle paragraph states: "However, NRC decided that it
could not order Davis-Besse to shut down on the basis of other plants'
cracked nozzles and identified leakage or the manager's acknowledgment
of a probable leak. Instead, it believed it needed more direct, or
absolute, proof of a leak to order a shutdown." Response: As discussed
at the NRC-GAO exit conference, plant Technical Specifications, as well
as many other NRC requirements and processes, provide a number of
circumstances in which a plant shutdown would or could be required,
including the existence of reactor coolant pressure boundary leakage
while operating at power.
Please note that there was no legal objections to the draft order and
the stated basis for deciding to not issue the order was not an
insufficient legal basis.
11. Page 36, last paragraph states: ":..NRC does not have specific
guidance for shutting down a plant when the plant may pose a risk to
public health and safety even though it may be complying with NRC
requirements.":
Response: We disagree with this finding and with the report's related
recommendation on Page 63 identifying the need for NRC to develop
specific guidance and a well-defined process for deciding when to shut
down a nuclear power plant. We believe our regulations, guidance, and
processes that cover whether and when to shut down a plant are robust
and do, in fact, provide sufficient guidance in the vast majority of
situations. Plant technical specifications, as well as many other NRC
requirements and processes, provide a spectrum of conditions under
which plant shutdown would be required. Plants have shut down numerous
times in the past in accordance with NRC requirements. From time to
time, however, a unique situation may present itself wherein sufficient
information may not exist or the information available may not be
sufficiently clear to apply existing rules and regulations
definitively. In these unique instances, the NRC's most senior
managers, after consultation with staff experts and given all of the
information available at the time, will decide whether or not to
require a plant shutdown. Risk information is used in accordance with
RG 1.174. This process considers deterministic factors as well as
probabilistic factors (i.e., risk information). We regard the combined
use of deterministic and probabilistic factors to be a strength of our
decisionmaking process.
12. Page 38, third paragraph states: "At some point during this time,
NRC staff also concluded that the first safety principle was probably
not being met, although the basis for this conclusion is not known.":
Response: The report should clarify GAO's basis for this statement. NRC
staff believed that the regulations were met.
13. Page 40, last paragraph states: "However, NRC did not provide the
assessment until a full year later-in December 2002. In addition, the
December 2002 assessment, which includes a 4 -page evaluation, does not
fully explain how the safety principles were used or met-other than by
stating that if the likelihood of nozzle failure were judged to be
small, then adequate protection would be ensured.":
Response: The attachment to the December 3, 2002, letter is an 8-page
evaluation, not 4 pages. We note this to make sure GAO is referring to
the same document. The assessment addresses four of the five safety
principles. In the NRC's December 2002 safety evaluation, the staff
stated that the criterion related to compliance with the regulations
was being met because the inspections performed by the licensee were in
conformance with the ASME Code. In addition, the safety evaluation
stated that Davis-Besse met the criterion related to defense-in-depth
because all three barriers against release of radiation were intact and
reliable; they met the margin criterion because even the largest
circumferential cracks found in pressurized-water reactors had
considerable margin to structural failure, and they met the low-risk
impact criterion based on a comparison of delta core damage frequency
estimates with the guidelines of RG 1.174. The fifth safety principle,
requiring a monitoring program, was not relevant to a decision that
lasted only 6 weeks.
14. Page 42, first paragraph states: "Multiplying these two numbers, NRC
estimated that the potential for a nozzle to crack and cause a loss-of-
coolant accident would increase the frequency of core damage at Davis-
Besse by about 5.4x1015 per year, or about 1 in 18,500 per year.
Converting this frequency to a probability, NRC
calculated that the increase in probability of core damage was
approximately 5.0x10, or 1 chance in 200,000. While NRC officials
currently disagree that this was the number it used, this is the number
that it included in its December 2002 assessment provided to
FirstEnergy. Further, we found no evidence in the agency's records to
support NRC's current assertion.":
Response: These statements mischaracterize the facts. NRC estimated
that the probability of nozzle cracking leading to a loss-of-coolant
accident during the first 6 weeks in 2002 would increase the annual
core damage frequency (CDF) by about 5.4x10^-6 per year, or about 1 in
185,000 per year. The estimate of 5x10^-5 was an intermediate step in
our calculation. The estimate of 5x10^-5 represents the change in CDF
if Davis-Besse were allowed to operate for one year without shutting
down for inspection of the vessel head. Allowing Davis-Besse to
continue to operate for one year was never a consideration. Thus,
multiplying by the fraction of time in one year under consideration (in
this case:
7 weeks) was the final step in the calculation of delta CDF. The
confusion about the estimate NRC used in the decisionmaking process may
be due to NRC's method of calculating delta CDF for plant conditions
which do not persist for the entire year. If this final step (the
fraction of the year the plant is allowed to operate) were not part of
the calculation, then the risk estimate of allowing the licensee to
continue to operate for:
7 weeks, as compared to one year, would be the same. Logically, this
does not make sense. Therefore, the estimate of 5x10"5 does not
automatically convert to a probability, as GAO's statement implies.
Because the period of operation under consideration was approximately
0.13 years, the annual average change in CDF was about 5x10^-6 per
year, and the increase in the probability of core damage was about
5x106 as well. NRC officials agree that 5x106 was the estimate used in
the decisionmaking process and is the estimate provided in the December
2002 assessment.
15. Page 42, second paragraph states: "For example, the consultants
concluded that NRC's estimate of risk was incorrectly too small,
primarily because the calculation did not consider corrosion of the
vessel head.":
Response: An underlying assumption in any risk assessment is that you
have complete and accurate information from the licensee. NRC staff was
of the understanding that efforts had been made to remove boric acid
accumulation from the vessel head during previous outages. For all six
B&W plants that found signs of penetration leakage, the leakage
manifested itself in the form of small amounts of dry boron crystals on
the vessel head, which are not corrosive, and did not produce any
corrosion on the vessel heads of these six B&W plants. Boron leaking
onto a clean vessel head does not cause corrosion. Therefore, corrosion
this extensive was not anticipated at the time. Also, it is important
to note that had Davis-Besse shut down on December 31, 2001, the same
corrosion would have been found.
16. Page 43, first full paragraph discusses the experience at French
nuclear power plants. Response: The NRC staff was aware of the issue as
illustrated in an internal memorandum dated December 15, 1994, from
Brian Grimes to Charles Rossi.
17. Page 44, first full paragraph states: "Third, NRC's analysis was
inadequate because the risk estimates were higher than generally
considered acceptable under NRC guidance. Despite PRA's [probabilistic
risk assessment's] important role in the decision, our consultants
found that NRC did not follow its guidance for ensuring that the
estimated risk was within levels acceptable to the agency. Page 45,
first paragraph states: "...NRC's PRA estimate for Davis-Besse resulted
in an increase in the frequency of core damage of 5.4x10^-5 or 1 chance
in about 18,500 per year was higher than the acceptable level.":
Response: This conclusion is not supported by the facts and it is
misleading. The estimate referenced by GAO is an intermediate
calculation in our process, and was not used, and should not be used,
in the decisionmaking process. NRC staff explained to the GAO
consultants that NRC guidance produces an estimate for the change in
core damage frequency of 5x10^-6 per year, not 5x10^-5 as indicated in
the GAO report. According to RG 1.174, for Davis-Besse, this estimate
is within acceptable bounds. NRC specifically documented the
acceptability of the estimate in the December 2002 assessment. Thus,
the December 3, 2002, safety evaluation concluded that the delta CDF
was consistent with the guidelines of RG 1.174.
18. Page 45, first paragraph states: "NRC's guidance for evaluating
requests to relax NRC technical specifications suggests that a
probability increase higher than 5x10^-7 or 1 chance in 2 million is
considered unacceptable for relaxing the specifications. Thus, NRC's
estimate would not be considered acceptable under this guidance."
Response: This criterion in RG 1.177 is not relevant to the Davis-Besse
decision. It is confined to decisions on allowed outage times (AOT) for
equipment, and is defined to avoid very high instantaneous risks (CDF >
10^-3) for very short periods (5 hours).
19. Page 46, first full paragraph states: "Lastly, NRC's analysis was
inadequate because the agency does not have clear guidance for how PRA
estimates are to be used in the decision-making process.":
Response: The NRC's process for risk-informed decision-making is
considerably more robust than characterized in this section. Regulatory
Guide 1.174 comprises 40 pages of guidance on how to use risk in
decisions of this type, and it is backed up by equally detailed
guidance for specific types of decisions such as technical
specifications, in-service inspection programs, in-service testing,
and quality assurance. The NRC has
amassed a great deal of experience in application of the guidance. Risk
assessment is a tool to help better inform decisions that are based on
engineering judgements.
20. Page 46, last paragraph states: "it is not clear how NRC staff used
the PRA risk estimate in the Davis-Besse decision-making process.":
Response: The December 3, 2002, safety evaluation clearly states how
the PRA estimate was used in the decisionmaking process; the estimate
was compared with the guidelines of RG 1.174. The safety evaluation
also points out that N RC staff who are expert in non-PRA disciplines
such as probabilistic fracture mechanics, gave more weight to
deterministic factors, such as the structural margin that remains in
the nozzles with circumferential cracks. The NRC considers the combined
use of deterministic and probabilistic factors to be a strength of our
decisionmaking process.
21. Page 48, last paragraph states: ":..NRC had made progress in
implementing the recommendations, although some completion dates have
slipped.":
Response: The schedules for implementation of all high priority
recommendations have not slipped. The implementation schedule for
certain low or medium priority recommendations slip only in accordance
with NRC's Planning, Budgeting and Performance Management (PBPM)
process, which explicitly considers safety significance when making
budget priority decisions.
22. Page 51, top of page, first full bullet states: "One recommendation
is directed at improving NRC's generic communications program. NRC
is...":
Response: We recommend re-wording this as follows: "One recommendation
is directed at improving follow up of licensee actions taken in
response to NRC generic communications. A Temporary Instruction
(Inspection Procedure) is currently being
developed to assess the effectiveness of licensee actions taken in
response to generic communications. Additionally, improvements in the
verification of effectiveness of generic communications are planned as
a long-term change in the operating experience program.":
23. Page 51, last paragraph states: "...NRC's revised inspection
guidance for more thorough examinations of reactor vessel heads and
nozzles, as well as new requirements for NRC oversight of licensees'
corrective action programs, will require at least an additional 200
hours of inspection per reactor per year." Response: It is unclear
where this number comes from, but the changes to the corrective action
program procedure require only about 16 hours per reactor year for the
trend review.
24. Page 53, first paragraph discusses the NRC's Office of the Inspector
General's (OIG's) findings on communications.
Response: The NRC's actions are not limited primarily to improving
communication about boric acid corrosion and cracking. There are
multiple task force recommendations, and other NRC initiatives, that
are aimed at addressing the broader implications stemming from
communication lapses noted by the task force and the OIG. For example,
actions have been implemented to more effectively disseminate operating
experience to end users, reenforce a questioning attitude in the
inspection staff, and discuss Davis-Besse lessons learned at various
forums.
NRC's initial response to the OIG did not directly address the broader
actions we are taking to improve communications. Our response to the
OIG only indirectly addressed this by discussing the operating
experience program enhancements. Part of the
enhancements to the operating experience program is the expectations
for improved communications. In addition, communication improvement
initiatives with internal and external stakeholders are in progress to
address shortcomings in this critical area. Our revised response to the
OIG on this issue, dated April 19, 2004, is provided as Enclosure 2.
25. Page 53, second paragraph states: "NRC's Davis-Besse task force did
not make any recommendations to address two systemic problems:
evaluating licensees' commitment to safety and improving the agency's
process for deciding on a shutdown. ":
Response: The LLTF did not make a recommendation for improving the
agency's process for deciding on a shutdown. This area was not reviewed
in detail by the task force because of coordination with the OIG.
Moreover, the task force review efforts were focused on why the
degradation cavity was not prevented. While related, the shutdown issue
had little to do with the degradation cavity.
The task force made multiple recommendations aimed at enhancing NRC's
capability to evaluate the licensees' commitment to safety, by indirect
means. Refer to task force recommendations: 3.2.5(1), 3.2.5(2),
3.3.2(2), 3.3.4(5), and Appendix F.
26. Page 54, last paragraph states: "This problem identification and
resolution inspection procedure is intended to assess the end-results
of management's safety commitment rather than the commitment itself.":
Response: This statement is inaccurate. Regarding its accuracy, the
PI&R inspection procedure (IP 71152) actually has six stated inspection
objectives (refer to section 71152-01) including: (1) provide for early
warning of potential performance issues that could
result in crossing threshold in the action matrix and (2) to provide
insights into whether licensees have established a safety-conscious
work environment. Using this IP, inspectors seek factual evidence of
the licensee's assumed commitment to safety (by reviewing their
identification and correction of actual problems). Inspection issues
routinely are raised with regard to a licensee's weakness in correcting
recurrent problems or in adequately addressing issues that could become
a future significant safety concern. The statement on Page 55 of the
report, "Furthermore, because NRC directs its inspections at problems
that it recognizes as being more important to safety, NRC may overlook
other problems until they develop into significant and immediate safety
problems" does not accurately reflect the stated objectives and
demonstrable implementation of IP 71152.
27. Pages 55-56, discuss safety culture.
Response: To a significant degree, the areas referenced in this draft
report are addressed either by NRC requirements or inspection
activities. For example, the NRC has requirements limiting work hours
for critical plant staff members such as security officers and plant
operators. The NRC has requirements governing operator training.
Inspectors routinely monitor various licensee meetings and job
briefings to evaluate the licensee's emphasis on safety.
Moreover, the NRC has a number of other means to indirectly assess
safety culture. Other NRC tools that provide indirect insights into
licensee safety culture include:
inspection procedure for assessing the licensee's employee concerns
program, NRC's allegation program,
enforcement of employee protection regulations,
Safety-Conscious Work Environment (SCWE) assessments during problem
identification and resolution inspections,
lessons-learned reviews such as the one conducted for the Davis-Besse
reactor pressure vessel head degradation; and:
Reactor Oversight Process cross-cutting issues of human performance,
problem identification and resolution, and SCWE.
28. Page 58, paragraph under the first header states: "it recognized
that NRC's written rationale for accepting FirstEnergy's justification
for continued plant operation was not prepared until 1 year after its
decision...":
Response: For clarification, the documentation of the decision about
one year later was corrective action from a task force finding.
29. Page 58, paragraph under second header states: "The NRC task force
did not address NRC's failure to learn from previous incidents at power
plants and prevent their recurrence.":
Response: This sentence is factually inaccurate. The task force
performed a limited review of past lessons-learned reports and actually
identified many more potentially recurring programmatic issues as a
result of that review than the three examples cited by the GAO in this
section of the draft report. As discussed during the NRC-GAO exit
conference, the task force made a recommendation to perform a more
detailed effectiveness review of the actions stemming from other past
NRC lessons learned reviews (Appendix F). This review is currently in
progress.
UNITED STATES:
NUCLEAR REGULATORY COMMISSION WASHINGTON, D.C. 20555-0001:
April 19, 2004:
MEMORANDUM TO:
Hubert T. Bell Inspector General:
FROM: William D. Travers [RA Carl J. Paperiello Acting For]
Executive Director for Operations:
SUBJECT: FEBRUARY 2, 2004, OFFICE OF INSPECTOR GENERAL (OIG) MEMORANDUM
CONCERNING AGENCY RESPONSE TO OIG EVENT INQUIRY CASE NO. 03-02S (NRC'S
OVERSIGHT OF DAVIS-BESSE BORIC ACID LEAKAGE AND CORROSION DURING THE
APRIL 2000 REFUELING OUTAGE):
This memorandum responds to your memorandum to Chairman Diaz, dated
February 2, 2004, concerning the Nuclear Regulatory Commission (NRC)
staff's response of January 12, 2004, to OIG Event Inquiry 03-02S. The
referenced OIG event inquiry was initiated in response to a
Congressional request that OIG determine how the NRC staff handled
Davis-Besse Condition Report (CR) 2000-0782 at the time of discovery in
refueling outage (RFO) 12 (2000) and whether the CR was considered in
the November 2001 decision to allow Davis-Besse to continue to operate
to February 16, 2002. The NRC staff's previous response to OIG (January
12, 2004) regarding this issue provided a matrix of those
recommendations from the Davis-Besse Lessons Learned Task Force
(DBLLTF) report that specifically addressed the event inquiry findings
and referenced the report for a complete picture of the staff's
efforts. The OIG response of February 2, 2004, stated that the NRC
staff had not addressed the problem of communications as an underlying
cause of the findings of the OIG event inquiry and that the agency
should include an expectation of improved communication between and
among NRC Headquarters and regional staff and should outline specific
guidance to achieve this goal. In addition, OIG specifically concluded
that "had the [Davis-Besse Nuclear Power Station] DBNPS inspectors been
better informed of ongoing NRC industry-wide efforts to address coolant
pressure boundary leakage and the effects of boric acid corrosion, they
would have recognized the significance of Condition Report 2000-0782
and highlighted the information to regional management.":
The DBLLTF report discusses the NBC's and industry's failure to
understand the significance of boric acid corrosion of the reactor
vessel head. The NRC staff believes that this failure caused the
underlying communications lapses. Although the potential for this type
of degradation existed previously, the significance of boric acid
deposits was not understood by the staff. The assumption throughout NRC
was that the boric acid deposits would be in a dry, powder-like form
that could easily be removed and would not accumulate in a condition
that would be corrosive to the reactor vessel head. As identified in
the event inquiry, the inspectors did communicate a substantial amount
of information to the region and the NRR Project Manager, particularly
regarding the fouling of the containment air coolers and radiation
monitor filter
elements; however, the significance of this information was also not
appreciated at the time. This same failure to understand the
significance of the situation was the cause of the lack of
communication from Headquarters to the regions. Several elements of the
matrixed DBLLTF Action Plans address this underlying issue of lack of
recognition of the significance of the evidence. The desired outcome
for these actions is for all NRC staff to maintain a questioning
attitude and lower thresholds for communications concerning materials
degradation corrosion.
Contact: Edwin M. Hackett, NRR/DLPM/PDII 415-1485:
More broadly, the NRC staff agrees that communications are of critical
importance in all aspects of NRC activities and particularly important
as an underlying cause for issues discovered at DBNPS. The corrective
actions outlined in the DBLLTF Action Plans address communications
beyond the topic of boric acid corrosion control. For example,
corrective actions in the area of operating experience development and
use are focused on enhancing communications. The recommendations to
strengthen inspection guidance, institute training to reinforce a
questioning attitude on the part of management and staff, and change
the Inspection Manual to provide guidance for the staff to pursue
issues identified during plant status reviews are intended to establish
more definitive expectations for improved communications of operating
experience. As discussed in the February 23, 2004, semiannual update
report and at the February 26, 2004, Commission meeting, implementation
plans for this area are still under development and may significantly
influence the way the agency does business in the future. Developing
the most effective and efficient communications channels will be key to
the successful implementation of an effective operating experience
program.
Beyond the DBLLTF Action Plan, the agency has several ongoing
initiatives that provide examples of efforts to more broadly improve
intra-agency communications. These examples include establishment of a
Communication Council reporting to the Executive Director for
Operations and the creation of a communications specialist position
reporting to the Office of Nuclear Reactor Regulation (NRR) Associate
Director for Inspections and Programs. NRR also continues to improve
and enhance its Web site as a focused means of communicating with both
internal and external stakeholders. From a regional perspective,
examples of communication enhancements include lowering the threshold
for communication of plant issues on morning status calls, devoting
additional time to discussing lessons learned from plant events and
inspection findings during counterpart meetings, and developing
enhanced guidance for documenting significant operational event
followup decisions. Collectively, these examples provide a strong
indication that NRC Headquarters and regional staff have begun to
internalize two of the most important lessons from the Davis-Besse
event. These are that on occasion, information initially considered to
have low significance by the first NRC recipient is later found to be
of greater significance once the information is shared and evaluated
more collegially; and with regard to the complex nature of commercial
nuclear power operations, no one person can be aware of all aspects of
an issue. As a result, the more information that is shared, the more
likely significant problems will be identified and appropriate
action(s) taken.
In summary, the NRC staff recognizes that communication failures were
an underlying cause of the agency's problems concerning the delayed
discovery of the boric acid corrosion at DBNPS. Our January 12, 2004,
response to the event inquiry specifically addressed what we considered
to be the root cause of the event-specific communication failures,
namely that the entire staff
did not recognize the potential significance of boric acid corrosion.
Expectations for improved communications will be developed as an
integral part of our operating experience program enhancements. More
broadly, communication improvement initiatives with internal and
external
stakeholders are in progress to enhance agency performance in this
critical area of our responsibilities. We regret that our initial
response did not clearly address the broader actions we are taking to
improve communications and appreciate the opportunity to clarify our
response.
cc: Chairman Diaz
Commissioner McGaffigan
Commissioner Merrifield
SECY:
LReyes:
The following are GAO's comments on the Nuclear Regulatory Commission's
letter dated May 5, 2004.
GAO Comments:
1. We agree with NRC that 10 C.F.R. § 50.9 requires that information
provided to NRC by a licensee be complete and accurate in all material
respects, and we have added this information to the report. NRC also
states that in carrying out its oversight responsibilities, NRC must
"rely heavily" on licensees providing accurate information. However, we
believe that NRC's oversight program should not place undue reliance on
applicants providing complete and accurate information. NRC also
recognizes that it cannot rely solely on information from licensees, as
evidenced by its inspection program and process for determining the
significance of licensee violations. Under this process, NRC considers
whether there are any willful aspects associated with the violation--
including the deliberate intent to violate a license requirement or
regulation or falsify information. We believe that management controls,
including inspection and enforcement, should be implemented by NRC so
as to verify whether licensee-submitted information considered to be
important for ensuring safety is complete and accurate as required by
the regulation. In this regard, as stated in NRC's enforcement policy
guidance, NRC is authorized to conduct inspections and investigations
(Atomic Energy Act § 161); revoke licenses for, among other things, a
licensee's making material false statements or failing to build or
operate a facility in accordance with the terms of the license (Atomic
Energy Act § 186); and impose civil penalties for a licensee's knowing
failure to provide certain safety information to NRC (Energy
Reorganization Act § 206).
With regard to the draft report conveying the expectation that NRC
should have known about the thick layer of boron on the reactor vessel
head, we note in the draft report that since at least 1998, NRC was
aware that (1) FirstEnergy's boric acid corrosion control program was
inadequate, (2) radiation monitors within the containment area were
continuously being clogged by boric acid deposits, (3) the containment
air cooling system had to be cleaned repeatedly because of boric acid
buildup, (4) corrosion was occurring within containment as evidenced by
rust particles being found, and (5) the unidentified leakage rate had
increased above the level that historically had been found at the
plant. NRC was also aware of the repeated but ineffective attempts by
FirstEnergy to correct many of these recurring problems--evidence that
the licensee's programs to identify and correct problems were not
effective. Given these indications at Davis-Besse, NRC could have taken
more aggressive follow-up action to determine the underlying causes.
For example, NRC could have taken action during the fuel outage in
1998, the shutdown to repair valves in mid-1999, or the fuel outage in
2000 to ensure that staff with sufficient knowledge appropriately
investigated the types of conditions that could cause these
indications, or followed up to ensure that FirstEnergy had fully
investigated and successfully resolved the cause of the indications.
2. With respect to the responsibility of the licensee to provide
complete and accurate information, see comment 1. As to the Davis-Besse
lessons-learned task force finding, we agree that some information
provided by FirstEnergy in response to Bulletin 2001-01 may have been
inconsistent with some information subsequently identified by NRC's
lessons-learned task force, and that had some of this information been
known in the fall of 2001, the vessel head leakage and degradation may
have been identified sooner than March 2002. This information included
(1) the boric acid accumulations found on the vessel head by
FirstEnergy in 1998 and 2000, (2) FirstEnergy's limited ability to
visually inspect the vessel head, (3) FirstEnergy's boric acid
corrosion control procedures relative to the vessel head, (4)
FirstEnergy's program to address the corrosive effects of small amounts
of reactor coolant leakage, (5) previous nozzle inspection results, (6)
the bases for FirstEnergy's conclusion that another source of leakage-
-control rod drive mechanism flanges--was the source of boric acid
deposits on the vessel head that obscured multiple nozzles, and (7)
photographs of vessel head penetration nozzles. However, various NRC
officials knew some of this information, other information should have
been known by NRC, and the remaining information could have been
obtained had NRC requested it from FirstEnergy. For example, according
to the senior resident inspector, he reviewed every Davis-Besse
condition report on a daily basis to determine whether the licensee
properly categorized the safety significance of the conditions. Vessel
head conditions found by FirstEnergy in 1998 and 2000 were noted in
such condition reports or in potential-condition-adverse-to-quality
reports. According to a FirstEnergy official, photographs of the
pressure vessel head nozzles were specifically provided to NRC's
resident inspector, who, although he did not specifically recall seeing
the photographs, stated that he had no reason to doubt the FirstEnergy
official's statement. NRC had been aware, in 1999, of limitations in
FirstEnergy's boric acid corrosion control program and, while it cited
FirstEnergy for its failure to adequately implement the program, NRC
officials did not follow up to determine if the program had improved.
Lastly, while NRC questioned the information provided by FirstEnergy in
its submissions to NRC in response to Bulletin 2001-01 (regarding
vessel head penetration nozzle inspections), NRC staff did not
independently review and assess information pertaining to the results
of past reactor pressure vessel head inspections and vessel head
penetration nozzle inspections. Similarly, NRC did not independently
assess the information concerning the extent and nature of the boric
acid accumulations found on the vessel head by the licensee during past
inspections.
On page 2 of the report, we note that the Department of Justice has an
ongoing investigation concerning the completeness and accuracy of
information that FirstEnergy provided to NRC on the conditions at
Davis-Besse. The investigation may or may not find that FirstEnergy
provided inaccurate or incomplete information. While NRC notes that it
might have detected something months earlier if information had been
known in the fall of 2001, we would also note that the degradation of
the reactor vessel head likely took years to occur.
3. We believe that the statement is correct. NRC produced an estimate
of 5x10^-5 per year for the change in core damage frequency, as we state
in the report. NRC specifically documented this calculation in its
December 2002 assessment:
"The NRC staff estimated that, giving credit only to the [FirstEnergy]
inspection performed in 1996, the probability of a [control rod drive
mechanism] nozzle ejection during the period of operation from December
31, 2001, to February 16, 2002, was in the range of 2E-3 and was an
increase in the overall [loss of coolant accident] probability for the
plant. The increase in core damage probability and large early release
probability were estimated as approximately 5E-6 and 5E-08,
respectively."[Footnote 44]
The probability of a large early release--5E-6--equates to a frequency
of 5x10^-5 per year.[Footnote 45] As we note in the report, according to
NRC's regulatory guide 1.174, this frequency would be in the highest
risk zone and NRC would generally not approve the requested change.
On several occasions, we met with the NRC staff that developed the risk
estimate in an attempt to understand how it was calculated. We obtained
from NRC staff the risk estimate information provided to senior
management in late November 2001, as well as several explanations of
how the staff developed its calculations. We were provided with no
evidence that NRC estimated the frequency of core damage as being 5x10^-
6 per year until February 2004, after our consultants and we had
challenged NRC's estimate as being in the highest risk zone under NRC's
regulatory guide 1.174. Furthermore, several NRC staff involved in
deciding whether to issue the order to shut down Davis-Besse, or to
allow it to continue operating until February 16, 2002, stated that the
risk estimate they used was relatively high.
4. We agree that existing regulations provide a spectrum of conditions
under which a plant shutdown could occur and that could be interpreted
as covering the vast majority of situations. However, we continue to
believe that NRC lacks sufficient guidance for making plant shutdown
decisions. We disagree on two grounds: First, the decision-making
guidance used by NRC to shut down Davis-Besse was guidance for
approving license change requests. This guidance provides general
direction on how to make risk-informed decisions when licensees request
license changes. It does not address important aspects of decision-
making involved in deciding whether to shut down a plant. It also does
not provide direction on how NRC should weigh deterministic factors in
relation to probabilistic factors in making shutdown decisions.
Secondly, while NRC views the flexibility afforded by its existing
array of guidance as a strength, we are concerned that, even on the
basis of the same information or circumstances, staff can arrive at
very different decisions. Without more specific guidance, NRC will
continue to lack accountability and the degree of credibility needed to
convince the industry and the public that its shutdown decisions are
sufficiently sound and reasoned for protecting public health and
safety.
5. We are aware that the commissioners have specifically decided not to
conduct direct evaluations or inspections of safety culture. We agree
that as regulators, NRC is not charged with managing licensees'
facilities, but disagree that any direct NRC involvement with safety
culture crosses over to a management function. Management is an
embodiment of corporate beliefs and perceptions that affect management
strategies, goals, and philosophies. These, in turn, impact licensee
programs and processes and employee behaviors that have safety
outcomes. We believe that NRC should not assess corporate beliefs and
perceptions or management strategies, goals, or philosophies. Rather,
we believe that NRC has a responsibility to assess licensee programs
and processes, as well as employee behaviors. We cite several areas of
safety culture in the report as being examples of various aspects of
safety culture that NRC can assess which do not constitute "management
functions." The International Atomic Energy Agency has extensive
guidance on assessing additional aspects of licensee performance and
indicators of safety culture.[Footnote 46] Such assessments can provide
early indications of declining safety culture prior to when negative
safety outcomes occur, such as at Davis-Besse.
We also agree that NRC has indirect means by which it attempts to
assess safety culture. For example, NRC's problem identification and
resolution inspection procedure's stated objective is to provide an
early warning of potential performance issues and insight into whether
licensees have established safety conscious work environments. However,
we do not believe that the implementation of the inspection procedure
has been demonstrated to be effective in meeting its stated objectives.
The inspection procedure directs inspectors to screen and analyze
trends in all reported power plant issues. In doing so, the procedure
directs that inspectors annually review 3 to 6 issues out of
potentially thousands of issues that can arise and that are related to
various structures, systems, and components necessary for the safe
operation of the plant. This requires that inspectors judgmentally
sample 3 to 6 issues on which they will focus their inspection
resources. While we do not necessarily question inspector judgment when
sampling for these 3 to 6 issues, NRC inspectors stated that due to the
large number of issues that they can sample from, they try to focus on
those issues that they believe have the most relevance for safety.
Thus, if an issue is not yet perceived as being important to safety, it
is less likely to be selected for follow up. Further, even if an issue
were selected for follow up and this indicated that the licensee did
not properly identify and resolve underlying problems that contributed
to the issue, according to NRC officials, it is highly unlikely that
this one issue would rise to a high enough level of significance for it
to be noted under NRC's Reactor Oversight Process. Additionally, the
procedure is dependant on the inspector being aware of, and having the
capability to, identify issues or trends in the area of safety culture.
According to NRC officials, inspectors are not trained in what to look
for when assessing licensee safety culture because they are, by and
large, nuclear engineers. While they may have an intuition that
something is wrong, they may not know how to assess it in terms of
safety culture.
Additional specific examples NRC cites for indirectly assessing a
selected number of safety culture aspects have the following
limitations:
* NRC's inspection procedure for assessing licensees' employee concerns
program is not frequently used. According to NRC Region III officials,
approval to conduct such an inspection must be given by the regional
administrator and the justification for the inspection to be performed
has to be based on a very high level of evidence that a problem exists.
Because of this, these officials said that the inspection procedure has
only been implemented twice in Region III.
* NRC's allegation program provides a way for individuals working at
NRC-regulated plants and the public to provide safety and regulatory
concerns directly to NRC. It is a reactive program by nature because it
is dependent upon licensees' employees feeling free and able to come
forward to NRC with information about potential licensee misconduct.
While NRC follows up on those plants that have a much higher number of
allegations than other plants to determine what actions licensees are
taking to address any trends in the nature of the allegations, the
number of allegations may not always provide an indication of a poor
safety culture, and in fact, may be the reverse. For example, the
number of allegations at Davis-Besse prior to the discovery of the
cavity in the reactor head in March 2002 was relatively small. Between
1997 and 2001, NRC received 10 allegations from individuals at the
plant. In contrast, NRC received an average of 31 allegations per plant
over the same 5-year period from individuals at other plants.
* NRC's lessons-learned reviews, such as the one conducted for Davis-
Besse, are generally conducted when an incident having potentially
serious safety consequences has already occurred.
* With respect to NRC's enforcement of employee protection regulations,
NRC, under its current enforcement policy, would normally only take
enforcement action when violations are of very significant or
significant regulatory concern. This regulatory concern pertains to
NRC's primary responsibility for ensuring safety and safeguards and
protecting the environment. Examples of such violations would include
the failure of a system designed to prevent a serious safety incident
not working when it is needed, a licensed operator being inebriated
while at the control of a nuclear reactor, and the failure to obtain
prior NRC approval for a license change that has implications for
safety. If violations of employee protection regulations do not pose
very significant or significant safety, safeguards, or environmental
concerns, NRC may consider such violations minor. In such cases, NRC
would not normally document such violations in inspection reports or
records, and would not take enforcement action.
* NRC's Reactor Oversight Process, instituted in April 2000, focuses on
seven specific "cornerstones" that support the safety of plant
operations to ensure reactor safety, radiation safety, and security.
These cornerstones are: (1) the occurrence of operations and events
that could lead to a possible accident if safety systems did not work,
(2) the ability of safety systems to function as intended, (3) the
integrity of the three safety barriers, (4) the effectiveness of
emergency preparedness, (5) the effectiveness of occupational radiation
safety, (6) the ability to protect the public from radioactive
releases, and (7) the ability to physically protect the plant. NRC's
process also includes three elements that cut across these seven
cornerstones: (1) human performance, (2) a licensee's safety-conscious
work environment, and (3) problem identification and resolution. NRC
assumes that problems in any of these three crosscutting areas will be
evidenced in one or more of the seven cornerstones in advance of any
serious compromise in the safety of a plant. However, as evidenced by
the Davis-Besse incident, this assumption has not proved to be true.
NRC also cites lessons-learned task force recommendations to improve
NRC's ability to detect problems in licensee's safety culture, as a
means to achieve our recommendation to directly assess licensee safety
culture. These lessons-learned task force recommendations include (1)
developing inspection guidance to assess the effect that a licensee's
fuel outage shutdown schedule has on the scope of work conducted during
a shutdown; (2) revising inspection guidance to provide for assessing
the safety implications of long-standing, unresolved problems;
corrective actions being phased in over the course of several years or
refueling outages; and deferred plant modifications; (3) revising the
problem identification and resolution inspection approach and guidance;
and (4) reviewing the range of NRC's inspections and assessment
processes and other NRC programs to determine whether they are
sufficient to identify and dispose of the types of problems experienced
at Davis-Besse. While we commend these recommendations, we do not
believe that revising such guidance will necessarily alert NRC
inspectors to early declines in licensee safety culture before they
result in negative safety outcomes. Further, because of the nature of
NRC's process for determining the relative safety significance of
violations under NRC's new Reactor Oversight Process, we do not believe
that any indications of such declines will result in a cited violation.
6. We have revised the report to reflect that boron in the form of
boric acid crystals is dissolved in the cooling water. (See p. 13.):
7. On page 41 of the report, we recognize that NRC also relied on
information provided by FirstEnergy regarding the condition of the
vessel head. For example, in developing its risk estimate, NRC credited
FirstEnergy with a vessel head inspection conducted in 1996. However,
NRC decided that the information provided by FirstEnergy documenting
vessel head inspections in 1998 and 2000 was of such poor quality that
it did not credit FirstEnergy with having conducted them. As a result,
NRC's risk estimate was higher than had these inspections been given
credit.
8. The statement made by the NRC regional branch chief was taken
directly from NRC's Office of the Inspector General report on NRC's
oversight of Davis-Besse during the April 2000 refueling
outage.[Footnote 47]
9. We agree that up until the Davis-Besse event, NRC had not concluded
that boric acid corrosion was a high priority issue. We clarified the
text of the report to reflect this comment. (See p. 25.):
10. We agree that plant operators in France decided to replace their
vessel heads in lieu of performing the extensive inspections instituted
by the French regulatory authority. The report has been revised to add
these details. (See p. 31.):
11. We agree that caked-on boron, in combination with leakage, could
accelerate corrosion rates under certain conditions. However, even
without caked-on boron, corrosion rates could be quite high.
Westinghouse's 1987 report on the corrosive effects of boric acid
leakage concluded that the general corrosion rate of carbon steel can
be unacceptably high under conditions that can prevail when primary
coolant leaks onto surfaces and concentrates at the temperatures that
are found on reactor surfaces. In one series of tests that it
performed, boric acid solutions corroded carbon steel at a rate of
about 0.4 inches per month, or about 4.8 inches a year. This was
irrespective of any caked-on boron. In 1987, as a result of that report
and extensive boric acid corrosion found at two other nuclear reactors
that year--Salem unit 2 and San Onofre unit 2--NRC concluded that a
review of existing inspection programs may be warranted to ensure that
adequate monitoring procedures are in place to detect boric acid
leakage and corrosion before it can result in significant degradation
of the reactor coolant pressure boundary. However, NRC did not take any
additional action.
12. We agree that NRC has requirements and processes that provide a
number of circumstances in which a plant shutdown would or could be
required. We also recognize that there were no legal objections to the
draft enforcement order to shut down the plant, and that the basis for
not issuing the order was NRC's belief that the plant did not pose an
unacceptable risk to public health and safety. The statement in our
report that NRC is referring to is discussing one of these
circumstances--the licensee's failure to meet NRC's technical
specification--and whether NRC believed that it had enough proof that
the technical specification was not being met. The statement is not
discussing the basis for NRC issuing an enforcement order. We revised
the report to clarify this point. (See p. 34.):
13. The basis for our statement that NRC staff concluded that the first
safety principle was probably not met was its November 29, 2001,
briefing to NRC's Executive Director's Office and its November 30,
2001, briefing to the NRC commissioners' technical assistants. These
briefings, the basis for which are included in documented briefing
slides, took place shortly before NRC formally notified FirstEnergy on
December 4, 2001, that it would accept its compromise shutdown date.
14. We are referring to the same document that NRC is referring to--
NRC's December 3, 2002, response to FirstEnergy (NRC's ADAMS accession
number ML023300539). The response consists of a 2-page transmittal
letter and an 7.3-page enclosure. The 7.3-page enclosure is 3 pages of
background and 4.3 pages of the agency's assessment. The assessment
includes statements that the safety principles were met but does not
provide an explanation of how NRC considered or weighed deterministic
and probabilistic information in concluding that each of the safety
factors were met. For example, NRC concluded that the likelihood of a
loss-of-coolant accident was acceptably small because of the (1)
staff's preliminary technical assessment for control rod drive
mechanism cracking, (2) evidence of cracking found at other plants
similar to Davis-Besse, (3) analytical work performed by NRC's research
staff in support of the effort, and (4) information provided by
FirstEnergy regarding past inspections at Davis-Besse. However, the
assessment does not explain how these four pieces of information
successfully demonstrated if and how each of the safety principles was
met. The assessment also states that NRC examined the five safety
principles, the fifth of which is the ability to monitor the effects of
a risk-informed decision. The assessment is silent on whether this
principle is met. However, in NRC's November 29, 2001, briefing to
NRC's Executive Director's Office and in its November 30, 2001,
briefing to the NRC commissioners' technical assistants, NRC concluded
that this safety principle was not met. As noted above, NRC formally
notified FirstEnergy on December 4, 2001, that it would accept
FirstEnergy's February 16, 2002, shutdown date.
15. See comment 3. We do not agree that the report statements
mischaracterize the facts. Rather, we are concerned that NRC is
misusing basic quantitative mathematics. In addition, with regard to
NRC's concept of an annual average change in the frequency of core
damage, NRC stated that the agency averaged the frequency of core
damage that would exist for the 7-week period of time (representing the
period of time between December 31, 2001, and February 16, 2002) over
the entire 1-year period, using the assumption that the frequency of
core damage would be zero for the remainder of the year--February 17,
2002, to December 31, 2002. According to our consultants, this
calculation artificially reduced NRC's risk estimate to a level that is
acceptable under NRC's guidance. By this logic, our consultants stated,
risks can always be reduced by spreading them over time; by assuming
another 10 years of plant operation (or even longer) NRC could find
that its calculated "risks" are completely negligible. They further
stated that NRC's approach is akin to arguing that an individual, who
drives 100 miles per hour 10 percent of the time, with his car
otherwise garaged, should not be cited because his time-average speed
is only 10 miles per hour.
Further, our consultants concluded that the "annual-average" core
damage frequency approach was also clearly unnecessary, since one need
only convert a core damage frequency to a core damage probability to
handle part-year cases like the Davis-Besse case. Lastly, we find no
basis for the calculation in any NRC guidance. According to our
consultants, this new interpretation of NRC's guidance is at best
unusual and certainly is inconsistent with NRC's guidelines regarding
the use of an incremental core damage frequency. This interpretation
also reinforces our consultants' impression that perhaps there was, in
November 2001 and possibly is still today, some confusion among the NRC
staff regarding basic quantitative metrics that should be considered in
evaluating regulatory and safety issues. As noted in comment 3, we
found no evidence of this calculation prior to February 2004.
16. While we agree that vessel head corrosion as extensive as later
found at Davis-Besse was not anticipated, NRC had known that leakage of
the primary coolant from a through-wall crack could cause boric acid
corrosion of the vessel head, as evidenced by the Westinghouse work
cited above. Regardless of information provided to NRC by individual
licensees, such as FirstEnergy, NRC's model should account for known
risks, including the potential for corrosion.
17. We agree that NRC was aware of control rod drive mechanism nozzle
cracking at French nuclear power plants. NRC provided us additional
information consisting of a December 15, 1994, internal memo, in which
NRC concluded that primary coolant leakage from a through-wall crack
could cause boric acid corrosion of the vessel head. However, because
some analyses indicated that it would take at least 6 to 9 years before
any corrosion would challenge the structural integrity of the head, NRC
concluded that cracking was not a short-term safety issue. We revised
the report to include this additional information. (See p. 40.):
18. See comment 15.
19. We agree that while not directly relevant to the Davis-Besse
situation, NRC uses regulatory guide 1.177 to make decisions on whether
certain equipment can be inoperable while a nuclear reactor is
operating, which can pose very high instantaneous risks for very short
periods of time. However, we include the reference to this particular
guidance in the report because it was cited by an NRC official involved
in the Davis-Besse decision-making process as another piece of guidance
used in judging whether the risk that Davis-Besse posed was acceptable.
20. While regulatory guide 1.174 comprises 25 pages of guidance on how
to use risk in making decisions on whether to allow license changes, it
does not lay out how NRC staff are to use quantitative estimates of
risk or probabilistic factors, or how robust these estimates must be in
order to be considered along with more deterministic factors. The
regulatory guide, which was first issued in mid-1998, had been in
effect for only about 1.5 years when NRC staff was tasked with making
their decision on Davis-Besse. According to the Deputy Executive
Director of Nuclear Reactor Programs at the time the decision was being
made, the agency was trying to bring the staff through the risk-
informed decision-making process because Davis-Besse was a learning
tool. He further stated that it was really the first time the agency
had used the risk-informed decision-making process on operational
decisions as opposed to programmatic decisions for licensing. At the
time the decision was made, and currently, NRC has no guidance or
criteria for use in assessing the quality of risk estimates or clear
guidance or criteria for how risk estimates are to be weighed against
other risk factors.
21. The December 3, 2002, safety assessment or evaluation did state
that the estimated increase in core damage frequency was consistent
with NRC's regulatory guidelines. However, as noted in comment 3, we
disagree with this conclusion. In addition, while we agree that NRC has
staff with risk assessment disciplines, we found no reference to these
staff in NRC's safety evaluation. We also found no reference to NRC's
statement that these staff gave more weight to deterministic factors in
arriving at the agency's decision. While we endorse NRC's consideration
of deterministic as well as probabilistic factors and the use of a
risk-informed decision-making process, we continue to maintain that NRC
needs clear guidance and criteria for the quality of risk estimates,
standards of evidence, and how to apply deterministic as well as
probabilistic factors in plant shutdown decisions. As the agency
continues to incorporate a risk-informed process into much of its
regulatory guidance and programs, such criteria will be increasingly
important when making shutdown as well as other types of decisions
regarding nuclear power plants.
22. The information that NRC provided us indicates that completion
dates for 2 of the 22 high priority recommendations have
slipped.[Footnote 48] One, the completion date for encouraging the
American Society of Mechanical Engineers to revise vessel head
penetration nozzle inspection requirements or, alternatively, for
revising NRC's regulations for vessel head inspections has slipped from
June 2004 to June 2006. Two, the completion date for assessing NRC's
requirements that licensees have procedures for responding to plant
leakage alarms to determine if the requirements are sufficient for
identifying reactor coolant pressure boundary leakage has slipped from
March 2004 to March 2005.
23. We agree with this comment and have revised the report to reflect
this clarification. (See p. 49.):
24. Our estimate of at least an additional 200 hours of inspection per
reactor per year is based on:
* NRC's new requirement that its resident inspectors review all
licensee corrective action items on a daily basis (approximately 30
minutes per day). Given that reactors are intended to operate
continuously throughout the year, this results in about 3.5 hours per
week for reviewing corrective action items, or about 182 hours per
year. In addition, resident inspections are now required to determine,
on a semi-annual basis, whether such corrective action items reflect
any trends in licensee performance (16 to 24 hours per year). The total
increase for these new requirements is about 198 to 206 hours per
reactor per year.
* A new NRC requirement that its resident inspectors validate that
licensees comply with additional inspection commitments made in
response to NRC's 2002 generic bulletin regarding reactor pressure
vessel head and vessel head penetration nozzles. This requirement
results in an additional 15 to 50 hours per reactor per fuel outage.
25. Our draft report included a discussion that NRC management's
failure to recognize the scope or breadth of actions and resources
necessary to fully implement task force recommendations could adversely
affect how effective the actions may be. We made this statement based
on NRC's initial response to the Office of the Inspector General's
October 2003 report on Davis-Besse.[Footnote 49] That report concluded
that ineffective communication within NRC's Region III and between
Region III and NRC headquarters contributed to the Davis-Besse
incident. NRC, in its January 2004 response to the report, stated that
among other things, it had developed training on boric acid corrosion
and revised its inspection program to require semi-annual trend
reviews. In February 2004, the Office of the Inspector General
criticized NRC for limiting the agency's efforts in responding to its
findings. Specifically, it stated that NRC did not address underlying
and generic communication failures identified in the Office's report.
In response to the criticism, on April 19, 2004 (while our draft report
was with NRC for review and comment), NRC provided the Office of the
Inspector General with additional information to demonstrate that its
actions to improve communication within the agency were broader than
indicated in the agency's January 2004 response. Based on NRC's April
19, 2004, response and the Office's agreement that NRC's actions
appropriately address its concerns about communication within the
agency, we deleted this discussion in the report.
26. We recognize that the lessons-learned task force did not make a
recommendation for improving the agency's decision-making process
because the task force coordinated with the Office of the Inspector
General regarding the scope of their respective review activities and
because the task force was primarily charged with determining why the
vessel head degradation was not prevented. (See p. 55.):
27. We agree that NRC's December 3, 2002, documentation of its decision
was prepared in response to a finding by the Davis-Besse lessons-
learned task force. We revised our report to incorporate this fact.
(See p. 55.):
28. We agree that NRC's lessons-learned task force conducted a
preliminary review of reports from previous lessons-learned task forces
and, as a result of that review, made a recommendation that the agency
perform a more detailed effectiveness review of the actions taken in
response to those reviews. We revised the report to reflect that NRC's
detailed review is currently underway. (See p. 55.):
[End of section]
Appendix V: GAO Contacts and Staff Acknowledgments:
GAO Contacts:
Jim Wells, (202) 512-3841 Ray Smith, (202) 512-6551:
Staff Acknowledgments:
In addition, Heather L. Barker, David L. Brack, William F. Fenzel,
Michael L. Krafve, William J. Lanouette, Marcia Brouns McWreath, Judy
K. Pagano, Keith A. Rhodes, and Carol Hernstadt Shulman made key
contributions to this report.
[End of section]
Related GAO Products:
[End of section]
Management Weaknesses Affect Nuclear Regulatory Commission Efforts to
Address Safety Issues Common to Nuclear Power Plants.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-84-149]
Washington, D.C.: September 19, 1984.
Probabilistic Risk Assessment: An Emerging Aid to Nuclear Power Plant
Safety Regulation.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-85-11]
Washington, D.C.: June 19, 1985.
The Nuclear Regulatory Commission Should Report on Progress in
Implementing Lessons Learned from the Three Mile Island Accident.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-85-72]
Washington, D.C.: July 19, 1985.
Nuclear Regulation: Oversight of Quality Assurance at Nuclear Power
Plants Needs Improvement.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-86-41.
Washington, D.C.: January 23, 1986.
Nuclear Regulation: Efforts to Ensure Nuclear Power Plant Safety Can Be
Strengthened.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-87-141]
Washington, D.C.: August 13, 1987.
Nuclear Regulation: NRC's Restart Actions Appear Reasonable--but
Criteria Needed.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-89-95].
Washington, D.C.: May 4, 1989.
Nuclear Regulation: NRC's Efforts to Ensure Effective Plant Maintenance
Are Incomplete.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-91-36].
Washington, D.C.: December 17, 1990.
Nuclear Regulation: NRC's Relationship with the Institute of Nuclear
Power Operations.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-91-122].
Washington, D.C.: May 16, 1991.
Nuclear Regulation: Weaknesses in NRC's Inspection Program at a South
Texas Nuclear Power Plant.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-96-10].
Washington, D.C.: October 3, 1995.
Nuclear Regulation: Preventing Problem Plants Requires More Effective
NRC Action.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-97-145].
Washington, D.C.: May 30, 1997.
Nuclear Regulatory Commission: Preventing Problem Plants Requires More
Effective Action by NRC.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-T-RCED-98-252].
Washington, D.C.: July 30, 1998.
Nuclear Regulatory Commission: Strategy Needed to Develop a Risk-
Informed Safety Approach.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-T-RCED-99-71].
Washington, D.C.: February 4, 1999.
Nuclear Regulation: Strategy Needed to Regulate Safety Using
Information on Risk.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-RCED-99-95]
Washington, D.C.: March 19, 1999.
Nuclear Regulation: Regulatory and Cultural Changes Challenge NRC.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO/T-RCED-00-115].
Washington, D.C.: March 9, 2000.
Major Management Challenges and Performance Risks at the Nuclear
Regulatory Commission.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-259].
Washington, D.C.: January 2001.
Nuclear Regulation: Progress Made in Emergency Preparedness at Indian
Point 2, but Additional Improvements Needed.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-605].
Washington, D.C.: July 30, 2001.
Nuclear Regulation: Challenges Confronting NRC in a Changing Regulatory
Environment.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-707T].
Washington, D.C.: May 8, 2001.
Nuclear Regulatory Commission: Status of Achieving Key Outcomes and
Addressing Major Management Challenges.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-01-760]
Washington, D.C.: June 29, 2001.
Managing for Results: Efforts to Strengthen the Link between Resources
and Results at the Nuclear Regulatory Commission.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-258]
Washington, D.C.: December 10, 2002.
Nuclear Regulatory Commission: Oversight of Security at Commercial
Nuclear Power Plants Needs to Be Strengthened.
[Hyperlink, http://www.gao.gov/cgi-bin/getrpt?GAO-03-752]
Washington, D.C.: September 4, 2003.
(360292):
FOOTNOTES
[1] NRC, Degradation of Davis-Besse Nuclear Power Station Reactor
Pressure Vessel Head Lessons-Learned Report (Washington, D.C.; Sept.
30, 2002).
[2] FirstEnergy, Davis-Besse Nuclear Power Station, Root Cause Analysis
Report: Significant Degradation of the Reactor Pressure Vessel Head, CR
2002-089 (Oak Harbor, Ohio; Aug. 27, 2002) and Root Cause Analysis
Report: Failure to Identify Significant Degradation of the Reactor
Pressure Vessel Head, CR-02-0685, 02-0846, 02-0891, 02-1053, 02-1128,
02-1583, 02-1850, 02-2584, and 02-2585 (Oak Harbor, Ohio; Aug. 13,
2002).
[3] NRC, Office of the Inspector General, NRC's Regulation of Davis-
Besse Regarding Damage to the Reactor Vessel Head (Washington, D.C.;
Dec. 30, 2002) and NRC's Oversight of Davis-Besse Boric Acid Leakage
and Corrosion during the April 2000 Refueling Outage (Washington, D.C.:
Oct. 17, 2003).
[4] NRC, Davis-Besse Nuclear Power Station NRC Augmented Inspection
Team--Degradation of the Reactor Pressure Vessel Head (Washington,
D.C.; May 3, 2002).
[5] Two commissioner positions are currently vacant.
[6] These licensed reactors include Browns Ferry Unit 1--one of three
reactors owned by the Tennessee Valley Authority in Alabama--which was
shut down in 1985. The Tennessee Valley Authority plans to restart the
reactor in 2007, which will require NRC approval.
[7] NRC's oversight program has changed significantly since the
beginning of 1998. The third and most recent change occurred in mid-
2000, when the agency adopted its Reactor Oversight Process. Under this
process, NRC continues to rely on inspection results to assess licensee
performance. However, it supplements this information with other
indicators of self-reported licensee performance, such as how
frequently unscheduled shutdowns occur.
[8] 10 C.F.R. § 50.9 requires that information provided by licensees be
complete and accurate in all material respects.
[9] While Davis-Besse had 69 nozzles, 7 were spare and 1 was used for
head vent piping.
[10] The Electric Power Research Institute is a nonprofit energy
research consortium whose members include utilities. It provides
science and technology-based solutions to members through its
scientific research, technology development, and product
implementation program.
[11] Alloy 600 is an alloy of nickel, chromium, iron, and minor amounts
of other elements. The alloy is highly resistant to general corrosion
but can be susceptible to cracking at high temperatures.
[12] Primary water stress corrosion cracking refers to cracking under
stress and in primary coolant water. The primary water coolant system
is that portion of a nuclear power plant's coolant system that cools
the reactor core in the reactor pressure vessel and deposits heat to
the steam generator.
[13] The Nuclear Energy Institute comprises companies that operate
commercial power plants and supports the commercial nuclear industry;
and universities, research laboratories, and labor unions affiliated
with the nuclear industry. Among other things, it provides a forum to
resolve technical and business issues and offers information to its
members and policymakers on nuclear issues.
[14] Reactors that were categorized as having already identified
cracking or were highly susceptible included Arkansas Nuclear reactor
unit 1; D.C. Cook reactor unit 2; Davis-Besse; North Anna reactor units
1 and 2; Oconee reactor units 1, 2 and 3; Robinson reactor unit 2;
Surry reactor units 1 and 2; and Three Mile Island reactor unit 1.
[15] NRC, "Circumferential Cracking of Reactor Pressure Vessel Head
Penetration Nozzles" (Bulletin 2001-01, Aug. 8, 2001).
[16] The licensee for D.C. Cook reactor unit 2 proposed to shut down in
mid-January 2002 for its inspection. NRC agreed to the delay after
crediting D.C. Cook for having been shut down for about a month during
the fall of 2001, thus reducing the reactor's operating time.
[17] NRC forms such inspection teams to ensure that the agency
investigates significant operational events in a timely, objective,
systematic, and technically sound manner, and identifies and documents
the causes of such events.
[18] NRC has an Accident Sequence Precursor Analysis Program to analyze
significant events that occur at nuclear power plants to determine how,
and the likelihood that, the events could have led to core damage.
[19] FirstEnergy spent about $293 million on operations, maintenance,
and capital projects (including $47 million for the new reactor vessel
head) and $348 million to purchase power to replace the power that
Davis-Besse would have generated over the 2-year shutdown period. In
contrast, during a more routine refueling outage, Davis-Besse would
spend about $60 million--about $37 million on operations, maintenance,
and capital projects and $23 million on replacing the power that would
have been generated over a 42-day shutdown period. These latter
estimates are based on the Davis-Besse refueling outage in midcalendar
year 2000.
[20] NRC, Office of the Inspector General, NRC's Oversight of Davis-
Besse during the April 2000 Refueling Outage (Washington, D.C.: Oct.
17, 2003).
[21] Over the last 10 years, NRC has issued an average of about two
generic bulletins and about four generic letters a year.
[22] NRC, Office of the Inspector General, NRC's Oversight of Davis-
Besse during the April 2000 Refueling Outage (Washington, D.C.; Oct.
17, 2003).
[23] Before adopting the Reactor Oversight Process, NRC also assessed
licensee performance based on inspection results and other information;
however, NRC did not assign color codes to assessment results.
[24] Westinghouse Electric Company, Corrosion Effects of Boric Acid
Leakage on Steel under Plant Operating Conditions--A Review of
Available Data (Pittsburgh: October 1987).
[25] NRC's Office for Analysis and Evaluation of Operating Data was
established in response to a recommendation that we made to the agency
in 1978 that it have a systematic process for analyzing operating
experience and feeding this information back to licensees and the
industry. NRC eliminated this office, and its responsibilities were
transferred to other NRC offices in an effort to gain efficiencies.
[26] Davis-Besse's manufacturer was the Babcock and Wilcox Company,
which is an operating unit of McDermott International.
[27] Ordinarily, NRC would not suspend a license for a failure to meet
a requirement unless the failure was willful and adequate corrective
action had not been taken.
[28] The Union of Concerned Scientists is a nonprofit partnership of
scientists and citizens that augments scientific analyses and policy
development for identifying environmental solutions to issues such as
energy production.
[29] Specifically, reactor vessel head inspection requirements do not
require that insulation be removed. Because of this, reactor vessel
head inspections performed without removing the insulation above the
vessel head could not result in 100 percent of the nozzles being
visually inspected.
[30] NRC, Office of the Inspector General, NRC's Regulation of Davis-
Besse Regarding Damage to the Reactor Vessel Head (Washington, D.C.;
Dec. 30, 2002).
[31] NRC, Preliminary Staff Technical Assessment for Pressurized Water
Reactor Vessel Head Penetration Nozzles Associated with NRC Bulletin
2001-01, "Circumferential Cracking of Reactor Pressure Vessel Head
Penetration Nozzles" (Washington, D.C.; Nov. 6, 2001).
[32] Here is how to calculate the frequency estimate: 2x10^-2 equates to
0.02, or 2/100, which equals 1/50.
[33] Here is how to calculate the probability estimate: 2.7x10^-3
equates to 0.0027, or 27/10,000, which equals 1/370.37.
[34] Here is how to calculate the frequency estimate: 5.4x10^-5 equates
to 0.000054, or 54/1,000,000, which equals 1/18,518.52.
[35] Here is how to calculate the probability estimate: 5x10^-6 equates
to 0.000005, or 5/1,000,000, which equals 1/200,000.
[36] Here is how to calculate the frequency estimate: 4x10^-5equates to
0.00004, or 4/100,000, which equals 1/25,000.
[37] Here is how to calculate the frequency estimate: 6.6x10^-5equates
to 0.000066, or 66/1,000,000, which equals 1/15,151.51.
[38] Here is how to calculate the probability estimate: 5x10^-7 equates
to 0.0000005, or 5/10,000,000, which equals 1/2,000,000.
[39] The deterministic approach considers a set of safety challenges
and how those challenges should be mitigated through engineering safety
margins and quality assurance standards. The probabilistic approach
extends this by allowing for the consideration of a broader set of
safety challenges, prioritizing safety challenges based on risk
significance, and allowing for a broader set of mitigation mechanisms.
[40] These two recommendations were for NRC to (1) review how industry
considers economic factors in making decisions to repair equipment and
consider these factors in developing guidance for nonvisual inspections
of vessel head penetration nozzles, and (2) revise the criteria for
reviewing industry topical reports that have not been formally
submitted to NRC for review but that have generic safety implications.
[41] The International Atomic Energy Agency is an international
organization affiliated with the United Nations that provides advice
and assistance to its members on nuclear safety matters.
[42] The Advisory Committee on Reactor Safeguards is an independent
committee comprising nuclear experts that advises NRC on matters of
licensing and safety-related issues, and provides technical advice to
aid the NRC commissioners' decision-making process.
[43] NRC formed the Indian Point lessons-learned task force in response
to a steam-generator-tube rupture that forced a reactor shutdown. NRC
formed the Millstone lessons-learned task force because the plant
operated outside its design standards while refueling. NRC formed the
South Texas task force in response to concerns about the effectiveness
of NRC's inspection program and the adequacy of the licensee's employee
concerns program.
[44] The numbers 2E-3, 5E-6, and 5E-8 can also be written as 2x10^-3,
5x10^-6, and 5x10^-8.
[45] The probability of an event occurring is the product of the
frequency of an event and a given time period. In this case, the time
period--7 weeks--was approximated as one-tenth of the year. Thus,
5.4x10^-5 per year multiplied by 0.10 equates to a probability of
5.4x10^-6. According to NRC, it revised 5.4x10^-6 to 5.0x10^-6 to account
for uncertainties.
[46] The International Atomic Energy Agency, International Nuclear
Safety Advisory Group, Safety Culture (Vienna, Austria: February 1991).
[47] NRC, Office of the Inspector General, NRC's Oversight of Davis-
Besse during the April 2000 Refueling Outage (Washington, D.C.: Oct.
17, 2003).
[48] Of NRC's 21 high priority recommendations, we categorized 1
recommendation as 2 so that we could better track actions taken to
implement it. Thus, we have 22 recommendations categorized as high
priority.
[49] NRC, Office of the Inspector General, NRC's Oversight of Davis-
Besse during the 2000 Refueling Outage (Washington, D.C.: Oct. 17,
2003).
GAO's Mission:
The General Accounting Office, the investigative arm of Congress,
exists to support Congress in meeting its constitutional
responsibilities and to help improve the performance and accountability
of the federal government for the American people. GAO examines the use
of public funds; evaluates federal programs and policies; and provides
analyses, recommendations, and other assistance to help Congress make
informed oversight, policy, and funding decisions. GAO's commitment to
good government is reflected in its core values of accountability,
integrity, and reliability.
Obtaining Copies of GAO Reports and Testimony:
The fastest and easiest way to obtain copies of GAO documents at no
cost is through the Internet. GAO's Web site ( www.gao.gov ) contains
abstracts and full-text files of current reports and testimony and an
expanding archive of older products. The Web site features a search
engine to help you locate documents using key words and phrases. You
can print these documents in their entirety, including charts and other
graphics.
Each day, GAO issues a list of newly released reports, testimony, and
correspondence. GAO posts this list, known as "Today's Reports," on its
Web site daily. The list contains links to the full-text document
files. To have GAO e-mail this list to you every afternoon, go to
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order
GAO Products" heading.
Order by Mail or Phone:
The first copy of each printed report is free. Additional copies are $2
each. A check or money order should be made out to the Superintendent
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or
more copies mailed to a single address are discounted 25 percent.
Orders should be sent to:
U.S. General Accounting Office
441 G Street NW,
Room LM Washington,
D.C. 20548:
To order by Phone:
Voice: (202) 512-6000:
TDD: (202) 512-2537:
Fax: (202) 512-6061:
To Report Fraud, Waste, and Abuse in Federal Programs:
Contact:
Web site: www.gao.gov/fraudnet/fraudnet.htm E-mail: fraudnet@gao.gov
Automated answering system: (800) 424-5454 or (202) 512-7470:
Public Affairs:
Jeff Nelligan, managing director, NelliganJ@gao.gov (202) 512-4800 U.S.
General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C.
20548: