Beginning in 2012, I used the Nuclear Regulatory Commission non-concurrence and differing professional opinion (DPO) processes to raise nuclear safety issues affecting the Diablo Canyon nuclear plant. These internal processes allow employees to raise issues and make recommendations that differ from the prevailing agency view. These safety issues were related to how the NRC addressed design control, equipment evaluation and operating license fidelity after Pacific Gas and Electric Co. developed new seismic information affecting the Diablo Canyon site. The agency carefully considered my recommendations and dispositioned these concerns in September 2014. The NRC subsequently made my views and the agency’s conclusions publicly available in the Agencywide Documents Access and Management System (ADAMS Accession Number ML1425A743).
Diablo Canyon seismology is both highly complex and controversial. However, my DPO was not about seismology. My DPO addressed routine and generally well-understood inspection practices related to agency enforcement of existing design basis requirements at a power reactor facility. These requirements are equally applicable regardless of whether the issues involved seismic qualification, spent fuel, accident analysis, or any other aspect of the facility design basis. The DPO did not identify any “immediate or significant safety issues.” However, the DPO asserted that PG&E continues to operate the Diablo Canyon reactors outside of the bounds of the facility design basis as defined by the NRC Operating License. Any operation outside of the design basis challenges plant safety due to erosion of regulatory margins.
For example, in 2004 a seismologist identified that the Fukushima sea wall was too low. This was a condition outside of the facility design basis that required protection against the maximum credible flood and demanded corrective action. But the low sea wall was not an “immediate or significant safety issue” because the probability of a large tsunami was thought to be small. But as we saw in 2011, the low sea wall did impact the capability of facility operators to mitigate a flood.
The license application (Final Safety Analysis Report or FSAR) for a nuclear power plant must include safety analyses demonstrating that regulatory design bases are satisfied. The design basis requires that equipment needed to prevent or mitigate an accident (equipment important to safety) remains functional following the safe shutdown earthquake (SSE). The NRC defines the SSE as the largest credible earthquake that can affect the site.
The Diablo Canyon license application, as amended and approved by the NRC, stated that this design basis SSE was satisfied by the Double Design Earthquake (DDE) safety analysis. NRC Rules required PG&E to maintain the plant capable of meeting this design basis requirement, as specified in the license application (as amended), during reactor operation. The Diablo Canyon license application also discussed a second earthquake analysis, called the Hosgri Evaluation (HE).
Nuclear seismic qualification is not just about how much the ground will shake following an earthquake. Equally important are the methods used to analyze how seismic energy propagates through plant structures; the engineering assumptions and inputs used in the safety analysis; and the application of load combinations and acceptance limits. The larger HE earthquake (0.75 g peak ground acceleration) predicted less mechanical stress on plant equipment, including reactor components, than the smaller SSE/DDE (0.4 g). While this may sound counterintuitive, this result reflected the different analytical methods and assumptions used in the two analyses. The PG&E license application (as approved) explicitly stated that the SSE design basis requirement was satisfied by the DDE. The application discussed the HE as a response to NRC questions raised during the original licensing process. The application also specifically stated that the HE did not meet NRC requirements for the SSE. In other words, the facility Operating License established the DDE/SSE as the maximum ground motion for the site, implementing NRC design basis rules for protection against earthquakes. The HE demonstrated that PG&E could safely shut down the plant (assuming no accident or fire) if a 7.5 magnitude earthquake occurred on the Hosgri fault. The reasons for excluding the larger HE ground motions from the SSE safety analysis are complex and reflect negotiated agreements made between the NRC and PG&E prior to original plant licensing.
In early 2011, PG&E placed a re-evaluation of the local seismology on the NRC docket. This report concluded that three earthquake faults were capable of producing greater ground motion than the SSE/DDE but less than the HE. NRC regulations required PG&E to evaluate this new information against the existing facility design basis and update any deficient FSAR safety analysis. PG&E could have updated the SSE safety analysis with the new ground motions. However, this approach would have required an amendment to the Operating License because the resulting stress would have exceeded established safety limits for equipment important to safety, including the reactor pressure boundary. The NRC typically doesn’t approve safety analysis changes that conclude safety limits have been exceeded.
As an alternative, PG&E chose to change the SSE safety analysis methodology from the DDE to the HE. At the time, this seemed to be a reasonable approach since the new ground motions were bounded by the HE spectrum. Also, both PG&E and the NRC personnel assumed that the very complex HE safety analysis would meet agency requirements for the SSE design basis.
PG&E was required to obtain NRC approval before incorporating this change. NRC Rules require an amendment to the Operating License if less conservative analytical methods are used to demonstrate that a design basis requirement is satisfied. In October 2011, PG&E submitted License Amendment Request 11-05 requesting NRC approval for this change. NRC rules allowed continued reactor operation while the agency reviews the amendment request provided that PG&E demonstrates a “reasonable assurance” that equipment important to safety remains “operable.” In other words, PG&E would have to show by evaluation that accident mitigation equipment would still work and reactor piping would hold together (meet acceptance limits of the American Society of Mechanical Engineers, Boiler and Pressure Vessel Code) given the higher seismic inputs.
As a resident inspector, my job was to compare the Diablo Canyon facility and PG&E activities against the facility Operating License, NRC regulations and industry guidance. When inspections identify gaps in the implementation of these requirements, then I was expected to draft violations consistent with the NRC Enforcement Policy. I was specifically tasked with reviewing between 19 and 25 PG&E operability evaluations each year.
In the summer of 2011, PG&E concluded that all safety equipment was “operable” given the higher ground motions. This evaluation relied on the HE as an alternate methodology. NRC operability policy allows use of “alternate analytical methods” provided certain conditions are met. For example, the alternate method cannot produce a result that “over-predicts” equipment performance when compared to the design bases method.
My inspection concluded that the PG&E evaluation failed to meet NRC operability standards. For a given ground motion, the HE method will always produce a less conservative result when compared to the SSE/DDE method. Gaining margin over the SSE/DDE was the sole reason PG&E used the HE as an alternate method. I also knew that very little margin to the Code limits existed from my experience with the replacement reactor head and steam generator inspections. Almost any increase in seismic loading would result in exceeding the Code acceptance limits, roughly 2/3 of the critical buckling strength for the material.
I included an inadequate operability evaluation violation with my 2011 third and fourth quarter Integrated Inspection Reports. In both cases, NRC Region IV management removed the violation prior to issuing the reports. The proposed violation addressed the decrease in nuclear safety because PG&E had encroached on design basis margins and safety limits.
NRC violations associated with inadequate operability evaluations are common. Typically, these violations address technical deficiencies in the analytical or regulatory approach used by the licensee. Corrective actions usually involve adding technical rigor or additional justification to the evaluation. However, for the seismic operability case, it was unlikely that PG&E would have been successful. The magnitude of the new ground motions combined with the lack of available margin in the existing SSE safety analysis would have made it all but impossible to conclude that plant equipment was operable. If this equipment was determined to be inoperable, then the Operating License required PG&E to immediately shut down both reactors.
A license-mandated shutdown is not all that unusual. The NRC has and routinely uses statutory authority to grant regulatory dispensation in these types of cases. PG&E could have used the HE to support a safety argument justifying continued operation pending NRC approval of the license amendment. This path would have required the NRC to formally waive the current Diablo Canyon seismic design basis requirements and approve relief from the code. This path would have also reversed the previously well-publicized agency position that PG&E had been operating within the bounds of the facility design basis.
To ensure NRC management fully understood the underlying technical and regulatory aspects of the proposed violation, I non-concurred on my own inspection report. To my surprise, the agency response stated that insufficient information was available to complete an operability evaluation. To the best of my knowledge, this position was completely unprecedented and contrary to written NRC policy. In my 30-plus years of performing and inspecting operability evaluations, I had never once come across this view. The failure to clearly demonstrate operability has always resulted in a declaration of “inoperability,” requiring immediate application of the Technical Specification remedial actions. The agency’s response went on to state that NRC approval of the PG&E license amendment request was needed before operability could be fully assessed.
Apparently, I had misapplied NRC operability criteria during the inspection. However, the non-concurrence response did not provide sufficient information for me to understand why or how I had missed the mark. The NRC response also appeared to establish new agency policy and precedent.
In 2012, NRC technical reviewers concluded that the HE methodology was not suitable for the Diablo Canyon SSE design basis. In October 2012, PG&E withdrew the license amendment request at the NRC’s request. The NRC Diablo Canyon Project Manager subsequently requested PG&E to directly add the results of the Shoreline fault analysis to the facility FSAR, appearing to work around the failed license amendment process.
This action limited stakeholder input by bypassing statutory requirements for notice and hearing opportunity associated with a facility design basis change. NRC rejection of the license amendment also appeared to have voided the agency’s stated bases for the non-concurrence decision on operability.
I submitted the DPO in July 2013. My goal was to include sufficient technical detail and regulatory analysis to support a third-party review of the issues. I addressed the unresolved operability issue from 2011 and added the lack of appropriate corrective actions to restore the FSAR safety analysis to the facility design basis and regulatory requirements.
During the DPO deliberations, I did my best to reach a consensus on the technical and regulatory issues with the panel. I offered to withdraw the DPO if the panel could provide a technical resolution consistent with both agency rules and the facility license. I also requested that the panel obtain a legal opinion from the NRC Office of General Counsel since the DPO involved application of specific legal requirements established by the facility operating license. My understanding was that the panel did not accept either recommendation.
In May 2014, the panel concluded that PG&E had satisfied all regulatory requirements. Apparently, I had misapplied the Diablo Canyon license requirements. The panel’s conclusion was built on the assumption that the HE was a facility SSE. Because the HE was an SSE, then neither a license amendment nor an operability evaluation was required. To the best of my knowledge, this was the first time the agency had asserted that the HE was the Diablo Canyon SSE. Unfortunately, the panel report offered no explanation or the basis for this assumption. I found this partially frustrating since I went to great lengths in the DPO to provide a detailed description of the facility seismic licensing basis. I thought that if I had gotten it wrong, then the panel should be able to point out where I made my error.
The assumption that the HE was a facility SSE appeared to be in direct conflict with the facility license application (FSAR). I followed up with the panel chairman to better understand the basis for their assumption and my error. He directed me to an FSAR section. Interestingly, PG&E had revised this section in September 2013 following the NRC project manager’s direction to add the Shoreline fault to the FSAR. NRC rules require that all FSAR changes potentially affecting how the design basis is satisfied be screened to determine whether an amendment to the license is required. For the Diablo Canyon case, these changes were flagged by PG&E as exempt from this screening requirement based on “correspondence from the NRC.” From my view, the panel appeared to have relied on circular logic to resolve the DPO. The panel concluded that PG&E was not required to obtain an amendment to the license based on the change that PG&E made to the license without first obtaining the required amendment.
In June 2014, I submitted an appeal to the DPO decision. My appeal stated that the DPO conclusion appeared to be built on a misunderstanding of the Diablo Canyon license requirements and agency rules. Also, the panel appeared not to have fully addressed the statutory requirements associated with adding the new seismic information to the FSAR (Title 10 of the Code of Federal Regulations, CFR, Part 50.59) and meeting the ASME Code for the facility SSE (required by 10 CFR 50.55a). Specifically, the panel appeared not to have compared the new seismic inputs against the FSAR safety analysis as explicitly required by agency rules.
I included the actual original (license application, as approved) and current FSAR pages describing the seismic design and licensing basis in the appeal. I included these pages to avoid any misunderstanding of the facility license requirements. I included the specific language of applicable agency rules and approved guidance to avoid unsupported assumptions. I also added specific examples detailing past NRC enforcement action taken on similar issues at other facilities and formal agency guidance addressing expected actions following discovery of conditions outside of the seismic design basis.
In response to my appeal, the agency again told me my conclusions were incorrect. Apparently, my regulatory analysis had inappropriately excluded the HE from the facility licensing basis. Again the agency response did not offer sufficient detail to help me understand where I had made my error or which part of the license application I misinterpreted.
I have exhausted the NRC processes for raising nuclear safety concerns. At every turn, the agency reinforced that their original conclusions and actions had been correct. From my perspective, I applied the same NRC inspection standards and agency rules to the Diablo Canyon seismic issues that I’ve used to disposition many other design bases issues during my 20-plus years as an inspector. Because the DPO was reviewed by the highest levels of agency management, I was left with the impression that the NRC may have applied a special standard to Diablo Canyon.
As an insider, I’ve found that the industry culture sometimes operates with the assumption that NRC rules and license requirements impose excessive margins and burdens. In the 1980s, I worked as a reactor engineer (in-core physics) for the Tennessee Valley Authority. The plant culture often viewed NRC design basis requirements as far exceeding those needed to preserve safety. “We have systems that back up systems, that back up systems, that …” This industry culture justified encroachment on the facility design basis.
I’ve also encountered this culture as an inspector. For example, the NRC issued eight 10 CFR 50.59 violations during my five-year tenure at Diablo Canyon. Each of these violations was associated with facility changes PG&E had made without first obtaining the required amendment to the operating license.
By studying major nuclear accidents, Three Mile Island, Chernobyl and Fukushima, I found that these events were largely preventable. Encroachment of operating standards and the design basis contributed to each event. In some cases decision makers didn’t fully appreciate the complexity or consequence of the safety barriers they encroached upon. For example, a test engineer directed that reactor power be maneuvered outside of design basis limits at Chernobyl. The engineer didn’t realize that his actions had placed the reactor in an unstable region, leading to an uncontrolled power excursion. The results of his actions are now part of the nuclear legacy.
As I’ve worked through these issues, I’ve heard agency personnel express over and over again that Diablo Canyon has “plenty of seismic margin.” “Just look at the HE.” These statements imply that no real safety issue exists with the new seismic information. I maintain that Diablo Canyon seismic safety is very complex. It took the DPO Panel almost a year just to conclude that the new ground motions were within the bounds of the existing SSE safety analysis. And I’m pretty sure that they didn’t even get that right. While the NRC license review processes may seem exhaustive and stakeholder input can be frustrating at times, use of the established regulatory framework and NRC acceptance criteria provides us the basis for our presumption of nuclear safety. History has repeatedly taught us that we sometimes get ourselves in trouble when we try working around these processes.