Comment On Article About The Author More Articles By This Author

Commercial atomic power was the moniker used when the current generation of nuclear plants were built. Distrust grew as the public mind fused the concepts of atomic power and atom bombs, and questioned the ability the government to both promote and regulate. A re-marketing scheme was necessary. The Atomic Energy Commission of the sixties became the Nuclear Regulatory Commission (NRC)1 of the seventies and atomic power became nuclear energy. Though the names have changed, the plants and many of the people that operate and regulate them are much the same as they were then... only older. With a focus on safety, this article examines the present state of the industry in part one, and looks to the future in part two.

Part 1: State of the Industry

Age is not the only concern. The accident at Three Mile Island in 1979 ended orders for new plants in this country but demand for electricity continued to rise. Nuclear utilities responded by up-rating and extending the lives of their operating reactors. A unit up-rate makes the physical and licensing changes necessary to support higher power output. A life extension project seeks a twenty-year addition to the license of a plant originally designed for forty years. This too often involves some equipment upgrades.

Aging plants are now pushed harder and longer to meet growing demand. These two processes, up-rates and life extension, are analogous to taking a middle-aged runner who puts in twenty miles per week, asking him to do thirty, do them faster, and keep at it way past retirement.

Nuclear plant safety rests on a three-legged stool. Active and redundant safety systems, to prevent and mitigate accidents, form the first leg. The second leg is safety margin: a cushion between success and failure under limiting conditions. The third leg is the skill, commitment, and culture of the nuclear workforce -- the safety culture.

So, are the plants still safe -- is the stool stable? The first leg, the safety systems and equipment, are older now and becoming obsolete. Up-rates and license extensions are eroding safety margin (the second leg of the stool) while production and profit demands of the private sector threaten the third leg -- the safety culture. A detailed look at the three foundations of safety follows.

Active safety means that when the accident happens, pumps must start, valves must stroke, and emergency power sources must start-up. Redundancy means that there are at least two independent sets (or trains) of all the emergency equipment, in case one should fail when needed. Designs based on active and redundant systems present two intractable problems. Redundancy is necessary to accommodate active failures; however, redundant systems can never be truly independent. Common mode failures are insidious, be they errors in common maintenance procedures, or design flaws in common spare parts.

Availability is the second problem with active safety equipment. Frequent maintenance and testing is necessary to prove that systems and components are reliable, but these activities render them unavailable to perform their intended function. The plant staff must trade availability for reliability. As the equipment ages, more maintenance is necessary, and the price of reliability, as measured in out of service hours, rises.

Active safety systems require actuation systems to monitor vital parameters and initiate protective actions when needed. The protection and control systems deployed at most domestic nuclear plants were state-of-the-art design in the sixties and seventies. The analog instrumentation, relay logic, early vintage solid state logic, and first generation digital technologies can now be found primarily in nuclear plants and museums. Though troubling, there is a sound reason for this condition.

The nature of their mission demands a rigorous qualification process and a long performance history to demonstrate reliability of reactor protection systems. Innovation may be a top priority in enterprises where the consequences of failures are low, but this is not that kind of business. Innovation takes a back seat to caution in the nuclear world, where a deliberate approach to change is essential. State-of-the art digital instrumentation and control systems are being actively pursued by the industry, but replacement technology must be of pedigree equal to the original. Thorough qualification testing must demonstrate that new digital systems are free of common cause failures embedded in software or firmware which would compromise the diversity and defense in depth designed into current systems.

Safety margins are at the very heart of nuclear safety. All of our plants have a body of analyses to demonstrate that the public will be protected, even under the worst accident conditions. The responsible regulatory agency, the NRC, will not grant a license without such a body of analyses. These analyses are the benchmark against which all equipment performance and proposed changes are measured, and safety margin is the room between success and failure under limiting accident scenarios. Age-related performance degradation, or plant changes that demand better performance, are acceptable only if the equipment continues to perform at least as well as required in the analysis of record.

The methods of analyses used to license the current generation of plants are deterministic, and these methods too are dated. In such analyses, there are no gray areas; equipment is assumed to either perform or fail, and if it performs, it does so the lowest allowable level. If a valve must stroke in five seconds, but is always measured at two, the analysis assumes five. If a pump is designed to deliver a minimum of 300 gallons per minute (gpm) at 400 feet of head, but it always tests to 350 gpm, only 300 gpm can be credited in the analyses. The analyses generally assume that the plant, equipment and environment at the time of the accident are at their absolute worst possible initial conditions for the accident of interest. They also assume that a single failure occurs at the time of the accident and disables an entire protection train.

While deterministic methods and assumptions are generally conservative, they do not model reality very well. In the real world, the worst possible initial conditions never occur simultaneously, and equipment performs better than barely good enough. Further, multiple failures sometimes occur. A new risk-based method of analyses, probabilistic risk analyses (PRA), accounts in real time for the actual state of the plant, environment and equipment, and has built-in failure probabilities for all major safety equipment. Caution is warranted, however, before the old methods are discarded. The fidelity of PRA models must be up to the task.

Plant up-rates reduce safety margin, generally by imposing more demanding performance requirements. Plant life extensions require that the safety equipment continue to function acceptably for a period half again as long as originally intended. The active equipment mentioned above is not the only safety equipment of interest. Plants also rely on passive equipment: piping systems, pressure vessels, containment structures, electrical cables, support structures, and buildings. These too must continue to perform at high levels, and they are not so easy to maintain or test. Consequently, any license extension usually imposes requirements for supplemental inspection and monitoring programs.

The NRC had approved 110 up-rate applications as of 2006, and anticipates another 25 by 20112. The industry will have expanded capacity by the equivalent of 8-10 large reactors, and is extending the life of most reactors by 50%. This expansion is not free, and part of the cost is in safety margin.

Human fallibility is a reality that any enterprise must acknowledge and address. Mistakes are born of both inexperience and complacency, and mistakes are not the only behaviors that present risk. Self-interest, confused priorities, and pride -- in short, the entire spectrum of the human psyche can, if not properly managed, get in the way of safety.

A strong safety culture is the most effective defense against human behaviors that threaten safety. Such a culture exists when everyone holds an almost spiritual reverence for nuclear safety. There is no confusion of priorities, and if any doubt exists, decisions default to the safest one. Generally, the nuclear industry has successfully cultivated such a culture, but threats persist. The domestic nuclear industry resides in the private sector, historically in the hands of public utilities. De-regulation in the electric utility industry coupled with an economic crisis has introduced new production and profit pressure on plant owner/operators.

The goals of profit and safety do not always align; production and safety are sometimes in conflict. There will always be those clever enough to interpret safety rules in a manner that, though technically legal, undermines the spirit of the rules. In the competitive business world, such behavior earns promotion, and those exhibiting such skills rise through the organization to lead. This is a fundamental danger demanding regulatory vigilance.

There is another more subtle and innocent threat to safety culture. A healthy safety culture requires that everyone see how his or her task supports the goal. As processes grow more complex, workers lose that line of sight. Three decades ago, the nuclear industry formed an internal watchdog organization: The Institute of Nuclear Power Operations (INPO). This group, fully funded and partially staffed by member utilities, is chartered with moving the industry ever closer to excellence. INPO is often even more intrusive and demanding than the regulator, driving for ever-increasing levels of performance by imposing new processes and programs. Though well intentioned, they have had the unintended consequence of breaking the worker's line of sight to the task.

A popular variety show of the sixties occasionally featured plate twirlers -- performers that would spin plates on freestanding poles. The entertainer would slowly add more poles and plates to the act while running from plate to plate to keep them all spinning. Plant operators find themselves in a similar predicament as INPO adds more and more process requirements. The entertainers on the old Ed Sullivan show sometimes managed to end the show in a controlled manner, removing plates one-by-one. Other times, the act did not end so neatly. The nuclear industry is procedure heavy and process-bound, the fundamental knowledge of its workers is in decline, and nuclear safety suffers.

The nuclear fleet produces over twenty percent of the nation's electricity and, despite the challenges of age, duty and design, it continues to operate safely, a fact substantiated by the performance record of the last half-century. Large safety margins, robust and redundant design features, intrusive regulatory oversight, and a pervasive safety culture are the reasons. The industry has stalled though, and the safety record is at risk.

Part 2: The Path Forward

Though the commercial atomic power industry has successfully met the human and equipment performance challenges, it has failed in other ways. All of the spent fuel ever produced - and its burden of highly-radioactive fission products - is stored on sites, in deep pools or dry casks, spread across the country. This is clearly not the most effective or efficient way to protect the hazardous material from accident or mal-intended purpose.

Further, the spent fuel contains a tremendous energy potential in the form of fissile and fertile isotopes that could go a long way towards meeting future energy needs. Re-processing spent fuel not only expands available energy supplies, but also dramatically reduces high-level radioactive waste. A completely closed fuel cycle could reduce Uranium consumption by two orders of magnitude and reduce the volume of high level waste by a factor of 243. Tapping that potential demands a national will that we have not mustered, but a will that others have.

Nuclear plants in this country fall into about a half dozen broad categories, based on the vendor that designed and supplied the reactor and associated support systems. In reality, each nuclear unit is a one-of-a kind design. Several vendors made weak attempts at standardization early on, but the concept never took hold, and the industry efficiency has suffered. In a standardized nuclear industry, everything from training programs to operating procedures, spare parts to fuel design would be common. Expertise and equipment would be fully transportable. The failure to standardize is a costly mistake.

In the nineteen-eighties, vendors, regulators, and plant operators saw a need for a new generation of plants and a new regulatory process to license them. The next generation was to be based on modular designs that were passively safe. Under accident conditions, decay heat is removed by natural circulation without a need for pumps and valves and power sources. Advance design certification would expedite the licensing process and reduce uncertainty and financial risk. Further, this was a new opportunity for standardization.

Unfortunately, the concepts of passive safety and standardization fell victim to the free market pressures. Passively safe plants cannot be built as large as other designs, and economics favor building plants as large as possible. Absent a controlling government agency, there was no one to force standardization.

As the current generation of plants successfully lumbers forward, albeit with a bit of brute force, the nation stands on the brink of a nuclear renaissance. The large problems of the past, however, remain unsolved. Perhaps it is irresponsible to launch this new generation without addressing those issues. There is a way to deal with the problems and a working model upon which we can base our national strategy.

The nation of France generates over seventy-five percent4 of its electrical power from nuclear plants of a standardized design. They also reprocess fuel and have a working strategy for storing high level waste. Perhaps it is time that we nationalize our nuclear industry -- including a complete and closed fuel cycle. Re-processing fuel introduces the concern of controlling potentially weapons grade fissile material, but our government (i.e. the Department of Energy) has the experience and a long history of managing such material for the nation's nuclear weapons program. We have at our disposal the world's greatest military to protect the material.

Commercial Atomic Power remains safe in this country, but large obstacles block its path forward, specifically: spent fuel disposal, passively safe designs, standardization, private sector conflicts, and re-processing. A nationalized fleet of passively safe, standardized reactors operating with a closed fuel cycle is a viable and coherent solution. The Westinghouse AP-1000 is a passively safe, modular design already certified by the Nuclear Regulatory Commission. Four such plants are under construction in China and five US utilities have placed orders. The technology and the economic and regulatory models for a safe commercial nuclear future exist; only the will is lacking.

In a fervently free market society, nationalization sounds like heresy. There is a deep-seated belief that government-run businesses always produce wasteful bureaucracies. That kind of thinking is not appropriate for the commercial nuclear power industry, an enterprise in which the consequences of failure are much more than financial. Safety and security must always trump innovation in this business.

References

1. U.S.NRC "A Short History of Nuclear Regulation 1946-1999.
2. Teresa Hansen, "Nuclear Plant Uprates," Power Engineering International, March 2007
3. E. Bertel, "Advanced Fuel Cycles and Radioactive Waste Management" NEA News 2006 Volume 24, Number 2,
4. World Nuclear Association, "Nuclear Power in France", 26 June 2009.