March 19—Leakage from the lubricating oil system for the reactor coolant pumps violated fire protection requirements.
March 27—Heating, ventilation, and air conditioning systems had been improperly excluded from an analysis of equipment need- ing manual adjustments in response to a fire. This abridged list omits dozens of other
problems identified by workers after the NRC placed Crystal River 3 on its Watch List. Most of the problems had existed since the plant’s startup 20 years earlier but were missed during countless subsequent tests and inspections. Did the plant’s owner bring in busloads of smarter workers after the NRC put the reactor on notice? No, capable workers missed these problems for the same reason that capable NRC inspectors found few problems at Donald C. Cook prior to its year-plus outage: when Crystal River 3 was perceived to be a good plant, tests and inspections “confirmed” this perception. When Crystal River 3 was per- ceived to be a troubled plant, the same tests and inspections “confirmed” this perception, too.
The Crystal River experience reflects that of many other year-plus outages. Plant owners do not continue operating reactors that they know suffer from extensive degradation. Instead, widening gaps between perception and reality and a steadfast belief in overly optimistic percep- tions leaves the plant owners as “surprised” as the NRC when the depths of the problems are finally revealed.
Despite numerous attempts over the past four decades to prevent safety test and inspection results from being influenced by perceptions, this problem has yet to be addressed effectively. The public health risks and financial stakes of a “surprise” nuclear disaster are too high to allow false perceptions to continue guiding nuclear safety decisions.
Walking a Nuclear Tightrope
Lesson 7: Owners Are Not Made Aware of Non-Hardware Problems
The NRC issues generic communications to its licensees in the form of bulletins, circulars, generic letters, information notices, and regulatory issue summaries that describe new and revised regulations and lessons learned from operational events. Thousands of such communications have been issued by the NRC since 1975, and plant owners incorporate the content into their proce- dures, practices, and training.
Our case studies reveal that the NRC has issued numerous generic communications about equipment problems it identified prior to and during year-plus outages, but hardly any regarding non-hardware problems—despite the fact that it knew such issues were associated with extended outages. For example, the NRC informed Congress about programmatic fail- ures at TVA that caused the extended outages at Browns Ferry in Alabama and Sequoyah in Tennessee. But it did not issue generic commu- nications to plant owners about these failures nor (for the most part) about similar programmatic failures it knew had occurred at nearly two dozen other reactors experiencing year-plus outages.
Consequently, plant owners have not had the same opportunities to update flawed procedures, practices, or training that they have had to fix equipment problems. The NRC must stop keep- ing “secrets” about programmatic breakdowns that can cause significant erosion of safety margins at nuclear power reactors.
Lesson 8: Programmatic Breakdowns Are Not Confined to One Plant
At nuclear power plants with multiple reactors, programmatic breakdowns (the cause of most year-plus outages) typically resulted in all of the reactors being shut down until the problems were corrected. This makes sense considering that