ML13256A372

From kanterella
Jump to navigation Jump to search
(Redacted) Letter from L Criscione to Chairman a Macfarlane
ML13256A372
Person / Time
Site: Oconee  
Issue date: 09/18/2012
From: Lawrence Criscione
NRC/RES/DRA
To: Macfarlane A
NRC/Chairman
Shared Package
ML24330A209 List:
References
FOIA/PA 2013-0239, FOIA/PA-2016-0071
Download: ML13256A372 (21)
v  d  e


Text

September 18, 2012 (b)(6)

Chairman Allison Macfarlane US Nuclear Regulatory Commission Mail stop O-16G4 Washington, DC 20555-0001

Dear Dr. Macfarlane:

Admiral Rickover served 63 years as an officer in the United States Navy - longer than any other naval officer in US history and possibly longer than any US government employee. He spent the last half of his career developing the nuclear powered submarine force and commercial nuclear power. He was more experienced than anyone else with regard to the functioning of the United States' military, industrial and governmental institutions when, in 1982, he gave a speech at Columbia University in which he noted:

A major flow in our system of government, and even in industry, is the latitude to do less than is necessary. Too often officials are willing to accept and adapt to situations they know to be wrong. The tendency is to downplay problems instead of actively trying to correct them.

On March 11, 2011 an earthquake and tsunami struck the Japanese nuclear facilities at Fukushima Dai-ichi. The flood walls built to protect the reactor plants were too short and the 49 foot wave that hit the plants took out the emergency electric power. With no way to remove decay heat, over the next several days heat built up in the reactor cores until it melted the fuel, breached the steel reactor vessels, and eventually breached the containment buildings.

The utility owner - TEPCO - was aware of analyses that showed their tsunami walls were not adequately sized. But in the spirit of Admiral Rickover's quote, they were willing to accept and downplay situations they knew to be wrong instead of actively trying to correct them.

Why did the utility behave so irresponsibly? Because it is human nature to focus on immediate problems and to delay addressing "what if's". And a 49 foot tsunami was a very low probability "what if".

c)3

Please note that the reactors at Fukushima survived both the earthquake and the tsunami. The reactors themselves did not start to fail until hours later. It was the support systems for providing emergency cooling to the reactors which were destroyed in the earthquake.

In Oconee County, South Carolina there are three reactor plants in a plain downstream of the Jocassee Lake Dam. These reactors and their containment buildings are designed to withstand floods, tornados and earthquakes. But are their support systems?

About four times a day, each reactor at Oconee produces the equivalent energy as released in the atomic bomb dropped on Hiroshima.

But unlike that A-bomb, instead of releasing this energy in less than a nanosecond, the equivalent energy release occurs over a six hour period allowing plant systems to remove the energy and convert it to electricity.

Following a reactor shutdown, the reactors at Oconee still produce a significant amount of energy due to the inventory of radioactive waste nuclides stored in their cores. The energy released over the first three days is equivalent to roughly a tenth of the energy released at Hiroshima. As long as this energy is removed, there is no problem. But what if it cannot be removed? What if it builds up in the reactor cores and containment buildings? Then, just like at Fukushima, this energy will cause the fuel to melt and the containment buildings to breach.

Unlike Fukushima, the fallout of radionuclides released during this accident will not mostly blow out to sea - depending on the wind they will blow towards Knoxville, Charlotte, Columbia, Atlanta or Huntsville. Any which way they get blown, these radionuclides will fall out over agricultural lands.

The Oconee Nuclear Station (ONS) is equipped with a Standby Shutdown Facility (SSF) which contains the emergency equipment necessary to remove the decay heat during an emergency.

Just like at Fukushima, this equipment is protected from flooding by a flood wall, and just like at Fukushima that flood wall is inadequately sized.

A five foot flood wall was installed around the Standby Shutdown Facility in 1984 based on an assessment that, were Jocassee Dam to fail, the SSF would experience flood levels of 4.71 feet.

However, according to the NRC's publicly available April 28, 2006 inspection report on Oconee:

...a December 10, 1992 Jocassee Dam Failure Inundation Study (Federal Energy Regulatory Commission Project No. 2503) predicted that a Jocassee Dam failure could result in flood waters of approximately 12.5 to 16.8 feet deep at the Oconee Nuclear Site.

2

So by 1993 Duke Energy was aware that their flood wall at Oconee was 7 to 11 feet too short.

And just like TEPCO, they adapted to a situation they knew to be wrong and, instead of actively correcting the inadequately sized flood wall, they worked to downplay the problem.

On August 13, 2003 the flood wall around Oconee's Standby Shutdown Facility was breached in order to-run a "temporary" cable.

Seven hundred twenty days later (on 2005-08-03) this breach was finally corrected two months after it had been brought to the attention of the plant by the NRC's resident inspector (on 2005-06-02).

The breach of the flood wall caused the NRC Resident Inspectors at Oconee to look into the licensing basis for the flood wall and to become aware of the 1992-12-10 inundation study. The issue eventually was referred to the Office of Nuclear Reactor Regulation (NRR).

On August 15, 2008 the Division of Operating Reactor Licensing (NRR/DORL) sent a letter to Duke Energy requesting "additional information regarding externaI flooding of the Oconee site, including the consequences of a Jocassee Dam failure." At this point, it appears DORL was refusing to accept a situation they suspected to be wrong and refusing to allow Duke Energy the latitude to do less than is necessary.

For reasons unknown to me, the 2008-08-15 letter from NRR/DORL to Duke Energy has the following markings:

Limited Internal Distribution Permitted Official Use Only - Security-Related Information There is nothing in the letter which is classified with regard to national security. There is nothing in the letter which is Safeguards. There is no discussion in the letter about any security related topics. In fact, an electronic word search of the letter only finds the word "security" in the "Security-Related Information" markings.

Why is this document for "Official Use Only"? Why is it "Security-Related Information"? Why is only "Limited Internal Distribution Permitted"? I see nothing in the 2008-08-15 letter from NRR/DORL to Duke Energy which prevents it from being released to the public.

Is "transparency" still something we've committed to?

This is not the only letter regarding Jocassee Dam which NRR has marked as security related. Is there a security concern regarding Jocassee Dam?

I have seen nothing in these "security 3

4° g

related" letters regarding terrorist threats to the dam. All of these letters deal entirely with safety concerns from natural phenomena and latent construction or engineering liabilities.

Duke Energy responded to our 2008-08-15 letter on September 26, 2008. Duke marked its response as "Sensitive Information". Note that they do not use the NRC term "Security-Related Information". And just like in the NRC's 2008-08-15 letter, the word "security" does not appear in the Duke 2008-09-26 letter.

However, Duke's letter is without doubt "sensitive information". If I were Duke, I would not want the public to see this information. I would not want the public to know how I allow my nuclear managers the latitude to do less than is necessary, how my corporate officials are willing to accept and adapt to situations they know to be wrong, and how my utility succumbs to the tendency to downplay problems instead of actively trying to correct them. I would be very sensitive about these things if I were Duke. But I'm not Duke. And neither are you. We're the NRC and as such have an obligation to transparently allow the public to see correspondence with Duke Energy regarding a significant safety concern.

In their 2008-09-26 letter, Duke provides the following scenario and analysis regarding a failure of Jocassee Dam:

Notification from Jocassee would occur before a total failure of the dam; however, for the purposes of this timeline, notification is assumed to be at the time the dam fails.

Following notification from Jocassee, the reactor(s) are shutdown within approximately 1 hour1.157407e-5 days <br />2.777778e-4 hours <br />1.653439e-6 weeks <br />3.805e-7 months <br />. The predicted flood would reach ONS in approximately 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br />, at which time the 5SF walls are overtopped. The SSF is assumed to fail, with no time delay, following the flood level exceeding the height of the SSF wall. The failure scenario results are predicted such that core damage occurs in about 8 to 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> following the dam break and containment failure in about 59 to 68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br />. When containment failure occurs, significant dose to the public would result.

The scenario description above does not acknowledge that the postulated flood arrives at the site and then recedes rather quickly. In the above scenario, ONS is no Iongei flooded approximately 5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> after the onset of initial flooding (10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> followin(

failure of the dam). At this point, recovery actions can begin to mitigate the loss of Ai power and thus extend the time to a potential containment breach.

4

With, regard to the first paragraph, please note that core damage occurs in about 8 to 9 hours1.041667e-4 days <br />0.0025 hours <br />1.488095e-5 weeks <br />3.4245e-6 months <br /> following the dam break and containment failure in about 59 to 68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br />. Also note Duke's assertion that when containment failure occurs, significant dose to the public would result.

With regard to the second paragraph, Duke appears to be suggesting that reinforcements can be sent to the plant and possibly restore equipment before containment failure. Consider the environment they will be working in though. The dam failure will not just impact the nuclear station. Roads and bridges could be washed away or blocked with downed trees and utility poles.

A General Emergency will be declared at the nuclear station which will trigger an evacuation of the area.

And of course the evacuation of these citizens will be severely impacted by the poor road conditions and the search and rescue operations being conducted due to the flood.

The good news, however, is the "nuclear side" of this event will likely not result in any loss of life. Imminent deaths might possibly result from the dam failure, but just like at Fukushima the nuclear aspect of the incident should be entirely contained to lost property - at least on the "tangible" side.

But probably more tragic than the tangible loss of property are the intangibles. Three reactors melting down and breaching their containments will affect nuclear utilities worldwide.

Our nuclear navy, which so far has been unaffected by any loss of public confidence concerning Chernobyl and Fukushima, would likely not be so lucky were an event to occur in the US. And consider "acceptable" levels of radioactive fallout in Columbia, Charleston or Atlanta. What will that do to home prices? What will it do to local economies? How will it affect people's mental health?

Will textile manufacturers want to buy cotton from even minimally contaminated areas? Will cigarette companies buy tobacco from these areas? Will anyone buy their produce and grains? Their hogs and chickens?

Also in their 2008-09-26 Duke Energy states that they do not consider the failure of Jocassee Dam to be a credible event for which the Oconee Nuclear Station must be protected against:

When considering the overall performance history of modern rock-fill dams, there is no evidence to suggest that a Jocassee dam failure is credible.

There are two general methods for determining "adequate protection" at nuclear plants:

deterministic and probabilistic. The deterministic method assumes one piece of equipment fails and analyzes whether the remaining equipment can prevent core damage. Per the quote on the previous page, Duke Energy's deterministic assessment is/that a failure of Jocassee Dam 5

results in core damage within 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> iand therefore deterministically ONS is not adequately protected for a failure of Jocassee Dam. However, deterministic assessments only need to be done for "credible" failures and thus by claiming a failure of Jocassee Dam is not a credible event, Duke is claiming that it does not require a deterministic assessment. But what does

."credible" mean?

In previous probabilistic studies for ONS, Duke has used an annual failure probability for Jocassee Dam of 1.3E-5/year. Note, as will be discussed later, the NRC does not agree with this number. However, for the moment let's assume this is an accurate number. Integrated over

.the 60 year life expectancy of the reactors at the Oconee Nuclear Station, Duke's number yields a probability of 7.8E-4. That is, the probability of Jocassee Dam failing at some point during the 60 year life of ONS is 7.8E-4. In other terms: a probability of 0.00078, a 0.078% chance, or odds of 1 to 1282. Considering that the odds of rolling a Yahtzee are 1 to 1295, the odds of Jocassee Dam failing during the lifetime of ONS are better than the odds of rolling a Yahtzee. I've played Yahtzee and can personally attest that rolling a Yahtzee is something that can credibly occur.

On April 30, 2009 Joseph Glitter, the Director of NRR/DORL, replied to Duke Energy's 2008-09-26 letter.

Melanie Galloway, the then Deputy Director of NRR's Division of Risk Assessment (NRR/DRA), had disagreed with Mr. Giitter's reply during its internal routing and had submitted a Non-Concurrence form on April 6, 2009. Just like Mr. Guitter's letter, Ms.

Galloway's Non-Concurrence is marked "Security-Related Information" and is being withheld from the public. And just like all the documents I mention in this letter, neither Ms. Galloway's Non-Concurrence nor Mr. Giiter's 2009-04-30 letter discusses any security related topics.

Sabotage, terrorists and insider threats are nowhere mentioned.

Outside of the security markings, the only place the word "security" occurs in either document is the final sentence of Ms. Galloway's "Reason for Non-Concurrence":

In conclusion, I remain concerned that this approach is not in the best interest of public health and safety and security, regulatory stability, and our role as a strong regulator.

Although I do not understand why she is concerned that the approach is not in the best interest of public security, I certainly agree with her other conclusions.

In addition to the quote mentioned at the beginning of this letter, Admiral Rickover shared many other profound insights in his 1982 speech at Columbia University.

My favorite quote from the speech - the one which I believe most embodies the attitude responsible for the phenomenal 60 years of success of the Naval Reactors program - is the admiral's opening sentence:

6

Human experience shows that people, not organizations or management systems, get things done.

When she received Mr. Giitter's letter, Ms. Galloway recognized that in the letter we were allowing Duke Energy the latitude to do less than what is necessary.

By his letter, we were accepting and adapting to situations we knew to be wrong. We were succumbing to the human tendency to downplay problems instead of actively trying to correct them. Ms Galloway also recognized that the organizations and management systems within the NRC were not getting done what needed to be done. So she, as a capable and concerned nuclear professional - not due to her significant position in the organization as a deputy division director but merely as a person determined to get things done - filed a Non-Concurrence form with the hope of revising Mr. Glitter's letter into something that actually required Duke Energy to take actions to protect its Standby Shutdown Facility from potential inundation from flood waters in the event of a failure of Jocassee Dam.

In her Non-Coficurrence Ms. Galloway provides the following background information:

No other potential initiating event at Oconee is as risk significant. The probability of core damage from a Jocassee Dam failure is three times higher than the sum total probability, of core damage from all initiating events. Duke has acknowledged that, given a Jocassee Dam failure with subsequent site inundation, all three Oconee units will go to core damage; that is, given a dam failure, the conditional core damage probability (CCDP) is 1.0. Thus, for a Jocassee Dam failure frequency of 2E-4, there is a conditional core damage frequency (CCDF) of 2.OE-4 (CCDF = IEFX CCDP).

For a Jocassee Dam failure, using potentially optimistic assumptions, Duke estimates that containment will fail approximately 59 to 68 hours7.87037e-4 days <br />0.0189 hours <br />1.124339e-4 weeks <br />2.5874e-5 months <br /> after dam failure without mitigating actions.

Under the dam break conditions, resultant flood waters and infrastructure damage would affect public evacuation and potentially affect Emergency Operations Facility response capability. Duke has not demonstrated that its radiological emergency plan actions can be adequately implemented under these conditions.

As already mentioned, Melanie Galloway was the Deputy Director of the Division of Risk Assessment in the NRC's Office of Nuclear Reactor Regulation. Hence, the language she used in her Non-Concurrence were the terms of risk professionals; for example: "given a dam failure, the conditional core damage probability (CCDP) is 1.0".

7

Conditional Core Damage Probability (CCDP) is the probability that, given a specific event, the circumstances of the event will lead to damage of the reactor core. Like all probabilities, CCDP must be a number between 0 and 1. A value of "0" means that given only that specific event there is no chance that core damage will occur. A value of "1" means that given that specific event (e.g. a failure of Jocassee Dam) then core damage will certainly occur. For most initiating events (e.g. tornados, loss of offsite power, fires) the CCDP is typically a very small fraction on the order of one ten thousandth to one tenth. "1.0" might not sound big, but it's enormous.

The point of the last sentence of Ms. Galloway's first bullet is that, since core damage is a certainty given a failure of Jocassee Dam, then the probability that all three reactors at Oconee will melt down is equal to the probability of the failure of Jocassee Dam. Since the probability of failure of Jocassee Dam failing in any given year is 2E-4, the probability of the three reactors at ONS melting down is 2E-4 in any given year. As a point of reference, this is a number that is about ten times higher than at a typical US nuclear reactor plant. However, the risks at Oconee are actually much worse than that due to the uncertainty about containment failure.

A nominal value for the probability of containment failure at US Pressurized Water Reactors (PWRs) is 1E-2 or 0.01. In other words, containment's survivability is nominally 99% at a US PWR. However, does anyone believe there is a 99% chance that, after the flood waters recede, Duke Energy will be able to restore cooling to their flood damaged facilities? Although they do have 49 to 58 hours6.712963e-4 days <br />0.0161 hours <br />9.589947e-5 weeks <br />2.2069e-5 months <br />, keep in mind that the infrastructure will have been significantly damaged by the flood waters. There will likely be washouts at roads and bridges and obstructions from trees and other debris. Having met operators from ONS, I cannot discount their efforts. With luck going their way, there is certainly a chance they can succeed.

But I do not have 99%

confidence in them. The operators at Fukushima weren't successful at it.

What is your confidence in them? If you asked NRR, what would they tell you their confidence is? I may be wrong, but I don't think NRR has an official position on it. I have seen no estimates in any of the documents I have reviewed. But this is an extremely important number. It is what separates Three Mile Island from Fukushima. At Three Mile Island the containment structure did not fail whereas at Fukushima at least one of them did. After knowing about this problem for over 6 years, it is negligent for the NRC to not possess a formal estimate of the probability that following a failure of Jocassee Dam the ONS employees will be able to restore heat removal prior to containment failure. Please note that I am not accusing NRR of negligence because, for all I know, this probability has been analyzed by the NRC and I have just not been able to locate it. 'However, if NRR cannotprovide you a formal estimate at this point (i.e. 6 years after knowing about the ONS issue and 18 months after lFukushima) then they have been negligent in their duties.

8

As feared by Ms. Galloway, the latitude provided by Mr. Giitter's 2009-04-30 letter resulted in further attempts by Oconee to downplay the problem of its inadequately sized flood wall.

By February 2010, the issues regarding Jocassee Dam and the SSF flood wall were still not yet addressed.

George Wilson, the NRC's Dam Safety Officer in the Office of Nuclear Reactor Regulation, was concerned with what he was experiencing regarding Oconee.

Mr. Wilson observed that the root of the problem with Oconee was a combination of (1) overlooked items during initial plant licensing and (2) a change in knowledge regarding plant hazards. In the case of Oconee, when the reactors were licensed in the early 1970's it was overlooked that they required protection from a failure of Jocassee Dam.

As knowledge regarding plant hazards improved, it was recognized in the 1980's that a flood wall was required to protect Oconee's Standby Shutdown Facility. However, the flood height was only estimated to be 4.71 feet. As modeling and assessment procedures improved, it was recognized in the 1990's that the 5 foot flood wall was not adequate. Mr. Wilson had concerns that similar problems might exist at other nuclear facilities and used the Oconee/Jocassee issue as the basis for a memo requesting a Generic Issue on flooding from upstream dam failures.

Although Mr. Wilson's February 2010 memo was nominally sufficient to implement a Generic Issue, the Office of Nuclear Regulatory Research (RES) requested additional information. On July 19, 2010 the Division of Risk Assessment of NRR (NRR/DRA) submitted a memo to the Division of Risk Assessment of RES (RES/DRA) requesting a Generic Issue on flooding hazards due to upstream dam failures.

This memo exists in the Agencywide Documents Access and Management System (ADAMS) under Accession Number ML101900305.

Like all the other documents produced by NRR regarding Jocassee Dam, this memo is stamped "Official Use Only -

Security-Related Information".

And like all the other documents, there are no security issues discussed anywhere in the document.

The document entirely concerns safety risks associated with natural phenomena or latent hazards resulting from flaws in construction and/or engineering.

In August 2010 RES/DRA assembled a team which began producing a screening report for evaluating whether or not there was strong enough basis for generating a Generic. Issue.

Meanwhile, NRR's sparring with Oconee over Jocassee Dam continued. On March 15, 2010 NRR/DRA completed a study of the Jocassee Dam and analyzed it against other large dams in order to determine a reasonable annual failure probability.

Again, like all NRR documents concerning a failure of Jocassee Dam, this study was marked "Security-Related Information" despite being solely concerned with the failure of Jocassee Dam due to environmental 9

phenomena and latent construction/engineering issues.

No mention is made of terrorism, sabotage or vandalism. The fact that the Oconee Nuclear Station sits 11 miles downstream of Jocassee Dam is not mentioned in the report. In fact, the report neither mentions Oconee Nuclear Station, Duke Energy, Oconee County, core damage, radioactivity nor any other indication that a breach of Jocassee Dam could lead to a nuclear accident.

The annual failure probability of Jocassee Dam that was calculated by the study was about 2.5E-4/year. That equates to: a 0.00025 probability, a 0.025% chance, or a chance of 1 in 4000 years.

What exactly is 4000 years? Four thousand years ago Rome was just an outpost along the Neolithic salt trade routes. Wolves still roamed her Seven Hills.

Lions roamed the hillside where in a later millennium the Athenians would build the Parthenon. It was before Alexander, Socrates, Homer and even Achilles. The ancestors of Abraham were still eating bacon and living in Ur. Four thousand years is a long time - it is a Biblical length of time. An annual failure probability of 2.5E-4/year suggests that in this 4000 year expanse of history one external even;.

(e.g. a "5000-year" paleoflood, an earthquake) capable of triggering mechanisms leading to the failure of Jocassee Dam might have occurred in northwest South Carolina.

Compare this to the annual failure probability which Duke Energy uses: 1.3E-5/year. That equates to: a 0.000013 probability, a 0.0013 chance, or a chance of 1 in 76923 years.

Seventy-seven thousand years ago modern men had not yet left Africa. Europe was still the domain of mammoths and Neanderthals. South Carolina is not known for its earthquakes and floods, but 77,000 years is a long time -

a "Paleolithic" length of time.

How many risk significant earthquakes and paleofloods have occurred in Oconee County in the last 77,000 years? Duke Energy's numbers suggest only one. The NRC's numbers suggest about 20.

The NRC's annual failure frequency was based on a statistical analysis of all available data on dams similar to Jocassee. The 5th percentile of their data was 1.3E-4/year which is ten times the frequency being used by Duke Energy An author of the study pointed out to me that it is quite possible that the failure probability of Jocassee Dam is 1.3E-5/year, but from the data he's seen, from the calculations he's done, and from the Duke Energy submittals he's reviewed, he considers Duke's 1.3E-5/year estimate to be indefensible. Although it's possible the Duke number is accurate, the currently available data does not support it. Should we - as an agency - be using a failure probability which was calculated by our own risk experts and which can be defended by the available data, or should 10

we be accepting a failure rate calculated by Duke Energy which is indefensible? It depends: is it our goal to downplay this problem or to actively seek its adequate resolution?

In a June 3, 2010 letter Duke Energy provided the NRC with a summary of fifteen "External Flood Commitments" that it was implementing to mitigate the consequences of a failure of Jocassee Dam. Although all 15 commitments were important actions to take, none of them would have much appreciable impact either on lowering the failure probability of Jocassee Dam or on mitigating the consequences of a failure.

On June 22, 2010 the NRC issued a Confirmatory Action Letter(CAL) directing Oconee to:

1. "...submit to the NRC by August 2, 2010, oil documentation necessary to demonstrate to the NRC that the inundation of the Oconee site resulting from the failure of the Jocossee Dam has been bounded." Or, in other words, perform a study and determine the worse case credible conditions that could result in a failure of Jocassee Dam.
2. "...submit by November 30, 2010 a list of all modifications necessary to adequately mitigate the inundation..."
3. "...make all necessary modifications by November 30, 2011."

To my knowledge, this letter is the first time the NRC gave Duke Energy a date by which they needed to actively try to correct the deficiently sized flood wall. By item 1 above Duke Energy had until 2010-08-02 to determine the highest credible water height that a failure of Jocassee Dam would produce at Oconee.

By item 2 Duke Energy had until 2010-11-30 to list what modifications needed to be constructed or installed to protect the Standby Shutdown Facility from the highest credible water height.

By item 3 Duke Energy needed to have the modifications completed. This letter is an example of the NRC finally taking away the latitude for Duke Energy to do less than is necessary to correct a situation they know to be wrong.

Unfortunately the NRC later relaxed their stance and again succumbed to the tendency to downplay problems instead of actively trying to correct them.

Duke Energy met its 2010-08-02 deadline to provide the NRC with a bounded inundation study.

On November 29, 2010 Duke Energy informed the NRC that they would need more time to compile a list of modifications necessary to adequately mitigate the postulated inundation at Oconee due to a failure of Jocassee Dam.

Duke Energy gave themselves a new due date of April 30, 2011 for determining the modifications needed and was silent on whether or not they would get these modifications done by the November 30, 2011 deadline.

11

In January 2011 Eric Leeds was preparing a letter to Oconee concerning the NRC's acceptance of the information contained in Duke Energy's 2010-08-02 inundation study. Jeff Mitman of NRR/DRA/APOB was on the review chain for Mr. Leeds's letter and filed a Non-Concurrence form against it on 2011-01-10. Mr. Mitman's primary concern was that Duke's analysis was a "sunny day" analysis. For some reason (possibly due to possessing common sense) Mr. Mitman believes that an abnormally large amount of rainfall could increase the probability of a failure of Jocassee Dam and that the "bounding" case for an inundation study should take the possibility of dam failure during severe storms into account.

NRR answered Mr. Mitman's concerns in part by saying that an overtopping of Jocassee Dam due to severe rainfall was not credible. Jocassee Lake has two saddle dikes which are the same elevation as the top of Jocassee Dam but not as tall. NRR argued reasonably that since these saddle dikes are the same height as Jocassee Dam then they would overtop concurrent with Jocassee Dam. Since these saddle dikes are not as well built as Jocassee Dam, NRR postulated they should fail prior to the dam and thereby drain the reservoir by 35 feet at which point water would no longer flow over the main dam. NRR may have a point, but there is something curious about their argument: why is NRR, an office of the NRC, making this argument for Duke Energy? It is our role to review and challenge Duke's analysis, not to internally defend it for them. Our focus seems more on downplaying and concealing the problem instead of actively working to get Duke Energy to correct it.

On March 10, 2011 the status of the Oconee/Jocassee issue was as follows:

1. In a January 28, 2011 letter to Oconee, Eric Leeds of NRR accepted Oconee's 2010-08-02 inundation study which was based on a "sunny day" failure of Jocassee Dam and did not consider failure modes resultant from severe rainfall or earthquakes.
2. Duke Energy had missed its 2010-11-30 deadline for submitting its list of modifications for adequately protecting the Standby Shutdown Facility at Oconee Nuclear Station from a failure of Jocassee Dam and had committed to providing this list by 2011-04-30.
3. The screening analysis for a Generic Issue on flooding due to upstream dam failures had been prepared by the Office of Nuclear Regulatory Research and was in "final draft" form and ready for routing.

On March 11, 2011 the Fukushima Dai-ichi nuclear complex in Japan was struck by a beyond design basis earthquake and 50 minutes later by a 49 foot tsunami which breached its 19 ft seawall. Within a few days, three of the reactor cores at Fukushima Dai-ichi had melted down, breached their reactor vessels and exploded the buildings housing their containments. The NRC recommended a 50 mile evacuation of US citizens from around the site.

12

In the Office of Nuclear Regulatory Research, we assumed the Fukushima Dai-ichi accidents would be a "big deal" with regard to GI 204 on flooding due to upstream dam failures; yet, incredibly, it still took an additional 10 months for GI 204 to be approved.

Part of the hold up on releasing GI 204 was the fact that many of the references for it (e.g. the correspondence with Duke Energy regarding Jocassee Dam) had been labeled "Security-Related Information" by NRR, but RES could not determine any justification for marking the GI 204 screening report as "Security-Related" since it dealt entirely with safety issues. Every time NRR requested that all "Security-Related Information" be removed from the GI 204 screening report, RES's reply (i.e. the authors) was that nothing in the report was related to security.

Prior to its release, the screening report for GI 204 was reviewed by the Department of Homeland Security which found that none of the information related to Jocassee Dam and Oconee Nuclear Station was security sensitive. Despite this finding, the decision was made by the NRC to redact the screening report prior to releasing it to the public.

The NRC can redact anything it voluntarily releases without providing any justification.

However, when something is being involuntarily released through a Freedom of Information Act (FOIA) request, the NRC must provide a reason for everything which is exempted from release.

On January 4, 2012 a reporter submitted a Freedom of Information Act request for documents concerning GI 204. In response to this request, the NRC released the GI 204 screening report with heavy redactions. Many of these redactions and their justifications are nonsensical. For example, on page 9 of the report (included in redacted and unredacted form as an enclosure to this letter) there is the following sentence:

In 2010, NRC staff produced a report that estimates a typical dam failure rate for large rock fill dams similar to the Jocassee Dam to be 2.8(l0)4/year The above sentence was redacted.

The justification given for the redaction was FOIA exemption 7(F):

Disclosure could reasonably be expected to endanger the life or physical safety of an individual.

How is anyone's life or physical safety in jeopardy by disclosing the NRC's estimated failure rate for Jocassee Dam? The only possible answer I can come up with is that someone within the 13

NRC believes that Jocassee Dam might be the object of a terrorist threat. But even if this were true (and I have seen no mention of security concerns in any document referenced by the GI 204 screening report), how would knowing the NRC's estimated failure rate help the terrorists?

Our estimated failure rate of Jocassee Dam is based entirely upon natural phenomena and construction/engineering flaws.

Terrorist activity and internal sabotage were in no way included in the study that generated this estimation. Does Al Qaeda really care what the NRC's estimated failure rate due to natural phenomena is?

There are some (e.g. me) that believE the 2.8E-4/year failure rate is being withheld from the public because it is embarrassing to the NRC and embarrassing to Duke Energy.

What does a 2.8E-4/year failure rate mean?

It means that in any given year there is a probability of 0.00028 that Jocassee Dam will fail. Since, as mentioned above, the probability that a failure of Jocassee Dam will lead to the meltdown of all three reactors at Oconee, a 2.8E-4/year failure rate of Jocassee Dam equates to an annual probability of 0.00028 that three reactor cores will melt down in Oconee County, South Carolina.

What are the odds that one of the core meltdowns will lead to a failure of its containment building and the release of a significant amount of radioactivity? I don't have a good answer because I have yet to see a NRC or Duke Energy assessment of the likelihood that the ONS operators can restore cooling to containment within the.,ýpproximately 2 Y2 day Window prior to containment failure. That's not to say this study doesn't exist, but if it does I have not seen it. I can only make assumptions.

Since I personally know some of the ONS operators having served with some in the navy and having met others at functions of the Professional Reactor Operator Society, I am willing to give them better odds than the Fukushima operators. I'll give them 2 to 1 odds. That is, for each reactor they have a 67% chance of being successful in restoring cooling prior to containment failure. Please keep in mind the conditions they will be working under. A "tsunami" of water from the dam break has breached their inadequately sized flood wall and flooded out all their normal equipment. They have no installed electric power and much of the installed mechanical equipment in unusable due to having their electric motors flooded. Unanticipated equipment that was not staged before the dam break will need to be brought in over a severely compromised infrastructure and through an evacuating populace.

A 67% chance of success integrated over three reactor plants gives a 70% chance that at least one containment building will fail.

This yields an annual frequency of 2E-4/year that a 14

significant release of radioactivity will occur in Oconee County, South Carolina. Those are odds that are about 500 times greater than at a typical US reactor plant. Yet these are still relatively good odds for the people of Oconee County. They are equivalent to the odds of being dealt a four of a kind. Most poker players have never been dealt a four of a kind and probably never will.

However, these are the annual odds. That is, the people of Oconee County live with these odds every year. Integrated over the 22 years the ONS reactors have left on their licenses, the probability becomes 0.43% or about the chance of being dealt a straight. Being dealt a straight is rare, but I personally beat twice those odds on the first poker hand I was ever dealt. As a thirteen year old summer camper, my first poker hand ever was a flush. My poker career has gone downhill ever since, but I know from personal experience that being dealt a hand that beats a straight is credible.

Nonetheless, a straight is a really good hand. As long as I had the chips, I'd keep up with the ante if I were holding a straight.

But risk involves more than just probability. Risk also involves hazard. I would be willing to bet a few hundred dollars on a straight, but I certainly wouldn't "bet the farm" on it. And the NRC should not allow Duke Energy to bet all the farms in Oconee County on it.

However, there is more to gambling than risk. There is also reward. And the rewards from Oconee Nuclear Station should not be ignored.

The greatest rewards from ONS are paid out to the people who hazard the greatest risk: the residents of Oconee County, South Carolina. I have no data to back up any of the items below, but based on my professional experience (I have worked at eight rural reactor plants and have visited seven others) I am confident of the following:

1. Oconee Nuclear Station is likely the largest employer in Oconee County and the salaries and wages paid there are likely double the average salary and wage rate for typical residents of the county.
2.

ONS likely pays more in property taxes than any other entity in the county and is responsible for a significant portion of the funding of the county's public schools.

3. For every Duke Energy employee at ONS, there is likely a non-Duke employee in the county who receives a significant portion of their livelihood from either doing business directly with ONS or with the families of employees who work at ONS.

15

Would I be willing to bet my life and the lives of my family on a straight for the rewards mentioned above - or for any rewards for that matter? Of course not. But Oconee Nuclear Station isn't gambling with anyone's life. The accident scenario at Oconee takes over two days to unfold and, even once it occurs, it is unlikely to release significant doses in terms of public health. What is being hazard is people's property. And although Duke Energy could not pay me enough to compensate me for the health of my family, they could certainly pay me for the loss of my home or the loss of my farm.

As a citizen I'm not opposed to Duke Energy not doing anything. As long as the shareholders of Duke Energy, the residents of Oconee County, the citizens of neighboring counties and states, and the elected representatives at the local, state and federal level are all aware of the risks and are willing to accept them, then I have no problems with them betting their futures on a "straight". If there are affected people who have an issue with the risks at ONS, there are a variety of means which Duke can employ to lower their risk by "improving their hand" (e.g.

construct a flood berm around the site) or lower their risk by lowering the hazard (e.g. fund an insurance policy that covers the property losses of an accident). As long as the approach taken is transparent to the citizens involved, I do not care what solutions are implemented - I trust our democratic and republican institutions to more fairly deal with the public than a secretive commission of scientists crunching risk calculations.

However, as a regulator I am very concerned about what has been occurring. The decision to do nothing has not been formally made but rather has occurred by default due to bureaucratic ineptitude. I have encountered no documentation that, after knowing about this problem for six.years, the NRC has:

1. Determined a baseline risk for the ONS reactors which takes into account the NRR/DRA/APOB estimated probability of a failure of Jocassee Dam and an analysis of Duke Energy's ability to restore cooling prior to containment failure.
2. Set a hard and fast due date for Duke Energy to implement modifications at ONS to adequately protect the facility from a failure of Jocassee Dam (other than the 2011-11-30 due date which in the end was not hard and fast)
3.

Informed the external stakeholders (e.g. the citizens of Oconee County, the American public, the US Congress, other nuclear utilities, and many other specific groups that would directly suffer from a reactor accident in the US) about the risks they face due to a failure of Jocassee Dam.

Maybe the NRC has done all of the above, but from my research it appears to me the only thing to which the NRC has committed is keeping this issue from public scrutiny.

16

A 2E-4/year annual chance of a reactor accident leading to containment failure is something the NRC must address. "Acceptance sets the standard" and we cannot allow 2E-4/year to be the standard.

Integrated over the 104 US Nuclear Power Plants (NPPs), 2E-4/year becomes 2.OE-2/year. That is a 2% annual chance that a core meltdown and containment breach will occur resulting in a significant release of radioactivity to the public (something that has not yet occurred in over fifty years of commercial nuclear power in the United States when one accounts for the fact that neither the 1966 core melt at Fermi plant nor the 1979 core melt at Three Mile Island involved a containment breach).

As means of comparison, a 2% annual chance is once in every 50 years. Integrated over the 439 operating commercial reactors worldwide, a 2E-4/year probability becomes an 8.3% chance which is once in every 12 years. If you count Fukushima as three separate accidents and add it to Chernobyl, then an accident every 12 years is about what we have experienced in the past fifty years.

Can our national nuclear enterprise accept a core meltdown and containment failure once every 12 years worldwide and once every 50 years in America? It cannot; consider the current decommissioning plans of Japan and Germany as evidence.

Consider the post-Chernobyl shutdown orders in Italy. Consider the current state of new reactor construction in America, Britain, Canada and even France.

But even if we -as an agency - cannot accept 2E-4/year across the US industry, we - as a nation

- certainly can accept that risk at one three-unit site in South Carolina.

The issue I have, however, is that the actual Commissioners of the US NRC need to be the ones deciding whether or not we - as a nation - accept the risks which Jocassee Dam poses to our nuclear enterprise, and the Commissioners need to be transparently making that decision in front of the external stakeholders:

1. The applicable US congressional oversight committees
2. The federal, state and local representatives of Oconee County, the neighboring counties and the neighboring states
3. The shareholders of Duke Energy and all nuclear utilities
4. The venders of reactor plants
5. The residents of Oconee County and the citizenry of the United States
6. The international operators of nuclear reactors whom we expect to adequately mitigate risks to their plants and who thusly expect the same of us.

17

But I have not seen the Commissioners publicly debate the risks faced at Oconee Nuclear Station. Thus far, all I have observed is NRR withholding these risks from the public under the guise of "Security-Related Information" and accepting and adapting to an issue they know to be wrong. instead of forcing Duke Energy to actively correct a situation we know to be wrong, we are continuing to allow them the latitude to downplay the problems and do less than what is necessary. The tool that enables this is the inappropriate marking of safety related issues as "Security-Related Information".

Unlike documents classified for reasons of national security, the NRC's markings of "Official Use Only" and "Security-Related Information" hold no legal basis. I can pass these documents on to the public if I so choose without violating any federal laws. I will never see jail time or fines for sharing these documents. However, I will be violating internal standards of conduct within the NRC and I will certainly lose my job. These false markings are not being done to protect the security of the public; they are being done to intimidate me and other concerned agency employees from distributing these documents to our elected representatives, to nonprofit government watchdog groups, to members of the press and to anyone else who might be in a position to put pressure on the NRC to address glaring safety concerns in a timely manner.

Instead of being used to protect the security of the public, NRR is using markings of "Security-Related Information" in a manner that impedes addressing an issue that hazards the safety of the public.

I respectfully request the following assistance from you:

1.

Request the Office of General Counsel review the security markings of the documents concerning a failure of Jocassee Dam and determine whether or not the information contained in these documents could and should be released to the public as part of the NRC's commitment to conduct business transparently.

I1.

Request the Office of Nuclear Security and Incident Response review the security markings which NRR placed on the documents concerning a failure of Jocassee Dam and determine whether or not the information contained in these documents represent security related information which must be withheld from the public.

Ill.

Based on the determinations of OGC and NSIR, ensure all appropriate documents concerning the failure of Jocassee Dam are released publicly through ADAMS.

IV.

Request the Office of the Inspector General investigate whether or not NRR has inappropriately used markings of "Security-Related Information".

I intend to share the documents mentioned in this letter with the staffs of members of the US Congress whom I believe have an interest in the NRC and Oconee Nuclear Station. I believe as a 18

I r F.

professional engineer and as a public servant I have a duty to the citizens of this country to address my concerns regarding the NRC's handling of the Jocassee Dam issue with the staffs of our congressional oversight committees. There are some who might say it is irresponsible to distribute "Security-Related Information". If there is really a security threat to Jocassee Dam then it needs to be actively addressed; merely withholding safety-related information from Congress and thereby impeding the handling of nuclear safety issues is not an acceptable way of addressing security threats.

Very respectfully, Lawrence S. Criscione, PE Reliability and Risk Engineer Operating Experience and Generic Issues Branch Division of Risk Analysis Office of Nuclear Regulatory Research NRC/RES/DRA/OEGIB pages Cc: Sen. Lindsey Graham, South Carolina Sen. Jim DeMint, South Carolina Sen. Joseph Lieberman, US Senate Comm. on Homeland Security & Governmental Affairs Sen. Susan Collins, US Senate Committee on Homeland Security & Governmental Affairs Sen. Barbara Boxer, US Senate Committee on Environment & Public Works Sen. James Inhofe, US Senate Committee on Environment & Public Works Rep. Jeff Duncan, South Carolina's 3 'd District Rep. Fred Upton, Energy & Commerce Committee Rep. Henry Waxman, Energy & Commerce Committee Rep. Peter King, Committee on Homeland Security Rep. Bernie Thompson, Committee on Homeland Security Rep. Darrel Issa, Committee on Oversight & Government Reform Rep. Elijah Cummings, Committee on Oversight and Government Reform Carolyn Lerner, US Office of Special Counsel Hubert Bell, Nuclear Regulatory Commission Inspector General Marian Zobler, Nuclear Regulatory Commission General Counsel James Wiggins, NRC Office of Nuclear Security and Incident Response 19

K..

.Not for Publ'c Release)

(b)(4)

ý Duke 2008, t 2,p.10).

In the Oconee Nuclear Station IPEEE submirtal (ONS 1995, p.5.27), the licensee estimates that the conditional core damage frequency resulting fromr] flooding due to failure of the Jocassee Dam is 7.0(10-6)/year (ONS 1995, p. 5-27). The contributon to core damage frequency from precipitation-induced extuial flooding is considered negligible (ONS 1995, p. 5-18). The licensee notes that this external flood core-damage frequency is of the same magnitude as other severe accident events (e.g..

earthquakes, fires). Consequently, in the IPEEE. the licensee concluded that external flooding does not pose severe accident vulnerability (ONS 1995, p. 5-27).

The aforementioned estimate of conditional core-damage frequency is based on an estimate (made by the licensee) that the probability of a random failure of Jocassee Dam is 1.3(1ot 5)/year (ONS 1995, p.

5-21). This failure rate includes failures due to seepage, embankment slides, and structuJral failure of the foundation or abutments. It does not include failures due to earthquakes (not deemed credible) or overtopping (ON$ 1995, p.5-21).I(b)(7)(F) i This NRC estimate is ati order of magnitude larger than the estimate repo-tno MNROconee Nuclear Station IPEEE submittal. The database used by NRC staff to calculate the estimated failure rate includes failures due to overtopping, internal erosion, and settlement. Due to a lack of earthquake-induced failures affecting dams with characteristics similar to Jocassee Dam, the database does not contain failures due to seismic events.

As illustrated above, several uncertainties exist with regard to the risk posed to Oconee Nuclear Station due to upstream dam failure, In particular, uncertainty exists about the flood levels at the site thrilt would result from failure of Jocassee Dam. Moreover, hazard due to external flooding was "screened out" in the IPEEE based on a sufficiently small contribution to core damage frequency as calculated at the time. However, uncertainty exists about the appropriate probability of dam failure that shoutd be used in computing the contribution of external flooding to core damage frequency. This is illustrated by the disparate results of the separate analyses described above that differ by an order of magnitude in estimating the probarility of failure or Jocassee Dam.

2.3.

Applicability of Proposed Generic Issue to Multiple Plants It is notable tnat an exclusive review of FSAR and IPEEE submittais would not necessarily indicate a potential problem due to external flooding hazard in either of the above-described cases (i.e., Fort Calhoun Station or Oconee Nuclear Station). Problems at Fort Calhoun Station were recognized because of an NRC inspection that identified an apparent violation of Technical Soecification 5.8.1.a for failure to maintain adequate procedures to protect the plant during external flooding events (USNRC 2010b). At Oconee Nuclear Station, attention was drawn to the elevated consequence from extemal flooding after staff identified a performance deficiency during maintenance activities that involved the inslallation of temporary electrical cables through an opening in the flood protection wall (LJSNRC 2006b, p. 1). This performance deficiency was of particular concern when coupled with flooding estimates that are significantly higher than previously assumed (USNRC 2006a). Thus, in these two cases, identification of fIood-related issues resulted from parlicular scrutiny and analysis of flood 9

Enclosure, page I

Not for Public Release The above timeline assumes that Oconee Nuclear Station is notified at the same time the dam fails.

The licensee considers this assumption to be conservative because the plant expects notification before the dam fails (the dam is monitored 24 hours2.777778e-4 days <br />0.00667 hours <br />3.968254e-5 weeks <br />9.132e-6 months <br /> a day, 7 days a week). The licensee notes that thel above timeline does not account for the recession of floodwaters, which is postulated to occur 10 hours1.157407e-4 days <br />0.00278 hours <br />1.653439e-5 weeks <br />3.805e-6 months <br /> following dam failure (5 hours5.787037e-5 days <br />0.00139 hours <br />8.267196e-6 weeks <br />1.9025e-6 months <br /> following onset of flooding at the site) (Duke 2008, att 2, p.10).

In the Oconee Nuclear Station IPEEE submittal (ONS 1995, p.5.27), the licensee estimates that the conditional core damage frequency resulting from flooding due to failure of the Jocassee Dam is 7.0(10- 6)/year (ONS 1995, p. 5-27). The contribution to core damage frequency from precipitation-induced external flooding is considered negligible (ONS 1995, p. 5-18). The licensee notes that this

.external flood core-damage frequency is of the same magnitude as other severe accident events (e.g.,

earthquakes, fires). Consequently, in the IPEEE, the licensee concluded that external flooding does not pose severe accident vulnerability (ONS 1995, p. 5-27).

The aforementioned estimate of conditional core-damage frequency is based on an estimate (made by the licensee) that the probability of a random failure of Jocassee Dam is 1.3(10- 5)/year (ONS 1995, p.

5-21). This failure rate includes failures due to seepage, embankment slides, and structural failure of the foundation or abutments. It does not include failures due to earthquakes or overtopping (ONS 1995, p.5-21).1 In 2010, NRC staff produced a report that estimates a typical dam failure rate for large rock fill dams similar to the Jocassee Dam to be 2.8(10- 4 )/year (USNRC 201 Oc). This NRC estimate is an order of magnitude larger than the estimate reported in the Oconee Nuclear Station IPEEE submittal. The database used by NRC staff to calculate the estimated failure rate includes failures due to overtopping, internal erosion, and settlement. Due to a lack of earthquake-induced failures affecting dams with characteristics similar to Jocassee Dam, the database does not contain failures due to seismic events.

  • As illustrated above, several uncertainties exist with regard to the risk posed to Oconee Nuclear Station due to upstream dam failure. In particular, uncertainty exists about the flood levels at the site that would result from failure of Jocassee Dam. Moreover, hazard due to external flooding was "screened out" in the IPEEE based on a sufficiently small contribution to core damage frequency as calculated at the time. However, uncertainty exists about the appropriate probability of dam failure that should be used in computing the contribution of external flooding to core damage frequency. This is illustrated by the disparate results of the separate analyses described above that differ by an order of magnitude in estimating the probability of failure of Jocassee Dam.

2.3.

Applicability of Proposed Generic Issue to Multiple Plants It -is notable that an exclusive review of FSAR and IPEEE submittals would not necessarily indicate a potential problem due to external flooding hazard in either of the above-described cases (i.e., Fort Calhoun Station or Oconee Nuclear Station). Problems at Fort Calhoun Station were recognized because of an NRC inspection that identified an apparent violation of Technical Specification 5.8.1.a for failure to maintain adequate procedures to protect the plant during external flooding events (USNRC 2010b). At Oconee Nuclear Station, attention was drawn to the elevated consequence from external flooding after staff identified a performance deficiency during maintenance activities that involved the installation of temporary electrical cables through an opening in the flood protection wall (USNRC 2006b, p. 1). This performance deficiency was of particular concern when coupled with flooding estimates that are significantly higher than previously assumed (USNRC 2006a). Thus, in these two cases, identification of flood-related issues resulted from particular scrutiny and analysis of flood 9

Enclosure, page 2

Retrieved from "https://kanterella.com/w/index.php?title=ML13256A372&oldid=5230663"