ML19308C132
| ML19308C132 | |
| Person / Time | |
|---|---|
| Site: | Crane |
| Issue date: | 12/11/1979 |
| From: | NRC - NRC THREE MILE ISLAND TASK FORCE |
| To: | |
| Shared Package | |
| ML19308C129 | List: |
| References | |
| TASK-TF, TASK-TMR NUDOCS 8001210431 | |
Text
12/11/79 GTF Tentative Draft Incomplete
INTRODUCTION AND SUMMARY OF RECOMMENDATIONS
If there is one theme that runs through the conclusions we have reached, it is that the principal deficiencies in commercial reactor safety today are not hardware problems, they are management problems.
These problems cannot be addressed by the addition of a few pipes and valves -- though a number of detailed design changes, including much-improved instrumentation and better systems for handling and filtering radioactivity in case of a serious accident, are suggested in the detailed back-up studies to this Report.
Rather, the problems are more endemic.
What we have found is a regulatory program consisting primarily of an elaborate system for reviewing the safety of nuclear reactor designs which has served the public well in the past and produced an admirable safety record to date, but is no longer focused, organized or managed to meet today's needs.
We have found that many nuclear plants probably are not operated by management that has undertaken to insure that enough properly trained operators and engineers are available to cope with a potentially serious accident -- and the industry in which the expertise and the responsibility for safety is fragmented among many parties and in which there are many disincentives to safety.
Coordination between these parties and the NRC (and even within the NRC itself) is lacking, and the utility industry, prior to Three Mile Island, had made only feeble attempts to mount its own industry-wide affirmative safety program.
The kinds of changes needed to cope with these problems are institutional, organizational and managerial changes.
They include, in our view:
a substantial shift in the balance of resources in the NRC from design review to the monitoring of existing reactors and consolidation of the Agency's resources devoted to operating reactors into one office, including (1) the development of new mechanisms for the systematic evaluation of operating problems so that lessons learned from experience can be applied to improve reactor safety; and (2) a revised, expanded and better coordinated inspection and enforcement program.
a new philosophy and program for training of reactor operators, and new requirements that engineering expertise be available at all times in the control room to reactor operators to cope with potential accidents.
greater application of human engineering disciplines to reactor operations, including improved control room design, better instrumentation that can be monitored in the control room or at remote sites, and improved operator procedures.
substantial changes in the way the NRC is organized and managed, including the establishment of a clear line of authority from a single chief executive who has direct authority over the entire NRC staff; establishment of a "safety assessment board"; and the transfer from the NRC to other agencies of non-reactor safety responsibilities such as export licenses, antitrust, and emergency planning.
remote siting for all new reactors; for existing reactors, insuring that workable evacuation plans are in effect.
improved emergency planning, including assignment to a single federal agency of lead responsibility for monitoring radioactive releases in a reactor accident, and provision of real-time, on-line monitoring equipment around all reactors.
immediate changes in the NRC's emergency response functions.
in the case of new applications for reactor licenses, a completely overhauled licensing system that includes: a single review and hearing on a detailed design plan prior to construction; abolition of licensing appeal boards; establishment of an Office of Public Assistance, and intervenor funding in both licensing and rulemaking proceedings; an increased role for the ACRS; regular appellate review of all licenses by the Commission, if it is retained; abolition of the ex parte rule; and, to encourage standardization, direct licensing of manufacturer designs with subsequent licensing review limited to changes from the standardized systems.
substantial changes in the current "design basis accident" and "safety vs. non-safety" risk-assessment bases for licensing, and adoption by the NRC of improved methods of risk assessment.
a moratorium on new construction permits until the licensing system, risk assessment methods and NRC structure are revised, with a recommendation that these changes proceed as promptly as possible to avoid unnecessary delay.
serious consideration of separating the generation of electricity by nuclear power plants from its sale; in the meantime, continuous monitoring by NRC of the competence and technical qualifications of utility management.
The accident at Three Mile Island did not, in hindsight, result in radioactive release levels that posed any threat to public health, even in the long run.
Public alarm over radioactivity fueled by the Governor's evacuation advisory to pregnant women and children two days after the accident, and the fear caused by reports the next day and afterwards of a possible hydrogen bubble explosion, turn out to have been vastly exaggerated by the NRC's disorganized response to the emergency.
But our investigation has indicated that on the morning of March 28, before anyone appreciated the seriousness of the situation, Three Mile Island came very close to being an accident that could have had the most serious public health and safety consequences for hundreds of thousands of people living near the plant.
If the accident had begun a few hours earlier, and a shift foreman reporting for normal duty at about 6:00 a.m. had not undertaken on his own initiative to survey some instruments and block off the failed-open pressurizer valve that was leaking reactor coolant into the reactor containment building to see if that would help the situation, projections show that within 30 to 60 minutes a substantial amount of the reactor's core would have begun to melt down -- with uncertain but potentially disastrous consequences.
An accident identical to that at Three Mile Island is not going to happen again.
Not only have changes been made to cope with the particular problems revealed there, but the accident has spawned major reexamination by the industry and the NRC of many aspects that contributed to that accident.
However, the work done by the Special Inquiry Group over the past seven months has led us to conclude that unless fundamental changes such as those spelled out above are made in the way commercial nuclear power is built, operated and regulated in this country, similar accidents -- perhaps with the potentially serious consequences that were only narrowly averted at Three Mile Island -- are likely to recur.
We were not asked, and it is not our place to tell the public "how safe is safe enough."
Indeed, as we make clear in this Report, we believe this is a decision that in the end probably should not be made even by the NRC; it is an executive decision that should be made as a part of our national energy strategy by the Executive and by Congress.
The NRC cannot continue to face, sub silentio, in every policy and licensing determination the question of the future of nuclear power in this country.
The generation of nuclear power can never be risk-free.
It will inevitably present certain risks to public health and safety no matter how "safe" plants are made.
Available surveys show that nuclear power is unique in that public perception of the risk of injury or health consequences is many, many times greater than the best estimates (however suspect) of actual risk -- far more so than for any other potentially harmful everyday or industrial activity.
Just as the regulators must change their attitudes to appreciate that this perception of risk cannot be met by trying to convince the public that it "can't happen," so renewed efforts must be made to educate the public that the risks and benefits associated with nuclear power plants must be weighed against the very real health risks associated with other forms of power generation, such as increased use of coal, synthetic fuels, etc.
We considered at great length and rejected a recommendation that none of the reactors presently nearing completion or undergoing testing be allowed to operate until some specified list of reforms are implemented.
This is really a false issue, because the fundamental changes we propose apply equally to reactors that are operating now and those about to come on-line.
If anything, from a hardware point of view, the newer reactors are probably marginally safer on average than older plants.
If reactors nearing completion are not "safe enough" to operate, the only logical conclusion is that all currently operating reactors should be shut down.
Especially in light of the fact that the substantive standard of safety is one we believe should be made by the President and Congress, not by an independent regulatory body, we were not able to conclude confidently that existing reactors are so unsafe they should be shut down -- assuming that prompt action proceeds to implement the kinds of fundamental changes we have proposed.
These changes will not be easy: they will require new legislation, executive reorganization, and substantial overhaul of the way the NRC is organized and managed, at the very least.
But the changes are feasible, and they will not require such vast expenditures of money or other resources as to be beyond the bounds of reason.
What the changes require is a firm commitment on the part of the President and the congressional oversight committees each to play its own role, and a commitment by the public if what it wants is safer nuclear power plants to keep the pressure on its elected representatives for major, meaningful reform.
For in the polarization of the current public debate over nuclear power, we have found there is precious little constituency for that course: on the one side are those who do not want reforms and do not want to put any more resources into nuclear power at all because they believe it should be shut down; on the other are those who argue that existing plants and the program for operating and regulating them adequately protect the public, and major reforms are not necessary.
What we are able to conclude confidently, based upon the work of the Special Inquiry Group, is that while the changes that must be made are major ones, these changes will make commercial nuclear power much safer than it is today.
In our view, if a firm commitment is not made promptly to bring about these changes, we will be exposing the public to an unacceptable -- that is, needless -- level of risk.
I. A NARRATIVE ACCOUNT OF THE THREE MILE ISLAND ACCIDENT AND EMERGENCY RESPONSE (To Be Supplied)
(Insert near beginning of narrative will describe how reactor, cooling system, pressurizer and certain other components important to the accident work, where they are located, etc.)
(other inserts and diagrams will also be included)
II. CONCLUSIONS AND RECOMMENDATIONS.
1. Systematic Evaluation of Operating Experience, and Revised and Expanded Monitoring of Operating Reactors.
2. Revised and Improved Operator Training Programs, and the Necessity for Additional Engineering Expertise in the Control Room.
3. Greater Application of Human Factors Engineering, Improved Instrumentation and Control Room Design.
4. Improved NRC Management and Reorganization.
5.6.7. Remote Siting; Adequate Evacuation and Emergency Planning; Insuring Accurate Information to Protect the Public; Changes in the NRC's Emergency Response.
8. Overhaul of the Licensing Process.
9. Improvement in Risk Assessment Techniques and in the Bases for Safety Review of Reactor Design.
10. Moratorium on New Construction Permits.
11. Separation of the Generation of Nuclear Electricity from Its Sale.
1. Systematic Evaluation of Operating Experience, and Revised and Expanded Monitoring of Operating Reactors.
The accident at Three Mile Island on March 28, 1979, had happened before -- twice.
Virtually identical "transients," as they are called in the industry, occurred in 1974 at a Westinghouse reactor in Beznau, Switzerland, and in 1977 at Toledo Edison's Davis-Besse plant, a Babcock & Wilcox reactor similar in design to the one at Three Mile Island.
Both involved the same failed-open pressurizer relief valve, and the same misleading indications to operators that the reactor coolant system was full of water.
In both cases, operators diagnosed and solved the problem in a matter of minutes before serious damage could be done.
The Davis-Besse accident was intensively analyzed -- by Toledo Edison, by Babcock & Wilcox, by the NRC and by a TVA engineer who was also a consultant to the NRC's Advisory Committee on Reactor Safeguards.
Each of these studies identified what should have been perceived to be a significant safety issue.
But none of the results of these studies were ever communicated to Metropolitan Edison or its operators.
Toledo Edison, apparently at the urging of NRC inspectors, eventually adopted new operator precautions.
But they were not communicated to B&W or to other utilities.
NRC's regional office knew of the change, but did not inform headquarters.
At B&W, line engineers and their supervisors drafted a new procedure warning operators that any time the automatic emergency core cooling system came on, it should not be turned off until the cause of low pressure in the reactor coolant system had been positively identified.
They recommended that it be sent to all of B&W's customers -- including Met Ed.
But an engineer in another section of the company raised questions about the proposed procedure.
The issue was never brought to a head and resolved, so the new instructions never went out.
The story at the NRC was much the same.
Teams from two separate offices analyzed the Davis-Besse accident.
Both were more interested in the behavior of the reactor's engineering subsystems than they were in the operators' problems.
Other warnings and questions raised by NRC staff and the TVA engineer simply fell through the cracks.
The agency's fragmented bureaucracy, its preoccupation with hardware and design questions, and the lack of any clearcut responsibility for identifying significant operating problems and warning operators about them combined to prevent the real message of Davis-Besse from getting to Three Mile Island.
The NRC never learned about the accident at the Beznau reactor.
Westinghouse was notified, but in 1974 accidents at foreign reactors manufactured by U.S. companies were not required to be reported to the NRC by the manufacturer.
Westinghouse concluded that the actions by the Swiss operators proved the validity of an earlier Westinghouse study showing that, in this kind of accident, operators would have enough time to react to a stuck-open valve and correct the situation.
This earlier study had, in fact, been submitted to the NRC.
But neither the Beznau accident nor the earlier study had prompted Westinghouse to notify its customers that operators might well be misled by their instruments if a valve stuck open.
The failure to heed these warnings and take action cannot be said to be an isolated example.
We found that in the past the NRC and the industry have done almost nothing to systematically evaluate the operation of existing reactors, pinpoint potential safety problems and eliminate them by requiring changes in design, operator procedures or control logic.
The lack of any such comprehensive program constitutes, in our view, an unacceptable safety risk that cannot be allowed to continue.
When the current generation of "large" (900-1300 MWe) nuclear plants were developed some fifteen years ago, the safety of reactor designs could not be verified in some impor-tant respects by actual experimentation.
Uncertainties in this new technology therefore had to be analyzed, and the risk of accidents estimated, on the basis of a lack of actual experience.
Safety reviews by manufacturers and the AEC relied substantially on sophisticated scientific projections and complicated "computer codes" to predict how safety systems in the plant would behave and interact during an accident.
Reliance on scientific and engineering predictions was deemed acceptable as a basis for constructing this new generation of reactors in part because the estimates were based on very "conservative," i.e., worst case, assumptions at every stage, and because of the "defense in depth" philosophy employed: multiple safety systems, redundant equipment, and the ultimate protection of enormous concrete "containment" buildings to bottle up radioactivity in case of a serious accident in the reactor.
But it was also assumed that as the number of reactor-years of actual operation increased, the estimates could be confirmed or modifications made where necessary.
As it turns out, this process of learning from experience has not been undertaken by anyone.
In the first place, the NRC devotes proportionally far more resources to the review and analysis of reactor design than of reactor operations.
This was appropriate a decade ago, when the agency was flooded with new license applications.
But today, with over seventy commercial nuclear plants operating and a like number in the pipeline, it is no longer so.
Large reactors are now a "maturing" technology. Yet the emphasis on design review continues -- due perhaps to congressional failure to revise the old AEC's statutory mandate that focuses on licensing, due perhaps to inertia and lack of leadership on the part of the NRC.
Second, while NRC requirements result in a great deal of material on reactor operations being generated by the utilities, this information is not systematically reviewed to extract potentially important safety problems or trends.
In part, this is because the reporting system itself is flawed: it does not distinguish the significant from the trivial, and, as the reporting of the Davis-Besse accident demonstrates, reports often do not clearly identify the real cause of a particular incident.
The NRC requires prompt reporting by licensees of any one of a number of categories of abnormal events in an operating plant.
But the reporting threshold is so low that the agency currently receives 2000-3000 of these Licensee Event Reports ("LER's") a year, ranging from reports of near-serious accidents in which automatic safety systems were activated, to routine violations of a plant's "technical specifications" (the license conditions that detail the limitations within which plant equipment must be operated).
In addition, utilities must submit a host of other, more routine reports.
As a result, the NRC is flooded with a mass of undifferentiated data on reactor operations.
In order to make effective use of this information, given the present reporting system, someone must separate the wheat from the chaff; then, potential safety concerns must be investigated in greater depth.
However, neither NRC's Office of Inspection and Enforcement (IE), which has principal responsibility, nor any other NRC component performs this "sort and score" operation on LER's, or any other method of analysis of existing data.
LER's, for example, are sent from the NRC regional offices to NRC headquarters in Bethesda, summarized in a few sentences for computer listing, and filed away.
Important problems are followed up on a haphazard basis, at best, depending on the interest of an IE inspector in the field or a headquarters engineer who may be alerted to a particular report.
Perhaps most important of all, there is no institutional mechanism within NRC for developing solutions to potential safety problems and insuring through the regulatory system that these solutions are integrated into the operation of reactors through design changes, altered procedures, improved training, or other methods.
Many of the areas in which this input would be achieved are neglected in the existing regulatory framework, for example, operating training and the substance of operator procedures.
The institutional fragmentation of the agency -- the isolation of offices such as IE and NRR from one another -- also works to defeat any comprehensive program.
It is clear to us that the systematic evaluation of operating experience cannot be undertaken by individual utilities, even the largest ones like TVA and Duke Power.
Met Ed certainly did not have the resources or the management structure in place to perform such a task.
Nor did it receive a great deal of useful help from NRC.
NRC publishes a computerized listing of LER's, each described in a few sentences at most, and a periodical called "Current Events - Power Reactors" containing more detailed descriptions of major problems.
The latter described the Davis-Besse accident in some detail.
But neither publication identified the key elements at Davis-Besse -- misleading indications to operators that the reactor coolant system was full, and their resultant decision to throttle back the emergency core cooling system after it automatically came on.
The task could more effectively be undertaken by the four U.S. manufacturers of reactors ("vendors") -- GE, Westinghouse, Combustion Engineering and B&W.
But we found that the extent to which the four vendors systematically evaluate operating experience in their own plants at their own expense after the plants are tested and taken over by the utilities that purchased them varies; and the relationship between the vendor and its utility customer is largely determined primarily by the individual utility's choice of how much (and how expensive) services it purchases from the vendor on an ongoing or contract basis.
We have concluded that the systematic evaluation of operating experience must be undertaken both by the utility industry which has the greatest direct stake in safe operations, on an industry-wide basis, and by the NRC.
The utility industry has already put in motion plans to establish an institute, funded by all the nuclear utilities, that will undertake this task.
Whether it will be successful remains to be seen.
We are less sanguine about the steps the NRC has taken to date to deal with this problem.
A history of the AEC/NRC's efforts in this area is instructive.
In 1969, an AEC internal study suggested that a systematic review of operating data be undertaken.
In mid-1972, an Office of Operations Evaluation was formed in the AEC to summarize LER's and do other analyses.
But a staff reorganization in 1975 basically dismantled this unit as originally intended.
Internal proposals in 1976 to reestablish such an entity received short shrift and were abandoned.
Early in 1979, a GAO study of the NRC concluded that its failure to "sort and score" LER's prevented it from identifying safety-related problems.
Nothing was done, however, until after Three Mile Island.
Then, in April, the Commission itself established a Task Force of seven high-ranking staff officials on an urgent basis to recommend new ways to assess operating experience for generic problems.
The need for answers was accorded such a high priority that the Task Force was given only seven days to come up with a report to the Commission.
The Task Force met its deadline.
It reported that it had reached quick agreement that a new group or management function should be set up to evaluate LER's and other information, but could not agree on where within the Commission it should be put, in what program office.
The Commission then did nothing for two months.
Meantime, program office directors quarreled among themselves about who was going to get this new unit.
On June 25, the Commission met for a number of hours on the subject but made no decision.
Finally, on July 12, the Commission accepted a compromise proposal to establish a full-time group ("Office of Operational Data Analysis") that would be part of none of the program offices but would report directly to the Executive Director for Operations.
This new office would have an oversight function, independent of the NRC's individual program offices; it would be the focal point for communication with industry and the ACRS; and it would develop recommendations and provide guidance.
At present, the new office does not exist, apparently because there are problems securing OMB approval for about eight additional slots to staff it.
This business-as-usual approach suggests that the Commission has not fully appreciated the importance of the problem or the kinds of changes that will be required to meet it.
For one thing, if the new Office of Operational Data Analysis has no operational authority and no power to cause its recommendations to be implemented -- or even considered -- by NRC's program offices, it is hard to see how its effectiveness can be guaranteed.
The unit could well become another isolated little ivory tower within the NRC staff, depending for its "clout" entirely on the authoritativeness of its analyses in an agency staffed largely by specialists often jealous of their own skills and opinions.
We view the lack of any comprehensive system for evaluating operating experience and mandating changes as being a part of a larger organizational problem within the agency.
Once a nuclear plant is licensed and operating, the responsibility for those staff activities necessary to assure the plant's safety should be delegated to a single organizational entity.
But current practice at the NRC permits responsibility for post-licensing monitoring of operating plants to be divided between IE and NRR.
The former inspects the plant to determine if NRC regulations and license conditions are being complied with; the latter rules on proposed changes in the license conditions necessary to insure safe operation of the plant.
This split is inefficient and probably harmful to safety.
We believe that all the agency's resources devoted to ensuring safe operation of existing reactors should be consolidated in a single office -- the current Office of Inspection and Enforcement (IE).
This includes the current functions of sR and the new Office of Operational Data Analysis.
Moreover, the Office of Operational Data Analysis should be given the task of developing recommendations as to where changes to meet operating problems ought to be required -- in training, in procedures, in tech specs, in licensing, or in a number of areas at one time -- which, after comment by appropriate staff units, would in each instance be rejected, imposed or imposed as modified by the NRC.
In addition, staff functions currently devoted to quantitative risk assessment, whether in the Office of Research, NRR standards or at the EDO level should be combined with the Office of Operational Data Analysis.
This new combined office should be staffed on a rotational basis from all the other offices and branches of the NRC staff, at a level of no less than 35-40 professionals.
To aid in this task, consideration should be given to a revised comprehensive reporting system applicable to both utilities and vendors that requires more in-depth reporting and follow-up of significant events, and eliminates reporting of routine statistics and minor incidents.
Such a reorganization will provide new and expanded technical resources to IE, and thus provide an opportunity for the headquarters staff to coordinate and manage more effectively the operations of the field offices.
Consistent inspection practices and procedures, and establishment of a respected central organization at headquarters, is essential to a comprehensive safety program for operating reactors.
At present, the NRC's field inspection program for the most part follows an "audit" approach: inspectors spend the bulk of their time confirming that utility personnel have followed proper bookkeeping procedures for maintenance, noted in writing any operating problems, etc.
Given the complexity of today's large plants it is hard for us to see how this system can be fundamentally altered without an enormous addition of manpower to inspection.
We are convinced that substantially more manpower should be devoted to this task.
However, there are important steps that can be taken within the context of the
current philosophy to improve the effectiveness of the program, in addition to the need to improve coordination and communication between headquarters and field offices cited above.
First, while the Commission has been moving toward the goal of a "resident inspector" at each nuclear station for some time, such an approach should not be seen as a panacea.
Indeed, the inability of a single inspector to assess all of the different systems in a large nuclear plant and the danger that he may become "captive" to the utility staff, as well as the difficulty of finding and keeping excellent people in these positions, suggest that reliance on the resident inspector alone could in the final analysis be counterproductive to safety.
Instead, more emphasis should be given to the team or "blitz" approach, in which a number of inspectors descend from regional headquarters to conduct an in-depth inspection of the overall operation of the plant.
Second, more attention should be given to "reactive" inspections (responding to notifications, complaints, specific problems, or following up on previous difficulties).
Third, when individual inspectors visit a plant for two to three days, they should be instructed not only to inspect within the "modules" which lay out procedures for particularized inspection but be alert for deficiencies in other area systemic problems.
Fourth, more effort should be devoted by Regional Offices to evaluating each licensee across-the-board vis a vis other licensees, in order to identify weak spots and problem areas.
These areas should then be the subject of repeated inspections.
Fifth, IE should develop a new program to monitor and evaluate utility management and technical competence on an ongoing basis.
This will require not only the development of new standards but also acquisition of new skills by NRC to study management effectiveness, suggest changes and provide technical assistance to licensees.
Sixth, the staff as a whole, and particularly IE, should institute new procedures for staff rotation so that individuals with field experience get exposure to headquarters management, and vice versa.
Top managers in IE should be required to have had field experience or, in the alternative, to be exposed to field operations through month-long stints working in regional offices and accompanying inspectors in the field.
IE should conduct regular seminars attended by both management officials and inspectors in order to identify problems inspectors are encountering that might be ameliorated by better inspection procedures or management.
2. Revised and Improved Operator Training Programs, and the Necessity for Additional Engineering Expertise in the Control Room.
Both the IE Report on Three Mile Island and the Report of the President's Commission have been read as attributing the accident in large part to "operator error."
We reject this conclusion as far too simplistic.
The operators on duty early that morning were faced with misleading instrumentation, plant parameters they had never been trained to understand and procedures that offered no useful assistance.
In the face of that situation, they followed their training as best they could.
Supervisors who were in touch with the plant and arrived within a few hours of the beginning of the accident did not demand or receive critical information necessary to assess the situation, disbelieved or discounted important information when they did receive it, and failed to diagnose the situation.
NRC and B&W engineers did not learn enough to comprehend the seriousness of the problem in the reactor until early or mid-afternoon on Wednesday, March 28; even then, they did not recognize the problem and press hard for proper strategy to restore core cooling to the reactor.
It was not until late afternoon on Wednesday that Bob Arnold, Vice President of Met Ed's engineering sister company in New Jersey, GPU Service Company, and his engineers in consultation with Jack Herbein, Met Ed's Vice President, decided upon a course of action that restored the reactor's stability a few hours later.
This scenario suggests two conclusions. First, reactor operator training and procedures are inadequate to insure that operators have the necessary skills to take the essential first steps to recognize and cope with a serious accident. Second, better-trained operators are not enough. The NRC should require utilities to hire, train and man every shift with one or more trained engineers thoroughly familiar with the plant who can function in a supervisory capacity to assist operators and shift supervisors in diagnosing and mitigating a serious accident.
The NRC licenses both reactor operators and "senior" operators by administering written and (in most cases) oral examinations. However, these examinations do not guarantee that an operator has the knowledge or competence to operate a reactor safely when something unexpected occurs. Only adequate training can do that. And the area of operator training has, as one top staff member put it, been a "backwater" at the NRC for some time. The agency prescribes requirements for the number of hours of classroom and "hot" (on-the-job) training, or simulator training, that an applicant must receive, and the general subjects that must be taught. Beyond this, it does not regularly review the substance of written materials used or the quality of in-plant or simulator training prospective operators receive. And only a very small staff within the NRC is devoted to operator qualifications and testing.
The fact that the largest portion of operator training is reading and classroom training is a weakness of the current program. A more significant problem, however, and one that was crucial to the Three Mile Island accident, is that operators are trained primarily for normal power operations and routine start-up and shutdown of the plant, not for accidents.
The skills required for operation of a large nuclear power plant are not unlike those required of commercial airline pilots. The vast majority of the pilot's time is spent in routine, high-altitude flying -- little more than babying the ship through clear skies, often on automatic pilot. Similarly, the reactor operator's typical eight-hour shift is a study in boredom: the reactor system pretty much runs itself. What does require considerable specialized skill in flying is take-offs and landings. Similarly, in a nuclear plant, both start-up to full power and routine shut-down are also relatively complex procedures in which a variety of coordinated actions must be taken and instruments closely monitored. A great deal of reactor operator training is devoted to these manipulations.
However, the public expects a commercial airline pilot to be intensively trained and qualified not for routine operations but to handle an accident -- the loss of an engine, sudden depressurization, hydraulic failure, a fire or whatever. It is here that reactor operator training has been seriously deficient. Other than being required to memorize a few emergency procedures, reactor operators are not extensively
trained to diagnose and cope with the unexpected -- minor and serious transients, events that cannot easily be understood.
To take an example, prior to TMI operators were repeatedly trained that they should take all measures to avoid "going solid," i.e., losing the steam bubble in the top of the pressurizer. This training prompted the operators on duty during the accident to throttle back the emergency core cooling system -- a critical causal factor in the accident. But what if they did go solid? At the B&W simulator in Lynchburg, Virginia, where these operators were trained, when the pressurizer "goes solid" the simulator program comes to a halt; the "game is over." In other words, the simulator itself is not even programmed to duplicate accident conditions and help the operators make decisions about how to mitigate these conditions. Similarly, the simulator training available to Met Ed operators, which is not dissimilar to that throughout the country, did not give them an opportunity to respond to simulated accidents involving more than a "single failure." The Three Mile Island accident, of course, involved multiple failures.
NRC-prescribed training for regular control room operators involves only a limited amount of sophisticated engineering and physics necessary to understand the thermodynamics of the reactor's primary system. Senior operators are taught somewhat more of this material. But what the accident made clear is that this type of training is insufficient to give
operators even a fairly basic appreciation of the way safety systems might interact, and what phenomena they could expect to see on the instruments from conditions that were not "normal" in their previous experience.
With respect to training, the problems are not unique to Met Ed. Virtually all of its operators and many supervisory personnel were products of Admiral Rickover's Navy submarine reactor operator program system, to begin with. While it is true that Met Ed's training was deficient in some respects -- the company contracted out to B&W for certain aspects of training, which resulted in a lack of coordination in the overall program -- it appears that Met Ed's operators received training which, taken as a whole, was not atypical of the industry and in some respects probably above average. To the extent that poor training was an important causal factor in the accident, this is a failure that must be attributed to the industry as a whole and to the NRC's deficient requirements, not to this particular utility.
Some have argued that large nuclear power plants are too sophisticated to be entrusted to operators who are required to have only a high school degree or equivalent and a limited general knowledge of physics and engineering -- that we should qualify only PhD's or graduate engineers as reactor operators. But it might be difficult to find enough such highly-qualified people who wanted to fill these positions. The counter-argument has been made that for the kinds of tasks reactor operators routinely perform, PhD's would be ocorly qualified and perhaps would not perform as well.
It is worth noting that the Navy operator training program, generally acknowledged to have been splendidly successful, takes exactly the opposite approach. Operators are rigidly trained to provide preconditioned responses by rote to particular plant indications, not to apply engineering skills and decide for themselves what the best action might be. In the Navy program, the expertise is supplied by "engineering officers of the watch" who stand in the control room behind the operators constantly, monitoring operations. By the same token, it has been argued that additional expertise in commercial reactor control rooms should be provided by having graduate engineers instantly available to deal with abnormal situations -- not to try to make reactor operators, who must stay awake and perform a variety of mundane functions on long shifts with virtually nothing else to do, into such experts.
We think both better training and new manning requirements are needed. The Navy program works well because Navy reactor plants are simple and compact. Operators can reasonably be expected to memorize every element of a reactor subsystem; there are a relatively limited number of things that can go wrong. Large commercial plants are so much more complex, and the primary or reactor system so much more sensitive to what happens throughout the rest of the plant, that it would be foolish to try to make operators into automatons.
Operators themselves must be better trained to understand the system they operate and to use good judgment to cope with accidents and unexpected events. But engineers with a great depth of background must also be on-tap to provide assistance should the plant be threatened with an accident.
After the accident one Met Ed official, in coordination with B&W, initiated a simulator training program that illustrates the direction we think operator training should take. First, the simulator was programmed not to deal with start-ups or "routine" transients but with various accident sequences. Then, instead of a crew of Met Ed operators splitting up so that some studied books while others worked on the simulator, the entire crew was taken through a number of accident sequences and graded on their responses as a team, not as individuals. Some of these accident sequences were not single failure, but multiple failure accidents. And they were not, as is customary, "short" accidents. The simulator was programmed to play accidents out over a long period of time. The goal was not to "beat the game" and get the right answer, but to limit the damage, so that failure after failure might be "sent in" by the programmers to see how the operators would react.
Clearly, more of this kind of training is needed. One of the hardware problems in expanding it, however, is that there are no simulators that closely replicate the control rooms of many plants. B&W's simulator, which members of the Special
Inquiry Group observed during a replay of the TMI accident, is a fairly accurate mock-up of the control room in a different plant the TMI has the same basic reactor design but responds somewhat differently. The simulator simply does not have the feel or "play" of the TMI control room, which is larger, more confusing and less well organized. And it has a third as many alarms as does the TMI control room.
In addition to training more knowledgeable operators better equipped to take the first steps in an accident, we must also insure that technically competent management personnel are in a position to be fully-informed and to provide back-up advice in the event of an accident. At Three Mile Island, difficulties in communications, management and logistics contributed to the failure to bring available expertise to bear. Met Ed's Vice President Herbein, a highly qualified engineer, did not arrive at the site til about seven hours after the accident had begun and stayed across the river from the Island at the company's observation center. GPU Service Company's engineering headquarters, located in New Jersey, was in only sporadic contact with the Unit 2 control room. There was no direct telephone contact throughout the day between the site and B&W in Lynchburg, Virginia; and contact between NRC engineers in Washington and the site was often indirect and appears to have been largely ineffective in making affirmative decisions to respond to events.
We strongly endorse the proposal made by one of our consultants that one or more "data centers" be established to
which essential plant parameters would be telemetered automatically from the display computer systems of every nuclear plant. These centers would be staffed by experts in reactor operations and reactor engineering with detailed knowledge of the various plant designs. Simulators, computers for diagnostic assistance and other special capabilities could be made available from these data centers. Each plant's control room would be connected with the data center via a telephone hot line as well as telemetry lines. In the event of any unexpected occurrence the plant would notify the center; the center would "call up" real-time readouts of essential plant instrumentation on the center's own display panels, and experts would be available to advise control room operators on the telephone hot line. The data center's computer would also store these readings in its memory for a certain number of hours or days, so that information of the type that was "lost" at Three Mile Island could be played back to determine at what point certain alarms had gone off or to read trends in plant parameters.
We understand that many or even most existing plants have instrumentation display systems that could accommodate such telemetry, and that those that do not could be altered at small expense. It appears that the technology for transmission of the data is not sophisticated and is readily at hand. NRC's Office of Inspection and Enforcement has already asked for an internal NRC feasibility study to see whether such
information could be telemetered to NRC's emergency response center in Bethesda. We think, however, that it would be preferable for a comprehensive data center and support team such as we have described to be managed by the industry itself, perhaps fre he utilities and the vendors, not by the NRC -- though the NRC could take advantage of the system by receiving a duplicate remote read-out.
Even this kind of back-up, however, is not a substitute for competent technical personnel on-site, in the control room. We think the NRC should require every licensee to hire a small cadre of qualified engineers knowledgeable in reactor engineering and physics, provide them with training in the specific characteristics of its plant at least equivalent to that of senior reactor operators, and deploy at least one such individual on each shift in the plant. We understand that Metropolitan Edison is already moving in this direction on its own initiative. As suggested by a GPU official in the course of our inquiry, in order to attract and hold good engineers for these positions a utility might also use these engineers to staff an "operational systems analysis" unit which would monitor operating experience in the plant and in other plants, and coordinate with the NRC's Office of Operational Data Analysis and the reactor manufacturer.
3. Greater Application of Human Factors Engineering, Including Better Instrumentation, Improved Control Room Design and Procedures.
The central finding of the President's Commission was that reactor safety problems are primarily "people-related" -- that the preoccupation with performance of equipment has been a "mind-set" injurious to safety, and that both the industry and the NRC have "failed to recognize sufficiently that the human beings who manage and operate the plants constitute an important safety system." We agree with this conclusion. As one of the NRC staff's leading safety experts put it in a memorandum to Commissioner Gilinsky in 1975 setting forth the major problems in safety that should be addressed by the new NRC, "Present designs do not make adequate provision for limitations of people." A senior B&W official put it a different way: he told us that the industry had done a fine job in engineering safety equipment, but that good engineering also meant designing for people, and that there the industry had fallen down in bringing "operators within the design envelope."
The short shrift given to human error in the NRC's design review, and the almost total exclusion from this process of analysis of how well operators will be able to diagnose abnormal events based on available instrumentation and respond to them, illustrate the agency's preoccupation with safety hardware. Our investigation and other NRC analyses have shown, for example, that the B&W design in use at the Three Mile
Island plant was substantially more sensitive to, and dependent upon, operator action to prevent a routine loss-of-feedwater transient from turning into a possible accident under various circumstances than other designs. The specific "operator sensitivities" of these plants revealed by the accident have been ameliorated by changes in control logic and by the setting of different "setpoints" for automatic operation of certain equipment. The point is that this sensitivity -- and undoubtedly the sensitivity of other designs to operator action in other types of "transients" -- has never received much attention from the NRC.
In part, this failure reflects a lack of close attention to operating experience. When a design goes through a number of supposedly "routine transients" and the emergency cooling system comes on each time, that alone should be cause for a searching reexamination of design and issues. In part, it is a function of the NRC's lack of interest in the blossoming field of human factors engineering that has expanded so greatly in the past fifteen years, especially in the areas of space and defense technology, and the airline industry. The agency has no office or staff members knowledgeable about or charged with examining the interaction between operators and design systems, and until well after the Three Mile Island accident made no effort to seek out such people. You could safely conclude that the automobile you drive, if it is less than ten years old, was designed with more "human factors" input than a nuclear reactor power plant.
By the same token, most of the instrumentation in a commercial nuclear plant, the design of its control room and the substantive procedures (including emergency procedures) used by operators have all been mostly beyond the NRC's purview. Poor control room design is a case in point. The NRC has virtually no requirements for the design and layout of control rooms, readability of instruments that must be placed on consoles, or what plant parameters and alarms must be displayed. In the past few years there have been a number of excellent, comprehensive studies of serious deficiencies in control room design: instruments that are difficult to read and do not display trends; poor instrument grouping; failure to display important plant parameters in prominent positions; lack of "mimicking," so that operators see at a glance which dials and levers operate equipment in the same system; lack of color coding; too many alarms, both audible and visible; handles at one end of the control room that operate systems which are read by instruments whose displays are at the other end of the control room; etc. But the NRC did nothing to improve even future control rooms, despite this excellent work by outside experts.
The Three Mile Island Unit 2 control room exhibits many of these weaknesses. While it is undoubtedly not unique in the industry in its deficiencies, a detailed study done by one of our subcontractors showed that it is definitely inferior in design and layout to a number of other control rooms studied,
both those of a similar vintage and newer ones. For one thing, the control room is too large, and has too many unnecessary displays, and is poorly lighted. What mimicking there is has been done by the operators themselves, with colored tape. There are three times as many alarms at TMI-2 as there are in the B&W simulator's control room, over twice as many as in the control room in Three Mile Island Unit 1. They are not prioritized in any fashion. The system for "acknowledging" alarms is a poor one. Many instruments are virtually impossible to read. Important instruments are displayed on back panels, away from the main console area.
Control room design played at least a minor part in contributing to the accident at Three Mile Island. A number of the operators told us that the constant buzzing of audible alarms and the flashing of lights was distracting at important times during the accident and detracted from their ability to identify the true causes of the problems they were encountering. One of the operators on duty in the early hours of March 28 had been in the control room during a severe transient at Unit 2 a year earlier and wrote to one of his supervisors about that earlier event:
(QUOTE TO BE SUPPLIED)
Important indicators that might have told operators the pressurizer relief valve was stuck open, even though the control panel light showed it was closed, were the instruments and alarms displaying temperature and pressure in the reactor coolant drain tank, into which hot water from the stuck-open
valve was pouring for over two hours after the accident started. However, these alarms are on a panel remote from the central console that faces backward from the operator! When the alarms for these indicators went off, the alarm lights could not be seen from the main console or main panels. An audible alarm went off but over the din of other alarms there was no reason for operators to single out the reactor coolant drain tank alarms. And pushing the button on the central console that "acknowledges" alarms causes all the alarms to stop buzzing. Since the accident, operators have taken matters into their own hands. Affixed to the back wall of the control room is a large, round convex rear-view mirror -- like those that enable school bus drivers to watch children who have gotten off the bus cross the road behind them -- so that operators have a direct view of this backward-facing console.
The actual design of the Unit 2 control room was a product of the fragmentation of the industry that we discuss at some greater length in Section 11, below. Principal responsibility for control room layout and instrumentation lay with the architect-engineer, Burns and Roe. That company, in turn, consulted with B&W on specific instrumentation. But, in the absence of any NRC criteria, Burns and Roe was obviously sensitive primarily to what its customer, Metropolitan Edison, wanted. And what Met Ed wanted in large part was a control room not too unlike those its operators in fossil fuel plants were familiar with. In the end, many features of the control
room were the product of three-way input. But no human factors considerations came into play at any stage. For example, the man who laid out the original placement of panels for the control room did not even know how many people would be required to operate the plant. Imagine flying in an airplane whose cockpit was designed by someone who did not know how many people were going to be flying it!
We found that the information readily available to operators of Unit 2 about plant status and important plant parameters was far below what one would suppose would be an acceptable minimum for such a sophisticated technology demanding quick action in the case of some potential accidents. A short list of instrumentation problems that contributed to the accident would have to include at least the following:
No alarm signalled that the emergency feedwater system was completely blocked off, in violation of NRC regulations. This was not discovered for some eight minutes into the accident, apparently because a paper tag hanging from a handle on the control panel obscured an indicator light that would have shown the operators the position of block valves shutting out this system. While this did not play a significant role in the overheating of the primary system, it may have played a minor role, and certainly contributed to the operators' distraction. In newer plants, NRC requires an alarm that would have signalled this problem.
The indicator light on the control panel for the stuck-open pressurizer relief valve was wired not to the valve stem itself but to the valve's electrical circuitry. The light showed only what the valve had been "instructed" by the electrical system to do, not its actual position. Operators were misled for over two hours by this indicator light.
The plant did not have instrumentation showing the level of reactor coolant in the main reactor vessel. The only level indicator showed water level in the
pressurizer. This indicator showed the pressurizer full of water when in fact coolant was passing through the pressurizer and out the stuck-open valve. Operators were therefore misled into thinking the primary coolant system was full of water, when it was not.
As mentioned above, alarms and indicators for the reactor coolant drain tank were on a backward-facing panel.
Incore thermocouples showing temperatures just above the reactor core had to be read with an electrical instrument from wires in a cabinet located on the floor below the control room, because most were off the top end of the computer display's scale. Because of this, only a few readings were reported to the station superintendent, and he discounted them, in part because they were not regularly "required" instrumentation. Today, a large panel board in the control room displays constant digital readouts for each of the fifty or so thermocouples, giving operators an easy-to-read, instant temperature profile of the reactor core.
Operators might have detected the stuck-open valve from high temperature readings in the piping through which coolant was leaking after it passed through the valve. These readings were requested several times by operators but were misinterpreted, in part because they were thought to be "trending down."
Soon after the accident began the read-out and display computer got so far behind in printing out alarms that operators had to "dump" its memory in order to get up-to-date, losing irretrievably information about events and trends that might have helped them diagnose the accident.
That a considerable amount of accurate data are now available about what happened during the Three Mile Island accident is due to pure luck. Still connected to the reactor was a "reactimeter" installed by B&W to monitor plant performance during its start-up testing. The reactimeter constantly measures and keeps in its memory several dozen important plant parameters, some of which are not displayed in the control
room or are not recorded elsewhere over time. The reactimeter does not "display" its information; it has to be "delogged," a task begun on Thursday, March 29, by B&W engineers and others. It was data from the reactimeter that helped in reconstructing the accident that Thursday and Friday, and afterwards.
We see no reason why every nuclear plant should not have the equivalent of a reactimeter for important plant parameters, tied to an information and display computer that can call up these parameters on an instantaneous or trend basis. We have suggested above that such instrumentation not only be installed in every plant, but that the information also be telemetered to industry-run data centers and the NRC, where additional technical assistance would be available in case of an accident.
At the very least, we recommend that NRC set minimum standards for both instrumentation and information display for all plants. The agency's previous reluctance in this area is, frankly, puzzling to us. A significant problem during the Three Mile Island accident was that much of the instrumentation was designed for normal, not accident conditions. When things began to go wrong, instruments quickly went off scale. This was particularly true for many radiation monitoring instruments. The ACRS has been conducting a running, but unsuccessful battle with the NRC staff for some time to require every plant to install instrumentation sufficient to monitor the course of an accident. Only after the accident -- more than three years from the time a new regulatory guide
providing for such instrumentation was first issued by the staff in December 1975 -- has the NRC decided to expedite implementation of such a requirement.
(Other specific recommendations to be supplied; compare NRR Lessons Learned Task Force Final recommendations.)
4. Improved NRC Management and Reorganization.
We have found in the Nuclear Regulatory Commission an organization that is not so much badly managed as it is not managed at all. In our opinion, the Commission is incapable, in its present configuration, of managing a comprehensive national safety program for nuclear power plants adequate to insure public health and safety. A radical reorganization of the Commission's structure and management is called for, now.
The roots of this problem are historical, statutory and to some extent personnel-related. The NRC was created in 1974 by legislation that dismantled the old Atomic Energy Commission, transferring the AEC's promotional activities to the Energy Research Development Administration (now part of DOE), and its regulatory activities to the new NRC. The NRC was primarily constituted out of the AEC's former Division of Regulation, which had always been directed by a single individual; the AEC as a Commission for years had had little interest or involvement in the licensing aspects of its jurisdiction.
However, the new NRC was fashioned in the image of the old Commission itself. The NRC has five members, appointed by the President for five year terms with the advice and consent of the Senate, and according to the statute each of the five Commissioners has "equal responsibility and authority in all the decisions and actions of the Commission."
As a practical matter, most of the functions of the NRC, including licensing of new reactors and inspection of operating plants, are carried out by the NRC staff. Obviously, one of the Commission's functions must be to manage and set policy for its staff. But in practice the Commission is isolated from the staff. It does not directly supervise the staff's day-to-day work. It is not even officed in the same state: while the Commissioners and their tiny personal staffs, together with some other Commission-level offices such as the General Counsel, are located in downtown Washington, NRC staff are scattered in a half-dozen office buildings in suburban Maryland, at least a half-hour drive away. A strong "we-they" feeling has developed on both sides. One staff official characterized relations between the staff and the Commission as not unlike those between sovereign countries; cordial, somewhat distant, and conducted for the most part in writing, but always with the requisite formalities.
As for the Commission, the result of its statutorily-prescribed structure is that it must function as a collegial body; it can make no decisions and take no action without a majority of at least three Commissioners in agreement. In 1975, the original NRC legislation was amended to make the Chairman of the Commission the "chief executive officer" with rather vaguely described powers to exercise executive and administrative authority. At the same time, however, the Act prescribes that the Chairman shall be governed by the policy of the Commission and gives the Commissioners as a whole approval authority over appointment to the major staff offices and formulation of the agency's budget. There was also some
sentiment that the 1975 amendment was procured by the then-Chairman behind the backs of other Commissioners, so that subsequent Chairmen have been reluctant as a political matter to try to exercise whatever authority the law does confer on the office.
Below the Commission there is no general manager or chief executive officer with authority over the staff. The staff is divided into five major offices, three of which are independently chartered by the statute, and each of which is headed by an office director. Between the office directors and the Commission is an Executive Director for Operations (EDO). According to NRC regulations, the EDO is authorized to "discharge the operational and administrative functions of the Commission." But the statute itself limits his power to restrict the office directors, who by law report directly to the Commission. Indeed, until 1978 they were able to bypass the EDO altogether; a statutory amendment that year required them at least to keep the EDO informed of their communications with the Commissioners. As a practical matter the EDO does not currently have the authority to manage the staff.
Although the Commission arguably could confer such de facto authority on the EDO, it has not done so in the past few years, and the individual who has been serving in that position (who is retiring in the next few months) has not sought to exercise such authority or to serve as a manager. Thus, the EDO has therefore served primarily as a conduit between the five equally-powerful Commissioners above him, and
the five office directors, each with his own independent jurisdiction, below. The result has variously been described as "non-management," a "mess," and a situation where "nobody is running the store." As for the staff offices, they have been characterized as "feudal" baronies and "independent fiefdoms." We have sat at public meetings of the Commission during our investigation at which the majority of the senior staff of the agency -- office directors, their deputies and their senior technical experts -- filled the front rows of the meeting (after an hour trip to downtown Washington from Maryland) waiting in case a Commissioner should pop a question about a particular staff office's "position" on some question. This practice demonstrates an appalling lack of coordination of the agency's resources and a tremendous waste of time for the staff and for the Commission (which as a result is not "staffed" at all in the management sense with briefing memos, alternative decisions and its staff's overall recommendation).
The effects of this structure in impeding the effective exercise of management authority by anyone in the agency have been exacerbated in the past several years by the variety of viewpoints among the Commissioners and their inability to work together. Sometimes there has not been a majority of three for any course, and more often than not when there has been the Chairman of the Commission, until recently Joseph Hendrie, has been in the minority rather than the majority, further
complicating effective leadership. The net effect of structure and personnel has often been paralysis.

More surprising than that the Commission spends very little time managing or setting goals for its staff is the fact that until recently it has spent very little time as a Commission deliberating on any issues whatsoever relating to reactor safety -- the subject the public no doubt believes is the Commission's highest priority and certainly its raison d'etre. Instead, it appears that the Commission has traditionally spent the bulk of its public meeting time, at least, on personnel and budgetary matters, administrative chores, and such issues as export licensing. (Even prior to Three Mile Island, however, and certainly afterwards by the necessity of events, this pattern has been changing.)

In sum, the Nuclear Regulatory Commission has provided neither leadership nor management of the nation's safety program for commercial nuclear plants. The question is how this problem can be remedied.

The central and overwhelming need is for legislative and/or executive reorganization to establish a single chief executive with the clear authority to supervise and direct the entire NRC staff. An effective reactor safety program absolutely requires strong and effective management of this kind.

The NRC is virtually alone in the Federal Government as an agency charged with protecting public health and safety that is headed by a commission. Regulatory commissions such as the FCC, ICC, SEC, CAB and others generally regulate economic behavior. For the most part, the protection of the public safety and health has been committed to single-administrator agencies: the FDA, EPA, MSHA, OSHA and, in the airline safety area, where the CAB regulates economics, the FAA regulates safety. Indeed, considering the old AEC's lack of interest in regulation, the management of reactor safety was for all practical purposes a single-administrator agency within the AEC until 1974, originally under the AEC's General Manager and later run by a Director of Regulation.

Two main arguments have been advanced for retaining the Commission: that the Commission-form enhances public visibility of the policymaking process; and that because public opinion about nuclear power is divided and uncertain, and quantitative assessment of its risks imperfect, the Commission helps insure that a diversity of views will be represented in that policymaking process. Along with these arguments, there are two other considerations, not usually articulated, which we think may prompt members of Congress and anti-nuclear critics to be suspicious of the single Administrator proposal. There are those who fear that if the single Administrator were "pro-nuclear," he might ride rough-shod over legitimate concerns about safety, whereas there are a number of present members of the Commission who are identified as being critical of past safety efforts. And some congressmen may well be concerned that the effectiveness of congressional oversight of a single Administrator directly responsible to the executive branch would be reduced.
We do not believe any of these considerations is a valid reason for retention of the present Commission structure.

With respect to public visibility of the policymaking process, the present Commission does not currently involve itself in the licensing process, and hearing and appeal boards would be retained in any event. The rulemaking and policymaking proceedings that the Commission engages in would be held before a single Administrator in the same public fashion. We have suggested in Section 8, below, a series of steps to increase and improve the quality of public involvement in the consideration of safety issues; these suggestions would apply equally to the making of broad safety policy decisions by a single Administrator. Realistically the general public, if candidly given an assessment of the risks involved and given a full and complete opportunity to participate in policy decisions relating to the nature of those risks, is not going to be interested in every dispute over a relatively technical safety issue having to do with one or a few plants. It is intervenor, public interest and scientific groups and experts who will likely press those issues, initially in a forum below the Commission or Administrator level, if they are given the opportunity, the intervenor funding we propose below and the assistance of an Office of Public Assistance which we also recommend in Section 8 be established by the NRC.

Diversity of viewpoints is a significant factor, but we do not believe it should prevail when weighed against competing considerations. First, it is this very diversity of opinion that Congress itself is supposed to reflect in its oversight of the level of safety being provided by the NRC's regulatory program. We do not believe this oversight function would be weakened by making the NRC a single-Administrator agency. Indeed, given the present management and leadership vacuum at the NRC, congressional input would be better translated into agency policy.

Second, we do not believe that the proper function of the Commission should be to weigh and resolve competing public attitudes about nuclear policy in every individual safety decision that it makes. It is precisely this hidden pressure that has played an important role in paralyzing the Commission in the past few years. Decisions about expanding or reducing our country's reliance on nuclear power -- decisions which inevitably involve a balancing of the risks against the benefits of this technology -- should be made by the Executive, with congressional review and approval, as a part of the Administration's overall strategic energy policy. No independent regulatory commission determines the extent to which any other component of our nation's energy mix will contribute to overall energy production. For this reason, we think it is appropriate that a single Administrator be responsible directly to the Executive Branch.
Third, diversity must often be weighed against good management, as the history of the NRC has amply demonstrated. We have found in our investigation that the greatest single improvement in safety can be made by better-coordinated management within the NRC. We think this need should take precedence. Mounting an affirmative, comprehensive safety program is not a task that requires diversity of opinion. It is a task that requires strong central management controls and unified policymaking.

We do not believe that the current Administration's proposal to "strengthen" the Chairman of the Commission's executive authority may go far enough to reach the heart of the problem involved here. In our view, a far-reaching management reorganization is required in which all of the Commission's offices report directly to a single chief executive, who possesses the authority to establish policy, allocate and redistribute resources within the agency and supervise the day-to-day operations of office and branch chiefs. This, it appears, can only be accomplished by new legislation.

In addition to the centralization of management under a single chief executive officer, we recommend the following organization and management reforms and improvements:

Transfer of non-reactor safety responsibilities. The NRC currently has responsibility for a variety of matters that do not relate to its central goal of promoting the safety of nuclear reactors and handling of nuclear materials. These functions, which are time-consuming and distracting, should be transferred to other agencies. For example, the NRC's antitrust responsibilities should be transferred to the Department of Justice. Its jurisdiction over export licenses should be transferred to the Department of State, which should consult with the NRC on safety-related matters.
Consolidation of resources devoted to operating reactors. As described in Section 1, above, we recommend that the Division of Operating Reactors, the new Office of Operational Data Analysis, resources devoted to quantitative risk assessment, and some personnel from the Office of Research be consolidated in an expanded, strengthened Office of Inspection and Enforcement.

Single location. The physical separation of the Commission from the staff, and of staff offices and branches from one another, is not only time-wasting but encourages a poor working relationship and fragmentation in the staff. We recommend that high priority be given to locating the entire agency in a single location.

Establishment of a Safety Assessment Board. The substance of the agency's licensing and regulatory functions is carried out almost exclusively by a technical staff trained in the various engineering and scientific disciplines relevant to nuclear power reactors. These individuals are the ones who review license applications, establish safety requirements and recommendations, conduct inspections, take enforcement actions, develop standards, and administer research programs. The safety recommendations and analyses which come from these sources shape and, realistically, control most licensing and regulatory actions. The staff is where the safety die is cast.

We have found that there is really no existing organization within the agency which has either the responsibility or
the capability of monitoring the effectiveness of the regulatory staff and of making recommendations of actions needed to establish and maintain a safety review process of the requisite level of quality. It is a paradox that while the agency has long insisted on quality assurance programs for industry entities associated with nuclear power plants, it has never imposed a similar requirement for its own regulatory staff and the licensing review process. With the vast amount of unsupervised discretion that exists in the process, it is not surprising that senior managers readily accept the status quo and that few, if any, have spoken out and demanded institutional organizational reforms. The momentum for that must come from outside of the staff.

We believe there is a clear and pressing need for an organizational entity within the agency to be responsible for observing, evaluating, and making recommendations to improve the quality of the overall performance of the regulatory staff. This need can best be satisfied by the establishment of a Safety Assessment Board reporting directly to the head of the agency. This Board would be outside of and independent of all other Offices in the agency. The Board should be composed of a number of persons who are trained in technical disciplines associated with nuclear safety and who are thoroughly experienced with the licensing and regulatory process. The Board would be provided with a technical staff appropriate to its functions, and with necessary support personnel. This Board would not duplicate the functions of any office or provide another layer in the [illegible] process. It would instead be an identified organizational entity of experts who could:

- Exercise oversight on the effectiveness of the licensing review process.
- Monitor the performance of special internal Task Forces and Committees such as the Regulatory Requirements Review Committee and the Technical Activities Steering Committee.
- Serve as the Agency's liaison on broad safety matters with the ACRS.
- Advise the Commissioners on regulatory goals, important safety issues, and important issues for rulemaking.
- Act as an Ombudsman group to receive complaints and as a forum to provide advice on major differing technical views from within and without the Commission.
- Enhance reactor safety by monitoring the effectiveness of the staff's analysis of precursor events, and of all other operational feedback information from all sources.
- Monitor the staff's use of and requirements for the use of the latest analytical and design tools.

Centers-of-Excellence. There has always been an objective to limit duplication of effort within the regulatory staff. It has long been considered resource-effective to assign experts in common or closely-related technical disciplines to a single organizational group. This center-of-excellence objective has been neglected in recent years. For example, the Divisions of Systems Safety and Operating Reactors in the Office of Nuclear Reactor Regulation have several sub-organizational components of substantially identical disciplines. The same thing on a lesser scale is true for the Divisions of Site Safety and Environmental Analysis and Operating Reactors in the same Office. We recommend that the current organization of the regulatory staff move back toward the center-of-excellence concept to the maximum practical extent.

Project Management. The licensing project management organization was at one time the strongest technical group in the regulatory staff. With the development of the center-of-technical excellence concept the importance of the project managers was reduced. While the change away from the all-powerful project manager was needed, subsequent studies have periodically concluded that the reduction in the role of the project manager went too far. A strong project management organization provided a method for obtaining an overall balance in the staff's safety evaluations. That is not available in the present NRR organization. No one is assigned that responsibility.

In addition, one of the obvious lessons learned from the Three Mile Island accident is the critical need for an overall plant and systems analysis group. There is as much or more of a chance that safety matters will "fall in the cracks" between two or more highly proficient technical groups as there is for a safety error to be made in any of the specific groups. This type of group could investigate systems interactions and man-machine interactions on an integrated basis. The need for this form of analysis has been clearly recognized by NRR, and should be coordinated through the Project Manager.
Periodic Reassignment of Senior Managers. The NRC has never had a planned program for the rotation, exchange, or periodic reassignment of senior staff managers. Some senior managers do move to new assignments but in most cases it is the result of a promotion, not a planned exchange. Certain management steps can be taken to insure that the agency performs as a team and not as an uncoordinated group of competing offices each unfamiliar with the others' personnel, functions and capabilities. One such step is the exchange or rotation of senior level managers on a planned basis. We recommend that such a program be developed and implemented promptly.

Staff Training. One of the most glaring deficiencies in the NRC is the lack of a program for its staff to acquire actual experience in the actual design, construction and operation of nuclear power plants. To effectively regulate the safety of such plants, the regulators should have a clear appreciation of the techniques and procedures used for design, construction, and operation. For example, if a person has never operated a large power plant for a period of time sufficient to encounter the spectrum of operational problems that are likely to occur, it is unlikely that that person can develop an effective program to test and license other individuals for operator and operations management positions.

The staff has in the past considered possible ways in which it might obtain and periodically update a reasonable level of actual design, construction, and operating experience. Most individuals joining the staff have related industry experience; however, for some the experience is not closely related. Others join the staff upon completion of their university programs and with little or no experience in industry. With time many of these individuals achieve prominent managerial positions within the staff where their lack of practical knowledge can have a significant adverse impact on the staff's overall performance and its stature in the eyes of the regulated industry and the involved and interested public.

The staff has suggested that an exchange program be set up between the agency and the Tennessee Valley Authority so as to mutually benefit key staff personnel. Similar suggestions have been made involving national laboratories and military programs. Unfortunately all of these suggestions were rather quickly rejected on the basis of potential conflicts of interest or for other unspecified reasons.

We have concluded that the need for practical experience and staff personnel overwhelms potential concerns about conflicts of interests and other possible adverse impacts. We recommend that the agency establish a policy that practical experience is a requisite for staff key personnel, and arrange an effective program to obtain the requisite experience for the appropriate individuals.
5.6.1. Remote Siting; Adequate Evacuation and Emergency Planning; Insuring Accurate Information to Protect the Public; Changes in the NRC's Emergency Response.

The Three Mile Island accident demonstrated that the evacuation of people living within a 20 to 25 mile radius of a commercial nuclear power plant, or beyond, needs to be considered a realistic, necessary precautionary measure, even at levels of radioactive release well below previously-formulated federal "protective action guidelines." The accident also demonstrated that evacuation may have to be considered or ordered in a variety of situations where the evacuation decision is far from clear-cut. In particular, the most likely basis for evacuation in the future may be fear or uncertainty about the course an accident will take, as illustrated by the evacuation recommendations made by NRC staff and Commissioners on Sunday, April 1, based on anxiety about the hydrogen bubble problem.

The NRC's own lack of preparedness to exercise this kind of decisionmaking was illustrated by the events of Friday morning, March 30. In the space of about three hours, Pennsylvania state officials received three completely different authoritative recommendations from the NRC: the first, from an NRC staff official to the state Civil Defense Agency, to evacuate; the second, from the NRC's Chairman to the Governor, to have people stay indoors; and the third, again from the Chairman of the NRC to the Governor less than an hour later, agreeing that pregnant women and school-age children
should be advised to consider leaving the area around the plant.

For some years the NRC has been moving, informally rather than by revising its siting standards, toward requiring new reactors to be sited away from large population clusters. However, the formal siting requirement used by the agency does not reflect this concern: it provides only that reactors be sited within a "low population zone," a very small area with a radius of only a few miles round the plant. The low population zone at Three Mile Island was an area within two miles of the reactor itself. During the accident, as we have seen, both state authorities and the NRC were routinely considering the need for evacuation ten, twenty or more miles out from the Island -- and this for an accident involving very low releases of radioactivity.

In the past, the NRC has consistently regarded "engineered safeguards," i.e., automatic emergency safety systems within the plant, as a trade-off permitting location of plants near heavily populated areas. That is, the plant's safety equipment, combined with containment, was deemed sufficient to protect public health and safety. Our analysis of how close the accident at Three Mile Island came to a situation in which evacuation at a far distance from the plant might have been absolutely necessary, at least on a precautionary basis, leads us to conclude that this philosophy is no longer valid. Evacuation must be considered an independent means of protection for citizens living within 20 or more miles from the plant,
over and above the safety and other systems designed to mitigate an accident and prevent releases.

This leads us to the further conclusion that, in the future, new plants should be sited only in remote locations, removed by at least 25-40 miles from population centers of any significant size. But the presence of existing reactors and those that will soon come on line near such centers raises difficult questions about what can be done to protect those who live near these plants in the event of an accident.

Up until March 28, 1979, it appears that planning for such evacuation around nuclear plants by federal, state and local authorities was uneven, at best, and that the NRC itself did little to encourage such planning in part because of a prevailing attitude that it simply could not and would not happen. The NRC has required utility company licensees to plan only for protective measures within the low population zone, and to show that they have their own emergency plans which include notification to and coordination with local and state authorities. The existence of an effective state emergency or evacuation plan in case of accident has not been a condition of granting a reactor operating license. Under current regulations, states may submit plans to the NRC for comparison with NRC's own guidelines, but this is not a binding requirement.

We agree with the President's Commission that federal emergency planning functions for accidents at nuclear reactors
should be consolidated into a single federal agency. The new Federal Emergency Management Agency (FEMA), rather than the NRC or DOE, appears to us to be the appropriate agency for such planning. FEMA's principal mission is to deal with the logistics and communications involved in protective action and evacuation made necessary by any one of a variety of natural disasters or accidents. FEMA should be in a better position to coordinate planning and action by state and local authorities, with whom it deals regularly -- unlike the NRC. Some of our consultants have expressed concern that FEMA is not yet fully organized and may lack the expertise to cope with a radiological emergency.

Unquestionably the NRC must retain the decision whether to recommend evacuation, based upon its evaluation of the seriousness of an accident and actual or potential releases. Indeed, it seems inevitable that the Governor of a State and his staff will look to the NRC for this expertise. But NRC does not possess significant expertise in how to plan for or implement protective action once the decision to "go" is made. That should be left to FEMA.

The President's Commission recommended that before a reactor is granted an Operating License, the state in which it is located should be required to have had an emergency response plan approved by FEMA. In light of the need to consider evacuation as a credible and significant, independent protection for public health and safety, we agree with this recommendation. But we think it should apply not just to new
reactors but to existing plants as well. And we think that the emergency plan should not just be an abstract document: it should be demonstrably workable and effective in carrying out an actual evacuation.

We therefore propose that within a certain period of time, for instance one year, every operating plant be able to demonstrate that state and local authorities have developed a comprehensive plan for (a) protective action and (b) evacuation in an area within a considerable distance from the plant, perhaps 30 miles or more; and that this plan can work to effect a total evacuation.

Such a requirement would be a very stringent one indeed. In considering it, it has been suggested that a number of plants near large urban areas like New York and Chicago might not be able to meet this standard, no matter how good the planning -- in other words, that there is no realistic prospect of being able to evacuate large suburban areas of these cities in any relatively short period of time. Some contrary evidence is provided by the recent success of Canadian authorities in evacuating nearly half a million people from one of Canada's larger cities after a train wreck threatened the populace with chemical fumes, a brief study of which is contained in our back-up reports. If, however, there are some plants that cannot meet such a standard of realistic evacuation of the surrounding area, serious consideration should be given to shutting them down permanently.
Within the NRC, we found that decisionmaking about protective action was confused and ineffective throughout the accident, and that NRC disorganization contributed unnecessarily to public alarm over radiation levels and the possibility that the "hydrogen bubble" in the reactor might become explosive. Some of this confusion was due to poor communications, a situation which the Commission has improved since Three Mile Island by the installation of "hot lines" from each reactor control room to the NRC's Emergency Response Center in Bethesda, Maryland. A system for telemetering important plant data from each plant to an industry-run data center and to the NRC, such as we have suggested above, would also go a long way toward resolving this deficiency.

But a good measure of the NRC's poor performance during the accident must be laid to poor planning and poor management of the emergency response. As we have previously written in a preliminary memorandum to the Commissioners, we found that the NRC Emergency Management Team did not function as a single executive to coordinate the agency's action during the response but as a collection of individuals each of whom represented the office of the NRC staff with which he was affiliated in day-to-day NRC operations.

While the NRC's Emergency Plan specified that the Commissioners themselves would "make policy," they were in fact isolated from the flow of events and information for two days. When they did get involved, on Friday, March 30, the recommendations made by Chairman Hendrie to Governor Thornburgh
reflected little or no deliberation by the Commissioners and were based on a paucity of information. Only when Harold Denton was sent by Chairman Hendrie to Three Mile Island as the NRC's lead official, and at the request of the President became the President's own "representative" at the site, was NRC's emergency response coordinated into one single executive.

We recommend that while the Emergency Management Team (EMT) should be retained, it should have a single director -- either the Chairman of the Commission or his designee, if the Commission is retained; or a "duty Commissioner," or the Executive Director for Operations. The director of the EMT should exercise the entire authority of the agency and be able to call on all of the agency's resources during an emergency. A nuclear reactor accident is no time for collegial decisionmaking either on the Emergency Management Team or the Commission itself. In any case, a decision to recommend evacuation should be made, if at all possible, by the Chairman or Administrator of the agency, even if he is not directing the EMT; where that is not possible, the recommendation made by the Director of the EMT should be ratified by the Chairman as soon as possible thereafter.

During early stages of the accident even top NRC officials displayed a good deal of reluctance to demand specific items of information from Met Ed or to make strong recommendations to the company about what operators should do next. The philosophy that "the licensee is in charge," and a fear that
NRC would be perceived to have "taken over" control of the plant provided very strong deterrents to active intervention by the agency at any level. From the NRC inspectors who arrived on site about 11:00 a.m. on the first day of the accident through top officials in Washington, the agency placed itself in a position of merely "monitoring" what was happening, and being available to give advice.

The NRC should not be constrained by its own procedures or attitudes to take such a passive role during an accident if circumstances demand more direct intervention. It appears that the NRC has the authority, under the existing licensing scheme, to require a utility licensee to undertake a particular action on the spot, if necessary to protect public health and safety.

At the moment, the agency is far from equipped to "take over" any large commercial nuclear plant in an emergency. Hands-on manipulation of the controls in such plants requires familiarity with a particular reactor's unique design, behavior and idiosyncracies likely to be possessed only by licensed operators and supervisors of the utility. Plants like these cannot be "run" from afar. And although the public may be reassured by knowing that NRC representatives are on site during an emergency, as if the U.S. Cavalry had arrived on the scene in an old Western movie, the fact is that NRC inspectors do not have the working knowledge of the plant or, in most cases, the expertise to assume command over reactor operations.

Nonetheless, there may arise situations in which important strategies for dealing with an accident, such as decisions about the method of core cooling or about venting radioactive gas to the atmosphere in order to protect the stability of the cooling system, can be made in a timeframe permitting consideration by NRC engineers or other top officials of the agency. In this kind of situation, NRC's own regulations and guidelines should make it clear that NRC has the authority to impose its own decision on a licensee if there is an ultimate difference of opinion.

We suggest that emergency response guidelines might be rewritten to provide that the director of the EMT or any NRC employee directly delegated his authority for this purpose may direct (1) that particular information be provided immediately to the NRC, or (2) that a particular action be taken in the plant, where necessary in his judgment to protect public health and safety.

Recognizing the likelihood of evacuation or other protective measures in the future, we are convinced that it is essential to make certain that accurate and up-to-date information is available on which to make such decisions. The Three Mile Island accident indicated, and our investigation confirmed, that no one -- no federal agency, state agency or the utility -- has primary responsibility in an accident to monitor radioactive releases from the plant, evaluate this information and communicate it to those who must make decisions about protective measures.

At Three Mile Island, the utility, the NRC, DOE and state officials all participated in monitoring beginning within
hours of the accident; HEW and EPA followed later on. By chance as much as by design, the work of teams from these various agencies was fairly well coordinated during the accident, and those at the plant and local level who needed the information received it in timely fashion. Our investigation showed that utility and NRC personnel at the site, the state's Bureau of Radiological Health (which set up a command center that was in contact with the plant and with monitoring teams), the NRC's regional office near Philadelphia, and DOE's local command post maintained good communications and generally shared accurate data, and evaluations of that data, as soon as they were generated. The disorganization and misunderstanding on Friday, March 30, that precipitated a local evacuation scare and then the Governor's cautionary warning to pregnant women and children was caused primarily by the fact that the highest-ranking decision makers -- the Governor and Lt. Governor in Harrisburg, and the NRC Emergency Management Team and Commissioners in Washington -- had been out of the picture and had either received misleading information or did not appreciate the significance of accurate information.

There is a federal coordinating document for radiological emergency monitoring called the "Interagency Radiological Assistance Plan" (IRAP). But this is a misnomer, for the document is not a "plan" at all; it is a list of resources possessed by various agencies that can be called upon in an emergency. The Department of Energy, which inherited from the AEC
among other things a sophisticated nuclear emergency command center in Germantown, Maryland, run by the military and designed primarily for weapons accidents, probably has more emergency monitoring equipment and other resources than any other agency. These include teams that can be transported by plane or van, monitoring helicopters with highly sensitive equipment, and back-up facilities for analyzing samples. NRC also has several mobile monitoring and laboratory vans, as well as equipment and emergency vehicles at each regional office.
We recommend that a single federal agency, either DOE or NRC but preferably NRC, should be designated by executive order as the lead federal agency to call upon and coordinate the resources of all other federal agencies in case of an accident at a commercial nuclear plant requiring monitoring.
We also recommend that serious consideration be given to installation of real-time, on-line monitoring devices around every nuclear plant in concentric circles at various distances from the plant site (for example, from the site boundary out to at least ten or twenty miles) that can be read from the plant control room or some other remote site. Such a system would be expensive but not prohibitively so, and the technology poses no problem. We understand that such devices are currently being installed by requirement of the State of Illinois in the Chicago area and environs, to cover potential releases during any accident that might occur at a number of plants in the vicinity.
8. Overhaul of the Licensing Process.
From its inception, the process of licensing a new commercial nuclear plant has involved a two-step procedure. Prior to construction, the utility company submits an application for a construction permit (CP) in which it commits to meet certain design criteria acceptable to the NRC staff and describes preliminary designs it proposes to follow in order to do so. NRC's licensing staff then reviews the application and prepares a Safety Evaluation Report, preparatory to a mandatory public hearing before an independent Atomic Safety and Licensing Board (ASLB). The Board considers not only the safety of the design but also issues such as the siting of the proposed reactor. Any party who wishes may "intervene" in the hearing to question or contest some aspect of the application. The Commission's Advisory Committee on Reactor Safeguards (ACRS), a committee of distinguished expert consultants in the various areas of reactor safety, also reviews the application and the staff's report, and often calls for additional evaluation or explanation.
If the Licensing Board votes to grant the CP, a party may appeal its decision to the Atomic Safety and Licensing Appeal Board, another independent panel to which the Nuclear Regulatory Commission itself has delegated most of its final statutory authority over licensing. From an Appeal Board decision any party may seek review by the full Commission, which is discretionary with the Commission. The Commission may also
review a case on its own initiative. But as a practical matter the Commission, like the AEC before it, seldom has become involved in licensing actions.
At a time when the plant is well along in construction, the utility then submits a second application for an Operating License (OL). The same procedures are then followed again -- including a staff review, preparation of a safety evaluation report, ACRS review, and a hearing if requested by any intervenor -- but a second public hearing is not mandatory if no party or intervenor requests one. If a hearing is held, there is once again a right of appeal to the Appeal Board and a discretionary appeal available to the Commission itself.
The two-step process reflects the state of the nuclear power industry in its conceptual and developmental years, when there were many first-time applicants, designs and builders, and many unproven designs. But the situation has altered drastically in the intervening years. Final designs for most plant systems can now be described in detail at the preconstruction stage; where only preliminary designs can be submitted, there is a much higher degree of reliability that they will be consummated satisfactorily.
Insofar as the licensing process is supposed to provide a publicly-accessible, adversary forum for the resolution of safety issues relevant to the construction and operation of a nuclear plant, it is a sham. We reach this conclusion for a number of reasons.
First, the vast majority of safety issues are resolved during negotiations between the NRC staff and representatives of the utility and vendor which take place while the staff is performing its design review. Theoretically the meetings that take place and the correspondence back and forth are a matter of public record, but in fact the public and intervenor groups play no meaningful role in this stage of the process. By the time of the public hearing, the NRC's licensing staff has typically won the acquiescence of the applicant for most or all of the changes the staff deems necessary and has therefore satisfied itself of the adequacy of the design. At this point, the NRC staff appears as an advocate of the final design; in other words, the staff and the applicant are on the same side.
Intervenor groups, which have become more vocal, better funded and more able in recent years, still do not have either the technical expertise or the resources to make an effective challenge on technical safety issues at licensing hearings to the combined front of the NRC staff and the applicant's and vendor's experts. Thus, intervenors have tended to focus primarily on environmental, seismic, siting and emergency planning issues which can be more readily understood and debated by those who are not reactor safety engineers.
Even if intervenors were able to contest safety issues effectively, they would find it difficult to reach an array of licensing actions important to safety that are taken by the NRC staff outside of the formal license authorization process.
These include granting or denying amendments to CPs and OLs; determining that proposed changes in designs or procedures do not involve an "unreviewed safety question" and therefore do not require any license amendment; decisions whether to increase safety requirements at a particular plant or apply new regulatory requirements on a plant-specific basis; and resolution of the question whether certain equipment is "safety-related."
The separation of licensing into two stages, a CP and an OL, also frustrates effective challenge to design features of a plant from outside the NRC staff, and to some extent from the staff as well. At the CP stage only rough design plans -- one intervenor has called them "cartoons" -- are furnished. By the time the utility submits an application for an OL, the plant may be substantially constructed, and systems are either in-place or committed to. Thus, one lengthy safety review is conducted too early to be useful, the other too late to be effective. In between times, the sketchiness of the original design makes the task of the Office of Inspection and Enforcement that much more difficult during the construction period.
Moreover, consideration of "generic safety issues," such as the adequacy of a standard design feature to mitigate certain not-yet-analyzed accidents, has now been withdrawn from the licensing proceedings. Theoretically, these issues are dealt with by rulemaking or other policy decisions implemented
elsewhere in the NRC; in practice, it appears that many of these issues do not get meaningful attention anywhere.
The Appeal Board, which was originally intended to help coordinate consideration of generic issues, has for a good many years spent a substantial amount of its time and effort trying to interpret the Commission's substantive regulations and apply them to the facts in particular cases. The Board (and others) have repeatedly pointed out that many of these regulations are vague, inartfully drafted, and even in some instances incomprehensible. Other regulations have significant gaps. The Appeal Board should not, by default of the Commission, have to continue to interpret, "improve" and apply ambiguous standards.
The role of the ACRS, which once constituted the main repository of wisdom on thorny reactor safety problems and was supposed to help the Appeal Board deal with generic safety issues, has atrophied in the past decade. The regulatory staff, which has grown tremendously in that time period, no longer needs to rely on the ACRS. Since the ACRS is merely an advisory committee, its concerns and recommendations need not be made a part of the record in a licensing proceeding; in fact, the committee is not allowed to intervene as a party even when it has strong safety concerns. And the ACRS regards NRC licensing staff presentations before it of the staff's analyses of particular license applications as formalistic and unhelpful -- geared to the legalisms rather than the substance of the process.
Despite these problems, the ACRS probably comes closest to performing the function that the public probably thinks the Commission itself performs: an independent, high-level review of safety implications of plant design by distinguished experts in various fields of reactor safety. We believe the ACRS should be retained and its role strengthened by relieving the requirement that it advise the Commission on every license application, permitting it to play a more formal role as a party in licensing and rulemaking proceedings, and upgrading its staff.
Practically all those familiar with the process, including most Licensing Board members who responded to a questionnaire sent out by the Special Inquiry Group, agree that the formal hearing process does little to enhance the quality of reactor safety. Some of those who answered the questionnaire even believe that these formal proceedings discourage applicants and the NRC staff from dealing candidly with all sides of controversial safety issues in their analyses and evaluations. These materials, some say, have become legalistic tracts which recite the same assurances over and over in individual cases.
Contrary to what the public probably perceives, the Commissioners themselves play no role in licensing decisions except on rare occasions. In fact, the old AEC created the multiple levels that exist today for consideration of licensing decisions -- hearing board, appeal board, ACRS -- in large part to insulate itself from the licensing process. Not only
was the Commission reluctant to become involved for conflict-of-interest reasons, it simply was less interested in reactor licensing than in other matters within its jurisdiction. The 1974 reorganization creating the NRC, which stripped promotional activities from the new regulatory body, might have given the NRC the opportunity to become more involved in the final decision to grant a license -- perhaps the most important function that it performs. But the statutory and regulatory framework was kept intact, and prior to TMI the NRC took no steps to change prior practices.
At the same time that the Commission holds itself out as the "Supreme Court of licensing," but never grants certiorari to review a case, it isolates its members from detailed consideration of case-related safety issues by the so-called "ex parte rule." This rule provides in effect that after a case has been noticed for hearing, no Commissioner or member of a Commissioner's personal staff may consult the NRC staff about an issue in the case.
This rule was originally adopted by the AEC, which had by law been given both promotional responsibilities for nuclear energy and quasi-judicial functions in ruling on licenses. The NRC no longer suffers from this legal handicap. The ex parte rule goes far beyond the statutory requirements that govern the way independent regulatory bodies must conduct their business, including the Administrative Procedure Act. Its sole function today is to isolate the decision-makers who
have final authority to rule on reactor safety questions from those within their own agency who have the most knowledge and expertise about those questions, who presumably have been hired to help the decision-makers carry out their statutory responsibilities. We think that if the Commission is retained, the ex parte rule should be abolished forthwith; if this cannot be done by agency action, as we believe it can, it should be done with legislation.
We have come to the conclusion that the two-step licensing process should be abolished for nuclear plants of conventional design. (For new types of reactors, the two-stage system could be continued.) Instead, a single licensing proceeding should be held prior to construction in which detailed design plans are considered and approved. Once a license is granted, jurisdiction to oversee construction and confirm that the plant is constructed consistent with the design plans should be placed in the Office of Inspection and Enforcement. Where preliminary designs alone have been submitted and approved, final designs should be reviewed and approved by IE, after consultation with licensing staff in NRR. Limited work authorizations and the "immediate effectiveness" rule, two techniques which currently permit construction to begin before a CP is granted, tend to fragment and undermine the credibility of the licensing process and should be abolished.
In our view it is completely unnecessary to have license applications be subjected to two levels of appellate review. If the Commission is retained, then the Licensing Appeal Boards should be abolished and the Commission should be required to finally consider and approve every new reactor license. To carry out this task the Commission would probably require talented experts to assist it. We suggest that Appeal Board members could be transferred to a support office to assist the Commission in this work, which would permit the outstanding quality reflected in past Appeal Board decisions to be perpetuated in the decisions of the Commission, perhaps enhanced due to more consistent guidance interpreting regulations.
If the Commission is replaced with a single Administrator, as we have suggested, and the Appeal Board is retained, its decision on granting a license should be final and any appeal from the Appeal Board be taken to federal court. It would then become the responsibility of the Administrator to see to it that a comprehensive and unambiguous set of regulations was in place for the Appeal Board to apply.
Generic safety issues and other important policy issues should be handled by the Commission or the head of the agency directly, through rulemaking and policy directives, with the direct input of the staff, the ACRS and (even in the case of policy issues, in a more limited fashion) by intervenors. In particular, basic policy decisions having a primary impact on the level of safety provided to the public against the risks
associated with nuclear power plants, which are now made at various agency management levels, should be implemented through the rulemaking process. These decisions are often made without the input or knowledge of important parties. For example, the Standard Review Plan was developed and approved by the Office of Nuclear Reactor Regulation; the decision that a nuclear plant which conformed to the requirements of the Plan is "safe enough" from a licensing viewpoint was made by that Office with little or no effective input from segments of the Office, from other Offices within the Commission, from the ACRS, from the Commission or from the public. Such fundamental decisions that lead to the establishment of required safety levels for the nuclear industry in this country should be promulgated as agency policy through a more open and definitive procedure.
Of course, care must be taken to limit the use of the rulemaking process to broad policy considerations. If it is used to promulgate rules of a detailed technical nature it will likely do more harm than good. The detailed methods to achieve conformance to these requirements can be most effectively established and implemented by a tightly managed regulatory staff. The standard argument against the process is the potential cost in time and resources that may result from possible protracted public hearings on individual rules. We believe that steps can be taken to eliminate abuse of the hearing process. We have concluded that, in any event, the rulemaking process is on balance a necessary ingredient to
fair and open regulation and that it must be followed even though the costs and impacts are substantial.
NRR established a Regulatory Requirements Review Committee (RRRC) several years ago as one of its principal efforts to stabilize the safety review process. The Committee makes the final decision whether or not to impose a particular new regulatory requirement, and, if so, whether it should be backfitted to existing plants, required on plants under construction, or only in future plants. The decision to require changes in plants under construction is called "ratcheting"; the RRRC is popularly called the "ratchet Committee."
The Committee is composed of individuals at the Office or Division Director level. In response to internal and external criticism the operational procedures of the Committee were revised some time ago. However, even with the revisions, the performance of the Committee is in need of further improvement, in three specific areas.
First, the Committee's function is of sufficient importance to warrant its deliberations to be reported in some depth, if not actually transcribed completely. The Committee's decisions and the bases therefor should be fully documented.
Second, the voting members of the Committee are high level managers whose time is at a premium. They are not all able to devote the time necessary to review and assess the merits of the proposed changes submitted to them for decision.
The Committee membership should be reduced to the Deputy Division Director level; the Committee should be provided with a preliminary review and screening task group composed of one member from each of the organizations providing a voting member to the Committee; and finally the Committee should be provided with a full-time executive secretary.
Third, additional steps should be taken to increase the opportunity for industry and public involvement, and for the early and formal involvement of the Advisory Committee on Reactor Safety.
If our prior recommendation is implemented, the NRR will have the responsibility for licensing plants for construction and IE will thereafter have the responsibility for all activities associated with plants under construction and in operation. Accordingly, there must be a single integrated Committee established for the entire NRC staff, rather than its continuing to be a component of NRR.
At present, there is little or no meaningful public participation in the determination of individual technical issues relating to reactor safety, whether in licensing cases or in broader policymaking by NRC staff. We propose two steps, in addition to the recommendation above that rulemaking or similar proceedings be conducted to implement major safety policy decisions, to involve the public earlier and more effectively in these issues.
First, we recommend that an Office of Public Assistance be established which should report to the head of the agency. The primary functions of the office should be to:
Provide a source of legal and technical assistance to potential or actual intervenors and to public interest groups, whether opposed to or supportive of nuclear power in general or a specific application in particular.
Intervene directly in agency rulemaking or licensing proceedings, where appropriate, to assure that all necessary safety issues are ventilated.
Fund and monitor, where appropriate, independent technical peer review by independent outside experts.
Handle details of the intervenor financing suggested below.
This Office, removed from licensing, enforcement, and standards setting, should consist of a number of personnel whose expertise would encompass the technical disciplines and legal talents essential to the licensing process. A staff of about ten senior personnel should be sufficient for the initial operation of the Office. Given adequate staffing and the clear support of the highest level of the agency, the Office of Public Assistance would enhance the Commission's credibility with both the industry and the public.
The problem of providing for increased public involvement in the decisionmaking process cannot be separated from the question of providing public funding for such activity. If citizens or groups contribute materially to rulemaking or licensing efforts by pressing concerns that are not being urged by other parties, they should be reimbursed for their expense. Other agencies have programs to fund citizen participation and even, as under the Clean Air Act and Federal Water Act, citizen lawsuits. We recommend that a program of intervenor funding be adopted, for both licensing and rulemaking proceedings, that would permit intervenors who advanced contentions not being effectively pressed by other parties to be compensated for the expenses involved. This program could be administered through the Office of Public Assistance, with the final decision as to reimbursement being made either by that office, the licensing board or, in rulemaking proceedings, by the Commission or Administrator.
A one-step licensing process should encourage the use of standard designs. The advantages and disadvantages of standard nuclear plants with respect to licensing, design, and operational efficiency and safety effectiveness have received wide attention in the past several years. Since the late 1960's the NRC has evidenced a strong interest in standard designs. In April 1972 the Commission issued a policy statement on standardization and since then has actively supported a standardization program through additional policy statements and approvals of staff actions.
While the Commission has given its support to the staff's efforts to develop procedures for one-step staff approval of complete standard plant designs for use in construction permit and operating license applications, it has never made its use mandatory.
We have reviewed much of the information issued during the past decade on standardization and conclude that the use of the agency's standardization program by future applicants should be required unless the Commission itself grants an exception for good cause. We recommend that an appropriate policy statement be issued that would express this viewpoint, indicate the safety bases for the policy, and indicate that the staff has been directed to accelerate and expand its activities to develop the one-step approval process for the construction and operation of standard plants.
The use of the standard design for both the reactor system and the "balance of plant" should increase the level of safety, enhance the process of evaluating operating experience, and make for more efficient use of resources. In effect, under the one-step approval process, the NRC would license one or two standard designs by each vendor and AE, after an exhaustive review process of that design. These designs would not be "new designs," but an amalgam of the best features of current, proved designs. A utility would then be required, unless the Commission granted an exception, to purchase one of these standard designs. Any deviations necessary because of unusual seismic or other features of the site would then be reviewed separately in the licensing process; otherwise, the staff would not be required to go through a lengthy safety review in the case of every license application, having already reviewed and approved the standard design.
9. Improvement in Risk Assessment Techniques and in the Bases for Safety Review of Reactor Design.
The NRC's statutory mandate in licensing nuclear plants, unchanged from that of the AEC before it, is very general: to insure that the plants will "provide adequate protection to the health and safety of the public." Later interpretation of the word "adequate" makes clear that it does not mean absolute protection, or zero risk, and considerable discretion has been given by the courts to the agency to define this concept itself. In the agency's regulations and practices, the standard usually appears as "reasonable assurance" of safety, or as "no undue risk" to the public.
In the developmental period of the industry, when many untried designs were being submitted for licensing approval, the AEC developed a safety review process based on so-called "design basis accidents." A design was considered to be acceptable if its emergency systems could be shown to mitigate a group of specific postulated accidents, classified into eight categories of severity. (A ninth category of major disasters, called "Class Nine" accidents, was assumed to include calamities so unlikely -- and so difficult to mitigate -- that designs could disregard their hypothetical occurrence.)
In reviewing a particular design, the staff did not examine all of the systems and components in the plant, but only those deemed "safety related," i.e., those that might be essential to accident mitigation or whose failure could immediately cause a design basis accident.
In judging the reliability of these systems, the staff employed a concept called the "single failure criterion." This criterion is a requirement that a system designed to carry out a specific safety function must be able to fulfill its mission in spite of the failure of any single component within the system, or failure in an associated system that supports its operation. (In reality, the single failure criterion is a double failure criterion: it requires the design to bring the plant to a safe shutdown despite occurrence of an accident plus the failure of any one other safety component or system.) The purpose of the single failure criterion is to promote reliability by requiring redundancy in systems that must mitigate accidents: either two separate and independent systems of each kind, or a back-up system capable of performing the same function.
The NRC inherited and has continued to apply this highly stylized system of determining whether designs are acceptable for licensing, despite the fact that we now have accumulated concrete experience with these designs and a far better basis for estimating failure rates and pinpointing weaknesses, and despite the fact that our techniques of risk assessment with this technology have improved substantially in the past two decades. The approach incorporating the three concepts described has worked admirably to produce reactor designs that have compiled an excellent safety record. But the Three Mile Island accident suggests that this stylized process
should now be amalgamated with, or even supplanted by more sophisticated and comprehensive techniques of risk assessment.
First, the design basis accidents against which a reactor design is judged are, for the most part, large-scale failures. Analysis in the review process assumes that if a design can handle a big accident, it will a fortiori be able to handle a small one. The smaller accident is regarded as being "within the design envelope," in the jargon of the trade.
Yet the NRC has been on notice for some time that the best quantitative risk assessment of reactor plants, using "fault tree" analysis in which postulated failures are followed out with a host of different possibilities to determine the likeliest outcomes, shows that the greatest risk of an accident comes not from these major failures but from small loss-of-coolant accidents, and relatively routine transients compounded by multiple failures or human error. This was the conclusion of the Reactor Safety Study or "Rasmussen Report," an independent study of reactor safety commissioned by the agency in 1974 which sought to apply quantitative analysis across the board to determine the overall hazards from accidents in nuclear plants. These types of potential accident sources have, however, been all but ignored by the NRC in the past few years. The Three Mile Island accident, of course, involved all four elements: a routine loss-of-feedwater transient, which should have been mitigated by safety systems; a
stuck-open valve, causing a small loss-of-coolant accident in an unexpected place, the top of the pressurizer; misleading instrumentation; and operator action to cut down the effectiveness of the emergency core cooling system.
Second, the Rasmussen study showed that up to ninety percent of the risk of an accident at a nuclear plant is associated with the prospect of human error. Although efforts are made to factor this possibility into the design review process, our impression is that they have not succeeded on an across-the-board basis. Certainly, there is little consideration given in the process to what operators are likely to see on their instruments during various transients and accident sequences, and how they are likely to respond based on their training and procedures, as the Westinghouse analysis of the Beznau accident and the studies of the 1977 Davis-Besse accident prove.
Third, the current classification of systems and equipment into "safety-related" and "non-safety-related" is especially unsatisfactory. The distinction is important because systems not "important to safety" are not reviewed by NRC to see whether they will perform as intended or meet certain criteria; they do not require redundancy; and they do not receive continuing supervision or surveillance to see that they are properly maintained or that their design is not changed in some way that may interact negatively with other systems.
Historically, it has been the utility rather than the NRC which designated, in its own design analysis, which systems were "safety-related." Where the NRC disagreed, the final determination has, in the past, often been made on an ad hoc basis.
The arbitrary nature of the distinction as a boundary of NRC's attention to design can be seen in the Three Mile Island accident. If the accident had been a mystery story, the punch line might have been, "the water softener did it." For the accident was triggered by a failure in the condensate polisher units of the secondary or feedwater system -- in essence, eight parallel resin demineralizers that constantly remove impurities from the feedwater just as a water softener removes harsh chemicals from drinking water. The inlet and outlet valves on all eight units closed, causing a total interruption of feedwater flow, automatic shutdown of the feedwater pumps, the heating up of the (independent) primary system when the feedwater system stopped removing heat from it, and the opening of the pressurizer relief valve when rising heat in the primary system created additional pressure in that system.
Virtually the entire feedwater system, including the condensate polishers, was regarded as "non-safety related" in the TMI Unit 2 plant. Had any scrutiny been given to the polishers, design flaws and design changes might well have been identified as potential safety problems. The inlet and outlet valves were originally designed to "fail as is" on any malfunction or loss of power. That is, these valves would "freeze" in whatever position they had been in prior to malfunction, whether open or closed. But during or after the installation of the system, the wiring was altered so that the valves all failed closed in the accident. This same phenomenon had occurred on at least one prior occasion during "hot testing" (testing with heat generated by the pump motors, but no nuclear fuel), and Met Ed plant employees had recommended that an automatic bypass valve be installed to meet the problem; but this was not done.
The pressurizer relief valve that stuck open was also not categorized as "safety-related," even though its failure caused a leak in the primary coolant system. In general, non-safety systems are assumed in the design process to perform in whatever way is least helpful to mitigation of the accident. Since the pressurizer relief valve had a block valve behind it that could be closed, it was assumed operators would shut the block valve if necessary. The fact that the design and instrumentation of the relief valve was not subjected to NRC scrutiny meant there was no evaluation of the decision by Met Ed to install an indicator light showing only whether the relief valve had been instructed to close, not whether it had actually closed. Thus, the possibility that the operators would be misled and would not close the block valve was never considered in the design process -- nor was the possibility that this error could in turn cause the pressurizer water level indicator to show that the reactor coolant system was
p. full when in fact it was steadily emptying. To complete the circle, control room design and most instrumentation and oper-ator procedures also were regarded as "non-safety related." After reactor core cooling was stablized on the evening of March 28, the principal threat to the public was from releases of radioactive gases from leaking or overloaded sys-tems in the " auxiliary building," next to the reactor contain-ment building. These systems were never designed to handle the radioactive byproducts of a serious accident to the reac-tor core because such an accident was considered a Class Nine " event" -- so unlikely that, in effect, it was never supposed to happen. Filters, waste gas decay tanks, pump seals and other components in this area, like some equipment in the reactor system itself, had to be relied upon to do more than they were expected to do in the design analysis. tihat these examples demonstrate is that we have come beyond the point at which the existing stylized design basis accident review approach is sufficient -- we now know that that process is not good enough to pinpoint many important design weaknesses or address all the relevant design issues. More quantitative methods of risk assessment have been devel-oped that can be employed in safety assessment of design and operation. But the Commission has been slow to adopt them, even though they have been used in other disciplines and tech-nologies for some years. 91
The Rasmussen Report, although viewed by many critics primarily as an attempt by the Commission to "reassure" the public about the negligible risk of nuclear accidents, represented a prodigious effort to apply quantitative risk assessment to reactor safety. An NRC group (the "Lewis Committee") formed in 1977 to review the accuracy of the Rasmussen Report's conclusions concluded that that methodology was fundamentally sound and should be utilized by the NRC, even though Lewis heavily criticized the Executive Summary to the Rasmussen Report (the only portion read by the vast majority of the public) and concluded that the Report's ultimate position about the low risk of accidents could not be accepted. The Nuclear Regulatory Commissioners, seeming not to understand these conclusions, then adopted a policy statement in effect discrediting the entire Rasmussen effort.
Given the experience gained to date in reviewing designs which have become relatively familiar, and the operating data available on these designs, the NRC ideally should be able to put aside the design basis accident approach and adopt more quantitative approaches which focus on a larger spectrum of plant systems, identifying weak points and upgrading design requirements to eliminate them. However, at the least a transitional or hybrid approach might be employed similar to that by which, under NRC regulations, the efficacy of emergency core cooling systems to cope with large loss-of-coolant accidents is now evaluated.
Some of the aspects of a transitional approach could include the following:
- Expand the spectrum of design basis accidents used for safety assessment purposes by using operational experience, research results, lessons from accidents, and advice from the ACRS.
- Employ mixed quantitative and design basis accident methodologies.
- Include the effects of multiple equipment and human failures if the likelihood for the occurrence of a set of multiple failures is not substantially less than that for single failures.
- Provide a rigorous procedure for classification of equipment on the basis of safety significance.
- Include human factors considerations, operational procedures and the operations management and technical organization and personnel in the review process.
- On a selective basis, determine whether some design feature to mitigate the effects of Class Nine accidents should be required.
- Provide an integrated plant system analysis of the entire plant, insofar as possible.
10. Moratorium on New Construction Permits.
We have recommended above that the licensing process, the bases for safety review of designs and the management of the NRC be substantially overhauled. Until these changes are accomplished, we do not believe that new applications should be put through an old process of review.
However, we are firmly against any moratorium or delay for delay's sake. A commitment should be made to effect the necessary changes, and they should be implemented as soon as possible. If we are going to build additional commercial nuclear power capacity, protracted delay which causes experienced, qualified and highly motivated people in the NRC, the vendors and the architect-engineer firms to seek employment in other fields can only be harmful to safety.
There is no need for a "breathing space" to "reconsider the issues" relevant to improving nuclear reactor safety. As far as safety is concerned, the issues are clear. The only question is whether the Executive Branch and Congress are going to take the steps necessary to implement the kinds of fundamental changes discussed in this Report, the Report of the President's Commission and other reports already issued by offices of the NRC and by the congressional oversight committees.
11. Separation of the Generation of Nuclear Electricity from Its Sale.
One of our charges was to investigate allegations that Met Ed rushed TMI Unit 2 into commercial operation at the end of 1978 in order to realize tax or other financial advantages, compromising safety in the process. Although we uncovered virtually no evidence to support these particular allegations, our investigation did reveal the extent to which any utility in the latter stages of constructing a nuclear plant (and afterwards) comes under diverse and often competing financial pressures from a variety of directions -- the IRS, the state's public utility commission (PUC), FERC (formerly the FPC, the federal agency that regulates wholesale electric power rates), local ratepayers' organizations, the company's own shareholders, and of course the NRC. Few of these pressures arise from safety concerns; indeed, many may be counterproductive to safety. Yet there is no coordination between the various agencies involved, and little appreciation by any of them of the pressures generated by the others.
We also found surprising fragmentation of responsibility and skilled manpower within the industry. The law places sole responsibility for the safe construction and operation of a nuclear power plant on the utility company that owns it, the NRC's "licensee." But typically, the utility possesses less nuclear expertise than any other participant in the enterprise. The real engineering talent lies with the "vendors" and architect-engineer companies (AE's) that design and build the plants, and with the Government.
The first commercial nuclear plants were "turnkey" projects in which entire plants, both nuclear and non-nuclear systems, were designed and built as a unit by GE or Westinghouse for a fixed price and then turned over to a utility company for operation. In this country that pattern has changed. Now the utility hires an architect-engineer firm like Bechtel or Stone & Webster to serve as "general contractor," design the overall layout of the plant and serve as the utility's technical advisor in buying the reactor system itself, which in price may amount to no more than 15-20% of the total project.
But the pattern is not so different. Except in the case of the largest and most experienced nuclear utilities like TVA and Duke Power, the vendor's experts and those of the AE do battle as the utility's champions with the NRC's experts to win a license, and they also construct and supervise the testing of the new plant. In the meantime, these companies are helping the utility build up its operating engineering department, find and train competent operators and supervisors to run the yet-to-be-completed plant, and write operating procedures. When testing is complete and the plant goes into service, then the utility is on its own.
Vendors especially are resentful of the suggestion that they could be analogized to new car dealers who "flip the keys" to the car buyer and then walk off the lot. But the fact remains that any continuing partnership between the operating utility and the vendor depends in large part upon the utility's willingness to pay for additional services. Of course, to follow the analogy, it does not require the same level of expertise to drive a Cadillac as it does to build one.
The point is that the more comprehensive nuclear experience and engineering skills possessed by the vendors and AE's are utilized by the utilities only on an individualized basis. A utility may elect to hire exclusively operators and supervisors already trained in the nuclear Navy and retrain them as necessary to pass NRC exams. It may decide to pay to put all of its operators through training programs run by the vendor and to use the vendor's simulator, even though the machine does not precisely duplicate its own plant. Or it may choose to mount its own sophisticated training program and build its own simulator, at considerable expense.
We also found that this fragmentation gives rise to some important disincentives to safety. For example, during construction a utility may be reluctant to install a "better" sub-system than the one already approved by the NRC lest time be lost to re-review by NRC, or the state PUC not permit the additional expense to be included in the rate base on the ground that the improvement is unnecessarily expensive. The vendor, for its part, may be reluctant to stress the importance of the improvement lest it be required under its contract with the utility to pay for the change as part of a "licensable plant." Similarly, after construction is complete, the vendor may shrink from identifying design deficiencies for fear that the NRC will require a "fix" to be backfitted into existing plants of the same design, either costing the vendor additional money or, if the utilities end up paying, the antagonism of its customers.
In candid, off-the-record discussions we conducted with our consultants, with senior management of a cross-spectrum of vendors and AE's, and with others we repeatedly heard that there is a wide diversity in the competence of the various nuclear utilities to operate existing plants in a safe fashion. Given the financial pressures and disincentives to safety that inhere in the present system, and given the NRC's lack of continuing scrutiny of the technical qualifications and management competence of utilities to operate existing plants, we have serious questions whether this situation can be allowed to continue.
The electric utility industry has recently established an industry-wide institute that will undertake to police the management and operating competence of its members. If linked to a plan for co-insurance by the utilities of the cost of replacement power that would result from a nuclear accident, so that a utility that did not receive a passing grade from the institute's own inspectors and auditors would be excluded from the co-insurance pool, this plan has some chance for success. We urge its rapid implementation.
The fact remains that nuclear technology is different in kind from the traditional technology of electric generation by fossil fuel and hydroelectric means -- more dangerous, more sophisticated and more demanding of advanced management, maintenance, and quality control. Our impression is that different utilities accord their nuclear power generation units different priorities and different amounts of resources. It may be that some utilities do not have the management or the money to operate nuclear plants in the safest fashion.
All of these considerations lead us to conclude that serious consideration should be given to separating the generation of electricity by nuclear reactors (including both construction and operation of plants) from the sale of this electricity, either for some or all nuclear plants.
There are a number of alternatives that might be considered to accomplish or move toward this goal. Existing plants could be operated (and new plants constructed) by an industry-wide consortium, or by a semi-public corporation such as COMSAT. This entity would manage the plants; select, train and employ operators, supervisors and engineers; standardize operating conditions and procedures; and, with the cooperation of vendors, systematically evaluate operating experience and implement changes in design or operations. Operating budgets could then be developed on a system-wide basis. The Company or entity would, in turn, sell electric power to the Utilities for resale to customers.
Alternatively, such an entity could be established immediately to operate existing plants now owned by the smaller utilities and provide additional technical assistance to these companies, on a contract basis. Such a partial approach would at least meet the most serious part of the problem.