ML13165A362

G20130460/LTR-13-0521 - Kay Drey, Beyond Nuclear Ltr. Callaway - Event That Occurred on October 21, 2003
ML13165A362
Person / Time
Site: Callaway (Ameren)
Issue date: 06/03/2013
From: Drey K
Beyond Nuclear
To: Macfarlane A
NRC/Chairman
Shared Package
ML13165A363 List:
References
G20130460, LTR-13-0521


Text

Kay Drey
515 West Point Ave.
St. Louis, MO 63130
tritium3@sbcglobal.net

June 3, 2013

Chairman Allison Macfarlane
U.S. Nuclear Regulatory Commission
Mail Stop: 0-16G4
Washington, DC 20555-0001

Dear Dr. Macfarlane:

First, I would like to wish you success in your position as chairman of the Nuclear Regulatory Commission. The challenges you have agreed to take on, as head of our nation's nuclear power facilities, are so very complex and potentially dangerous. I deeply respect and appreciate your courage, and I wish you well during your tenure.

I am a Board member of a national organization called Beyond Nuclear, located in Takoma Park, MD. We advocate for an energy future that is sustainable and safe. I have been reading, writing and speaking about nuclear power since 1974.

This letter is to request your personal attention to an event that occurred at the Callaway nuclear power plant here in Missouri, on October 21, 2003. In February 2013 the International Nuclear Safety Journal (INSJ) published a paper on the event. The author of the paper was Lawrence Criscione, a Risk & Reliability Engineer for the Nuclear Regulatory Commission. I have been following the NRC's handling of the October 2003 event since it was first brought to my attention by Mr. Criscione in 2008.

The purpose of this letter is to request the NRC's assessment of Mr. Criscione's paper and to determine where Mr. Criscione's assessment of the event deviates from the NRC's. If possible, I would appreciate it if you would be able to provide answers to the questions below:

In the synopsis of his paper, Mr. Criscione states:

On October 21, 2003 the operators at Callaway Plant failed to notice the pressurized water reactor (PWR) passively shutting down and fission power lowering into the source range. Plant data shows that for 107 minutes the reactor was subcritical with its control rods still at their last critical rod heights; 85 minutes of which were spent in the source range. There were no Source Range Nuclear Instruments (SRNIs) energized for the first 45 minutes that the reactor was in the source range, and the US Nuclear Regulatory Commission (NRC) believes that during this time the operators were unaware the reactor was no longer critical. For the last 40 minutes the operators were consciously aware of the state of the reactor and yet chose to informally rely on Xenon-135 to prevent the reactor from inadvertently restarting. The control rods were left withdrawn during these 40 minutes in order to conceal the incident from the utility's upper management.


With regard to the above paragraph, sections 2.4 through 2.6 of the paper, sections A.1.5 through A.1.12 of the appendix to the paper, and section A.3, please address the following:

1. Does the NRC agree with Mr. Criscione's analysis? Did the reactor passively shut down? What terms would the NRC use to describe the manner in which the reactor shut down on October 21, 2003? Are reactors such as the one at Callaway Plant typically shut down by inserting the reactor control rods? Is it abnormal for a reactor to shut down due to the buildup of Xenon-135 and then have its control rods inserted 107 minutes later?
2. Does the NRC agree with Mr. Criscione's statement in section 2.4 of his paper that "... it is the NRC's assessment that the operators did not become aware of the shutdown status of the reactor until the first Source Range Nuclear Instrument (SRNI) energized over an hour (11:25) after the reactor had passively shut down"? Were the operators cognizant of the nuclear fission reaction shutting down as it was occurring, or, as Mr. Criscione states in section A.1.5, does the NRC believe "the failure of the operators to take any action to actively control reactivity indicates that the operating crew was unaware of the status of the nuclear fission reaction as the reactor passively shut down and lowered in power from the POAH to the source range"? Were the operators cognizant of fission power lowering into the source range?

3. In section A.1.5 of his paper and on Table A.3 Mr. Criscione details what was occurring in the control room while reactor power was lowering into the source range. Does the NRC agree with Mr. Criscione's analysis that "It is unlikely that, had the Senior Reactor Operators (SROs) realized the reactor was transiting into the source range with its control rods still at their critical rod heights, the SROs would exercise such fundamentally bad judgment as to prioritize the ancillary tasks listed on Table A.3 over actively driving the reactor to a shutdown condition by inserting the control banks"? Did any of the tasks listed on Table A.3 prevent the crew from inserting the control banks? For any of the tasks listed on Table A.3, is it the NRC position that the performance of those activities should have rightly taken precedence over inserting the control banks?
4. Does the plant data show that for 107 minutes the reactor was subcritical with its control rods at their last critical rod heights? Does the NRC believe the data presented in Figures 1-4 is accurate? Does the NRC agree that the reactor passively shut down sometime between 10:13 and 10:18 am? Does the NRC agree the reactor lowered below the Point of Adding Heat around 10:23 am? Does the NRC agree the operators did not begin inserting the control banks until around 12:05 pm?
5. Does the plant data show that for 85 minutes the reactor was in the source range and that there were no Source Range Nuclear Instruments energized for the first 45 minutes of the reactor being in the source range? Does the NRC agree the reactor entered the source range around 10:39 am? Does the NRC agree the first Source Range Nuclear Instrument automatically energized at 11:25 am? Is it normal for a reactor such as the one at Callaway Plant to be in the source range without any Source Range Nuclear Instruments energized? Is it normal for the Control Banks still to be withdrawn as the reactor enters the source range following power operations?

6. In sections A.1.6.1 through A.1.6.5 Mr. Criscione analyzes the tasks "which, from 10:18 to 11:25 supposedly took precedence over inserting the control rods." Does the NRC agree with Mr. Criscione's position that "if the operators' sworn testimony is to be believed--- that is, if it is believed the operators were aware the reactor had shut down shortly after the manual turbine trip --- then it was gross negligence for them to prioritize the ancillary activities detailed above [in sections A.1.6.1 through A.1.6.5] over their fundamental duty of actively controlling the nuclear fission reaction by inserting the control banks"?

7. In section A.1.6.6 Mr. Criscione states: "As the body which issues licenses to the operators of US commercial reactors, the NRC presumably has a process for removing the licenses of operators who, by their own sworn testimonies, demonstrated they behaved in a manner which was grossly negligent". Does the NRC have a process for removing the licenses of operators who demonstrated they behaved in a manner which was grossly negligent? When was the last time the NRC removed the license of a Senior Reactor Operator for exercising poor judgment during the operation of a reactor plant? When was the last time that Mr. Lantz's Senior Reactor Operator license was renewed? Was Mr. Lantz's performance on October 21, 2003 ever evaluated prior to renewing his SRO license?
8. Does the NRC agree that "For the last 40 minutes the operators were consciously aware of the state of the reactor"? Does the NRC agree with Mr. Criscione's analysis in section A.1.9 that when the channel 2 Source Range Nuclear Instrument automatically energized it caused alarm window 77E, "Source High Voltage Failure," to flash and audibly annunciate "to indicate one of the input channels feeding the alarm was cleared"? Does the NRC agree with Mr. Criscione's statement in section A.1.9 that "From 11:25 onward, the operators were consciously aware that the reactor was in the source range with its control rods still at their critical rod heights"?
9. Does the NRC agree with Mr. Criscione's assessment that even though the operators were aware the reactor was in the source range from 11:25 onward, for an additional 40 minutes they "yet chose to informally rely on Xenon-135 to prevent the reactor from inadvertently restarting"? On Table A.5 Mr. Criscione lists the activities being performed in the control room from 11:25 through 12:05. Does the NRC agree with Mr. Criscione's statement in section 2.6 that "The NRC determined that none of the activities being performed by the operating crew from 11:25 to 12:05 were required for inserting the control banks nor did the activities justify the 40 minute delay in inserting the control banks"? Does the NRC believe that 40 minutes was a reasonable amount of time for the crew to take to begin inserting the control banks? In section A.1.11 Mr. Criscione argues that the operators did not have a formal calculation to show adequate shutdown margin until 12:55. Does the NRC disagree with any of Mr. Criscione's statements in section A.1.11? Was there a formal calculation in place prior to 12:55 that there was adequate shutdown margin?

10. Does the NRC agree with Mr. Criscione's assessment that "The control rods were left withdrawn [by the operators] during these 40 minutes [from 11:25 until 12:05] in order to conceal the incident from the utility's upper management"? Has the NRC uncovered any evidence that, prior to February 2007, upper management at Callaway Plant was aware the reactor was already in the source range when the control rods were inserted at 12:05 pm? One of the reactor operators logged the energizing of the Source Range Nuclear Instruments in the Reactor Operator's log as occurring at 10:34 am. Who at Callaway Plant reviews the Reactor Operator's log following a plant shutdown? Is the Reactor Operator's log routinely reviewed by any member of management beyond the Operations Manager? Section 2.6, section A.1.10 and section A.3 contain Mr. Criscione's arguments that the operators at Callaway Plant intentionally covered up the October 21, 2003 inadvertent passive reactor shutdown. Does the NRC agree with Mr. Criscione's analysis contained in sections 2.6, A.1.10 and A.3? What, if anything, does the NRC disagree with in these sections?

In addressing the above questions, I would appreciate it if you would be as specific as possible. I am aware that the NRC has spent a lot of time investigating the October 21, 2003, event at the Callaway Plant. With so much time invested in this event, I would hope that the NRC has a clear picture of what occurred on that date and will be willing to provide detailed answers to the above questions.

Thank you.

Sincerely,


Kay Drey
Board member -- Beyond Nuclear

Enclosure

cc:
Louis Clark, President, Government Accountability Project
The Honorable Edward Markey, U.S. House of Representatives -- Energy & Commerce Committee
The Honorable Jeanne Kirkton, Missouri House of Representatives
David Lochbaum, Director of the Nuclear Safety Project, Union of Concerned Scientists
Tom Voss, Chairman of the Board, President, and CEO of Ameren Corporation
Admiral (Ret.) Robert F. Willard, President and CEO, Institute of Nuclear Power Operations

International Nuclear Safety Journal, Vol. 1, No. 1 (2013)

Analysis of the October 21, 2003 Unintentional Passive Reactor Shutdown at Callaway Plant with regard to aspects of Reactivity Management, Corporate and Regulatory Oversight, Nuclear Safety Culture, and Operating Experience

Lawrence S. Criscione,¹ PE

Abstract

This paper analyzes a reactivity management event at a US NPP (Nuclear Power Plant) which resulted in the unrecognized inadvertent passive shutdown of the reactor. The event was not documented in the NPP's Corrective Action Program by the operating crew involved and was not reported by the utility to the United States Nuclear Regulatory Commission (NRC, the nuclear regulatory authority) or to the Institute of Nuclear Power Operations (INPO, the industry consortium to which the plant is a member and is expected to report significant operating experience). This paper provides: (1) a description and analysis of the event, (2) analysis of the plant's response to the event and the shortcomings of relying on corporate self-regulation, (3) analysis of potential shortcomings in the US nuclear industry's Operating Experience collection efforts, (4) analysis of the regulatory challenges pertaining to the response to events that clearly are adverse to the nuclear Safety Culture yet do not clearly violate any regulations, and (5) the difficulties faced by the regulator with regard to discriminating between and making judgments of "gross negligence" and "dereliction of duty". The description of the event, the organizational responses to it, and the listed references contain valuable examples of shortcomings involving Reactivity Management, nuclear Safety Culture, Nuclear Criticality Safety, Corporate Oversight, and Regulatory Agility.

Key Words: Reactivity Management, Safety Culture, Criticality, Nuclear

SYNOPSIS

On October 21, 2003 the operators at Callaway Plant failed to notice the pressurized water reactor (PWR) passively shutting down and fission power lowering into the source range.² Plant data shows that for 107 minutes the reactor was subcritical with its control rods still at their last critical rod heights; 85 minutes of which were spent in the source range. There were no Source Range Nuclear Instruments (SRNIs) energized for the first 45 minutes that the reactor was in the source range, and the US Nuclear Regulatory Commission (NRC) believes that during this time the operators were unaware the reactor was no longer critical [1]. For the last 40 minutes the operators were consciously aware of the state of the reactor and yet chose to informally rely on Xenon-135³ to prevent the reactor from inadvertently restarting. The control rods were left withdrawn during these 40 minutes in order to conceal the incident from the utility's upper management.

1 The author was a US NRC licensed Senior Reactor Operator (SRO) at Callaway Plant. His involvement with the 2003-10-21 and 2005-06-17 reactivity management incidents began in early February 2007 when he performed the initial analyses of the two incidents [.J1.]. In addition to working as an operator and engineer at Callaway Plant, the author is a veteran of the US Navy's nuclear submarine force, has worked for the US nuclear utilities Exelon and FirstEnergy, and is currently a Reliability and Risk Engineer in the US Nuclear Regulatory Commission's Office of Nuclear Regulatory Research (RES). The views expressed by the author do not necessarily represent the views of the US NRC. The author can be contacted at LSCriscione@gmail.com for any questions concerning this paper.

2 The source range is a very low rate of fission (about one-millionth the maximum rate at which the reactor is designed to operate) which is characterized by a stable fission rate sustained by neutrons released from non-fission sources.

The October 21, 2003 reactivity mismanagement incident was never documented by the operating crew and was thus not analyzed by the utility at the time of its occurrence. A similar inadvertent passive shutdown occurred at Callaway Plant on June 17, 2005 resulting in a generation loss of 35.7 GW-hrs.⁴ Both the 2003 and 2005 passive shutdowns were documented in February 2007 in the utility's Corrective Action Program, but the utility's upper management did not investigate the root cause of the incidents and did not question why they had gone undocumented for so many years.

The utility did not submit the incidents to the Institute of Nuclear Power Operations (INPO) when information on such incidents was requested during the distribution of WANO⁵ SOER⁶ 2007-01, Reactivity Management. During 2007 all relevant levels of management at the utility were informed of the 2003 and 2005 incidents. The failure to share this information with INPO/WANO demonstrates severe shortcomings in the utility's implementation of an international communication network for sharing nuclear operating experience.⁷

The NRC conducted three separate investigations of the October 21, 2003 incident. None of the investigations sought to understand what had occurred; rather, the intent of each investigation was merely to determine what, if any, regulatory requirements were violated.

The sections below and the appendix contain analysis of the October 2003 event with regard to: (1) technical lessons learned for operating reactor plants at low power levels, (2) nuclear Safety Culture, and (3) the regulatory response. Recommendations for improving plant operations and oversight are provided where appropriate.

3 Xenon-135 (¹³⁵Xe) is a radioactive waste gas which builds up as the reactor lowers in power and then later (around 10 hours after the reactor has shut down) lowers in concentration. ¹³⁵Xe has a much higher affinity for neutrons than uranium and, as long as there is enough of it present, it can temporarily keep the reactor from restarting.

4 This equates to about $1 million in lost revenue. Although this is but a slight fraction of the utility's annual revenue, it was a wholly avoidable loss and not addressing it is indicative of a poorly managed organization.

5 World Association of Nuclear Operators (WANO)

6 Significant Operating Experience Report (SOER)

7 One of the recommendations following the 1979 accident at Three Mile Island was: "There must be a systematic gathering, review, and analysis of operating experience at all nuclear power plants coupled with an industry-wide international communications network to facilitate the speedy flow of this information to affected parties. If such experiences indicate the need for modifications in design or operation, such changes should be implemented according to realistic deadlines."~ p. 68] Per Generic Letter 82-04 the NRC has considered this recommendation met for plants participating in the Significant Event Evaluation and Information Network (SEE-IN) run by INPO [g pp. S-6 of §2].


1. INTRODUCTION

"We note a preoccupation with regulations. It is, of course, the responsibility of the Nuclear Regulatory Commission to issue regulations to assure the safety of nuclear power plants. However, we are convinced that regulations alone cannot assure safety. ... This Commission believes that it is an absorbing concern with safety that will bring about safety - not just the meeting of narrowly prescribed and complex regulations."

- Kemeny Commission, 1979

Around 10:18 on the morning of October 21, 2003 the reactor at Callaway Plant passively shut down due to a sharp rise in temperature while operating near the Point of Adding Heat.⁸ The reactor became subcritical and its power level lowered into the source range. Over the next 107 minutes, the passive buildup of ¹³⁵Xe kept it from restarting. The risk of core damage during these 107 minutes was substantially less than during any given 107 minutes when the reactor is operated at 100% power.

Given the low risk of core damage, there are some who might refer to the 2003-10-21 passive shutdown as a "non-event". Yet there is much more to nuclear safety than risk calculations for core damage. And there is much more to nuclear safety than verbatim compliance to narrowly written technical requirements. Fundamental to nuclear safety is the competence and integrity of the individuals allowed to operate and manage nuclear reactor plants.

In Section 2 and the appendix, this paper will show significant Human Performance (HuP) errors were made on 2003-10-21:

1.A. The event was triggered by a severe reactor coolant temperature excursion (a 5°C drop in 25 minutes) which resulted from the operators failing to recognize the effect ¹³⁵Xe was having on core reactivity.

1.B. The passive shutdown of the reactor went unnoticed for approximately 67 minutes.

1.C. For over 45 minutes the reactor was in the source range with no Source Range Nuclear Instruments (SRNIs) energized and with the control rods still at their critical rod heights.

8 The Point of Adding Heat (POAH) is the point at which fission power is large enough to appreciably affect other reactor plant parameters (primarily reactor coolant temperature and fuel temperature). The POAH varies with a number of factors; for example, it typically is much larger during a reactor shutdown than during a reactor startup since during a reactor shutdown there is more heat being produced by the decay of fission product daughters (i.e. the "nuclear waste" inventory in the reactor's fuel cells). Below the POAH, a US designed PWR loses some of its inherent ability to passively mitigate power changes. In the US, pressurized water reactors are designed such that a rising fuel temperature inserts negative reactivity and thereby dampens the nuclear fission reaction. As a corollary, a lowering power level causes temperature to lower which inserts positive reactivity and thereby buffers the lowering reactor power (see Figure 7). Below the POAH, the reactor is significantly more difficult to control since the operator must directly respond to reactivity changes whereas above the POAH the operator can allow slight (i.e. a fraction of a degree) changes in temperature to passively control the reactor and thereby the operator need only respond to the more easy to manage temperature changes and not the harder to manage reactivity changes.

1.D. Once the passive shutdown was recognized (after a SRNI automatically energized), for 40 minutes the operators informally relied on ¹³⁵Xe to keep the reactor from restarting while they completed ancillary tasks. There are strong indications (see sections A.1 and A.3 of the appendix) that this 40 minute delay was effected to conceal the event from the utility's upper management.⁹

1.E. The operators did not submit condition reports on the passive reactor shutdown or on the ¹³⁵Xe induced temperature excursion which led up to it. A highly similar passive shutdown occurred on 2005-06-17 which resulted in a 31 hour loss of generation (see Figure 6). If procedure changes effected in March and August 2007 (as a result of the 2003-10-21 shutdown) had been effected prior to June 2005, it is likely that the 2005-06-17 passive shutdown would not have occurred.

The event was not documented in the utility's Corrective Action Program (CAP) until 3½ years after it occurred. In section 3 this paper will show that in 2007, when finally informed of the event, the utility's response had numerous shortcomings:

1.F. The initial condition report on the incident was screened at a significance level that allowed it to be closed with no investigation.

1.G. It took over 6 months for the utility to provide procedural guidance for conducting low power operations, which was a corrective action to prevent recurrence of the 2003-10-21 event.

1.H. The Shift Manager and the Control Room Supervisor made unsubstantiated statements concerning the incident in a Quality Assurance record. [.2.]

1.I. The utility has yet to share the event with INPO/WANO, in spite of the INPO request for such events which accompanied WANO SOER 2007-1, Reactivity Management.

1.J. After knowing about the incident for 5½ years, as of September 2012 the utility still had not trained its licensed operators on the most significant aspects of the incident:

a. The failure of the crew to recognize that the 5°C temperature transient which preceded the passive shutdown was being induced by ¹³⁵Xe buildup and had nothing to do with recently placing the turbine drains in service.
b. The operation of the reactor in the source range for 45 minutes with no Source Range Nuclear Instruments energized and with the control rods still at their critical rod heights.
c. The failure of the crew to recognize the passive shutdown of the reactor until a Source Range Nuclear Instrument automatically energized after 67 minutes.
d. The gross misjudgment of the crew in choosing, for 40 minutes,¹⁰ to informally rely on ¹³⁵Xe to keep the reactor from inadvertently restarting.

9 The utility's Outage Control Center (OCC) was expecting the reactor to be shut down around noon. By delaying 40 minutes, the crew began inserting the control banks at 12:05. No one outside the reactor's Main Control Room was informed that instead of using the control rods to actively shut down the reactor, the control rods were instead being inserted into a reactor core which had passively shut down nearly two hours earlier.

10 It should be noted here that the utility still claims (as of September 2012) that their operators were aware of the status of the reactor for the entire 107 minutes that the reactor was shutdown with its control rods at their critical rod heights. So from the utility's position, item 1.J.c does not apply and item 1.J.d should read 107 minutes instead of 40 minutes.


The items listed above make the 2003-10-21 event of grave regulatory concern. In the United States, the utilities which own nuclear reactor plants are responsible for ensuring their plants are safely operated. With just a few exceptions (e.g. the Tennessee Valley Authority), most nuclear utilities are private corporations operated for the profits of shareholders. The public relies on the US Nuclear Regulatory Commission to ensure that these private companies operate their reactors in a manner which does not jeopardize public safety or environmental protection. This is not a straightforward task. As the events at Fukushima Dai'ichi in 2011 highlight, when designing a reactor plant it is not possible to initially predict every hazard which might befall the facility. And as the events at Three Mile Island in 1979 and at Chernobyl in 1986 highlight, humans do not always behave in the manner which plant designers assume they will.

[Figure: Active Reactivity Additions, Average Reactor Coolant Temperature (Tavg), and Reactor Power (ΔT) during the October 21, 2003 Passive Reactor Shutdown at Callaway Plant. Time axis 0:00 to 13:00, with an inset covering roughly 09:20 to 10:30. Plotted series: Tavg (scale: 3°F/division, maximum: 586.7°F, minimum: 549.9°F); CTRL ROD BANK D (scale: 20 steps/div, max: 216 steps, min: 0 steps); ΔT power (scale: 10% rated reactor power/div, max: 100.9%, min: 1.6%); 20 or 40 gallon additions of boron (220 gallons during first 2X hours); 360 gallon dilution between 09:47 to 10:00.]

Figure 1: To continue lowering average coolant temperature (Tavg) to its programmed level (Tref), during the first 8 hours of the turbine load reduction the operators were consistently required to either add boron or insert the reactor control rods in order to counteract the positive reactivity inserted by the reductions in turbine load and Tavg. This need to regularly insert negative reactivity likely contributed to the crew's failure to recognize the significant effect ¹³⁵Xe was having on core reactivity. When the turbine load reduction was stopped at 09:36, the crew did not recognize that the continued buildup of ¹³⁵Xe would no longer be mitigated by the load reduction. The only positive addition of reactivity which was actively performed on 2003-10-21 was a 1360L (360 gallon) addition of dilution water which did not occur until after the start of the severe temperature excursion. From the operators' testimonies, it appears this dilution was done as a generic response to a lowering average coolant temperature and not due to any recognition that ¹³⁵Xe buildup was causing the temperature excursion.

Regulations are not easy to write. Regulations must be specific enough to allow clear enforcement, yet not so prescriptive that they prohibit innovative solutions to technical problems. It is not possible to ensure nuclear safety with regulations alone. There is an unavoidable human element which must be present to apply "common sense." That is, to judge when regulations are being technically met but are not adequately preventing unsafe actions and to judge when regulations have been technically violated but did not result in unsafe conditions. The public expects the NRC to ensure reactor plants are safely operated by competent individuals and not to merely bureaucratically judge whether or not narrowly defined regulatory requirements were violated.

In section 4 this paper will show that the NRC's response to the 2003-10-21 event calls for improvements in its ability to ensure utilities adequately staff their reactor control rooms with competent and honest people. The NRC's response also calls for improvements in its ability to perform analysis and evaluation of operational data.

In July 1979 as part of the Three Mile Island Action Plan the Nuclear Regulatory Commission established the Office of Analysis and Evaluation of Operational Data (AEOD) [3.. p. I-5]. Separate from the regional offices, AEOD conducted investigations of significant incidents at the US NPPs. AEOD also evaluated the effectiveness of existing NRC regulations and inspection practices. Having an office specifically dedicated to the analysis and evaluation of operational data provided the NRC with important "defense in depth" with regard to ensuring significant yet low consequent events were adequately identified, evaluated and trended. However, in 1998 as a budget cost cutting measure the NRC did away with AEOD [,1].

Although the staffs within other NRC offices may have been able to perform the basic functions which AEOD had performed, what was lost with the loss of AEOD was independence. Since, unlike the regional offices, AEOD was not tasked with conducting inspections and unlike the Office of Nuclear Reactor Regulation (NRR) AEOD was not tasked with writing regulations, AEOD was able to independently assess whether or not the current regulations and their implementation were having the desired effect towards limiting noteworthy events. AEOD did not have any conflict of interest in its analysis whereas for NRR and the regional offices to state that there is a problem in a given area is for them to admit that their regulations and inspections have not been entirely adequate.

In Section 5 this paper will discuss how the NRC's response to the 2003-10-21 event demonstrates the need for the NRC to have an independent office, such as the old AEOD, capable of reviewing whether or not current regulations and inspection policies contain loopholes which allow for patently unsafe practices.11

11 In all correspondence generated on the 2003-10-21 event the NRC is careful to state that at no time was the reactor in an unsafe condition. They make this statement because their Probabilistic Risk Assessment (PRA) methods show that - due to the status of the 135Xe transient and the fact that the Reactor Protection System (RPS) was operable - risk of an accident was not appreciably elevated during the 107 minutes that the reactor was shut down with its control rods left withdrawn. However, the reactor being "in a safe condition" is different than "unsafe actions". For example, it was patently unsafe and unacceptable to informally (i.e. without any formal calculations) rely on a transient radioactive waste gas for nearly two hours to keep the reactor from restarting when equipment and personnel were available to easily complete the reactor shutdown by inserting the control banks.

International Nuclear Safety Journal, Vol. 1, No. 1 (2013)

The event description in Section 2, Figures 1-7 and Tables 1-7 provide a background of this event to understand the organizational factors associated with it. A more detailed treatment of the event is provided as an appendix so as not to distract from the organizational issues which are the main focus of this paper. In addition to providing the bases for some of the conclusions arrived at in the main body of the paper, the appendix also serves as a reference for those readers desiring a more technical analysis of the event.12 Also provided in the appendix are the details of a 2005-06-17 passive reactor shutdown that occurred at Callaway Plant. Details of this shutdown are only available in this paper as the event was neither reported to INPO nor included by the NRC in its 2011-01-31 information notice on reactivity management incidents (IN 2011-02) [2.]. This event is important to the discussion in that it was very similar to the 2003-10-21 passive reactor shutdown both in the way it occurred and in the way it has been dealt with by the utility.

The 2005-06-17 shutdown shows that the handling of the 2003-10-21 passive reactor shutdown was not an aberration but rather standard business practice for the utility.

2. OCTOBER 2003 EVENT DESCRIPTION AND ANALYSIS

"Success teaches us nothing; only failure teaches."

-Admiral Rickover, 1954

Both the October 21, 2003 and June 17, 2005 events occurred at Callaway Plant, which is a Westinghouse 4-loop Pressurized Water Reactor (PWR) located in Callaway County in the State of Missouri (MO) of the United States. This section is merely a summary of the event to provide the context for analyzing the organizational responses of both the utility and the NRC. For a detailed description and analysis of the event, refer to the appendix.

2.1 Context of the Load Reduction: At 01:00 on October 21, 2003 Callaway Plant started lowering power in preparation for a possible regulatory required shutdown. At 07:21, the plant was operating at just under 40% of rated reactor power when it entered Technical Specification 3.8.7.B, which required the reactor to be shut down within 6 hours (13:21).

2.2 Uncontrolled Drop in Temperature: At 09:36, the plant was two hours ahead of schedule on its required shutdown. The operating crew stabilized turbine loading with the reactor at 9% of its rated full power.

From 09:36 to 10:03 reactor temperature dropped uncontrollably13 at 12°C/hr, from a starting temperature of 293°C14 (560°F) to a low temperature of 288°C (550.4°F). The Nuclear Regulatory Commission determined the 5°C temperature drop was caused by the crew failing to account for the effect that the buildup of the radioactive waste gas 135Xe would have on core reactivity [.§].

The operating crew mistakenly assumed the lowering temperature was due to some turbine drain valves which had recently been placed in service [Z, pp. 9-10] [.8., pp. 36-37] [2., pp. 13-15]. The crew responded to the lowering temperature by troubleshooting the operation of these valves. The operators' actions did not have any impact on the lowering reactor temperature, and, at 10:00, the reactor's letdown system automatically isolated.

Also at 10:00, the average reactor coolant temperature (Tavg) lowered below its regulatory Minimum Temperature for Critical Operations (MTCO) of 551°F (288.3°C).

2.3 Temperature Spike and Passive Reactor Shutdown: To assist in recovering Tavg above the MTCO, the Shift Manager directed the Control Room Supervisor to manually trip the turbine-generator. When the turbine-generator was manually tripped at 10:13, average coolant temperature rapidly rose several degrees over the next few minutes: 1°C (1.8°F) in the first 30 seconds and 3.6°C (6.5°F) within five minutes. The increased neutron leakage caused by this rapid rise in temperature caused the reactor to passively shut down. By 10:18 the reactor had a negative period of 163 seconds and was beyond the point at which it could be prudently kept from shutting down.

2.4 Failure to Recognize the Shutdown: In sworn testimony to the Nuclear Regulatory Commission, the operators claimed that they were aware of the shutdown status of the reactor during the 107 minute time frame from 10:18 to 12:05 but did not insert the reactor's control banks because they were busy doing higher priority15 items [Z]. The NRC determined that none of the items mentioned by the crew during their testimony prevented them from inserting the control banks [.6.], and it is the NRC's assessment that the operators did not become aware of the shutdown status of the reactor until the first Source Range Nuclear Instrument (SRNI) energized over an hour (11:25) after the reactor had passively shut down [1].

2.5 Operating in the Source Range with no SRNIs: At 11:25 the first SRNI energized, causing an alarm to annunciate on the reactor's Main Control Board. For 45 minutes prior to receiving this alarm (from 10:39 to 11:25), the reactor was in the source range with its control rods still at their critical rod heights and with none of the automatic safety features available from the SRNIs. The crew's version of events is that, prior to receiving this alarm, they were aware the reactor was no longer operating and they were informally relying on 135Xe to prevent the reactor from inadvertently restarting.16

11 (continued) Nuclear professionals recognize that such practices are "unsafe actions" regardless of whether or not arbitrary increases to the risk of core damage frequency indicated an "unsafe condition".

12 Although this journal is the proper forum for a technical analysis of the human performance errors committed during the 2003-10-21 shutdown, attempting to address those technical aspects along with all the other aspects of this incident (e.g. organizational and regulatory shortcomings) becomes daunting for both the author and the reader. Therefore detailed technical analyses are either provided in the appendix or left for the reader to consult in the references.

13 Uncontrollably in the sense that the operators did not have conscious control of it and not in the sense that it could not be controlled. As can be seen in Figures 1 - 3, when the operators resumed lowering turbine load between 10:03 and 10:09 temperature recovered.

14 The instrumentation at Callaway Plant uses the United States customary units. Since the graphical data is provided to give the reader a visual depiction of the trends of plant parameters and this trending is irrelevant to the units used, the figures are provided using the units used at the plant. Metric units are used in the body of the paper and are referenced to US units where such reference is helpful in connecting the data on the figures to the data in the text.

15 That is, items which they claimed in their testimony were of a higher priority. It is the position of this paper (and of the NRC [.§.]) that none of these items were of a higher priority than inserting the control banks. Although the NRC does not believe the operators' testimonies [1], they have chosen not to challenge them [n]. It is the position of the NRC that the operators were not confused about the priority of actions, but rather that the operators were - prior to 11:25 - merely unaware that the reactor was no longer critical and therefore had no impetus to insert the control banks [1].

16 There are several examples of commercial reactors inadvertently restarting [!f_] [12]. Although reactor design features result in these events having a relatively low risk level, these events are significant because they demonstrate the failure of the operators to actively control the nuclear fission reaction.


Table 1: Overview of the October 21, 2003 Incident

07:21 24 hours had elapsed since the inverter first failed, so Callaway Plant entered TS 3.8.7.B which required them to either repair the inverter within the next 6 hours or shut down the reactor. Reactor power was 39%.

09:36 At 9% power the operators quit lowering reactor power. Their intention was to remain at nominally 10% power to allow the electricians more time to repair the inverter.

10:00 The reactor's purification system automatically isolated. Also, reactor coolant temperature dropped below the Minimum Temperature for Critical Operation (MTCO).

11:25 The channel 2 Source Range Nuclear Instrument energized causing an alarm to annunciate on the reactor's Main Control Board. Everyone in the reactor's Main Control Room became aware that the reactor was no longer critical but no one informed the plant's upper man

12:05 The operators began inserting the control banks. No one outside the Main Control Room was aware that, instead of using the control rods to shut down the reactor, the control rods were being inserted into a reactor core that had passively shut down nearly two hours earlier.


It is the position of the NRC that the crew's version of events is not accurate in that prior to the first SRNI energizing the crew was unaware that the reactor had shut down [1].

2.6 Delay in Inserting the Control Banks: The crew did not begin inserting the control banks (i.e. actively shutting down the reactor) until 12:05. This was 40 minutes after becoming aware that the reactor was in the source range (11:25), 85 minutes after the reactor entered the source range (10:39), 107 minutes after the nuclear fission reaction had passively shut down to the point that it could not be prudently recovered (10:18), and 112 minutes after manually tripping the turbine-generator (10:13).17 The NRC believes that for the first 67 minutes following the passive shutdown (i.e. from 10:18 to 11:25) the crew did not insert the control banks because they were unaware the reactor had shut down [1]. However, the final 40 minutes - that is, the 40 minutes from the time the operators recognized the reactor was in the source range (11:25) and the time they began inserting the control banks (12:05) - is more controversial.

This 40 minute delay is noteworthy because it caused the control banks to be inserted at about the time the plant's upper management was expecting the reactor to be shut down. That is, the Outage Control Center18 was expecting the reactor to be shut down around noon and, by delaying 40 minutes, the crew began inserting the control banks around noon (12:05).

Since the plan for the forced outage was to evaluate at noon whether or not progress in repairing the broken inverter was promising enough to justify keeping the reactor critical, the Outage Control Center was expecting the reactor to remain critical until noon. Had the control banks been inserted prior to noon, the operators would have had to explain to the plant's Outage Control Center why the reactor was being shut down early.

It is the position of the utility that (1) the operators were aware of the status of the reactor the entire 107 minutes that it was shutdown with its control rods at their critical rod heights and (2) during the 40 minutes from 11:25 to 12:05 the crew was performing equipment alignments and briefings necessary for inserting the control banks [Z] [.8.] [.l.Q, Actions 5 and 6].

The NRC determined that none of the activities being performed by the operating crew from 11:25 to 12:05 were required for inserting the control banks nor did the activities justify the 40 minute delay in inserting the control banks [.6]. Despite not understanding why the operating crew prioritized these activities over promptly inserting the control banks, the NRC did not request more detailed information from the utility on the matter [11].

17 Some of the references contain differing times (i.e. differing from these times by +/-1 minute). The Reactor Operator logged the manual turbine trip as occurring at 10:12 and the commencement of insertion of the control banks as occurring at 12:05. Plant computer data indicates the turbine was tripped at 10:12:35 and the control bank insertion began at 12:04:55. In this paper the turbine trip is taken to have occurred at 10:13 and the control bank insertion to have occurred at 12:05. A minute's difference is inconsequential to the points being made in this paper, but it is mentioned here to avoid confusing the readers who check the references.

18 The Outage Control Center (OCC) was a group of support personnel who gathered in one location (i.e. the area of desks designated the "Outage Control Center" which in 2003 at Callaway Plant was located in the Technical Support Center) to enable quick support of Operations and Maintenance to minimize the duration of outages. The leader of the Outage Control Center was the same manager who had the responsibility for covering the Emergency Duty Officer (EDO) position during a reactor accident and many of the desks were staffed by the same individuals designated to staff the Technical Support Center (TSC) during an accident. Although the licensed operators in the Main Control Room had ultimate authority over when the reactor would be shut down, they were expected to keep the OCC informed.

For the sake of argument, in the body of this paper the less controversial positions are assumed:

2.6.A. The utility's position that from 11:25 to 12:05 the operators informally relied on 135Xe to maintain the reactor subcritical while they aligned plant equipment and briefed the insertion of the control banks is assumed to be accurate.

[Figure 2 plot not reproduced. Plot title: Notable Parameters during time frame of Passive Reactor Shutdown on October 21, 2003. Traces: Tref and Tavg (linear scale, 5°F/division), ΔT (linear scale, 5% rated power/division), IRNI channels 1 and 2 (log scale, one decade/division).]

Figure 2: Plot of Average Coolant Temperature (Tavg), Primary Calorimetric power (ΔT) and Intermediate Nuclear Instrument currents (IRNI) on October 21, 2003. Note the sharp rise in Tavg which occurs at 10:12:35 (denoted by the dashed vertical line "TI"). This spike in Tavg was caused by the power mismatch resulting from manually tripping the turbine at 6% power and 550.4°F (288°C) with the steam dumps set at 1092 psig (557°F). With the steam dumps set to maintain 1092 psig (7.6 MPa), there was no steam demand until Tavg rose to 557°F (291.7°C). Since initially the reactor was still producing 6% power, the absence of any steam demand to remove the heat generated by the reactor resulted in a rapid rise in Tavg. The negative reactivity inserted by this temperature rise caused the reactor to passively shut down as can be seen on both the linear ΔT trace and the logarithmic IRNI traces. The leveling out of the ΔT trace at 10:23 indicates the Point of Adding Heat. Once the reactor was below the POAH, there was no longer any natural temperature-reactivity feedback to buffer neutron leakage and the reactor soon attained its nominal shutdown period (varies with core loading and age but nominally -90 seconds). The leveling out of the IRNI traces at 10:39 indicates entry into the source range. See Tables A.2 & A.3 for plant evolutions occurring during this time frame.

2.6.B. The utility's position that the activities performed between 11:25 and 12:05 prevented the insertion of the control banks is assumed inaccurate. Instead, the NRC's position (i.e. that the activities performed between 11:25 and 12:05 in no way prohibited the insertion of the control banks) is assumed accurate.

In the appendix of this paper, an argument is made that the 40 minute delay was possibly effected by the operators to conceal the inadvertent passive reactor shutdown from their superiors (refer to sections A.1 and A.3).

2.7 Repeat of an Inadvertent Passive Reactor Shutdown on 2005-06-17: Figures 5-7 and Table 2 detail an inadvertent passive reactor shutdown which occurred at Callaway Plant on 2005-06-17. This event was very similar to the 2003-10-21 shutdown in a number of ways; in particular, the procedure changes implemented in February and August 2007 in response to the 2003-10-21 event were also deemed by the utility as suitable corrective actions for the 2005-06-17 event. Details of the 2005-06-17 event are being included in this paper because (1) it is a significant event whose details cannot be found anywhere else other than this paper and (2) it highlights the importance of documenting and investigating events in that a proper investigation of the 2003-10-21 shutdown in 2003 may have prevented the 2005-06-17 event.

3. DESCRIPTION AND ANALYSIS OF AMEREN RESPONSE

"The existence of a vast body of regulations by NRC tends to focus industry attention narrowly on the meeting of regulations rather than on a systematic concern for safety.... The analysis of reported incidents by licensees has tended to concentrate on equipment malfunction, and serious operator errors have not been focused on."

- Kemeny Commission, 1979

In this section the response of employees of Ameren to the October 2003 event is analyzed. In the appendix a case is made that from 11:25 to 12:05 the operators may have intentionally delayed inserting the control banks in order to cover up the passive shutdown from their upper management (refer to sections A.1 and A.3). Since no regulations were violated, this is a nearly impossible case to make in a court of law. Even if proven to be true - that is, even if a court of law were to accept the analysis that the control rods were intentionally left withdrawn to conceal the inadvertent passive reactor shutdown - since such action is not specifically prohibited by regulations it is unlikely to be criminally prosecuted. What matters at this stage is not so much what the operators and the utility did, but whether or not they were honest about it when interviewed by the NRC.

Safe operation of nuclear plants involves more than just adherence to regulations. Regulations cannot predict everything and therefore cannot be used as the only standard of safety. Inherent in the safe operation of nuclear plants is the active role of the plant management in ensuring that its operators are competent and honest. The purpose of this section is not to expose the management failings at one organization, but rather to present an example of how inefficient corporate oversight can prevent egregious personnel problems (e.g. dishonesty and incompetency) from being addressed.

3.1 Response of the Crew on 2003-10-21 and Negligence: The operators claim that they were aware of the passive shutdown of the reactor as it was occurring (i.e. from 10:18 onward). This contradicts the NRC's assessment that the operators first became aware of the passive shutdown when the first Source Range Nuclear Instrument automatically energized (i.e. 11:25). For the purposes of this section, the operating crew's claims are taken at their face value and it is assumed that the operators were aware of the status of the nuclear fission reaction the entire 107 minutes from the passive shutdown at 10:18 to the commencement of control bank insertion at 12:05.

By their own statements, the operators' response to the passive shutdown was to (1) informally rely on 135Xe to keep the reactor from inadvertently restarting and (2) allow the reactor to remain in the source range for 45 minutes with no Source Range Nuclear Instruments energized. The position of this paper is that these actions amount to negligence on the part of the operators. That is, the reactor operators had a duty to actively monitor and control core reactivity. To informally rely on the passive buildup of a radioactive waste gas to keep the reactor subcritical is negligent. To fail to manually re-energize the Source Range Nuclear Instruments in order to assist in monitoring the nuclear fission reaction while in the source range is negligent.

[Figure 3 plot not reproduced. Plot title: Control Room Activities, Rod Heights, Average Coolant Temperature, Total Power and IRNI Currents during October 21, 2003 Passive Reactor Shutdown at Callaway Plant. Legend: CTRL ROD BANK AVG POS; RCL1 TAVG; RCL1 DT; IR DETECTOR CH2 LOG Q; IR DETECTOR CH1 LOG Q. Event markers: A through C (Table A.1), D through G (Table A.2), H through J (Table A.3), K through N (Table A.4), O through R (Table A.5). Time axis: 8:00 to 12:00.]

Figure 3: The reactor passively shut down shortly after the turbine was manually tripped at 10:13 and reached the source range about 26 minutes later. A nominal -1/3 dpm SUR (i.e. -90 s period) developed as power fell below the POAH. The slight drop in reactor power from 10:39 to 12:05 was caused by a lowering of subcritical multiplication resulting from the continued buildup of Xenon-135. The operators began inserting the control banks at 12:05 and completed at 12:15, resulting in a steep drop in subcritical multiplication of about ½ decade. The control banks consisted of four banks (A, B, C, D) whose insertion is staggered. The 'D' bank rods were the first to insert and the 'A' bank rods were the last. Note the 107 minute delay between the time the reactor passively shut down (10:18) and the time the operators commenced fully inserting the control banks.


To be "negligent" in a legal sense, an injurious condition must have resulted. Since no injurious condition resulted from the operators' negligence, in a legal sense they were not negligent. Or, to state it colloquially: "no harm, no foul". The intent of this section is not to argue that they were legally negligent, but rather that they would have been had an accident occurred.

For example, suppose a steam line break occurred which caused the reactor to inadvertently restart. And suppose the reactor protection system failed to trip the control rods. And suppose a shut manual valve prevented the safety injection system from properly operating. If these supposed conditions were to result in the reactor exceeding its power limits and damaging its fuel (i.e. an injurious condition) then it is the assessment of this paper that a federal court would have found the operators negligent for (1) not manually inserting the control rods upon recognizing the reactor was no longer critical and (2) for not manually re-energizing the Source Range Nuclear Instruments and their associated protections (see section A.1.8). This assessment is based on the assumption that, regardless of whether or not any specific regulations were violated, the court would judge the operators had a duty of care with regard to actively monitoring and controlling core reactivity and the operators failed to behave as any reasonable licensed operators in the same situations would have.

Since no injurious condition occurred during the 107 minutes the reactor was subcritical with its control rods withdrawn, we will never know if a court would have judged the operators negligent. The best we can do is to develop a consensus among nuclear professionals as regards the expectations for operators' behaviour in similar situations.

One way to build this consensus is for interested readers to write this journal with their assessments.

Although "no harm, no foul" precludes negligence from a legal standpoint, it is counter to nuclear Safety Culture to preclude negligence based on the absence of a nuclear accident.

Fundamental to nuclear Safety Culture is the practice of analyzing human errors regardless of consequence with the belief that corrective actions taken based on low consequence events might someday mitigate circumstances that might have otherwise resulted in a high consequence event.

3.2 Downplaying of Events by Utility Management: The condition report which first documented the October 21, 2003 and June 17, 2005 passive reactor shutdowns was written in February 2007 and was initially screened, over the objections of the originator, as a "significance level 4" meaning it did not require any analysis as to why the events occurred and could be closed as soon as any necessary revisions had been made to plant procedures [12].

This condition report and its attachments are available to the readers. The readers are encouraged to determine for themselves whether or not they agree with the position that an investigation into the October 21, 2003 and June 17, 2005 passive reactor shutdowns should have been conducted based on the events detailed within the condition report.

Note that the condition report was eventually raised to a "significance level 3" and a limited investigation was performed, but this did not occur until 6 weeks later - after the incident had been brought to the attention of the Nuclear Regulatory Commission.

The utility's failure to adequately address the passive reactor shutdowns was internally brought to the attention of the company's upper management on multiple occasions, including:

3.2.A. personal meetings with the Site Vice President on February 22 and November 13, 2007 [13]

3.2.B. personal meetings with the Plant Director in June and October of 2007 [14] [15]

3.2.C. email correspondence addressed to the Site Vice President and to the utility's Nuclear Safety Review Board and on which the Chief Executive Officer was copied [16]

3.2.D. meetings and correspondence with the Operations Manager [17]

3.2.E. a request to the Chief Nuclear Officer [18]

3.2.F. a meeting with the utility's Employee Concerns Manager and members of the Quality Assurance organization [19]

Table 2: Noteworthy Deficiencies during 2005-06-17 Passive Shutdown

IRNIs: In the 12 minutes between the manual trip of the turbine-generator and the first 6 step pull of the control rods, the ion chamber amp (ica) reading of the Intermediate Range Nuclear Instruments lowered by a decade. Just as during the 2003-10-21 Callaway and 2005-02-04 Surry passive shutdowns, the operators on 2005-06-17 were not monitoring the IRNIs and mistook the readings on the calorimetric instruments as indications the reactor was still critical.

External Operating Experience: In a report dated 2005-03-25, Surry shared the details of their 2005-02-04 passive reactor shutdown and inadvertent restart with the nuclear industry via INPO's Operating Experience network. Although the details of the Surry event were available to the Callaway operators 2~ months prior to 2005-06-17, just like at Surry the Callaway operators focused on the calorimetric indications of reactor power and neglected the IRNIs. The June 2005 event is an example of failing to incorporate outside Operating Experience in a timely manner.


A summary of these efforts can be found on pages 1 & 2 of a June 3, 2011 email to the Regional Administrator of the NRC's Region IV [20]; it is left to the reader to review this email and its attachments and decide whether or not they agree with the position that the utility was adequately informed of concerns regarding the plant's response to the October 21, 2003 passive reactor shutdown.

3.3 Request for Information from INPO: In July 2007 the World Association of Nuclear Operators released a Significant Operating Experience Report entitled WANO SOER 2007-1, Reactivity Management.19 In their August 10, 2007 cover letter distributing WANO SOER 2007-1, the Institute of Nuclear Power Operations requested that their members "... provide information on similar occurrences and solutions at their plants or on their equipment to INPO Events Analysis". It should be clear to individuals familiar with WANO SOER 2007-1 that the October 2003 and June 2005 events are similar to the events documented in SOER 2007-1; however, Ameren has yet to submit reports on these two events.

Exactly why Ameren chose not to submit reports on the 2003-10-21 and 2005-06-17 passive reactor shutdowns cannot be determined. In the United States, participation in INPO and WANO is voluntary. Although INPO is aware of these two events, they have no way of compelling the member utility to submit them as Operating Experience [21].

The best that the nuclear community can do is to develop a consensus among nuclear professionals as to whether or not passive reactor shutdowns are clear examples of the types of events which utilities are expected to report to INPO/WANO. Readers with an informed opinion as to whether or not their utilities would submit such events to INPO/WANO are encouraged to write to this journal.

R.3.3 Recommendation: The US nuclear industry should not rely on a voluntary reporting system for amassing Operating Experience, but instead the NRC's requirements for the submittal of Licensee Event Reports (LERs) should be expanded to encompass the submittal of Operating Experience on noteworthy plant transients and human performance errors.

3.4 Inadequate Internal Oversight: It is the position of this paper that the shortcomings in the response of the utility to the October 2003 incident were enabled by an inadequate ability to conduct internal oversight. There is indication that the Operations Manager was in the control room on October 21, 2003 when the operators first recognized the reactor was in the source range (11:25) [22] [2., p. 16] and yet failed to ensure (1) the control rods were immediately inserted and (2) the incident was documented.

Although the US NRC has not investigated the possible complicity of the Operations Manager in concealing this incident [23], the Operations Manager's role is vital to understanding the organization's response:

3.4.A. It was the Operations representative to the daily condition report screening committee meeting who in February 2007 insisted that the original condition report on the incident be categorized as a significance level 4 meaning it did not require investigation.

19 WANO has classified SOER 2007-1 as "Limited Distribution" so it is not available publicly. Those readers who do not have access to WANO SOERs can find a publicly available analysis of it on the internet [.1:1, pp. 68-96] which contains, among other things, a summary of the events in the document.

3.4.B. When the significance level of the condition report was raised in March 2007, the investigation was assigned to Operations. Operations chose not to investigate the cause of the event but rather to focus on process improvements.

3.4.C. Since the event concerns the Operations Department, the utility organization defers to the Operations Manager as to whether or not the incident should be reported to INPO/WANO.

Like all US nuclear utilities, Ameren is required to maintain a Quality Assurance (QA) organization. Usually when a utility believes an independent investigation is warranted, it is up to the QA department to conduct it. However, the operations expert on the QA staff in 2007 was the Shift Manager for the June 2005 passive reactor shutdown and so he recused himself from investigating the October 2003 passive reactor shutdown. The investigation was thus conducted by an individual who had never operated a reactor plant.

As can be seen in internal emails [16] the Chairman of the utility's Nuclear Safety Review Board declined to look into the incident.

It is the position of this paper that with regard to the October 2003 incident Ameren has been negligent in implementing its corporate oversight responsibilities. The reader is encouraged to review the references cited in this section and decide whether the October 2003 event warranted a Root Cause Analysis (or some other type of high level internal investigation) or whether, due to it being concealed for 3½ years, it should have been downplayed as an old event.

Table 3: Summary of Human Performance Errors

MTCO: The operators did not enter the Technical Specification Limiting Condition for Operation (TS LCO) when Tavg lowered below the Minimum Temperature for Critical Operations.

IRNIs: The operators failed to monitor the Intermediate Range Nuclear Instruments (IRNIs) when the reactor entered MODE 2 (i.e. less than 5% power but greater than 0.99 Keff). For 67 minutes they mistook the readings of the calorimetric instruments (e.g. the core ΔT meters and the thermal megawatt computer points) as indications that the reactor was still critical.

SDM: For 40 minutes the operators informally relied on ¹³⁵Xe to keep the reactor from restarting (between 11:25 and 12:05). A formal calculation of Shutdown Margin (SDM) was completed at 12:55; over the next 90 minutes more than 100 kg of boron were added to the Reactor Coolant System.

R.3.4 Recommendation: Broadly, nuclear utilities should have a process for bringing in outside organizations (e.g. root cause contractors or peers from other utilities) to conduct investigations on important events for which their own internal oversight may have been compromised. Narrowly, Ameren's board of directors should hire an external contractor or request a peer assist visit (e.g. a peer assessment from INPO or STARS²⁰) to assess Callaway Plant's response to the incident.

4. DESCRIPTION AND ANALYSIS OF NRC RESPONSE

"A major flaw in our system of government, and even in industry, is the latitude allowed to do less than is necessary. Too often officials are willing to accept and adapt to situations they know to be wrong. The tendency is to downplay problems instead of actively trying to correct them."

- Admiral Rickover, 1982

This section analyzes the response of the US Nuclear Regulatory Commission to the October 2003 event. From the beginning, the primary goal of the investigation was to determine what, if any, regulatory requirements were violated. Although this approach did yield some very minor findings,²¹ it was severely lacking with respect to addressing the systemic cultural issues which the downplaying of the incident suggests.

What was needed from the NRC was an investigation that sought to understand the event and answer the key regulatory questions which the event exposed (see Table 6). The NRC has argued that every one of the questions on Table 6²² is not of regulatory concern since none of them involved violations of regulations [.Q] [23] [24] [25]. However, many things are of regulatory concern without violating existing regulations. That is why part of the NRC's role is rule making (i.e. closing loopholes in the current regulations and writing new regulations for unforeseen circumstances).

There is more to regulation than the mere enforcement of regulatory requirements. The NRC licensed the operators at Callaway Plant and has a duty to fully understand this event because it calls into question the competency and honesty of individuals who currently hold Senior Reactor Operator licenses and who are currently in critical leadership positions at a nuclear utility. Although competency and honesty are subjective determinations, the NRC has a duty to make these determinations when it involves operators who hold NRC issued licenses.

20 Strategic Teaming and Resource Sharing (an industry alliance in which Callaway Plant is a member).

21 The NRC issued two very minor Non Cited Violations (NCVs) in an August 2, 2007 inspection report [~ pp. 40-41 of the Enclosure]. The NCVs were for failing to document the operation of the reactor below the Minimum Temperature for Critical Operations in (1) the control room log and (2) the Corrective Action Program.

22 Although the NRC has answered some of the questions on Table 6 - such as in the enclosure to their 2011-11-17 letter to Representative Oxford in which they indicate that it is their determination the operators first became aware the reactor was no longer critical when the first SRNI automatically energized - these answers did not come until after the closure of their final investigation of the incident. None of the questions on Table 6 were determined by the NRC during their formal investigations. Since no formal investigation is ongoing, pursuing answers at this point has little consequence with regard to addressing deficiencies at both the utility and the regulator with regard to how the 2003-10-21 incident has thus far been handled.

4.1 Initial Response of US Nuclear Regulatory Commission: The October 21, 2003 passive reactor shutdown was first brought to the attention of the Nuclear Regulatory Commission in March 2007 [26]. This is an excerpt from Region IV's August 7, 2007 response [27]:

The technical staff determined that the reactor did become subcritical without immediate Operator action and did transition through five decades of power decrease due to the transient in a 20-minute period. No attempts were made to restore power and after 2 hours, the procedural requirement to insert control rods was implemented. This time delay was not prudent and did suggest that the operators may not have exercised optimum reactivity management and may not have had adequate plant awareness. The inspector's review of operating procedures did not find any timeliness guidance on performing the steps to insert the control rods.

Table 4: Discrepancies in Operators' Testimonies

OTO-BG-1: The operators entered the off-normal procedure for Loss of Letdown (OTO-BG-00001) at 09:59 and exited it at 10:18. Although they were not using this procedure during the 107 minutes that the control rods were left withdrawn (from 10:18 to 12:05) they nonetheless point to it several times during their testimony as one of the causes of the de

Region IV of the US NRC is the region which is tasked with ensuring Callaway Plant adequately trains and examines its operators. It is Region IV who initially examines and issues the licenses to individual operators for the reactor at Callaway Plant. Region IV's response merely noted that "... the operators may not have exercised optimum reactivity management and may not have had adequate plant awareness." It is Region IV's job to ensure that the utility adequately trains its operators to exercise adequate "reactivity management" and to have "adequate plant awareness". To merely note that these traits "... may not have ..." been present and then to discount their absence due to the fact that the "... operating procedures did not find any timeliness guidance on performing the steps to insert the control rods" is not what the public expects of its nuclear regulator.

The correspondence quoted above is publicly available [26] [27] to the reader who desires to read it and decide whether or not the NRC recognized the importance of the October 21, 2003 passive reactor shutdown during its initial investigation.

In addition to the investigation mentioned in the preceding paragraphs, the NRC investigated the incident two additional times [28] [.Q.]. Both these later investigations were done by the same office (Region IV) which had done the initial investigation.

Had separate offices within the NRC (e.g. the Office of Nuclear Reactor Regulation, the Office of Nuclear Regulatory Research, or one of the other regional offices) been tasked with performing the subsequent investigations there would have been less pressure on the inspectors to validate the findings of the initial inspection. It is the position of this paper that with the abolishment of the NRC's Office of Analysis and Evaluation of Operational Data (AEOD) in March 1999, the NRC has lost the ability of having a separate office at NRC headquarters to second-check the findings and determinations of its four regional offices.

4.2 Investigation of the incident by the NRC's Office of Investigations: During the second investigation of this incident [28], investigators from the NRC's Office of Investigations (OI) conducted interviews of the operators who were in the control room during the October 21, 2003 shutdown [Z] [B.] [2.]. These investigators had law enforcement backgrounds and were not formally trained in nuclear engineering or reactor operations.

During the interviews, there was confusion on the part of the interrogator regarding what the term "reactor shutdown" refers to as demonstrated by discussions documented in the transcripts [.8., pp. 9-43, particularly lines 6-13 of p. 30 and lines 14-22 of p. 38].

Like many English words and phrases, "reactor shutdown" has multiple meanings. Broadly defined, it can legitimately be stated that the "reactor shutdown" on October 21, 2003 was the nearly 12-hour evolution which began when the operators commenced lowering reactor power at 01:00 and did not end until the Shutdown Margin calculation was reviewed and signed by the Control Room Supervisor at 12:55. This evolution was coordinated with the utility's load dispatchers in St. Louis, MO, and the utility informed the NRC's Operations Officers of their intent to shut down the reactor on several occasions during the early morning hours of October 21, 2003.

More narrowly defined, "reactor shutdown" refers to the cessation of the nuclear fission reaction by the reactor entering a substantially subcritical state from which it will not passively recover prior to entering the source range. It is this more narrow definition which is used when it is stated that an inadvertent passive "reactor shutdown" occurred and was concealed by the operators. To complicate matters, the NRC technical staff consistently uses the standard of Keff < 0.99 (one of the MODE 3 requirements in Callaway Plant's Technical Specifications) to define the term "reactor shutdown" even when a clearly different context is being used [.Q] [1] [23].

It is evident from the interview transcripts of the Control Room Supervisor that the NRC investigator did not have a sufficient understanding of the technical aspects of reactor plant operations to properly interview the operators UU. Assigned to assist her with the technical issues was the plant's NRC Senior Resident Inspector (SRI).

Ameren: Ameren was negligent in its duty to recognize and address significant human performance problems at its reactor plant. Ameren management both at Callaway Plant and at its St. Louis corporate headquarters have been made well aware of the concerns regarding the 2003-10-21 shutdown yet have still not: (1) conducted a Root Cause Analysis, (2) formally remediated the licensed operators involved, (3) incorporated key aspects of the event into their training programs, and (4) shared the details of the event with INPO/WANO. All four of these items are basic fundamentals of stewardship at a nuclear facility and it is negligence for a utility to not address these items once aware th

NRC: The Nuclear Regulatory Commission has a duty to ensure the individuals to whom it grants Senior Reactor Operator licenses are competent and trustworthy. The NRC has investigated the 2003-10-21 incident three times and still has not been able to answer questions concerni of it.

The interview transcript is available to the readers who wish to decide for themselves whether the SRI was adequately assisting with the interview. It appears that the SRI spends more time assisting the operators in explaining their actions than in interrogating the operators to determine the reason why they took 107 minutes to insert the control rods following the passive shutdown.

Since the SRI was the one who originally investigated the incident (leading to the August 7, 2007 closure letter), he may not have had adequate motivation to thoroughly interrogate the operators during the NRC Office of Investigations' interviews. That is, he may have had a conflict of interest because an adverse finding by the NRC OI would call into question his August 2007 closure statements.

4.3 Decision of the NRC not to Re-interview the NRC Licensed Operators: Upon review of the transcripts of the March 31 and April 1, 2008 sworn testimonies of the licensed operators, I submitted a letter to the NRC detailing discrepancies in the operators' testimonies [29]. This letter contained 56 items central to the understanding of the event on which I requested simple comment (e.g. whether the NRC agreed with the item, disagreed with it, or could not answer it). The NRC did not comment on the individual items [.Q].

Table 6: Unanswered Questions from the three NRC Investigations

What was going on in the MCR during the 10:18 to 12:05 time frame that delayed the insertion of the control banks?

40 minute Delay: After realizing the reactor was in the source range with its control rods still withdrawn, why did the operators not immediately insert the control banks? Was it merely a gross oversight? Was the delay intentionally effected in order to time the insertion of the control banks with the expected time of the reactor shutdown?

Outage Control Center: When was the plant upper management expecting the reactor to be shut down? Were they ever made aware that it had shut down early? Is it likely the event was concealed from them?

The US NRC has a responsibility to utilize the expertise of its personnel in subjectively assessing incidents which (1) question the competency and/or integrity of NRC licensed operators and (2) question the integrity and competency of managers at NRC licensed facilities who are responsible for implementing programs which fall under the inspection purview of the licensee's Quality Assurance program. All regulations will have gaps, and a regulatory agency will be ineffective if it refrains from acknowledging and commenting upon aberrant behavior which, although not specifically prohibited by the regulations, is not within the spirit of them.

Additionally, the NRC's final closure document had some deficiencies. For example, after thousands of hours of inspection, the NRC confidently stated:

The inspectors noted that the crew had completed a shutdown margin verification just prior to tripping the main turbine, as required by the shutdown procedure. The shutdown margin verification ensured that had a design basis accident occurred at that time, adequate negative reactivity was available to maintain the plant shutdown. [Q.]

In 2011 the NRC's Office of the Inspector General (NRC OIG) determined that, in fact, no "shutdown margin verification" had been performed until more than 2½ hours after the main turbine was tripped [30] [24]. This is not a minor error. One of the major aspects of this event was that for the entire 107 minutes which the operators claim they were aware the reactor was shut down with its control banks still withdrawn, there was no formal calculation showing ¹³⁵Xe levels were adequate to "... ensure had a design basis accident occurred at that time, adequate negative reactivity was available to maintain the plant shutdown."

It appears the NRC allowed the plant to claim their Xenon-Predict²³ was sufficient replacement for an actual Shutdown Margin calculation. The fact that a Xenon-Predict was performed just prior to tripping the turbine is further proof the operators intended to maintain the reactor critical following the turbine trip (one of the uses of a Xenon-Predict) and not to intentionally allow it to passively shut down as they claimed in their sworn testimony.

In September 2010 I submitted a formal request to the NRC to re-interview the Shift Manager and to interview, for the first time, the Operations Manager [31]. The NRC rejected this request based on a claim it had not been shown that the original interviews were insufficient [11]. The request is available to the readers who wish to decide whether there was (and is) reason to demand additional information from the utility regarding the October 21, 2003 passive reactor shutdown.

4.4 Information Notice 2011-02: In May 2010 I petitioned the NRC to write an Information Notice on the October 21, 2003 incident [32]. The NRC rejected the petition; however, based on this petition, the Union of Concerned Scientists (UCS) released an Issue Brief in order to document the important lessons learned from this incident [33]. Nearly three months after the release of this Issue Brief, the NRC included the October 21, 2003 passive reactor shutdown as its primary incident in its January 31, 2011 Information Notice on "Operator Performance Issues Involving Reactivity Management at Nuclear Power Plants" (IN 2011-02) [.5.].

23 See section A.1.11 of the appendix for a discussion on the differences between the Xenon-Predict and the Shutdown Margin calculations.


Like their investigation reports on the incident, IN 2011-02 did not address why it took the operator "nearly 2 hours" to insert the control rods after the reactor became subcritical [5.]. I was a reviewer for IN 2011-02 and submitted a Non-Concurrence form [25] in which it was suggested the information notice should address (1) the operators' claims that they intentionally shut down the reactor by removing steam demand and allowing it to passively shut down and (2) whether or not the operators recognized the reactor was subcritical prior to the SRNIs energizing. In answering the non-concurrence, the NRC responded:

There is no benefit (safety or otherwise) to adding information and presenting unnecessary details only detracts from the IN. Each of the above two questions presented by the non-concurring individual ask what operators "recognized" which involves what operators thought versus what operators did [.2.5., p. 5]

The solutions for addressing knowledge errors, judgment errors, negligence and dereliction of duty often vary greatly. If, as the crew claimed, they recognized the reactor passively shutting down and for nearly two hours consciously decided to prioritize ancillary tasks over inserting the control banks, then the focus of the IN needs to be what caused the operators to have such a lapse in judgment and how utilities can minimize the likelihood of such errors. If the crew failed to recognize the passive shut down of the reactor until the first SRNI energized, then the focus of the IN needs to be upon whatever gap in the operators' knowledge and skills allowed this to happen.

I was intimately involved with the preparation of IN 2011-02 [34] and believe internal politics caused the IN to be ineffectively written. Specifically, it should have been readily apparent to the individual at NRC headquarters who prepared the IN that the operators had (1) failed to recognize the reactor would go subcritical following the turbine trip and (2) failed to realize reactor power was in the source range until the channel 2 SRNI energized. However, this position contradicts the sworn testimonies which the operators provided to the NRC in 2008. Since Region IV had decided not to challenge the operators' claims, they may not have given their concurrence to an IN which contradicted the operators' testimonies. This may have been the reason for which the preparer of the IN avoided addressing the cause of the 107 minute delay in inserting the control banks.

My Non-Concurrence form and the NRC's response to it are available to the reader [25].

The reader is encouraged to review the Non-Concurrence package and to decide whether what the crew did or did not recognize is relevant or whether they agree with the position of the NRC that this is an "unnecessary detail" which "distracts from the IN". Understanding the consensus of nuclear professionals as to what information is relevant to include in information notices on significant human performance errors would be beneficial to the NRC being able to judge whether or not the additional details requested in the Non-Concurrence for IN 2011-02 should have been included in the information notice.

4.5 Ameren Drop-In Visit with NRC: On August 13, 2010 the Chief Nuclear Officer (CNO) at Ameren paid a "Drop-In" visit on the NRC's Executive Director for Operations (EDO).

The primary topic of discussion was:

  • 2003 Reactivity Management Event of Inadvertent Passive Shutdown; Exchange Perspectives; Confirm they are doing everything they can [.3..5., p. 5]


There are no meeting minutes available from this "Drop-In" visit and the participants with whom I have spoken do not recall what was said so it is unknown what the EDO's response was when the Ameren CNO confirmed "they are doing everything they can".

It is the position of this paper that Ameren has not done "everything they can". The utility has (as of February 2013) not submitted a report on this incident to INPO, and at the time of the "Drop-In" visit Callaway Plant training on the incident failed to even mention any of the significant human performance errors which occurred on 2003-10-21 (see Table 3).

4.6 Region IV's Subjective Determination: In a November 17, 2011 letter to a member of the Missouri House of Representatives, the US NRC Region IV admitted the subjective determination of its inspectors is that the operators failed to (1) recognize the passive shutdown of the reactor as it was occurring and (2) realize the reactor was in the source range until the first SRNI energized [.1, pp. 1-2 of Enclosure, items 2-4]. This contradicts the sworn statements of the operators that they were aware the passive shutdown would occur following the turbine trip and were always aware of the subcritical status of the nuclear fission reaction [L p. 23].

Note that the determinations made in the 2011-11-17 letter were done after the three formal investigations of the NRC and after the NRC decided in January 2011 not to request additional information from Callaway Plant. Since there were no longer any open investigations, Region IV's subjective determinations that conflict with the testimonies of the Callaway Plant operators (see Table 4) have not led to any reprimands of the Callaway Plant licensed operators for providing inaccurate and misleading information to NRC investigators during sworn testimonies.

Table 7: Shortcomings in Utility's Response

Training: Although the event has nominally been trained on, the training only mentions the various equipment failures, the failure to document the letdown isolation and the failure to enter the Technical Specification for operating below the MTCO. None of the significant Human Performance aspects listed on Table 3 have been incorporated into the plant's training on this incident for their licensed o

Operating Experience Network: By August 2007 all concerned levels of Ameren management were well aware of what had occurred on 2003-10-21 and 2005-06-17 yet neither incident was reported to INPO despite INPO making a specific request for such incidents in its 2007-08-10 cover letter distributing WANO SOER 2007-1 on Reactivity Management.

4.7 NRC Internal Awareness: In the months following Region IV's closure of its third investigation of the October 2003 incident in February 2010, I personally met with the following members of the US NRC to discuss the incident and Region IV's response to it [34]: Chairman Jaczko, Commissioner Ostendorff, the Director of the Office of Enforcement, two Assistant Executive Directors of Operations, the Director of the Office of Investigations, the Director of the Office of Nuclear Reactor Regulations, the Regional Administrator of Region IV, and the Deputy Inspector General.

These meetings were productive in the sense that they directly led to the preparation and issuance of Information Notice 2011-02. However, they have been unproductive in the sense that the NRC has failed to re-open its investigation of the incident to resolve the contradictions between the subjective assessments of its inspectors and the 2008 sworn testimonies of the operators.

5. DISCUSSION

"If responsibility is rightfully yours, no evasion, or ignorance, or passing the blame can shift the burden to someone else."

- Admiral Rickover

As summarized in Table 5 and as detailed in the sections below, the Callaway Plant licensed operators, Ameren, INPO and the NRC have all failed in various ways to live up to their public responsibilities with regard to the 2003-10-21 and 2005-06-17 events.

5.1 Callaway Plant Operators Misled NRC during Sworn Testimonies: Senior Reactor Operators at Callaway Plant claimed under oath that on October 21, 2003 they recognized the reactor shutdown which occurred when the turbine was taken off-line [Z, p. 23].

Based on the activities the crew was performing between 10:18 and 11:25, it was the determination of NRC Region IV that the operators were unaware of the passive reactor shutdown until the first SRNI energized [1] and therefore it can be inferred the NRC Region IV technical staff acknowledge that inaccurate information was provided by the Callaway Plant operators during their March and April 2008 sworn testimonies.

The operators failed to recognize the passive shutdown of the reactor they were monitoring because of knowledge errors: (1) they failed to recognize the buildup of ¹³⁵Xe was what was driving average coolant temperature below the Minimum Temperature for Critical Operations, (2) they failed to recognize that the temperature rise they were intending to effect by manually tripping the turbine would also cause the reactor to become substantially subcritical and, in the absence of any action to stop it, proceed below the Point of Adding Heat and into the source range, and (3) they failed to recognize that the 1.75% reactor power indicated by their ΔT instruments was entirely due to non-fission heat sources.


There are those who might criticize the operators for making such errors, but I am not among them. When doing an endeavor as complex as operating a nuclear reactor, knowledge errors on the part of humans will occur. The commission of knowledge errors requires remediation, not disciplinary action.

[Figure 4 plot not reproduced. Title: Logarithmic Plots of Total Power (ΔT) and Fission Power (IRNI) during the October 21, 2003 Downpower and Passive Reactor Shutdown. Horizontal axis: time of day, 0:00 to 13:00.]

Figure 4: Logarithmic plots of Total Power (as represented by ΔT instrument readings) and fission power (as represented by Intermediate Range Nuclear Instrument currents). On the main plot, note the offset which developed between 00:00 and 10:00 as IRNI currents lowered slightly more than core delta temperatures in response to the downpower. Part of this offset is due to an actual divergence and part is due to indication limitations. During the downpower, the programmed lowering of average coolant temperature affects neutron leakage and thereby the neutron signal reaching the IRNIs; this causes indicated fission power (e.g. IRNI currents) to lower more than actual fission power. Also during the downpower the weighted half-life length of the fission product inventory increases; this slightly buffers total power but does not affect fission power. Because of the offset developed by these effects, IRNI instruments cannot be scaled to give an accurate thermal power level. However, this does not prevent them from performing their primary task of indicating relative changes in fission rate across several decades of power during relatively short time frames (i.e. several to dozens of minutes). The inset graph displays the departure of total power and fission power as the Non-Fission Heat Rate (NFHR) and Point of Adding Heat (POAH) are approached. The NFHR is marked as a dashed green line on the plots and the POAH is marked by a dashed pink line.

However, concealing these knowledge errors from NRC investigators is something entirely different: it is dereliction of duty. The Senior Reactor Operators at Callaway Plant were derelict in their duty to (1) promptly insert the control banks once the alarm from the automatic energizing of the first SRNI alerted them to the fact that the reactor was in the source range, (2) document the incident in the plant's Corrective Action Program, and (3) honestly admit to their errors when interviewed by the regulators.

The utility management also failed to live up to their industry obligations by not sharing this significant Operating Experience through INPO.

Additionally, the US NRC did not submit a Demand for Information to the utility in order to resolve the discrepancies which exist between the testimonies provided it and the subjective determinations of their own inspectors.

The mistakes mentioned in the preceding paragraphs are not mere errors in knowledge or judgment; they are conscious decisions of individuals tasked with important responsibilities refusing to carry out those responsibilities to avoid having to admit to past mistakes.

It is important to note here, that no laws have been broken. The operators had a duty to promptly insert the control rods, but no legal requirement. The operators had a duty to document the incident but a literal reading of their procedures did not specifically require it. It is illegal for the operators to lie under oath, but the lies which they told are of a nature that they cannot be objectively proven - only subjectively inferred from the lack of reasonable explanation.

The utility's commitments to INPO -and to the public trust for that matter- are voluntary; Ameren has no legal requirement to admit mistakes for which no regulatory requirements were violated.

The regulator has the final say on what it will accept as closure to an investigation and need not re-open one just because a strong case can be made by a member of the public that it was not properly conducted.

Yet, individuals entrusted with the responsibility of conducting and regulating high consequence activities can certainly be derelict in their duties even when no laws have been violated.

Roy Zimmerman, the Director of the NRC's Office of Enforcement, often points out to colleagues "There is more to regulation than just enforcement." Enforcement of regulations which have not been violated may be impossible, but that does not mean nothing can be done. Information Notice 2011-02 is a prime example.

There was nothing requiring the preparation of IN 2011-02; it was prepared and issued because individuals at the NRC knew something should be done to send the message to the executives at Ameren that the operators at Callaway Plant made egregious errors on October 21, 2003 even if they did not violate any regulations. Yet more needs to be done.

The NRC has a duty to formally reprimand the operators whom it licenses when those operators demonstrate gross negligence and dereliction of duty.

R.5.1 Recommendation: The US NRC should issue a Demand for Information to Callaway Plant in order to obtain answers to the questions presented on Table 6.

If, once the NRC is able to satisfactorily state its positions to the questions on Table 6, the NRC believes the operators at Callaway Plant were either guilty of negligence or dereliction of duty, then the NRC should restrict them from licensed activities as appropriate.

5.2 Analysis and Evaluation of Operational Data (AEOD): The NRC is hobbled in its ability to do more than just enforce the letter of the regulations because it no longer has an office of experienced technical staff dedicated to analyzing and evaluating operational data. When AEOD was dissolved in 1999, the NRC lost its ability to have an independent second check on the work of the regional offices. It was the regions' job to enforce the regulations and AEOD's job to ensure the regulations were working. The regions had the detailed picture on day to day regulation, and AEOD probed the details to get the bigger picture.

Having an office dedicated to the Analysis and Evaluation of Operational Data allowed the NRC to be proactive in its regulations; that is, it enabled the NRC to respond to areas where degraded performance was detected instead of waiting for a seminal event to occur to which it could reactively respond.

R.5.2 Recommendation: As part of any new reactor research and funding legislation, the US Congress should require the establishment of an independent Office of Analysis and Evaluation of Operational Data to act as a complement to the NRC by ensuring that the NRC's reactor regulations and their enforcement are adequate for protecting the health and safety of the public.

5.3 Risk-Informed Regulations: The demise of AEOD in 1999 coincided with the development and introduction of the risk-informed Regulatory Oversight Process (ROP).

Although risk-informed regulations have many benefits,24 there are some instances in which risk calculations are irrelevant (e.g. demonstration of dishonesty or gross incompetence).

In every correspondence it produces regarding the October 2003 incident, the NRC makes a determined effort to note that there was no increased risk to the public during the incident [.Q] [1] [11] [23] [25] [27] [5]. Although risk - as measured in terms of typical at power Core Damage Frequency (CDF) - did not substantially increase during the incident, the failure of risk to increase is irrelevant because the issues at hand are competence and integrity.

The operators demonstrated gross incompetence by leaving the control rods at their critical rod heights for 40 minutes after becoming aware the reactor was in the source range. And the operators were dishonest when they misled the NRC Office of Investigations by claiming under oath that they were aware of the shutdown status of the reactor prior to the Source Range Nuclear Instruments energizing. There is no risk threshold below which incompetence and dishonesty on the part of NRC licensed operators is acceptable. The notion that demonstrations of dishonesty and incompetence can be ignored as long as they occurred during an incident which did not substantially increase the risk of core damage is contrary to Safety Culture principles.

24 For example, risk informed regulations allow both the utilities and the regulator to focus their resources on the defenses which have the greatest impact on lowering the risks of a nuclear accident.

R.5.3 Recommendation: Risk-informed screenings should not be done for excluding investigation of incidents involving potential instances of dishonesty or incompetency on the part of NRC licensed individuals or NRC licensed facilities.

[Figure 5 plot not reproduced. Title: Plot of Total Power (ΔT), Average Coolant Temperature (Tavg), Control Bank 'D' Rod Heights, and Intermediate Range Nuclear Instrument currents (IRNI) during the June 17, 2005 Passive Reactor Shutdown at Callaway Plant. Horizontal axis: time of day, 23:00 on June 16, 2005 to 1:00 on June 17, 2005.]

Figure 5: Late on June 16, 2005 Callaway Plant was shutting down for a forced outage; by 23:00 the reactor was around 33% power with turbine load lowering at nominally 30%/hour. At 00:07 on June 17, 2005 the reactor operators manually tripped the main turbine. Immediately following the turbine trip, Tavg rose 2.5°F (1.4°C) in a 35 second time period. Just like on October 21, 2003, the sharp spike in Tavg caused the reactor to inadvertently passively shut down. By 00:10 fission rate had already dropped to half its pre-turbine trip value when the operators were notified that the shutdown was no longer required. Unaware of the passive shutdown, the Reactor Operator withdrew control rods six steps at 00:19 and again at 00:21. Noticing that the reactor failed to respond as expected, at 00:25 the RO informed the CRS that the reactor had passively shut down. The crew began manually driving in the control rods at 00:39.

5.4 Safety Culture: As noted by the Institute of Nuclear Power Operations in its Principles for a Strong Safety Culture [36]:

Even though safety culture is a somewhat intangible concept, it is possible to determine, based on observable attributes, whether a station tends toward one end of the continuum or the other.

That is, by subjectively assessing objective facts (e.g. plant parameter data, control room log entries, statements made during sworn testimony) Nuclear Professionals can determine whether or not a utility adheres to the standards of the nuclear Safety Culture.

Since the determination of an adequate or inadequate nuclear Safety Culture is inherently subjective, it is left to the reader to review INPO's attributes of a strong Safety Culture and assess how Ameren's response to the October 21, 2003 event measures up to those standards. Refer to Table 7 for specific shortcomings in the utility's response.

The NRC has never cited Ameren for failing to implement an acceptable Safety Culture at Callaway Plant. Nor did the NRC mention Safety Culture in its information notice containing the 2003-10-21 event [5].

Although they do not use the term "Safety Culture", on October 24, 2007 the staff of the Missouri Public Service Commission provided a stern critique of a culture at Ameren which was "reckless" and placed financial goals over plant safety with regard to the 2005 Taum Sauk upper reservoir disaster [37]. It is the position of this paper that the same corporate culture that led to the 2005 Taum Sauk disaster exists in Ameren's nuclear division, but barring an event with a high risk score - or an actual reactor accident - the NRC is unlikely to commit the necessary resources to expose this culture. However, it is better to expose this culture before a serious incident, and low consequence events like the 2003-10-21 passive shutdown and the utility's response to it are opportune vehicles for the regulator to use to proactively expose and address poor Safety Cultures.

5.5 Operating Experience: In response to the Three Mile Island accident, the US NRC commissioned a Special Inquiry Group headed by Mitchell Rogovin. The report of this group made several observations on the shortcomings in the nuclear community's ability to share operating experience, both nationally and internationally, and ways for addressing those shortcomings:

It is clear to us that the systematic evaluation of operating experience cannot be undertaken entirely by individual utilities. ... We have concluded that the systematic evaluation of operating experience must be undertaken on an industrywide basis, both by the utility, which has the greatest direct stake in safe operations, and by the NRC. The utility industry has already put in motion plans to establish an Institute for Nuclear Power Operations (INPO), funded by all the nuclear utilities, that will undertake this task. Whether it will be successful remains to be seen. [38, p. 97]

That last sentence (i.e. " ... remains to be seen") conveys the skepticism that many industry observers had in 1979 regarding INPO. Many observers did not have faith that a voluntary industry consortium would be effective at improving the performance of the nuclear industry. After 33 years, most of these doubters are likely impressed by the performance of INPO. However, some of these same people will note that, despite INPO's successes, many of the concerns regarding its effectiveness are still valid.

Like most things in this world, you get out of INPO what you put into it. That is, a utility which conscientiously participates in INPO reaps the enormous benefits which the pooled resources of an industry consortium can provide. But a utility that merely nominally participates does not receive much benefit at all and regulatory initiatives delegated to INPO will go unfulfilled.

In deference to the suggestions of the Rogovin report, the TMI Action Plan required under Item I.C.5 that:

Each licensee will review its administrative procedures to assure that operating experience from within and outside, its organization is provided to operators and other operations personnel and is incorporated in training programs ... [3].

In March 1982 the NRC issued Generic Letter 82-04 decreeing that utilities automatically meet Item I.C.5 if they actively participate in INPO's Significant Event Evaluation and Information Network (SEE-IN). GL 82-04 noted:

The full potential of the SEE-IN program can be realized only if all utilities participate actively, both in furnishing event information to INPO and in taking corrective actions as necessary when potential problems have been identified as a result of INPO efforts.

Note the two stipulations:

5.5.A. furnishing event information to INPO

5.5.B. taking corrective actions as necessary when potential problems have been identified as a result of INPO efforts

With regard to the second item, in a 2007-01-12 letter the Institute of Nuclear Power Operations requested that the NRC cease inspecting whether or not utilities participating in INPO's nuclear operating experience network actually have been taking corrective actions as necessary when potential problems have been identified as a result of INPO efforts:

We believe it is inappropriate for inspectors to follow up on specific OE reports. [39]

In a 2007-04-27 response the NRC acquiesced to INPO's request [40]. So there is currently no inspection effort to ensure utilities actually incorporate operating experience from INPO into their training and other activities, as required to meet the requirements of GL 82-04.

Additionally, INPO's response to the 2003-10-21 event indicates that the requirement "utilities participate actively... by furnishing event information to INPO" is not always met and cannot be enforced; in January 2009 INPO was informed of the 2003-10-21 passive reactor shutdown by a Missouri state legislator yet has been unable to get Callaway Plant to actively participate in its Operating Experience network by submitting a report on the event [21].

There were individuals within the national nuclear enterprise who were never fully comfortable with the NRC delegating the compilation and evaluation of operating experience to a voluntary industry consortium (e.g. Mitchell Rogovin). For this reason, much emphasis in 1979 and 1980 was placed on the establishment of a NRC office specifically dedicated to the Analysis and Evaluation of Operational Data. When NRC cost cutting efforts in 1998 placed AEOD on the chopping block, part of the NRC's justification to dissolve its Office of Analysis and Evaluation of Operational Data was the notion that INPO alone could be entrusted with the evaluation of Operating Experience:

... INPO, which was created in 1979, now provides a strong, credible, and independent capability to evaluate operational experience and feed back lessons learned to licensees. As a result, the rationale for an independent AEOD of its current size is not as strong today as it was 20 years ago. [4, p. 2 of Attachment]

[Figure 6 plot not reproduced. Title: Plot of Total Power (ΔT), Average Coolant Temperature (Tavg), and Intermediate Range Nuclear Instrument currents (IRNI) for both the October 21, 2003 and the June 17, 2005 Passive Reactor Shutdowns. Horizontal axis: minutes after manual turbine trip, -3 to 30.]

Figure 6: Comparison of the critical parameter data from the 2003-10-21 and 2005-06-17 passive reactor shutdowns at Callaway Plant. The "dashed" data is the June 2005 data. Notice that for both shutdowns the reactor was in MODE 1 when the turbine was tripped and for both shutdowns the reactor went substantially subcritical due to a sharp spike in average coolant temperature caused by a momentary loss of steam demand as steam header pressure rose to the lift point of the condenser steam dumps. The Point of Adding Heat and a nominal -1/3 dpm start up rate were reached quicker for the October 2003 transient because the reactor was closer to the POAH when the turbine was tripped and because the negative reactivity insertion was larger due to a larger temperature spike.

Unfortunately the 2003-10-21 event has demonstrated that INPO, due to its voluntary nature, is not capable of ensuring all significant operating experience is reported and distributed. Just as in March 1979, the NRC is again in dire need of an office capable of comprehensively conducting analysis and evaluation of operational data and ensuring significant human performance errors are identified and addressed during non-consequential events (e.g. the 2003-10-21 passive shutdown) prior to leading to high consequence events.

6. CONCLUSIONS

"Any one detail, followed through to its source, will usually reveal the general state of readiness of the whole organization."

- Admiral Rickover

Operating events can be difficult to understand and investigate, especially when individuals seek to dishonestly cover up their mistakes. It is important that organizations have autonomous and technically competent oversight departments capable of independently re-investigating events for which the initial investigations were suspect.

Many utilities have this capability within their Quality Assurance departments, provided they are staffed with individuals qualified in event investigation techniques, or even have dedicated departments for processing operating experience, and they also have the ability to bring in industry peers or external contractors to assist with investigations. The NRC used to have the capability of independent oversight through its Office of Analysis and Evaluation of Operational Data. With the demise of AEOD, there is no longer any group of inspectors readily available to perform a "second look" at incidents which the highly burdened regional offices might have let "slide through the cracks".

Although the passive shutdown of a reactor plant is a relatively risk-insignificant incident, US NRC licensed operators recklessly leaving the control rods withdrawn to conceal the incident is extremely significant regardless of any risk calculations. Furthermore, the inability of the NRC to address this recklessness is not an aberration but rather an indication of flaws in its regulatory processes.

The regulatory system assumes that the corporations operating high consequence endeavors are managed and staffed by honest and competent people. The people at these corporations are the public's first line of defense - any indication of incompetence or dishonesty in the leadership of these corporations needs to be investigated and addressed.

An evaluation of the US NRC's response to incidents described in this paper would provide profound insights in how regulatory agencies respond to egregious events which do not violate current regulations. The regulators of high consequence industries need to be able to proactively learn from sentinel events which demonstrate gaps in their regulations before those gaps allow a more serious event.

7. REFERENCES

For references which are publicly available through the NRC's Agencywide Document Access and Management System (ADAMS) the document's Accession Number has been provided in parentheses (i.e. the designation beginning with an "ML" for all the applicable referenced documents). For references available through the United States' Freedom of Information Act (FOIA) the NRC's FOIA identifier has been provided.

[1] Letter from Elmo Collins to Representative Oxford (ML113220478), 2011-11-17 http://pbadupws.nrc.gov/docs/ML1132/ML113220478.pdf

[2] Letter from Criscione to Borchardt (ML12237A172), 2012-08-15 https://www.efis.psc.mo.gov/mpsc/commoncomponents/viewdocument.asp?DocId=935720296

[3] NUREG-0660, Vol. 1, NRC Action Plan Developed as a Result of the TMI-2 Accident (ML072470526), 1980-May http://pbadupws.nrc.gov/docs/ML0724/ML072470526.pdf

[4] SECY-98-228, Proposed Streamlining and Consolidation of AEOD Functions and Responsibilities (ML992870065), 1998-10-01 http://www.nrc.gov/reading-rm/doc-collections/commission/secys/1998/secy1998-228/1998-228scy.pdf

[5] NRC Information Notice 2011-02: Operator Performance Issues Involving Reactivity Management at Nuclear Power Plants (ML101810282), 2011-01-31 http://pbadupws.nrc.gov/docs/ML1018/ML101810282.pdf

[6] Letter from Vegel to Criscione (FOIA 2010-0227), 2010-02-26 http://xa.yimg.com/kq/groups/71591228/1931886124/name/2010 26 Vegel.pdf

[7] Testimony of David Lantz to NRC (FOIA 2009-0064, Exhibit 22), 2008-04-01 http://xa.yimg.com/kq/groups/71591228/1514427350/name/2008 01 Lantz.pdf

[8] Testimony of Gerald Rauch to NRC (FOIA 2009-0064, Exhibit 14), 2008-03-31 http://xa.yimg.com/kq/groups/71591228/977514733/name/2008 31 Rauch.pdf

[9] Testimony of Ardell Lee Young to NRC (FOIA 2009-0064, Exhibit 16), 2008-03-31 http://xa.yimg.com/kq/groups/71591228/1950119069/name/2008 31 Young.pdf

[10] Callaway Action Request 200702606, Shutdown for NN11, October of 2003 (ML12237A172), 2007-03-20 http://xa.yimg.com/kq/groups/71591228/1291276787/name/2007 03 20 CAR 200702606.pdf

[11] Petition Closure Letter to Lawrence S. Criscione Related to Requested Action Under 10 CFR 2.206 Regarding October 21, 2003 Event at Callaway Plant, Unit 1 (ML110140104), 2011-01-19 http://pbadupws.nrc.gov/docs/ML1101/ML110140104.pdf

[12] Callaway Action Request 200701278, Analysis of Past Reactor Shutdowns - RF15 Preparation Concerns (ML12237A172), 2007-02-10 http://xa.yimg.com/kq/groups/71591228/1284711188/name/2007 02 10 CAR 200701278.pdf

[13] email from Criscione to Adam Heflin (ML12237A172), 2007-11-13 http://xa.yimg.com/kq/groups/71591228/1287426167/name/2007 13 Heflin.pdf

[14] email from Criscione to Fadi Diya (ML12237A172), 2007-08-30 http://xa.yimg.com/kq/groups/71591228/778339094/name/2007 30 Diya.pdf

[15] email from Criscione to Fadi Diya (ML12237A172), 2007-10-01 http://xa.yimg.com/kq/groups/71591228/1814612038/name/2007 01 Diya.pdf

[16] email from Criscione to Ellis Merschoff (ML12237A172), 2007-10-30 http://xa.yimg.com/kq/groups/71591228/2122754980/name/2007 30 Merschoff.pdf

[17] email from Criscione to David Neterer (ML12237A172), 2007-06-01 http://xa.yimg.com/kq/groups/71591228/1750452912/name/2007 01 Neterer et al.pdf

[18] email from Criscione to Charles Naslund (ML12237A172), 2007-05-30 http://xa.yimg.com/kq/groups/71591228/682540558/name/2007 30 Naslund.pdf

[19] email from Criscione to David Hollabaugh (ML12237A172), 2007-05-14 http://xa.yimg.com/kq/groups/71591228/1383497660/name/2007 14 Hollabaugh.pdf

[20] email from Criscione to Elmo Collins (ML12237A172), 2011-06-03 http://xa.yimg.com/kq/groups/71591228/209466116/name/2011 03 Collins.pdf

[21] Letter from INPO to Jeanette Oxford, 2009-01-30 http://xa.yimg.com/kq/groups/71591228/1317034104/name/2009 01-30 INPO.pdf

[22] Report of Investigation 4-2009-043F - Exhibit 1 (FOIA 2010-0338), 2009-05-07

[23] Letter to Honorable Jeannette [sic] Mott Oxford Related to the 10/21/2003, Shutdown at Callaway Plant (ML12167A508), 2012-04-20 http://pbadupws.nrc.gov/docs/ML1216/ML12167A508.pdf

[24] Letter from Vegel to Criscione (FOIA 2012-0315), 2011-07-25 http://xa.yimg.com/kq/groups/71591228/848354320/name/2011 2 5 Vegel.pdf

[25] Non-Concurrence on NRC Information Notice 2011-02, Operators Performance Issues Involving Reactivity Management at Nuclear Power Plants (ML110420293), 2010-12-15 http://pbadupws.nrc.gov/docs/ML1104/ML110420293.pdf

[26] Letter from Criscione to Michael Peck (FOIA 2010-0109), 2007-03-01 http://xa.yimg.com/kq/groups/71591228/578877493/name/2007-03-01 RIV-2007-A-0028.pdf

[27] Letter from Harry Freeman to Criscione (FOIA 2010-0109), 2007-08-07 http://xa.yimg.com/kq/groups/71591228/1838061834/name/2007-08-07 RIV-2007-A-0028.pdf

[28] Office of Investigations Case No. 4-2007-049, Callaway Plant: Failure to Document a Temperature Transient by Control Room Personnel (FOIA 2009-0011), 2008-05-09

[29] Letter from Criscione to Bill Jones (FOIA 2012-0313), 2009-02-28 http://xa.yimg.com/kq/groups/71591228/1892149730/name/2009 28 Jones.pdf

[30] Letter from Criscione to Hubert Bell (FOIA 2012-0314), 2011-01-20 http://xa.yimg.com/kq/groups/71591228/540719371/name/2011 20 Bell.pdf

[31] Letter from Criscione to Bill Borchardt (ML103280306), 2010-09-17 http://xa.yimg.com/kq/groups/71591228/1850256512/name/2010 17 Borchardt.pdf

[32] Letter from Criscione to Bill Borchardt (ML101200401), 2010-04-27 http://pbadupws.nrc.gov/docs/ML1012/ML101200401.pdf

[33] Union of Concerned Scientists, Issue Brief, 2003 Segmented Shutdown at Callaway, 2010-11-02 http://www.ucsusa.org/assets/documents/nuclear power/2 01011 00-callaway-ucs-brief-segmented-shutdown-at-callaway.pdf

[34] Internal NRC emails Concerning October 2003 incident (ML12352A227), 2010-02-08 http://pbadupws.nrc.gov/docs/ML1235/ML12352A227.html

[35] Briefing Package for Drop-In Visit by Union Electric Company Official with NRC Staff on August 13, 2010 (ML11363A113), 2010-08-05 http://pbadupws.nrc.gov/docs/ML1136/ML11363A113.pdf

[36] Principles for a Strong Nuclear Safety Culture, INPO, 2004-November http://www.nrc.gov/about-nrc/regulatory/enforcement/INPO PrinciplesSafetyCulture.pdf

[37] Staff's Initial Incident Report [re: 2005 Taum Sauk Upper Reservoir Failure], 2007-10-24 http://psc.mo.gov/CMSinternetData/Electric/Taum%20Sauk%20Report%2010-24-07

[38] Three Mile Island, A Report to the Commissioners and to the Public, Rogovin et al., 1980-January www.threemileisland.org/downloads/354.pdf

[39] Letter from INPO to NRC (ML070260180), 2007-01-12 http://pbadupws.nrc.gov/docs/ML0702/ML070260180.pdf

[40] Letter from NRC to INPO (ML070940486), 2007-04-27 http://pbadupws.nrc.gov/docs/ML0709/ML070940486.pdf

[41] Callaway, Unit 1, Current Facility Operating License NPF-30, Tech Specs, Revised 6/27/2007 (ML053110040), 1984-10-18 http://pbadupws.nrc.gov/docs/ML0531/ML053110040.pdf

[42] NRC IN 92-39, Unplanned Return to Criticality during Reactor Shutdown (ML031200314), 1992-05-13 http://pbadupws.nrc.gov/docs/ML0312/ML031200314.pdf

[43] Report of The President's Commission on the Accident at Three Mile Island, Kemeny et al., 1979-October http://www.threemileisland.org/downloads/188.pdf

[44] NRC IN 97-62, Unrecognized Reactivity Addition during Plant Shutdown (ML031050177), 1997-08-06 http://pbadupws.nrc.gov/docs/ML0310/ML031050177.pdf

[45] Surry Power Station - NRC Integrated Inspection Report 05000280, 05000281/2005002 and 07200002/2005001 (ML051090591), 2005-04-19 http://www.nrc.gov/NRR/OVERSIGHT/ASSESS/REPORTS/sur 2005002.pdf

[46] Callaway Plant - NRC Integrated Inspection Report 05000483/2007003 (ML072140876), 2007-08-02 http://pbadupws.nrc.gov/docs/ML0721/ML072140876.pdf

[47] SOER (WANO - Significant Operating Experience Report) methodology and analysis, Ir. Rene Lauwers, BNEN - University of Ghent, 2009 http://lib.ugent.be/fulltxt/RUG01/001/418/781/RUG01-001418781 2010 0001 AC.pdf

Appendix

Technical Analysis of the October 21, 2003 and June 17, 2005 Passive Reactor Shutdowns at Callaway Plant

The intent of this appendix is to provide the technical background data and arguments for the claims made in the body of the paper. This appendix also is meant to serve as a reservoir of data for anyone wishing to analyze the reactivity management aspects of the October 21, 2003 and June 17, 2005 inadvertent passive reactor shutdowns. This appendix contains:

A.1. A description and analysis of the events on October 21, 2003.

A.2. A description and analysis of the events on June 17, 2005.

A.3. An analysis of the claims made by the operating crews as to why it took 107 minutes to insert the control banks following the passive shutdown of the reactor on October 21, 2003.

A.1. OCTOBER 2003 PASSIVE REACTOR SHUTDOWN

A.1.1 Background: At 07:21 on October 20, 2003 at Callaway Plant an electrical inverter (designated NN11) failed, causing one of its four instrument buses to de-energize. The plant's Technical Specifications permitted the plant to operate for up to 24 hours with only three instrument buses operable. If the faulted instrument bus could not be restored to service after 24 hours, the plant was required to shut down within the next 6 hours [41, p. 3.8-33, TS 3.8.7, Inverters - Operating]. In other words, workers had until 7:21 on October 21 to return the instrument bus to service or the reactor would have to be shut down by 13:21 that day.

Repairs were done to the inverter and at 00:37 on October 21, 2003 the inverter was placed back in service as a retest. The inverter again failed and the crew entered off-normal operating procedure OTO-NN-00001, Loss of Safety Related Instrument Bus. Forty-one minutes later (01:18), the crew exited this procedure. In order to ensure the plant could be shut down in an orderly fashion in the event that the inverter could not be repaired, at 01:00 on October 21, 2003 the operators began lowering turbine load at a nominal rate of 10%/hour (approximately 121 MWe/hr or 356 MWth/hr).

By 07:21 the inverter was still not yet repaired and the plant entered condition B of Technical Specification 3.8.7 which required that either the inverter be repaired within the next 6 hours (13:21) or the plant be in MODE 3 (Keff < 0.99). At this time, reactor power was just under 40% rated power and lowering at 10%/hour so, in a sense, the forced shutdown of the reactor was 2 hours ahead of schedule (i.e. the plant had 6 hours to shut down the reactor but the load reduction was proceeding at a pace that would support a reactor shutdown within 4 hours). Repairs were still being attempted to inverter NN11 because the forced shutdown of the reactor could be avoided if NN11 could be successfully returned to service prior to 13:21.


There was incentive to keep the reactor operating while workers attempted to repair the inverter before the deadline. If the reactor was shut down and then the inverter was repaired before 13:21, the Technical Specifications and operating procedures required many equipment tests to be performed prior to restarting the reactor. But if the reactor remained operating - even at very low power levels - when the inverter was repaired, it could be returned to full power without delay.

At 08:21 inverter NN11 was returned to service as a retest. The inverter again failed and the crew again entered the off-normal operating procedure for Loss of Safety Related Instrument Bus. It would take nearly 3½ hours for the crew to exit this procedure (11:37).

Analysis of this procedure shows that the actions needed to be performed were likely done by 08:35 with the exception of an equipment lineup of some components in the Auxiliary Feedwater System, which could not be immediately performed due to perceived higher priority activities (e.g. the equipment operator needed to perform the lineup was busy aligning steam plant components to support the plant down power and shutdown) [Jl, pp. 40-54]. When this procedure was performed earlier in the day at 00:37 it had only taken 41 minutes to complete, but during that part of the day the equipment operators did not have many tasks to perform and could immediately dedicate resources to do the valve lineup required to close the procedure.

As can be noted in Figures 1 and 3 and in Table A.1, the performance of the off-normal procedure for Loss of Safety Related Instrument Bus did not affect the ability of the operators to continue to perform the turbine load reduction while completing the procedure; however, the operators would later claim that the need to perform this procedure was the primary reason for the delay in inserting the control banks [7, pp. 16-18] [8, pp. 39-40]. During their investigation, the NRC "did not find that the implementation of either off-normal procedure prevented the control room operators from inserting the control rods at any time during the shutdown"25 [6, p. 4 of Enclosure].

A.1.2 Xenon Induced Temperature Transient: At 09:36 reactor power was at 9% and the shutdown was about 2½ hours ahead of schedule when the operators quit lowering turbine load. It is unclear why the operators attempted to stabilize the reactor at this point, but a legitimate reason for doing so would have been to give the electricians some additional time to repair the failed inverter (and thus possibly avoid having to shut down the reactor).

Table A.1: Noteworthy Activities on October 21, 2003 Prior to Temperature Transient

The "mark" column refers to the letter on Figure 3 which marks the activity/milestone in relation to the plant conditions which were present and the other activities performed.

mark | time | Activity/Milestone
A | 08:17 | Cooling Tower Blowdown removed from service to support Chemistry evolutions (see items I & J of Table A.3).
B | 08:21 | Inverter NN11 retested and failed. Crew entered off-normal procedure for "Loss of Safety Related Instrument Bus". The dip in Tavg on the graph of Figure 3 is due to the momentary opening of a Steam Generator Atmospheric Steam Dump when NN11 failed.
C | 08:33 | Control Room actions for "Loss of Safety Related Instrument Bus" completed except for an auxiliary feedwater valve line up assigned to the Equipment Operators (see item O of Table A.5).

25 The off-normal procedures being referred to are OTO-BG-00001, "Loss of Letdown" and OTO-NN-00001, "Loss of Safety Related Instrument Bus".


It should be noted that 9% power with the turbine on-line is an acceptable place to hold power on a Westinghouse 4-Loop PWR; the error made by the crew was not their attempt to hold power at 9% but rather their failure to recognize that the turbine load reduction had been counteracting some of the influence which 135Xe was having on reactivity (see Figure 1).

In order to maintain a relatively constant steam temperature, Callaway Plant was designed with a ramped average coolant temperature (Tavg); Tavg was programmed to lower 16.3°C (29.4°F) as turbine power lowered from 100% to 0%. Coupled with a negative Moderator Temperature Coefficient of reactivity (MTC), this lowering of Tavg with power inserted positive reactivity as the turbine load was lowered. Additionally, Callaway Plant has a negative power coefficient of reactivity due to, among other factors, less steam voids and a higher resonance escape probability as reactor power lowers. As can be seen on Figure 1, since beginning the turbine down power at 01:00 and since taking the watch around 07:00, both the night and the day crews had consistently needed to actively add negative reactivity to account for the positive reactivity being added as a result of the turbine down power.

Although the operators at Callaway Plant were at least partially trained on the effect 135Xe has during a reactor down power, they were unable to put theory to practice and recognize that, once they stopped adding positive reactivity through lowering turbine power, the negative reactivity still being inserted by the buildup of 135Xe would need to be countered with active additions of positive reactivity (i.e. either outward control rod movement, dilution of boron, or both).

Those who have never operated a nuclear reactor might fault the operators for their knowledge errors, but it is important to note that during this time period the crew was performing the mentally demanding tasks of coordinating the shutdown of the steam and reactor plants while tracking the progress of the repairs to the failed electrical inverter. At the time, the procedure they were using contained no guidance for what was required to stop the reactor down power at 9% power; the procedure implied that nothing was needed other than to merely steady turbine load at the desired hold point - which is what they did.

With steam demand steady at 9% and with reactor power lowering below 9% due to the buildup of 135Xe, the excess steam demand was met through a lowering of the bulk enthalpy of the reactor coolant, which caused reactor coolant temperature to lower (that is, the temperature of the reactor coolant lowered because the heat being produced by the reactor was less than the heat being removed by the steam plant).

The lowering reactor coolant temperature added positive reactivity which counteracted the negative reactivity added by xenon. After three minutes (09:39) an equilibrium26 was reached at approximately a 1% power mismatch (i.e. steam demand was 9% and reactor power was 8%); the 1% power mismatch was causing a 12°C/hr drop in average coolant temperature which in turn was adding positive reactivity equal to the negative reactivity being added by xenon. The crew did not recognize this and instead attributed the lowering average coolant temperature to some recently opened turbine drain valves which they believed had not fully shut [7, pp. 9-10] [!1 pp. 36-37] [2., pp. 13-15]. Table A.2 details the actions occurring during this xenon induced temperature transient.

26 That is, equilibrium in the sense that reactor power was no longer lowering. Note, however, that the plant was not operating at a steady state in that temperature was lowering. Reactor power was steady, yet not equal to steam demand.

Table A.2: Activities Occurring during the Temperature Transient

The "mark" column refers to the letter on Figure 3 which marks the activity/milestone in relation to the plant conditions which were present when the activity was being performed.

mark | time | Activity/Milestone
D | 09:36 | The crew stopped the generator load decrease at 9% rated reactor power. 135Xe buildup continued to reduce reactor power for another three minutes and stabilize at 8% rated reactor power, resulting in an ~1% power mismatch. The power mismatch caused Tavg to begin to lower and passively insert positive reactivity. This positive reactivity was inserted at a rate which matched the negative reactivity being inserted by the buildup of 135Xe, resulting in reactor power remaining stable at 8% rated power while temperature steadily fell at approximately 12°C/hour (about 22°F/hr). Control banks C and D were inserted 6 steps since, prior to stabilizing the turbine load, the trend in reactivity management was to occasionally actively insert negative reactivity to counteract the passive positive reactivity insertion resultant from the turbine load decrease and the programmed decrease in average coolant temperature. This was the last active insertion of negative reactivity for the next 2½ hours. It was at about this time that the operators placed the turbine drains in service per the Reactor Shutdown procedure. About a dozen minutes later the operators mistakenly believed that faulty turbine drains were the cause of the temperature transient [7].
E | 09:47 | Operators began adding water to the Volume Control Tank in order to dilute boron from the reactor coolant system to assist in mitigating the temperature decrease; however it does not appear they recognized that the temperature transient was being driven by the reactor plant (i.e. the buildup of 135Xe in the reactor's fuel rods). Instead their sworn testimonies indicate they believed the steam plant was driving the cool down (i.e. excess steam demand from faulted turbine drain valves) [7, pp. 9-10] [~ pp. 36-37] [~ pp. 13-15]. Also about this time the operators responded to the lowering reactor coolant temperature by performing an attachment to the Reactor Shutdown procedure for minimizing excessive cooling. One of the steps taken was to reclose the turbine drains. Indication was lost on the turbine drain valve hand switch (which controls 13 different drain valves) so the crew dispatched Equipment Operators to visually identify any valves which were not closing [7].
F | 09:59 | Letdown system automatically isolated on low Pressurizer water level; not all valves functioned properly. The crew enters the off-normal procedure for "Loss of Letdown". At about this time average reactor coolant temperature fell below 551°F (288.3°C), the reactor's regulatory Minimum Temperature for Critical Operations (MTCO).
F | 10:00 | Operators discontinued the water addition to the Volume Control Tank. For the next 2 hours, no active means were used to control reactivity. Operators recommenced lowering turbine-generator loading in preparation for taking the turbine off-line.
G | 10:13 | Operators manually tripped the turbine-generator at an average coolant temperature of 550.4°F (288°C) and 6% rated reactor power. The resultant rise in Tavg caused the reactor to go substantially subcritical. With no operator action, the reactor passively transited towards the source range with the reactor period shortening as the Point of Adding Heat (POAH) was approached.


R.A.1.2 Recommendation: Although reactor operators are trained on how xenon buildup affects reactivity and temperature, during the confusion of a forced de-rate it can be challenging to place theory into practice. Using plant data from previous shutdowns (or from this event if utility specific plant data is unavailable), utilities should ensure their processes for conducting load reductions and reactor shutdowns include "just-in-time" training for the operating crew on the effect xenon will have on reactivity and how the insertion of positive reactivity from the load reduction can mask that effect.

A.1.3 Loss of Letdown and Manual Turbine Trip: From 09:36 to 10:03 temperature lowered 5°C (9°F) which at 10:00 resulted in an automatic isolation of the reactor's letdown system (i.e. its purification and volume control system). The 5°C drop in temperature also resulted in Tavg lowering below the reactor's regulatory Minimum Temperature for Critical Operations.27 To assist in recovering average reactor coolant temperature, the operators manually tripped the turbine generator around 10:13 with the reactor operating at 6% rated power (214 MWth). With no steam demand to remove heat, the power still being generated in the reactor core caused the bulk enthalpy of the primary coolant to increase substantially: average coolant temperature rose 1°C (1.8°F) within 30 seconds and within 5 minutes rose more than 3.6°C (6.5°F).

A.1.4 Passive Shutdown of Nuclear Fission Reaction: As can be seen on Figure 2, the sharp rise in Tavg from 10:13 to 10:18 inserted enough negative reactivity to passively shut down the nuclear fission reaction; by 10:18 fission power had lowered to 1/6th of its value at the time of the turbine trip and a -163 second reactor period (-0.16 decades per minute Start Up Rate) had developed.

A.1.5 Failure of Operators to Recognize the Passive Shutdown: As fission power approached and dropped below the Point of Adding Heat (POAH) the operators took no action to actively shut down the reactor. Reactor power entered the source range around 10:39 (see Figure 2). Although the Shift Manager reported in sworn testimony to the US Nuclear Regulatory Commission that he was aware manually tripping the turbine would cause the reactor to passively shut down [7, p. 11], the NRC believes the failure of the operators to take any action to actively control reactivity indicates that the operating crew was unaware of the status of the nuclear fission reaction as the reactor passively shut down and lowered in power from the POAH to the source range [1, pp. 1-2 of Enclosure, items 2-4]. The activities being performed by the reactor operators indicate that they failed to notice the reactor had shut down:

10:34 Reactor Operator completed placing Cooling Tower Blowdown in service

10:34 Reactor Operator stopped the second of three intake pumps

10:38 Senior Reactor Operator (SRO) authorized the start of a trip point and calibration check on the Channel 2 Power Range Nuclear Instrument (PRNI)

10:48 Reactor Operator completes raising letdown flow from 75 to 120 gpm (4.7 L/s to 7.6 L/s)

11:01 Reactor Operator stopped the second of three condensate pumps

11:14 SRO authorizes the start of a trip point and calibration check on the channel 3 PRNI

It is unlikely that, had the Senior Reactor Operators (SROs) realized the reactor was transiting into the source range with its control rods still at their critical rod heights, the SROs would exercise such fundamentally bad judgment as to prioritize the ancillary tasks listed on Table A.3 over actively driving the reactor to a shutdown condition by inserting the control banks.

27 The Minimum Temperature for Critical Operations (MTCO) at Callaway Plant is 551°F (288.3°C). As the reactor coolant entering the reactor lowers in temperature, more neutrons are shielded from the Power Range Nuclear Instruments (PRNIs). Below the MTCO, the shielding effect is great enough that the PRNIs might not properly respond to power excursions. Callaway Plant is allowed to operate below the MTCO for 30 minutes provided that (1) efforts are underway to restore Tavg above the MTCO and (2) those efforts are likely to be successful. On 2003-10-21 Callaway Plant was operated below or near the MTCO for 15 minutes. Being below the MTCO is what led to the decision to manually trip the turbine-generator. That is, the operators manually tripped the turbine-generator at 10:13 in order to restore Tavg above the MTCO and allow the reactor to remain critical while repairs to inverter NN11 continued.

A.1.6 Negligently Relying on Xenon-135: In their 2008 sworn testimonies [7] [a] the SROs claim that, prior to manually tripping the turbine-generator, they were aware the reactor would shut down following the turbine trip and would remain shutdown due to the continual buildup of 135Xe. They further claim that the reason it took them so long to insert the control rods is because they needed to complete (1) all the off-normal procedures they were performing, (2) the shutdown of secondary and tertiary plant equipment and (3) the performance of required surveillance procedures (e.g. trip point and calibration checks) on the Power Range Nuclear Instruments (PRNIs).

The items listed above in section A.1.5 came from the control room logs. These are the items which, from 10:18 to 11:25 supposedly took precedence over inserting the control rods. An analysis of each of the items is provided in the subsections immediately below. It is the position of this paper that not only do none of the below items justify the delay in inserting the control rods, but their presence indicates there was nothing delaying the insertion of the control rods. That is, if control room conditions were such that licensed operators could be dedicated to performing the ancillary tasks below, then conditions were such that a licensed operator could have been spared to insert the control banks.

Table A.3: Activities Occurring While Reactor Power Lowered into the Source Range

The "mark" column refers to the letter on Figure 3 which marks the activity/milestone in relation to the plant conditions which were present and the other activities performed.

mark | time | Activity/Milestone
H | 10:18 | The operators placed a 75 gpm letdown orifice in service and exited the off-normal procedure for "Loss of Letdown". Having re-established adequate letdown, in order to optimize plant chemistry by raising letdown flow from 75 gpm to 120 gpm the Control Room Supervisor assigned the Reactor Operator the task of placing the 45 gpm letdown orifice in service per the normal operating procedure.
H | 10:19 | For unstated reasons, the operators raise the lift setpoint of the condenser steam dumps, causing Tavg to begin to rise from 557°F to 560°F and further lower Keff.
I | 10:23 | Approximate time fission power lowered below the Point of Adding Heat (POAH) as indicated by total power (e.g. the ΔT instruments) leveling out as fission power (e.g. the IRNI currents) continued to lower exponentially. A nominal -1/3 dpm SUR developed at this point due to the absence of temperature-reactivity feedback (i.e. non-fission heat sources were able to maintain temperature as fission power lowered, so a lowering of fission rate did not cause a corresponding lowering of temperature and a subsequent insertion of positive reactivity). As reactor power passively lowered towards the source range, the licensed operators were assigned normal procedure tasks for placing cooling tower blowdown in service (which had been removed from service at 08:17) and for stopping an intake pump (two intake pumps were originally running but, with the reduced evaporation rate due to the load reduction, one pump could now be removed from service).
J | 10:34 | Licensed operators completed assignments for placing cooling tower blowdown in service and lowering intake flow (see item I).

A.1.6.1 Intake Pump: Callaway Plant sits on a plateau and has three intake pumps which pump water from the Missouri River up the plateau to a water treatment plant which serves as a source of make-up water to the cooling tower basin. As turbine load is lowered, the evaporation rate from the cooling tower lowers and less make-up water is required; if a full complement of intake pumps (2 of the 3 pumps) had been left running, then excess water would have been sent to the water treatment plant only to be discharged back down the hill to the river. The intake pumps are large industrial pumps and stopping unnecessary intake pumps reduces the in-house electrical usage of the plant resulting in the utility using less of its own electricity and thereby having more to sell. At 10:34 it appears there was nothing driving the need to remove the intake pump from service other than a desire to conserve electricity. Nothing is mentioned in the operators' testimonies as to why stopping an intake pump needed to take precedence over inserting the control banks, but if there was a pressing need which prioritized placing the intake plant above actively controlling the fission reaction in the reactor core, then instead of informally relying on 135Xe to maintain the reactor subcritical the operators should have tripped the reactor.

A.1.6.2 Cooling Tower Blowdown: The Cooling Tower Blowdown System at Callaway Plant removes a portion of the water from the basin of the cooling tower and sends it back to the Missouri River. This is done in order to prevent the buildup of sludge in the cooling tower basin due to the continual evaporation of river water. This system was taken out of service at 08:17 to support Chemistry evolutions at the cooling tower. The system is required for the long term health of the cooling tower and delaying its return to service by 10 minutes (i.e. by the amount of time it takes to insert the control banks) would not have appreciably affected water quality at the cooling tower.

A.1.6.3 PRNI Surveillances: There are four Power Range Nuclear Instruments at Callaway Plant which provide high flux reactor trip signals to the Reactor Protection System. The trip points for these signals need to be adjusted at low power levels because colder water in the reactor vessel makes the PRNIs less sensitive to high neutron fluxes.

These instruments are taken out of service one at a time to perform these adjustments. As evidenced by the facts that the channel 4 PRNI was being calibrated during the control bank insertions and the channel 1 PRNI was not calibrated until after the control bank insertions, calibration of these instruments was neither something that prohibited the insertion of the control rods nor something that needed to be done prior to the insertion of the control rods.

A.1.6.4 Letdown Flow: From 10:18 to 10:48 the Reactor Operator was busy placing the 45 gpm letdown orifice in service. The letdown system was considered restored to service at 10:18 when a 75 gpm orifice was placed in service using the off-normal operating procedure for Loss of Letdown. At 10:18 the off-normal procedure was exited and, using the normal operating procedure, the 45 gpm orifice was placed in service in order to increase letdown flow from 75 to 120 gpm. This is done to maximize flow through the reactor's Chemical and Volume Control system (i.e. its purification system).


Although cleaning contaminants from the reactor coolant is important for the long term health of the plant, delaying the addition of the 45 gpm orifice by 10 minutes would not have appreciably affected water quality in the reactor plant.

A.1.6.5 Condensate Pump: Callaway Plant has three condensate pumps, all of which are necessary for the steam plant to operate at 100% power. During load reductions, the condensate pumps are shut down once they are no longer needed. At 11:01 the reactor operators reduced the number of running condensate pumps from two to one since, with the steam plant at 1.75% capacity, running more than one condensate pump was a waste of electricity.

A.1.6.6 Negligence or Ignorance: The determination of negligence is subjective. The position of this paper is that if the operators' sworn testimony is to be believed - that is, if it is believed the operators were aware the reactor had shut down shortly after the manual turbine trip - then it was gross negligence for them to prioritize the ancillary activities detailed above over their fundamental duty of actively controlling the nuclear fission reaction by inserting the control banks.

The reason that insertion of the control banks should have taken precedence over aligning balance of plant equipment is simple: the factors that passively took the reactor subcritical (i.e. xenon buildup and temperature increase) could change with the result that the reactor core re-attains a nuclear chain reaction without operator knowledge or control.28 For example, the positive reactivity added from a temperature drop of only a few degrees could have restarted the reactor.

Preventing the uncontrolled and undesired restart of a reactor core has to come before shutting down intake and condensate pumps, but it did not in this event. As expounded upon below, the position of this paper is that the operators - despite their sworn testimony to the contrary - were ignorant of the fact that the reactor had shut down following the turbine trip rather than negligent in their response to it.

Table A.4: Activities Occurring in Source Range with no SRNIs Energized

The "mark" column refers to the letter on Figure 3 which marks the activity/milestone in relation to the plant conditions which were present and the other activities performed.

mark | time | Activity/Milestone
K | 10:39 | IRNI traces leveled off indicating that most Delayed Neutron Precursors (DNPs) had decayed and neutron population was now being determined by source neutrons and subcritical multiplication. A slight negative startup rate remained (-0.07 dpm) as the continual buildup of 135Xe lowered subcritical multiplication.
L | 10:48 | The Reactor Operator completed placing the 45 gpm letdown orifice in service per the normal operating procedure (see item H of Table A.3).
M | 11:01 | The second of three condensate pumps was removed from service. The basis for this step is to minimize "house" electric loads. While performing this activity, the crew was operating in the source range with: (1) no SRNIs energized, (2) the control rods still at their last Critical Rod Heights and (3) no formal calculation completed to verify 135Xe levels were sufficient to prevent an inadvertent reactor restart during postulated dilution or cooldown events.
N | 11:25 | The Channel 2 Source Range Nuclear Instrument energized with an initial reading of 3044 cps. This caused the SR HI VOLT FAIL alarm (window 77E) on the main control board to annunciate.

28 For examples of this, see the events at Cruas in 2006, Surry in 2005 [45], Zion in 1997 [~, Grand Gulf in 1991 [§l], Big Rock Point in 1991 [§l], and Monticello in 1991 [42].

When questioned by the NRC, the operators were unwilling to admit that they had lost situational awareness by failing to realize the reactor had shut down. Instead, they claimed that (1) they recognized the passive shutdown of the reactor would occur once the turbine was tripped and (2) they consciously relied on 135Xe to keep the reactor from restarting while they completed ancillary tasks.

The NRC might not be able to prove they were lied to, but they can certainly take the operators' sworn statements at their words. As mentioned above, it is the position of this paper that the operators' claims amount to gross negligence. As the body which issues licenses to the operators of US commercial reactors, the NRC presumably has a process for removing the licenses of operators who, by their own sworn testimonies, demonstrated they behaved in a manner which was grossly negligent.

R.A.1.6.6 Recommendation: Nuclear utilities should ensure that their reactor operators understand that (1) actively controlling the nuclear fission reaction is one of their fundamental duties, (2) they are negligent of this duty if they prioritize ancillary tasks over this duty, and (3) they should only intentionally rely on passive effects (e.g. 135Xe buildup) as the primary means to keep the nuclear fission reaction from restarting when those effects have been formally analyzed by an authorized process (e.g. a Shutdown Margin calculation).

A.1.7 Failure to Use IRNIs: To understand how the operators could be unaware of the passive shutdown of the nuclear fission reaction, it should be noted that the Intermediate Range Nuclear Instrument (IRNI) current traces of Figures 2 & 3 - which so obviously show reactor power lowering below the POAH and entering the source range - were not the main indication of reactor power which the operators were in the habit of using. The main indications of reactor power used by the operators were the core ΔT instruments (primary calorimetric), the Power Range Nuclear Instruments, and a digital display of the thermal megawatts entering the steam plant (secondary calorimetric). From the POAH onward, these instruments indicated a stable reactor power level of around 1.75% rated reactor power.29 Although the IRNI currents and Start Up Rate (SUR) were available to the operators and should have been understood to be the best indications of reactor power near the Point of Adding Heat, these were not the primary instruments which the operators preferred to use for monitoring reactor power:

A.1.7.A. The IRNIs are logarithmically scaled which results in minimal needle movement for most power changes

A.1.7.B. The IRNIs are calibrated in units of ion chamber amps which cannot be readily converted to absolute power levels (see Figure 4)

It is the NRC's analysis that from 10:23 to 11:25 the operators believed the reactor was critical and maintaining a stable power level of 1.75% reactor power [1]. The operators still had until 13:21 to shut down the reactor per the failed inverter timeline, so maintaining the reactor at low power would allow them to swiftly return the reactor to full power if workers successfully repaired the inverter in time. In addition, because the operators mistakenly believed the reactor was still critical and operating at low power, they felt no need to fully insert the control banks during this period to prevent an uncontrolled restart of the reactor.

29 Since, by definition, once below the Point of Adding Heat the reactor was not producing enough fission heat to appreciably affect plant parameters (e.g. temperature and steam generation), as fission rate lowered more than ten thousand fold there was no noticeable change in heat production or temperature. Therefore any instrument which calorimetrically measures power (e.g. the core ΔT instruments and the thermal megawatt computer points) would have been unaffected by the lowering fission rate.

R.A.1.7 Recommendation: Nuclear utilities should ensure their turbine load reduction procedures contain instructions to commence regularly monitoring Intermediate Range Nuclear Instruments prior to removing the turbine-generator from service.

A.1.8 Fission Power in the Source Range with no SRNIs Energized: Inserting the control banks lowers subcritical multiplication about half a decade (see Figure 3). So an Intermediate Range Nuclear Instrument (IRNI) current which would normally indicate the high end of the source range with the control banks fully inserted would be about half a decade larger with the control banks at their critical rod heights.

At Callaway Plant the Source Range Nuclear Instruments (SRNIs) receive power through relay contacts driven by bi-stables on the IRNIs. During a reactor shutdown, these bi-stables automatically energize the SRNIs at an IRNI reading of nominally 5E-11 ion chamber amps (ica). Typically, with the control banks fully inserted IRNI current readings should be around 5E-11 ica when the source range is entered. However, on October 21, 2003 the source range was entered with the control rods at their critical rod heights, and therefore the IRNIs were reading closer to 1E-10 ica when reactor power first entered the source range. As a result, the SRNIs did not automatically energize upon entry into the source range (10:39).

It took over 45 minutes of 135Xe buildup for subcritical multiplication to lower to the point at which the channel 2 IRNI automatically energized the channel 2 SRNI (11:25), and it took nearly an hour for the channel 1 IRNI to automatically energize the channel 1 SRNI (11:38). As a result, the reactor was in the source range for 45 minutes with none of the protections³⁰ afforded by the SRNIs:

A.1.8.A. Visual indication of neutron flux and Start Up Rate which is a hundred times more sensitive than the IRNIs at low count rates

A.1.8.B. An audible neutron count rate which quickly alerts the operator to changing core conditions

A.1.8.C. A "flux doubling" circuit which provides protection against inadvertent dilutions and cool downs while the reactor is still subcritical

A.1.8.D. A neutron flux trip that is set five decades lower than the trip on the IRNIs

A.1.9 Recognition of Reactor Power in Source Range: At Callaway Plant, the SRNIs are designed to automatically de-energize as 10% reactor power is exceeded. When reactor power lowers below 10% rated power, the SRNIs can be manually re-energized; this is signaled by the alarm window 77E, Source Range High Voltage Failure, coming into alarm on the reactor's Main Control Board.

As mentioned in section A.1.8, the SRNIs automatically re-energize when their associated IRNI channel passes below 5E-11 ica. When a SRNI channel re-energizes, alarm window 77E flashes and audibly annunciates to indicate one of the input channels feeding the alarm has cleared. So at 11:25 on October 21, 2003 when the channel 2 SRNI automatically energized and alarm window 77E audibly annunciated, the operating crew should have all been aware that the reactor was operating in the source range (i.e. shutdown) with its control bank rods still at their last critical rod heights.

30 The items listed are specific to Callaway Plant. Other Pressurized Water Reactors may have similar protections.

At 11:38, alarm window 77E again audibly annunciated when the other (i.e. the channel 1) SRNI automatically energized and caused the alarm to clear. The reactor operators made a log entry stating the SRNIs had energized. Although the preceding and following log entries indicate that this entry was made between 11:42 and 11:51, for unexplained reasons the operators annotated it as occurring at 11:34.

No one (i.e. neither I, the NRC, the utility, nor the operating crew) disputes that the operators were fully aware of the status of the reactor once the first SRNI energized. From 11:25 onward, the operators were consciously aware that the reactor was in the source range with its control rods still at their critical rod heights.

There is no advantage to operating in the source range with the control banks still withdrawn. Once reactor power has fallen into the source range it cannot procedurally be recovered without performing the Reactor Startup Procedure which, at Callaway Plant, can only be performed from the starting point of all Control Bank rods fully inserted. Once it is recognized that reactor power is in the source range, there is no honest explanation for why the control rods would be left withdrawn.

A.1.10 Unexplained Delay in Inserting the Control Banks: Table A.5 contains a record of actions being performed by the reactor operators during the 40 minutes from 11:25 to 12:05. Note that during this entire time the operators were aware that the reactor was operating in the source range with its control rods still at their last critical rod heights.

Table A.5: Noteworthy Activities Performed with at least one SRNI energized but with the Control Banks still at their Critical Rod Heights

The "mark" column refers to the letter on Figure 3 which marks the activity/milestone in relation to the plant conditions which were present and the other activities performed.

| mark | time | Activity/Milestone |
|---|---|---|
| O | 11:34 | The auxiliary feedwater surveillance required to exit the off-normal procedure for "Loss of Safety Related Instrument Bus" was completed and delivered to the Control Room Supervisor (see items B & C of Table A.1). |
| | 11:37 | The crew exited the off-normal procedure for "Loss of Safety Related Instrument Bus" (see items B & C of Table A.1). |
| | 11:38 | The Channel 1 SRNI energized with an initial reading of 2593 cps. This should have caused the SR HI VOLT FAIL alarm (window 77E) on the main control board to annunciate as the alarm cleared. |
| | 11:40 | The motor driven Start Up Feed Pump was started in preparation for removing the final turbine driven main feed pump from service. |
| P | 11:42 | The reactor operators commenced a Containment Mini purge. The Shift Technical Advisor commenced a Shutdown Margin Calculation. This calculation was not completed and reviewed until 12:55. From 10:13 (when the Shift Manager claims he recognized the reactor would go subcritical) to 12:05 (the time control rod insertion commenced) the crew was informally relying on 135Xe to ensure that sufficient shutdown margin was present to prevent an inadvertent reactor restart in the event that an unplanned dilution or cooldown were to occur. |
| Q | 11:51 | The operators removed the last turbine driven main feed pump from service. |
| R | 12:05 | The operators began inserting the control banks. |

None of the items listed on Table A.5 explain why it took 40 minutes for the operators to insert the control banks. In fact, if anything, the items listed on Table A.5 indicate the operators had ample time to insert the control banks. For example, at 11:42 the reactor operators completed aligning the ventilation system in order to commence purging the containment atmosphere to support a containment entry later in the day. Aligning this equipment is an involved process which takes about a dozen minutes for a reactor operator to do. Similarly, from 11:40 to 11:51 (eleven minutes) a reactor operator was swapping the feed system from using the turbine driven feed pumps to using a motor driven feed pump - an operation which needed to eventually be done (i.e. within a day) to prevent the plant from cooling down as the decay heat load dropped but which certainly could have been delayed until after the control banks were inserted.

As can be seen from Figure 3, it only takes 10 minutes to insert the control banks. The activities indicated by item P of Table A.5 show that there were at least two reactor operators assigned to tasks of lesser importance who could have been utilized to insert the control banks. A detailed analysis of the activities mentioned on Tables A.1 through A.5 can be found in the 2010-09-17 letter to the NRC Executive Director for Operations (EDO) [31] and in the NRC's response to that letter [11 pp. 26-65 of Enclosure 1 and slides 1-69 of Enclosure 2].

It should be noted at this point that Callaway Plant's Outage Control Center was expecting the reactor to be shut down around noon if it did not appear the repairs to inverter NN11 could be completed before the 13:21 deadline dictated by the plant's Technical Specifications. Had the operators inserted the control banks prior to noon, they would have had to explain to the OCC why they were prematurely shutting down the reactor.

Such an explanation would invariably lead to the operators having to admit that they had inadvertently allowed the reactor to passively shut down while tripping the turbine and had failed to recognize it for over an hour.

Based on the objective data in the references (e.g. the plots of plant parameters, the entries made in the logbooks, the sworn testimonies of the operators, the requirements in the plant's various procedures) it is evident that the operators delayed inserting the control banks in order to cover up the inadvertent passive reactor shutdown from their management:

A.1.10.A. The NRC has determined that the operators were unaware of the status of the reactor from 10:18 to 11:25; yet, despite the evidence to the contrary, the operators have consistently claimed that they were consciously aware that the reactor was shut down.

A.1.10.B. The crew chose not to document the inadvertent passive reactor shutdown even though it clearly was a significant incident.

A.1.10.C. The NRC found no indication that anyone else - other than the operators in the reactor's Main Control Room - was aware of the passive shutdown of the reactor. At 12:05, when the plant's upper management was made aware that the control banks were being inserted, they would have had no reason to suspect that, instead of being used to actively shut down the reactor, the control banks were being inserted into a reactor core which had passively shut down nearly two hours earlier.

A.1.10.D. The 40 minute delay (from 11:25 to 12:05) was not satisfactorily explained by the operators during their testimonies.³¹

A.1.11 Consciously Relying on Informal Estimations of Xenon-135: In 2003, Callaway Plant had a computer-based calculation called Xenon-Predict which, using approximated past and future power levels, estimated 135Xe levels. They also had a completely separate computer-based calculation for determining Shutdown Margin (SDM).

The Xenon-Predict was used to assist the reactor operators in maintaining the reactor in a critical state; whereas the SDM calculation assisted the reactor operators in ensuring the reactor does not inadvertently return to a critical state.

The Xenon-Predict aids the operator in staying ahead of 135Xe reactivity by enabling the operator to estimate the rate of xenon reactivity change and proactively dilute boron in response. Towards the end of the fuel cycle Callaway Plant requires significant additions of water to effect meaningful reduction in boron concentrations and the Xenon-Predict assists the operator in using dilutions to compensate for long term trends in xenon thereby freeing the use of control rods for responding to changes in reactor average coolant temperature.

The SDM calculation ensures that there is enough reserve negative reactivity present to prevent the reactor from inadvertently returning to a critical state during a postulated dilution or cooldown event. Although the reactor operators could tell from the Xenon-Predict that over the next several hours xenon levels would be increasing, until they completed the Shutdown Margin calculation they had no way of knowing whether or not there was enough xenon present to overcome the positive reactivity which could be inserted by a postulated cooldown or dilution.

In their sworn testimony to the Nuclear Regulatory Commission the operators acknowledge that they were relying on the continual buildup of 135Xe to keep the reactor shutdown [Z, p. 13 & 17]. What is not mentioned is how they were confident xenon levels would be sufficient and why, given their stated reliance on xenon, they did not commence a Shutdown Margin calculation until 85 minutes after they began relying on 135Xe for maintaining the shutdown.

31 See section A.3 and the references for a broader discussion of these 40 minutes. Starting on line 22 of page 19 of the Shift Manager's testimony [1, pp. 19-20] there is a discussion of an update brief that was held prior to inserting the control banks. As those who have operated reactors can attest, update briefs can be extremely important to get the operating crew aligned for complex evolutions. It is not the intent of this paper to in any way minimize the importance of briefs. However, inserting the control banks into a reactor core that has been in the source range for over an hour is not a complex evolution.

When referencing the Shift Manager's testimony, imagine yourself in his position. Imagine discussing the items listed in his testimony while the reactor is in the source range with its control rods still at their critical rod heights and with no formal calculation in place to show that 135Xe levels are adequate to maintain the reactor subcritical. Although the operators do explain the 40 minute delay in their testimony, their explanations defy common sense. The brief described by the Shift Manager in all likelihood actually did occur, but its purpose may not have been to align the crew for the task of inserting the control banks. Its purpose could have been to delay the insertion of the control banks until after noon in order to avoid having to explain to the Outage Control Center why the reactor was being shut down prematurely.

A Shutdown Margin calculation was not commenced by the Shift Technical Advisor until 11:42 and not completed until 12:55. After the Shift Technical Advisor (STA) determined the amount of boron needed to meet Shutdown Margin, the crew spent the next 90 minutes adding over 3600 gallons (14 kL) of boric acid to the Reactor Coolant System. This equated to over 100 kg of boron. Note that these 100 kg of boron were needed to maintain SDM with the control banks inserted whereas, prior to 12:05, 135Xe levels were being relied upon with 100 kg less boron and with the control banks still at their last critical rod heights. As a comparison, only about 6 kg of boron had been added during the load reduction to support the reactor in lowering 100% in power and 16°C in temperature.

A.1.12 Failure of Crew to Document Events: The plant's Corrective Action Program required that significant operational transients be documented with condition reports. Yet the operators never wrote condition reports to document the 5°C uncontrolled drop in average coolant temperature which occurred from 09:36 to 10:00 or the inadvertent passive shutdown of the reactor which occurred between 10:13 and 10:18.

The crew mistakenly believed that the 5°C temperature transient was the result of faulty turbine drain valves and as a result initiated a work request to troubleshoot and repair the valves [.8., p. 49]. Additionally, when the letdown isolation occurred at 10:00, there was an isolation valve which did not function properly. This was documented with a condition report [L p. 31]. However, nowhere in the condition report was it documented that the letdown isolation had been the result of a 5°C uncontrollable drop in temperature which occurred over a 25 minute time frame and resulted in Tavg falling below the Minimum Temperature for Critical Operations. The position of this paper is the crew did not document the letdown isolation with a condition report because they did not wish to bring attention to the event.

Thirty-eight days after the event, an Engineering Department trainer, who was including the letdown isolation event in a lesson plan he was preparing, recognized that the event was never documented with a condition report and wrote one (CAR 200308555) to document the event [L pp. 33-35].

CAR 200308555 was assigned to the crew to resolve. In their resolution, the crew blamed the letdown isolation on faulty turbine drain valves and appear to have never recognized that the temperature transient which led to the letdown isolation had been caused by their failure to adequately compensate for 135Xe. Had the temperature transient and letdown isolation been documented by the operators, it is possible that the group assigned to review the condition report would have recognized that the cause of the temperature transient was the failure of the operators to compensate for the buildup of 135Xe. It is also possible that the reviewers would have noted that Tavg fell below the Minimum Temperature for Critical Operations and that the operators had failed to log the incident and had failed to enter the appropriate Technical Specification.

More significantly, the operators failed to write a condition report documenting the inadvertent passive reactor shutdown. In their testimony they indicated that the passive shutdown was not inadvertent [Z, pp. 12-13], which would explain why they did not document it. It is the position of this paper that the passive reactor shutdown was unintended and that it was not documented because the operators wished to conceal it.³²

32 Author's Note: A reviewer of a draft of this paper indicated that it is possible the operators failed to document the passive reactor shutdown because they failed to recognize its significance. While this is possible, it does not explain why 4½ years later the operators claimed in sworn statements that the reactor had not inadvertently been allowed to passively shut down [Z] [~] [2]. The totality of the evidence (e.g. the failure to document the passive shutdown in 2003, the failure to internally investigate it in 2007, the failure to admit to it in 2008, and the continued failure to submit a report on it to INPO) indicates that the operators and their utility are consciously striving to conceal and minimize this significant human performance event. Their actions to conceal this event are much more troubling than the event itself.

R.A.1.12 Recommendation: Following failures of the Unit 1 reactor at Salem nuclear plant in New Jersey to automatically trip in February 1983 when plant conditions warranted it, the NRC issued Generic Letter 83-28, "Required Actions Based on Generic Implications of Salem ATWS Events," to all plant owners. Among other things, it required owners to take steps to formalize and upgrade post-trip reviews of unscheduled reactor shutdowns to verify that plant equipment responded as expected. These reviews should be expanded to cover all unplanned reactor shutdowns, not just those involving automatic reactor trips.

A.2. JUNE 2005 PASSIVE REACTOR SHUTDOWN

At 13:02 on June 16, 2005, one of Callaway Plant's Main Steam and Feedwater Isolation Actuation cabinets (SA075B) was declared inoperable due to a failed power supply and the plant entered a 6 hour Tech Spec action statement to either restore the cabinet to an operable status or commence shutting down the plant. By 19:02 SA075B had not been restored and the plant commenced lowering reactor power in preparation for shutting down the reactor. Per the plant's Technical Specifications, by 01:02 on June 17, 2005 either the reactor needed to be subcritical with Keff less than 0.99 or SA075B needed to be operable. SA075B was restored to an operable status by 00:10 on June 17, 2005, but, unbeknownst to the operators, the reactor had passively shut down three minutes earlier (00:07). See Figure 5 for a description of the June 17, 2005 inadvertent passive reactor shutdown.

Had the reactor not passively shut down at 00:07 on June 17, 2005, it is possible Callaway Plant could have successfully returned to power and avoided a forced shut down. It took the plant 31 hours to return to MODE 1 (i.e. greater than 5% power) which equates to a loss of 37.5 GW-hrs of electricity generation. As can be seen on Figure 6, the October 21, 2003 and June 17, 2005 passive reactor shutdowns were both caused by a sharp rise in Tavg upon tripping the turbine-generator. Had the October 21, 2003 passive reactor shut down been documented and analyzed with appropriate lessons incorporated into operating procedures and training, it is possible the June 17, 2005 passive reactor shutdown could have been avoided.

The traces on Figure 7 demonstrate how Temperature-Reactivity significantly degrades as 5% reactor power is approached from above (i.e. as the reactor nears entry into MODE 2 from MODE 1). For both the 2003 and 2005 passive shutdowns, this degradation of Temperature-Reactivity feedback is what prevented the reactor from passively recovering from the temperature spikes which followed the turbine trips.

The traces on Figure 4 demonstrate the difficulties encountered in using the Intermediate Range Nuclear Instruments to monitor reactor power near the POAH with a high decay heat load. On October 21, 2003 and June 17, 2005 these difficulties significantly contributed to the operators' failure to notice the reactor becoming substantially subcritical and its power lowering below the POAH. That is, although the IRNIs had an accurate indication of the fission power generated in the reactor core, the operators failed to utilize them because the IRNIs cannot be easily correlated to units of "percent rated reactor power".

Note that it is not the position of this paper that any changes need to be made to the IRNIs.

Figures 4 and 7 have been included in this paper because they help explain how the crews failed to notice the passive shutdowns of the reactor and because it is hoped that a better understanding of the principles presented in the figures will improve the training of reactor operators.

R.A.2 Recommendation: Utilities should ensure their operating procedures take into account the effect a high decay heat load has on temperature-reactivity feedback. To ensure adequate temperature-reactivity feedback, if the reactor is to remain critical following a load reduction and removal of the turbine from service, then reactor fission power should be maintained at or above 10% rated power to ensure decay heat does not adversely affect temperature-reactivity feedback [.3..3., pp. 7-8].

A.3. COVER UP OF THE PASSIVE REACTOR SHUTDOWN BY THE CREW

It is not the position of this paper that the operators at Callaway Plant actively colluded to prevent the passive reactor shutdown from being reported (the 11:34 log entry concerning the energizing of the SRNIs is proof of this) and this paper does not intend to imply that any organized effort was undertaken to deceive either the plant's upper management or the Nuclear Regulatory Commission. However, it is the position of this paper that the operators each made a conscious decision not to report the event, were not forthcoming during their testimonies to the NRC Office of Investigations, and consciously misled the NRC investigators.

A.3.1 Providing Misleading Testimony: Transcripts of the operators' testimonies to the NRC are available through the United States' Freedom of Information Act (FOIA). Most of the information contained on Tables A.1 through A.5 comes from the operators' testimonies and from copies of the control room logs obtained via the FOIA. It was the assessment of the NRC [.6.] that none of the items listed on the tables prevented the operators from inserting the control banks during the 107 minute time frame from 10:18 to 12:05. Not only did these tasks not prevent the insertion of the control banks, but the fact that licensed operators were available to perform these tasks is an indication that there were personnel available who could (and should) have been assigned the task of inserting the control rods.

In addition to the tasks listed in the tables, the Control Room Supervisor authorized Instrumentation & Controls technicians (I&C) to perform several trip point and calibration checks on the Power Range Nuclear Instruments [Z, p. 19] [fi, pp. 66-67]. The Shift Manager listed these procedures as items which contributed to the 107 minute delay despite the fact that I&C was performing one of them while the control banks were being inserted (an indication that these procedures were not of such a distraction that the operators could not insert the control banks while they were being performed) and authorized one of them after the control banks were inserted (an indication these procedures did not need to be completed prior to inserting the control banks). Further analysis of this issue can be found in the 2010-09-17 letter to the NRC EDO [.ll., pp. 9-11 of §1.2.4].

The Shift Manager claimed [Z, pp. 17-18] that the biggest contributors to the delay in inserting the control banks were the two off-normal procedures which the crew was performing: Loss of Letdown (OTO-BG-00001) and Loss of Safety Related Instrument Bus (OTO-NN-00001). With regard to the Loss of Letdown, this procedure was exited at 10:18, so this procedure could not have contributed to the 107 minute delay from 10:18 to 12:07 (except for possibly a fraction of a minute between 10:18 and 10:19). However, the operators' focus upon this procedure did substantially contribute to them failing to recognize the reactor passively shutting down between 10:13 and 10:18.

With regard to the Loss of Safety Related Instrument Bus, this procedure was entered at 08:21 and all control room actions were completed by 08:33 (see items B & C of Table A.1), nearly two hours before the passive reactor shutdown. This procedure remained open until 11:37 because it required an Equipment Operator (all of whom were busy aligning steam plant equipment due to the forced de-rate and imminent plant shutdown) to verify that certain valves in the Auxiliary Feedwater system were in their correct alignment. This valve lineup was not completed until 11:34; however the NRC concluded that the fact that this valve lineup kept OTO-NN-00001 open until 11:37 in no way prevented the operators from inserting the control rods [Q, p. 4 of Enclosure]. Further analysis of this issue can be found in the 2010-09-17 letter to the NRC EDO [.ll., pp. 50-54].

A.3.2 Author's Analysis: Based on the issues mentioned in the preceding subsection, I consider much of the Shift Manager's April 1, 2008 testimony to the NRC Office of Investigations to be intentionally misleading. The Shift Manager intentionally misled the NRC OI because he had earlier stated in a Quality Assurance record [1Q., Action 5] [2.] that there was nothing inadvertent about the way the reactor was shut down on October 21, 2003 and that he was at all times aware of the status of the nuclear fission reaction. My professional analysis of the event is as follows:

A.3.2.A. Due to the confusion and distraction caused by (1) the loss of letdown, (2) the faulty turbine drain valve indications, (3) the continued 135Xe induced temperature transient, and (4) being below the Minimum Temperature for Criticality, the operators failed to recognize the reactor passively shutting down between 10:13 and 10:18.

A.3.2.B. When the operators completed the letdown system restoration at 10:18, they incorrectly assumed that the reactor was still critical and that Temperature-Reactivity feedback would maintain it critical. For that reason, the Reactor Operator was not assigned to actively insert the control banks but was instead assigned the routine task of placing an additional letdown orifice in service.

A.3.2.C. As the reactor transited below the POAH at 10:23 and transited to the source range, the operators mistook the stable 1.75% rated reactor power which was being indicated by the ΔT instruments as an indication that the reactor was still critical.

A.3.2.D. When the channel 2 SRNI automatically energized at 11:25 and caused Main Control Board alarm window 77E to annunciate, the operators first became aware that the reactor was no longer critical.

A.3.2.E. The Operations Manager was in the Main Control Room at this time [22] [2.], yet failed to (1) notify the Outage Control Center that the reactor was no longer critical, (2) ensure the crew promptly inserted the control rods, and (3) ensure the incident was documented with a condition report and convene an Event Review Team meeting (ERT).

A.3.2.F. Every licensed operator knew that the passive shutdown should be documented with a condition report, but each one also knew that documenting such an event would draw management's attention to their failure to adequately monitor and control reactivity.

A.3.2.G. Instead of giving the order to insert the control rods, the Control Room Supervisor merely continued doing the steps in the Reactor Shutdown procedure which aligned the steam plant for a shutdown lineup and prepared the containment building for personnel entry (steps which were procedurally allowed to be done after the steps for inserting the control rods). The Shift Manager failed to intervene and direct that the reactor be placed in a known safe condition by promptly inserting the control banks. Instead the crew, with no formal Shutdown Margin in place to demonstrate xenon levels were sufficient, informally relied on 135Xe to keep the reactor from inadvertently restarting.

A.3.2.H. At noon, the Shift Manager informed the Outage Control Center that the crew intended to shut down the reactor since repairs to inverter NN11 could not be accomplished by 13:21.

A.3.2.I. At 12:05 the reactor operators began inserting the main control rods. No one outside of the Main Control Room was aware that instead of using the control rods to actively shut down a critical reactor (as the Reactor Shutdown procedure assumes will be done) the control rods were being inserted into a reactor core that had passively shut down 107 minutes earlier and had been in the source range for the last 88 minutes.

Note that the above analysis is subjective; it is my professional analysis of the objective data (e.g. the plots of reactor plant critical parameter data, the sworn testimonies of the operators, the control room logs) and is open to interpretation. Obviously, what the operators' intentions and motivations were cannot be objectively shown; however, based upon my experience operating and working at reactor plants (including as a licensed Senior Reactor Operator at Callaway Plant), I believe that the operators' intentions can be inferred from the objective data and from the lack of a reasonable counter explanation provided by the crew members during their sworn testimonies.

One shortcoming in the above analysis is it assumes the Shift Manager was competent enough to recognize the importance of promptly inserting the control rods at 11:25.

Although I believe it extremely improbable that the Shift Manager did not recognize that he had a duty to ensure his crew inserted the control rods once they realized the reactor was in the source range with the control rods still at their critical rod heights, I must admit that it is possible. However, if the Shift Manager actually failed to recognize that informally relying on 135Xe is not an acceptable alternative to inserting the control banks (i.e. if the Shift Manager was honest during his April 2008 testimony) then it is evidence of gross negligence on the part of the Shift Manager and evidence of fatal flaws in the INPO and NRC processes that train and license operators.

A.3.3 Negligence and Dereliction of Duty: The determination of negligence versus dereliction of duty is not easy to make as it hinges on the intent of the individual. Although dereliction of duty might be legally difficult to prove, trained Nuclear Professionals can readily recognize it in instances involving all of the following:

A.3.3.A. The incident involved the violation of fundamentals so integral to safe reactor operation that it is difficult to grasp how they could be accidentally violated.

A.3.3.B. The incident involved an individual who was not only highly trained himself but who at times worked in a position to train others.

A.3.3.C. The individuals involved cannot provide reasonable explanations for their actions.

With regard to item A.3.3.C, in section A.3.1 it is argued that no reasonable explanation for the 107-minute delay in inserting the control banks has been offered by the utility.

With regard to item A.3.3.A, most Nuclear Professionals will recognize that the combination of the following conditions is adverse to the proper operation of a commercial pressurized water reactor plant (PWR):

A.3.3.A(1) The reactor known to be in the source range.

A.3.3.A(2) The control rods known to be at their critical rod heights.

A.3.3.A(3) No formal calculation performed to demonstrate 135Xe levels are adequate to prevent the reactor from inadvertently restarting.

A.3.3.A(4) Licensed reactor operators assigned to ancillary tasks (such as aligning ventilation for a containment mini-purge) and thus available to insert the control banks.

A.3.3.A(5) SROs prioritizing ancillary tasks over inserting the control banks.

Whether or not a given Nuclear Professional believes it is likely the above five items constitute dereliction of duty is based on whether or not the backgrounds of the SROs indicate they would have clearly recognized their duty.

Based on his background,33 the Shift Manager was well aware of his duties on October 21, 2003. That is, his decision to leave the control rods withdrawn from 11:25 to 12:05 and his decision to not document the passive reactor shutdown with a condition report were not mere errors in judgment.

Accusing an NRC-licensed Senior Reactor Operator of dereliction of duty is a serious accusation which should not be taken lightly. Yet nuclear professionals need to be willing to make such accusations when their analysis of the facts points towards it. It is absurd to believe that of the tens of thousands of NRC-licensed operators, there is not a fractional percentage willing to unethically conceal significant errors in order to protect their reputations. As a community, nuclear professionals cannot assume that all errors are honestly committed. When a reasonable interpretation of the facts points towards dishonesty, it should be investigated.

Readers are encouraged to review the references and submit a response to this paper. As mentioned, the above assessment is a subjective analysis of the facts. What the operators' true intentions were will likely never be known; the best that the nuclear community can do is arrive at a consensus of professional opinions.

The point of this paper is not to sully the reputations of any individual or organization but rather is to discuss the difficulty faced by nuclear organizations (e.g. utilities, industry consortiums, and government regulators) in responding to instances of unethical behavior.

33 Trainer at a Navy prototype and at Callaway Plant, SRO, STA, Navy RO, INPO Shift Manager course