Thursday, May 20, 2010

A Primer on Nuclear Safety: 1.4.3 Complexity and Three Mile Island

Supplemental View by Thomas H. Pigford

Introduction: As astonishing as it might seem, Thomas Pigford was the only member of the Three Mile Island Commission who knew anything at all about nuclear safety. Pigford was Professor of Nuclear Engineering and Chairman of the Department of Nuclear Engineering at the University of California, Berkeley. He had also worked in reactor research at ORNL. Considering the availability of such luminaries as Edward Teller and Alvin Weinberg, both of whom had a long commitment to nuclear safety, as well as deep insight into the problems, the scientific and technical weakness of the Three Mile Island Commission and its staff is nothing short of astonishing. We ought to consider the astonishing lack of nuclear safety knowledge on the Commission staff and among the Commissioners to be proof of the incompetence of President Jimmy Carter as President of the United States. It is clear from some of Pigford's comments in his oral history that some of the other Commissioners were nut cases. Russell Petersen wanted to eliminate nuclear power. Ted Taylor claimed to be doing research on solar heating of water that he believed would make all commercial power plants obsolete. He expected to have his invention ready before the Commission's report was complete. Middletown, Pennsylvania housewife Ann Trunk was sane, however.

Jimmy Carter appears to have paid little attention to the Commission's Report, did not ask any questions, and ignored their recommendations. Others, including reactor manufacturers, according to Pigford, were much more responsive.

Pigford noted the amateurishness of the Commission staff:
"The staff report relies to a considerable extent upon excerpts from a book authored by E. Rolph without establishing the author's qualifications. Ms. Rolph did not testify in this investigation. The undue reliance upon this secondary source, without first establishing a primary source for its support and without establishing its reliability, is a further example of insufficient balance in this part of the investigation."

"In my view, the Rolph book does not express a comprehensive, accurate, and balanced knowledge of the NRC and of the nuclear industry."

Pigford in effect noted the extent to which Rolph's unprofessional book influenced not only the staff report but also, through the staff, the Commission's report.

In his oral history Pigford does state that he was able to request the placement of specific individuals on his staff and indicated that he was satisfied with the staff he worked with.

Pigford correctly identifies that the problem at Three Mile Island lay not with the reactor system, but with the interplay between human judgement and what were relatively minor parts failures. Research on human judgement has demonstrated that the predictions of experts were less likely to correspond to outcomes than predictions simply based on actuarial data. This research was based on situations in which people were not stressed by constant alarms, as the Three Mile Island operators were.

Pigford also noted that the accident tested a major nuclear safety concept, "defense in depth." Not only did the "Defense in Depth" work, but the overall outcome was better than previous speculative assessments of nuclear accidents (for example WASH-1400) had anticipated.

Supplemental View (to the Three Mile Island Commission Report) by Thomas H. Pigford

I generally concur with the conclusions and recommendations of the President's Commission on the Accident at Three Mile Island. However, some of the principal results of this investigation need clarification and discussion. Among these are some that warrant immediate, but necessarily limited, comment.


The Commission has properly recognized that, with the very heavy emphasis upon equipment to attain reactor safety, there has been too little emphasis upon the adequacy of people to help achieve that safety. The lack of such people emphasis has been properly stressed in this report. However, that stress has now obscured the very important fact that, in spite of the very crucial errors of operators and supervisors at TMI-2, the safety equipment did indeed function. In spite of the open PORV, leaks in the vent gas system, and other equipment failures, the overall system of equipment was sufficiently good that, without the human errors, the accident at TMI-2 would have been only a minor accident.

The reactor containment and its auxiliary equipment did indeed function to protect the public. Except for the small fraction that escaped to the environment, the radioactivity was contained. The off-site radiation doses were small. We have found that the actual release of radioactivity to the atmosphere will have a negligible effect on the physical health of individuals. Equipment failures were not the proximate cause of the TMI-2 accident. The accident was, in fact, a demonstration that the equipment (?) effective.

Although there has been considerable speculation about how near TMI-2 came to a worse accident, our staff analyses show that even if all of the reactor fuel cladding had been oxidized to form hydrogen, or even if appreciable fuel melting or even a meltdown had occurred, the containment would still have survived and protected the public. The accident demonstrated that the "defense-in-depth" approach toward nuclear reactor safety has indeed yielded significant results.

The emphasis in this report upon equipment versus people obscures the fact that the equipment itself is only one product of the defense-in-depth or multiple-barrier design approach, which also encompasses the analysis of how equipment components must perform and how systems of equipment must operate. The accident demonstrated that this system of equipment performed better than expected. Earlier assumptions and studies by AEC/NRC (TID-14844 and WASH-1400) have suggested far greater core damage and greater releases of radioactivity from the fuel and into the containment under such degraded cooling conditions.

The accident also has demonstrated many areas wherein equipment modifications can result in further improvements in safety of existing and future reactors in this country.

These are important positive results from our investigation.


The nature of the people-related problems needs clarification. One such problem -- and a most serious one -- was the errors made by operators and operator-supervisors, whose training was insufficient in scope and understanding. Another was the failure of many individuals to respond adequately to the earlier experience from other reactors and to other advance information that might have alerted the operators and avoided the accident.

Another problem was the errors made by some NRC officials, who misinterpreted the release of radioactivity on March 30 and recommended evacuation, and who erroneously concluded on March 31 that the hydrogen bubble might explode. The public trauma from these mistakes resulted in severe but short-lived mental stress, which was evidently the only serious health effect of the accident.

Having identified the particular people problems involved, many of the necessary direct remedies are apparent. There seems to be some unwillingness to recognize that many of these remedies are already being implemented. The NRC and the nuclear industry have taken and are taking steps on a broad basis to analyze and rectify these problems, as evidenced by the post-TMI NRC bulletins and by the establishment of the utilities' Institute for Nuclear Power Operations (INPO) and the reinsurance program. After experiencing the shock and comprehending the cost of this accident, the nuclear industry clearly has set into motion programs to institute many of the remedies that this Commission seeks. The problem with "attitudes" emphasized in the Commission's report must refer largely to pre-TMI attitudes.

It is reasonable to expect that other such human-related problems, not uncovered by this investigation, may exist. That, and the need to instill and continue a strong emphasis upon reactor safety, suggest some of the broader institutional changes recommended in this study.


The limits of this investigation and the effect thereof upon the Commission conclusions and recommendations need clarification.

This investigation was limited to the accident at TMI-2, and possible variations thereto, and, to a limited extent, similar transients at other places. The many other aspects of reactor safety were not investigated, although we do recommend that these be more systematically studied. The facts of the present investigation provide no basis for concluding that reactors are unsafe. They also show that, although more emphasis is needed on the analysis and planning for small-break accidents, the possibility of an accident of this type was known and had been analyzed and predicted prior to the TMI-2 accident. Therefore, any conclusions as to new fears of reactor safety do not arise from, and imply large extrapolations from, the facts of this investigation.

This investigation has not included a study of reactor siting. Consideration of the calculated "low population zone" occurred only in our consideration of its implication on the specification of radiation doses for evacuation decisions. Therefore, proposals made by some Commissioners to reverse existing site approvals in favor of more remote sites have no justification within the facts of this study.

We have recognized in this investigation that decisions as to whether or not safety improvements are to be implemented must be based, in part upon a weighing of the costs against the benefits. However, we did not evaluate the costs of possible safety modifications, nor did we evaluate the probabilities of some of the large hypothetical releases that have been postulated by some Commissioners. Such proposals, and claims as to risks therefrom, have no basis within the facts of this investigation.

We have not investigated the availability, cost, overall safety, and environmental effects of nuclear energy and of other energy alternatives. Nor have we investigated the effect of various energy alternatives upon the nation's economy and security. We have not examined the effect of a speed-up or delay of nuclear power upon the many energy problems that affect the nation. Therefore, proposals by some Commissioners to impose sanctions that affect the availability of nuclear energy as an option are based upon their own personal extrapolations, which leap far beyond the facts of this investigation. The Commission, in its final consideration of the moratorium proposals, repudiated the issue by a vote of eight to four.


Through its investigation of the Nuclear Regulatory Commission, the Commission staff has uncovered problems and practices which have suggested extrapolations to those many parts of the nuclear industry not involved directly with the TMI-2 accident. However, little proof of the validity of these extrapolations has been established. Moreover, to my knowledge, no representatives of those other parts of the nuclear industry were interrogated or asked to present evidence on any of the relevant issues, except for one company interrogated within the narrow issue of the Beznau incident. This further limits the validity of the industry-wide extrapolations that are implied in many places in the report and that are implied in some of the moratorium recommendations still endorsed by some of the Commissioners.


The framing of the Commission's overall conclusion around the question of:

attitudes of the Nuclear Regulatory Commission and, to the extent that the institutions that we investigated are typical, of the nuclear industry . . .

requires comment and interpretation. "Attitudes," especially prior to TMI-2, were not directly examined, nor could they be. Valid conclusions can only be drawn on actions taken, i.e., problems addressed and not addressed, regulations issued and complied with, and the occurrence of events that reflect upon the adequacy of those processes. Even if attitudes could be assessed, it is not clear how they could be changed by any recommended rule, reorganization, or other mandated influence. It is more constructive to assume that attitudes are symptomatic of the forces at work in the systems, and it is those forces that must be addressed.

The actions already taken by the industry in setting up INPO, the Nuclear Safety Analysis Center, and the program of self-insurance against the cost of replacement power, with the self-policing actions thereby implied, signal a genuine, if somewhat belated, recognition of the need for greater effort to prevent nuclear accidents and to cope with their consequences. These actions show a significant change in industry attitude that can only be beneficial.

It becomes clear, as the theme of "attitudes" is developed in the Commission report, that what is of concern is an apparent failure of the system to incorporate an effective mechanism to assimilate lessons from plant experience and to incorporate the appropriate up-to-date technology, particularly as it applies to control room design, and to develop sufficiently trained and competent people to manage this technology. This is a more manageable and appropriate focus for the overall conclusion of this Commission.

I believe that such technology is being or will be used by the industry and that changes and improvements in design and operating procedure will be effected, not merely to satisfy critics nor to demonstrate attitudinal penitence, but on the basis of sound judgment resting on sound data.


In its Overview, the Commission acknowledges that it has not examined "how safe is safe enough or the broader question of nuclear versus other forms of energy," recognizing the complexity of the issue and the limitations of staff. However, the Commission soon leaps this hurdle and speaks of the "risks that are inherently associated with nuclear power", and it holds that "equipment can and should be improved to add further safety." Even the conclusion that "accidents as serious as TMI should not be allowed to occur in the future" may imply that an assessment of risk and safety has been made. This conclusion is more understandable if interpreted in terms of what was really serious about this accident.

The only serious health effect was the mental stress resulting from the confusion and public misunderstanding concerning the March 30 release and the March 31 hydrogen bubble. The financial loss to the utility and ultimately to the rate payer is also serious.

Every technology imposes a finite degree of risk upon society, both in its routine operation and in the occurrence of accidents. Over a long enough time period, even low probability accidents may occur. The essential question is the trade-off between the risks and the benefits. The Commission neither received any evidence nor reached any conclusions that the risks of nuclear power outweigh its benefits.


The NRC's assignment is indeed difficult, but not because of dichotomy of safety, on the one hand, and the industry's convenience, on the other. The problem is more complex. There is in each issue the element of how much cost, how many person years of expert analysis, and how much delay is justifiable to achieve an increment of safety. Seldom are these issues black and white, since the designers and engineers must recognize that absolute absence of risk in any project is unattainable, and that social costs accrue to both inaction and overreaction. Efforts to balance costs and benefits should not be considered evidence per se of a promotional philosophy.

It should be expected that industry will logically resist unwarranted changes proposed in the name of safety.


Finding A.10 may be misinterpreted as suggesting that, because of the experience at TMI, the generation of large amounts of hydrogen gas is an inevitable consequence of small-break LOCAs. This misinterpretation leads to the erroneous conclusion that NRC overemphasis on large-break LOCAs, at the expense of small breaks, is what left the TMI operators unprepared for the hydrogen produced during the accident, since significant amounts of hydrogen are not predicted in the typical analyses of large breaks. Such inference is without basis. Large-break analysis or any-break analysis will predict the generation of large amounts of hydrogen whenever the cooling water added to the reactor core from the emergency systems is reduced to the extent that was done at TMI-2.


Finding G.6 implies that, in the two-step licensing process (construction permit and operating license), safety may be compromised due to the large financial commitment prior to the operating license stage, with the implication that insufficient information is known at the construction permit stage for an in-depth safety review. A review of actual license applications will reveal that major safety features are sufficiently described at the construction permit stage. The issuance of an operating license several years later facilitates consideration of appropriate technological developments and feedback from operating plants which may be factored into the design toward the end of the construction period. Safety review in licensing is not a discrete two step process. There is, and should be, continuing dialogue between the NRC staff and the applicant during this interim period.

SINGLE-FAILURE CRITERION

Finding G.8.a that applicants "are not required to analyze what happens when two systems or components fail independently of each other" conveys some misunderstanding of the "single-failure" criterion. The requirement is that the applicant must show that applicable off-site radiation exposure limits will not be exceeded in the event of an accident initiated by:

a. any credible component failure, and in which

b. either all external or all internal power supply to the plant is lost, and

c. there is, in addition, failure of that single active component whose failure would most worsen the results of the accident.

Although confusingly called a "single-failure" criterion, it is clear that this criterion requires the assumption of at least three failures.

It is further required that if failure of one component causes failure of other components, the entire series of failures must be regarded as one failure. The single-failure criterion is applied on a system-by-system basis, which implies single-failure tolerance in each of the systems.


Finding G.5.b concerning NRC's handling of "safety-related" items needs clarification in several respects. First, the well-established practice of the NRC is to require that any component, system, or feature needed for the prevention or mitigation of a serious accident must meet documented requirements of quality, redundancy, testability, environmental qualifications, etc., and must be categorized as "safety-related." Although other components, systems, or features are classed as non-"safety related," they must meet requirements appropriate to their operational function. NRC practice is to subject all "safety-related" items to review. Additionally, non-"safety-related" items are reviewed by NRC to reassess their possible reclassification.

Second, in analyzing postulated accidents, one is not permitted to assume that an active non-"safety-related" item will be capable of performing its function. As a result, either an active item must meet "safety-related" requirements of quality, etc., or no credit can be taken for its functioning in an accident.

In the TMI-2 accident, it appears that the NRC's preoccupation with the "safety-related" item list was not the fault, but rather the safety analyses did not take into account the actual lack of training, the inadequate operating procedures and practices, and their potential capability for producing an accident if the PORV stuck open.

Finally, the NRC is in some degree responsible for the level of safety consciousness in the industry. In this sense, NRC's emphasis on "safety-related" categories has probably been less influential than its reluctance to give credit for safety innovations and its requirement that the industry comply with many technically unreasonable rules. These practices encourage the industry merely to comply with NRC rules.

With regard to finding G.8.C, it is not the reliance on "artificial categories of 'safety-related' items" which has caused NRC to miss important safety problems. Rather, it was the failure to recognize that some items not part of the safety system may challenge that system at an undesirable frequency. Moreover, the capability of the operators to defeat the safety system was not given sufficient attention. These important issues are apart from safety-system classification and the single-failure criterion.

PLANT INSTRUMENTATION

Finding G.5.f does not provide a balanced account of all the considerations identified by the Atomic Industrial Forum (AIF) in its 1978 response to an NRC proposal to institute a new guide requiring a wider range of response for in-plant instrumentation, nor does it recognize the seeming lack of technical basis for the NRC request.

The relevance to the TMI-2 accident of the AIF response is not clear, since the range of the in-plant instrumentation at TMI-2 was adequate for diagnosis and plant control during the accident. Instead, the problem during the TMI-2 accident was that only part of the range of the in-plant instrumentation was displayed to the operators, and the manner of display was in some ways inadequate. Additionally, the operators misinterpreted some instrument readings. However, a greater range of instrument response might have aided the later assessment of the core damage that occurred.


Finding G.8.h, that there is no systematic backfitting review on a plant-by-plant basis of operating plants and plants under construction, appears to take too little account of the NRC's Systematic Evaluation Program (SEP), initiated more than 3 years ago. Under this program, operating plants have been categorized by NRC, issues have been identified by NRC, and information about older plants has been supplied to NRC by the utilities. In a number of cases, physical modifications of operating plants have been made in order to comply with updated NRC requirements. In some areas, such as that of the upgrading of emergency plans cited in the Commission's report, progress does appear to have been somewhat slow.


In finding G.9.a and recommendation A.11.d, the recommended improvement of NRC's inspection and auditing of licensee compliance with regulations, and the need for major and unannounced on-site inspections of particular power plants, is logical. It calls for NRC to do more of what it already does and to do it better. In fact, NRC has, for over a year, stationed full-time inspectors at some operating nuclear power plants. At some plants, unannounced on-site inspections appear to be so frequent as to be commonplace.

The implication that NRC's I&E inspectors should do a substantial amount of independent testing of construction work and should place little reliance on work done by the utility is clearly impractical because of the enormous resources that would be required. Careful auditing of industry's testing is the only practicable and effective approach.


In addition to the fact that some of the existing TMI-2 procedures were unworkable, as indicated in the Commission's report, the procedures did not provide a step-by-step pathway for identifying the problem implied by the information available in the control room. Given the philosophy that the operators had to adhere closely to written procedures, the unavailability of diagnostic procedures and training in their use was a significant factor among the causes of the TMI-2 accident.


The Commission report has identified many mistakes by NRC personnel in their handling of the TMI-2 accident and deficiencies in NRC's regulatory practices. However, this criticism does not reach some essential elements of the problem. I believe that the following are some of the more important problems at NRC:

• Lack of quantified safety goals and objectives. When a safety concern is postulated, there is no yardstick to judge the adequacy of mitigating measures.

• Inability to set priorities and to allocate resources in proportion to the estimated risk to the public. In my view, a disproportionate effort is being required for some issues that have only a marginal impact upon risk to the public.

• Lack of experienced staff. An undesirably large proportion of NRC staff and management have little or no practical experience in designing or operating the equipment that they regulate.

• Arbitrary requirements. Too many of the NRC requirements are mandated without valid technical backup and value-impact analysis.

• A stifling adversary approach. The existing process inhibits the interchange of technical information between the NRC and industry. It discourages innovative engineering solutions.

• Ineffective evaluation of operations. NRC has no effective system for evaluating data from operating plants. Data should be analyzed systematically to identify trends and patterns.

• Lack of a comprehensive system approach to the whole plant. A large percentage of the NRC staff are specialists focusing upon narrow topics. There are relatively few systems engineers within NRC who can integrate individual safety features into an overall concept and who can place issues into perspective.

• An overwhelming emphasis on conservative models and assumptions. Realistic analyses are needed to identify the margins of safety and to aid competent decisions.


The tight schedule and deadline for the Commissioners' report has allowed little opportunity for careful review of the staff reports upon which our findings are to be based. Some staff reports are not yet completed. There are several parts of some key staff reports with which I cannot agree, particularly the staff report on the NRC.


The staff report on the Nuclear Regulatory Commission is a companion document published by the Commission. Some deficiencies in this report are already reflected in earlier comments on findings and conclusions concerning the NRC. Having reviewed that report in search for understanding for many of the findings and conclusions adopted by this Commission, I noted several deficiencies, varying from technical error to unbalance in the investigation. Two examples are given below.

Performance Characteristics of Large Light-Water Reactors

The staff report contains generalities by an NRC staff member, who seriously questioned the state of knowledge of the performance characteristics of the larger light-water reactors in this country, an opinion apparently also echoed by some other individuals within NRC. The cited statement was adopted by the authors of this staff report. However, the staff report reflects no attempt by the staff to obtain evidence from the nuclear industry on this issue, even though the various companies in the nuclear industry are the parties impugned by the cited statements.

Statements were recently obtained from Saul Levine, director of NRC's Office of Nuclear Regulatory Research, and from two different companies that design light-water reactors and that are not connected with the TMI-2 accident. It should not be construed from reference to "economy of scale" that the regulators were being asked to accept reduced safety margins. Rather, the growth was largely achieved by adding more fuel assemblies of the same or similar volumetric and linear power density, and by adding more heat transfer loops having the same mechanical and hydraulic characteristics as in the plants previously licensed. Saul Levine said, "as far as I know, there have been no size-dependent factors found in the operation of large reactors to affect the safety of the plants adversely." There appears no supportable suggestion that safety was compromised as a result of the extrapolation of technology.

The unqualified acceptance of the cited testimony in the staff report is an indicator of insufficient balance in this part of the investigation.

Reliance on Books and Magazines

The staff report relies to a considerable extent upon excerpts from a book authored by E. Rolph without establishing the author's qualifications. Ms. Rolph did not testify in this investigation. The undue reliance upon this secondary source, without first establishing a primary source for its support and without establishing its reliability, is a further example of insufficient balance in this part of the investigation.

In my view, the Rolph book does not express a comprehensive, accurate, and balanced knowledge of the NRC and of the nuclear industry.


The rather extensive criticism of NRC in the Commission report, and as implied in this supplementary statement, should not obscure the central issue that primary responsibility for nuclear safety lies with the utility, shared to a large extent with the equipment suppliers and the architect engineers. This also reflects my view of the responsibilities for the TMI-2 accident.

However, these criticisms of both the industry and the NRC should not obscure the fact that in 480 reactor years of commercial nuclear power operation in the United States, there has still been no identifiable effect upon the physical health of the public, and that this record has been achieved by the industry and NRC -- the parties that have been criticized -- and under the system that has been criticized.

It must be emphasized that nothing learned from this investigation suggests that the nuclear power option should be curtailed or abandoned as a result of the TMI-2 accident.

Thomas H. Pigford

October 25, 1979

A note on Thomas Pigford: Pigford spent 2 years in Oak Ridge in the early 1950's. He was the brother-in-law of my father's longtime neighbor and Oak Ridger newspaper editor Dick Smyser. He was involved in the ANP project. Pigford described memories of his Oak Ridge days, including some observations on the ANP project, in a UC Berkeley oral history.


Anonymous said...

Charles, I wonder if you could tell me a bit about the instrumentation systems used on these old reactors, and whether the 60's reactors still running have modernized their instrumentation and control systems. I've heard that CANDU's are still using ancient pneumatic control systems.

Opponents of Nuclear Power just don't realize the Quantum Leap in instrumentation & control that has happened in the past 20 years. I just can't believe how they could even run a reactor with that crappy, mechanical instrumentation and control systems they had in those days. I would expect that by now all operating reactors have upgraded to modern Distributed Control Systems, with redundant Processors, and dozens if not hundreds of LCD Operator Interface Workstations located throughout the plant, and even at a regional monitoring station. And of course deep trending on all variables of significance.

Charles Barton said...

Warren, The Presidential commission Report discusses flaws in instrumental panel design at Three Mile Island. I know that instrument panel problems played a key role in a major reactor accident in Canada in the early 1950's. The advent of mass-produced computers probably played a major role in changes in reactor instrumentation.

Anonymous said...

I just hope those automation reactor systems are not interconnected via the internet!


Charles Barton said...

Alil, they talk to each other by cell phones.

Friakel Wippans said...

... The advent of mass-produced computers probably played a major role in changes in reactor instrumentation. ...

Actually, not that much. The primary sensors and controls are still very much analog in US NPPs, the way they were designed in the 60s and 70s. Hence, miles and miles of cables in those plants, maintenance headaches and more and more problems to get spare electronic parts which are long obsolete and no longer manufactured.

The NRC is still very tentative about using computers for things that relate to safety functions in NPPs. Duke Energy and Areva just got the green light to upgrade the Oconee plant with fully digital I&C, the first time ever in the US that such a system receives its license, two months ago. US nuclear technology boldly enters the 1980s :-)

Not to blame the NRC, that huge technology lag is not completely specific to the US. Some of the delays on the Olkiluoto reactor in Finland come from the same issue. The regulator changed its mind and asked for the digital I&C to be doubled by an old-style analog system.

