It was one of those days when the beach is living cloisonne. Luminous layers of smooth gold, dappled brown, and rippling indigo. San Onofre State Beach on a bright February afternoon. To the north of me, surfers bobbed between breakers. To the south, the beach curved away to infinity; it could be 1992 or 1492. But the nuclear generating station that loomed behind me — one of the most technologically advanced water heaters in the world — was a reminder that it was truly the end of the 20th Century.
Over the past 25 years, millions of people have driven by the three igloo-like containment buildings of the San Onofre nuclear power station on the road to Los Angeles or ridden by them on the train and, like me, felt the anxiety pangs about what could happen to the people, the beaches, the ocean, and the mountains if one of these babies blew. The question was again in my mind as I stood close enough to the plant to hear workers calling to each other inside. I headed back north through the concrete alleyway Edison was obliged to build for public access to the beach on both flanks of the power plant.
This is a trek through a Stalag-like gauntlet of alarm-rigged fencing, oppressive concrete walls, threatening signs, and stone-faced tower guards. A dead seagull, wings akimbo, was squished against the seawall. The smell of the rotting kelp dangling in the metal fence added spice to the creepiness.
At the other end, with the containment domes rising over their heads, two surf fishermen stowed their tackle and empty buckets after several hours of fruitless angling. Had they ever wondered about the possibility of a nuclear accident? “Sure, you think about it,” answered one, shooting a side-glance toward the domes. They both shrugged. “But what are you gonna do? If it happens, a lot of us aren’t gonna be around long enough to worry about it.”
What are you gonna do? It’s not really an inquiry, it’s an expression of helplessness, a surrender to superior forces. The last time the NRC ordered an estimate of how much damage would result from a major accident at San Onofre, the figures were unspeakable: 27,800 people would die within one year, people within 35 miles of the plant could be injured, and the financial consequences could reach as high as $186 billion, in 1980 dollars.
The man’s remark brought to mind a comment that Admiral Hyman Rickover once made. Rickover, the father of the nuclear Navy and the man who directed the construction of the nation’s first nuclear power plant, was reflecting on the interplay of science and humanity. “Science, being pure thought, harms no one,” he said. “But technology is action, and often potentially dangerous action. Unless it is made to adapt itself to human interests, values, and principles, more harm will be done than good. Never before in all his long life on earth has man possessed such enormous power to injure himself, his human fellows, and his society as has been put into his hands by modern technology.” What are you gonna do?
One thing you can do is try to discover how well the plants are run — a seemingly simple task — and then make a rational decision about the risk of living nearby. It’s not that information about the plant’s operation isn’t available. Every time an unusual or unexpected event occurs inside any nuclear generating station, the utility must file a Licensee Event Report with the federal Nuclear Regulatory Commission. And the reports are public record. But to understand what really goes on inside San Onofre’s three reactors, it’s necessary to dig through reams of tedious and opaque technospeak.
The complexity of the reports is a kind of shield against prying eyes. Because nuclear power was linked to the development of nuclear weapons in the Atomic Energy Act of 1954, secrecy has been a high priority infecting nuclear utilities. And anyone reading through such reports from San Onofre can understand why Southern California Edison, principal owner of the plant (San Diego Gas & Electric owns 20 percent), does not circulate them through the press to the general public.
Last October I requested from the NRC the summary listing of all event reports filed by San Onofre during the years 1989, 1990, and 1991. It turned out to be more than 80 pages long — a total of 180 events for all three reactors, Units 1, 2, and 3. The list summarizes each event in a few words, and even without a brush-up course in nuclear engineering, I could see that many of the incidents seemed significant. A discomforting number of the synopses included the phrase “Due to personnel error....”
Others were equally disturbing: “Discovered wiring error... Debris found in steam generators...Safety injection tank became inoperable...Auxiliary feedwater pump inoperable due to misassembly...Pipe wall thinning caused by erosion-corrosion processes...Fuel rod control system declared inoperable...Noticed that approximately 9000 gallons drained from spent fuel pool into reactor cavity...” and “Discovered that path permitting free flow of air from inside to outside containment existed; caused by negligence on part of control room operators." No open pathway should exist between a containment structure and the outside air. This particular leak existed in the Unit 2 containment building for ten days during September of 1989 before anyone discovered it.
The printout indicated recurring problems with the handling of radioactive fuel, electrical system breakdowns traceable to bypasses and jumpers inadvertently left in place, numerous accidental actuations of building-isolation systems, and repeated discoveries of Unit 1 design weaknesses. The material did not make for good bedtime reading.
I then requested from the NRC 85 complete Licensee Event Reports for San Onofre. I wanted to see if it was possible, with the help of some consulting specialists, to understand exactly what goes on inside the three reactor units and how this science-turned-technology really affects us in San Diego.
The safe production of electrical power from nuclear fission depends on maintaining the integrity of a gigantic and bogglingly complicated plumbing system. The heart of the system is a steel chamber called a reactor vessel, which is about 40 feet high and 12 feet in diameter. It contains uranium oxide pellets jacketed inside several thousand fuel rods. These rods are submerged in the reactor’s primary cooling water. Neutrons split from the radioactive fuel and collide with other uranium atoms, setting off a chain reaction that produces tremendous amounts of heat. The now-radioactive primary cooling water reaches about 550 degrees and is kept under 2200 pounds of pressure.
This primary water is routed through pipes and into thousands of smaller tubes inside a steam generator. Like the fuel rods in the reactor, the tubes are also submerged in water in the steam vessel. Heat from the tubes is transferred to this secondary cooling water, turning the secondary water to steam. The radioactive primary water circulates back into the core to be heated again, while the steam is routed through more pipes to a conventional turbine. The turbine blades spin an electrical generator, which produces electricity.
After exiting the turbine, the steam courses through a condenser, where it is cooled with sea water, converted back to a liquid, and recirculated into the steam generator to be reheated again by the tubes of primary water from the reactor core.
Broadly speaking, potential problems with the system fall into two categories: radiation contamination caused by leaks between two systems (primary water from the reactor core coming in contact with secondary cooling water, for instance) or a buildup of heat in the reactor core caused by a pipe break in the cooling-water circulation system. Because of the tremendous heat generated in the system, any break in a cooling-water line could result in a so-called loss-of-cooling accident. This could cause an overheating of the radioactive fuel, which could then melt the reactor vessel and the concrete foundation of the containment structure and probably end in a steam explosion as the melting fuel vaporized the underground water table.
But the power station has automatic safeguard systems that are intended to short-circuit this process in the event of a loss-of-cooling accident. Water containing boric acid would be injected into the reactor core to stop the nuclear fission process. A backup supply of water would be pumped into the secondary system to replace the water lost through the escaping steam and to continue the process of cooling the reactor.
To guard against the release of radioactive debris from a loss-of-cooling accident or other event, a concrete containment structure with four-foot-thick walls surrounds each of the reactors. In an accident, radioactivity is supposed to be trapped inside these buildings. The control room, where workers control the plant’s operations, is protected by an isolation system intended to keep the engineers and technicians safe.
One quick word on radiation. It is known to induce all forms of human cancer. And the latest studies have shown that very small exposures, contrary to what was believed for the past 40 years, may be just as dangerous as very high doses. Some scientists think there is no “safe" threshold of radiation exposure. San Onofre, like all nuclear power plants, does emit “legal” levels of radiation. Government and industry spokesmen continually claim that people receive much higher doses from such sources as cosmic rays, rocks, nuclear weapons fallout, and even cigarette smoke.
Nuclear engineers and industry flaks have claimed for years that safety backup systems make infinitesimally remote the chance of a serious accident, with never any question that these backup systems will work. But experts also believed the Maginot Line and the Titanic were failsafe. And only weeks ago, the main sewer pipe funneling the region’s sewage off Pt. Loma broke; one of the inspectors who had helped build it in 1963 once told me he expected the pipe to function perfectly for 1000 years — a prediction that fell short by 9.71 centuries.
For four months I studied the dozens of Licensee Event Reports (LERs) with increasing gloominess. Take, for instance, one report from December of 1988. It states that a design review of the Unit 1 reactor, which was shut down at the time, revealed that between 1976 and mid-1988, most of Unit 1’s backup safety systems possibly would not have worked. Specifically, if a break had occurred in one of the reactor’s major steam lines, it could have knocked out the electrical system that supplies power to the emergency backup system. Worse yet, the report says that San Onofre engineers were unaware of this dangerous design flaw for 12 years.
This LER was dutifully submitted to the NRC, which then filed it away. Theoretically, the public was informed, since the reports are available through the NRC’s public documents room, but how many people have the time or ability to read and understand them?
And consider this paragraph explaining one of the root causes of Unit 1’s backup system design problems:
- Opportunities to detect the errors were missed due to an absence on the part of the individuals involved to critically question the assumptions employed, input received, methodology used, or results achieved. Although successful in some organizations, management efforts to develop a questioning attitude have not been fully effective. This may have resulted, in part, from a lack of formal management statement on this issue.
Two other NRC documents supplied records of fines imposed by the federal government against the San Onofre power plants in the 1980s. Some of the fines grew out of incidents reported in LERs, others were the result of surprise inspections by NRC staffers. Last week the NRC imposed a $50,000 fine against Edison for allowing a fire-extinguishing system to remain broken for two years. Between 1981 and January 1991, San Onofre drew 11 fines totaling $1,275,000. The violations included the exposure of several dozen contract laborers to excessive levels of radiation, crucial safety equipment allowed to remain broken and out of service for eight weeks, and personnel errors and bad management controls that led to breakdowns in emergency systems.
In 1987 a $100,000 fine was imposed after plant workers inadvertently carried highly radioactive particles, called “fleas,” offsite. These particles were produced in Units 2 and 3 by a batch of faulty uranium fuel. Fleas were a problem in at least 16 nuclear power plants around the country in 1985. Just how many of them made their way into public places remains unknown.
Two violation notices received from the NRC were typical of what was beginning to look like congenital sloppiness at San Onofre. The first involved a $50,000 fine imposed in December of 1985 for an “unauthorized and improper repair” of a piece of important safety equipment, and a “failure to identify, report, document, and correct” deficiencies in the equipment. Workers had noticed some mysterious debris collecting in the oil-sight glass of one of Unit 1’s backup cooling-water pumps. Instead of hewing to proper repair procedures by determining the source of the debris and fixing the problem, a maintenance supervisor repaired the sight glass in an unauthorized manner, causing a failure of the pump when it was later called into operation.
In the second incident, when the supply of water to the steam generators became blocked on November 21, 1985, five check valves failed to close. The valves are part of a system designed to deliver emergency backup cooling water to the steam generators. But when plant operators used another means to restore flow to the generators, the water rushed in under such pressure that a “water hammer” moved the pipes, causing four of the pipe supports to break. Had the pipes themselves ruptured, the escape of cooling water would have brought on a serious loss-of-cooling accident.
The NRC ascribes a severity level to violations of plant procedures, with five being the least severe and one being the most severe. The problem that resulted in the water hammer in Unit 1 was given a severity level of two, and the utility was fined $180,000.
One worrying aspect of San Onofre’s record of fines was the contrast between the company’s assertions that the plant’s problems were being aggressively corrected and the fact that similar breakdowns kept occurring. Just one example: In 1984 the NRC proposed a $250,000 fine — later reduced by half — for weak management actions that led to Unit 3 going to full power while one of its primary safety systems was inoperable. A series of valves had been incorrectly positioned for 13 days, and operators missed many opportunities to detect the problem. The NRC ultimately reduced the proposed fine because of the way utility executives responded and moved to improve their procedures once the problem was revealed.
But seven years later, in January of 1991, San Onofre received a $150,000 fine for, among other things, its managers being unaware that an emergency backup water supply pump in Unit 2 had been incapable of functioning for 55 days.
At the same time, in Unit 3, valves were misaligned, which put a major safety system out of order for four days while the reactor operated at full power. This was the same safety system that had been out of order when Unit 3 was pushed to full power in 1984, prompting the earlier fine. But the situation was even worse this time. Unit 3 was also found to be operating while the containment building had an open flow path to the outside atmosphere. This is a major violation of safety standards since, in the event of a serious accident, radioactive particles could have escaped into the air.
To better understand the patterns of breakdowns and mishaps, and to get a sense of whether these event reports were really as alarming as they first appeared, the Reader retained the services of experts to analyze the computer listing of incident summaries. MHB Technical Associates of San Jose, which was founded in 1976 by three engineers who resigned from General Electric over nuclear power safety issues, agreed to review the summaries and make some general observations. When I mentioned MHB’s name to Dave Barron, spokesman for Southern California Edison, he blurted, “They’re anti-nuke!”
Greg Minor, the M of MHB, chuckled at this response. “Some industry people see an anti-nuke under every rock,” he declared. “The common argument at the time we left GE was that we were out to shut down the industry, but we were really out to make it safer.” Minor took two weeks last fall to go through the synopses of San Onofre’s incident reports, categorizing the mishaps according to the information reported by Edison. He did not review the LERs themselves, which are highly detailed discussions of the causes and corrections of any unplanned occurrence related to nuclear safety.
Minor divided the incidents into seven categories: problems with fire equipment; inadvertent actuation of safety or control systems; violations of plant procedures; design errors or breakdowns in design control; personnel or procedure error; electrical problems; and equipment failure. Minor assigned a principal cause to each event, one or more contributing factors, and noted whether or not the event had safety implications.
For example, Minor observed that an incident involving Unit 2 being operated at greater than 102 percent power for various periods of time raised questions of safety, that its principal cause was equipment failure, but errors in design control and personnel errors also contributed to the problem. According to Minor, the corrosion that had built up in sensors used to calculate the power level “is a degradation problem that will probably show up in other ways over time."
MHB’s overall analysis found that, of Unit 1’s 78 incident reports, one-third were attributable to design errors or breakdowns in design control. “Many of them are related to design or analysis errors made in the 1970s but now being discovered." One of those incidents was the electrical wiring design flaw in Unit 1's backup safety systems that had gone undetected for 12 years. Minor observed that “it makes you wonder how safe [the plant] was in the past, before these problems were discovered.”
Human error, a wild card that usually exacerbates accidents in nuclear power plants, was found by Minor to be the principal cause of 16 percent of Unit 1’s incidents. However, 46 percent of Unit 1’s reportable events contained personnel error as a contributing factor. Unit 2 reported 72 events in the last three years, and Minor found 17 percent of them caused by human error, with another 33 percent containing human error as a contributing factor. Unit 3 reported 33 events, one-fourth of which were caused by human error.
Minor stressed that his findings were based on brief summaries of the events, not upon his inspection of the reports themselves. “As an overview, it seems the units get worse with age,” he stated. “The newest [Unit 3, which began operation in 1983] is the best from an LER standpoint; Unit 2 [on-line in 1981] shows operations problems and some equipment problems; and Unit 1 [1967] seems to be having difficulty meeting some of its own design criteria.”
I sent Minor’s data and his comments to Edison for a response. After circulating the material to San Onofre engineers, Edison spokesman Dave Barron had several comments. He said the number of incident reports for all three units had been declining for the last several years, “which is representative of general improvement in plant performance." Barron also stated that “a lot of reportable occurrences do not represent a safety significance” and that Edison, along with the rest of the industry, has paid special attention to eliminating personnel errors. Formal training and a human performance enhancement system are designed to reduce the incidence of human error, Barron explained. He said that the percentages of human error, as well as the proportion of equipment breakdowns identified by Minor, are about what Edison would expect to see if it undertook its own analysis of the reports.
As for the design-related problems, they were partly the result of the fact that San Onofre’s engineering support formerly was based in a department that also supervised engineering for other, nonnuclear branches of Southern California Edison. Under pressure from the NRC, that setup changed three years ago so that an internal Nuclear Engineering and Design Organization now is dedicated solely to San Onofre.
Whether San Onofre will be safely operated in the future is an open question; judging by how it has operated in the past, as recorded in its incident reports, a reasonable person could be skeptical.
In my four-month study of the plant’s LERs, I was surprised to learn that there is such a high degree of human interaction with the workings of the plant. From the control room operators down to the lab technicians who handle samples of the plant’s effluent, people have many opportunities to screw things up.
One of the most vulnerable times for a reactor also turns out to be a period when people are most intimately involved with its functioning. This is when the reactors are “tripped” — a term used to describe a minor emergency in which control rods are dropped into the core to halt the nuclear chain reaction — which happens fairly often. Over the past three years, there have been at least 17 such trips in all three reactors combined. Some were triggered automatically by breakdowns in electrical equipment or when, for some reason that engineers still do not understand, a bank of control rods suddenly fell into Unit 1’s reactor core in September of 1989.
Other trips were instituted by control room operators for various reasons, including a misinterpretation of sensor readings as well as in reaction to an alarm warning of a reduction in the cooling-water level of a steam generator. The problem with reactor trips, according to nuclear experts, is that human interaction with the power plant’s equipment is at its highest level, both in shutting down the reactor as well as in the subsequent start-up. And the more human interaction, the greater chance there is for human error.
Granted, I reviewed only the records of problems and mistakes, not the records of the innumerable times a technician or engineer did something right or prevented a catastrophe. But some of the human errors recounted in the event reports were very disheartening. Twice technicians pushed buttons they shouldn’t have, in May of 1989 and in July of 1991, resulting in the actuation of a system that isolates the control room for Units 2 and 3. This system is designed to protect the operators from radiation and allow them to continue their jobs in the event of a major accident. Apart from the inadvisability of exercising such backup systems too many times, the fact that operators have the opportunity to push the wrong button gave me pause.
Another revelation was even more disturbing. During periods throughout the 1980s, plant operators were not certain at what power level Units 2 and 3 were operating. Because of faulty sensors, the reactors were pushed to 103 percent power for weeks at a time in 1983, 1984, 1987, and 1988, while engineers thought the reactors were at or below 100 percent power. This is like over-revving a car’s engine while the tachometer needle gives safe readings.
Although the event reports almost always claim that there is no safety significance to these incidents, the cumulative effect of reading about so many little mistakes is disillusionment. This feeling turns to aggravated alarm when Edison defends the quality of work that turns out years later to be faulty and even dangerous. A 1989 report on Unit 1’s steam generators perfectly illustrates this corporate overconfidence.
In 1981 Edison undertook a $67 million repair job on the reactor’s leaky steam generators, and many of the people recruited to perform the work on the highly radioactive equipment turned out to be derelicts, drug addicts, and street drunks. I had spoken personally with some of these men, and the NRC had taken testimony from them before issuing the company a $50,000 fine for exposing the workers to illegal levels of radiation. At the time, the laborers had claimed that they were forced to perform work that even they recognized was shoddy. But Edison insisted that the repairs had been inspected, and the steam generators were declared fixed.
The integrity of the 3500 tubes inside each of Unit 1’s three steam generators is crucial. Leaks in the tubes cause radioactive water to escape into the secondary system, which has numerous vents and valves that allow the water to leave the system and pass into the outside atmosphere. It is of supreme importance that leakage inside the steam generators be kept to an absolute minimum.
The 1980-81 repair job consisted of forcing metal sleeves up inside the leaking tubes. Many of the workers complained about not having the proper tools to do the work and criticized engineers for using trial-and-error methods in attempting to complete the difficult task. Edison contradicted their testimony with extensive test data; and who was going to believe a bunch of itinerants going up against the expert testimony of credentialed engineers?
The event report states that on December 12, 1988, with Unit 1 in cold shutdown, it was determined that the structural integrity of at least 156 of the sleeved steam generator tubes did not meet the plant’s design requirements. The unacceptable tubes, which could have come apart during an accident or a water hammer, had been faulty for seven years — since the repair job of 1980-81. The report indicated that the inspection program that certified the tubes in 1981 was flawed.
The report states that when the reactor started up again in August of 1981, leakage was detected in one of the newly fixed steam generators. When the reactor was shut down again, three tubes were found to be leaking and were plugged. Records showed that these three tubes had been tested and certified to be in good condition after the repair job. When the reactor was started up the second time, more leakage was detected, but this was deemed acceptable.
By the time the reactor was shut down in February of 1988, the leakage rate had reached 70 gallons a day from the radioactive primary system into the secondary system. Nineteen sleeved tubes were found to be leaking, 13 of which had satisfied the 1981 testing program. Edison discovered that the other six tubes hadn’t passed the test in 1981 but were certified anyway.
A new evaluation of the 1981 test data found that 156 of the sleeved tubes had not been repaired correctly. And the microfilm records of those tubes were missing from the files kept by Westinghouse, which had supervised the repair. Edison finally plugged all 156 tubes.
What other testing programs, defended by Edison, will turn out to be flawed? What other gauges are giving false readings? What other design problems will turn up, and will they be discovered before a major accident happens? In the end, I was left with only two choices: either take Edison’s word that the design of the reactors is inherently safe and the backup safety systems will work or believe what the incident reports imply. Their message is that much of what goes haywire at San Onofre is unanticipated, and the plant’s workings are so complicated that few, if any, of its overseers truly understand it all. This lack of understanding of the overall plant design by operators was a problem linking the major accidents at Three Mile Island and at Chernobyl. The true story is in the event reports, not the assurances of industry proponents, and it is the eternal one of human botchery.
No new nuclear power plant has been ordered in the United States since 1978. California had four nuclear generating stations in 1976 but has only two today. Owners of the Humboldt Bay plant unplugged it rather than add expensive earthquake upgrades in 1976, and poorly engineered Rancho Seco was closed down by Sacramento voters in 1989. Diablo Canyon and San Onofre are the last of California’s nuclear Mohicans, and Edison recently agreed to shut down Unit 1 by mid-1993. That’s a relief, but from now on when I go to Los Angeles, I’m taking the inland route up I-15.