Severe Accident Mitigation: When Shouldn’t Generic Analyses Suffice?

The Nuclear Regulatory Commission performs and reviews a lot of risk assessments. The D.C. Circuit just upheld its choice to keep many of those in generic form regardless of NEPA’s “hard look” mandate.

This post explains and critiques the D.C. Circuit’s decision on Tuesday to affirm NRC’s refusal to require a licensee to perform updated “severe accident mitigation alternatives” (SAMA) analyses as part of its re-licensing package.  See Natural Resources Defense Council v. U.S. NRC, 2016 WL 1639661 (D.C. Cir. 2016).  SAMA analyses go to what is to be done in the event a reactor loses cooling capacity, melts down, and threatens the surrounding area with radiation.  Good planning ahead of time could, at least in theory, minimize losses.

The NEPA claim rejected on Tuesday, strikingly reminiscent of that heard in the NEPA classic, Limerick Ecology Action v. U.S. NRC, 869 F.2d 719 (3d Cir. 1989), was that NRC took inadequate notice of new and significant information in relicensing a nuclear generating station for 20 years.  The Natural Resources Defense Council (NRDC) alleged that that new, significant information should’ve necessitated updating the station’s 1989 accident mitigation analysis—but didn’t.

Indeed, these two NEPA claims stem from the very same root—Limerick Nuclear Power Generating Station—and arguably even from the same source of risk: Limerick’s boiling water reactors (BWR) and the many paths they can take to catastrophic failure.  As the diagram shows, spent fuel rods (in the spent fuel pool, or SFP) are usually stored in the same containment system as the reactor core itself, necessitating a lot of “active” cooling energy that, if lost, imperils the whole system. BWR Diagram

The Third Circuit’s opinion in Limerick Ecology is famous for having forced NRC to take a better look at its “generic” risk assessments and to be more careful that it wasn’t using generic analyses where site-specific assessment was needed.  Back then, it was the “severe accident mitigation design alternatives” that were allegedly too generic and a local citizens’ group argued they ought to be better tailored to Limerick’s circumstances.  Today, with the plant built, it’s about severe accident mitigation planning more generally.

Why Generic?  Why Specific?

Risks have a way of proliferating around things like nuclear reactors and knowing how to analyze them efficiently is more art than science.  For example, assuming a core melt event occurs—improbable and bad everywhere—how might a core melt event be especially bad?  Right near a maximum security prison?  Check.  Thirty miles from a major city?  Check.  But ‘check’ not just for Limerick with Philadelphia; also for Indian Point outside New York and Zion outside Chicago.  Does that mean one should prepare an analysis of those three? That’d be more generic than a Limerick-specific analysis, but clearly more specific than all generating stations using BWRs.  What about the differences in how these three cities are organized, defended from catastrophe generally, etc.?  And things also change once the plant is built and the planning has to be done by adapting to a changing environment.

In a rebuke that has never received its due for the acuity and clarity with which it attacked NRC in the 1980s, the Third Circuit had this to say about splitting the generic from the site-specific in assessing the risks of a core melt event:

[A]s a logical proposition, because risk equals the likelihood of an occurrence times the severity of the consequences . . . even assuming that all plants are of exactly equal design and construction, which they obviously are not, the risk will vary with the potential consequences.  Because the potential consequences will largely be the product of the location of the plant, the risk will vary tremendously across all plants.

Limerick Ecology, 869 F.2d at 738 (citations omitted).  The Third Circuit was especially attuned to the risk of a core melt event given the accident at Three Mile Island in 1979.  It continued in dicta that it doubted “that likelihood of occurrence is subject to . . . an across-the-board rule” either, id. at 739 n.23, although it left that possibility open for NRC.  Ironically, the court actually deferred to NRC’s refusal to weigh the risks of “sabotage,” a/k/a terrorism, at Limerick in its licensing proceeding.  Id. at 741-44.  Would it have been wrong to presume that terrorists would prefer to target reactors closest to our major cities?  Cf. id. at 754-60 (Scirica, J., dissenting).

Fast Forward: Limerick as BWR—Post-2011

For all those issues NRC deems “generic,” a “generic Environmental Impact Statement” is used to comply with NEPA § 102(2)(C) in license renewal proceedings.  That GEIS was prepared in 1996 and Exelon relied upon it heavily in meeting the NEPA requirements for its Limerick relicensing.

As the D.C. Circuit poignantly noted, though, “the profound human cost of [the Fukushima-Dai-Ichi meltdowns in March 2011] is a powerful reminder that these issues demand our most careful attention.”  NRDC, 2016 WL 1639661 at *8.  Our world differs today from the one where Limerick’s original SAMDA was approved and the GEIS was prepared not just in how that world has changed.  (For example, we now have things like the Internet.)

It also differs in what we know and how confident we are in that knowledge.  For example, we now know to a pretty high degree of confidence that the electrical systems wired into most U.S. reactors are shockingly susceptible to a kind of multi-modal failure, jeopardizing the whole cooling and containment systems along with them.  That’s at least high confidence to a group of seven NRC engineers who took the extraordinary step of petitioning NRC themselves to force immediate rehabilitation of those electrical systems.

Recall that all six of Fukushima’s reactors were BWRs with “Mark I” containment systems.  Many BWRs just like them were up for relicensing in the U.S. in 2011 when catastrophe struck.  Both Limerick units are BWRs with “Mark II” containment systems.  By 2012 NRC had ordered all Mark I and II systems be upgraded to guard against the specific failure that resulted in two Fukushima containment buildings exploding.  But that upgrade was more a function of a known failure pathway, not something cued to the context of a given unit or installation like Limerick.  Moreover, while a tsunami probably won’t be what disables Limerick’s backup power sources, an earthquake might—and seismic risk estimates have remained notoriously soft. (They grew even softer after an unexpected 5.8 magnitude quake not too far from Limerick in 2011.)

NRDC joined this relicensing proceeding for Limerick because, it believed, the plant lacked sufficient accident mitigation plans.  In their words,

[a] SAMA analysis is a comprehensive accident consequence and safety upgrade assessment required of nuclear plant operators by the NRC when they seek to re-license nuclear reactors. In a SAMA study, the benefits of a particular safety upgrade to mitigate the human health, economic and environmental impacts of a nuclear accident are weighed against the financial cost of the upgrade, and typically hundreds of potential safety upgrades are evaluated.  So far 18 SAMA studies have been conducted for the re-licensing applications of BWRs in the United States, and on average four and as many as 11 cost-beneficial safety upgrades have been identified at each plant.

NRDC’s claim, in a nutshell, was that without a Limerick-specific SAMA analysis there’s no way to know whether cost-effective upgrades had become either more feasible or more prudent since 1989.  And, at least on it’s face, that’s a pretty plausible claim.  (NRC also denied NRDC’s request for a hearing, so the claim remained undeveloped in the proceedings.)

When Risk Assessment Goes Wrong

It shocked many to learn—after the fact—that the Minerals Management Service never did take a NEPA “hard look” at the risk of a blowout in the deep waters of the Gulf where well control technologies were inherently compromised nor at the probabilities that once a blowout occurred, the well operator would be able to bring the well back under control.  For MMS had long generated NEPA documents by the ream: risk analyses at the programmatic level, the planning and operations level, and at the smallest tactical level.  At the pre-spill MMS, even the seemingly trivial required a notice to the agency, counter-notices to the operator, and the use of some standing categorical exclusion (CATX) wherever allowed.

Stale Data?

Stale Data?

What the National Commission on the Deepwater Horizon disaster found, however, was that the agency’s close attention to well control in deep water, especially in the deep waters of the Gulf where geologically unstable media like salt and sand predominate, never did meet up with the actual technology of well control then in wide use.  That MMS, with its many programmatic impact assessments of development more generally and microscopic assessments (of choices like whether drilling in one GPS location rather than another down slope a few meters made any relevant difference) didn’t earnestly assess the risks it was enabling became obvious—after the fact.  See Deep Water: The Gulf Oil Disaster and the Future of Offshore Drilling 81-83 (Jan. 2011).

NEPA is the original “alternatives analysis” requirement.  See 42 U.S.C. §§ 4332(2)(C), 4332(2)(E).  CEQ’s rules implementing § 102(2) require that agencies “shall insure the professional integrity, including scientific integrity, of the discussions and analyses” in any EIS, 40 C.F.R. § 1502.24, and that only “high quality” information be used.  Id. at § 1500.1(b).  Is NRC using generic risk assessment as a crutch?  Do stale data and outdated estimates prop up an already fiscally-stressed nuclear industry?

Ultimately, of course, the only check that such norms are followed is by courts hearing arguments that an EIS violates the rules or is in some sense “arbitrary.”  And the Supreme Court has made clear that the latter should be a relatively relaxed check in contexts like nuclear licensing.  See, e.g., Vermont Yankee Nuclear Power Corp. v. Natural Resources Defense Council, Inc., 435 U.S. 519 (1978); Baltimore Gas & Elec. Co. v. Natural Resources Defense Council, Inc., 462 U.S. 87 (1983).  Now might be the time to re-weigh that deference.  Risk assessment isn’t easy for generalist judges to judge.  But it is becoming imperative that they do so.

{Image: Limerick Generating Station, Wikipedia}

I teach environmental, natural resources, and administrative law at Penn State Law. Before teaching I was an enforcement lawyer at U.S. EPA. Along the way I've done work for environmental nonprofits and written a fair bit about NEPA.
No Comment

Leave a Reply