Redundancy and the function of safety regulation
Redundancy is a standard practice in safety engineering. The idea is to provide multiple systems to do an important job, so when one fails, another can do the job safely until the problem can be addressed. A well-known example of a redundant system is the sets of lines that provide steering for aircraft. Modern design requires multiple cables or hydraulic lines, so steering is not lost in the event of failure.
In a nuclear power plant, all systems that can impact safety are supposed to have redundant backup systems. There are redundant backup power systems, redundant cooling systems, redundant instrumentation, and redundant alarm systems.
Redundancy does not mean having a second machine next to the first, but having backup systems that are not subject to the same conditions. At Fukushima Daiichi, the problem was not a lack of redundant equipment, but rather that the redundant systems were all vulnerable to the same problems. When a source of power was lost to flooding, the redundant backup systems were lost to the same flood waters.
A similar issue was discovered at the Maine Yankee plant. Redundant electric lines supplying power to safety equipment ran through the same space, so an event in that space that destroyed one line would almost certainly also destroy the other. Ultimately, this problem was one of the most important issues leading to the plant being closed, in 1997, the year after it last produced power.
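The Fukushima Daiichi and Maine Yankee cases above are both instances of what reliability engineers call common-cause failure: backups that share a hazard (the same flood water, the same cable tray) fail together. The following example, added here and not part of the original essay, uses the standard beta-factor model to show how quickly the benefit of redundancy evaporates as the fraction of each unit's failure probability attributable to a shared cause grows. The model, the function names and the sample numbers (a 1% per-unit failure probability on demand, two or three units) are illustrative assumptions, not plant data.

```python
"""Beta-factor model of common-cause failure in a redundant system.

Added example (not from the original essay). It models the point that
redundant backups only help when they are not exposed to the same
conditions: the larger the share of each unit's failure probability that
comes from a hazard common to all units, the less the redundancy buys.
The beta-factor model and the sample numbers are illustrative assumptions.
"""


def system_failure_probability(p: float, n: int, beta: float) -> float:
    """Probability that all n redundant units fail on demand.

    p    : per-unit failure probability on demand (total).
    n    : number of redundant units; any one surviving does the job.
    beta : fraction of p attributed to a cause shared by all units
           (0.0 = fully independent, 1.0 = every failure takes all units).

    Beta-factor model: each unit's failure probability is split into an
    independent part (1 - beta) * p and a common-cause part beta * p.
    The system fails if the common-cause event occurs, or if every unit
    fails independently.
    """
    if not 0.0 <= p <= 1.0 or not 0.0 <= beta <= 1.0 or n < 1:
        raise ValueError("p and beta must be in [0, 1]; n must be >= 1")
    p_common = beta * p
    p_independent = (1.0 - beta) * p
    all_fail_independently = p_independent ** n
    return 1.0 - (1.0 - p_common) * (1.0 - all_fail_independently)


def redundancy_benefit(p: float, n: int, beta: float) -> float:
    """Factor by which system failure is less likely than single-unit failure."""
    return p / system_failure_probability(p, n, beta)


def compare_layouts(p: float = 0.01, n: int = 2) -> dict:
    """Tabulate system failure probability for a few shared-hazard fractions."""
    return {beta: system_failure_probability(p, n, beta)
            for beta in (0.0, 0.1, 0.5, 1.0)}


if __name__ == "__main__":
    # Constructed sample: 1% per-unit failure probability, two redundant units.
    for beta, prob in compare_layouts().items():
        print(f"beta={beta:.1f}: P(system fails)={prob:.2e}, "
              f"benefit x{redundancy_benefit(0.01, 2, beta):.1f}")
```

With fully independent units (beta = 0) two units cut the failure probability from 1% to 0.01%, and three units to 0.0001%. With only a tenth of each unit's failure probability coming from a shared cause, three units are barely ten times better than one, because the common-cause term dominates; at beta = 1 the backups add nothing. This is the quantitative form of the essay's observation that redundancy means independence of conditions, not a second machine beside the first.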
The problem at Maine Yankee is an important case in point, however, because it illustrates another problem. The discovery in 1996 that the electric lines were badly routed followed a much earlier discovery of the same flaw. It had been reported by an NRC inspector named Peter Atherton, in 1978. His report led to the loss of his job and security clearance, but it did not improve safety and only provided an example to other NRC inspectors who might be inclined to do what they were ostensibly paid to do.
Ray Shadis’s short article on the issues at Maine Yankee, “Why Maine Yankee Cashed In,” is available on the NRC website. Peter Atherton is recognized for his report, but the report’s contents are not available.
Maine Yankee provides a clear record of a failure that did not kill anyone, but it did put a lot of people at risk. It was the same kind of risk that played out so tragically at Fukushima Daiichi. We cannot know how many people might have gotten sick or died from either, in the one case because the accident did not happen, and in the other because the record is not closed. But we do know that the cost of the Fukushima Disaster was high, and the cost of a Maine Yankee Disaster resulting from Atherton’s report going without action could also have been high.
According to the report on the Fukushima Disaster by the Japanese Parliament, the underlying cause of the disaster was collusion between government, regulators, and the industry. Given that collusion, sooner or later, something was going to go wrong, and the earthquake and tsunami were just the triggers of an event enabled by government and industry.
The problems at Maine Yankee, Fukushima Daiichi, and quite possibly all other nuclear power plants can be reduced by applying the standard safety engineering practice of redundancy. Redundancy does not merely apply to physical components of a system, but also to functions. The NRC provides the very important safety function of outside regulation. The problem is that the US Congress reserved all rights to radiological safety to the NRC, eliminating the possibility of redundancy of that function, which is required by safety practice. By preventing functional redundancy, and preventing others from filling the need for safety, the Federal Government is in violation of one of the most important fundamental principles of safety.
Officers of the NRC will doubtless say that its internal Office of the Inspector General provides for proper regulation of the agency. While I would not advocate giving up the OIG’s function, I cannot agree that it provides the function I am calling for. The OIG’s function is to correct problems that appear in the NRC, not to prevent them from happening in the field.
The NRC is notoriously a captive agency, operating according to the perceived needs of the industry it is supposed to be regulating. The NRC is doing precisely the same thing here that went wrong in Japan. And just as failure was guaranteed in Japan, it is guaranteed here.
We can do better. The function regulating safety in the nuclear industry is too important to allow it to be done by a single organization, without redundancy. We should see to it that redundancy is provided, not only in equipment, but in safety regulation.
While it is conceivable that the Federal Government can produce a truly independent second regulatory agency, it seems unlikely that this will ever happen effectively. It would be much more effective to allow a measure of authority over safety to each state. Part of the reason for this is that it makes separation of agencies more surely possible. Part of the reason is that it makes some of the regulators for nuclear plants more closely answerable to the people who live near those plants.
This kind of redundancy is already provided in other areas of government. The states have their own environmental laws, with agencies to enforce them. States also have their own occupational safety laws and inspectors. Even the function of the military has a redundant state complement in the National Guard.
We need to change the current Federal laws to allow states to assure the safety of their own citizens, since the Federal Government cannot provide for it. I would not claim this is an ideal solution, but it is better than nothing. I would not claim that it is an easily achievable solution, but it will get more support nationwide – worldwide – than Vermont trying to take on Federal preemption in the courts, and this might make it more achievable.