5 Are Terrorists as Dangerous as Management?
The Nuclear Plant Threat

Nuclear plants in the United States present two sources of cataclysmic danger. One is stored nuclear waste products, planned for Yucca Flats in Nevada, which threaten to contaminate vital water supplies. Given the fearsome predictions associated with global warming, the area may be unsuitable for agriculture in one hundred years anyway. More fearsome in immediate terms is the release of radiation from one of our 103 operating plants because of natural disasters, industrial accidents, or terrorist attacks. Tens of thousands of people might die and land equivalent to half of Pennsylvania become uninhabitable. Terrorists could do this right now with simple weapons. An industrial accident could do it; we have come very close to meltdowns several times in the last three decades. Most likely, the top management in the utility companies and in the plants could bring it about through neglect of maintenance and safety rules, sometimes willful neglect. Two themes will by now be familiar: the failure of regulation in an age of privatization and the downsizing of government; and the inevitable, prosaic failure of organizations. A new one makes its appearance here: industrial concentration. We will examine it in this and the next two chapters. In the case of nuclear power plants, I argue that the willful neglect of safety suggested in two case studies and documented in a third is the result of the consolidation of the electric power industry, magnifying the vulnerability of the bottom line. We cannot expect to downsize or deconcentrate the nuclear power plant itself, but we can do a great deal to make it much safer through better regulation and industry deconcentration. Much safer nuclear power plants can perhaps be built, but I am concerned with the ones operating now, most of which are receiving authorization to extend their plant life by twenty to thirty years.

TERRORISM AND NUCLEAR PLANT SAFETY

In 2000, in St. Petersburg, Florida, the leader of a cell of the Southeastern States Alliance, a radical antigovernment group, was arrested and charged with possessing a cache of arms and planning to take out the nearby Crystal River nuclear plant with a “strike team” of thirty confederates. Presumably he was a domestic terrorist; his motives were unclear but his plan was simple and could have worked. The team planned to use explosives to disable the power grid that fed power to the plant. It is not comforting to learn that the explosives were found to have been stolen from the National Guard armory, where the leader was a regimental commander. (Leisner 2000)

Emergency power at nuclear plants is provided by diesel generators (which have a long history of failing to start and other problems). Clearly visible in some plants, these generators could be taken out with grenades. Or, a hurricane could do the work of the terrorists’ dynamite and take out the power, and the storm could easily render the emergency generators inoperative as well. Or there could be a simple power failure. New York State’s Nine Mile Point Nuclear Station had a sudden power failure in 1996, knocking out vital instruments and warning lights. The backup power generators also failed, and operators were unable to monitor the reactor core for twenty chilling minutes. It was, a state commissioner said, like going seventy miles an hour down a road at night and losing your speedometer, dashboard lights, and headlights. He did not mention that vastly more people were at risk than those in the car. (Staff 1991a)

Disrupting the power supply of the plant is not even necessary if one knows about safety equipment at the plants, which could be gleaned from the diagrams found in Al Qaeda caves in Afghanistan. According to U.S. intelligence, there was “pretty convincing evidence” that Al Qaeda operatives had been “casing” U.S. nuclear plants before the September 11 attacks. (Borenstein 2002; Sagan 2003) U.S. intelligence agencies issued a warning in January 2002 of a potential attack on U.S. nuclear plants and government nuclear facilities. (Gertz 2002) As a U.S. News & World Report story notes, the water supply system needed to cool the reactor core, the emergency generators, and vital controls essential to the plant’s safety are all within easy reach of an attacker who does not even have to enter the plant’s perimeter. Our government’s Sandia Laboratories speculates that a truck bomb outside the (thin) gate could produce catastrophic radiation releases. (Pasternak 2001) Nor are the doors locked. Scott Sagan, in his detailed account of security failures, quotes news accounts to the effect, for example, that it took the Department of Energy (DOE) thirty-five months to write a work order to replace broken locks at a weapons lab facility and forty-five months to correct a broken doorknob that was sticking open and allowing access to sensitive sites. (Sagan 2003) Nor is the White House Office of Management and Budget very cooperative: the DOE requested $138 million in emergency funds to improve the security of weapons and radioactive wastes soon after 9/11, but the OMB rejected 93 percent of the funds. (Sagan 2003)

The spent-fuel storage pools are a particularly attractive target. At one-third of our plants, the pools of frigid water holding the highly radioactive spent fuel rods are outside the main building and vulnerable. If they are not continually cooled, the water will boil off in a matter of two to five days and the radioactive rods will go off like sparklers on the Fourth of July, potentially spreading more radiation than a core meltdown might. The spent-fuel storage pools need outside power to keep cool if the plant fails; the most immediate sources are the emergency diesel generators, but those will run out of fuel in a few hours. If the reactor is leaking radioactive particles, no one could get close enough to refuel the generators. An accident, a terrorist attack, or a severe weather impact could prevent power coming in from the electric power grid. Even without a shutdown of the reactor, a suitcase bomb could disable controls or rupture water supply pipes; a large suitcase bomb could blow a hole in the side of the huge pool, causing the cooling water to disappear, and radioactive releases would begin almost immediately. The highly respected Robert Alverez writes in the Bulletin of Atomic Scientists that this is the single most fearsome vulnerability of nuclear plants. (Alverez 2002) A panel of the National Academy of Sciences is equally worried. (Wald 2005b)

In 2001, the nuclear industry was not worried about the vulnerability of nuclear plants to terrorist attacks. Indeed, a spokesperson for the industry’s trade group, the Nuclear Industry Institute, said, “We believe the plants are overly defended at a level that is not at all commensurate with the risk.” (Alverez 2002, 44) However, overly defended or not, there have been attempted attacks in the United States and other nations. In 2000, Japanese police arrested a man with seven pipe bombs who was planning to blow up a uranium-processing plant; in September 2000, a group planning to sabotage the functioning reactor at Chernobyl was apprehended. In the United States, there were at least thirty threats against nuclear plants between 1978 and 2000. In 1989, four members of the radical environmental movement, Earth First, were charged with conspiring to disable three of the four power lines leading to the Palo Verde nuclear power stations in Arizona. (Wald 2001)

Of course, since all these attempts failed, one might say the plants are “overly defended,” as the industry did. Apparently the Nuclear Regulatory Commission (NRC) agreed, because in the fall of 2001, it introduced a new program that reduced federal oversight of security and allowed the power companies to design their own security exercises, despite reviews that found, in 2000, “alarms and video camera surveillance cameras that don’t work, guards who can’t operate their weapons, and guns that don’t shoot.” (Pasternak 2001) Plant-security plans and their exercises are not encouraging. Several organizations have done studies on the security issue, including the Government Accountability Office and various environmental organizations. Here are some of the disturbing findings:

• The first warning of vulnerability came a few days before terrorists first attacked the World Trade Center in 1993. A former mental patient drove past a guard shack at the “overly defended” Three Mile Island facility, crashed his station wagon through a metal door and managed to drive sixty feet inside the turbine hall. He then fled on foot and it took a few hours to find him. He was unarmed. Security experts observed that a truck with a bomb the size of the one that so severely damaged the World Trade Center could have been detonated at the gate of a nuclear power plant and caused a major radiation calamity. The NRC promised tighter security. (Wald 2002) But as we have seen, it reversed itself in 2001.

• Half of America’s ten nuclear weapons research and production facilities had failed recent security drills as of October 2001. The U.S. Army and Navy commando teams were able to cart away enough weapons-grade uranium to build several nuclear weapons in three cases. (Hedges and Zeleny 2001)

• The GAO reported in 2003 that security guards failed to search people who triggered alarms when going through metal detectors. During exercises to test security, plants used more personnel to defend the plant than are available on a normal day. Unrealistic rubber guns were utilized in these required exercises. (GAO 2003)

• Despite steady reassurance by the NRC that the security system has been upgraded since 9/11, a survey of twenty guards in thirteen plants by a government watchdog group, Project on Government Oversight (POGO), found that in three-quarters of the plants examined, personnel were not confident that an attack could be defeated. The guards said that morale was low; they are paid less than custodians or janitors; their training is far less than regulation requires; and they do not have the automatic weapons and sniper rifles the terrorists would have. If a terrorist with a backpack of explosives jumped the fence and headed for the pump house, the spent-fuel storage pool, the backup generators, or the reactor itself, the guard could only observe and report the event. Exercises run by the NRC found it would take one to two hours for outside responders to arrive with a SWAT team, while a successful attack would be over in three to ten minutes. (POGO 2002)

• Mock attacks, for training and certification purposes, until 2002, employed three attackers, whereas actual terrorists would use an estimated ten to twelve. (Four or five attackers were used in a drill at Indian Point after 9/11, which a member of the NRC declared a great success but POGO ridiculed, and Senator Charles E. Schumer [D-NY] agreed with POGO. Wald 2003a) Speaking of government nuclear installations (and speaking in its usual tortured prose), the GAO announced in 2004, “While the May 2003 DBT [design-basis threat] identifies a larger terrorist threat than did the previous DBT, the threat identified in the new DBT, in most cases, is less than the threat identified in the intelligence community’s Postulated Threat, on which the DBT has been traditionally based.” (GAO 2004d) That is, the experts expect much larger attacks than the plants train for. In some cases, warned of the exercise, the plants had more people available to repel invaders than would work there in a normal shift. Not until February 2002 did the NRC require guards to carry their “primary” weapons (i.e., shotgun or rifle) when on duty. If anything looked amiss, they had been expected to trot over to a building where their equipment was stored in lockers. The utilities can choose the date of the mock attack, the kind of attack, and the attackers (local police or even utility management or training staff); they can script the place of entry and plan of attack; and they can have their security personnel carry the communications equipment and bullet-proof vests, which normally are stored away, on the day of the attack. Attacks are in daylight, and the three “terrorists” doing the attacking have limited weapons. This “dumbing down” of military exercises seems even too tough for the utilities, since nearly half fail. For example, a mock terrorist took a badge from a guard declared dead by those supervising the test and used the badge to enter a building unchallenged. The utility then complained to the NRC commissioners that this was cheating because such a tactic had not been scripted. (POGO 2002)

• Privatizing security drills at regulated sites with catastrophic potential is risky. The contractors conducting the drills of the security personnel they supply to the plant have no incentive to make them tough; they might lose their contract. The plant does not want either the embarrassment of failing to repel the attackers or the added expense of improving its security. And the NRC does not wish to be charged with inadequate regulations and oversight. No one wants failure, so the incentives for the exercises to be unrealistic are great. This became clear in the case of the Oak Ridge nuclear plant that makes warheads, where an investigation disclosed cheating in the mock attacks over a period of two decades. Barricades were set up to alter the outcome; guards deviated from their response plan to improve their performance; guard supervisors from the private company, Wackenhut Corporation, were allowed to see computer simulations the day before the scheduled attacks; guards were improperly told which buildings would be attacked, the exact number of attackers, and that a diversion was being staged. Attackers used guns that send a laser beam, and guards have sensors to see if they have been hit. But the guards disabled their sensors and disabled the weapons used by the attackers beforehand, resulting in a high score for Wackenhut Corporation, the largest supplier of guards for U.S. nuclear facilities. (Mansfield 2004)

The terrorism picture, the third of our three major sources of vulnerability, is much as we would expect (and much as we shall find in the case of another major source of our society’s basic vulnerability: chemical plants). The nuclear power industry denies there is a serious problem (“plants are overly defended now”); the major regulatory agency, the NRC, is hardly mobilized; there are no unscheduled tests; and the implementation of safety programs is comically inept, unmotivated, and even corrupted by safety vendors such as Wackenhut. Government installations concerned with nuclear weapons, which we have only briefly mentioned, appear to be no better in these respects. For society’s most concentrated source of destruction, this is a gloomy picture. As we shall now see, another one of our three sources of vulnerability—accidents in industrial organizations—is not much different.

NUCLEAR PLANTS AND OPERATIONAL SAFETY

When nuclear energy first appeared, the untried and untested plants had a rocky time. There were meltdowns or explosions or serious fires in four U.S. plants within a short time of their start-up. An experimental sodium reactor, the SRE, had a partial meltdown after fourteen months of operation (1959). Commercial plants failed even sooner. The Fermi plant had a partial meltdown within two months of its opening (1966), despite scientists’ claims that it would be impossible; the Three Mile Island plant had a partial meltdown of one-half of the core within three months (1979); the St. Laurent des Eaux A1 plant in France had a partial meltdown within four months (1969); the Browns Ferry plant in Alabama had a serious fire after six months (1974); and the Chernobyl reactor managed to go for one year and seven months before its 1986 meltdown that killed as many as 32,000 people by some estimates. (Lochbaum 2004, 5–6) (Some people disputed this estimate, but more important is the luck that the USSR had with the weather that night. The radioactive cloud rose slowly to several thousand feet in the still air before dispersing. Had a wind carried it over nearby Kiev, many more thousands could have died.) Things were so bad in the industry that some plants were never completed, or were completed but never brought online. The NRC itself acknowledged its contribution to the problem in a 1984 report that said there was an inability to ensure adequate control over design and construction and an inability to implement quality assurance controls; that the NRC itself “made a tacit but incorrect assumption that there was any uniform level of industry and licensee competence”; and that the limited inspection resources of the NRC meant that there was inadequate inspection of the design process. (Lochbaum 2004, 10) In short, the emphasis was on getting the plants running, regardless of the construction failures and the basic design failures.

In the United States, the nuclear-plant building program came to an abrupt halt when the Three Mile Island accident revealed the dangers of this philosophy. Fully twenty-seven of the one hundred or so nuclear power reactors have been shut down since 1984 for more than a year for extensive repairs to safety equipment. The year-plus durations of these shutdowns are prima facie evidence that problem identification and resolution programs at these facilities were seriously flawed if not quite totally dysfunctional. Years of overlooking problems and applying “Band-aid” fixes at these plants resulted in a backlog of safety problems that took a long time to resolve. Effective problem identification and resolution programs could save plant operators time and save money in the long run, argues a Union of Concerned Scientists report. (Lochbaum 2004)

With plants designed for twenty years of operation asking to be allowed to extend their life by another twenty years, the problem of aging parts and vessels is mounting. The Union of Concerned Scientists, in reports written by David Lochbaum, considers aging facilities to be potentially a very serious problem. Our database of accidents cannot tell us how serious the aging might be. We don’t even have very good evidence as to whether the reliability of our plants is stable, going up, or going down. Numerous measures are available; but they point in different directions and are hard to interpret. Perhaps the most clear and simple one is the number of serious incidents (i.e., near misses). Here the news is mixed. The number dropped from 0.32 per reactor year in 1988 to a low of 0.04 in 1997, perhaps reflecting a maturing of the industry and few new plants coming online. But it then rose to 0.213 in 2001—about twenty-one serious incidents a year if there are one hundred plants operating all year—perhaps reflecting the aging problem. (Lochbaum 2004, 19)

The problem with this and other statistical measures is that they emphasize the probabilities of failures, whereas with systems that have catastrophic potential, such as nuclear plants, we are also interested in possibilities. (Clarke 2005) The industry and many academic nuclear scientists point out that no one has been killed by a plant failure in the United States, so they say the probability of future deaths is vanishingly low. Environmental groups and many academic social scientists argue that we have given the small number of plants running only a brief chance to reveal their fury—only two or three decades. More important, the latter argue, it is what is possible that counts with such a deadly technology. As the old bumper sticker sardonically put it, “a nuclear plant meltdown can ruin your whole day.”

Nuclear plants occupy a special place in our industrial landscape because their catastrophic potential is so huge that they must be heavily regulated, but their complexity makes regulation difficult (there are so many rules required, and so little experience with all the possible interactions and conditions). It also makes regulation burdensome and intrusive: endless forms and reports are required, and inspectors are constantly on site. European plants have a better safety record because the plants are either state-owned, with safety built in at the start more effectively than the privately built and run U.S. plants, or if private they are chartered by the state, with a less adversarial relation between the government and the private owners in Europe. Our adversarial culture, reflected in our labor relations and regulatory activities, can be attributed to our free-market capitalism. It fosters a short-run perspective and cost-cutting to increase profits. (See the excellent discussion of the difference between U.S. and European plants and regulations in Jasper 1990.) A third model is the former Soviet Union, where the state owned everything and the emphasis was on meeting unrealistic targets by neglecting sound engineering principles and safety. (The fullest account of the Chernobyl accident and the USSR nuclear power program—an alarming account—is by Sonja Schmid [2005].) With deregulation of the energy industry in general, our plants are subject to more intense competition with each other (electricity is now shipped much further over the transmission system), more competition from more traditional sources of energy (which can produce power more cheaply; when all costs are considered nuclear power is much more expensive than other sources of power), and widespread consolidation of generating plants and accompanying downsizing of employees and longer workweeks. But even where the state regulation is strong, as in Japan, there will always be an incentive to cheat.

Japan’s nuclear plants for some decades appeared to perform at higher levels of efficiency and safety than those in the United States. But in July 2000, four ominous unexpected shutdowns occurred, some releasing unacceptable radiation levels, in the plants run by Tokyo Electric Power Company (TEPCO), Japan’s largest utility. In 2001, a whistle-blower triggered disclosures of falsified tests at some of the company’s seventeen plants, and the government forced TEPCO to close some plants. In 2002, the company predicted that all of its seventeen plants might have to be shut down for inspection and repairs, because of falsified inspections and concealment of faults found in inspections that the government ordered; some of the faults were potentially catastrophic. A top company official was charged with giving specific orders to hide large cracks in the “shrouds,” or steel casings around the reactor core, in two of the thirteen reactors at which false inspection reports had been filed. (Later I will designate this as an “executive failure,” as distinguished from an organizational failure, when I discuss similar orders in the Millstone nuclear power facility.) The president and vice president of the company resigned, the salaries of three executives were reduced by 30 percent, and those of fifteen others were cut. (Radsafe 2004) I know of no resignations or salary cuts following similar disclosure of executive failure in the United States. (State ownership by itself does not guarantee safe practices; it has not in either Russia or Japan. It seems to have worked quite well in Europe. Private ownership with poor state regulation seems less effective than European state ownership.)

The U.S. economic system favors short-run indicators and mobile capital flows. Managers are both creating this culture and being driven by it. Thus, the short-run savings that accumulate with cutting corners on maintenance and safety can be expected to dominate management thinking at the top, middle, and bottom. Since any untoward consequences of short-run savings are unlikely to appear, if they ever do, until the distant future, management can escape accountability. This has to be expected as a risk that most large organizations will take, and those with the most market power will be able to more easily absorb the consequences or deflect criticism. The organizations supplying our deregulated power are now larger and have more market power, as we shall see in chapter 7 on our power grid.

THE INDIAN POINT, DAVIS-BESSE, AND MILLSTONE EXAMPLES

Our first example, the Indian Point power plant, illustrates the problems confronting what was rated as one of the five worst plants in the United States. We don’t know enough about the role of top management in all these problems, so they may have more to do with failures by operators or managers, lack of skilled personnel or lack of money, or perhaps even technological uncertainties, though that seems unlikely. It will give us the flavor of repeated problems that even the better ones face. It is not encouraging.

The second example, Davis-Besse, presents a case of repeated warnings by engineers that were countermanded by top management, bringing the plant very close to a serious meltdown, along with all the dispersion of deadly radiation that would accompany this. We will also get a closer glance at the ineffectual Nuclear Regulatory Commission, which worried mightily and frequently about safety at this plant, but could not intervene effectively.

The Millstone plant suffered the range of failures of the other two plants but, even more than the Davis-Besse example, it locates conclusively the source of this failure: top management. Organizational theory has not done a good job in distinguishing between the failures of workers or management—part of the difficulty of getting organizations to perform well—and deliberate, knowing malfeasance on the part of executives. This is largely because we rarely have the data to conclusively make the distinction. We are able to document this example of what I will call executive failure because of the extraordinary work of a state public agency. The Millstone plant also came close to a major disaster.

Indian Point

For the first of three examples of our risky nuclear plants, I will draw upon Elizabeth Kolbert’s account in the New Yorker of the Indian Point plant. (Kolbert 2003) The Indian Point nuclear power station is not the worst in the nation, but it is probably typical of the operational problems that these plants still face, including problems due to aging. It is unusual, however, because it is so near to New York City. Half of all nuclear plants are near urban areas, but this is a particularly large urban area with no adequate means of escape. More than twenty million people live within fifty miles of the plant and, depending upon the wind, many millions of these could be severely harmed, and those close at hand, killed. The 300,000 most at risk are in the ten-mile “emergency planning zone,” but there could be thousands of deaths among the several thousand who live within seventeen and a half miles, the “peak facility zone.” The devastation that the old Atomic Energy Committee said could result from a meltdown at Pennsylvania’s Three Mile Island plant—contaminating an area half the size of Pennsylvania—applies to the New York metropolitan area and much beyond.

We pick up the story in 1992 when one of the two reactors was placed on the watch list because of a long list of safety lapses in previous years. In the most recent lapse, in 1991, the backup safety system for shutting down the reactor in case the primary one failed, a system essential for safety, was found to have been inoperative for six months. The plant was given a small fine: $225,000. But shortly after the fine, a problem was found with a set of valves, and the engineers rushed to replace them before an upcoming NRC inspection occurred. They put them in backwards, blocking the essential cooling system, and had to shut down the plant.

Under NRC pressure, the New York Power Authority, which owned the plant then, conducted a safety overhaul that was supposed to last six months. But there were so many problems with the plant it had to remain shut for two and a half years. Then, in the late 1990s, the second plant at the Indian Point station went into decline. The electrical breakers had not been inspected or maintained, and a second small fine ensued. A year and a half later, the power to the control room went dead, a serious matter, of course; the earlier breaker problem had still not been resolved. While the NRC was considering what action to take against the utility, a tube in the reactor’s steam generator ruptured, spilling 20,000 gallons of radioactive water into the plant’s sump, and the reactor was taken out of service for most of 2000. A large power company, Entergy, a product of consolidation made possible by deregulation, had bought the two plants in the meantime, bringing their nuclear power production up to nine nuclear plants, and celebrated its purchase in September 2001. A month later, four of the seven control-room operating crews at the number two plant failed an annual re-licensing exam. Four months later, a security guard pulled a gun on a colleague in an argument over a glass of orange juice and was fired. (Kolbert 2003) A trivial matter, of course, but it was a sign of persistent management problems at the operating level.

More problems befell the plant (in addition to a comical terrorist exercise that brought condemnation by a U.S. senator and others). A report by a nuclear engineer declared it one of the five worst plants in the United States. The Los Alamos National Laboratory conducted a study for the NRC, concluding that the chances of a meltdown increased by nearly a factor of 100 because the containment sumps were almost certain to be blocked with debris during an accident. If a pipe broke, the escaping water would go into the basement, and the sump pumps are designed to draw it back into the core to keep it cool. But the tests showed that the cooling water would collect so much debris from the damage as it descended that the debris would clog the mesh screens and prevent recirculation. Within twenty-three minutes at one of the reactors, and fourteen minutes at the other, there could be a meltdown. The NRC knew of this problem as far back as September 1996, but the plant will fix it only by March 2007, giving it eleven years of risky operation. Meanwhile, plant officials said, workers would scour the plant frequently looking for loose material that might become debris. However, the Los Alamos study, which estimated a hundredfold increase in the risk of a meltdown because of the condition, was worried not about debris lying around, but the debris that would be created by a ruptured pipe, fire, or other accidents. (St. Clair 2004)

Finally there was the problem of evacuation after an accident. According to the law, local officials have to sign off on a power company’s evacuation plan. This sensible requirement killed the attempt to start the Shoreham nuclear plant on Long Island. Evacuating that densely populated strip of land linked to New York City would have been impossible. (Clarke and Perrow 1996) Massachusetts was unsuccessful in blocking the start of the Seabrook, New Hampshire, plant, right on its border, when it claimed warnings would be insufficient and evacuation difficult. In the case of Indian Point, local officials had, in the past, declared the plan feasible. But after 9/11, new plans had to be approved.

In September 2002, New York governor George Pataki commissioned an independent panel, headed by James Witt, whom we met as the head of a revitalized FEMA during the Clinton administration. It studied the problems thoroughly and could not recommend that the population at risk could be evacuated in time, and said further that it was not possible to fix the plan. This has presented a dilemma for the governor, for New York senator Hillary Clinton (the power company, Entergy, is based in former President Bill Clinton’s home state and has been a handsome contributor to Bill Clinton’s past campaigns), and for the NRC, and was still unresolved in 2004. (St. Clair 2004)

One of the five worst nuclear plants in the nation, plagued by near misses, and not planning to fix the emergency cooling system until 2007, with no possibility of evacuation for the hundreds of thousands who live nearby and are in immediate danger of losing their lives, or the millions in the New York City metropolitan area that could be contaminated (the nation’s biggest “backyard” of “not in my backyard” fame), Indian Point illustrates our vulnerability to industrial disasters, not to mention a category four or five hurricane or, as we have seen, terrorism. We don’t have the details, but this would appear to be the case of executive failure as well as the more prosaic management failure.

We Almost Lost Toledo

Our next story is about the failure of top management at utilities and at the NRC to avoid skating perilously close to disaster. The Davis-Besse plant near Toledo, Ohio, was dubbed by the press as the “reactor with a hole in its head.” As a result of unattended corrosion over several years, only a half-inch of stainless steel, instead of seventy pounds of carbon steel, was found to be preventing a nuclear meltdown. But the near meltdown of the plant may also be related to Congressional deregulation and campaign financing and economic power. (Much of this is based on the excellent articles by John Mangels and John Funk, of the Cleveland Plain Dealer, an example of local reporting by the print media that kept up the pressure on the utility and the regulators.) The plant is owned by FirstEnergy Corporation, based in Akron, Ohio. Though there is no direct connection asserted between the plant’s operation and the political connections of FirstEnergy, it is worth noting that FirstEnergy is the fourth-largest investor-owned utility in the country, and led the other twenty-nine utilities in donations to the campaigns of George W. Bush. The utilities and the Edison Electric Institute, the industry’s technical representative, together raised $6.5 million from 1999 to March 2004 for Mr. Bush or the Republican National Committee. The chief executive officer of FirstEnergy was on Bush’s controversial energy transition team, after being one of Bush’s fund-raising stars. This is the committee whose minutes the press, environmental groups, and congressional members have unsuccessfully tried to make public. (Henry 2004)

In the 1990s, the NRC issued warnings about corrosion in the penetrations of the reactor head (called nozzles) in boiling water reactors (BWRs). In 1998, the required videos taken of the head of the reactor at the Davis-Besse plant showed significant corrosion, but neither the NRC nor the plant did anything about them. In July 1999, Andrew Siemaszko joined the plant as the lead system engineer. During an outage in 2000, boric acid deposits were found on the reactor head and, according to his account, he attempted to clean them off, but could not finish in one day. He was to return to the job the next day but found all the scaffolding and equipment had been removed, and management had signed a report saying that the reactor head had been fully cleaned. He protested to no avail that a substantial part of the head remained unexamined; the company cited the costs of further cleaning and said they could wait until the next scheduled outage. At that outage, in 2002, he was finally able to complete a full cleaning of the head, and discovered a pineapple-sized hole in the top of the reactor vessel created by the boric acid. Subsequently it was determined that acid had eaten away seventy pounds of carbon steel in the vessel, leaving only one-half inch of buckled stainless steel to protect Toledo from a nuclear catastrophe. The Government Accountability Office was to declare it the largest near miss since the Three Mile Island accident in 1979. (GAO 2004c) Reporting his discovery, documented with videos, he was immediately transferred to another assignment.

There Siemaszko found another problem, this one with leaking reactor coolant pumps. By his account, he persisted in attempts to replace cracked shafts in two of the four that had not been repaired, supported in these efforts by company engineers and an outside expert. Failing to convince the utility that the cracked shafts had to be replaced, he then refused to sign a report saying the issue had been resolved. He was told to sign the report, resign, or be terminated. He chose the last, filed a complaint, and raised his concerns with NRC officials, who, curiously, said his allegations should be handled by FirstEnergy. FirstEnergy denied the allegations and said that he had been fired because of poor job performance. He lost a generous salary, excellent health and life insurance benefits, matching retirement contributions, bonuses, paid vacation, and other benefits. In 2005, he was sued by the NRC for failing to report the defects with the nozzle and faces five years in prison and a $250,000 fine, and the company faces a $28 million fine. (Cable 2006) He is fighting the charges. (Funk and Tobin 2006)

The NRC was not unaware of the danger of leaking nozzles that turned up in the Davis-Besse plant. In 2000, before the problems became evident, the NRC had found cooling water leaks from control rod drive mechanism nozzles in many pressurized water reactors. This nozzle sits on top of the vessel and is involved in raising and lowering the fuel rods to decrease or increase the power. Every pressurized water reactor, except Davis-Besse, had inspected the nozzles; many found safety problems with the nozzles and corrected them. The NRC had inspectors who were apprised of the amount of corrosion and the lava-like flows from the top of the Davis-Besse reactor but either did not understand their significance or felt they were not serious, the GAO report noted (with no outburst of incredulity apparent in their report, though one was implied). Worse yet, videos from explorations in 1998 and 2000 had been given to the NRC, showing considerable corrosion. It returned them, presumably without viewing them, despite the several warnings of these problems they themselves had issued. (Mangels and Funk 2004)

In 2001, an alarming case of corrosion was discovered at another nuclear plant, and the NRC ordered that all the vulnerable plants be required to either shut down for inspection before the end of the year or show evidence that full inspections had been recently made. All but Davis-Besse complied. Davis-Besse was now in the hot seat, and was ordered to shut down. According to regulations a plant could only operate for six hours under these conditions, but the plant argued that it could safely wait until the next refueling outage, scheduled for several months hence. A compromise with the NRC was struck, and the scheduled outage would be moved up and occur in four months, and the plant said it would dedicate one worker to the task of turning on a safety system if the nozzle failed.

When the work was finally done they found the pineapple-sized hole in the reactor’s head. As noted, the leaks had been going on so long it left only a thin layer of stainless steel to contain the cooling water in the reactor. The steel was bulging from the severe pressure but had not yet broken. Furthermore, a break would have disabled the safety system the worker was to turn on—the safety program Davis-Besse had proposed in order to keep the plant running. There was so much damage that the emergency sump pump screen would have been blocked by debris, rendering the safety system that was to be turned on inoperable, and the core could have melted. No one should have been surprised; the NRC had issued eleven separate warnings about this danger at plants of this design since September 1988. (Lochbaum 2004; GAO 2004c; Siemaszko 2003)

A subsequent report by the NRC’s inspector general office charged that the NRC “appears to have informally established an unreasonably high burden of requiring” of itself “absolute proof of a safety problem, versus lack of reasonable assurance of maintaining public health and safety.” (Wald 2003c) In 2004, the GAO issued a blistering report on the NRC’s own performance at Davis-Besse, one that rivals the criticisms of the utility that were issued by other government and environmental groups. (GAO 2004c) The GAO’s criticisms of the NRC are more significant than those it made of the utility since the NRC is responsible for more than a hundred plants.

The NRC’s benign approach to catastrophic risk was fairly recent. It had been somewhat tougher in the past. The change may have stemmed from the deregulation of the electric power industry that commenced in the late 1980s. Shutdown orders were common in the 1970s and early 1980s. As we saw, plants often failed within months of starting up, and the complexity of the new technology meant unforeseen problems in the first decade or so of operation. That shutdown orders are now rare may be due to seasoning of the industry, but near misses began rising in the late 1990s. In the 1990s, the period of rapid deregulation in the energy industry, the commission adopted a policy called “risk-informed regulation.” It was designed to pay more attention to the costs it imposed on the plant operators, in order to balance it with the risk reduction that such things as shutdowns afforded. (Wald 2003c)

Documents that reporter Stephen Koff obtained from the watchdog group Greenpeace “show that a special Nuclear Regulatory Commission task force last year [2002] had in fact intended to blame the new regulatory system in part for the slipshod inspections at Davis-Besse. Before the task force’s report was complete, however, NRC staff had removed a section on the shortcomings of the NRC’s new reactor oversight process. . . . The NRC thus avoided the public criticism that most likely would have resulted if it had more clearly linked the Davis-Besse failure to weaknesses in its new regulatory regimen.” (Koff 2003) But the head of the new regulatory regime was promoted two years after his decision to allow the plant to operate without a full inspection of the suspected damage. His new position, the NRC’s chief administrative officer, was one step below that of executive director. (Mangels 2003)

The NRC blamed Davis-Besse for not accepting accountability for safety and for not having a “safety culture.” The NRC installed an evaluation team in the plant to examine the safety culture and hired outside consultants on safety issues. One consultant was discouraged to find that “senior management has not acknowledged their accountability and responsibility” for the reactor corrosion. Workers, he said, “expressed disappointment and frustration that this has not taken place.” (Wald 2003b) The fired Mr. Siemaszko would presumably agree. He would also agree with the more fundamental criticisms of the regulatory agency for relaxing requirements that encouraged FirstEnergy in its risky practices.

In March 2004, the NRC announced that the plant would be allowed to reopen, which was good news that FirstEnergy needed, since it was facing possible lawsuits from its key role in the massive blackout of the Northeast the previous August. (Wald 2004) In chapter 7 we will argue that this, too, was related to deregulation and industry concentration.

As noted, we do not have the evidence to show conclusively that top management was aware of the dangerous condition of the plant and blocked remedial action. Reports by a watchdog group strongly suggest this. (Cable 2006; Smith 2005) But we do know that Davis-Besse came very close to a disastrous accident; a thin, buckled sheet of steel was the only thing that prevented a meltdown. The danger was seen by an engineer who was then reassigned, and when he spotted another danger and refused to ignore it, was fired (though the NRC is disputing this, and blaming the engineer). The NRC ignored the evidence of corrosion in the reactor’s head, and when the problem was forcefully brought to its attention again, allowed the plant to run for four more months under dangerous conditions. How many more plants are out there skirting disaster, merely warned by the NRC to develop a “safety culture”? At least one more, as we shall now see.

Inside the Executive Office of the Millstone Plant

Environmental and public interest groups with highly qualified technical people, such as Greenpeace and the Union of Concerned Scientists, have always been critical of the Nuclear Regulatory Commission for not being tough enough on nuclear plants. But according to a lengthy analysis by John Mangels, a science writer for the Cleveland Plain Dealer, the NRC has tried at times, and at times it has succeeded. Of course, we expect it to regulate successfully, but we should not be surprised by its failures. It has a difficult regulatory problem. The commission is financed by government fees imposed on nuclear utilities rather than from tax dollars. The utilities have a double incentive to minimize the intrusiveness and completeness of the regulations: they can avoid costly changes, and the tax they pay the government will not rise to pay for more intensive regulation by the NRC. Industry’s leverage in this respect is through Congress, which sets the taxes that support the NRC and oversees the regulatory process. As we have seen, and will continue to see, unless there is public outrage, Congress is unlikely to demand much of industry and may even demand less regulation.

In the 1980s, largely on its own, the NRC became increasingly concerned about “design-basis” issues, to which it admittedly had paid less attention. These issues involve whether the initial design of the incredibly complex plants met safety considerations. There was simply not a great deal of experience with plants, which, unlike those in Europe and Japan, were of different designs and built by different companies, and even plants built by the same contractor were unique. With increasing experience, the NRC found evidence that plant designs were faulty, that changes in plant hardware and procedures could violate original design requirements, and that records were not being kept about design-based problems. A close call at the Davis-Besse plant, whose troubles we discussed above, in 1985 raised questions about operator behavior, but also about the design of the safety system. In that accident, the plant’s main and backup water supplies to the steam generators failed, sending reactor pressure and temperature to dangerous heights and risking damage to the radioactive core. (There were many such management and operations failures in nuclear plants before 1985, of course, making the whole enterprise risky and suspect. For a brief and frightening review of these prior to 1983, see chapter 2 of my Normal Accidents [Perrow 1999].)

The NRC cracked down, finding many design-based issues and also a lack of record keeping about design information. It asked the nuclear industry’s watchdog group, the Institute of Nuclear Power Operators (INPO), established after the 1979 Three Mile Island accident, to mount an effort to get the plant operators to collect, reexamine, and revalidate their design information. The group declined, saying it was unnecessary since most of their members were doing so voluntarily. Since it was clear that many were not doing so, the NRC pressed on, pledging that it would not fine operators for lesser design deficiencies as long as it was the utilities, and not the NRC, that found them. However, its design-oriented inspections were not just intrusive, but very costly for the plants, and pressure to limit them eventually was successful, as we shall see. (Funk and Mangels 2003)

One of the utilities most concerned about aggressive action by the NRC was Northeast Utilities (NU). Its three nuclear plants in the Millstone facility near New London, Connecticut, had been high performers with good safety records and few unplanned outages (emergency shutdowns, in contrast to the shutdowns for refueling every twelve to eighteen months). But in the mid-1980s, NU’s executives called in the McKinsey consulting firm because they feared the effect of federal deregulation on their profits. Profits would be affected by two aspects of deregulation. First, many industrial plants that generated heat during their operations could use the waste heat to generate electric power. If more power was generated than the plant needed, it would be wasted. With deregulation came a new regulation: the utility that ran the power grid had to purchase the excess power of these industrial plants and put it on the grid, paying the price that would be incurred if the utility had generated the power rather than the industrial plant. This would increase supply, and that would lead to lower prices. It was quite sensible, but not expected to amount to much increased supply for several years, and it didn’t.

The second effect of deregulation that concerned NU was the regulation that any utility could have access to any other utility’s transmission lines. NU’s grid would be open to other wholesaler power producers through a bulk regional power pool. If a utility in New York State offered cheaper power than NU in Connecticut, NU’s large customers could have it sent over NU’s lines and purchase it. NU no longer would have a monopoly with power generation in the region assigned to it. This also would lead to lower prices, though this regulation was expected to have little effect at first.

(In what follows I am following the extremely detailed and well-documented account of NU’s troubles by economists Paul MacAvoy and Jean Rosenthal [2004]. As a result of lawsuits, voluminous company records became available for their research. Unfortunately, there is no comparable inquiry into other nuclear facilities, such as those at Davis-Besse or Indian Point, since no other utilities have had their records exposed so extensively as Northeast Utilities had. This bonanza offers us the only glimpse we have of what takes place in the executive suite of nuclear power plants.)

Utilities throughout the nation formulated strategies to deal with the new competition; they anticipated that prices would fall and they could lose money. The dominant strategy, more talked about than followed, was to diversify. Awash in cash, the utilities could afford diversification. (MacAvoy and Rosenthal 2004, 23–24) But most utilities and industry authorities thought that falling prices would be in the distant future. NU was highly profitable, but it said it expected intense price competition soon, by 1990. Along with FirstEnergy in Ohio, NU’s management and its board of trustees decided to meet the competitive threat by cutting its operating costs, most particularly those in its three nuclear power plants, where the operating costs considerably exceeded those of its oil and coal-fired plants. Even more specifically, it would reduce operating costs not by improving operating efficiency, as some nuclear plants successfully did, but by reducing maintenance costs and employee costs at these plants. Their management consultants at McKinsey did the justifying study.

MacAvoy and Rosenthal write that NU “took risks with plant operating rates in order to take deep cuts in current maintenance expenses.” (27) (It is disturbing that the two economists defined the risks only in terms of shareholder value, with scant acknowledgment that there would be risks to the laid-off employees and, more important, should the cuts cause a major accident, to the general public near the plant! Economists call such risks “externalities” and rarely consider them.) The top management knew the risks of the cuts. The authors quote an internal memo that notes the consequences of the cuts clearly. While the strategy had produced unprecedented profits by 1990, the memo acknowledged that the plants had excessive overtime, were losing qualified personnel, and were unable to train instructors, to conduct required inspections, or even to do adequate safety reports. (45) As a result, forced outages occurred for extended periods in 1990 and 1991—for example, those due to corrosion in pipes they had failed to maintain—and then they failed to identify the corrosion.

Forced shutdowns are expensive; power must then be purchased elsewhere or generated from more expensive emergency internal sources, and repairs are expensive and may take months. For this reason, economists and engineers regularly reason that firms have an interest in preventing accidents and will do the necessary maintenance and have the necessary workforce. Lewis and Darken are typical. They say: “Continuity of operations already has its own built-in motive—the more reliable the operation, the more money received. Therefore, utility companies are motivated to increase continuity of operations. They do not need governmental incentives to reward them for doing what they do best: deliver services and consumables to the public.” (Lewis and Darken 2005)

But the risk of incurring forced shutdowns is considerably reduced in the short run of a year or two or more by the “regulatory accounting” practices of the NRC. This limits the impact of the shutdowns on earnings, since the expenses are deferred; they are expected to be covered by anticipated future revenues. (61) The cost of the shutdown does not reduce profits because it is charged to the future in anticipation of profits then. In effect these NRC accommodations reduce the incentive to avoid accidents, which is the opposite of what the NRC should be doing.

Alarmed by the forced outages, the NRC augmented its full-time inspection team at Millstone. It also determined that employee morale there was poor, employees were harassed for reporting safety violations, and experienced employees were leaving. The nuclear facilities operated less than half the time in 1991. (48–50) Internal task force reports prepared by the company itself were devastating. One argued that engineering should attain “excellence in performance and not cost containment,” a direct rebuke of the NU/McKinsey strategy announced in 1986. (53) The NRC was quite aware of what was going on. A special review group report by the NRC charged the company with micromanagement (an aseptic term for telling workers to violate requirements), harassment of employees, and an overemphasis on cost containment. (56) Later, an NRC official worried that if NU succeeded in buying the bankrupt nuclear plant at Seabrook, New Hampshire, the “Millstone virus” (i.e., mismanagement) might spread there. (60) (The cost containment strategy was identified as a “management failure” by the NRC, considering it rather like a poor decision or poor strategy rather than a deliberate act.) Incredibly enough, with this poor record for its nuclear plants, the NRC allowed NU to purchase Seabrook, under the vague conditions that it improve its employee relations and other safety matters at Millstone. But improving conditions at Millstone would mean abandoning cost containment and short-term profit goals by the company, so conditions failed to improve. MacAvoy and Rosenthal dryly note that the commitment to safety would itself “be subject to cost containment later in the decade.” (61)

A stock analyst or potential investor would have no reason to be wary. That fallible index of company health, its profits, increased each year after 1989, when the program was in full swing. The cost containment program continued to generate higher profits. Cost containments in the nuclear facilities realized savings of nearly $70 million a year; payroll savings in 1991 were estimated at $27 million annually since 1987; large workforce reductions of 1,100 were achieved. (62) Maintaining this strategy, MacAvoy and Rosenthal write, “would add to earnings, adding to management’s own salaries, bonuses and stock awards, with expectations of continuation well into the 1990s.” (63) The competition expected in 1986 by the company and McKinsey had yet to arrive.

Where was the regulatory agency in all this, as the plant cut staff and operating costs, neglected safety, angered its employees, and increased profits and management bonuses and stock options? The NRC was busy; it established a full-time oversight group at the Millstone site, increased the number of inspectors, required the utility to respond to a list of requirements, increased the number of fines, and discussed the utility’s performance at eleven NRC senior management meetings between June 1991 and 1993. (74) That should make a difference if the problem was either management failure or operations failure, but it didn’t. Why was the NRC not successful? Because it identified the problem as a management problem that would be responsive to lists of requirements, oversight, and fines. MacAvoy and Rosenthal are not taken in by this analysis, as plausible as it may seem. The problem, they say, was the executive strategy adopted, not the failure of management, and this strategy was adopted because of deregulation. An essay by a well-known energy stock analyst in NU’s 1991 annual report suggests how this could happen: touting American capitalism, he said the electric energy industry “is not a regulated industry any more, it is a dynamic, market-driven enterprise.” (65) With the deregulation this entailed, NU could ignore the NRC’s requirements lists and pay its paltry fines.

In May 1993, the NRC chastised the firm “for the harassment and intimidation of a Northeast nuclear supervisor who had raised safety issues.” (75) NU paid a small $100,000 fine, but operating earnings were up 15 percent that year. A new violation took place from May to August of 1993. Instead of shutting down the plant for two weeks to repair a vital leaking valve, they drilled into it to inject sealant into the gasket, and then kept striking the spot with a pneumatic ball-peen hammer to close the hole. This crude method failed, since the hole would open again. They attempted to close leaks by striking the spot thirty times over the next months, until this caused one of the studs supporting the valve to fail, causing the reactor to depressurize and go into a forced shutdown. The stud breakage, the NRC concluded, risked a “loss of coolant accident” (LOCA) and potential meltdown. (76) This was serious. Since the “errant repair activities” had continued for weeks, one wonders what the full-time NRC inspection team was doing, along with the regular NRC inspectors?

There were other inspectors, hired from a contracting firm, in the plant, and they observed the repair attempts. But they “worried that bringing up safety issues might affect their future employment.” One of these inspectors, who thought there was a “significant safety risk,” still signed off on an inspection of the valve “to prevent a confrontation with management.” (77) One wonders why they are called inspectors, but recall that FirstEnergy fired its chief engineer for refusing to sign off on a faulty valve at the Davis-Besse plant.

The NRC dutifully lambasted the utility (but apparently not its own inspectors) for all sorts of weaknesses and failures. The next year (1994) the two top executives at NU realized 37 percent increases in their compensation packages. (84) In 1995, the industry’s “self-regulator,” the Institute of Nuclear Power Operators—which is funded by the industry and conducts serious investigations but makes none of its findings public—met with the board of trustees of NU, but there is no documented board response to this unusual event. Also unusual was a 1995 meeting of the executive director of the NRC and his staff with the NU board. The NRC participants in the meeting laid out the politely labeled “lingering performance problems” in considerable detail, and the trustees promised to do better and “expressed appreciation for the meeting.” (80) But NU, in the next year, got its board of trustees’ approval for an even more ambitious cost-cutting program, 40 percent over five years. (78) The failure of regulation (or should we say the success of deregulation?) and the profit-maximizing strategy of the plant’s executives continued to put the plant on the brink.

Enter the Whistle-blower and the Media

In 1996, one of those dramatic stories about a near miss at a nuclear plant made the cover of Time magazine, the first cover story of an industry in the magazine’s history. It revealed that the Millstone nuclear plant had operated for twenty years “outside its design base” (violating the operating conditions required by its basic design) by routinely unloading all the spent fuel rods from the reactor core at once, during refueling operations, rather than one-third at a time, as regulations required. It also was doing so without waiting the required time for the radioactive fuel bundles to cool. The unloading was so rapid that it melted workers’ shoes at times. The cooling system was stressed with so many hot fuel rods being put in the pool at once. (The cooling system was subsequently discovered to be inadequate even with partial insertions, and especially inadequate for what was going on: receiving the contents of a complete unloading of the fuel rods being removed from the core.)

The Time account detailed the stubborn efforts of one employee, George Galatis (with the initially reluctant support of another), who discovered that the routine practice was outside of the design-based limits—that is, should not have been happening. The employee took the case to the Millstone management, which refused to do anything about it. After eighteen months of pressing the safety case, he took it to the NRC itself, only to find that the commission knew about the unsafe practice but had made no move to stop it.

We have to turn to journalistic accounts here; the incredibly detailed work of MacAvoy and Rosenthal is focused on shareholder value, not on the regulation of a plant with catastrophic potential, so it omits many of the following details, though it cites the Time report. The NRC, according to Time, said the practice was common and safe, if the plant’s cooling system is designed to handle the heat load, despite explicit regulations to the contrary. By design-based criteria it was unsafe, but the NRC would ignore that. However, the pool and its cooling system had never been examined to see if it could handle a full dump, and that is what it had been getting. (Pooley 1996)

The outcry occasioned by a dramatic cover story energized the NRC. Its new head commissioner, Shirley Jackson, began a crackdown, scaling back a policy called “enforcement discretion,” which had allowed the agency to set aside hundreds of its own safety regulations. Millstone had received fifteen such waivers since 1990, though none for dumping. The NRC inspector general, who investigates agency wrongdoing but has no power to punish, said, “We shouldn’t have regulations on the books and then ignore or wink at them.” (Pooley 1996) Commissioner Jackson said that with only four inspectors for every three plants they could miss things (but this was a big thing to miss, and they had put on extra inspectors). That would mean fewer than fifty inspectors out of three thousand NRC employees. As one commissioner said defensively in the 1980s, they were not an inspecting organization, but an accounting one—they mainly keep records. But Commissioner Jackson, of course, said that having this few inspectors never endangered safety. The watchdog environmental agencies were outraged.

Fortunately, MacAvoy and Rosenthal do give us a lead as to why a plant like Millstone (or the other two we examined), with so many violations and fifteen waivers in six years, could have inspectors that would miss something that several employees were worried about and one of whom had filed a safety report with management concerning dumping. The NRC requested that its Office of the Inspector General investigate the dumping incident. “The investigation determined that NRC resident inspectors at the Millstone site were aware of the practice of full-core offloading, but did not know the design basis well enough to realize that the practice was contrary to the facility’s license. The investigation also determined that there had been no analysis of the heat removal capacity of the Millstone One spent-fuel pool cooling system under conditions of a full-core offload.” (MacAvoy and Rosenthal 2004, 89; italics supplied) Since failure of the storage pool would be catastrophic—widespread radiation would require immediate evacuation of the plant, perhaps kill employees, and leave the nuclear reactor unattended, and could contaminate the surrounding area while killing thousands—one would think that an inspector would inquire into the design basis of such a vital element. But, the Time report charges, it is even worse. The NRC home office was aware of the illegal Millstone practice and even countenanced it at other plants. Perhaps this is why nuclear engineer Galatis resigned his position in 1997. The country lost a nuclear engineer (it is not a well-stocked profession) because he entered divinity school.

Another whistle-blower was not so fortunate. The NRC, though chastising the utility for threatening whistle-blowers in the Millstone case, retaliated against one in another case, as the Time magazine cover story reports. In the early 1980s, when Northeast Utilities’ Seabrook Station in New Hampshire was under construction, Joseph Wampler warned the NRC that many welds were faulty. His complaints went unanswered, and he was eventually fired. He moved to California and sought employment in nuclear power stations. But in 1991 the NRC sent a letter summarizing Wampler’s allegations—and providing his full name and new address—to several dozen nuclear companies. His career was destroyed a second time; he now works as a carpenter. The NRC fined NU $100,000 for problems with the welds. (Pooley 1996) At least the NRC has not tried to jail Mr. Wampler, as they are trying to jail Mr. Siemaszko.

It is apparent that we cannot depend on whistle-blowers to protect us from the NRC or the nuclear power plants. They are fired, and they have trouble suing if they try. And even if they don’t sue, they can be blacklisted or jailed by our protectors, the Nuclear Regulatory Commission.

The utility stumbled on with more problems until finally all three nuclear plants were shut down and the NRC would not let them restart without extensive reorganization, refitting, training, and so on. Millstone One had not been allowed to restart after its late 1995 refueling. Millstone Two had been down for ten months after having restart problems after a 1994 refueling, restarted in August 1995 but failed in December 1995, restarted briefly in February 1996 but had to be shut because of “operating problems,” and underwent extensive review. Millstone Three had even more problems. The four pages that MacAvoy and Rosenthal devote to a detailed analysis of the faults of the company and the three reactors in this short time period are depressing reading, especially since there had been so many warnings and futile efforts by the NRC to secure reforms. (90–94)

One of the themes of redemption in the Millstone saga was changing the “safety culture.” The NRC made a valiant effort; MIT researchers made studies; consultants were hired; and, as happened with the NASA Columbia shuttle disaster years later, a failed safety culture was said to be the root cause of the failures. After a long history of breakdowns and violations, the NRC addressed the issue of organizational culture. As summarized in a New York Times story, the NRC “will not allow the reactors to restart until management completely changes its culture and proves that workers feel comfortable when they raise warnings about nuclear safety.” Plant operation had been so shoddy that managers routinely broke federal rules. “When workers raised concerns about cooling pipes wrapped in duct tape, faulty gauges, torn filters and the mishandling of fuel rods, they were not only ignored, they were punished.” (Rabinovitz 1998) A huge effort over the next two years to change the culture followed.

But was this the root problem? Safety cultures can only be developed where top management wants them, or at least will tolerate them. (Those of us who have worked with NASA after the Columbia disaster will testify that changing a culture is extremely difficult when “efficiency,” “privatization,” and “cost reductions” remain the top management’s primary concern; their culture can trump all others.) The limits to this approach, changing the organization by changing employees’ and operating managements’ culture, are evident in the Millstone case. A safety culture was not in the economic interests of top management, so it could not take root. (For a contrary view on the efficacy of safety cultures in high-risk organizations, see the literature on high reliability theory [La Porte and Consolini 1991; Roberts 1993], and for its application to nuclear power plants, see the fascinating ethnographic account of Constance Perin [2006].)

The Collapse of “Shareholder Value”

The Connecticut Department of Public Utility Control (DPUC) is the hero of this case. It held public hearings and brought suit against Northeast Utilities. This shows what persistent regulatory inquiry can achieve despite the NRC. Also helping was a lawsuit brought by ten small utilities that had contracts to buy power from the company. (MacAvoy and Rosenthal provided expert testimony on the behalf of these utilities, which gave them access to data that researchers normally would not receive.) The public hearings of the DPUC, the data that the NRC was forced to disclose, and the disclosures from the lawsuits provided a rich treasure trove that gave the authors this unprecedented access to executive and board actions.

The Connecticut public utilities authority ruled that NU could not make its customers—households and other consumers—pay for the cost of the shutdowns, declaring that the company was mismanaged and its executives were responsible. In 1999, NU pleaded guilty to twenty-five felony violations of environmental and safety regulations at its power plants between 1994 and 1996, paid a $10 million fine, and declared bankruptcy. The NRC finally allowed two of its reactors to restart, and all three were sold to Dominion Resources of Virginia in 2000. The company sold its fossil fuel plants and Seabrook, and now is only a common carrier, distributing power others produce. (MacAvoy and Rosenthal 2004, 4, 106)

The authors found it depressing that the board of NU failed to oust the head of the company, Bernard Fox, after a disastrous financial collapse. They noted a “stunning” lack of urgency on the part of the board to do anything about the failed leadership. When Fox finally retired later in 1997, he left with a handsome financial package, even though the company was hemorrhaging financially and threatened by lawsuits. The handsome payments to the two top officials upon retirement “were free of penalties against senior management for destruction of the company,” MacAvoy and Rosenthal noted in their understated, bleak style. (108) A litany of organizational failures was acknowledged by a new president of nuclear operations, but as the authors sagely noted, “this litany addressed management process, not the faults in key strategy decisions.” (101–5)

This observation is very important. Enterprises with catastrophic potential are vulnerable to organizational failures, such as bad management and failures at the operating level. But MacAvoy and Rosenthal are raising a more fundamental point, though they do not make it as explicit as I now will. The management failures so often detailed in NRC reports and those of consultants and the Connecticut Department of Public Utility Control—threatening employees, falsifying reports, failing to make mandated changes, cutting maintenance, reducing the workforce unreasonably, providing poor or no training for employees, and so on—were not inadvertent or the result of lack of knowledge, experience, or ability or of overwork or time pressures (the usual causes of poor management) but were intentional, the result of conscious decisions. Top management, with the knowledge and passive support of the board of trustees, knowingly caused these practices.

The “management failures” were an inescapable and very visible consequence of NU’s decision to increase profits by cutting costs. (We do not have the data on Davis-Besse and FirstEnergy to support similar charges, but the cases appear to be very similar.) The managers expected that deregulation would bring about competition that they had not experienced before; in the past, with no competition, their rate proposals were accepted or modified by Connecticut state officials. In anticipation of this competition they chose to meet it by progressively, and ever more drastically, cutting maintenance and operating costs. Under pressure from the NRC, they promised changes but demonstrably never made them; indeed, they prevented their managers from carrying them out.

Management at the organizational and the operating level did not fail; they obeyed.

This entailed a risk. Senior managers ran the risk of having forced outages and even of receiving NRC orders to shut down or not restart (as well as the risk of the collapse of a radioactive core, considerably more dangerous than the “collapse of shareholder value”). For about a decade the risk paid off; profits went up and the company expanded to include the Seabrook reactor. Then the risk stopped paying off. With all three of its reactors closed and the company being sued, and profits turning into losses, the two top managers “retired.” Despite the restart of two of the three Millstone reactors, the company was “destroyed,” that is, forced to sell off its production facilities.

We will see many examples of organizational failures where poor management is to blame; management is difficult, and there will be cases where it fails. But that must be distinguished from what MacAvoy and Rosenthal call “strategic failure,” where top management (and the board) knowingly takes risks in violation of regulatory laws. I prefer the term executive failure to strategic failure, and I will use this term in the rest of the book.

Executive decisions commit the whole organization; decisions by organizational members below the executive level do not do so, though sometimes inadvertently they will. A particular department may make a decision that maximizes its benefits within the organization, and this may weaken the organization as a whole, but this is not the intent. An executive decision to maximize the executive’s interest in his bonus or stock portfolio obviously commits the whole organization; it is hard to argue that this was inadvertently contrary to the organization’s interests. The executive should have only the whole organization’s interests at heart; that is what it means to be the head of the organization.

In contrast to executive failure (knowingly harming the company the executives are responsible for in the face of outside and inside warnings), strategic failure, MacAvoy’s and Rosenthal’s term, means a faulty strategy was selected without awareness of its consequences. If McKinsey had recommended a strategy that some other companies had used to meet the projected competition, such as increasing the efficiency of their plants and spending their ample capital reserves on diversification, that would be a strategic success if the executives adopted it. But something more was operating here, and for those of us interested in the safety of our population, it is more important than these strategic choices. The top executives were ordering their subordinates to break the law and to take risks their subordinates—managers and workers—knew to be unwarranted. Thus, the executives failed, not just their strategy.

“Our general interest is not the technology of safety,” the authors serenely declare, but how the trade-off of profits versus safety “may be part of corporate strategy.” Management, they continue, “for its own advantage, carried out a strategy that was too risky to benefit the corporation,” that is, the financial stakeholders. Management was acting against the interest of investors, “who would not have placed such a high priority on current earnings and executive compensation.” (xi) (But they provide no evidence that investors did not view current earnings as a high priority; one might assume investors always put earnings as a high priority.) “The company took on the risk of destruction, while the decision-makers were left relatively unscathed,” they conclude in their final sentence. (111) Reputations were damaged, but the two top executives, Bernard Fox and R. W. Busch, benefited financially, receiving $1.6 and $3.0 million in voluntary separation settlements. (108) The nation was to see much more of this in the corporate scandals of 2000–2004 and beyond, but those risks did not involve the risk of millions of deaths and environmental destruction inherent in our nuclear power plants.

THE NRC AND CONGRESS—CAPTURED?

More was involved than executive failure by officers and top executives of the company, and we have to go beyond our economists to see it. The failures had to be allowed by our government for the executives to carry out ten years of destruction before it was called to a halt. A year after its cover story, Time revisited the case, and found that NU had made the fuel-pool cooling-system changes that employee Galatis had demanded for eighteen months. The NRC only then admitted there was “pervasive noncompliance” that did pose a potential threat to public safety. (Pooley 1997) Perhaps it was the NRC that had been a threat to public safety. How did it allow NU to go on, year after year, pursuing profits and increases in top executive compensation packages at the obvious expense of safety? We probably have to give more thanks to Connecticut’s Department of Public Utility Control, which badgered the utility for years and sponsored slashing reports by consultants, for bringing NU to heel, than to the NRC. Connecticut’s actions helped bring about the ignominious demise of the utility. It brought suits.

As we saw with other examples of regulatory failure, there are more actors in the picture than just the regulatory agency. There are the industry trade associations and, most particularly, the congresspeople who receive their campaign donations and other favors. Here is what happened when the NRC got tough, as it sometimes does. Writing of the agency’s actions in 1997 after the publicity about Millstone, journalists Funk and Mangels observe: “After a decade of talking tough about rooting out unaddressed design flaws and uncertainties system wide . . . the NRC was doing something about it.” (Funk and Mangels 2003) In that year, an unprecedented number of thirteen facilities were put on the watch list for extra scrutiny; the more the NRC looked, the more flaws the special inspection teams found; and reactors were shut down. But there was this important consequence of an agency finally doing its job, says Mangels: “operating companies’ profits took a nose dive.”

When this happened, the NRC slackened its inspections. The agency and the industry made the argument that by the latter half of the 1990s, the plants had run long enough to disclose any serious flaws, and the remaining design-basis issues were not threatening public safety. One wonders how so many violations could be insignificant, and if they are insignificant, why are they called violations? There are many such issues. The antinuclear group Public Citizen identified more than five hundred cases of design-based flaws between 1996 and 1999. An NRC study, with much more access to facilities and more manpower, found a great many more violations: 569 in one year alone. There were more than 3,100 from 1985 to 1997, an average of about 240 per year per reactor. The chief of the NRC’s inspection program branch said of three hundred discrepancies over a year old at the Davis-Besse plant in Ohio, “they’re minor items that, even if they’re not corrected in a short period of time, it’s really not going to contribute to risk.” This is an NRC inspector talking. (They were not all minor, as we saw; some threatened meltdowns.)

In 1997, a year after the Millstone disclosures and forced closing, and in the period when the Davis-Besse plant was ignoring signs of damage to the top of the reactor, all very serious matters, the head of the Institute of Nuclear Power Operations (the private industry “watchdog” research agency) supported the complacent views of the NRC inspector just quoted. The head of the INPO warned that plant managers “are often involved in fairly esoteric issues with the NRC when their time would be better spent focusing on the day-to-day safe and reliable operations of the plant and performance of their people.” (Mangels 2003) But the issues the inspectors at Davis-Besse and Millstone One, Two, and Three should have been focusing on were hardly esoteric. They should have been looking at a design-basis danger the NRC had repeatedly warned of in the 1990s.

I am sure the NRC can engage in nit-picking and be involved in esoteric issues that do not affect safety; one reason is that until the accident unfolds we often do not know what is esoteric and trivial and what is not. The streaking from the top of the Davis-Besse reactor dome was considered trivial, but, as we saw, it was not. Full core loading in a storage pool not designed for it might have been trivial, and unrelated to safety (though that is hard to believe), but turned out to be so risky, when examined, that even the utility agreed the storage system had to be greatly modified.

The problem with considering the thousands of regulations issued by the NRC as picky and hamstringing is that the regulations are a response to violations. Initially, the predecessor of the NRC, the Atomic Energy Commission, issued few violations, but as the plants came closer to coming on line, it had to step in with regulations. New problems with the behavior of the contractors, then the operating utilities, engendered more regulations. The variety of designs and the uniqueness of the plants required still more. The multitude of regulations (many became irrelevant, as designs and practices changed) was a response to a multitude of unsafe practices by the utilities. Violations at one plant produced stricter regulations at all similar plants—for example, the boiling water systems and the pressurized water reactor systems, the two major styles. It is similar to civil laws and criminal laws: they are enacted to deter undesirable behavior, not fashioned out of thin air.

With utilities’ profits falling when the NRC got tough after the Time story, the industry not only argued that excessive regulation was the problem, it did something about what it perceived as harassment. The industry used the Senate subcommittee that controls the agency’s budget, headed by a pro-nuclear Republican senator from New Mexico, Pete Domenici. Using the committee’s funds, he commissioned a special study by a consulting group that was used by the nuclear industry. It recommended cutting back on the agency’s budget and size.

Using the consultant’s report, Domenici “declared that the NRC could get by just fine with a $90 million budget cut, 700 fewer employees, and a greatly reduced inspection effort.” (italics supplied) The beefed-up inspections ended soon after the threat of budget cuts for the agency. (Mangels 2003) And the possibility for public comment was also curtailed, just for good measure. Public participation in safety issues once was responsible for several important changes in NRC regulations, says David Lochbaum, a nuclear safety engineer with the Union of Concerned Scientists, but in 2004, the NRC bowed to industry pressure and virtually eliminated public participation. (Lochbaum 2004)

As Lochbaum told reporter Mangels, “The NRC is as good a regulator as Congress permits it to be. Right now, Congress doesn’t want a good regulator.” (Mangels 2003)

In a remarkable charge, Time, in 1997, said, with reference to the NRC, “The industry vetoes commission nominees it deems too hostile (two of five NRC seats are vacant), and agency officials enjoy a revolving door to good jobs at nuclear companies such as Northeast.” (Pooley 1997) I have heard such charges from a former NRC regional executive, who left the agency in frustration. The regional executives in particular are said to be informally subject to utility vetoes over appointments. But I know of no evidence that would prove this charge by the magazine.

CONCLUSION

I have argued that nuclear power plants have unusual safety problems, as compared with the rest of industry, because of the complexity of their designs and operations and their catastrophic potential; that these take time to reveal themselves; and that their aging and the granting of extensions on their operating lifetime pose new risks for which we have no experience. Furthermore, what had once been a fairly comfortable business environment with little or no competition (and undoubtedly uneven pricing and inefficiencies), has, with the deregulation that started in the 1980s and began to take effect in the second half of the 1990s, encouraged a “race to the bottom” in terms of maintenance, inspections, employee staffing and quality, and safety cultures. Not all plants succumbed to the pressures to increase profits in a competitive environment, but enough have to place parts of the nation at serious risk, especially those plants close to major urban areas.

The complexities of these plants make it particularly hard to prevent operation failures (employee errors, poor teamwork, etc.) and management failures (the organization of work, supplies, facilities, and other resources; the safety culture). Many failures have these roots. In Normal Accidents I argued that because of the complexity of these plants and their tight coupling, serious accidents are inevitable even with the best management practices and attention to safety. (Perrow 1999) (Nuclear power plants with passive safety systems have been proposed and could be built; I am concerned about the ones we are stuck with.) But the most serious failures are those of the top executives, who knowingly require unsafe practices by their managers and workers in the interests of profit maximization.

These vulnerabilities of nuclear power require a vigorous regulatory effort, especially since there is no meaningful liability penalty for a catastrophic accident. The regulatory effort has been mixed and episodic, with suggestions that the regulators are, as the political science literature puts it, “captured by the industry” they are supposed to regulate. We have seen evidence of inspectors who do not inspect, or even understand the system as well as first-line supervisors and workers, of a huge bureaucracy that is committed to bookkeeping rather than on-site inspections and only manages to energize itself after the publicizing of major failures. This suggests a major role for environmental watchdog groups, funded by tiny donations and staffed by dedicated professionals, to watch over the regulated and the regulators alike. It also suggests the vital role of the media, especially the print media, in covering the major failures.

But behind the regulatory failure lies a more basic one, the power of Congress to threaten the regulatory agency with fiscal punishment if it is aggressive. The energy industry is rich and huge, and its campaign contributions are massive. It also contributes to the infusion of an economic ideology of deregulation, free markets, competition, and efficiency. Actually, competition is declining as markets are consolidated and made less free, and the efficiency is aimed at short-term profits rather than long-term investments in safety and reliability. If industry has captured the regulatory agencies and promoted a free-market ideology, we have Congress and our campaign-financing system to blame. Congress writes the regulations and influences the judiciary that enforces the laws.

Nuclear power plants concentrate more lethal potential than anything else in our society. They are vulnerable to natural disasters. There have been emergency shutdowns in the face of hurricanes, for example, though no storms or floods have as yet disabled a plant’s external power supply and its backup power generators. Some plants sit on earthquake faults. This chapter has argued that they are extremely vulnerable to terrorist attacks and to organizational failures. Their electricity is considerably more expensive than alternative means of generation, and while they pollute far less (only in the short run; in the long run of thousands of years, their wastes pollute far more if they are not contained) and release no carbon dioxide, the current difference between oil- and coal-fired plants and nuclear plants in this respect could be greatly reduced if currently available emission reductions were required of fossil fuel plants. And, of course, the federal government invests only a trifling amount in research on solar and wind power and energy conservation, while it continues to handsomely fund nuclear power research. This is an example of increasing our vulnerability to natural, industrial, and terrorist disasters. By supporting pollution reduction from fossil fuel plants, alternative energy sources, and energy conservation, we could phase out our vulnerable nuclear plants in a decade or so.
