Québec, 1 August 2013

Honorable Joe Oliver,

Minister of Natural Resources,

Members of Parliament of Canada

Parliament, Ottawa

Re: Probability of a severe nuclear accident 100 times higher than the level of social acceptability

Honorable Joe Oliver and Honorable Members of Parliament,

-1. Introduction

We appreciate the fact that on May 24th you replied to our letter dated April 11th 2013 (see attachment 1 for both letters), in which we had drawn attention to the urgent need to decrease at least tenfold the probability of severe nuclear accidents in Canada, as had been proposed in an article published in October 2009 by former federal employee and nuclear engineer John Waddington (see attachment 2).

Your May 24th letter failed however to address the important issues concerning nuclear safety regulation that our April 11th letter had raised. Your letter had nothing but praise for the Canadian Nuclear Safety Commission (CNSC), despite the fact that the CNSC is itself part of the nuclear risk problem as John Waddington and many other analysts have argued in recent years. In the present letter we wish to convince you that your government is faced with a serious problem regarding safety culture in the field of nuclear regulation.

On the basis of federal data we find that the probability of a severe nuclear accident in Canada is 100 times higher than the level of social acceptability. Over a five-year period in the Toronto area, the probability of occurrence of a nuclear accident with severe core damage may be as high as the probability of getting three sixes on a single throw of three dice. Because of many prevailing uncertainties connected with high-pressure tube degradation mechanisms in CANDU nuclear reactors, the severe accident probability may actually be much higher than the three-dice value. We respectfully and urgently request the Canadian federal government to intervene, before a severe accident takes place.

1

Governmental intervention was indirectly requested by John Waddington in his October 2009 article which we quoted in our April 11th letter. As you read the following quote you might keep in mind that nuclear engineer John Waddington worked for many years for Atomic Energy Canada Limited (AECL) and then at the CNSC; he is an ‘’insider’’ and a promoter of a further expansion of nuclear energy. Waddington wrote:

Waddington : ‘’The paper presents the case that there are major deficiencies in the current regulatory scheme which, if not corrected, will likely prevent the achievement of the new safety goals that have been set for Generation III reactors and beyond, which is a reduction by a factor of ten in the expected frequencies of core damage and of severe accidents.’’

-2. Safety culture deficiencies in many fields.

On July 6th 2013 there occurred in the city of Lac-Mégantic, in south-eastern Québec, a railroad accident which turned into a tragedy with the loss of 50 human lives and the destruction of part of the city center. Television and printed media were quick to point out serious deficiencies in the federal regulation of railway transport which contributed directly to this tragedy. On July 20th the newspaper La Presse published an article by well-known journalist Vincent Marissal who investigated the railway situation in Canada (see attachment 3 for the article entitled «Un drame ineluctable»). Vincent Marissal interviewed Jean-Pierre Gagnon, a railroad security expert who retired in Spring 2013 after 32 years in Transport Canada. Jean-Pierre Gagnon had tried for years to improve Canadian railway regulations, partly in collaboration with the Association of American Railroads, but without much success. Marissal also interviewed many persons in the railroad industry who did not want to be named. Marissal’s article reveals a great deal of laisser faire in the Canadian railroad business. We will use the following two quotes to raise questions later about similar deficiencies in nuclear regulation in Canada.

Marissal : «Ultimement, cela relève de la volonté politique du gouvernement, qui a résolument favorisé la business avant la sécurité, nous disent nos sources.» Translation : ‘’In the final analysis this stems from a political agenda in the government that has definitely chosen to favor business rather than safety, according to our information sources.’’

Vincent Marissal’s article ends with this quote from an employee of a large railroad firm :

«Transports Canada, c’est une parure! Ce sont les compagnies ferroviaires qui font leurs propres règlements.» Translation : ‘’Transport Canada is an ornament ! It is the railroad companies that make up their own rules.’’

In the week following the Lac-Mégantic tragedy the Union des municipalités du Québec (UMQ) formally asked the federal government to immediately carry out a rigorous inspection of railway equipment and to review and modernize its railway regulatory system. Furthermore, the UMQ is planning to collaborate with similar associations in the USA in order to put pressure on all pertinent governments on both sides of the border.

2

As this story is developing there comes more to light the important question of the safety culture in many different fields. Thanks to unusually exhaustive media coverage of the Lac-Mégantic tragedy, the public is beginning to see a broader picture connecting major tragedies with deficiencies in safety culture not only in industry but also at the level of federal regulation. Looking for root causes of the Lac-Mégantic disaster, for example, some newspaper articles have made a connection with other disasters, such as the explosion of the Challenger space shuttle at Cape Canaveral in Florida on January 28th 1986.

Numerous authors in academia and elsewhere have studied the root causes of major accidents such as the two space shuttle tragedies (Challenger in January 1986 and Columbia in February 2003), fatal airplane crashes, large oil spills from tankers and ocean platforms, railroad accidents and nuclear reactor meltdowns (Three Mile Island in 1979, Chernobyl in 1986, and Fukushima in 2011). Many books have been written on these topics, notably ‘’Normal Accidents, Living with High Risk Technologies ’’ (1984, revised in 1999) by Charles Perrow, ‘’The Challenger Launch Decision’’ (1996) by Diane Vaughan, and ‘’Challenger Revealed’’ (2006) by Richard C. Cook. The television series Mayday is most remarkable in explaining the immediate and the root causes of airplane crashes. The Mayday series brilliantly teaches the paramount importance of building and strictly adhering to a safety culture.

In his remarkable October 2009 article nuclear engineer John Waddington emphasized human error and institutional failure as dominant contributing factors to major accidents. Waddington referred to the research work of Emeritus Professor James T. Reason of the University of Manchester in Massachusetts. The description of professor Reason’s research focus at URL http://www.safetyleaders.org/superpanel/superpanel_james_reason.html is :

Reason’s research focus : ‘’For the past 25 years, his principal research area has been human error and the way people and organizational processes contribute to the breakdown of complex, well-defended technologies such as commercial aviation, nuclear power generation, process plants, railways, marine operations, financial services, and healthcare institutions. His error classification and models of system breakdown are widely used in these domains, particularly by accident investigators.’’

This description underlines the fact that safety culture is a concept that applies to many high-technology fields.  A similar idea has been extensively developed by Professor Diane Vaughan of Columbia University starting with her well-researched and broadly praised book ‘’The Challenger Launch Decision’’. In an article on Lac-Mégantic published on July 14 th 2013 in the Canadian Press, Professor Jean-Paul Lacoursière of the University of Sherbrooke drew attention to the exhaustive work carried out by Professor Diane Vaughan of Columbia University on the root causes of major accidents. Much information about Professor Vaughan’s research can be found in a 2008 ConsultingNewsLine (CNL) interview archived at the following URL :

http://www.consultingnewsline.com/Info/Vie%20du%20Conseil/Le%20Consultant%20du%20mois/Diane%20Vaughan%20(English).html

In 2003, in recognition of her excellent work in analyzing the root causes of the Challenger space shuttle disaster, sociologist Diane Vaughan was invited to join the Columbia Accident Investigation Board (CAIB) set up by NASA (National Air and Space Administration). On page 2 of the CNL interview Diane Vaughan said the following:

3

Diane Vaughan : ‘’I’m interested in the dark side of organizations : how things go wrong - mistakes, misconduct, disaster. Research indicates that troubles came not only from individual failures but also from organizational failures.

……… …………………

a long incubation period filled with early warning signs that were either missed or misinterpreted or ignored. Concepts common to all are structural secrecy, the normalization of deviance, signals – missed signals, weak signals, routine signals. All of these are common in failures of all sorts. Primarily, the work has introduced the idea of how deviance becomes normalized in different kinds of organizations.’’

The last line underlines a key contribution, a discovery, made by Professor Diane Vaughan, namely the concept of ‘’normalized deviance’’ in large organizations. On page 3 of the interview she gave the following description of this key concept:

Diane Vaughan : ‘’Social normalization of deviance means that people within the organization become so much accustomed to a deviant behaviour that they don’t consider it as deviant, despite the fact that they far exceed their own rules for the elementary safety. But it is a complex process with some kind of organizational acceptance.’’

In the case of the Challenger disaster the problem of flames burning through O-rings on the giant booster rockets had been observed and well documented by NASA engineers. Prior to January 28th 1986 several engineers, and budget administrator Richard C. Cook, had tried to convince upper NASA management that the O-ring problem needed to be fixed if an explosion was to be avoided during launch. Talking about these engineers Professor Charles Perrow wrote in his book on page 380:

Charles Perrow : ‘’They pounded tables and raised their voices but were told to take off their engineering hats and put on their managerial ones.’’

But as Diane Vaughan writes, the level of ‘’acceptable risk’’ had been redefined by NASA, so that ‘’flying with the flaw was normal and acceptable.’’

-3. Normalized deviance, institutional failure, in the field of nuclear energy.

The major contribution of academic researchers, such as sociology professors Diane Vaughan and Charles Perrow, is to have found common elements that lead to major accidents in many different fields, so that a unified understanding of major accidents becomes possible. In his book Charles Perrow deals explicitly with nuclear power (he had been on the commission that investigated the Three Mile Island nuclear meltdown), petrochemical plants, aircraft and airways, marine accidents and earthbound systems (dams, quakes, mines and lakes). Charles Perrow and Diane Vaughan underline the crucial role played in major accidents by institutional failure, in other words the role played by deficiencies in the safety culture. Here is how Diane

4

Vaughan put it on page 7 of her interview with Consulting News Line:

Diane Vaughan : ‘’The basic lesson that sociologists bring is that the organization matters. If there are problems, the tendency of corporate or public agency administrators is to blame individuals. However, organization characteristics – cultures, structures, politics, economic resources, their presence or absence, their allocation, put pressure on individuals to behave in deviant ways to achieve organization goals. If you want to fix a problem, you can’t just fire the responsible person. You have to fix the organization, or else the next person to take the job will just experience the same pressures. Like Columbia after Challenger, the harmful behavior persists.’’

Note Diane Vaughan’s words ‘’You have to fix the organization’’. That was the central message that nuclear engineer John Waddington conveyed in his October 2009 article. In section 2.4 entitled ‘’Common factors’’, Waddington referred to the work of Professor James T. Reason who found that human error makes a contribution of approximately 75% to major accidents in the fields of jet transport, air traffic control, maritime vessels, chemical industry, U.S. nuclear power plants, and road transportation. Referring to the discovery of a ‘’near miss’’ nuclear event at the Davis Besse nuclear power plant in Ohio in March 2002, John Waddington wrote the following :

John Waddington : ‘’When a serious accident or a near miss occurs, it usually appears at first that human error on the part of control room operators or maintainers (or pilots in the aviation business) - that is, the people at “the sharp end” of operations - played a large part in causing the accident.

But closer inspection and analysis shows that most of the root causes of the accident arise from failings in the way in which complex technological organisations such as airlines or electrical utilities organize themselves. The errors are still human errors, but they arise from latent weaknesses in the way the organization runs, rather than individual error. The usual term for these weaknesses is “Institutional Failure”. It is this type of failure that provides the greatest contributor to real accidents and near misses.’’

Waddington’s conclusion is so important that we repeat it in bold letters:

‘’The usual term for these weaknesses is “Institutional Failure”. It is this type of failure that provides the greatest contributor to real accidents and near misses.’’

The concept of ‘’institutional failure’’ is what Diane Vaughan called ‘’normalized deviance’’.

In section 3 entitled ‘’The issue for the nuclear industry’’, John Waddington reported that the international nuclear power community has been supporting efforts towards reducing the probability of a severe nuclear accident by at least a factor of ten. He wrote:

John Waddington : ‘’The predicted Core Damage Frequency and the Severe Accident Frequency for new plants are derived from detailed, logical analyses of all the components of a plant using Probabilistic Safety Assessment (PSA) techniques that identify and quantify the effects of all component and system failures. These analyses provide an excellent measure of the failure rate that can be expected of the plant design itself. They do not measure the failure rate of the institution that runs the plant.

5

Although the probability of human error is being built into these analyses on a wider basis as tools and knowledge improve, they do not attempt to capture the broader effects of human errors that arise from organizational deficiencies, i.e. Institutional Failures, as is discussed in a recent CNSI paper on the subject.’’

CSNI is the acronym for the Committee on the Safety of Nuclear Installations, which reports to the Nuclear Energy Agency (NEA) of the Organization for Economic Cooperation and Development (OECD). Note John Waddington’s emphasis on the fact that the much vaunted PSAs (Probabilistic Safety Assessments) do not take into account institutional failure.

When we turn to the Canadian situation we observe that the CNSC has so far denied playing a role in what Waddington and others refer to as ‘’institutional failure’’. As the above-mentioned authors have pointed out, it is clear that institutional denial is not the attitude that will lower the part of institutional failure in the root cause of major accidents. At the CNSC Pickering hearing on May 30th 2013 Greenpeace representative Shawn-Patrick Stensil challenged the CNSC to stop denying the reality and importance of institutional failure as a root cause of major accidents.

In the following sections we will give examples of several documented decisions and assertions by the CNSC that render legitimate our asking the question : is the CNSC exempt from institutional failure ?

-4. Dr Greg Rzentkowski and the one hundredfold reduction of accident probability

In the last week of May 2013 the Canadian Nuclear Safety Commission (CNSC) held a public hearing in Pickering, near Toronto, during which much pertinent information on nuclear accident probability was revealed and intensely debated among CNSC Commissioners and staff, Ontario Power Generation (OPG) staff, and interveners from the public and from various public interest organizations. The transcripts of the CNSC public hearing in Pickering on May 27-31 2013 run over 1200 pages (they can be downloaded from the CNSC web site see at this URL : http://www.nuclearsafety.gc.ca/eng/commission/hearings/documents_browse/date.cfm?dt=29-May-2013 ). The CNSC is rendering the Canadian and American public a great service in organizing public hearings with lots of time for discussions, in having very accurate transcripts produced and in archiving them on its web site.

On the basis of an enormous amount of information that has been produced and accumulated by the CNSC over the years and that is now in the public domain on its web site, one can assert that at least a one hundredfold reduction in the probability of a severe nuclear accident in Canada is required if nuclear power is to meet the level of social acceptability encountered in scheduled commercial jet travel.

This assertion is made on the basis of the Nuclear Safety and Control Act of 1997, and on the basis of a previous Ontario court decision going back to 1996. In a court case concerning the seismic risk to nuclear reactors in Ontario, the Weston Geophysical Corporation (Weston GC) of

6

Westboro, Massachusetts, had been mandated by the Canada Department of Justice counsel to assess the seismic risk relevant to nuclear reactors in Ontario and in New Brunswick. A report by Weston GC for this court case is archived by Natural Resources Canada under ‘’Geological Survey of Canada, Open file 2929’’, dated June 1994 (this file can be found at URL http://geogratis.cgdi.gc.ca/download/part6/ess_pubs/194/194336/of_2929.pdf). In order to judge the social acceptability of earthquake-triggered nuclear accidents Weston GC had chosen to compare the probability of occurrence of a severe nuclear accident with the probability of dying in an airplane crash. We adopt the same criterion of social acceptability. This is a well-defined criterion which presents the advantages of having a precedent in court and of not being subject to change by any of the numerous organizations or firms dealing with nuclear reactors.

At the following URL one can find recent accident statistics on scheduled commercial jet flights:

http://planecrashinfo.com/cause.htm the information source being :

OAG Aviation & PlaneCrashInfo.com accident database, 20 years of data (1993 - 2012)

In this data base one reads that the odds of being killed on a single airline flight for the 78 major airlines in the world is one chance in 4.7 million, which we can round off to one in five million per flight. For a fairly frequent flyer who boards five scheduled airline flights per year the probability of dying is one chance in one million per year, or 10 to the minus 6 per year (0.0001% per year). That level of fatal accident probability is accepted by the great majority of the population.

This fatal aviation fatality probability has been steadily decreasing over the years, in great part because agencies such as the National Transport Safety Board (NTSB) in the USA have been doing an outstanding job at finding the root causes of airplane crashes, and at making well-documented recommendations to improve air transport safety. The NTSB excels in many ways, one of them being transparency, the opposite of what Diane Vaughan called ‘’structural secrecy’’, an element of institutional failure. The NTSB is constantly featured on the Mayday television series in a very positive way.

Dr Duguay’s simple calculation. Coming to severe nuclear reactor accidents with core damage, the CNSC enforces for each reactor a safety limit of 10 to the minus 4 per year, which means a 0.01%, or one chance in 10 000, annual probability of occurrence of an accident with severe core damage. One must realize that severe core damage means that the power plant will be permanently shut down, and that there will be some quantity of radioactive elements released into the environment. If we consider a single reactor the probability ratio of nuclear core damage to fairly frequent flyer death is 100 to 1. The deviation from social acceptability for the probability of severe nuclear accidents is therefore a factor of one hundred.

That one hundred to one probability ratio would apply to the single reactor at Point Lepreau in New Brunswick. In the Toronto area, however, there are 10 reactors in operation, four in Darlington and six in Pickering. The probability of a severe nuclear accident with core damage is multiplied by 10, and the deviation from social acceptability is therefore a factor of one thousand for the Toronto area.

In our April 11th letter we had underlined former federal nuclear employee John Waddington’s advocacy of a tenfold reduction in the probability of a severe nuclear accident. But a surprise was waiting for us at the CNSC Pickering public hearing at the end of May 2013, a hearing that

7

dealt with the proposal by OPG to prolong the service life of the four Pickering B reactors substantially beyond the original design life of 210 000 equivalent hours of operation at full power. OPG now wants to operate them up to 247 000 hours, i.e. five years more than the originally planned 30-year figure. At the May 2013 Pickering hearing Dr Greg Rzentkowski, CNSC Director General, directorate of nuclear power reactors, admitted that the simple calculation described above gave a probability of a severe nuclear accident which in his view is high. But Dr Rzentkowski had a surprise for us : he countered the simple calculation by a new way of calculating the severe accident probability that lowers this number one hundredfold and possibly one thousandfold, at least on paper.

We critically examine Dr Rzentkowski’s new way. After alluding on page 31 to the October 2009 paper by John Waddington Dr Greg Rzentkowski said the following on page 35 of the Pickering transcripts for May 30th :

Dr Greg Rzentkowski : ‘’To summarize, Professor Duguay estimated that over the next 30 years the probability of reactor core damage accident in the Toronto area is 3 percent. Not a small number as he says and I agree.

However, as I explained the probability of core damage is in fact 100 times lower. That is once in about 3,000 years. And the probability of an accident leading to limited radiological releases is about 1,000 times lower, that is once in about 30,000 years. It has to be recognized that these numbers are just an approximation. ’’

Let us have a critical look at the three factors of ten which once multiplied allegedly result in a one-thousandfold reduction in the severe nuclear accident probability. On page 34 Dr Rzentkowski explains that one factor of ten would come from post-Fukushima improvements now required by the CNSC and another factor of ten would come from using the safety goal target figure (10 to the minus 5) instead of the safety limit figure (10 to the minus 4) used by Duguay.

Dr Greg Rzentkowski’s wish to lower the accident probability is most welcome, but his method leaves much to be desired. It would not be prudent to use the ‘’safety goal target ’’ figure of ten to the minus 5 per year, because it is not mandatory, as noted by Dr Rzentkowski himself on pages 31 and 32 of the Pickering hearing transcript for May 30 th 2013. It is more prudent to use the 0.01% (10 to the minus 4 per year) ‘’safety limit‘’ figure, which is ‘’absolutely mandatory’’ with the CNSC (see p. 31). These probability numbers and policies have been described in a recent presentation by Dr Greg Rzentkowski, Dr Yolande Akl and S. Yalaoui of the CNSC at the 34th Annual Congress of the Canadian Nuclear Society in Toronto, June 9-12 2013, entitled ‘’Application of Probabilistic Safety Goals to Regulation of Nuclear Power Plants in Canada’’ (see attachment 4).

As for the factor of ten allegedly coming from post-Fukushima safety improvements, Dr Greg Rzentkowski was contradicted at the Pickering hearing by OPG’s Chief Nuclear Engineer Mark Elliott. Following the presentation of Shawn-Patick Stensil of Greenpeace, Mark Elliott asserted the following on page 309 (the acronym PRA stands for Probabilistic Risk Assessment, which is the same as the Probabilistic Risk Assessment (PSA) mentioned earlier) :

Mark Elliott : ‘’One of the things I want to mention is that we haven’t -- in this PRA, we haven’t taken any credit for the Fukushima equipment. And we did that on purpose, actually, at my direction.

8

And what I wanted to make sure is that the engineered features of the plant were assessed and that we -- did we meet our safety goals or not with the plant, the way it’s designed, and the answer was yes. So the plant is safe the way it’s designed now, meets our safety goals.’’

On page 310 Mark Elliott went on to say the following, alluding to the alleged tenfold probability reduction due to post-Fukushima equipment :

Mark Elliott : ‘’Yes, it’s been estimated as a tenfold reduction, but we agree with that because there’s time -- we talked about times today. There’s time to implement, so that’s why we believe there will be a significant impact on safety.

But I didn’t want to put it into the numbers because we don’t know exactly what the event is that will cause us to use that equipment. We don’t know the exact sequence. I wanted to keep it separate.

So bottom line, we meet the safety goals as is and we have the Fukushima equipment separate.’’

The last but one paragraph is crucial : ‘’But I didn’t want to put it into the numbers because we don’t know exactly what the event is that will cause us to use that equipment. We don’t know the exact sequence.’’ We can appreciate Mark Elliott’s prudence in not buying entirely into the allegedly tenfold factor credited to post-Fukushima equipment and also his candidness towards the unpredictability of potential nuclear accidents.

John Waddington, in his October 2009 paper, had an even more convincing argument to be skeptical of post-Fukushima add-on equipment allegedly reducing tenfold the probability of a severe nuclear accident with core damage. John Waddington noted that the contribution of human error to major accidents is estimated to be 70% or more by Professor James Reason and by others as well. This means that 30% is due to malfunctioning equipment. The 70% part includes both individual and institutional failure. Since Dr Rzentkowski, as well as several top managers at the CNSC, deny the role of institutional failure, we may have difficulty in believing that they will modify the nuclear regulatory structure in order to lower substantially the severe nuclear accident probability . We can ask the question : is this CNSC denial another alarm signal about deficiencies in safety culture in nuclear regulation ?

The third factor of ten that Dr Rzentkowski invoked on page 35 of the May 29th Pickering transcript comes from his belief that a severe nuclear core damage accident will be well mitigated by the reactor’s containment and emergency cooling so that only one such accident in ten will lead to a large release of radioactive elements into the environment. However, if a person in Toronto is worried about small releases of radioactive elements he/she will carefully weigh the following statement by Rzentkowski, Akl and Yalaoui in their June 2013 presentation mentioned above:

‘’ In CANDU reactors, some accident scenarios may result in limited core damage, leading to small releases but which can result in severe disruption of public life. These accidents require emergency measures such as sheltering or short term evacuation of an area around the plant. This concern is covered by the Small Release Frequency (SRF) goal.

CNSC staff decided that the small release frequency should be identical to the core damage

9

frequency, as shown in Table 1 below, as both events are characterized with the release that would likely trigger evacuation. ’’

For people worried about severe nuclear core accidents leading to a small release of radioactive elements Dr Rzentkowski’s third factor of ten disappears. With all three alleged factors of ten prudently taken away, Dr Rzentkowski’s calculation becomes the same as Duguay’s simple calculation which gives a 3% probability for one of 10 reactors over a period of 30 years to have a severe nuclear accident with core damage in the greater Toronto area.

At the Pickering hearing on May 30th 2013 Dr Greg Rzentkowski’s final words on nuclear accident probabilities dealt with the dice throw analogy first proposed by mathematician Dr Gordon Edwards and used several times by Dr Michel Duguay in CNSC hearings. Suppose that we adopt the 10 to the minus 4 per year (0.01% per year) probability of a severe nuclear accident for a given reactor. For a reactor in operation during a total of 46 years (as a refurbishment might allow in practice) the probability of a severe nuclear accident over this extended period would be 0.46%. Dr Gordon Edwards, who has taught mathematics for decades, thought that such a probability can be illustrated by the single throw of three dice, a game offered in some casinos. The probability of obtaining three sixes on a single throw of three dice is 1/6 to the third power, that is 0.46%.

On pages 36 and 37 Dr Greg Rzentkowski also went into the analogy with dice and asserted the following (directly from the May 30th transcript, we did not correct the spelling error):

Dr Rzentkowski : ‘’ And just to complete this analogy, a single throw of nine dices giving nine sixes would approximately be equivalent to an accident leading to radiological releases in Toronto area. This is a very, very small probability. ‘’

Our reply. The probability of getting nine sixes on a single throw of nine dice is 1/6 to the ninth power which is 0.99 x 10 to the minus 7, which we round off to 10 to the minus 7. How does that compare with Dr Rzentkowski’s other statements ? Earlier he asserted that Dr Duguay’s 3% (3 x 10 to the minus 2) probability for the ten reactors near Toronto should be reduced by one thousand. That would give 3 x 10 to the minus 5, a number which is 300 times larger than the ‘’very, very small probability’’ corresponding to Dr Rzentkowski’s throw of nine dice; a factor of 300 is a large deviation. It is legitimate to ask : Are we seeing here the kind of deviation that Professor Diane Vaughan has discussed in her book ?

-5. Questions regarding alarm signals in the Canadian nuclear power establishment

All authors mentioned earlier, who have carefully studied the root causes of major accidents, have observed that accidents are often in preparation over a long period of time. Alarm signals appear well ahead of an accident, but when the safety culture is lacking, these warnings are ignored.

The CNSC has held a very large number of public hearings and meetings with private firms, and it has carried out a large number of studies, often in collaboration with the private sector. The

1

most recent annual conference of the Canadian Nuclear Society (CNS) had a web site hosted by the CNSC at this URL http://conf2013.cns-snc.ca/media/uploads/2013-program.pdf?27 and at URL http://conf2013.cns-snc.ca/media/uploads/2013-Technical_Program.pdf . (See attachment 7 for contributions to the Pickering hearing by Shawn-Patrick Stensil, Arnie Gundersen, Chris Rouse, Gordon Edwards, and Michel Duguay).

The CNSC and Canadian electro-nuclear firms appear to form a well-integrated community, which in addition is very well connected with international nuclear organizations. Given the enormous complexity of nuclear reactor technology and the multiple linkages between the CNSC and various firms with a strong nuclear interest, one could prudently expect that the nuclear safety culture is subject to the social phenomena described by all authors mentioned earlier in connection with severe nuclear accidents.

In order to improve the nuclear safety culture in Canada and to dramatically reduce the probability of a severe nuclear accident, a critical re-examination and reforms are needed along the lines suggested by nuclear engineer John Waddington and by other independent persons in Canada and abroad. Just as in the railroad case mentioned earlier, political will is what is most needed. We therefore raise a number of questions here below that will hopefully contribute to an increased awareness of nuclear risk in Canada and in the neighboring American States. Given a severe nuclear accident with release of radioactive elements in Ontario, Québec, New Brunswick, and in the adjacent American States, economic losses would most likely affect large populations on both sides of the border.

The questions here below reflect the deficiencies in safety culture that have been pointed out by many persons in and out of the nuclear establishment.

Question 1 : Design problems with Gentilly-1

Gentilly-1 was the first CANDU nuclear reactor put in operation in Bécancour, Québec, in 1971. In 1977, having operated for only 180 days because of dangerous instabilities, Gentilly-1 was permanently shut down. In its historical review of Canadian nuclear history in 2010 the Canadian Nuclear Association wrote the following about Gentilly-1 :

‘’Built and owned by AECL and operated by Hydro-Québec staff, the reactor had design and operational problems and was not economical.’’

Has the CNSC ever explained to the public, and to elected officials, what the ‘’design problems’’ were with Gentilly-1 and whether these problems also affect currently operating reactors ?

Professor Duguay has been unable to obtain a report from the CNSC that would tell what went wrong with Gentilly-1, more than 35 years after its permanent shutdown. Question : Does that reflect transparency in nuclear regulation in Canada ?

Question 2 : Seven reactors shut down in Ontario in 1997

In 1996, Allan Kupcis, chairman of Ontario Hydro, invited American nuclear engineer Carl Andognini and his team to review the nuclear power situation in Ontario. Following Andognini’s recommendation seven of Ontario’s 20 nuclear reactors were shut down in 1997 for later refurbishment, well ahead of the end of their originally planned 30-year service life.

1

Has the CNSC explained to the public, and to elected officials, what happened, and has it done so in an objective and scientific way in full respect of Article 9 of the Nuclear Safety and Control Act of 1997 ?

Question 3 : On April 7th 2008 the CNSC rejected OPG’s safety report and pointed out numerous problems with CANDU technology; has the CNSC informed the public about the outcome?

On April 7th 2008 T.E. Schaubel, CNSC’s Director, Pickering Regulatory program Division, addressed a letter to Ontario Power Generation (OPG) Senior Vice President D. Patrick McNeil in which he explained why CNSC staff could not at that time recommend acceptance of the Safety Analysis Safety Factors Report submitted earlier by OPG (Schaubel’s letter is identified as E-DOCS # 3232348 / 2.01 at the CNSC) . This report is part of the crucial Integrated Safety Review (ISR) whose acceptance by the CNSC is mandatory before refurbishment activities can be approved. At that time OPG was in the early planning stage for Pickering B refurbishment. Two years later, in February 2010, OPG announced their decision not to refurbish the four Pickering B reactors and instead to invest funds for improvements that would allow operation for a few more years. OPG’s official reason not to refurbish was that it judged this operation to be uneconomic. But there were also the many safety issues plaguing CANDU technology brought up in Schaubel’s letter and in other CNSC documentation.

CNSC Director T.E. Schaubel’s letter included a 48-page Attachment 1 that was highly critical of OPG’s incomplete mastery of CANDU technology and that described several technical safety issues afflicting CANDU technology. Moreover, deficiencies in physics models and simulation software used by OPG were also pointed out. Where Professor Diane Vaughan uses the word ‘’deviation’’ when some component, device or operational procedure does not meet technical requirements, CNSC staff use the word ‘’Discrepancy’’. This word ‘’Discrepancy’’ appears 40 times in the 48-page Attachment 1, a clear indication of the large number of technical and organizational difficulties at play in 2008 at the Pickering B nuclear power plant. The expression ‘’pipe rupture’’ or ‘’tube rupture’’ appears five times, an issue that we deal with below.

Several other reports by the CNSC have described many safety issues that plague CANDU technology. An important one is the 268-page August 2009 report entitled ‘’Application of the CNSC Risk-informed Decision Making process to Category 3 CANDU Safety Issues’’ and identified as E-Doc # 3413831. This report starts with an ‘’Executive Summary’’ whose first paragraph introduces the topic thus :

CNSC : ‘’Regulatory and industry experience with operating CANDU reactors has led to the identification of several generic Safety Issues. Despite continuing efforts directed at ensuring and enhancing safety of operating plants, these Safety Issues remain at various stages of resolution.’’

This voluminous August 2009 report describes sixteen so-named Category 3 safety issues which are potentially risk-significant. Has the CNSC explained to the public, and to elected officials, how these safety problems have been solved, or have not been solved, in an objective and scientific way in full respect of Article 9 of the Nuclear Safety and Control Act of 1997 ?

Question 4 : In June 2011 why did the CNSC grant Hydro-Québec permission to refurbish Gentilly-2 and operate it until June 2016 without having in hand Hydro-Québec’s Safety

1

Analysis Report which is normally a regulatory requirement ?

On June 29th 2011, four months after the Fukushima nuclear catastrophe, the CNSC published the following announcement (only the first paragraph appears below, the full text is at URL

http://www.nuclearsafety.gc.ca/eng/mediacentre/releases/news_release.cfm?news_release_id=386

‘’CNSC : ‘’FOR IMMEDIATE RELEASEJune 29, 2011

The Canadian Nuclear Safety Commission (CNSC) announced today its decision to renew for a five-year period the operating licence issued to Hydro-Québec for its Gentilly-2 nuclear generating station, and to merge it with its waste management facility operating licence. The merged licence will be valid from July 1, 2011 to June 30, 2016, and provides for the refurbishment of the nuclear generating station, if Hydro-Québec decides to proceed with the refurbishment project during this period. ‘’

A prudent person could object to the fact that in June 2011 the CNSC granted Hydro-Québec authorization to refurbish and to operate Gentilly-2 until June 2016, without having in hand the Safety Analysis Report (also referred to as the Integrated Safety Report) that Hydro-Québec was initially expected to deliver in December 2010, i.e. six months prior to the CNSC decision. This comprehensive safety report is a CNSC formal regulatory requirement.

In his testimony at the Gentilly-2 CNSC hearing on April 14th 2011, Professor Michel Duguay had objected to the fact that CNSC staff had recommended in December 2010 approval of Gentilly-2 refurbishment without having the Safety Analysis Report (Integrated Safety Report) and without there being solutions to several outstanding technical problems with CANDU nuclear reactors, these solutions being at that time (December 2010) promised for year 2013. On April 14h 2011 Duguay complained about ‘’time reversal’’ in the decision process at the CNSC, approval being given before solutions to problems have been found and tested.

On June 29th the CNSC had a defensive tactic ready to counter Professor Duguay’s time reversal complaint. Here is the CNSC document that came out in July 2011 giving the details of the CNSC decision. The original French is given first, the translation follows.

« Compte Rendu des délibérations, y compris les motifs de décision »

Paragraphe 8 : «La Commission s’attend fortement qu’Hydro-Québec commence les activités de réfection aussitôt que possible, si elle est décidée à s’engager dans cette voie.»

Paragraphe 18 : «Par conséquent, conformément à l’article 7 de la Loi sur la sûreté et la réglementation nucléaires, la Commission soustrait Hydro-Québec à l’application de la clause 6.4.4 de la norme S-99, Rapport à soumettre par les exploitants de centrales nucléaires, citée à la condition 4.6 du permis d’exploitation de la centrale nucléaire de Gentilly-2, jusqu’au 31 décembre 2011.

La Commission n’acceptera pas d’autres délais pour la soumission de ce rapport, car elle estime qu’elle a accordé à Hydro-Québec suffisamment de temps pour rédiger ce document. »

Translation : Paragraph 8 : ‘’The Commission strongly expects that Hydro-Quebec will start the

1

refurbishment activities as soon as possible, if that is the option that it chooses.’’

Paragraph 18 : ‘’Consequently, in accordance with Article 7 of the Nuclear Safety and Control Act, the Commission exempts Hydro-Québec from the enforcement of clause 6.4.4 of the S-99 regulatory document, namely the Report to be submitted by the nuclear power plant owner, this clause being linked to condition 4.6 of the operational licence for the Gentilly-2 nuclear power plant, until December 31st 2011.

The Commission will not accept any further delay in the submission of this report, for it is of the opinion that Hydro-Québec has been granted enough time to write this document.’’

In order to understand the CNSC’s defensive argument, namely invoking Article 7 of the Nuclear Safety and Control Act (NSCA) of 1997 is the following, one can read it here below :

NSCA, Article 7. ‘’The Commission may, in accordance with the regulations, exempt any activity, person, class of person or quantity of a nuclear substance, temporarily or permanently, from the application of this Act or the regulations or any provision thereof.’’

This defensive tactic employed by the CNSC may be legal. However a prudent person could question the contribution of such an exemption to the safety culture and to lowering the probability of a severe nuclear accident.

In addition, one may ask if Article 7 allows the CNSC to exempt itself from respecting fully Article 9 of the Nuclear Safety and Control Act of 1997 ? If so, it could explain why the CNSC has repeatedly refused to answer many questions that we have asked over the last four years.

To summarize, in June 2011, well before the lessons from the Fukushima nuclear catastrophe had been learned, let alone applied to planned refurbishment activities, the CNSC exempted Hydro-Québec from the Integrated Safety Report, a very demanding document that would show whether Hydro-Québec sufficiently mastered the proposed refurbishment project for Gentilly-2 in order to bring the refurbished reactor to modern nuclear safety standards, a very tall order, especially after Fukushima. Hydro-Québec finally delivered its Integrated Safety Report to the CNSC in December 2011, two years later than originally planned. In September 2012, after the new Parti Québécois government announced its intention to shut down permanently Gentilly-2 at the end of December 2012, the CNSC stopped its ongoing evaluation of Hydro-Québec’s report.

The CNSC has yet to publish its analysis of Hydro-Québec’s safety report. An important piece of information came out on January 30th 2013, when CNSC Executive Vice-President Ramzi Jammal made a presentation on nuclear regulatory matters for Gentilly-2 in a Commission parlementaire in the Québec Parliament building. This multiparty Commission parlementaire discussed the end of service life for Gentilly-2, which took place in December 2012, and its consequences for the regional economy.

During the question period, M. Daniel Breton, deputy of Sainte-Marie/Saint-Jacques, asked Mr. Ramzi Jammal the following question :

Daniel Breton : ‘’Est-ce qu'en 2011 vous aviez tous les documents nécessaires pour autoriser les activités reliées à la réfection? ‘’

1

Translation : ‘’In 2011 did you have all the documents that were needed in order to authorize the refurbishment ? ‘’

Mr Ramzi Jammal answered the following in French :

Ramzi Jammal : «Je voudrais préciser quelque chose. Ça veut dire que c'est pour préparer pour la réfection, le détenteur du permis doit effectuer des analyses physiques de la centrale. Alors, quand on est autorisé dans ce permis à effectuer les travaux liés à la réfection, ça veut dire qu'il... selon ce que la commission et le personnel de la commission a eu comme analyses de sûreté, ils peuvent, comme j'ai déjà mentionné, améliorer le système qui se trouve dans le réacteur. Alors, sans embarquer dans le détail ou bien dans les détails techniques, il était capable à effectuer des améliorations, O.K., qui peuvent aider vers la réfection. C'est jamais être un permis à effectuer la réfection au complet.»

Translation, Ramzi Jammal : ‘’I want to clarify something. This means that in preparing for refurbishment, the permit holder must perform an analysis of the physics involved in the nuclear power plant. So when one is allowed under this permit to perform work related to refurbishment, this means that they, ... depending on what the Commission and the CNSC staff have had in terms of a safety analysis, they can, as I have already mentioned, improve the system that is in the reactor. So, without embarking into detail or into the technical details, they were able to make improvements, OK, that will help the work towards refurbishment. It was never a permit to carry out completely the refurbishment.’’

Mr Ramzi Jammal’s bottom line is very instructive : ‘’It was never a permit to carry out completely the refurbishment.’’ One may legitimately ask : Doesn’t this statement contradict the CNSC’s June 29th 2011 announcement ? Wouldn’t a member of the public, and an elected official, think that the CNSC had approved in June 2011 Hydro-Québec’s blueprint for the refurbishment of Gentilly-2?

One more related question : In paragraph 8 of the July 2011 CNSC Decision document, why did the CNSC urge Hydro-Québec ‘’to start the refurbishment activities as soon as possible’’ ?

Every person following technical nuclear issues knows that following the Fukushima nuclear catastrophe in March 2011 the international nuclear energy community has been trying to learn the important lessons from Fukushima in order to dramatically lower the risk of a severe nuclear accident. Why in July 2011 was the CNSC urging Hydro-Québec to rapidly move into refurbishment before the lessons from Fukushima had been learned and integrated into refurbishment plans ? The CNSC was itself at that time working on the Fukushima lessons. Did the CNSC have in mind that an accelerated refurbishment planning at Hydro-Québec would be exempted from new post-Fukushima safety guidelines by appealing to Article 7 of the Nuclear Safety and Control Act of 1997 ?

One may legitimately ask : In a democracy, how can the need to know be respected if objective scientific information on high-technology projects is not given out by the CNSC, as Article 9 of the Nuclear Safety and Control Act of 1997 clearly stipulates ? Article 9 (see attachment 5) stipulates that the probability of a nuclear accident be at the level of socially acceptability. How can the public judge if it is acceptable if the relevant information is not conveyed in an objective and scientific manner ?

1

Question 5 : Pressure pipe degradation, wall-thinning.

During the Pickering hearing on May 30th 2013, following Professor Duguay’s presentation, Commissioner André Harvey picked up on the troubling problem of pressure tube wall-thinning in CANDU reactors. This problem was addressed by CNSC staff members John C. Jin, Raoul Awad and Thomas Viglasky in a paper given at a technical conference in Toronto in August 2007 (see Transactions, SMiRT 19, Toronto, August 2007 Paper # D02/3, SMiRT stands for Structural Mechanics in Reactor Technology). Their paper (see attachment 5) was entitled ‘’Fitness for service assessment of degraded CANDU feeder piping – Canadian regulatory expectations’’. (See attachment 6).

The second paragraph of the article by authors Jin, Awad and Viglasky is entitled ‘’Flow Accelerated Corrosion (FAC) Wall Thinning’’. FAC is a physico-chemical phenomenon whereby a fast flowing liquid, heavy water in the present case, eats away metal on the inner surface of a pipe or tube. The phenomenon is not completely understood. In the first line of this paragraph the CNSC authors assert the following :

Jin, Awad, Viglasky : ‘’Virtually all outlet feeder pipes at all CANDU plants are experiencing pipe wall thinning due to the FAC at a rate much higher than design allowance.’’

The danger presented by wall-thinning is stated at the end of this paragraph, which reads :

Jin, Awad, Viglasky : ‘’Several feeder pipes have been replaced when their wall thicknesses fell below pre-established minimum thickness criteria. Nevertheless, regulatory staff believes that on-power failure of a thinned feeder pipe cannot be ruled-out. In particular, the staff’s major concern is that, in the absence of an adequate ageing management program, the ultimate failure mode of thinned feeder pipe would be sudden rupture without adequate prior warning by leakage, as has been known to occur in real-world cases.’’

In section III of their paper these authors wrote the following:

Jin, Awad, Viglasky : ‘’ General

Although rupture of single feeder pipe falls within the envelope of design basis accidents considered in Safety Analyses for Canadian CANDU plants, the regulatory staff remains concerned about consequential effects, such as the potential for damage to other core components and the release of radioactivity to the public. Key factors contributing to this

concern are current limitations in both our understanding of feeder pipe degradation mechanisms and in-service inspection capability. It is the regulator’s view that reliable assessment of fitness for service of flawed components requires the integration of different aspects from several different disciplines; for example: a mechanistic understanding of degradation, material behavior, principles of engineering structural evaluation, NDE technology and so on. The limited knowledge regarding the causes of the degradation may lead to susceptible areas that are not inspected. Accordingly, regulatory staff has insisted that inspection planning and structural integrity assessments should take into account of these limitations in a conservative way. In practical terms, this means that regulatory staff allows a utility to continue operating degraded feeder pipes only when they provide a conservative engineering evaluation of the observed degradation, and commit to an expanded inspection scope to identify other feeders with similar or potentially more severe degradation.’’

1

We draw the reader’s attention to these two concerns in the context of a pressure tube rupture : -1 ‘’the potential for damage to other core components’’;

and -2 ‘’Key factors contributing to this concern are current limitations in both our understanding of feeder pipe degradation mechanisms and in-service inspection capability.’’

The first concern includes damage to the tubes holding the neutron-absorbing rods. Damage to these tubes could prevent lowering one or more of these rods to stop the nuclear fission chain reaction. In the absence of a complete shutdown overheating could take place, possibly leading to a partial core meltdown.

The second concern is vital in order to evaluate OPG’s Chief Nuclear Engineer Mark Elliott’s remarks here below.

In order to assess the risk presented by high-pressure feeder pipe ruptures, one must first recall that there is a total of approximately six kilometers of high-pressure pipes or tubes in a CANDU nuclear reactor. A pipe rupture leads to a loss of coolant accident (LOCA), an event most dreaded by nuclear reactor operators. If an earthquake, or an airplane crash, would cause the sudden rupture of several pipes a large LOCA could result.

Upon detecting a sudden LOCA the reactor control system will lower neutron-absorbing rods into the reactor core and shut down the nuclear fission process within two seconds. About 100 megawatts of thermal power, however, will continue to be generated by the radioactive fission products in the reactor core. Broken pipes would hinder cooling and could seriously aggravate a LOCA event. During such an event the challenge would be to prevent the accident from evolving into a core meltdown situation.

During the CNSC Pickering hearing, after Professor Duguay’s presentation on May 30 th, Commissioner André Harvey brought up the question of pressure tube corrosion and wall thinning (see page 45). On page 46 the Chairman, Dr Michael Binder, said the following:

Dr Michael Binder : ‘’We assume that OPG would make a kind of short reply to the thinning of the walls ?’’

OPG Chief Nuclear Engineer Mark Elliott said the following on page 47 of the May 30 th transcript :

Mark Elliott : ‘’The pressure tubes, when they're first installed, are 4.2 millimetres thick. They do thin a little bit towards the end of life and the thickness at the end of life -- 247,000, you know, 2020 -- would be 3.87 millimetres; but the design limit is 3.69.

So this is just another example of where there is ageing going on. We're monitoring it closely. We've projected where we believe it'll be and it's within design limits.

But we're going to continue to check. So on every outage, we'll continue to go back and check that this prediction that I've just given is true and maintains -- maintains its credibility all the way through.

So we will not stop inspecting and every outage, we will verify that we're safe.’’

1

Commissioner André Harvey then asked Mark Elliott the following question:

ANDRÉ HARVEY: ‘’What percentage of all those tubes are you checking?’’

OPG’s Mark Elliott did not answer directly but instead said this (see page 48) :

‘’And then, from then on, it's kind of a statistical approach where we continue to sample all the

-- not all of them but a large number to get a statistically sound basis for continued operation.’’

Dr Greg Rzentkowski then intervened and said this (p.48) :

DR. RZENTKOWSKI: ‘’Greg Rzentkowski, for the record.

I would like to make a last comment on this aspect of thinning of the pressure tubes.

It is very important to understand that the design limit is about 30 percent higher than the operating limit. There's a significant safety margin built in.’’

We note that Mark Elliott did not give a direct answer to Commissioner Harvey on the percentage of pressure tubes that are inspected during a reactor outage. On page 48 Mark Elliott described OPG’s sampling approach aimed at giving a ‘’statistically sound basis for continued operation’’.

Question : why didn’t Mark Elliott give the actual percentage of high-pressure tubes that are inspected during outages ? There are uncertainties in these inspection measurements, as pointed out by Jin, Awad and Viglasky, so that one can only have a limited level of confidence that these inspected tubes will last another five years. But what level of confidence can we have about the tubes that are not inspected ?

As far as wall thinning is concerned we see from Mark Elliott’s figures that the initial 4.2 millimeters will have thinned down to 3.87 mm after 247 000 hours of operation, leaving a 0.18 mm safety margin at the end. Dr Greg Rzentkowski added that the ‘’design limit is about 30% higher than the operating limit. There is a significant safety margin built in.’’ 30% of 4.2 mm is 1.2 mm, which Dr Rzentkowski calls a ‘’safety margin’’.

While Mark Elliott and Dr Greg Rzentkowski seem to be satisfied with ‘’safety margins’’ of 0.18 millimeter (that is 180 microns, the thickness of two sheets of paper) and 1.2 + 0.18 = 1.38 mm, we might look at what John Waddington thought in his October 2009 article about the necessary steel thickness to hold off a 100-atmosphere pressure. In section 2.3 of his October 2009 article John Waddington discussed the near-miss nuclear accident that was discovered in March 2002 at the Davis Besse nuclear power plant in Ohio. He wrote :

John Waddington : ‘’On inspection, it was found that the material of the reactor vessel head immediately adjacent to the nozzle had disappeared over a 20- 30 sq inch surface area, leaving a cavity that went through the full thickness of the PRV head. Only the 3/8-inch thick stainless steel cladding on the inside surface remained to provide the pressure boundary - a very thin membrane indeed that was preventing a major, unanalyzed, loss of coolant accident, and possibly a control rod ejection accident.’’

1

The PRV acronym stands for ‘’reactor pressure vessel’’, which typically has a thickness of 200 millimeters and holds off the 100-atmosphere pressure difference between the reactor core and the ambient atmosphere. The 3/8 of an inch is 9.5 millimeters, which is more than twice the 3.87 mm thickness that OPG seems to be willing to accept as ‘’safe’’. American nuclear safety specialists thought that the reduction of the pressure boundary thickness to 9.5 mm was a state of affairs at Davis Besse that could have led to its sudden rupture and to a severe nuclear accident.

Not only is a 3.87 mm carbon steel thickness somewhat worrisome in view of the many uncertainties about corrosion and microcracks pointed out by CNSC staff members Jin, Awad and Viglasky, but one has to remember that the CANDU nuclear reactor has about six kilometers of high-pressure tubing. As Mark Elliott testified, only a fraction of these six kilometers is inspected during outages, and furthermore Jin, Awad and Viglasky pointed out uncertainties associated with these inspections in their August 2007 paper. The following question is legitimate: do the six kilometers of high-pressure tubing in a CANDU reactor constitute a design weakness ?

Question 6 : Nine-dice throw versus a one-die throw ?

During the CNSC public hearing for the refurbishment of the Darlington nuclear power plant in Courtice on December 2-6, Professor Michel Duguay reported his calculation of the probability of a severe nuclear accident with core damage in the Toronto area as being 100 times higher than for a frequent flyer the probability of dying in an airplane crash. Professor Duguay based his calculation on empirical observations of nuclear core meltdowns at Three Mile Island in 1979, at Chernobyl in 1986 and in Fukushima in March 2011 (three core meltdowns in the latter case). With 15 000 reactor-years of accumulated nuclear reactor operation worldwide (about 430 reactors times 35 years), and five meltdowns, the empirical probability of a core meltdown is 5/15 000, i.e. one meltdown per 3000 reactor-years. If 10 reactors will continue to operate in Toronto for 30 years, that would give 300 reactor-years of operation. Since 300/3000 is equal to 0.1, the empirical prediction is 10% that a severe nuclear accident will take place in the greater Toronto area over a period of 30 years.

Using official CNSC numbers, i.e. a 0.01% annual probability of a severe accident for one reactor, 0.1% per year for 10 reactors, we get 3% over 30 years. At the CNSC hearing In Courtice on December 6th 2012 Professor Duguay chose to compare this to the probability of obtaining two sixes on the single throw of two dice, which is 2.77%.

After Professor Duguay’s presentation CNSC staff member Dr Yolande Akl was given the microphone. She spoke for a long time, but it’s important to read what she said :

Ms. Yolande AKL : ‘’Good afternoon; Yolande Akl, Director of the Probabilistic Safety Assessment and Liability Division. I would like first to start with CNSC -- to say that CNSC staff disagree with this gaming analogy that the intervenor is using. And actually on Tuesday there was another intervenor, a mathematician that supports my opinion, or my statement. It is a wrong application of statistical inference. Comparison with dice is not appropriate in this case because with the dice we know exactly what the outcome is going to be and we also can repeat the experience many, many times infinitely.

So why we cannot use it for reactors. First, we don’t have enough statistical data to obtain a representative set of data. This calculation that was presented today is called The Frequentist

1

Approach, which is only applied when the events are repeated infinitely such as flipping a coin or rolling dice. Suppose that we flip a coin, I will just give an example, 10 times and we had 8 heads. Can we say that the probability of having a head is 80 percent? Of course not.

Now, we go to another difference with dice; that the nuclear power plants that are in the example that the intervenor presented are different design, different types, they were constructed in different years, they have different safety systems, they have different operation conditions, different environment, different safety culture, and different location. For example, let’s suppose we want to know the probability of a hockey stick breaking. Is it right to overlook its size, its brand, the material it is made of? Is it made of plastic, wood, composite? If we just count the number of breaking, what is the value of the number we are going to get?

Thirdly, these accidents are all from different causes. This is a fundamental misuse of statistics. Comparison with dice is not appropriate as I explained because, once more, the dice, we know, have a number of outcomes that is infinite -- definite we know. The experience can be repeated infinitely, but for earthquakes, we are less certain of when they will occur and when these events will happen. They can happen tomorrow or they can never happen in the lifetime of the reactor. Thank you.

MR. DUGUAY : May I reply?

THE CHAIRMAN: ‘’Please.’’

MR. DUGUAY: ‘’So let’s assume my calculation is not to your taste, what is your calculated probability that a core meltdown will occur in a Toronto area over the next 30 years; what is your estimated probability? ‘’

MS. AKL: ‘’The probabilistic safety assessment is not made for predicting. We are not predicting when the next accident --- ‘’

There are three important points to draw out from Dr Yolande Akl’s intervention in Courtice on December 6th 2012 :

-1. As is often the case the CNSC refuses to give an objective answer; in spite of her job title ‘’Director of the Probabilistic Safety Assessment and Liability Division’’ Dr Yolande Akl refused to give a probability estimate for a severe nuclear accident in the greater Toronto area over a 30-year period. An opportunity to respect article 9 of the Nuclear Safety and Control Act of 1997 was not taken.

-2. The U.S. National Transport Safety Board (NTSB) keeps statistics of airplane crashes despite the fact that there are many types of airplane designs. In spite of the fact that CANDU reactors have several features that are different from those of other nuclear reactors in the world, they have the same fundamental physics features. Interveners Michel Duguay and Shawn-Patrick Stensil of Greenpeace have used the world statistics on nuclear reactor meltdowns as empirical evidence. Empirical observation is a key component of modern science.

-3. The single two-dice and the single three-dice throws have been used by mathematician Dr Gordon Edwards and by nuclear physicist Dr Michel Duguay as an illustration of 2.77% and 0.46% probabilities, respectively. Dr Duguay never claimed that the statistics of dice can be used to calculate nuclear reactor accident probabilities.

2

It is interesting to note that six months after the Courtice hearing in December 2012, Dr Greg Rzentkowski himself used an analogy with the throw of nine dice, that we discussed earlier. Dr Rzentkowski’s nine-dice throw gives a 10 to the minus 7 annual probability of a severe nuclear accident. This one chance in ten million per year for a nuclear accident is not credible. It is 1000 times lower than the 10 to the minus 4 (0.01%) annual probability of an accident that is mandatory in the CNSC rulings.

Rather than the nine-dice throw, it is in the opposite direction that the nuclear community should be looking in Canada and in the United States, namely in the direction of two dice and even one die. The latter has a probability of 16% of giving a six, a figure not far from the 10% probability calculated on the basis of the empirical observation of nuclear core meltdowns.

In support of this high probability it is sobering to realize that some 20 nuclear core partial meltdowns have already taken place in the world when one includes research and military nuclear reactors (see the article entitled ‘’Nuclear Fuel in a Reactor Accident’’, by Peter C. Burns, Rodney C. Ewing and Alexandra Navrotsky, in the journal Science, Vol. 335, pp. 1184-1188, 9 March 2012, abstract at www.sciencemag.org).

At this URL: http://en.wikipedia.org/wiki/Nuclear_power_accidents_by_country#Canada

one can read a compilation of the 100 serious nuclear accidents that have occurred so far in the world. On 12 December 1952 the first major nuclear accident in the world took place in Canada at Chalk River where an experimental nuclear reactor was in operation, the NRX. A partial core meltdown and a hydrogen-oxygen explosion took place. Operator mistakes and malfunctioning equipment were the immediate causes of the accident.

The one-die probability is to be reckoned with. On the basis of documentation by CNSC staff members Jin, Awad and Viglasky (see attachment 6) and by many others, it is clear that if a CANDU nuclear reactor is run long enough, the accumulation of corrosion effects on high-pressure tubes will inevitably cause one or more tubes to rupture. The rupture could be sudden without any previous leakage to forewarn operators. Tube rupture could escalate into a severe accident. Already, high-pressure tubes have had to be replaced in several CANDU reactors because of corrosion problems. A sudden tube rupture occurred at the Pickering A nuclear power plant in August 1983 near Toronto, and in March 1986 at Bruce Power in Kincardine on the North shore of Lake Huron. Competent operator actions prevented these tube ruptures from leading to a severe accident. That may not always be the case.

Another factor which increases the risk of pressure tube rupture is metal fatigue. The documents that were prepared by CNSC staff before the CNSC May 2013 Pickering hearing made frequent references to metal fatigue. As Dr Yolande Akl would surely argue quite correctly, the effects of metal fatigue are not described by the statistics of dice. In aviation history the break-ups in flight of the first commercial jetliner, the British Comet 1 once in 1953 and twice in 1954, were found to be due to metal fatigue caused by the cycles of compression and decompression that accompany high-altitude flight. The CANDU reactors are also exposed to these compression and decompression cycles when an outage takes place about once a year.

In preparation for the Pickering B hearing CNSC and OPG staff have written several letters and documents. In two of these reports an expression that comes back frequently is ‘’metal fatigue’’. Metal fatigue has been featured a number of times during the Mayday television series on the causes of airliner crashes. As an example, on 25 May 2002 China Airlines flight 611 from

2

Taiwan to Hong Kong crashed into the Taiwan Strait killing all 225 persons on board. The airplane was a Boeing 747 that had been put in service in 1979. Upon landing in February 1980 the plane had suffered a ‘’tail strike’’ inflicting some damage to the metal skin in the rear of the plane. In the period 23-26 May 1980 the damaged area had been permanently repaired by covering it with a so-called ‘’doubler’’ metal plate. However, Boeing’s instructions to cover not only the damaged area but also 30% beyond, were not followed. Gradually over 22 years, after repeated cycles of pressurization and depressurization during flight, cracks in the damaged skin grew and multiplied, but hidden from view on the ground by the doubler plate. On 25 May 2002, 22 years later, while in flight at an altitude of 35 000 feet, the cracks suddenly expanded and the plane disintegrated.

In the CANDU reactor’s case inspection of components like the hundreds of inlet and outlet feeder tubes can only take place during outage periods. A CANDU reactor has over six kilometers of high-pressure tubes so that it is not possible during an outage period to inspect all parts of all tubes for excessive wall thinning and other degradation effects. OPG’s ‘‘fitness for service’’ mentioned above is done on a statistical basis. If some percentage of the tubes are observed to be fit, then one hopes that all other tubes are fit to last until the next inspection.

These considerations lead to the following question : what is the probability that a pressure tube with a high risk of rupturing will not be detected during the outage inspections ? What fraction of the six kilometers of high-pressure tubes is never inspected ?

Conclusion

Two major and tragic railroad accidents, one in Lac-Mégantic in Canada on July 6th and a second one on July 24th near Saint-Jacques-de-Compostel in Spain, have brought into full view the role of human error in the context of high technology.

A society that wants economic prosperity is well advised to learn from past mistakes and to develop a global understanding of what led to major accidents. In the case of nuclear power, three major nuclear accidents, Three Mile Island in the USA in March 1979, Chernobyl in Ukraine in April 1986, and Fukushima in Japan in March 2011, have taught the whole planet the dire consequences of a major nuclear accident. Even smaller nuclear accidents have had highly undesirable consequences, such as Chalk River in December 1952, Windscale in England in October 1957 and Browns Ferry in Alabama in March 1975, to name a few among nearly 100 important nuclear accidents. In most cases a combination of several factors have played a role, including a dominant role played by human error.

What are we, as a society, to understand as a result of these accidents ? A new level of understanding has emerged from the studies carried out by many analysts and authors who have studied the root causes of major accidents in several modern high-technology fields. In the case of nuclear power, especially in Canada, a remarkable article was published in October 2009 by nuclear engineer John Waddington, a former employee of Atomic Energy Canada Limited (AECL) and of the Canadian Nuclear Safety Commission (CNSC). John Waddington, and a large number of other analysts, have sounded an alarm by arguing that the probability of a nuclear accident in Canada is too high, and possibly much too high.

2

This situation puts an important city like Toronto under a well-documented nuclear threat. The single reactor in Point Lepreau also imposes on the five Atlantic provinces and the State of Maine a well-documented nuclear threat at a level which is well beyond the level of social acceptability.

Given that human error may occur everywhere in the nuclear establishment, including the CNSC, the Federal Government should intervene and exercise its mandate to protect the public to the full extent of its power. The analyses of numerous authors, notably by Professor Diane Vaughan, now at Columbia University, have shown that large organizations in high-technology fields are subject to what she has called ‘’normalized deviance’’, i.e. organizational acceptance of higher risks entailed by deviations from pre-established safety norms. In view of hundreds of pages of CNSC documentation describing deviations from an acceptable performance level, we must raise the question : is the CNSC fully respecting Article 9 of the Nuclear Safety and Control Act of 1997 which stipulates that the nuclear risk must remain at a socially acceptable level, and that the public be informed in an objective and scientific manner ?

QuickTime™ et undécompresseur

sont requis pour visionner cette image.

(s) Dr Michel Duguay, Ph.D. in nuclear physics, Professeur titulaire, Université Laval, Québec

Co-signatories :

Gordon Edwards, Ph.D., President, Canadian Coalition for Nuclear Responsibility.Michel Fugère, Mouvement Vert MauriciePierre Jasmin, Artistes pour la PaixGuylaine Maroist, Cinéaste, Réalisatrice/productriceÉric Notebaert, Professionnels de la santé pour la survie mondiale Willy Nolan, International Institute of Concern for Public HealthPhilippe Giroul, Mouvement Sortons le Québec du NucléaireRose-Anne Gagnon, Ste Foy Sylvie Van Brabant, Cinéaste, Réalisatrice/productriceClaudette Piché, Ste ThècleMarc Fafard, Sept-Îles sans uraniumMonique Meunier, Centricois-Mauriciens pour le déclassement nucléaireFrançois Lachapelle, MontréalRaymond Gauthier, Île-de-la-MadeleineFrançois Lapierre, Association de protection de l'environnement des Hautes-Laurentides.Éric Ferland, ÉchosphèreFrançois Lachapelle, MontréalSébastien Bois, Centricois-Mauriciens pour le déclassement nucléaireMary Lou Harley, PhD, United Church of Canada Robert Duchesne, Trois-RivièresHélène Lamothe, Trois-Rivières

C.C.

2

L’honorable Stephen Harper, Premier ministre du Canada Les Membres du Parlement Canadien Les Premiers ministres des provinces et territoires du Canada Les cadres et les ingénieurs de la CCSN

List of attachments

Attachment 1 : April 11th 2013 open letter to Honorable Joe Oliver, Minister of Natural

Resources, and his reply dated May 24th 2013.

Attachment 2 : paper by John G. Waddington titled ‘’Challenges to the regulation of

Generation III reactors and the nuclear renaissance’’, International Nuclear Law

Association, Nuclear Inter Jura 2009, Proceedings, Toronto, October 2009.

Attachment 3 : Vincent Marissal, ‘’Un drame inéluctable’’, La Presse, 20 July 2013.

Attachment 4 : G. Rzentkowski, Y. Akl, S. Yalaoui, 34th Annual Conference of the

Canadian Nuclear Society 2013 June 9 – June 12, 37th Annual CNS/CNA Student

Conference Toronto ‘’Application of Probabilistic Safety Goals to Regulation of Nuclear

Power Plants in Canada’’.

Attachment 5 : Article 9 of the Nuclear safety and Control Act of 1997, and Article 7.

Attachment 6 : John C. Jin, Raoul Awad and Thomas Viglasky Transactions, SMiRT 19,

Toronto, August 2007 Paper # D02/3 , ‘’FITNESS FOR SERVICE ASSESSMENT OF

DEGRADED CANDU FEEDER PIPING - CANADIAN REGULATORY EXPECTATIONS’’

Attachment 7 : Regarding the May 27-31 2013 CNSC hearing for Pickering, article by

Michel Duguay describing the contributions to the hearing by Shawn-Patrick Stensil,

Arnie Gundersen, Chris Rouse, Gordon Edwards, and Michel Duguay.

2