When it was restarted in mid-December, it was safer still. And a final safety upgrade put in place earlier this month has further reduced the probable risk of a nuclear accident that could affect the public.
The reactor's updated design now yields a 1 in 500,000 risk of a serious accident, which experts say is the best that can be achieved without tearing down and rebuilding it.
Not that new research reactors necessarily perform more safely than old ones. Australia's $320 million OPAL, opened proudly last May, has been shut down since July because of problems with the nuclear fuel bundles.
Bill Garland, a professor of nuclear engineering at McMaster University, posed the obvious question.
"Why did this suddenly flare up as an issue?" he asked in an email. "Individual personalities aside, there should be enough checks and balances built into the CNSC and AECL to approximate rational behaviour – well at least it should prevent sudden irrational behaviour. Maybe a tipping point was reached."
Relations between the safety commission and Atomic Energy of Canada have been stressed in recent years:
In August 2000, safety commission official Barclay Howden said in a public meeting that losses of senior Atomic Energy staff meant the reactor no longer had "the depth to fix the problems or prevent them." Howden heads the CNSC directorate that directly oversees operations at Chalk River.
In May 2001, a safety commission report complained that Atomic Energy of Canada had deliberately concealed test failures of a vital emergency shutdown system at the trouble-plagued new reactors intended to take over isotope production from NRU. Observers said the incident was the most serious breakdown in federal nuclear safety regulation since the 1950s.
In June 2005, a report from Howden's unit fired a verbal broadside at Atomic Energy. The reactor was being run by people prone to "overconfidence," "complacency" and "deficiencies in management oversight and safety culture." Repeated problems at the reactor "erode confidence in the licensee's qualification to safely manage the work," the report concluded in some of the strongest language ever used by the safety commission.
While acknowledging many of the facts in the commission reports, top Atomic Energy officials like Brian McGee, the company's chief nuclear officer, vigorously defended the competence of NRU staff and insisted the reactor had always operated safely.
Although both deal in nuclear matters, AECL and the CNSC are different beasts. Atomic Energy is a federal Crown corporation, which designs and sells nuclear power reactors in the competitive market and also operates extensive research facilities at the sprawling Chalk River site.
The nuclear safety commission is an arm's-length independent regulatory agency, similar to the federal bodies that oversee air safety or telecommunications. Its chief responsibilities are nuclear power reactors, uranium mines, commercial uses of radioisotopes and research reactors, mostly at universities.
Both AECL and CNSC have large numbers of engineers on the payroll who sometimes switch employment between the two places. The volumes of written exchanges between the two also provide several instances of AECL dismissing CNSC concerns as unfounded, sometimes coming close to implying that the regulators didn't fully understand what they were talking about.
Little wonder the air bristled with electricity whenever officials from the safety commission and Atomic Energy of Canada sat at adjacent tables in front of the CNSC tribunal, the government-appointed body that has the final say on licensing nuclear facilities. Only two of the current seven tribunal members work full-time, fired president Linda Keen and her replacement, career public servant Michael Binder. The five other part-time members include two university professors, an engineer, a former N.B. cabinet minister and a physician.
That electric atmosphere ignited Dec. 6 when CNSC officials explained that the reactor had operated for the past two years without two vital cooling pumps being connected to a third power supply – one specifically intended to keep delivering electricity in the event of an earthquake.
Without those pumps connected, safety commission officials considered Atomic Energy was in violation of the reactor's operating licence.
AECL considered connecting the pumps a safety "enhancement" to be added over the next few years, not something that had to be done by the end of 2005 as a licence condition.
Here lies the crux of the misunderstanding between the two bodies. Each one thought the other had agreed with its interpretation of the licensing requirements as presented in numerous letters, reports, studies and face-to-face meetings. In fact, they held diametrically opposed views that ultimately led to the very public showdown.
At the Dec. 6 meeting, a visibly upset Keen tongue-lashed Atomic Energy of Canada for suggesting that connecting the pumps was optional and not a licence requirement.
"This is absolutely revisionist," Keen admonished McGee, AECL's senior vice-president.
The two cooling pumps triggered such a hubbub because they are the foot soldiers in the reactor's last line of defence against "catastrophic" fuel failure. Despite movie depictions of the China Syndrome, such a failure means simply that the uranium fuel bundle splits open, probably from overheating. Scores of other things would have to go wrong before even the slightest risk of a core meltdown.
Here's how the cooling pumps work: The reactor has eight pumps that force heavy water into a "header" in the vessel bottom that channels the cool water up through scores of rods holding the radioactive fuel and isotopes. The water carries away heat generated by the nuclear fission, heat that would be dangerous if it built up. That hot water is then cooled in heat exchangers and recirculates. All eight pumps run on AC power from the Ontario grid.
As a first line of defence, four of those eight pumps are also equipped with DC motors so they can continue forcing through cooling water even if the grid fails. That DC electricity comes from a backup power system consisting of racks of heavy-duty batteries that are automatically recharged by diesel generators.
But the reactor's original DC power backup wasn't built to withstand fires, floods or earthquakes. That's why a new "qualified" emergency power supply was included in seven planned safety upgrades.
Two of the four heavy-water pumps that can run on both AC and DC, numbers 104 and 105, are even more important, constituting a final line of defence.
They are the only pumps with pipe connections to allow them to draw water from the bottom of the reactor, as well as from the top, which is where the other six pumps draw from. If the water level inside the reactor vessel drops because something goes wrong, only pumps 104 and 105 can keep working and avert overheating that might cause a potential fuel failure.
Those two pumps are also critical to another safety upgrade called the New Emergency Core Cooling, which kicks in if all of the heavy water drains from NRU in what is known as a "loss of coolant accident." The safety commission says only 104 and 105 are hooked up to recirculate any spilled heavy water that is caught in a sump underneath the reactor vessel and also to handle ordinary water that could be injected into the cooling circuit in an emergency.
Considering their importance, it is not surprising AECL agreed as far back as 1993 that pumps 104 and 105 had to be connected to the Emergency Power System once the EPS was ready. Three years later, AECL and the safety commission both agreed that connection should be made through earthquake-resistant motor starters.
The reliability of the pump connection depends on having such motor starters in the electrical circuit.
If the motor in a reactor cooling pump has slowed or stopped because of a power interruption, the motor starter gets it going again.
It is this final link that had not been hooked up in November for the simple reason that AECL had not purchased the motor starters, which cost about $500,000 each and fill a metal cabinet roughly the size of two school lockers.
"It's all seismically qualified because, as you know, the weakest link in the chain is the thing that is going to do you," says the safety commission's Howden.
"Do you" in the case of a nuclear reactor means an accident causing harm to a member of the public who is outside the nuclear facility. For modern reactors, the emerging international standard is a design that ensures the probability of such an accident in any one year is less than one in a million.
This is often – and not as accurately – said to be the risk of one such serious accident in a million years.
But the reactor was designed in a different era with different risk expectations. By 1990, with various upgrades, the accident risk at the reactor was likely in the range of one in 10,000.
That wasn't going to be good enough for the 21st century.
Safety upgrades became necessary in the late 1990s when AECL realized it wouldn't be able to close down the reactor as planned in 2000. The reactor had to be patched up and kept running because the company could not meet the launch date for two replacement isotope-producing reactors called MAPLE. They are still not operating today.
In addition, the federal government had turned a deaf ear to AECL requests for a $600 million replacement nuclear facility to test fuel for Candu reactors to allow researchers to probe the innermost structure of materials – two other roles of the multi-tasking NRU.
So the safety upgrades went ahead. They included projects such as flood protection for pumps, a second independent system to automatically shut down the reactor, the emergency core cooling set-up, barriers to confine liquid spills, a "qualified" emergency water supply and the "qualified" new Emergency Power Supply (EPS).
Together, they were supposed to move NRU to a risk range of about one in 500,000, still below the expectations for new reactors but considered good for such an old facility.
Documents that passed between CNSC and AECL are contradictory and even ambiguous about whether connecting the EPS to the reactor's two most critical cooling pumps was an integral part of the safety upgrades. The top legal firm Heenan Blaikie weighed in on AECL's behalf and the whole licensing controversy could still wind up in the courts.
AECL's interpretation was that the pump connection was a nice-to-have, not a need-to-have. This opinion should be seen against the safety commission's attitude toward this particular safety improvement. After both sides had agreed on the necessity of upgraded power backups for pumps 104 and 105 the CNSC nonetheless allowed AECL almost 10 years to make the changes.
As well, there is no indication the documents that CNSC staff based at Chalk River carried out eyeball inspections at the reactor after December 2005 to verify that those two allegedly crucial pumps had been properly connected.
Not until last November did the commission's on-site officials learn the work had not been done – by spotting a chance reference in an operating manual.
What had begun as probably innocent miscommunication rapidly escalated into an institutional and personal standoff. Parliament finally intervened with a law that bypassed the safety commission and authorized AECL to restart the reactor with only one of the two crucial pumps in full safety operating mode.
On Dec. 14, AECL engineers hooked up pump 105 to the Emergency Power System through the earthquake-resistant motor starter, which had been purchased, installed and tested in fewer than three weeks. On Dec. 16, the reactor restarted with only one cooling pump that had a high chance of continuing to operate after a magnitude-6 earthquake, estimated to shake the Ottawa Valley once in 1,000 years.
Was that a safe thing to do?
"Everyone likes the word safety because it's a word people are more comfortable with, whereas what we are looking at is, with that current (NRU) configuration, what was the risk being posed?" says the CNSC's Howden.
Questions about risk, or safety, cannot be answered definitively because the three key reports on the safety of the reactor are being withheld from public view, with both organizations citing federal security prohibitions. These are the Safety Analysis Report, now in its third version; the Probabilistic Safety Assessment, also done previously; and the recently completed Severe Accident Assessment, carried out for the first time.
Without access to these reports, the public can never independently check the risk statistics cited by either AECL or the safety commission, such as Keen's controversial contention that NRU faced a 1 in 1,000 risk of a nuclear fuel failure at the time it was shut down.
Yet Canadians have seen the very public fallout from the dispute, which this week claimed its second high-profile victim.
Brian McGee, AECL's point man on the NRU, announced he was leaving the company at the end of May. McGee had said that both he and the company had performed poorly in the safety pump matter.
Meanwhile, the country's besieged nuclear regulator and the operator of the world's oldest nuclear research reactor appear to be mending fences in the aftermath of the reactor crisis.
Rather than continue with planned separate post-mortems, they've agreed to bring in outside experts and co-operate on a single what-went-wrong report to be made public in the spring.
As well, on April 11 the 120-day hands-off period imposed under Parliament's emergency legislation expires. That means commission inspectors formally regain legal authority to verify the quality of AECL's work on both cooling pump hook-ups, including pump 104, which was finally connected during a maintenance shut-down that ended Feb. 1.
But a regularly scheduled CNSC meeting Thursday heard that AECL has invited the inspectors to carry out those checks right away, rather than wait.
Said the CNSC's new president Michael Binder: "It would be really nice if we could start a new chapter on April 11."