He Named the Nuclear Safety Protocol After Himself — Then the NRC Inspection Team Required the Engineering Stamp She Had Filed
The reactor floor during a refueling outage was a different environment from every other environment Dr. Lin Zhao worked in. The equipment was the same equipment — the same terminals, the same dosimetry, the same procedure binders — but the air moved differently, the lights were brighter, and every person on the floor was following a sequence that she had helped build.
The Unit 2 refueling outage at the plant had been scheduled for eighteen days. She had modeled the thermal-hydraulic behavior for the outage eleven months in advance. The model was a simulation of the reactor’s coolant system under conditions that did not exist in normal operation — the reactor shut down, the fuel rods exposed for exchange, the coolant flow at reduced pressure and volume as the system transitioned through the maintenance states.
The model had identified a 32-second window.
She had found it in September, during the third run of the simulation. At the 4-hour-47-minute mark of the outage thermal sequence, the coolant flow through the reactor vessel’s lower plenum dropped below the design minimum for 32 seconds before recovering. The drop was small — 0.4% below minimum — and it was brief, and in a normal year it would not have mattered. But this outage coincided with a fuel rod batch that had been in the reactor for three cycles, longer than the standard two-cycle interval, which meant the residual heat in the rods was higher than the model’s baseline assumption. She had recalculated with the three-cycle decay heat profile. The 32-second window, under the three-cycle decay conditions, produced a temperature rise at the rod surface of 4.2 degrees Celsius. Below the high-temperature alarm threshold by 1.8 degrees. Not enough to trigger a shutdown. Enough to matter.
She had designed a flow adjustment procedure: a manual coolant bypass valve sequence executed at the 4:46 mark, timed to maintain minimum flow through the 32-second window.
She had put it in the procedure binder as Step 14.
Tom Holt was the operations engineer assigned to the outage. He was 30 and he had been following reactor procedure sequences for three years. He knew how to read a procedure. He did not know what Step 14 was for, specifically, until she explained it.
She said: “At 4:46, you’ll open bypass valve V-14 and hold for 40 seconds. The coolant flow will dip through a window in the thermal profile — V-14 keeps it above minimum.”
He said: “What’s in that window?”
She said: “Residual heat from the three-cycle fuel batch. The decay profile puts the temperature 4.2 degrees above baseline during the 32-second low-flow period. V-14 prevents the temperature from reaching the high-alarm threshold.”
He said: “And if we miss it?”
She said: “You won’t.”
At 4:46:18, Tom opened V-14. She was at the monitoring station, watching the temperature trace on the simulation display and the reactor’s real-time sensor feed simultaneously. The two traces tracked each other within 0.3 degrees for the full 32-second window.
Step 14. She checked it off on the clipboard.
The lead-lined clipboard was standard radiation-work-area equipment — a rigid board with a metal clip at the top and a lead lining in the backing to protect documentation from radiation scatter. She had been using this one for four years. The lead lining was worn through at the bottom left corner from being set on concrete floors during outages and inspections. The worn corner was heavier than the rest of the board, which meant she always felt it in her left hand when she was writing with her right.
She had checked off Step 14. The 32-second window passed safely. The temperature trace peaked at 1.7 degrees above baseline and returned to normal.
She had built the model that predicted the window. She had designed the procedure that managed it. She had been on the floor when Tom executed it.
—
She read the NRC post-event report on a Thursday, from the simulation terminal in the safety analysis section, during her lunch break.
The NRC’s public ADAMS database had posted the report that morning. She had set a search alert for the plant’s facility identifier. The alert had come through at 8:47 AM.
The report was twelve pages. The executive summary described the Unit 2 refueling outage thermal event and the response procedure. The response procedure was described as “the McNair Protocol — a proactive thermal management procedure developed under Chief Nuclear Officer oversight.”
She read “the McNair Protocol.”
She read “CNO oversight.”
She picked up the lead-lined clipboard from her desk. She held it by the clip. The worn corner was heavy in her left hand. She put it back on the desk.
She opened the model file on the simulation terminal. Cover page, top right: NE-PE-6612. Her professional engineer license number, stamped and signed under nuclear engineering. Her legal attestation that the model was accurate.
She went back to the Unit 1 model she was building. She had a thermal-hydraulic analysis to finish.
—
Two weeks after the outage, McNair had called her to his office.
He had shown her the draft post-event report. He had said: “Your model worked perfectly. I want to formalize this as a plant procedure going forward.”
She had said: “The model assumptions need to be reviewed for Unit 1 — the coolant loop geometry is different.”
He had said: “Right. We’ll sort that out. Good work on Unit 2.”
She had said: “Thank you.”
She had left his office.
He had kept the draft. He had called it the McNair Protocol.
—
She had not told McNair about the convergence check.
She had run it in September — three runs, the third producing the dip at 4:47, the convergence check confirming it was not numerical noise. She had then spent two weeks building the isolated simulation to characterize the window precisely. She had sent McNair the updated model on a Monday with a cover note: “Unit 2 outage simulation updated — identified a 32-second low-flow window at 4:47 requiring procedural management. See attached Step 14 proposal.”
He had replied: “Looks good. Moving forward.”
He had moved forward. He had approved Step 14. He had given the order to execute it. He had been in the control room — not on the reactor floor — when Tom executed it at 4:46:18. After the outage, he had come to the reactor floor and said: “Good work, everyone.” He had said it to the general room. He had said it to Tom, specifically, for managing the valve sequence smoothly. He had said it to Lin, standing to her left: “Good work on Unit 2.”
She had said: “Thank you.”
She had meant: the model worked because the model was correct. The model was correct because she had run it three times and found the dip and confirmed it was real and designed a procedure around it. The “good work” that McNair was acknowledging was the model that predicted the outage’s behavior to 0.3 degrees over 32 seconds.
He had called it “Unit 2.”
He had submitted the post-event report calling it “the McNair Protocol.”
The stamp on the cover page was NE-PE-6612.
It had been NE-PE-6612 before the outage, during the outage, and after the outage. The stamp had not changed. The protocol’s name had.
The NRC quarterly compliance briefing was held in the plant’s conference center — a room with a projector, twelve chairs, and a table wide enough that the people at the far end appeared slightly smaller. McNair presented from the front.
The slide deck was Lin’s simulation output — the same color scale she had used in the analysis, the same temperature trace she had designed the visualization for, the same x-axis timeline she had calibrated to the outage sequence. She had sent him the slides in the format she used for internal review. He had used them without modification.
He said: “Our modeling approach identified the flow transient 72 hours in advance of the outage. The thermal-hydraulic analysis allowed us to develop a proactive management procedure that kept the system within operating parameters throughout the event.”
NRC Regional Inspector Kenneth Shaw took notes.
Lin was in the room, at the table.
McNair did not introduce her.
—
The enhanced safety inspection notice arrived by email the following Tuesday.
Subject: NRC Enhanced Inspection — [Plant Name] — Safety Analysis Documentation Request.
The inspection had been triggered by a minor incident in a different unit, unrelated to the Unit 2 outage. As part of the expanded inspection scope, the NRC team required the original thermal-hydraulic simulation model used in the McNair Protocol — specifically, the model file signed under a licensed nuclear engineer’s professional stamp, per 10 CFR Part 50 requirements.
She opened the model file.
Cover page, top right: NE-PE-6612. Her professional engineer license number. Her legal attestation, her signature, her credential. The stamp was her obligation — not McNair’s, not the plant’s general engineering staff. Under 10 CFR Part 50, the engineer who stamps a nuclear safety analysis is the engineer who vouches for its accuracy under regulatory law. The stamp is personal and cannot be transferred.
She looked at NE-PE-6612.
She closed the file. She did not go to McNair’s office. She did not reply to the inspection notice with his name copied. She opened the Unit 1 model on the simulation terminal and kept working. She had a lower plenum thermal analysis to finish before Thursday.
—
McNair read the inspection notice that afternoon. He had handled NRC inspections before — the compliance office managed the documentation, he attended the technical briefings, the plant’s safety record was strong. He told his compliance officer, Margaret, to prepare the standard inspection documentation package.
He did not read the specific documentation request carefully.
He went to his next meeting.
—
She had been building the Unit 1 model for three months.
The Unit 1 coolant loop geometry was the part McNair had said they would “sort out.” She had started sorting it out in October, two weeks after the outage, because the Unit 1 refueling outage was scheduled for fourteen months away and fourteen months was not as long as it sounded when you were building a thermal-hydraulic model that needed to be reviewed, validated, and stamped before the NRC’s pre-outage submission deadline.
The Unit 1 lower plenum had an asymmetric outlet arrangement — the coolant exited through three ports rather than four, with a 15-degree angular offset from the Unit 2 geometry. This changed the flow distribution in ways that made the Unit 2 model’s assumptions inapplicable. She had to rebuild the plenum flow model from the geometry up. She had pulled the original plant design drawings — the 1984 as-built documentation, filed in the plant’s engineering records — and had spent four days extracting the plenum dimensions.
The 32-second window in Unit 2 had been visible in the data because she had been looking for it. She had not been assigned to look for it. She had been running the outage simulation for the standard pre-outage thermal compliance check and she had noticed, in the third run, that the flow trace had a dip at 4:47. The dip was small enough that a less experienced analyst might have attributed it to numerical noise in the simulation. She had run a convergence check. It was not numerical noise. It was the three-cycle decay heat signature interacting with the low-pressure transition.
She had redesigned the simulation to isolate the interaction. She had found the 32-second window. She had designed Step 14.
This was what her work was. Thermal-hydraulic transient modeling was the discipline of finding what would happen before it happened, in conditions that did not yet exist, using mathematics and validated physics. The model was not a description of the outage. It was a prediction of it. The prediction had been accurate to 0.3 degrees Celsius over the 32-second window.
That accuracy was in the NRC inspection report now, under her name.
She opened the Unit 1 model and kept working.
Margaret had been the plant’s compliance officer for nine years. She found the answer in thirty minutes.
10 CFR Part 50, Appendix B, Criterion III: nuclear safety analyses submitted as regulatory documentation must be certified by a licensed professional engineer holding an active engineering license in the relevant specialty. The certifying engineer’s stamp constitutes their legal attestation to the analysis’s accuracy and their professional accountability for it. The stamping engineer must be able to verify the analysis’s underlying assumptions under regulatory inspection.
She looked at the model file.
NE-PE-6612. Dr. Lin Zhao, PE — Nuclear Engineering.
She looked at McNair’s professional credentials on file. His engineering license was management-grade — a facility director’s credential, not an active professional engineering stamp in nuclear safety analysis. He had held it since 2009. He had never stamped a technical analysis.
He could not stamp what he had not built. He could not verify assumptions he did not understand. The NRC inspection team’s request was unambiguous: the stamping engineer must verify the model’s basis assumptions.
Margaret went to his office.
She told him.
He asked: “Can I certify the analysis as the responsible management authority?”
She said: “10 CFR Part 50 requires the stamping engineer. The stamp on the file is NE-PE-6612.”
He said: “That’s Dr. Zhao’s license.”
She said: “Yes.”
He looked at the model file on his desk — the cover page, NE-PE-6612 at the top right. He had reviewed this model four times before the outage. He had signed the implementation authorization. He had given the order to execute Step 14. He had understood those actions as the decisions — the act of approving the procedure and ordering its execution was the responsibility he bore.
He was now understanding that the NRC’s definition of responsibility was different from his. The stamp was the responsibility. The stamp was Lin’s.
He thought about “good work on Unit 2.” He had said it after the outage because it was true and because it was the appropriate thing to say to someone who had done good work. He had not said “your model” or “your procedure” or “your stamp.” He had said “Unit 2,” as if the outage’s safety belonged to the plant rather than to the person who had found the 32-second window and designed the step that managed it.
He called Lin’s extension.
—
She was at the simulation terminal, Unit 1 lower plenum model, when the call came.
She had the geometry parameters for the Unit 1 coolant loops loaded on the second monitor. The Unit 1 geometry was different from Unit 2 — the lower plenum had an asymmetric configuration that changed the flow distribution during low-pressure transients. She had identified this in October, which was why she had told McNair the model assumptions needed review before the procedure could be applied to Unit 1. He had said they would sort it out. She was sorting it out.
He said: “NRC need the model verified by the stamping engineer. Your PE stamp is on the file.”
She said: “I know.”
He said: “Inspector Vasquez’s team will be here Thursday. Can you be available?”
She said: “Yes.”
She put the phone down. She saved the Unit 1 model. She closed it. She opened the Unit 2 model file and began reviewing the basis assumptions from the beginning — the three-cycle decay heat profile, the lower plenum flow geometry, the 32-second window calculation. She had built it. She knew every assumption. Thursday was two days away.
—
She had reviewed the Unit 2 model’s basis assumptions four times before the outage. Not because she was uncertain about them — she was not — but because a nuclear safety analysis submitted to the NRC was a document she was professionally and legally responsible for. The stamp was her obligation. She did not stamp things she had not verified.
The three-cycle decay heat profile was the non-standard element. Everything else in the model used validated, conservative datasets from the NRC’s standard reference library. The three-cycle profile was her own calculation, derived from the plant’s fuel management records and cross-validated against the reactor physics code that the plant’s licensed analysis team used for fuel cycle calculations. She had the validation documentation in a separate file, referenced in the model’s basis assumptions section.
The inspection reviewers would ask about it. She knew they would. It was the element that made the model different from a standard outage thermal analysis.
She had prepared a four-page explanation of the three-cycle profile derivation. She had it ready for Thursday.
She was not nervous. She had built the analysis. She understood every assumption. The 32-second window was real. The temperature margin calculation was correct. The valve sequence had worked. The data was the data.
She saved the Unit 1 model and closed it. She opened the Unit 2 basis assumptions.
She spent two hours on Thursday morning reviewing them before Inspector Vasquez arrived.
NRC Inspector Elena Vasquez arrived Thursday at 8 AM with two technical reviewers.
The inspection session was in the plant’s technical conference room. Lin had the Unit 2 model open on a laptop at the head of the table. McNair was seated to her left. He opened the session: “Dr. Zhao is the engineer of record for the Unit 2 thermal-hydraulic coolant model. Technical questions go to her.” He sat back. He did not answer technical questions.
Inspector Vasquez began with the model’s basis assumptions.
She asked about the three-cycle decay heat profile — why Lin had used the three-cycle dataset rather than the standard two-cycle baseline. Lin walked through the fuel batch records: the Unit 2 fuel rods had completed three operational cycles, not two, and the residual heat decay curve for a three-cycle rod was materially different from the two-cycle baseline in the NUREG-1465 reference used by the plant’s standard thermal analysis. She had recalculated using the three-cycle curve from the plant’s own fuel management records.
Vasquez asked: “When did you identify that the three-cycle dataset was required?”
She said: “September. During the third simulation run. The two-cycle baseline showed no thermal window. The three-cycle profile showed a 32-second window.”
Vasquez said: “And you designed Step 14 in response to that finding?”
She said: “Yes.”
Vasquez said: “What is the temperature margin at peak without Step 14?”
She said: “1.8 degrees Celsius below the high-temperature alarm threshold. The alarm would not have triggered. The temperature rise was below the reporting threshold. The window was a subthreshold event.”
Vasquez said: “But you modeled it anyway.”
She said: “It was in the data.”
The inspection session ran four hours.
At the end, Vasquez said: “Dr. Zhao, your model documentation is thorough. The assumption basis is solid. The three-cycle decay calculation is the most complete residual heat analysis I have reviewed for a refueling outage event.”
The inspection record was filed: Stamping Engineer: Dr. Lin Zhao, PE Nuclear NE-6612. Engineer of Record, Unit 2 Coolant Flow Management Model.
—
Vasquez’s confirmation email arrived Friday morning.
“Dr. Zhao — you will be cited as the engineer of record in the NRC inspection report. The McNair Protocol designation will be replaced with ‘Zhao Coolant Management Procedure’ in the amended plant technical specifications.”
Tom Holt was at the terminal in the corridor when Lin came back from the conference room Thursday afternoon.
He said: “Your stamp in the record.”
She said: “Yes.”
He said: “Step 14 is yours.”
She said: “The model is.”
She went back to the Unit 1 lower plenum analysis.
—
McNair stopped her in the corridor on Friday.
He said: “Good outcome. Vasquez’s team are satisfied.”
She said: “The model held up.”
He said: “It did.” He paused. “I’ve amended the NRC submission. Your name is on the analysis now. I’ve also restructured the reporting format — Lead Safety Analyst on all future NRC submissions involving your models.”
She said: “Okay.”
He said: “Good work, Lin.”
She said: “Thank you.”
She picked up the clipboard from the station desk. She had a new checklist to review — the Unit 1 pre-outage procedure draft. She carried the board in her left hand. The worn corner was familiar against her forearm.
The NRC public ADAMS database had the original post-event report under accession number ML26-138-0047. Both it and the amended version were permanent regulatory records. She had the accession number saved in her bookmarks. She had not opened it since she read it the first time.
She had a Unit 1 model to finish.
—
The NRC inspection report was 22 pages.
She read it on the Tuesday after the inspection. Page 4: “Thermal-hydraulic analysis for Unit 2 refueling outage conducted by Dr. Lin Zhao, PE NE-6612. The analysis correctly identified a 32-second coolant flow reduction at the 4:47 outage mark resulting from three-cycle fuel batch residual heat effects. The basis assumption methodology, including the three-cycle decay heat profile derivation, is technically sound and represents current-best-practice in outage thermal analysis.”
She read “current-best-practice in outage thermal analysis.”
She had built the analysis in a plant where no one had asked for it until the NRC asked for who stamped it.
The amended NRC post-event report was filed as a supplement to ADAMS ML26-138-0047. The revised text read: “Thermal-hydraulic model developed by Dr. Lin Zhao, PE (Nuclear), NE-6612. Procedure designation: Zhao Coolant Management Procedure.” The original report — “McNair Protocol” — remained in the database as the original document. Both were there. Both were searchable. She had looked at the ADAMS database once after the amendment was filed, to confirm the supplement was indexed correctly. The accession number for the supplement was ML26-152-0019.
She had both numbers in her bookmarks.
She closed the bookmark folder.
She opened the Unit 1 model.
She picked up the lead-lined clipboard from the staging area and clipped the Unit 3 procedure checklist to the top. The metal clip caught on the first try. The worn corner at the bottom left rested against her forearm the way it always did — heavier than a standard clipboard, the lead lining radiating a slight cool that she no longer noticed. The new checklist had her name at the top as Lead Safety Analyst. McNair’s name was not on it.
Inspector Vasquez’s inspection report was in the regulatory correspondence file at the office — Engineer of Record: Dr. Lin Zhao, PE NE-6612 in the stamping engineer field. Tom Holt was at the console, running the pre-outage diagnostic. She walked to the procedure start point. She reviewed the coolant flow baseline against the Unit 3 model she had stamped last week. The assumptions were different from Unit 2. She had accounted for that. She checked off Step 1. She kept moving.
—
The Unit 3 coolant loop geometry was different from Unit 2 in two significant ways. The lower plenum was symmetric, unlike Unit 2’s asymmetric configuration, which simplified the flow distribution calculation. But the fuel batch in Unit 3 was a mixed-cycle batch — rods from both two-cycle and three-cycle operations — which meant the decay heat profile was a weighted average that she had spent three weeks calculating from the plant’s fuel management records.
The Unit 3 model had taken six months.
She had found no thermal window in Unit 3. The symmetric geometry and the mixed-cycle averaging produced a smooth flow curve through the outage sequence. Step 14 was not needed here. She had a different step — Step 9, a pressure equalization sequence at the 2:30 mark — that she had added after identifying a minor pressure transient in the Unit 3 geometry.
Step 9 was in the checklist.
She checked off Step 2.
The Lead Safety Analyst designation memo had arrived Monday. She had read it. She had filed it in the NRC correspondence folder, beside the inspection report and the ADAMS amendment notice.
The original NRC post-event report was still in the ADAMS database. ML26-138-0047. The McNair Protocol. The amended version was filed beside it. Both were permanent. She had the accession number in her bookmarks. She had not opened it since she read it the first time. She did not need to open it. The inspection report said what the record was.
Tom called the pre-outage status from the console: “Systems nominal. Ready for outage sequence.”
She walked the first three stations. She checked off Steps 3, 4, and 5.
The coolant flow model for Unit 3 was stamped NE-PE-6612. Her stamp. Her assumptions. Her analysis of the mixed-cycle decay heat profile and the symmetric lower plenum flow distribution.
She kept moving.
