On April 26, Nuclear Regulatory Commission staff did a safety "walkdown" of the Diablo Canyon nuclear power plant on southern California's coast, part of NRC inspections of all U.S. reactors that were triggered by the Fukushima Daiichi nuclear plant disaster in Japan.
The NRC's inspection report, released Friday, did not flag the plant's owner, Pacific Gas & Electric Co. (PG&E), for a serious violation of the rules the commission has imposed to assure the plant's safe shutdown in an anticipated emergency.
But it did list more than a half-dozen issues that could jeopardize the plant if it were confronted with the kind of chain reaction of unexpected and unplanned-for calamities that struck the Fukushima nuclear complex.
The NRC investigators reported:
- The plant had a single diesel-driven pump to provide emergency cooling water to a single reactor in case an earthquake cut off normal water flow. The pump could not have serviced both of the plant's reactors if they lost normal water supply simultaneously, the NRC staff said.
- Some doors at the plant required to protect against flooding of major safety equipment would not self-latch as required. One latch was "degraded," they said.
- The plant's six emergency diesel generators were located in the same plant area, and thus vulnerable to a "common mode" failure.
- An earthquake could cause a structural failure in the building where the fire truck is stored, and debris could block crews from using the truck.
- PG&E planned for a contractor to provide seawater for emergency cooling, but had no backup plan if an earthquake and tsunami blocked highways to the plant. PG&E intended to rely on the California National Guard to deliver diesel fuel for emergency generators if roads were impassable, but had no memorandum of understanding in place for the deliveries.
- Four 20-foot extension cables, used to operate fans that cool portable generators, were missing from their storage location.
Vulnerabilities found at dozens of U.S. reactors
Something under one-third of the 104 U.S. reactors were found to have some vulnerabilities to extreme emergencies, according to the NRC, which is preparing a summary of its post-Fukushima findings.
The NRC says that all issues have been fixed or put on schedule for correction, and that the safety of the reactors was not compromised.
PG&E spokesman Paul Flake said issues reported by the NRC had been identified by the company's own review after Fukushima, and an inspection by the Institute for Nuclear Power Operations, the industry's confidential safety monitor. "All of the issues identified in the [NRC] inspection report are being addressed. We continue to work with the NRC to introduce safety improvements" required to protect the plant, he said.
"Our inspectors found all the reactors would be kept safe even in the event their regular safety systems were affected by these events, although a few plants have to do a better job maintaining the necessary resources and procedures," said Eric Leeds, director of the NRC's Office of Nuclear Reactor Regulation.
But the U.S. plants are now being reviewed in Fukushima's harsher light, that of a disaster far greater than planned for, which spread confusion among plant operators.
"We'll review the plants' responses [to the inspections] to see if they need to take any additional actions to meet our existing requirements, along with seeing what the NRC might need to do to enhance those requirements and continue to protect public health and safety," NRC Chairman Gregory Jaczko said last week.
At a time when the NRC and industry leaders are calling for a rigorous safety culture within the U.S. nuclear industry, the inspection findings raise questions about whether some plants were following the letter of requirements but not prepared for "unthinkable" events.
Among the findings in other reports:
Entergy's Arkansas Nuclear One plant safety plan is directed against the loss of offsite power to one of its units, and does not anticipate a simultaneous additional threat such as an earthquake.
Numerous manhole inspections in the past year have revealed safety-related cables submerged in water, a problem the NRC inspectors identified as minor.
At Duke Energy's Oconee Nuclear Station in South Carolina, pumps that would be used to remove water from auxiliary buildings in a flood could not be used because the plugs did not fit any outlets in the area.
Instrumentation on spent fuel pools would be unavailable if power were lost, which would require workers to visually inspect water levels -- "an unacceptable requirement under some scenarios," the NRC said. One such scenario would be a loss of water in the pool to a level that permitted fuel rods to ignite and release perilously high radiation levels.
The Palo Verde nuclear plant, operated by the Arizona Public Service Co., determined that some seals that were not hardened to withstand seismic shocks could fail in an earthquake, allowing water to enter rooms containing electrical equipment used to shut down the plant. Three tanks at the plant could rupture, leaking water into the plant, and a backup diesel generator and electrical switch gear were vulnerable to flooding in such an emergency.
The report on Dominion Resources' Millstone Power Station in Connecticut noted that some equipment is classified as "seismically qualified" and must function during and after the maximum earthquake anticipated for the site (based on historical data plus a safety margin).
However, most sump pumps and flooding detectors are considered "non-safety related" and thus are not hardened to withstand earthquakes, the report said. Firefighting equipment staged to respond to severe fires or explosions was not stored in hardened buildings because a severe fire and an earthquake "were not assumed to occur coincidentally."
An "isolation valve" for unit 1 would have to be operated to pressurize the fire main to fight a fire. But the valve would be under water following an anticipated flood that occurred at the same time as a fire. These issues are under review, the NRC said.
At Entergy's Indian Point 2 station on the Hudson River above New York City, inspectors reported that fire fighting equipment is not designed to withstand earthquakes, which could compromise the fire protection system. Generally, plants are not required to survive a simultaneous loss of outside and internal alternating current power ("station blackout") and an earthquake, the NRC said.
In a severe accident at Indian Point, where it was crucial to relieve pressure inside the reactor containment, high pressures could damage equipment required to carry out the venting and "potentially prevent containment depressurization," the NRC said. Workers at Fukushima were forced to vent hydrogen and steam after fuel assemblies melted in order to prevent even more catastrophic damage to reactor containment structures and a far greater radiation release.
Ameren's Callaway nuclear plant in Missouri assigns operating staff to make up the fire brigade, but trying to fight two fires at once would be "very difficult" because of limited staffing, the NRC said.
The company had not assessed the capability of a halon fire suppression system that protects essential switchgear rooms. "The licensee determined that this equipment does not need to be evaluated based on an industry frequently asked question," the NRC said. The company has trained workers to use water to fight electrical switchgear fires if halon is not available, the report said, raising the risk of flooding in adjacent rooms with electrical controls because flood doors have not been established. The NRC said issues at both Indian Point and Callaway are being evaluated.
Threats not contemplated by designers
The inspections highlight a distinction between safety measures that are required and routinely inspected, based on anticipated risks -- the "design basis" events -- and threats that are considered too unlikely to require the same level of safety ruggedness, or "beyond design basis" events.
"I am really bothered by this separation between design basis and beyond-design basis," NRC Commissioner George Apostolakis said at a commission meeting last week.
"I appreciate the need for a design basis. Licensees know what they have to do. We impose all sorts of conditions. This particular pump must deliver this flow rate under these conditions. And then we are going to inspect. We are asking them to test it and tell us what they find, all that."
The plant owners' responses to beyond design basis threats are usually voluntary. "We keep saying, 'Oh, these are beyond basis events therefore we don't get involved.' We are happy that the industry responded. We look at it once. That's it. In the future it's up to them. I am really bothered by that."
"It is a constant challenge we have to deal with," NRC director of operations Bill Borchardt responded. "There is a balance."