Fukushima in Retrospect (2013)
Post on 18-Jul-2015
Fukushima in Retrospect (Lessons in Risk Assessment)
Myths: Stories of Gods, Technology, and Consequences
Prometheus : A central Greek myth ... human technology & associated risks.
Knowledge stolen. Progress for humans, but also hubris (angering the gods) and other subsequent troubles: endless torture (search for the truth?) and Pandora's box (uncertainty)
Comparative myth (Greek vs. Indian)
Prometheus (name = foreknowledge): fire (useful, but dangerous) as acquired knowledge, separate from nature [= invention]
Mātariśvan (name = grown from mother): fire (benevolent), gifted to the people with auspices of the gods, part of nature
Nuclear Power and Prometheus
New force of nature (discovery & invention)
1940s: powerful weapon; 1950s: useful energy source
Longstanding controversy: Dangers, uncertainties & serious accidents.
Advantages for govt & industry
Long term pros & cons continuously debated
Is nuclear power actually safe?
"Atoms for peace"*: swords into plowshares. Not like a bomb: U-235 ~5% (vs. ~90% for bombs)
Difficult to assure Pu non-proliferation (byproduct of U-238 + n reactions)
Cannot explode like an A-bomb (runaway chain reaction); Delayed-neutron critical design; H2O as moderator/coolant = failsafe feedback
Hydrogen/steam explosions, meltdowns can occur (due to LOCA); Chernobyl type reactors do (did) enable prompt-supercritical reaction.
Fundamentally similar to other power generation (make steam, turn turbines); Proven/reliable.
Complex to control reactor; Decommission difficult (radioactively contam. structures).
Multiple levels of design/engineering safety and redundancy (defense in depth philosophy); Earthquake proof construction (built on bedrock), proved at Kobe, Niigata earthquakes.
Vulnerable to nat. disasters (common cause to knock out all defense levels.)
Human error & human mgt./systems (including biased fault-line data)
Design blind spots (e.g. spent fuel pools)
439 plants around the world operating safely for decades/millions of plant-hours.
Serious Accidents have occurred, with very messy consequences.
Environmentally friendly (CO2, pollution); Much less waste than conventional oil, coal.
Only if accidents are fully prevented; Hi-level waste is a problem (reprocess or storage)
* "My country wants to be constructive, not destructive. It wants agreement, not wars, among nations. It wants itself to live in freedom, and in the confidence that the people of every other nation enjoy equally the right of choosing their own way of life." - D. Eisenhower, 1953
Fukushima Status (and scope of damage)
Fukushima 1, 2: total 6+4 = 10 reactors
- Meltdowns (3), fuel recovery (4), decommissioning (10?)
- 10-year clean-up plan proposed (aggressive?)
Fallout contamination area and evacuation
- ~60,000 people remain evacuated in 2013 (orig. # 160k in 2011)
- 1000 sq. km, 15~30 million m^3 of soil
Water contamination (ongoing)
- Ground water contamination by contact with melted nuclear fuel/soil
- Water filtration systems remove Sr, Cs, etc. but not 3H tritium (minor fission product, forms HTO water), so water must be stored in tanks rather than returned to ocean
Denied permission to restart (ongoing)
- Most of Japan's 50 commercial nuclear power plants are off-line now [20~30% of all electric capacity]
- About 10 reactors are applying for permission to restart, after safety measures added, data shown
- Covered by increased imports of LNG/LPG and oil (energy costs up 20%, CO2 up 15%)
- Early decommission costs also to consider
Japan's regulatory authority reorganized/empowered
- Tougher stance to regain public trust
- Reopen fault-line surveys at all plant sites, etc.
- Recommended to close plants at Hamaoka & Tsuruga due to seismic fault line risks
Huge financial costs to consider (details later in the presentation).
Preventable Man-Made Disaster? Natural Catastrophe?
"It was a profoundly man-made disaster that could and should have been foreseen and prevented. Its effects could have been mitigated by a more effective human response."
- Dr. Kiyoshi Kurokawa, M.D. (Chair, Nuclear Accident Indep. Investig. Comm./Prof. Tokyo Univ.)
Most powerful quake in Japan's history (350x energy vs. Kobe)
9m~40m tsunami height, affected up to 10km inland
~18,500 lives lost to tsunami & earthquake
~1M bldgs. destroyed/damaged
13~14m tsunami hit Fukushima Daiichi
Sea wall only 5.7m; all station power knocked out, including control room
Defense in Depth (DiD)*
* DiD: originally military strategy to minimize enemy attack by prolonging/diffusing effects.
Multi-layered design protection philosophy (perhaps not good enough)
1. UO2 oxide fuel pellet (non-volatile, ~2800 degC melt temp)
2. Fuel cladding (Zircaloy, ~1800 degC melt temp). H2 gas, embrittlement, swelling at high temp.
3. Pressure vessel (Ni-SUS). Spent fuel is external to PV.
4. Containment vessel/steel floor (thick concrete & steel). Containment of molten fuel could fail if structural integrity of CV is compromised by H2 explosion, earthquake, etc.
5. Secondary containment building (std. building materials)
6. Environmental buffer: land/forest; water (sea, river). May contaminate adjacent sea/river, ground water.
7. Location in remote, unpopulated region (e.g. 30km radius). No longer in common practice!
Preventable Man-Made Disaster or Natural Catastrophe?
What is a "black swan" event?
Example a): Lehman Shock
Example b): Collision/sinking of USS Titanic
Example c): M9.0 earthquake + tsunami
1. Judged highly improbable from past experience, risk estimations.
- Conditional assumptions, extrapolations taken as absolute facts
- Hints / early warnings easily ignored or covered up
2. Wipes out multiple levels of safety or redundancy at once
- Design basis can be exceeded; then what?
Obvious facts about Fukushima:
- M9.0 has occurred before (e.g. 2004 Sumatra M9.1)
- Very large tsunami has occurred (e.g. Hokkaido 1993, 32m)
- LWR nuclear plants are on the shoreline, by design
Rasmussen Study (1975, MIT/AEC)
Historic study to integrate risk severity (public attention) with occurrence frequency (industry focus)
Biased: used to try to convince govt, public of safety of nuclear power.
Militaristic approach: only considering # of deaths as measurable impact.
* Risk of lethal dose of chlorine release during domestic transport by train in USA (Cl used as example of toxic chemical release in populated areas).
First use of probabilistic method for safety risk assessment (contrib. to FMEA method)
Collateral Risks Underestimated
Practically zero deaths due to Fukushima accident, however HUGE DAMAGES to people, govt, and industry!
- Evacuations (indefinite) & resettlement
- Personal/medical damages and claims
- Contamination of land (Cs-137, 134) & water (Cs-137, tritium)
- Fukushima-1 cleanup/fuel recovery
- Decommissioning of other nuclear plants
- Added fossil plants/fuels (oil, LPG)
- Lost tourism (radiation concerns)
- Limited mfg. supply (power peaks, costs)
- Kyoto Protocol decommit (CO2 targets)
- Deaths from heatstroke due to excessive energy conservation (ironically)
Costs and Recovery ($USD equiv.) (paid by TEPCO & govt, eventually by citizens)

| What | How Long | How Much ($) |
|---|---|---|
| On-site clean-up & decommission | 10~30 yrs | 250B |
| Affected lands decontamination | 5 yrs | 10B |
| Evacuation living costs (housing, etc.) | 5 yrs | 9B |
| Reparations to evacuees (lost assets, jobs) | 3 yrs | 8B |
| Purchase contaminated land (20km zone) | 5 yrs | 50B |
| Medical claims & monitoring (evacuees) | 30 yrs | 1B |
| Decomm. other reactors (fault line risk, etc.) | 5 yrs | 10B |
| Upgrade other reactors | 5 yrs | 11B |
| Rebuild towns/communities over time | 10 yrs | 269B |
| Added fossil fuel plants & fossil fuels (+100T BTU/yr) | 20 yrs | 460B |
| Ramp-up solar/renewables infra & incentives | 20 yrs | 100B |

Roughly ~$1.2T USD (= avg. 60B/year, or $500/person/year) to be paid for by increased taxes and higher energy prices.
Fukushima: what went well
Despite widespread anger, mistrust, and confusion in Japan, at least (arguably):
Evacuations rapid and orderly
Heroic response on site during disaster to help limit damage
What Failed? (Quite a lot!)
Technical Blind Spots
Protective sea wall too low (5.7m vs. 13m): risk assessment insufficient
Backup generators, battery sys., & control/breakers at ground/basement level
No independent backup battery/generator power to control room: electric power required to control key functions and monitor reactor status via lights/gauges
Spent fuel pools vulnerable to loss of coolant & exposure/melt
H2 production from overheated Zr cladding
Vents unable to open due to failure of compressed air supply to open the valve; vents also without filters (despite backfit recommendations)
Safety relief valves sealed shut under high pressure (unable to open in emergency)
Case Study #1: Isolation Condenser (backup cooling water system for emergencies)
Unable to confirm whether it was operating or not
- No power to central control room; all metrologies lost
- Radiation prevented access to Containment Vessel (CV) to check
- External steam from Iso-con exhaust seen (misjudgment)
Never tested Iso-con in 40 yrs of operation
Unable to notice signs that Iso-con was not operating
- Water level dropped; steam visible was not vigorous
No one had ever seen Iso-con in operation
No emergency ops training
Case Study #2: SR Valves (failed at Reactor #2)
8 valves, to reduce pressure in the reactor pressure vessel (PV) at time of LOCA accident (steam build-up due to cooling system failure, causing excess pressure): they release steam from PV to within the containment vessel (CV).
Operated remotely from main control room. Requires electric power to operate & view status via indicator lights.
Insufficient pressure differential between CV and PV can prevent valve opening. (Normally PV is at much higher pressure vs. CV.) CV reached ~7 atm or 0.75MPa, vs. typical 1 atm. [PV is ~7.5MPa]
FMEA worst case was only single-event LOCA
- Beyond design-basis, station power outage, etc. not incl.
- Bigger risks assumed designed-out, or too low probability
Regulatory Independence/Competency Lacking
- Regulatory agency not having teeth for enforcement
- Operators voluntarily apply regulations
- Regulatory agency taking data from operators on faith (without validation)
- NISA lacking sufficient org. independence (from MEXT govt branch that serves to promote the industry) and technical expertise to assure quality/safety?
- Geological site data uncertainty: historical tsunami risks underestimated and fault line evidence conveniently interpreted as low-risk by utilities.
Case Study: Geological Site Surveys
NRA has concerns/investigations about possible active fault lines at or near some reactors:
- Hamaoka (Shizuoka): requested by PM in 2011 to decommission, due to location in earthquake susceptible zone, near 2 tectonic plate boundaries (utility accepted)
- Tsuruga (Fukui): NRA recommended to decommission (utility disagrees)
- Ooi (Fukui)
- Shika (Ishikawa)
Nuclear fuel cycle program also at risk due to fault concerns:
- Monju Fast Breeder reactor (Fukui)
- Rokkasho reprocess facility (Aomori)
Estimations of max Tsunami and protective wall heights are also in contention.
Case Study: JCO Criticality Accident
JCO: Japan Nuclear Fuel Conversion Company (Sumitomo Metals), working as subcon for Donen (Nuclear Fuel Development Corporation)
1999: Serious nuclear accident (unrelated to TEPCO/Fukushima)
- Workers were mixing a batch of uranium for Joyo experimental breeder reactor (U-235 with 18% enriched solution)
- Accidental criticality resulted in workers' deaths by irradiation
- Serious failures in training, ignorance of SOPs, and lack of safety precautions.
- Outside of the commercial reactor industry, hence not subject to regular safety audits, etc.
- It resulted in ending of Japan's U-235 reprocessing activities.
Govt's Off-Site Control Center (OFC) unusable
No available emergency pumps and systems for high pressure injection to PV
No training to actually deal with serious accidents of this level.
SPEEDI system results withheld by govt
Initial evacuation based on flawed data
Case Study: Off-Site Control Center (OFC)
Govt's emergency center, just 5km from Fukushima Daiichi
20 such locations in Japan, established after JCO criticality accident in 1999
After only a few days of accident, the site was evacuated (moved to prefectural govt bldg.)
Inadequate radiation protection (no air filters for ventilation system)
Failed Audio/Video communications equipment (only satellite link was operational)
Backup generator with limited fuel, not waterproofed
Siting of OFCs indicates poor accident scenario planning.
5km proximity is too close for case of H2 explosion, etc.
Siting on shoreline, on landfill or potentially unstable grounds
Another OFC (Onagawa, Miyagi) was destroyed by Tsunami
Case Study: SPEEDI
SPEEDI (System for Prediction of Environment Emergency Dose Information) is for monitoring & predictive mapping of fallout.
SPEEDI was developed by the Japanese govt explicitly for use in nuclear emergencies.
Information was not publicly released to citizens until Apr-25. Also, the data was partially compromised due to lost power to some monitoring stations after the earthquake. (Some data interpolated.)
The govt said it wanted to avoid releasing imperfect modeled data, due to potential misinterpretation of the data/maps, etc.
Initial govt evacuation (Mar-14~15) was based simply on a circular radius, but the SPEEDI data indicated clearly that certain directions were more contaminated than others. It was recommended to expand/modify the evacuation zones.
The failure to release critical info resulted in significant loss of trust/confidence in government information and reporting.
Many local governments and citizens felt that if they had the data, they could have made better decisions to choose sites/directions to evacuate. Hence they felt that the govt exposed them needlessly to radiation risks. (Some evacuation centers outside of 30km but still with significant fallout.)
Other Blind Spots
Radiation safety limits on foods and understanding of internal exposure (vs. external ionizing radiation damage)
Japan's Safety Myth: Paradise Lost?
Context of Japan's great industrial prowess (technology & also quality), including nuclear. As nuclear industry leader, perhaps Japan strove to make rules, rather than follow them.
Japan's dependence on foreign oil/gas also underscores nuclear power as a national security priority. Hence a long-term, strong govt agenda to support nuclear energy policy.
1995 Kobe earthquake served to demonstrate robustness of Japanese plants. (2 nearby power plants were undamaged.)
Criticisms of safety (site fault line analyses, disaster response plans, etc.) were often brushed aside. Nuclear operators became defensive against no-nukes critics, sometimes perceived as ignorant or irrational. As in US, Chernobyl type accident was considered inconceivable in Japan.
Nuclear operators allegedly utilized $ incentives and also mafia connections to secure local govt approval for new plants. It was/is not a healthy economic environment. This also fosters conflicts of interest, and makes criticism difficult.
The nuclear industry promoted itself as absolutely safe and came to believe its own marketing promotion, to the point where tough questions (e.g. tsunami risks) were assumed irrelevant.
Regulatory authority (govt) was believed to be too close to the interests of the nuclear industry (known as regulatory capture). It did not promote checks & balances.
Nuclear industry failed to invest in recommended backfits (from IAEA, WANO, NRC); Falsified docs related to Equipment Inspections, and avoided investment in disaster response systems (since it might encourage fears among the public.)
"It's a fact that there was an unreasonable overconfidence in the technology of Japan's nuclear power generation." - Banri Kaieda (Chief Minister, METI, 2011)
"If culture explains behavior, then no one has to take responsibility," he said. "People have autonomy to choose. At issue are the choices they make, not the cultural context in which they make them." - Gerald Curtis, Columbia Univ. prof.
What is Changing? (Japan)
Energy policy and nuclear fuel cycle policy re-assessment, but also tougher regulations, new design requirements, better oversight.
Nuclear Regulatory Org/Systems
- More independent, tougher function, enforcement
- Better communication/reporting to local/nat. govts
Emergency Response
- Emergency/disaster response systems/resources
- Radioactivity filtration systems & power/comms for disasters
- More robust radiation monitoring and govt communications
Earthquake/Tsunami Proofing
- Re-assess on-site seismic fault lines
- Forced decommissioning of some plants
- Higher walls against tsunami
- Auxiliary gen./battery located higher-up
Reactor Design Changes: see next page
New Regulations (Japan)
Reactor Engineering Design Changes
Filters on external emergency CV vents
Manual operation option for key valves
Auxiliary pumps and water source for spent fuel pools
Additional injection pumps into Containment vessel
Secondary control room & backup power, away from reactor bldg.
What is Changing? (World)
1. Beyond design-basis accident scenarios:
- Plant design reviews by 3rd party org. (WANO)
- Higher safety standards by pop density, multi-plant sites, etc.
- Inspection of emergency response systems
- Bunker style backup safety systems, trained SWAT response team (France)
- Backup batteries for 72hrs (rather than 8hrs)
- Others (USA)
2. Robust fuel storage solutions
- Spent fuel storage (after 5yrs in pool) in self-contained dry casks (USA/France)
3. Organizational Changes
- NRC chief Jaczko resigns (USA), partly over push for stronger US regulations after Fukushima disaster
- IAEA shakeup after criticism of slow/ineffective response (UN)
- Failed to mediate btwn govt reports from JP (downplay) and US (over-react)
- IAEA Radiological Event Scale also confusing/ineffective
What Have We Learned?
Central problem of conflict of interests must be acknowledged and the bias compensated
- Experts are mostly insiders/supporters
- Regulators' jobs tied to industry success (regulatory capture)
Civilian-run utilities must open up to govt/international help in a disaster situation
Defense in depth and design basis philosophy can fail by black-swan induced common cause failures
- Long technical experience/judgment does not justify "low-risk"
Emerg. response systems are necessary for black swan events.
- Low occurrence, high severity risks must be in planning
Risk assessment estimates have large uncertainty; black swans happen
- Robust metrologies are critical to know status and make decisions
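The common-cause point above, worked as a small fault-tree calculation. This is an added example, not part of the original slides: the three power layers and the shared "flood" cause follow the blind spots listed under "What Failed?", while all probabilities and the function names are constructed for illustration.

```python
from itertools import product
from math import prod

# Constructed annual probabilities of each basic event (illustrative only).
BASIC_EVENTS = {
    "flood": 1e-3,           # beyond-design-basis tsunami overtops the sea wall
    "grid_random": 1e-1,     # off-site power lost for unrelated reasons
    "diesel_random": 1e-2,   # backup generators fail to start or run
    "battery_random": 1e-2,  # DC batteries fail
}

# Each power layer fails if ANY of its causes occurs. "flood" is shared: the
# slides note generators, batteries and breakers sat at ground/basement level.
LAYERS = {
    "offsite_grid": {"grid_random", "flood"},
    "diesel_generators": {"diesel_random", "flood"},
    "batteries": {"battery_random", "flood"},
}


def layer_failure_prob(causes, events):
    """Marginal probability that one layer fails (any of its causes occurs)."""
    return 1 - prod(1 - events[c] for c in causes)


def naive_all_fail(layers, events):
    """Multiply per-layer probabilities as if the layers were independent."""
    return prod(layer_failure_prob(c, events) for c in layers.values())


def exact_all_fail(layers, events):
    """Enumerate every combination of basic events and sum the probability of
    those in which every layer has at least one of its causes present."""
    names = list(events)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        occurred = {n for n, hit in zip(names, state) if hit}
        p_state = prod(events[n] if n in occurred else 1 - events[n] for n in names)
        if all(causes & occurred for causes in layers.values()):
            total += p_state
    return total


def without_cause(layers, layer, cause):
    """Copy of the model where `layer` no longer depends on `cause`
    (for example, batteries relocated above the flood level)."""
    return {k: (v - {cause} if k == layer else set(v)) for k, v in layers.items()}


if __name__ == "__main__":
    naive = naive_all_fail(LAYERS, BASIC_EVENTS)
    exact = exact_all_fail(LAYERS, BASIC_EVENTS)
    raised = exact_all_fail(without_cause(LAYERS, "batteries", "flood"), BASIC_EVENTS)
    print(f"independence assumed : {naive:.2e} per year")
    print(f"shared cause modelled: {exact:.2e} per year ({exact / naive:.0f}x higher)")
    print(f"batteries relocated  : {raised:.2e} per year")
```

With these constructed inputs the station-blackout estimate is dominated by the single shared cause, and removing that dependency from just one layer restores most of the benefit of redundancy.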
What Must We Do (Quality/Reliability professionals)
Frequently re-assess systemic/org. biases
- Keep balance between Lean (reduce data) & Conservative (demand more data)
- Rotate people to keep fresh viewpoints
- Checks and balances to compensate org. biases, avoid regulatory capture.
Diligently avoid reality distortion
- Reject fitting/interpreting data to the requirement
- Plan ahead to avoid ignoring key info due to short timeline (rushed).
- 3rd party oversight: prevent censoring of dissenting/competing views
Ensure planning & systems for black swan events
- "Estimated as low chance of occurrence, hence do nothing" is not acceptable.
- No data or few data points = high uncertainty
- Probabilistic Risk and FMEA have difficulty estimating frequency for rare or unknown events. Supplementary tools required.
Release data quickly during excursions (even with known uncertainties)
- Don't wait for perfect decisions
Ref: Evolution of Dealing with Risk

| | Past | Present | Future |
|---|---|---|---|
| Tools | Common sense | Statistical/Logical (SPC, FMEA) | Predictive by design; Real-time sensors; X-checking |
| Bias | Subjective | Objective | Known bias compensation |
Lifetime value (DFR, Taguchi loss function, Lean, etc.)
Ref: Further Reading/Watching
Overall Summaries
http://www.iaea.org/newscenter/focus/fukushima/japan-report2/japanreport120911.pdf (IAEA summary)
http://www.bbc.co.uk/news/world-asia-18718486 (BBC summary)
http://www.ifs.tohoku.ac.jp/maru/kougi/thermal-science/data/2013.04.30/2013.pdf (Tohoku Univ. technical analysis)
http://www.tepco.co.jp/en/nu/fukushima-np/images/handouts_111130_04-e.pdf (TEPCO core meltdown technical analysis)
http://spectrum.ieee.org/energy/nuclear/24-hours-at-fukushima (first 24hrs in detail)
http://www.youtube.com/watch?v=ixjlSsUlNBw (Meltdown NHK documentary, English subtitles/narration)
http://e360.yale.edu/feature/as_fukushima_cleanup_begins_long-term_impacts_are_weighed/2482/ (land contamination)
http://www3.nhk.or.jp/nhkworld/english/news/20130706_27.html (Tritium levels in local ocean)
http://www.nature.com/news/france-imagines-the-unimaginable-1.9780 (France, on failure of defense in depth)
http://www.engineeringnews.co.za/article/lessons-from-japans-nuclear-crisis-2011-11-04 (technical lessons)
http://www.nytimes.com/2011/06/02/world/asia/02japan.html?_r=2&ref=world& (NYT analysis)
http://www.youtube.com/watch?v=AG1QmEQ84aY (Gregory Jaczko video interview)
http://ajw.asahi.com/tag/PROMETHEUS%20TRAP?page=4 (Asahi Newspaper, Prometheus Trap series)
Lessons for Risk Assessment Methodology
Ref: LWR Nuclear Plant Safety Design
Design Considerations
Negative Feedback mechanism vs. chain reaction criticality (sustainability)
Delayed supercriticality (chain reaction dependent on delayed neutrons rather than prompt)
H2O coolant is also moderator of reaction (i.e. loss of coolant physically stops nuclear reaction)
Temp increase leads to voiding, which reduces/stops reaction
Control Rods (pull out/up to operate, drop down to stop reaction)
Boric Acid (absorb neutrons to stop reaction, reduce heat)
Scram / Trip (emergency shutdown)
Physical Levels of Containment (DiD)
Fuel pellet, Cladding, PV, CV, Building (plus surrounding environs ~2km)
Ref: Nuclear Power Plants in Japan
~30% of Japan's electricity until 2011 (~50% for Tokyo)
50 nuclear reactors (PWR, BWR) at 15 locations. Biggest sites are: Fukushima (10), Kashiwazaki (7)
Decommissioned: Hamaoka (3 of 5); Fugen (1, FBR); Tokai (1 of 2, GCR)
Others: Fast Breeder (FBR)
Fuel process related: Rokkasho (Aomori), Tokai (Ibaraki)