Fukushima in Retrospect (2013)

Post on 18-Jul-2015






  • Fukushima in Retrospect (Lessons in Risk Assessment)

    Brian Landberg


  • Myths: Stories of Gods, Technology, and Consequences

    Prometheus : A central Greek myth ... human technology & associated risks.

    Knowledge stolen: Progress for humans, but also hubris (angering the gods) and other subsequent troubles: Endless torture (search for the truth?), and Pandora's box (uncertainty)

  • Comparative myth (Greek vs. Indian)

    Prometheus (name = foreknowledge): Fire (useful, but dangerous) as acquired knowledge, separate from nature [= invention]

    Mātariśvan (name = grown from mother): Fire (benevolent), gifted to the people with auspices of the gods, part of nature [= discovery]

  • Nuclear Power and Prometheus

    New force of nature (discovery & invention)

    1940s: Powerful weapon; 1950s: useful energy source

    Longstanding controversy: Dangers, uncertainties & serious accidents.

    Advantages for govt & industry

    Long term pros & cons continuously debated

  • Is nuclear power actually safe?

    YES: Atoms for peace*: swords into plowshares. Not like a bomb: U235 ~5% (vs. ~90% for bombs)

    NO: Difficult to assure Pu non-proliferation (byproduct of U238 + n reactions)

    YES: Cannot explode like an A-bomb (runaway chain reaction); Delayed-neutron critical design; H2O as moderator/coolant = failsafe feedback

    NO: Hydrogen/steam explosions, meltdowns can occur (due to LOCA); Chernobyl type reactors do (did) enable prompt-supercritical reaction.

    YES: Fundamentally similar to other power generation (make steam, turn turbines); Proven/reliable.

    NO: Complex to control reactor; Decommission difficult (radioactively contam. structures).

    YES: Multiple levels of design/engineering safety and redundancy (defense in depth philosophy); Earthquake proof construction (built on bedrock), proved at Kobe, Niigata earthquakes.

    NO: Vulnerable to nat. disasters (common cause to knock out all defense levels.)

    NO: Human error & human mgt./systems (including biased fault-line data)

    NO: Design blind spots (e.g. spent fuel pools)

    YES: 439 plants around the world operating safely for decades/millions of plant-hours.

    NO: Serious accidents have occurred, with very messy consequences.

    YES: Environmentally friendly (CO2, pollution); Much less waste than conventional oil, coal.

    NO: Only if accidents are fully prevented; Hi-level waste is a problem (reprocess or storage)

    * "My country wants to be constructive, not destructive. It wants agreement, not wars, among nations. It wants itself to live in freedom, and in the confidence that the people of every other nation enjoy equally the right of choosing their own way of life." - D. Eisenhower, 1953

  • Fukushima Status (and scope of damage)

    Fukushima 1, 2: total 6+4 = 10 reactors. Meltdowns (3), fuel recovery (4), decommissioning (10?). 10-year clean-up plan proposed (aggressive?)

    Fallout contamination area and evacuation: ~60,000 people remain evacuated in 2013 (orig. # 160k in 2011); 1000 sq. km., 15~30 million m^3 of soil

    Water contamination (ongoing): Ground water contamination by contact with melted nuclear fuel/soil. Water filtration systems remove Sr, Cs, etc. but not 3H Tritium (minor fission product, forms HTO water), so water must be stored in tanks rather than returned to ocean

    Denied permission to restart (ongoing): Most of Japan's 50 commercial nuclear power plants are off-line now [20~30% of all electric capacity]. About 10 reactors are applying for permission to restart, after safety measures added, data shown. Covered by increased imports of LNG/LPG and oil (energy costs up 20%, CO2 up 15%). Early decommission costs also to consider

    Japan's regulatory authority reorganized/empowered: Tougher stance to regain public trust. Reopen fault-line surveys at all plant sites, etc. Recommended to close plants at Hamaoka & Tsuruga due to seismic fault line risks

    Huge financial costs to consider (details later in the presentation).

  • Preventable Man-Made Disaster? Natural Catastrophe?

    "It was a profoundly man-made disaster that could and should have been foreseen and prevented. Its effects could have been mitigated by a more effective human response."

    - Dr. Kiyoshi Kurokawa, M.D. (Chair, Nuclear Accident Indep. Investig. Comm./Prof. Tokyo Univ.)

    Most powerful quake in Japan's history (350x energy vs. Kobe); 9m~40m tsunami height, affected up to 10km inland; ~18,500 lives lost to tsunami & earthquake; ~1M bldgs. destroyed/damaged

    13~14m tsunami hit Fukushima Daiichi; sea wall only 5.7m; all station power knocked out, including control room

  • Defense in Depth (DiD)*

    * DiD: originally military strategy to minimize enemy attack by prolonging/diffusing effects.

    Multi-layered design protection philosophy (perhaps not good enough)

    1. UO2 Oxide Fuel Pellet (Non-volatile, ~2800degC melt temp)

    2. Fuel cladding (Zircaloy, ~1800degC melt temp): H2 gas, embrittlement, swelling, at high temp

    3. Pressure Vessel (Ni-SUS): Spent fuel is external to PV

    4. Containment vessel/steel floor (thick concrete & steel): Containment of molten fuel could fail if structural integrity of CV is compromised by H2 explosion, earthquake, etc.

    5. Secondary containment building (std. building materials)

    6. Environmental buffer: Land/Forest; Water (sea, river). May contaminate adjacent sea/river ground water

    7. Location in remote, unpopulated region (e.g. 30km radius): No longer in common practice!

  • Preventable Man-Made Disaster or Natural Catastrophe?

    What is a black swan event? Example a): Lehman Shock; Example b): Collision/sinking of USS Titanic; Example c): M9.0 earthquake + Tsunami

    1. Judged highly improbable from past experience, risk estimations.
       - Conditional assumptions, extrapolations taken as absolute facts
       - Hints / early warnings easily ignored or covered up

    2. Wipes out multiple levels of safety or redundancy at once
       - Design basis can be exceeded: then what?

    Obvious facts about Fukushima: M9.0 has occurred before (e.g. 2004 Sumatra M9.1); Very large tsunami has occurred (e.g. Hokkaido 1993, 32m); LWR nuclear plants are on the shoreline, by design

  • Rasmussen Study (1975, MIT/AEC)

    Historic study to integrate risk severity (public attention) with occurrence frequency (industry focus)

    Biased: used to try to convince govt, public of safety of nuclear power.

    Militaristic approach: only considering # of deaths as measurable impact.

    * Risk of lethal dose of Chlorine release during domestic transport by train in USA (Cl used as example of toxic chemical release in populated areas).


    Source: http://www.osti.gov/energycitations/product.biblio.jsp?query_id=6&page=0&osti_id=7134131

    First use of probabilistic method for safety risk assessment (contrib. to FMEA method)

  • Collateral Risks Underestimated

    Practically zero deaths due to Fukushima accident, however HUGE DAMAGES to people, govt, and industry!

    Evacuations (indefinite) & resettlement; Personal/medical damages and claims; Contamination of land (Cs-137, 134) & water (Cs-137, Tritium); Fukushima-1 cleanup/fuel recovery; Decommissioning of other nuclear plants; Added fossil plants/fuels (Oil, LPG); Lost tourism (radiation concerns); Limited mfg. supply (power peaks, costs); Kyoto Protocol decommit (CO2 targets); Deaths from heatstroke due to excessive energy conservation (ironically)


  • Costs and Recovery ($USD equiv.) (paid by TEPCO & govt, eventually by citizens)

    What | How Long | How Much ($)
    On-site clean-up & decommission | 10~30yr | 250B
    Affected lands decontamination | 5yrs | 10B
    Evacuation living costs (housing, etc.) | 5yrs | 9B
    Reparations to evacuees (lost assets, jobs) | 3yrs | 8B
    Purchase contaminated land (20km zone) | 5yrs | 50B
    Medical claims & monitoring (evacuees) | 30yrs | 1B
    Decomm. other reactors (fault line risk, etc.) | 5yrs | 10B
    Upgrade other reactors | 5yrs | 11B
    Rebuild towns/communities over time | 10yrs | 269B
    Added fossil fuel plants & fossil fuels (+100T BTU/yr) | 20yrs | 460B
    Ramp-up solar/renewables infra & incentives | 20yrs | 100B

    Roughly ~$1.2T USD (= avg. 60B/year, or $500/person/year), to be paid for by increased taxes and higher energy prices.

  • Fukushima: what went well

    Despite widespread anger, mistrust, and confusion in Japan, at least (arguably)

    Evacuations rapid and orderly

    Heroic response on site during disaster to help limit damage

  • What Failed? (Quite a lot!)

  • Technical Blind Spots

    Protective sea wall too low (5.7m vs. 13m): risk assess insufficient

    Backup generators, battery sys., & control/breakers at ground/basement level

    No independent backup battery/generator power to control room: electric power required to control key functions and monitor reactor status via lights/gages

    Spent fuel pools vulnerable to loss of coolant & exposure/melt

    H2 production from overheated Zr cladding

    Vents unable to open due to failure of compressed air supply to open the valve, also without filters (despite backfit recommendations)

    Safety relief valves sealed shut under high pressure (unable to open in emergency)

  • Case Study #1: Isolation Condenser (Backup cooling water system for emergencies)

    Unable to confirm operation or not: No power to central control room; all metrologies lost

    Radiation prevented access to Containment Vessel (CV) to check

    External steam from Iso-con exhaust seen (misjudgment)

    Never tested Iso-con in 40yrs of operation

    Unable to notice signs that Iso-con not operating: Water level dropped; steam visible was not vigorous

    No one had ever seen Iso-con in operation

    No emergency ops training

  • Case Study #2: SR Valves (failed at Reactor #2)

    8 valves, to reduce pressure in Reactor pressure vessel (PV) at time of LOCA accident (steam build-up due to cooling system failure, causing excess pressure): release steam from PV to within Containment vessel (CV).

    Operated remotely from main control room: Requires electric power to operate & view status via indicator lights.

    Insufficient pressure differential between CV and PV can prevent valve opening. (Normally PV is much higher pressure vs. CV). CV reached ~7 Atm or 0.75MPa, vs. typical 1 Atm. [PV is ~7.5MPa]

  • Systemic/Political Failure

    FMEA worst case was only single-event LOCA: Beyond design-basis, station power outage, etc. not incl. Bigger risks assumed designed-out, or too low probability

    Regulatory Independence/Competency Lacking: Regulatory agency not having teeth for enforcement. Operators voluntarily apply regulations. Regulatory agency taking data from operators on faith (without validation). NISA lacking sufficient org. independence (from MEXT govt branch that serves to promote the industry) and technical expertise to assure quality/safety?

    Geological site data uncertainty: Historical tsunami risks underestimated and fault line evidence conveniently interpreted as low-risk by utilities.

  • Case Study: Geological Site Surveys

    NRA has concerns/investigations about possible active fault lines at or near some reactors:

    Hamaoka (Shizuoka): Requested by PM in 2011 to decommission, due to location in earthquake susceptible zone, near 2 tectonic plate boundaries (Utility accepted)

    Tsuruga (Fukui): NRA recommended to decommission (Utility disagrees)

    Ooi (Fukui); Shika (Ishikawa)

    Nuclear fuel cycle program also at risk due to fault concerns: Monju Fast Breeder reactor (Fukui), Rokkasho reprocess facility (Aomori)

    Estimations of max Tsunami and protective wall heights are also in contention.

  • Case Study: JCO Criticality Accident

    JCO: Japan Nuclear Fuel Conversion Company (Sumitomo Metals), working as subcon for Donen (Nuclear Fuel Development Corporation)

    1999: Serious nuclear accident (unrelated to TEPCO/Fukushima). Workers were mixing a batch of Uranium for Joyo experimental breeder reactor (U-235 with 18% enriched solution). Accidental criticality, resulted in workers' deaths by irradiation

    Serious failures in training, ignorance of SOPs, and lack of safety precautions. Outside of the commercial reactor industry, hence not subject to regular safety audits, etc. It resulted in ending of Japan's U-235 reprocessing activities.

  • Response/Communication Failure

    Govt's Off-Site Control Center (OFC) unusable

    No available emergency pumps and systems for high pressure injection to PV

    No training to actually deal with serious accidents of this level.

    SPEEDI system results withheld by govt

    Initial evacuation based on flawed data

  • Case Study: Off-Site Control Center (OFC)

    Govt's emergency center, just 5km from Fukushima Daiichi

    20 such locations in Japan, established after JCO criticality accident in 1999

    After only a few days of accident, the site was evacuated (moved to prefectural govt bldg.)

    Inadequate radiation protection (no air filters for ventilation system)

    Failed Audio/Video communications equipment (only satellite link was operational)

    Backup generator with limited fuel, not waterproofed

    Siting of OFCs indicates poor accident scenario planning.

    5km proximity is too close for case of H2 explosion, etc.

    Siting on shoreline, on landfill or potentially unstable grounds

    Another OFC (Onagawa, Miyagi) was destroyed by Tsunami

  • Case Study: SPEEDI

    SPEEDI (System for Prediction of Environment Emergency Dose Information) for monitoring & predictive mapping of fallout. SPEEDI was developed by Japanese govt explicitly for use in nuclear emergencies. Information was not publicly released to citizens until Apr-25. Also the data was partially compromised due to lost power to some monitoring stations after the earthquake. (Some data interpolated).

    The govt said it wanted to avoid releasing imperfect modeled data, due to potential misinterpretation of the data/maps, etc. Initial govt evacuation (Mar-14~15) was based simply on a circular radius, but the SPEEDI data indicated clearly that certain directions were more contaminated than others. It was recommended to expand/modify the evacuation zones.

    The failure to release critical info resulted in significant loss of trust/confidence in government information and reporting.

    Many local governments and citizens felt that if they had the data, they could have made better decisions to choose sites/directions to evacuate. Hence they felt that the govt exposed them needlessly to radiation risks. (Some evacuation centers outside of 30km but still with significant fallout.)

  • Other Blind Spots

    Radiation safety limits on foods and understanding of internal exposure (vs. external ionizing radiation damage)

  • Japan's Safety Myth: Paradise Lost?

    Context of Japan's great industrial prowess (technology & also quality), including nuclear. As nuclear industry leader, perhaps Japan strove to make rules, rather than follow them.

    Japan's dependence on foreign oil/gas also underscores nuclear power as a national security priority. Hence a long-term, strong govt agenda to support nuclear energy policy.

    1995 Kobe earthquake served to demonstrate robustness of Japanese plants. (2 nearby power plants were undamaged).

    Criticisms of safety (site fault line analyses, disaster response plans, etc.) were often brushed aside. Nuclear operators became defensive against no-nukes critics, sometimes perceived as ignorant or irrational. As in US, Chernobyl type accident was considered inconceivable in Japan.

    Nuclear operators allegedly utilized $ incentives and also mafia connections to secure local govt approval for new plants. It was/is not a healthy economic environment. This also fosters conflicts of interest, and makes criticism difficult.

    The nuclear industry promoted itself as absolutely safe and came to believe its own marketing promotion, to the point where tough questions (e.g. tsunami risks) were assumed irrelevant.

    Regulatory authority (govt) was believed to be too close to the interests of the nuclear industry (known as regulatory capture). It did not promote checks & balances.

    Nuclear industry failed to invest in recommended backfits (from IAEA, WANO, NRC); Falsified docs related to Equipment Inspections, and avoided investment in disaster response systems (since it might encourage fears among the public.)

    "It's a fact that there was an unreasonable overconfidence in the technology of Japan's nuclear power generation." - Banri Kaieda (Chief Minister, METI, 2011)

    "If culture explains behavior, then no one has to take responsibility," he said. "People have autonomy to choose. At issue are the choices they make, not the cultural context in which they make them." - Gerald Curtis, Columbia Univ. prof.

  • What is Changing? (Japan)

    Energy policy and nuclear fuel cycle policy re-assessment, but also, tougher regulations, new design requirements, better oversight.

    Nuclear Regulatory Org/Systems: More independent, tougher function, enforcement; Better communication/reporting to local/nat. govts

    Emergency Response: Emergency/Disaster response systems/resources; Radioactivity filtration systems & power/comms for disasters; More robust radiation monitoring and govt communications

    Earthquake/Tsunami Proofing: Re-assess on-site seismic fault lines; Forced decommissioning of some plants; Higher walls against tsunami; Auxiliary gen./battery located higher-up, water-tight bldgs.

    Reactor Design Changes: see next page

  • New Regulations (Japan): Reactor Engineering Design Changes

    Filters on external emergency CV vents

    Manual operation option for key valves

    Auxiliary pumps and water source for spent fuel pools

    Additional injection pumps into Containment vessel

    Secondary control room & backup power, away from reactor bldg.

  • What is Changing? (World)

    1. Beyond design-basis accident scenarios: Plant design reviews by 3rd party org. (WANO)

    Higher safety standards by pop density, multi-plant sites, etc.

    Inspection of emergency response systems; Bunker style backup safety systems, trained SWAT response team (France); Backup batteries for 72hrs (rather than 8hrs); Others (USA)

    2. Robust fuel storage solutions: Spent fuel storage (after 5yrs in pool) in self-contained dry casks (USA/France)

    3. Organizational Changes: NRC chief Jaczko resigns (USA), partly over push for stronger US regulations after Fukushima disaster. IAEA shakeup after criticism of slow/ineffective response (UN): Failed to mediate btwn govt reports from JP (downplay) and US (over-react). IAEA Radiological Event Scale also confusing/ineffective

  • What Have We Learned?

    Central problem of conflict of interests must be acknowledged and the bias compensated: Experts are mostly insiders/supporters; Regulators' jobs tied to industry success (regulatory capture)

    Civilian-run utilities must open up to govt/international help in a disaster situation

    Defense in depth and design basis philosophy can fail by black-swan induced common cause failures. Long technical experience/judgment does not justify low-risk

    Emerg. response systems are necessary - black swan events. Low occurrence, high severity risks must be in planning

    Risk assessment estimates - large uncertainty; Black swans happen. Robust metrologies are critical to know status and make decisions

  • What Must We Do (Quality/Reliability professionals)

    Frequently re-assess systemic/org. biases: Keep balance between Lean (reduce data) & Conservative (demand more data). Rotate people to keep fresh viewpoints. Checks and balances to compensate org. biases, avoid regulatory capture.

    Diligently avoid reality distortion: Reject fitting/interpreting data to the requirement. Plan ahead to avoid ignoring key info due to short timeline (rushed). 3rd party oversight: Prevent censoring of dissenting/competing views

    Ensure planning & systems for black swan events: "Estimated as low chance of occurrence, hence do nothing" is not acceptable. No data or few data points = high uncertainty. Probabilistic Risk and FMEA have difficulty to estimate Frequency for rare or unknown events. Supplementary tools required.

    Release data quickly during excursions (even with known uncertainties). Don't wait for perfect decisions

  • Ref: Evolution of Dealing with Risk (Past / Present / Future)

    Tools: Past = Common sense; Present = Statistical/Logical (SPC, FMEA); Future = Predictive by design; Real-time sensors; X-checking

    Bias: Past = Subjective; Present = Objective; Future = Known bias compensation

    Approach: Past = Engineering experience; Present = Conservative (max data); Future = Lifetime value (DFR, Taguchi loss function, Lean, etc.)

  • Ref: Further Reading/Watching

    Overall Summaries


    http://www.iaea.org/newscenter/focus/fukushima/japan-report2/japanreport120911.pdf (IAEA summary)

    http://www.bbc.co.uk/news/world-asia-18718486 (BBC summary)

    http://www.dipity.com/edyong209/Fukushima-disaster/ (timeline)

    http://www.ifs.tohoku.ac.jp/maru/kougi/thermal-science/data/2013.04.30/2013.pdf (Tohoku Univ. technical analysis)

    http://www.tepco.co.jp/en/nu/fukushima-np/images/handouts_111130_04-e.pdf (TEPCO core meltdown technical analysis)

    http://spectrum.ieee.org/energy/nuclear/24-hours-at-fukushima (first 24hrs in detail)

    http://www.youtube.com/watch?v=ixjlSsUlNBw (Meltdown NHK documentary, English subtitles/narration)

    Impacts/Results/Ongoing Issues

    http://thebreakthrough.org/archive/new_data_japanese_fuel_imports (CO2)

    http://e360.yale.edu/feature/as_fukushima_cleanup_begins_long-term_impacts_are_weighed/2482/ (land contamination)

    http://www.world-nuclear-news.org/RS_Japan_readies_for_restarts_1906131.html (restarts)

    http://www3.nhk.or.jp/nhkworld/english/news/20130706_27.html (Tritium levels in local ocean)

    Global Reactions/Analyses

    http://www.nature.com/news/france-imagines-the-unimaginable-1.9780 (France, on failure of defense in depth)

    http://www.engineeringnews.co.za/article/lessons-from-japans-nuclear-crisis-2011-11-04 (technical lessons)

    http://www.nytimes.com/2011/06/02/world/asia/02japan.html?_r=2&ref=world& (NYT analysis)

    http://www.youtube.com/watch?v=AG1QmEQ84aY (Gregory Jaczko video interview)

    http://ajw.asahi.com/tag/PROMETHEUS%20TRAP?page=4 (Asahi Newspaper, Prometheus Trap series)

    Lessons for Risk Assessment Methodology



  • Ref: LWR Nuclear Plant Safety Design

    Design Considerations

    Negative Feedback mechanism vs. chain reaction criticality (sustainability)

    Delayed supercriticality (chain reaction dependent on delayed neutrons rather than prompt)

    H2O coolant is also moderator of reaction (i.e. loss of coolant physically stops nuclear reaction)

    Temp increase leads to voiding, which reduces/stops reaction

    Control Rods (pull out/up to operate, drop down to stop reaction)

    Boric Acid (absorb neutrons to stop reaction, reduce heat)

    Scram / Trip (emergency shutdown)

    Physical Levels of Containment (DiD) Fuel pellet, Cladding, PV, CV, Building, ( plus surrounding environs ~2km)


  • Ref: Nuclear Power Plants in Japan

    ~30% of Japan's electricity until 2011 (~50% for Tokyo). 50 nuclear reactors (PWR, BWR) at 15 locations. Biggest sites are: Fukushima (10), Kashiwazaki (7)

    Decommissioned: Hamaoka (3 of 5); Fugen (1, FBR); Tokai (1 of 2, GCR)

    Others: Fast Breeder (FBR): Monju (Fukui)

    Fuel process related: Rokkasho (Aomori), Tokai (Ibaraki)