
Nuclear Instruments and Methods in Physics Research A 731 (2013) 3–7

The accident at TEPCO's Fukushima-Daiichi Nuclear Power Station: What went wrong and what lessons are universal?

Akira Omoto

Tokyo Institute of Technology, 2-12-1-N1-1 Ookayama, Meguro-ku, Tokyo 152-8550, Japan

Tel./fax: +81 3 5450 7636.

http://dx.doi.org/10.1016/j.nima.2013.04.017

Article info

Available online 18 May 2013

Keywords: Nuclear safety; Nuclear accident; Defense in depth

Abstract

After a short summary of the nuclear accident at the Fukushima Daiichi Nuclear Power Station, this paper discusses “what went wrong” by illustrating the problems of the specific layers of defense-in-depth (basic strategy for assuring nuclear safety) and “what lessons are universal.” Breaches in the multiple layers of defense were particularly significant in respective protection (a) against natural disasters (first layer of defense) as well as (b) against severe conditions, specifically in this case, a complete loss of AC/DC power and isolation from the primary heat sink (fourth layer of defense). Confusion in crisis management by the government and insufficient implementation of offsite emergency plans revealed problems in the fifth layer of defense.

By taking into consideration managerial and safety culture that might have relevance to this accident, in the author's view, universal lessons are as follows:

a) Resilience: the need to enhance organizational capabilities to respond, monitor, anticipate, and learn in changing conditions, especially to prepare for the unexpected. This includes increasing distance to cliff edge by knowing where it exists and how to increase safety margin.

b) Responsibility: the operator is primarily responsible for safety, and the government is responsible for protecting public health and environment. For both, their right decisions are supported by competence, knowledge, and an understanding of the technology, as well as humble attitudes toward the limitations of what we know and what we can learn from others.

c) Social license to operate: the need to avoid, as much as possible regardless of its probability of occurrence, the reasonably anticipated environmental impact (such as land contamination), as well as to build public confidence/trust and a renewed liability scheme.

© 2013 Elsevier B.V. All rights reserved.

1. Introduction

On Friday 11 March 2011 at 14:46 local time, a magnitude 9.0 earthquake struck near the east coast of Honshu, Japan, caused by multi-segment failures over wide areas in the nearby Japan Trench (Fig. 1-1). The subsequent tsunami left TEPCO's FDNPS without AC/DC power and isolated from its primary heat sink (ocean).

Because of flooding and loss of the heat sink, seawater-cooled EDGs failed to function. Even though two air-cooled EDGs started to operate, flooded electric equipment rooms failed to deliver electricity (both DC and AC) to safety equipment (Fig. 1-2). All the onsite and offsite power was completely lost but, most importantly, flooding of the electric equipment rooms disabled the supply of electricity to components and devices.

By design, under this complete loss of power and heat sink, AC-independent reactor water makeup systems (HPCI and RCIC) are supposed to continue, for a certain period of time, delivering cooling water by taking advantage of the steam produced by decay heat from the nuclear fuel (Fig. 1-3 and 1-4). When these AC-independent systems function, AM procedures dictate that the reactor operator should maintain fuel cooling by depressurizing the reactor coolant system, thereby enabling injection of low-pressure water (such as that from fire engines). However, at Units 2 and 3, the harsh environment and extensive damage prevented timely use of mobile equipment for implementing AM procedures, and reactor cores were damaged before the AC-independent systems terminated their service on the third and fourth days following the quake (Fig. 1-5).

As shown in Fig. 1-6, heavily contaminated areas were extended toward the northwest, probably caused by the deposition of Cs leeward following a significant release of radioactivity on the morning of March 15 from Unit 2. More than 140,000 residents were forced to evacuate. The estimated external exposure was less than 10 mSv for most evacuees (99.3%) [2]. Food control seemed effective in reducing internal exposure, although thyroid exposure needed further scrutiny. The overall cost of the accident, including compensation, decontamination, and additional decommissioning costs, is estimated to go beyond 100B USD. An additional 30B USD/year is being paid by power companies to purchase extra oil and gas to compensate for the lost electricity from nuclear power; as of August 2012, only two of the 48 nuclear reactors were in operation.

There are 14 commercial nuclear power plants located along the coast of the Pacific Ocean. Except for Units 1–3 at TEPCO's FDNPS, all were safe. They were damaged by the tsunami, but reactor safety was maintained primarily because electrical power remained available to each of them.

Nomenclature

AM(G): Accident Management (Guideline)
EDG: Emergency diesel generator
FDNPS: Fukushima Daiichi Nuclear Power Station
FP: Fission products
JSCE: Japanese Society of Civil Engineers
METI: Ministry of Economics, Trade, and Industry
NISA: Nuclear and Industrial Safety Agency
NSC: Nuclear Safety Commission
PSA: Probabilistic Safety Assessment
RPV: Reactor pressure vessel
TEPCO: Tokyo Electric Power Company

Fig. 1-1. Source of the Great Tohoku Earthquake in the Japan Trench.

Fig. 1-2. Both onsite and offsite AC and DC electrical power were lost.

Fig. 1-3. Water makeup system failed to cool nuclear fuel in the RPV.

Fig. 1-4. RCIC: an AC-independent water makeup system intended to cool nuclear fuel in the RPV.

Fig. 1-5. Sequence of events during the accident.


Fig. 1-6. Predicted annual dose (as of November 2011) in areas surrounding FDNPS [1].

Fig. 2-1. Relations between AM procedures and plant damage conditions.


2. What went wrong?

The prevention of radiological impact on humans and the environment due to a nuclear reactor accident follows the basic philosophy of defense-in-depth. Defense-in-depth consists of five layers [3]: the first three are based on design of structure, system, and component, the fourth is based on prevention and mitigation beyond design (severe accident), and the fifth is based on an offsite emergency plan. In this paper, I focus on levels 1, 4, and 5 of this defense strategy.

2.2. Level 1: design for protection against failure

In 2002, Japanese utilities modified the design basis for nuclear power plants on the basis of the JSCE guideline for design protection against tsunami [4]. This new guideline was supposed to consider historical tsunami records, seismotectonics, near-field earthquakes, and far-removed earthquakes. The process of formulating this guideline did not include critical review by public comment. In July 2002, the government's Earthquake Research Headquarters released a long-term projection of earthquakes, which included tsunami earthquakes that might occur anywhere along the Japan Trench in the Tohoku area. The utilities' response was to wait for the completion of an ongoing Tsunami Probabilistic Hazard study [5] to assess the relationship between tsunami height and the probability of occurrence. TEPCO's analytical results were released in 2006 [6], but this did not lead to tangible precautionary actions because the analysis was interpreted as a trial study and the probability of a tsunami exceeding 10 m was set in between 10⁻⁵ and 10⁻⁶/year [7]. Historically, along the Fukushima coast, there were limited tsunami records of significant inundation heights; this seems to have been attributed to estimates of weak coupling between plates and continuous slips of plates in this region [8]. TEPCO had hypothetically assumed a magnitude 8.3 earthquake source (the same as the “off-Sanriku” earthquake in the north Japan Trench) along the Fukushima coast, which would result in an inundation height of 15.7 m [7]. TEPCO had asked JSCE to review this result. If this study had been followed by modifications (such as protection of electrical equipment rooms from flooding), then the whole story would have been very different.

2.3. Level 4: control of accident beyond design basis

According to INSAG-10, level-4 defense-in-depth is defined as “control of severe conditions including prevention of accident progression and mitigation of the consequences of severe accident” [3]. AM procedures and associated equipment, prepared for level-4 defense in the 1990s by TEPCO, in hindsight, were neither sufficient to protect against the complete loss of AC/DC coupled with the loss of the primary heat sink nor sufficiently robust under the damage conditions caused by the earthquake and tsunami (Fig. 2-1).

Severe damage conditions significantly hampered AM operations, such as containment venting and depressurization of the pressure boundary to enable core cooling by low-pressure injection systems [9] (Fig. 2-2). Nevertheless, TEPCO's report (Appendix) [7] illustrates high morale among operators at FDNPS who took life-threatening risks to arrest the progression of the accident.

2.4. Level 5: emergency plan and crisis management

According to INSAG-10, level-5 defense-in-depth is defined as “mitigation of the radiological consequences of significant external releases of radioactive materials” [3]. However, accident investigation reports [9-11] and other reports identified problems with the Emergency Plan and Crisis Management, including the following:

1. Loss of functionality at the offsite center due to unavailability of communication systems and lack of radiological protection.

2. Insufficient implementation of the emergency plan by the public sector [12], such as notices to the public regarding evacuation, preparation of vehicles, and distribution of iodine tablets.

3. Ill-defined delineation of responsibilities, poor communications, and resultant misunderstandings.

4. Insufficient collection, sharing, and dissemination of information.

All these problems suggest the need to revisit issues concerning delineation of responsibilities; chain of command; coordination, design, and function of the “offsite center”; off-site emergency plan; and communication systems.

Fig. 2-2. Due to the damaged environment, available resources were limited. (left) Operators collected batteries from automobiles to get the required DC power for (middle) instrumentation and actuation of valves to perform safety functions. (right) A relocated tank blocked transportation of mobile equipment.

Fig. 3-1. Things, values, and assumptions contributing to a safety culture [14].

2.5. Other recognized issues

Many other issues have been identified, such as the lack of a regulatory system that enables independent (safety first) decisions by competent experts, the use of multiple-unit installations, insufficient accident instrumentation, and tight system interdependences. Especially regarding regulation, responsibilities for safety regulation did not rest with a single regulatory body. For instance, development of regulatory guidelines was done by NSC, whereas licensing based on them was administered by NISA under METI. Frequent shuffling of government officials jeopardized technical competence and effectiveness of safety regulators. After TEPCO's falsification issue surfaced in 2002, the operators and regulators may have focused on quality assurance and compliance rather than on risks, especially on the formality of documents and evidence rather than on substance. This illustrates one of the key features in Japanese culture: to focus on formality and details, not seeing the big picture and eventually forgetting what the ultimate goal was.

Fig. 3-2. Causal chain of event and underlying factors.

3. What lessons are universal?

Decision-making in risk management is influenced by various underlying factors such as regulations, organizational safety culture (especially assumptions at the basic level, Fig. 3-1), technical competence, and relations with society. These underlying factors may be rooted in the accident and linked to vulnerabilities in the defense-in-depth strategy (holes in the Swiss cheese model, Fig. 3-2), but they have not yet been systematically investigated in depth. Some accident investigation reports and a study by the University of Tokyo [13] address these possible underlying issues. Nevertheless, the next nuclear accident, if it occurs, will not duplicate the same pattern. To avoid another nuclear disaster, human wisdom is expected to preemptively address vulnerabilities that may be linked to underlying factors.

In the author's view, both the operator and regulators lacked humble attitudes toward the limitations of what we know and what we can learn from others. Questions such as the following should have been raised before making decisions.

Do we really know the assumptions that are implicit in an analysis done by experts in other disciplinary areas?

What if the assumptions are wrong?

What are the best global practices?

Although it is impossible to present clear evidence, the implementation of the emergency plan may indicate that, at the basic level of safety culture, i.e., assumptions, people assumed that an accident cannot happen here. By focusing on equipment reliability, the entire nuclear community might have been overly confident about safety. The Government Investigation Committee's report [11] stated that both TEPCO and the government were trapped by a “safety myth” and called for changing the attitude in risk management to emphasize mitigation of accidents, regardless of the probability of occurrence. In line with Hollnagel's argument [15] on the history of nuclear safety, the TMI accident highlighted human factors and PSA by diverting the previous emphasis on component reliability, the Chernobyl accident highlighted a safety culture and accident management, and the Fukushima accident highlighted the following:

a) Resilience: the need to enhance organizational capabilities to respond, monitor, anticipate, and learn in changing conditions, especially to prepare for the unexpected. This includes increasing distance to cliff edge by knowing where it exists and how to increase safety margin.

b) Responsibility: the operator is primarily responsible for safety (responsible use), and the government is responsible for protecting public health and environment. For both, their right decisions are supported by competence, knowledge, and an understanding of the technology, as well as humble attitudes toward the limitations of what we know and what we can learn from others.

c) “Social license to operate” (if I may borrow the phrase from the “Golden Rule for Golden Age of Gas” [16]): the need to avoid, as much as possible regardless of its probability of occurrence, the reasonably anticipated environmental impact (such as land contamination), as well as to build public confidence/trust and a renewed liability scheme.

The following changes are being considered or are being made globally in light of the FDNPS accident:

a) Safety requirements and review by IAEA's 12 action plans.

b) Stress tests to measure capabilities and address vulnerabilities.

c) Creation of a new regulatory body in Japan.

d) Better preparedness against the unexpected by modifying plant systems, equipment, and procedures (against, for example, natural hazards, complete loss of AC/DC, loss of the primary heat sink, and inadequate accident management).

e) Enhanced self-policing by the nuclear operator.

However, the Kemeny report [17] on the Three Mile Island accident gives us a warning by saying “we have stated that fundamental changes must occur in organizations, procedures, and, above all, in the attitudes of people. No amount of technical “fixes” will cure this underlying problem.” In the author's view, there are a number of managerial, regulatory and cultural attitudes needing transformation in light of the accident, such as priority of risk management by operating organization (too much focused on business environment), complacency and indifference to best global practices, transparency and risk communication by not being trapped in prisoner's dilemma, parochialism and so on. The tendencies in Japanese culture may also need scrutiny in this context, such as focus on formality, details, not seeing the big picture, and monolith culture by alleviating alternative or opposing views.

4. Conclusions

This paper elaborated what went wrong and what underlying factors might have contributed to the accident, and it identified certain universal lessons. Changes to enhance defense-in-depth, improve the regulatory system, and foster a culture of safety are needed to ensure that another severe accident, via a different accident scenario but entangled in similar root causes, will not occur.

References

[1] ⟨http://www.meti.go.jp/earthquake/nuclear/pdf/111226_01a.pdf⟩, 2011.

[2] Evaluation Reports from Fukushima Prefecture. ⟨http://www.pref.fukushima.jp/imu/kenkoukanri/231213senryosuikei.pdf⟩, ⟨http://www.pref.fukushima.jp/imu/kenkoukanri/240220siryo.pdf⟩, 2011.

[3] INSAG-10, Defense in Depth in Nuclear Safety, 1996.

[4] JSCE, Tsunami Assessment Methodology for NPS, February 2002. ⟨http://committees.jsce.or.jp/ceofnp/system/files/TA-MENU-J-00.pdf⟩.

[5] T. Annaka, Pure and Applied Geophysics 164 (2007) 577.

[6] T. Sakai, Development of a probabilistic tsunami hazard analysis, in: Proceedings of ICONE14, July 2006.

[7] TEPCO's Final Investigation Report, 20 June 2012. ⟨http://www.tepco.co.jp/en/press/corp-com/release/2012/1205638_1870.html⟩.

[8] T. Matsuzawa, Why magnitude 9 earthquake in Tohoku subduction zone?—Where we made a mistake? Kagaku (Science) 81 (10) (2011) 1020-1-26.

[9] Rebuild Japan, Accident Investigation Report, February 2012, ISBN-10:4799311581.

[10] Diet's Accident Investigation Commission [NAIIC] Report, July 2012. ⟨http://naiic.go.jp/wp-content/uploads/2012/07/NAIIC_report_lo_res2.pdf⟩.

[11] Government Investigation Committee [ICANPS], July 2012. ⟨http://icanps.go.jp⟩.

[12] Report on Implementation of Emergency Plan from the Association of Municipalities having NPPs. ⟨http://www.aec.go.jp/jicst/NC/iinkai/teirei/siryo2012/siryo19/siryo1-1.pdf⟩.

[13] A. Omoto, K. Juraku, S. Tanaka, Safety and Security Issues in the Light of the Accident at TEPCO's Fukushima-Daiichi NPP, in: Proceedings of GLOBAL 2011, December 2011.

[14] Safety Culture in Nuclear Installations, IAEA-TECDOC-1329.

[15] E. Hollnagel, A bird's eye view of resilience engineering, in: Proceedings of the IAEA Technical Meeting, June 2012.

[16] “Golden Rule for Golden Age of Gas”, OECD/IEA, May 2012.

[17] Report of The President's Commission on the Accident at Three Mile Island, 1979.