Fukushima

Fukushima Page 33

by David Lochbaum


  Defense-in-depth works well—as far as it goes. The concept has succeeded in limiting the frequency of nuclear disasters. Since the 1970s, three nuclear plant accidents have drawn international attention: Three Mile Island in 1979, Chernobyl in 1986, and Fukushima in 2011. Were it not for defense-in-depth, the list could be larger.

  Hurricane Andrew, which pummeled Florida in 1992, extensively damaged the Turkey Point nuclear plant near Miami, but defense-in-depth prevented disaster. The plant lost access to its off-site electric power grid for several days, but emergency diesel generators powered essential equipment in the meantime. And while winds knocked over a water tower and extensively damaged a warehouse and training building on site, more robust structures protected other water supplies and essential equipment.

  A month after Fukushima, a severe tornado disconnected the Browns Ferry plant from the electrical grid. That June, the Fort Calhoun nuclear plant in Nebraska experienced flooding that temporarily made it an island in the Missouri River, and in August the North Anna nuclear plant in Virginia was shaken by an earthquake of larger magnitude than it was designed to withstand. In each case, the conditions caused by the accident did not exceed the safety margins to failure—from a loss of off-site power at Browns Ferry, a flood at Fort Calhoun, or an earthquake at North Anna.

  But did these events prove the inherent safety of nuclear plants, as the U.S. industry and regulators claim? Or did they constitute accidents avoided not by good foresight, but rather by good fortune?

  For all its virtues, defense-in-depth has an Achilles’ heel, one rarely mentioned in safety pep talks. It is known as the common-mode failure. That happens when a single event results in conditions exceeding the safety margins of all the defense-in-depth barriers, cutting through them like a hatchet through a layer cake.

  Common-mode failure is what flooding caused at Fukushima and what fire caused at Browns Ferry. Flooding or fire took out all the redundant systems needed to cool the reactor cores, the systems needed to keep the containments from overheating and leaking, and the systems needed to help predict the path and extent of the radioactive plumes. At Browns Ferry, workers managed to employ ad hoc measures in time to prevent disaster. At Fukushima, time ran out.

  Defense-in-depth is both a blessing and a curse. It allows many things to go wrong before a nuclear plant disaster occurs. But when too many problems arise or a common-mode failure disables many systems, defense-in-depth can topple like a row of dominoes. The risk of common-mode failure can be reduced through enhancing defense-in-depth, but it can never be eliminated.

  The true curse of defense-in-depth is that it has fostered complacency. The existence of multiple layers of defense has excused inattention to weaknesses in each individual layer, increasing the vulnerability to common-mode failure.

  Fukushima Daiichi was a well-defended nuclear plant by accepted standards, with robust, redundant layers of protection. When the earthquake knocked out the off-site electrical grid, emergency diesel generators stood ready as the backup power source. Each of the six reactor units had at least two of these generators (one unit had three). A single emergency generator could provide all the power needed for cooling a core and other essential tasks, but defense-in-depth made sure every reactor had at least one spare.

  It didn’t help. The generators were protected, like the reactors themselves, by the seawall erected along the coast. When the tsunami washed over the seawall, it disabled all but one of the emergency generators or their electrical connections.

  Even without the generators, defense-in-depth offered protection. Banks of batteries were ready to power a minimal subset of safety equipment while damage to the AC power systems was being repaired. The battery capacity at Fukushima was eight hours per unit, assumed to be ample time for workers to either restore an emergency diesel generator or recover the electrical grid. But it took nine days to partially reconnect the plant to the grid and even longer to restore the generators.

  At Fukushima, as in the United States and elsewhere, reactor operators were trained in emergency procedures for responding to severe accidents. These procedures instructed them to take steps like venting the containment to reduce dangerously high pressure and enable cooling water to enter. But the manuals did not envision the conditions the operators actually faced—for example, the need to operate vents manually in darkness—and thus workers could not implement these procedures in time to prevent the meltdowns.

  The last defense-in-depth barrier was evacuation. But at Fukushima, emergency planning proved ineffective at protecting the public. Evacuation areas had to be repeatedly expanded in an ad hoc manner, and in some cases the decisions were made far too late to prevent radiation exposures to many evacuees.

  All of Fukushima’s defensive barriers failed for the same reason. Each had a limit that provided too little safety margin to avert failure. Had just one barrier remained intact, the plant might well have successfully endured the one-two punch from the earthquake and tsunami or at the bare minimum, the public would have been protected from the worst radiation effects.

  The chance that all the barriers might fall was never part of the planning. In effect, the nuclear establishment was riding a carousel, confident that the passing scenery of anticipated incidents would never change. Lost in the process was this reality: the brass ring for this not-so-merry-go-round involves both foreseeing hazards and developing independent, robust defense-in-depth barriers to accommodate unforeseen hazards. One without the other has been repeatedly shown, at tremendous cost, to be insufficient.

  Severe accidents like Fukushima render the status quo untenable for the nuclear establishment. Something has to change. But meaningful change—a true reduction in potential danger to the public—will not occur until regulators and industry look ahead and to the sides, at what could happen, not solely at what has happened.

  But such an approach would be a turnabout for the nuclear establishment. Historically, when responding to events like Three Mile Island, the industry and regulators have worked hard to narrow the scope of the response, simply patching holes in the existing safety net rather than asking whether a better net is needed. To put it bluntly, unless this process is radically overhauled, it will take many more nuclear disasters and many more innocent victims to make the safety net as strong as it should be today.

  Highway departments could put up roadside signs saying “Don’t Go Too Fast” or “Drive at a Reasonable Pace.” Instead, they put up signs reading, for example, “Speed Limit 55” or “Maximum Speed 20” so that drivers understand what is expected and law enforcement officers know when to issue traffic tickets. The former signs would constitute entirely useless measures: a car wrapped around a tree must have been traveling too fast, but another barreling through a school zone at 120 miles per hour must be operating at a reasonable speed if it doesn’t strike any children. Safety requires specificity. Lack of specificity invites a free-for-all.

  Such is precisely what the NRC’s Near-Term Task Force tried to avoid in its proposals for reducing vulnerabilities at U.S. nuclear plants. The NTTF started its report with a recommendation for fundamental change. It called on the NRC to redefine its historical safety threshold of “adequate protection,” this time establishing a clear foundation to guide both regulators and plant owners in addressing beyond-design-basis accidents.

  In essence, the NTTF’s first recommendation urged the NRC to formally recognize that beyond-design-basis accidents need to be guarded against with unambiguous requirements based on robust defense-in-depth and well-defined safety margins. In this way, plant owners as well as NRC reviewers and inspectors would better be able to agree on what was acceptable. Inspectors would have a legal basis for declaring violations should plant owners fail to meet the requirements; at the same time, plant owners would be better protected from arbitrary rulings.

  The NTTF did not propose taking a sledgehammer to the existing system. Instead it recommended creating a new category of accident scenarios to cover a range of possibilities not envisioned in the design bases of existing nuclear plants. This new category of “extended design-basis accidents” could include aspects of some of the extreme conditions experienced at Fukushima. A new set of regulations would be created for extended design-basis accidents, eliminating the “patchwork” that currently governed beyond-design-basis accidents. However, the requirements themselves would be less stringent than those for design-basis accidents.

  The task force believed that the NRC had come to depend too much on the results of highly uncertain risk calculations that reinforced the belief that severe accidents were very unlikely. That, in turn, had provided the NRC with a rationale to shrink safety margins and weaken defense-in-depth. To remedy the problem, the task force requested that the commission formally consider “the completeness and effectiveness of each level of defense-in-depth” as an essential element of adequate protection. The task force also wanted the NRC to reduce its reliance on industry voluntary initiatives, which were largely outside of regulatory control, and instead develop its own “strong program for dealing with the unexpected, including severe accidents.”

  The task force members believed that once the first proposal was implemented, establishing a well-defined framework for decision making, their other recommendations would fall neatly into place. Absent that implementation, each recommendation would become bogged down as equipment quality specifications, maintenance requirements, and training protocols got hashed out on a case-by-case basis.

  But when the majority of the commissioners directed the staff in 2011 to postpone addressing the first recommendation and focus on the remaining recommendations, the game was lost even before the opening kickoff.

  The NTTF’s Recommendation 1 was akin to the severe accident rulemaking effort scuttled nearly three decades earlier, when the NRC considered expanding the scope of its regulations to address beyond-design accidents. Then, as now, the perceived need for regulatory “discipline,” as well as industry opposition to an expansion of the NRC’s enforcement powers, limited the scope of reform. The commission seemed to be ignoring a major lesson of Fukushima Daiichi: namely, that the “fighting the last war” approach taken after Three Mile Island was simply not good enough.

  Consider the order for mitigation strategies issued by the NRC to all plant owners on March 12, 2012, a year and a day after Fukushima. One part of the order required that plant owners “provide reasonable protection for the associated equipment from external events” like tornadoes, hurricanes, earthquakes, and floods. “Full compliance shall include procedures, guidance, training, and acquisition, staging, or installing of equipment needed for the strategies,” the order read.

  But what is “reasonable protection”? What kind of “guidance” would be adequate, and how rigorous would the training be? The NTTF’s first proposal would have required specific definitions. Now, without a concrete standard, NRC inspectors will be ill equipped to challenge protection levels they deem unreasonable. Conversely, plant owners will be defenseless against pressure from the NRC to provide more “reasonable” levels of protection.2

  A second example: another order the NRC issued on March 12, 2012, required the owners of boiling water reactors with Mark I and II containments to install reliable hardened containment vents. They left for another day a decision on whether the radioactive gas from containment should be filtered before being vented to the atmosphere.

  Such vents are primarily intended to be used before core damage occurs, when the gas in the containment would not be highly radioactive and filters would not normally be needed. However, as Fukushima made clear, it is possible that the vents will have to be used after core damage occurs, to keep it from getting worse. In that case, filters could be crucial to reduce the amount of radioactivity released. The presence of filters could also make venting decisions less stressful for operators in the event that they weren’t sure whether or not core damage was taking place. In November 2012, the NRC staff recommended that filters be installed in the vent pipes, primarily as a defense-in-depth measure.

  But what might seem a simple, logical decision—install a $15 million filter to reduce the chance of tens of billions of dollars’ worth of land contamination as well as harm to the public—got complicated. The nuclear industry launched a campaign to persuade the NRC commissioners that filters weren’t necessary. A key part of the industry’s argument was that plant owners could reduce radioactive releases more effectively by using FLEX equipment.

  Vent filters would only work, the argument went, if the containment remained intact. If the containment failed, radioactive releases would bypass the filters anyway. And sophisticated FLEX cooling strategies could keep radioactivity inside the containment in the first place. Further, the absence of filters at Fukushima might not have caused the widespread land contamination in any event because it wasn’t clear that the largest releases occurred through the vents; the radioactivity may have escaped another way.

  The NRC staff countered by claiming that the FLEX strategies were too complicated to rely on: they rested on too many assumptions about what might be taking place within a reactor in crisis and what operators would be capable of doing. In contrast, a passive filter could be counted on under most circumstances to do its job—filter any radioactivity that passed through the vent pipes. The staff argued that filters would be warranted as a defense-in-depth measure. The staff also pointed out that many other countries, like Sweden, simply required vent filters to be installed decades ago as a prudent step.

  Without an explicit requirement to consider defense-in-depth, as the NTTF had called for in its first recommendation, the NRC commissioners could feel free to reject the staff’s arguments. In March 2013, they voted 3–2 to delay a requirement that filters be installed, and recommended that the staff consider other alternatives to prevent the release of radiation during an accident. However, at the same time the commissioners voted to require that the vents themselves be upgraded to be functional in a severe accident. This second decision didn’t make much sense: if the commissioners believed the vents might be needed in a severe accident, then what excuse could there be for not equipping them with filters?

  As the Fukushima disaster recedes in public memory, and the NRC sends mixed signals, the nuclear establishment has begun relying on the FLEX program to address more and more of the severe accident safety issues identified by the task force and the NRC staff. It has come to see FLEX not as a short-term measure but as an enduring solution—all that is needed to patch any holes in the safety net.

  Three months before the vote on the filters, the commissioners decided to slow down the development of a new station blackout rule—one they had originally identified as a priority. In part, it was because of their confidence in FLEX. The NRC later notified Congress that it had rejected a number of other safety proposals, such as adding “multiple and diverse instruments to measure [plant] parameters” and requiring all plants to “install dedicated bunkers with independent power supplies and cooling systems,” because it believed that FLEX was sufficient. But it is unclear how FLEX would obviate either the need for additional reliable instrumentation or the desirability of a bunkered emergency cooling system. Indeed, both measures would support FLEX capabilities should a crisis occur.

  Despite the willingness of the NRC to give FLEX a resounding vote of confidence, there were three important defense-in-depth issues that could not be dismissed with a wave of the FLEX magic wand. These issues had been flagged by the NRC staff post-Fukushima as issues that were of great public concern and deserved consideration.

  The first related to the U.S. practice of densely packing spent fuel pools, a situation that some critics had long pointed to as a safety hazard and that the NRC had long countered was perfectly safe.

  In the aftermath of Fukushima, it turned out that the Unit 4 spent fuel pool—the subject of so much alarm during the crisis—had escaped damage after all (see the appendix for more on this). That finding allowed some in the industry and the NRC to contend that concerns about spent fuel pool risks were unfounded. Their claims did not take into account the fact that U.S. spent fuel pools typically contain several times as much fuel as Unit 4 did, and therefore could experience damage much more quickly in the event of loss of cooling or a catastrophic rupture. The industry argued in turn that FLEX was designed to provide emergency cooling of spent fuel pools. But that would require operator actions at a time when attention would likely be torn by other exigencies, as happened at Fukushima.

  Accelerating the transfer of spent fuel to dry casks would enhance safety by passive means. The NRC pledged to look at this issue again, but it was accorded a low priority.

  The second and third issues related to emergency planning zones and to distribution of potassium iodide tablets to the public to reduce the threat from radioactive iodine. Fukushima demonstrated that a severe accident could cause radiation exposures of concern to people as far as twenty-five miles from the release site. Indeed, the worst-case projections of both the Japanese and U.S. governments found that even Tokyo, more than one hundred miles away, was similarly threatened.

  Nonetheless, the NRC continued to defend the adequacy of a ten-mile planning zone for emergency measures such as evacuation and potassium iodide distribution. The agency argued that evacuation zones could always be expanded if necessary during an emergency—a position hard to reconcile with the likely difficulty of achieving orderly evacuations of people who had not previously known they might need to flee from a nuclear plant accident one day. (Prodded into action by a petition from an activist group, the Nuclear Information and Resource Service, the NRC agreed to look into the emergency planning question, but it is on a very slow track.)

  One final issue to consider is the risk of land contamination, something that could be an enormous problem even if all evacuation measures were successful. In the past the NRC has assessed potential accident consequences solely in terms of early fatalities and latent cancer deaths, but Fukushima showed that widespread land contamination, and the economic and social upheaval it creates, must also be counted.3
