December 31, 2017

Nuclear Disasters and Systems Thinking: Part 3/3: Fukushima, Japan

On March 9, 2011, 70 miles offshore, the Pacific Plate tried to slip under the Okhotsk Plate, 20 miles under the ocean floor. A magnitude 7.2 earthquake hit Japan. All of Japan’s reactors are built on shore and this earthquake caused the reactors on the northeast coast to scram (emergency shutdown) due to indications from ground-motion sensors. It made the news but nobody was hurt and life went on as normal since earthquakes in Japan were a daily occurrence.

 

Two days later, on Friday, March 11, at 2:46:43pm Japan Standard Time, Mikoto Nagai, head of the Emergency Response Team in Sendai, was at his desk on the third floor of an earthquake-proof building when the early-warning earthquake alarm went off.

 

He put down his coffee and looked up at the LED display on the wall. It flashed 100 followed by a 4. It meant that in 100 seconds, a 4.0 magnitude earthquake was expected.

 

This magnitude was nothing to be worried about and he was about to get back to his business when the display changed its mind. It changed to 6.0. Then an 8.0. He stood up just as the earthquake hit and everything in his world went haywire.

 

This was the biggest earthquake ever recorded in Japan. It ended up being a magnitude of 9.0.

 

In three minutes Japan moved about 2.5 meters (8 feet) closer to California. The rotational axis of the Earth tilted by 25.5 centimeters or 10 inches. Roads were churned, high-voltage power lines were downed and more than 350,000 buildings were destroyed.

 

The closest point in Japan to the epicenter of the earthquake was a place called Onagawa, which housed the Onagawa Nuclear Plant. The earthquake hit the Onagawa Nuclear Plant, initiating an emergency shutdown. All three reactors went offline successfully in time.

 

The towns of Okuma and Futaba were about twice the distance from the epicenter. About 22 seconds after the earthquake hit Onagawa, these two towns were hit. They were in Fukushima Prefecture.

 

TEPCO, the Tokyo Electric Power Company, completed the Fukushima I power plant, also known as Daiichi, on July 25, 1967. It was a General Electric BWR/3 reactor with Mark I containment and was the first of six boiling water reactors built on the same property. It would eventually become one of the world’s biggest nuclear power facilities, able to produce 4.7 billion watts of electricity when everything was running smoothly.

 

At the time, GE was in competition with Westinghouse, and with the Mark I containment design GE was able to do in a relatively small space what a Westinghouse reactor needed an entire building to accomplish.

 

It seemed an exceedingly clever workaround for the problem of otherwise needing a very large reactor building, but the Mark I containment turned out to be the most controversial engineering object of the 20th century as a test in Germany exposed a lot of its weaknesses.

 

In any case, GE later improved their design and by the 1980s Mark I was supported as a thoroughly vetted, field-modified and improved legacy system. TEPCO also modified their systems accordingly.

 

All reactors in Japan are built on the coast and there is a good reason for that: They use the sea water as a coolant.

 

There were multiple redundancies at play in this power plant:

 

The oldest of the units was equipped with an isolation condenser which was an emergency alternative to the primary cooling loop without needing any external power.

 

In addition, all of the reactors at Fukushima I that were in service were equipped with high-pressure coolant injection systems for emergency use. This system did not rely on external power supply either.

 

As a last-ditch measure, the operators could open some valves to send the steam and gas, possibly containing radioactive fission products, up the ventilation stack and into the environment. This was meant to prevent a major break in the containment structure, which would allow uncontrollable leakage of the entire reactor contents outside the reactor building.

 

The engineers at GE tried to think of everything that could possibly go wrong. Units 2 through 6 were even equipped with residual heat removal systems. All were dependent on electricity.

 

The redundancies did not end there. All valves in the plant required electricity to open or close. If the plant scrammed in an emergency, it stopped providing electrical power to itself. When this happened, it switched to external power off the grid or to a neighboring reactor. If still no power was available, each reactor had two diesel-powered generators, each capable of handling the power needs of the entire plant, that came on automatically. If the backup generators did not start, the last resort was a room filled with lead-acid storage batteries, kept charged at all times. These batteries could supply direct-current power to the control room for eight hours, which was plenty of time to open any valves and start any emergency systems that could run without electricity. The only downside was that the condensate and coolant pumps could not run on batteries.

 

These generators and batteries were all located underground.

 

The power plant’s elevation above sea level was about 10 meters or 32 feet. The construction location was originally 35 meters or 115 feet high, but it was lowered so that the power plant could be built on solid bedrock, making it stronger against earthquakes. TEPCO also built seawalls about 5.7 meters or 19 feet high.

 

 

The nuclear engineers, mechanical engineers, civil engineers, electrical engineers and seismic specialists in Japan are well trained and experienced.

 

In March 2011, Units 1, 2 and 3 were operating normally and Units 4, 5 and 6 were down for refueling and maintenance. When the earthquake hit, all 12 available emergency generators came on after a few seconds, with the control rooms running on batteries. The three reactors that had been running at full power experienced orderly shutdowns, with the cores being cooled down by the usual means, and everything was under control.

 

In the opinion of the reactor operators, the isolation condenser was doing its job too well. The temperature was falling too rapidly, and with the steam condensing in the reactor vessel, a pipe could have collapsed from the vacuum it created. They decided to override the automatic system that had turned it on, and turned off the isolation condenser. This also closed the flow valves.

 

At 3:27pm, 41 minutes after the earthquake, a tsunami hit the beach at Fukushima. The wall built in front of the plant kept the wave from harming anything as it was higher than the incoming waves. However, eight minutes later, a second and then a third wave hit. They were about 12 meters or 40 feet high and did not have any problems going over the seawalls half their size. The whole plant was inundated.

 

The water-intake structures for all six reactors had collapsed under the force of the wave. Any electrical service outside the building was short-circuited and torn away.

 

In six minutes, all the underground diesel generators were flooded and the emergency AC power failed. One diesel-powered generator located above the ground remained online, providing power for Units 5 and 6. Units 3 and 4 were on DC power, which kept the control room for those units running and let operators make adjustments to the valves until the batteries lost power. Now was a good time to make any adjustments to prevent Unit 3, which had been running at full power, from melting.

 

In Units 1 and 2, the battery room was flooded and the plant was in total blackout. No valves could be turned on or off, and since there was no power, the operators had no way of knowing the status of various systems throughout the reactor. They were stuck with whatever configuration they were running when the incident happened. Remember that in Unit 1, the isolation condenser was turned off because the operators thought the reactor temperature was coming down too fast. In Unit 2, at least the reactor isolation cooling system was running; however, without any tweaking, it would eventually fail too.

 

What Fukushima I needed was AC power to manage the cooldowns in Units 1, 2 and 3. At this time Unit 1 was in total blackout with no passive systems running. Units 2 and 3 had water, but it would eventually absorb the heat and warm up.

 

An obvious solution was to bring in portable diesel generators and hook them up to whatever wiring was left sticking out from the building. But this was not possible, because all roads to the nuclear plant were either completely washed away or blocked with debris or fleeing people. The generators were too heavy to be brought in by helicopter. They could only be transported by wide trucks on a smooth highway.

 

Bringing in the diesels was not enough either. Cabling was another problem, as the cables each weighed about a ton.

 

By three hours after the earthquake, all the steam-relief valves had pried open and the water had boiled out of the reactor’s core. An hour and a half later, the fuel, still generating power at a fraction of the rate but naked of liquid coolant, started to melt away the zirconium sleeves on the fuel pins. More chemical reactions followed and fuel elements started to melt. Unit 1 was now a bomb, heavily contaminated with fission products, set to go off at any moment.

 

Without a cooling system for several hours, the Unit 1 staff knew that they had to vent the Mark I containment but there was no power to open the main valve. It was only possible to open it by hand if they could get to it. At this time, the entire reactor building was radiation-contaminated, but men volunteered to do it anyway.

 

The entire area around Fukushima would have to be evacuated before it was legal to vent the containment, and government permission had to be verified. Everything was taking time. They finally got the OK the next day on March 12 at 9:03am.

 

At 2:30pm, after some heroic effort, the torus (containment building) in Unit 1 was vented up the stack shared with Unit 2.

 

At 3:30pm, against all odds the men at Fukushima I installed external AC power to the standby pump units at Unit 2. Fire hoses were attached to the condensate tanks in Unit 1 and 2 and firetrucks were ready to start pumping water and relieve the heat buildup inside.

 

The men paused for a moment to rest and at 3:36pm, the Unit 1 reactor building exploded sending radiation-contaminated chunks of concrete and steel beams high in the air.

 

Five men were injured, the wiring was ripped out, the generator was damaged and the fire hoses were torn. On top of all that, radioactive dust began to settle down and cover the entire plant. From now on all work would require heavy, bulky radiation suits and respirators, and now there was a new layer of movement-restricting debris on top of the already-established debris.

 

The next day at 2:42am, the passive high-pressure coolant injection system in Unit 3 gave out. By 4:00am the fuel began to degrade. By 8:41am, the operators managed to open the air-operated vent and relieve the pressure that was building up. Steam was seen coming out the vent stack and the radiation readings jumped.

 

At 11:01am on March 14, the Unit 3 reactor building exploded like a fireball. More workers were injured, more of the re-installed hoses were torn and two firetrucks were put out of commission. On top of this there was now new debris on top of the old debris everywhere.

 

To make matters worse, the radiation levels became so dangerous that if a worker stood in the airlock for 20 minutes, he would have to be relieved and sent away, and he could no longer work on the problem at the plant.

 

At 12:40pm, the Reactor Core Isolation Cooling System in Unit 2 had absorbed all the shutdown heat it could handle and gave out. It had held out for 70 hours, outperforming its design. At 4:30pm, the fuel pins started to melt.

 

Fortunately for Unit 2, the explosion of Unit 1 had blown a large hole in the side of the reactor building, so all the hydrogen leaking out of the torus (containment building) was able to escape freely and not collect near the ceiling. Unit 2 did not explode, but its radioactive steam, iodine, and xenon escaped into the environment along with the hydrogen.

 

Unit 4 was down for maintenance; all of its fuel had been removed and stored in the fuel pool on the top floor in the reactor building. The cooling water surrounding the fuel was at a good temperature and since nothing seemed to be in crisis, the staff of Unit 4 pitched in to help the other units that were in deep trouble.

 

For economic reasons, Unit 4 shared a vent stack with Unit 3. When Unit 3 was vented up the stack, using the correct procedures by the book, half of the vented gas went back through Unit 4’s pipes. Since there was no power, the valves that should have prevented this were open.

 

The hydrogen and radioactive steam eventually ended up collecting on the ceiling of the Unit 4 reactor building waiting for an ignition spark. This only became apparent after the investigation was completed some 5 months after the incident.

 

At 6:14am on March 15, four days after the earthquake, the Unit 4 reactor building exploded, much to the surprise of everyone at the power plant. Having no theory as to what had happened, the operators at Units 5 and 6 quickly climbed to the tops of the reactor buildings and hacked large holes in both roofs to let out the hydrogen, which did not exist, thus inflicting the only damage to these newer reactors in the earthquake.

 

After Unit 4 exploded, there was nothing left in Fukushima I Power Plant that could further degrade it.

 

None of the spent fuel at Fukushima I was damaged and no fission products from it leaked into the environment. All of the radioactive contamination was from damaged, hot fuel exposed to steam, which was allowed to escape from Mark I containment structures, stressed beyond the imaginations of the engineers who had designed them.

 

No one had considered that a reactor coming down off full power could be denied electricity for more than a few minutes, given the multi-level, parallel-redundant systems built to prevent it.

 

After Unit 1 blew up, refilling the condensate tanks from external sources and wiring up emergency generators was delayed, and the remaining reactors fell like dominoes. If the workers had been able to refill the condensate tanks in Units 2 and 3, there would have been a lot of steam, but the vapor would not have contained any dissolved fuel, and it would not have been radioactive. With externally provided water and electricity, things could have been different but the tsunami knocked down all the power lines.

 

You might be thinking: with so many things going wrong, how can this be a system error? This was obviously a catastrophic accident.

 

Yet there was nothing like an Act of God in what happened, and it was not impossible to prevent. One can see some of the errors coming from the system, and how the system errors, some of them made long before the workers started to work in the reactor, crippled the workers’ efforts.

 

Having backup generators and a battery room is a great idea – especially against tsunamis. However, putting these backup systems on an underground level, which a tsunami can easily flood, might not have been the best idea.

 

The plant’s elevation was about 10 meters or 32 feet, but this was not always the case. At the location of the power plant, there was a natural 35-meter (115 feet) high seawall (cliff) in place. Official documents filed with the Japanese authorities in 1967 showed that TEPCO decided to reduce this natural seawall to 10 meters (32 feet) in height. The tsunami that struck the facility was 14-15 meters (46-49 feet) high.

 

When making this decision, TEPCO wanted to make sure that the plant was built on bedrock to make it more stable against earthquakes, but economics played a role as well. During construction, the heavy equipment was delivered by sea. It would have been very difficult and expensive to lift all the equipment over the cliff.

 

The second reason was that it was much easier to access sea water to use as a coolant from 10 meters above the sea compared to 35 meters above the sea.

 

 

In 2008, there was a report suggesting that the risk from tsunamis was greatly underestimated in the original study for the power plant. At the time of construction, no large tsunami damage had been recorded in the area. However, it is possible that no tsunami damage had ever been recorded in the area because of the original high cliff elevation.

 

The Onagawa nuclear plant, which was closest to the epicenter of the earthquake, also had a similar natural seawall. That wall was not destroyed and was left intact. The Onagawa plant did not suffer any damage.

 

With the lowered elevation, the emergency power supplies, including diesel generators and batteries, should have been either moved to higher ground or put in watertight bunkers.

 

Systems thinking also suggests that establishing watertight connections between emergency power supplies and key safety systems as well as enhancing the protection of seawater pumps should have been considered.

 

By viewing your organization, be it a factory, a service office or a nuclear power plant, as a system, it is possible to lower the risk of damage to your organization and to the community and achieve higher levels of safety, quality and efficiency.

 

Looking at these three major nuclear accidents, it always looks like an operator pressing the wrong button or making a wrong decision is what leads to the disaster. However, once we look a little deeper, we see that the chain of errors that led up to these disasters had started long before. All three accidents covered in these articles were in different parts of the world, making the cultural differences argument obsolete. These events also show us that making the parts perfect, or as perfect as possible, and safeguarding the components does not work unless you take the system as a whole to improve it. In other words, making perfect parts does not make the whole perfect.

 

Recommended Reading List:

  • Atomic Accidents, by Mahaffey, James