Public sentiment in many states has turned against nuclear energy following the March 2011 accident at Japan’s Fukushima Daiichi Nuclear Power Station. The large quantity of radioactive material released has caused significant human suffering and rendered large stretches of land uninhabitable. The cleanup operation will take decades and may cost hundreds of billions of dollars.
The Fukushima accident was, however, preventable. Had the plant’s owner, Tokyo Electric Power Company (TEPCO), and Japan’s regulator, the Nuclear and Industrial Safety Agency (NISA), followed international best practices and standards, it is conceivable that they would have predicted the possibility of the plant being struck by a massive tsunami. The plant would have withstood the tsunami had its design previously been upgraded in accordance with state-of-the-art safety approaches.
The methods used by TEPCO and NISA to assess the risk from tsunamis lagged behind international standards in at least three important respects:
- Insufficient attention was paid to evidence of large tsunamis inundating the region surrounding the plant about once every thousand years.
- Computer modeling of the tsunami threat was inadequate. Most importantly, preliminary simulations conducted in 2008 that suggested the tsunami risk to the plant had been seriously underestimated were not followed up and were only reported to NISA on March 7, 2011.
- NISA failed to review simulations conducted by TEPCO and to foster the development of appropriate computer modeling tools.
Steps that could have prevented a major accident in the event that the plant was inundated by a massive tsunami, such as the one that struck the plant in March 2011, include:
- Protecting emergency power supplies, including diesel generators and batteries, by moving them to higher ground or by placing them in watertight bunkers;
- Establishing watertight connections between emergency power supplies and key safety systems; and
- Enhancing the protection of seawater pumps (which were used to transfer heat from the plant to the ocean and to cool diesel generators) and/or constructing a backup means to dissipate heat.
Though there is no single reason for TEPCO and NISA’s failure to follow international best practices and standards, a number of potential underlying causes can be identified. NISA lacked independence from both the government agencies responsible for promoting nuclear power and also from industry. In the Japanese nuclear industry, there has been a focus on seismic safety to the exclusion of other possible risks. Bureaucratic and professional stovepiping made nuclear officials unwilling to take advice from experts outside of the field. Those nuclear professionals also may have failed to effectively utilize local knowledge. And, perhaps most importantly, many believed that a severe accident was simply impossible.
In the final analysis, the Fukushima accident does not reveal a previously unknown fatal flaw associated with nuclear power. Rather, it underscores the importance of periodically reevaluating plant safety in light of dynamic external threats and of evolving best practices, as well as the need for an effective regulator to oversee this process.
Introduction
The accident at Fukushima Daiichi Nuclear Power Station on March 11, 2011, has put safety concerns front and center of the ever-contentious debate about nuclear energy. With large quantities of radioactivity released into the environment, over three hundred thousand residents evacuated from the vicinity of the plants,1 and a cleanup operation that will take decades and cost tens, if not hundreds of billions of dollars, critics have argued that nuclear power is too dangerous to be acceptable. But are they right? Can nuclear power be made significantly safer? The answer depends in no small part on whether nuclear power plants are inherently susceptible to uncommon but extreme external events or whether it is possible to predict such hazards and defend against them.
To date, there have been three severe accidents at civilian nuclear power plants. Two of these led to significant releases of radiation, which averages out to about one major release every seven thousand five hundred years of reactor operation. The International Atomic Energy Agency’s (IAEA’s) International Nuclear Safety Group believes that if best practices are implemented, major releases of radiation from existing nuclear power plants should occur about fifteen times less frequently.2 Indeed, improvement on this scale is probably necessary for nuclear power to gain widespread social and political acceptance.
It is clear that the two major nuclear accidents before Fukushima—Chernobyl in 1986 and Three Mile Island in 1979 (which involved extensive damage to nuclear fuel but a relatively small release of radiation)—were preventable. In each case the cause was inadequate operator training and flaws in reactor design, exacerbated by inadequate understanding of potential risks. Better training and better design (areas in which the global nuclear industry has made significant strides) should prevent a recurrence of similar events.
By contrast, the Fukushima accident—superficially at least—appears to be very different. The plant was hit by a massive earthquake and then a tsunami, triggering a chain of events that led to fuel melting and a significant off-site release of radiation. The accident has reinforced public sentiment worldwide—from Japan to Switzerland, and Germany to India—that nuclear power is unacceptably risky.
One year after the Fukushima accident, however, a picture is emerging that suggests that the calamity was not simply an “act of god” that could not be defended against. There is a growing body of evidence that suggests the accident was the result of failures in regulation and nuclear plant design and that both were lagging behind international best practices and standards. Had these been heeded and applied, the risks to the Fukushima Daiichi Nuclear Power Station would likely have been recognized and effective steps to prevent a major accident could have been taken. In this sense, we believe the Fukushima accident—like its predecessors—was preventable.
The Accident Sequence
On March 11, 2011, at 2:46 pm local time, Japan was struck by a magnitude 9.0 earthquake, centered in the Pacific Ocean about 80 kilometers east of the city of Sendai, that set a powerful tsunami in motion.3 This was the largest earthquake ever recorded in Japan and, according to the United States Geological Survey, the fourth largest recorded worldwide since 1900.4
Three of the six reactor units at Fukushima Daiichi Nuclear Power Station (units 1, 2, and 3) were operating at the time and are shown schematically in figure 1.
When the earthquake hit, these units automatically “scrammed,” that is, control rods were inserted into the reactor cores to suppress nuclear fission. Nonetheless, the reactors still required cooling—as all reactors do immediately after shutdown, since the highly radioactive material accumulated during operation continues to decay and produce heat.
With the reactor shut down and the plant no longer generating electricity, the post-shutdown cooling systems at the Fukushima Daiichi reactors, like at all currently operating power reactors, required an alternative electricity supply (although there was one system in each reactor that did have limited functionality in the absence of a power supply).5 Because all six external power lines from Japan’s grid to the plant were destroyed by the earthquake, the on-site emergency diesel generators began operating. With electricity still available, cooling appeared to proceed normally in units 2 and 3 before the tsunami arrived. In unit 1, for reasons that are not yet known, the temperature and pressure of the core dropped unexpectedly quickly. In order to avoid damage to the reactor vessel and in keeping with the plant’s operating procedure, operators turned the emergency cooling system on and off repeatedly to slow the rate of cooling. The system happened to be disabled at the time all electrical power to the plant was lost following the tsunami.6 Had it been operating, the subsequent accident sequence may have unfolded more slowly at unit 1.7
Even if electricity had been available to drive the emergency cooling systems, there would have been no way of dissipating the heat.
About forty-five minutes after the earthquake, the station was inundated by a series of tsunami waves that caused serious damage. Eleven of the twelve emergency diesel generators in service at the time failed (one connected to unit 6 worked) as they required water cooling, which was no longer possible because the tsunami had destroyed the sea water pumps. This resulted in the complete loss of AC power from both internal and external sources for units 1–5, a situation that is known as a station blackout. The plants were equipped with DC batteries to compensate for the station blackout; however, the batteries in units 1 and 2 were flooded and rendered inoperable. The batteries in unit 3 continued to function for about thirty hours—far beyond their eight-hour design life. In addition, the power distribution buses that would have allowed an external power source to be connected to the plant were also swamped and extensively damaged.8 The seawater pumps and their motors, which were responsible for transferring heat extracted from the reactor cores to the ocean (the so-called “ultimate heat sink”) and also for cooling most of the emergency diesel generators, were built at a lower elevation than the reactor buildings. They were flooded and completely destroyed. Thus, even if electricity had been available to drive the emergency cooling systems, there would have been no way of dissipating the heat.
Over the next three days, one by one, the three reactors that had been operating when the earthquake struck lost core cooling capability, resulting in a loss of coolant accident: without cooling, the water in the reactor pressure vessels boiled, uncovering the fuel, which subsequently melted. In this situation, there was a risk that the “corium” (the molten mix of fuel and reactor components) could burn through the steel reactor pressure vessel and the concrete and steel primary containment vessel into the earth below, thus increasing the likely quantity of radiation released into the environment. Simulations by the plant’s owner, Tokyo Electric Power Company (TEPCO), performed with extremely conservative assumptions, suggest that even in the absolute worst case where corium burned through the reactor pressure vessels in all three of the damaged units at Fukushima Daiichi, it would not have completely penetrated the containment (although in unit 1 it could have come within 37 centimeters, or 15 inches, of the outer steel lining).9 Other simulations suggest that although fuel may have melted and collected at the base of the pressure vessel, it did not burn through.10 It bears emphasizing, however, that the exact extent of the damage will only be known when the pressure vessels and primary containments can be observed directly, several years from now.
A large quantity of radioactivity from the damaged fuel escaped into the environment. As cooling water evaporated and turned into steam, pressure inside the primary containment grew, creating leaks that allowed radiation to escape. More radiation was deliberately released when, after some delays, workers “vented” the containments to try to reduce the internal pressure. Yet more radiation was released by a series of explosions that occurred in the reactor buildings of units 1, 3, and 4 in the four days following the tsunami. As the reactors overheated and the fuel melted, highly flammable hydrogen was generated (mostly by a reaction between steam and zirconium “cladding” that surrounds the fuel). It built up in the reactor buildings of units 1 and 3 before eventually exploding. Hydrogen may also have caused an explosion in unit 4 after it migrated there from unit 3 along their common venting system.11
In its June 2011 report to the IAEA explaining the accident, the Japanese government estimated that the quantity of radiation released into the atmosphere by the accident was about 15 percent of the radiation released from Chernobyl. That accident resulted in the permanent evacuation of over 200,000 people and is ultimately likely to result in thousands of “excess” cancer cases.12 For many days, Soviet authorities were unable to prevent the uninterrupted release of large amounts of radiation after a severe explosion inside the reactor core directly exposed its burning fuel to the environment. By contrast, at Fukushima considerably more of the fuel inventory in the cores was contained, and Japanese authorities were able to far more quickly and effectively limit the accident’s impact to human health. In any case, the quantity of radiation released by the Fukushima accident has proved controversial and estimates may change as more information becomes available. A much smaller quantity of radiation was released into the Pacific Ocean, most of it in the form of overflow of contaminated water that had been used to cool the reactors.
The road to complete recovery will be an extremely long and expensive one.
On December 16, 2011, Japanese officials announced that the plant had been brought into a state of “cold shutdown.” This declaration attracted criticism from some reactor safety experts on the grounds that it gives the false impression that the damaged Fukushima Daiichi units now pose no more risk than any undamaged reactor after shutdown. While there is certainly some truth to this criticism, the declaration is reasonable if it is understood to be a judgment call on the part of the plant’s owner and officials that the remains of the plant cores are now being stably cooled, that radioactive emissions have been brought down to near acceptable levels, and that, barring an unforeseen accident, the status quo can be maintained indefinitely.
Nonetheless, complete remediation of the site is likely to take three or four decades, and the biggest challenge will probably be removing all the melted fuel. The road to complete recovery will be an extremely long and expensive one.
Identifying Key Questions
There is still much to be learned about the accident sequence, including the actions of the plant operators to mitigate it. In contrast to the report by an IAEA fact-finding mission (which was highly complimentary of the plant operators), an interim report by a commission appointed by the Japanese government to investigate the accident expressed direct and significant criticism of plant operators in units 1 and 3 for delays in implementing emergency cooling procedures.13 The commission, however, stopped short of asserting that a swifter response would have prevented the explosions in those units, withholding judgment until more information becomes available. The actions of the operators will undoubtedly come under considerable scrutiny in the months ahead. In assessing these actions, it is necessary to keep two points in mind.
First, the accident progressed extremely quickly. The table below shows estimates, by both the Japanese regulator, the Nuclear and Industrial Safety Agency (NISA), and TEPCO of the length of time that passed after the earthquake until (i) fuel became exposed, (ii) fuel started to melt, and (iii) molten fuel started to damage the reactor pressure vessels. At unit 1, it appears that the emergency cooling system became inoperative immediately after the tsunami and fuel damage began two or three hours later (that is, three or four hours after the earthquake).14 However, the operators were flying blind for much of that time. All instrumentation in the main control room of units 1 and 2 was lost following the tsunami, and it was almost three hours before some instrumentation had been restored and the operators had reason to suppose that the emergency cooling system had failed.15 By the time operators could reasonably have known there was a problem, fuel damage was already imminent.
The accident progressed somewhat more slowly in units 2 and 3. The emergency cooling systems in those units failed after about seventy and thirty-five hours, respectively, and in each case fuel damage began about seven or eight hours later (that is, about seventy-seven and forty-three hours, respectively, after the earthquake).16
Second, the conditions at the plant site confronting plant operators were truly appalling. The IAEA report notes:
[d]uring the initial response, work was conducted in extremely poor conditions, with uncovered manholes and cracks and depressions in the ground. Work at night was conducted in the dark. There were many obstacles blocking access to the road such as debris from the tsunami and rubble that was produced by the explosions that occurred in Units 1, 3 and 4. All work was conducted with respirators and protective clothing and mostly in high radiation fields.17
To regain instrumentation, operators had to scour the plant for cables and batteries (including from their own cars) that they hooked up to the control panel (in the dark in one case—there was no lighting on unit 2’s side of the control room it shared with unit 1).18 Communication between the on-site emergency control center and each control room was limited to a single wired telephone line. The off-site nuclear emergency response headquarters had to be evacuated because it was so underprepared.19 The periodic explosions at the site were not just dangerous but also hampered relief efforts. For instance, a cable and a hose that had been laid to supply power and water to unit 2 were destroyed by fragments from the explosion in unit 1.20 Finally, workers must have been under extraordinary physical and psychological stress. Indeed, during the early stages of the accident, many of them would not have known whether their families had survived the disasters.
These two observations have important implications for assessing the Fukushima Daiichi accident. Given the short time that might be available for operators to take action in the event of a station blackout and the extraordinary stress under which they are likely to be working, actions to be taken after an extreme external event and measures to prevent fuel damage must be prepared in advance, must have been practiced extensively, and must rely only on local resources if they are to have a realistic chance of success. None of these criteria was met at Fukushima Daiichi.21
As a result, we believe it would be unfair to apportion significant blame for the accident on the actions the operators took (or failed to take) after the tsunami, as the official investigation committee has done. Furthermore, given the potential challenges of a complete loss of AC power, it is clear that prevention is the best form of management. To this end, the key questions raised by the accident are why was the tsunami hazard at Fukushima Daiichi so dramatically underestimated? And could changes in plant design (resulting from effective safety reviews) have prevented a severe accident in the event that a tsunami struck the plant? The answers to these questions help shed light on whether the accident could have been prevented.
Underestimating the Threat
The Fukushima Daiichi Nuclear Power Station was not designed to withstand a tsunami even half the size of the one that ultimately struck the Japanese coast in March 2011.
According to the official licensing documents, Fukushima Daiichi’s design basis tsunami was estimated to have a maximum height of 3.1 meters above mean sea level.22 Given this, TEPCO decided to locate the seawater intake buildings at 4 meters above sea level and the main plant buildings at the top of a slope 10 meters about sea level (figure 2).23 In 2002, on the basis of a new methodology for assessing tsunami safety developed by the Japan Society of Civil Engineers, TEPCO voluntarily reevaluated the tsunami hazard and adopted a revised design-basis tsunami height of 5.7 meters. Yet, NISA neither updated the licensing documents to reflect this change nor reviewed TEPCO’s analysis. Given that the revised design-basis tsunami was now 1.4 meters above the seawater pumps, such a review should have been conducted.24
The maximum height of the tsunami that actually hit the plant is not known exactly since the sea-level gauge at the plant was destroyed. However, TEPCO and the Japan Society of Civil Engineers, using computer modeling to re-create the observed pattern of flooding at the plant, have estimated that just before it made landfall, the tsunami had a height of 13.1 meters, over twice the revised design basis.25 Once the tsunami had “run up” the slope on which the main buildings of the plant sit, it reached 14–15 meters above sea level in many areas and, in a few places, more than 17 meters.26
The size of the tsunami at Fukushima Daiichi was the result of a number of factors conspiring together. A tsunami actually consists of a series of waves. In this case, more than about 10 kilometers from the coast, the largest of these had a height of only about 6 meters. However, as it approached the shoreline, earlier waves reflected from the land “reinforced” it (an effect properly known as “constructive interference”), ultimately producing a tsunami of over 13 meters.27 This phenomenon dramatically increased the tsunami height in the vicinity of the plant. (For comparison, at Fukushima Daiini Nuclear Power Station, about 12 kilometers south of Fukushima Daiichi, the tsunami height was 9 meters.28 At Iwaki, about 40 kilometers south of Fukushima Daiichi, it was only 1 meter.29) Although this effect was well understood and had been predicted in advance, the height of the tsunami was underestimated because simulations assumed a considerably smaller earthquake than the one that actually struck on March 11.
The underestimation of the seismic hazard provides evidence of systemic problems in disaster prediction and management.
The earthquake that preceded the tsunami exceeded the seismic design basis of the plant at units 2, 3, and 5.30 TEPCO and NISA have stated that no critical safety-related equipment—such as emergency diesel generators, seawater pumps, and cooling systems—was damaged in the earthquake, although it seems that this claim cannot be conclusively verified until the plant can be inspected much more closely than is currently possible.31 Though the tsunami led to most—if not all—of the damage, the underestimation of the seismic hazard provides evidence of systemic problems in disaster prediction and management.
Predicting Disaster
Because the underlying geophysical phenomena are extremely complicated, accurate hazard assessment for earthquakes and tsunamis is exceedingly challenging. But it is becoming increasingly evident that there were significant flaws in the methodology used to assess hazards to the Fukushima Daiichi plant.
An earthquake offshore of the Miyagi region, where the epicenter of the March 11 earthquake was located, had been long anticipated.32 For example, as recently as January 11, 2011, the Headquarters for Earthquake Research Promotion (a Japanese government–funded organization set up after the 1995 Kobe earthquake to improve seismic modeling) repeated a long-standing prediction that in that region there was a 99 percent probability of a magnitude 7.5 earthquake within thirty years.33 But when the earthquake actually arrived, its magnitude caught seismologists by surprise. The Great East Japan Earthquake on March 11, 2011, was actually a magnitude 9.0 event. This significant underestimation, in spite of Japan’s considerable investments in seismology, is a sobering warning against overconfidence in hazard prediction.
The approach to hazard prediction for Fukushima Daiichi appears to have been at variance with both international best practices and, in some cases, with Japanese best practices.
Indeed, even within the last fifteen years, there are a number of other examples of beyond-design-basis earthquakes and floods at nuclear plants. In December 1999, for example, a storm surge caused flooding at two reactors at the Blayais Nuclear Power Plant in France. The Indian Ocean tsunami of December 26, 2004, flooded seawater pumps at the Madras Atomic Power Station in India.34 On July 16, 2007, an earthquake exceeded the design basis of TEPCO’s Kashiwazaki-Kariwa Nuclear Power Station in Niigata Prefecture. Just five and a half months after the Fukushima accident, on August 23, 2011, an earthquake on the East Coast of the United States marginally exceeded the design basis of the North Anna Nuclear Generating Station in Virginia.35 This series of events illustrates how difficult hazard prediction is. However, the fact that all operating units were brought successfully into cold shutdown suggests that, for most beyond-design-basis events, plant safety margins are probably sufficient to compensate for this difficulty.
Notwithstanding the intrinsic difficulties of hazard prediction, the approach to hazard prediction for Fukushima Daiichi appears to have been at variance, in three important areas, with both international best practices and, in some cases, with Japanese best practices.
First, there appears to have been insufficient attention given by TEPCO and NISA to historical evidence of large earthquakes and tsunamis. Best practice, as promulgated by the IAEA, requires the collection of data on prehistorical and historical earthquakes and tsunamis in the region of a nuclear power plant in order to protect the plant against rare extreme seismic events that may occur only once every ten thousand years.36 Historical data was used in assessing plant safety. The original design-basis tsunami for Fukushima Daiichi of 3.1 meters was chosen because a 1960 earthquake off the coast of Chile created a tsunami of that height on the Fukushima coast.37 However, greater attention should have been paid to evidence from further back in history. Over the last decade or so, evidence of much larger tsunamis in and around Miyagi has emerged. Japanese researchers have discovered layers of sediment that appear to have been deposited by tsunamis and have concluded that the region had been inundated by massive tsunamis about once every one thousand years.38 They have attributed the most recent of these events—in 869 AD—to a magnitude 8.3 earthquake. More generally, given the historical record of tsunamis in Japan, TEPCO and NISA should have been much more conservative in defining the design-basis tsunami. For instance, one compilation of historical tsunamis in and around Japan lists twelve events since 1498 having a maximum amplitude of more than 10 meters, six of which had a maximum amplitude of over 20 meters.39
Of course, such “red flags” are much easier to spot with the benefit of hindsight than they are ahead of a disaster. The challenge of sifting through and evaluating the stream of potentially relevant geophysical studies to extract data important to nuclear power plant safety should not be underestimated. Perhaps not surprisingly, there has been a fairly bitter debate within Japan about whether academia did not provide suitable warnings or whether it did and industry and regulators ignored them. Nonetheless, Japan has a historical legacy of severe tsunamis; it does appear that heeding this record, especially as it relates to the area around the plant, would have led to an upward revision of the design basis for Fukushima Daiichi Nuclear Power Station and perhaps consequently to infrastructural improvements to better defend the installation.
Second, there appear to have been deficiencies in tsunami modeling procedures, resulting in an insufficient margin of safety at Fukushima Daiichi. A nuclear power plant built on a slope by the sea must be designed so that it is not damaged as a tsunami runs up the slope. In 2002, the Japan Society of Civil Engineers developed a detailed methodology for determining the maximum run-up of a tsunami.40 This methodology prompted TEPCO, voluntarily, to revise the design-basis tsunami at Fukushima Daiichi from 3.1 meters to 5.7 meters. However, in at least one important respect, TEPCO does not appear to have implemented the relevant procedures in full.
In keeping with international best practices, the Japan Society of Civil Engineers methodology requires computer modeling based on detailed site-specific data.41 Yet, a report by the IAEA prepared following its expert mission to Japan from May 25 to June 2, 2011, notes that “[i]t seems also that [TEPCO’s] calculation of the run up have [sic] not considered the specific and detailed arrangements of plant layout.”42 In other words, TEPCO’s simulations to determine how far above sea level a tsunami would reach were inadequate.
Moreover, whatever calculation TEPCO did perform seems questionable. During its mission to Japan the IAEA was told by TEPCO that, according to its calculations, a 5.7 meter tsunami would not run up “significantly” above that height. However, preliminary results from a 2008 study by TEPCO (that was not reported to the IAEA and is discussed further below) reportedly indicated that a 9 meter tsunami could have a run-up of over 15 meters.43 Indeed, on March 11, a 9 meter tsunami did flood the neighboring Fukushima Daiini Nuclear Power Station, which is built on a 12 meter slope.44 These observations raise important questions about whether even a 5.7 meter tsunami (like the one TEPCO believed the plant could withstand) would have caused serious damage to Fukushima Daiichi Nuclear Power Station. Given that such a tsunami might have run up higher than anticipated, it is possible it could have damaged vulnerable low-lying components such as the seawater pumps.
Improved modeling of tsunami run-up—had it been heeded—might have provided information that could have prompted TEPCO to take mitigating action in advance of the accident on March 11, even if that modeling had assumed a smaller tsunami than the one that actually inundated the plant. Specifically, it would probably have warned TEPCO that its tsunami defenses were inadequate. Enhanced defenses would have widened safety margins at the plant and might have mitigated the consequences of a tsunami that was larger than the plant was designed to withstand.
Enhanced defenses would have widened safety margins at the plant and might have mitigated the consequences of a tsunami that was larger than the plant was designed to withstand.
Not only did TEPCO not implement the Japan Society of Civil Engineers methodology in full, but the methodology itself is flawed because it focuses exclusively on evaluating run-up on the grounds that “other phenomena are less important than that of the water level.”45 “Other phenomena,” which include the hydrodynamic force of the tsunami and the effects of any debris and sediment it may be carrying, can cause extensive damage to a nuclear power plant. International best practices, as promulgated by the IAEA, requires such phenomena to be considered, as does the U.S. Nuclear Regulatory Commission.46 The failure to consider them at Fukushima may have given plant operators a false sense of the safety margins at the plant in the event of a beyond-design-basis tsunami.
To be fair, it appears that there were no suitable tools available in Japan for TEPCO to analyze the full range of effects of a tsunami. But given the prevalence of tsunamis in Japan, NISA should have encouraged the development of such instruments in keeping with international standards.
Since the IAEA mission it has emerged that, in 2008, TEPCO did in fact perform some preliminary computer modeling that tentatively suggested the tsunami hazard to the plant had been severely underestimated.47 TEPCO stated that, at the time, it was not convinced of the simulations’ reliability and intended to pursue them further in collaboration with the Japan Society of Civil Engineers.48 This follow-up appears not to have taken place. TEPCO informed NISA of its results only three years later on March 7, 2011.
These simulations assumed a repeat of the 869 AD earthquake.49 Because this event was larger than the earthquake on which previous simulations were based, the resulting tsunami was predicted to be higher. Given the new simulations were based on an actual historical earthquake, they should have been followed up on immediately. Had the results been verified, TEPCO may have been able to take corrective action in time to avert the disaster of March 11, 2011.
Further evidence of NISA’s insufficiently conservative strategy for assessing safety margins comes from its approach to seismic safety. Following the 2006 publication of new earthquake safety guidelines and the 2007 earthquake that affected the Kashiwazaki-Kariwa station, the seismic design basis for all Japanese nuclear power plants was reevaluated and at some, including Fukushima Daiichi, it was increased. Under a process known as back checking, no work was required at plants—including Fukushima—that already met the revised guidelines. The problem with this approach is that it narrows margins of safety and could lead to “cliff edge” effects in the event of a beyond-design-basis earthquake. Indeed, there was clearly some concern about this problem among Japanese utilities. For instance, when Chubu Electric Power Company chose to expand the seismic design basis for its Hamaoka Nuclear Power Plant (actually prior to 2006), it did undertake physical improvements at the plant, even though they were not required under the back-checking process, in order to widen safety margins and hence mitigate the consequences of a beyond-design-basis earthquake.50
Japan’s regulators appear to have been inattentive to tsunami risks.
Third, a fundamental principle of nuclear safety is the existence of an effective and independent regulator to set safety rules and to ensure compliance with them. Japan’s regulators, however, appear to have been inattentive to tsunami risks. NISA’s guidelines for reviewing nuclear power plant safety were set by a separate body, the Nuclear Safety Commission (the two bodies will be merged as part of an ongoing regulatory reform). Remarkably, the basic guidelines, The Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities (last updated in 1990), do not mention tsunami safety specifically. The issue is captured only by a catch-all clause about ensuring safety in the event of “other postulated natural phenomena than [an] earthquake.”51 An official methodology to assess tsunami safety was only developed as late as 2002, and tsunami safety was finally mentioned explicitly for the first time in a 2006 revision to a specific guide dealing with seismic safety.
By contrast, computer modeling of tsunami safety was called for as early as the first IAEA guide on flooding hazards at coastal nuclear power plants published in 1983.52 (And indeed utilities, including TEPCO, had carried out such studies even before then.53) Moreover, the Japan Society of Civil Engineers’ methodology that was developed in 2002 appears to have been employed solely by Japanese utilities and not by NISA’s technical support agency, the Japan Nuclear Energy Safety Organization, for review purposes.
A senior NISA official has confirmed to us that NISA neither “commissioned nor reviewed” numerical studies of tsunami run-up at Fukushima Daiichi.54 NISA’s failure to update the licensing documents for the plant when TEPCO voluntarily changed the design-basis tsunami from 3.1 to 5.7 meters is yet more evidence of its inattention to tsunami safety. In short, NISA appears to have failed in its responsibilities to review compliance with tsunami safety standards and also to update them in light of both emerging new evidence and evolving international standards.
NISA appears to have failed in its responsibilities to review compliance with tsunami safety standards and also to update them in light of both emerging new evidence and evolving international standards.
Had international standards and best practices been followed, the scale of the natural disaster on March 11, 2011, might have been predicted, giving TEPCO the opportunity to enhance plant defenses. We say “might” rather than “would” because while it is often possible after the fact to point to indicators of an impending disaster, we also recognize that, in practice, hazard prediction is challenging. In any case, the accident sequence dramatically demonstrated that the plant was not equipped to cope with the events of March 11. Could the plant have been better prepared? Could prior actions by TEPCO and regulators have prevented a severe accident?
A Missed Opportunity
In theory, during the decade before the accident, NISA might have urged or required TEPCO to significantly strengthen the design of the Fukushima Daiichi Nuclear Power Station. NISA had been reviewing the safety of unit 1 related to a TEPCO request to extend its operating lifetime. Just a few weeks before the accident, NISA gave unit 1 the green light to operate for an additional ten years.
Japan is a densely populated, highly industrialized country with few energy natural resources. Beginning in the 1990s, and especially thereafter in response to the realities of global climate change, Japan’s government and industry planned to significantly increase the country’s reliance on nuclear energy. An important component of Japan’s nuclear strategy was to extend the operating lifetime of a score of reactors that by 2012 would be at least thirty years old and that produce about a third of Japan’s nuclear electricity.55 Fukushima Daiichi unit 1 began operating in March 1971. Under Japanese rules, to operate it beyond an initial forty-year period, TEPCO required the approval of regulators. Japanese regulations do not impose an absolute legal limit on the operating lifetimes of the country’s nuclear power plants. Under an agreement between regulators and plant owners, before the end of a plant’s thirtieth year of licensed operation, a so-called “soundness assessment” is carried out to determine whether it can continue operating for a longer period, foreseen by owners to be as long as sixty years. The assessment is mainly focused on equipment and structures having a safety function and specifically addresses aging issues. A plant deemed sound enough would be eligible to be operated for an additional ten or more years, on the basis of a “long-term maintenance plan” that would include component monitoring. The focus is on selected equipment that may suffer age-related degradation and failure, not on safety weaknesses related to the design or configuration of the installation.
Japan is not unique in concentrating attention on the status of aging equipment during reactor lifetime extension examinations. This is also the case in other advanced nuclear programs. In fact, IAEA peer reviews of some countries’ national regulatory systems have criticized that procedures for extending the lifetime of older reactors have neglected other safety issues and are too specifically focused on plant aging.
Procedures for extending the lifetime of older reactors have neglected other safety issues and are too specifically focused on plant aging.
In February 2011, just one month prior to the Fukushima accident, NISA granted TEPCO a ten-year operating license extension for unit 1 after a technical review and some modifications that were carried out the year before.56 The license extension was permitted on the basis that TEPCO would monitor the condition of critical components during the term of the extended license.57 It was not based on a reevaluation of the tsunami safety of the plant and did not require that TEPCO take significant actions to increase tsunami resistance of the installation before the unit began operating under its extended license. In the view of one senior Japanese executive, it would have been “difficult to detect the vulnerability of [the plant’s] design to a tsunami using this system.”58
Japan’s nuclear regulatory guidelines themselves made clear neither what level of protection against a tsunami threat was required nor what steps TEPCO should undertake to protect the plant from a tsunami. When Japan’s Nuclear Safety Commission in 2006 included tsunami risk for the first time in its guidelines for nuclear power plant seismic safety, the requirement for tsunamis was loosely worded: “Safety functions of facilities shall not be affected by a tsunami which could be appropriately postulated to occur even if rarely during the operation period of the facility.”
After the Fukushima accident, the chairman of the Nuclear Safety Commission stated that the body’s seismic safety guidelines should be revised to reflect a “dramatic improvement of the present measures for ensuring safety.”59 The Japanese government is currently in the process of revising its requirements for nuclear power plant life extension. Draft legislation containing far more stringent requirements and procedures has been approved by the cabinet60 and submitted to Japan’s national parliament for its consideration.61
How Could the Plant Have Been Protected?
Though Japan was quite slow to adopt firm regulations for protection against the tsunami threat, it was not for lack of knowledge of proper guidelines and review processes. Japan, like many other advanced countries, requires periodic safety reviews to assess and update the safety status of nuclear installations at ten-year intervals. According to executives and safety experts with many years of experience in nuclear power programs outside of Japan and at the IAEA, and who have knowledge of Japan’s nuclear power program, Japanese industry and government would have been familiar with, and in some cases participants in, international efforts to review the safety of nuclear power plants concerning severe externally caused events. On the basis of this activity, TEPCO and Japanese regulators should have taken well-understood and straightforward engineering measures to better protect the Fukushima Daiichi Nuclear Power Station before the accident occurred.
TEPCO and Japanese regulators should have taken well-understood and straightforward engineering measures to better protect the Fukushima Daiichi Nuclear Power Station before the accident occurred.
According to these experts, on the basis of international knowledge accumulated during the four-decade operating lifetime of the Fukushima Daiichi Nuclear Power Station and put into practice at nuclear power plants elsewhere, TEPCO, encouraged by Japanese regulators, could have taken some or all of the following actions to have protected the plants against a tsunami:
- Moving emergency diesel generators and other emergency power sources to higher ground on the plant site
- Establishing watertight connections between emergency power supplies and the plant
- Building dikes and seawalls to protect against a severe tsunami
- Installing emergency power equipment and cooling pumps in dedicated, bunkered, watertight buildings or compartments
- Assuring that seawater-supply infrastructure is robust and providing additional robust sources to serve as the plants’ ultimate heat sink.
When the Fukushima Daiichi station was constructed, the emergency diesel generators and emergency batteries were installed on the floor inside the plant building to afford protection against earthquakes. Ventilation ducts in the compartments where this equipment was located were not waterproofed. Moving this emergency power equipment to higher ground, safety experts said, would not have increased its vulnerability to seismic shock, provided it was fixed to a platform designed to resist earthquakes.62
The value of taking such action was demonstrated by upgrades that one Japanese utility, Japan Atomic Power Company (JAPC), was in the process of carrying out when the tsunami struck Japan’s east coast. JAPC’s Tokai-2 plant is located about 100 miles south of Fukushima, and the tsunami that ravaged Fukushima also caused flooding at Tokai-2. Prior to the tsunami, JAPC had partially implemented plans to erect a wall to prevent tsunami water from flooding two pits at the plant where seawater pumps were located and to make the pump rooms watertight. The wall was erected before the tsunami occurred. Water entered one of the pits because spaces where pipes penetrated into the pit had not yet been made watertight before the accident. In that pit, a seawater pump that provided cooling for an emergency diesel generator was damaged and unable to function, forcing JAPC to shut down the generator. But no flooding occurred at the other pit where pipe penetrations had been made watertight.63 This saved the cooling pumps for two more diesel generators. Had JAPC not carried out these upgrades, it would almost certainly have lost all three emergency diesel generators, potentially resulting in a much more serious accident.
Within just a few weeks after the accident at Fukushima, Japanese nuclear power plant owners began announcing concrete plans to make widespread and significant plant design changes and other upgrades.64 In April 2011, for example, Chubu Electric Power Company, Japan’s third-largest utility company, initiated work on surveys, measurements, and ground clearance to erect an 18-meter-high seawall to defend its Hamaoka nuclear power plant against a tsunami; construction is expected to be completed by the end of 2012.65 Separately, the company plans to waterproof the diesel generator rooms and the seawater pumps, install pumps in the basement of the buildings, double the plant’s connections to the electricity grid, and add another set of emergency diesel generators behind the main plant building at an elevation of 25 meters above sea level. On site, spare equipment for the seawater pumps will be stored in a bunkered facility and heavy earth-moving equipment will maintained.66 Similar measures are being undertaken or considered at other nuclear power stations in Japan.67 And according to Japanese executives and officials, shortly after the accident NISA ordered nuclear power plant owners to erect seawalls around their coastal installations with a minimum height of 15 meters.68
Some senior Japanese government and industry experts interviewed for this paper privately concurred that, had TEPCO and regulators taken these steps before, a severe accident with significant off-site radiation releases could have been avoided. Said one nuclear industry executive: “If the occurrence of the tsunami was assumed, I believe that it would have been possible to take technical measures” to prevent a severe accident. But before the accident the will to make these changes was not there.
International Best Practices
During the four decades that the Fukushima Daiichi Nuclear Power Station was in operation, nuclear safety authorities and nuclear power plant owners in several countries were establishing requirements and configuring nuclear power plants in ways that could potentially have saved the Fukushima Daiichi nuclear station from disaster had they been heeded. In particular, some regulatory bodies outside of Japan reassessed the safety of installations in the event of extreme flood hazards, a station blackout, and the loss of the ultimate heat sink. In the view of safety experts participating in such assessments, had Japan acted on these developments, the plant could have survived the tsunami that struck in March 2011.
Defense Against a Station Blackout
Compared to some nuclear power plants in other countries, the units at Fukushima Daiichi were considerably less protected against a loss of internal and external AC power on the site. In addition to the lack of waterproofing and bunkering that proved fatal to the emergency power supplies at Fukushima Daiichi, most of this equipment was water cooled, not air cooled as is the case for more modern nuclear power plants. The water-cooled diesel generators required a cooling water system connected to the ultimate heat sink.
There are ample instances of international review processes that have led to upgrades that can help protect nuclear power plants against station blackouts. For example, in the United States beginning in 1988, the Nuclear Regulatory Commission required that a nuclear power plant withstand a complete loss of AC power for between four and eight hours, depending on specific conditions. It then instituted a program to improve plants’ protection against station blackouts, and after 9/11, made further improvements, mandating so-called B.5.b measures. However, little information about post-9/11 measures has been made public, and the extent to which these measures have significantly reduced risk associated with a station blackout at a nuclear power plant in the United States is subject to debate.
Some senior European nuclear safety experts expressed the view that the Fukushima Daiichi units in fact likely met the U.S. station blackout criteria. Unit 1 featured an isolation condenser and units 2 and 3 were equipped with reactor core isolation cooling systems using turbine-driven pumps.69 In many plants in the United States, one expert said, the on-site AC power supply is not stronger than that at Fukushima Daiichi.
Despite this, one Japanese executive asserted that, compared to Japan, the post-9/11 reinforcement of power supply systems in the United States was considerable. Compared to the United States and Europe, he said, “In Japan there has been no large-scale reinforcement [of power supplies] against a station blackout.”70 One U.S. safety expert said that after 9/11 the U.S. government had encouraged Japan to implement similar measures, and that post-Fukushima inspections at some U.S. nuclear power plants demonstrated that those plants had made B.5.b upgrades that might have saved the reactors at Fukushima Daiichi.71
In Germany, the requirements to protect a nuclear power plant against a station blackout are specified in the regulatory document KTA 3701.72 Over the years these requirements have been amended and they now compel owners to provide for several layers of redundancies in emergency diesel generators and batteries including, for all plants, a group of bunkered generators.
According to an assessment last year by Germany’s Reactor Safety Commission, “the electricity supply of the German nuclear power plants is more robust throughout than Fukushima [Daiichi]. All German plants have at least one additional standby grid connection and more emergency diesel generators, with at least two of them being protected against external impacts.”73 Most German power reactors have at least four emergency diesel generators, plus additional diesel generators that are designed to expressly cope with external events.74
The situation in some nuclear power plants in some other European countries is similar.75 Each of the two-unit Doel-3/4 nuclear power plants in Belgium, for instance, is equipped with three backup diesel generators in the case of loss of off-site AC power, plus three more in bunkers. The older Doel-1/2 plant, built during the 1970s on a site located on a coastal estuary, is outfitted with four first-level diesel generators in the case of loss of off-site power, plus two more emergency diesel generators should these fail. These generators are not bunkered but are located in a separate “emergency systems building,” that has been upgraded to be protected against external events.76
Each unit at the three-unit Olkiluoto Nuclear Power Station in Finland, to give another example, is equipped with four emergency diesel generators necessary for a safe shutdown in all postulated conditions. Each emergency diesel generator is in a fireproofed compartment located well above the design-basis flood level calculated for the plant. There is also an air-cooled gas-turbine power plant backing up the emergency diesel generators. That power plant is located above the design-basis flood level for the station, is in a separate building, and features two separate generator units, each having two gas turbines. Each of the four gas turbines can supply more than enough power for all three nuclear power plants at Olkiluoto.77
In the aftermath of the accident at Fukushima, Japanese experts have drafted new, revised, and more stringent requirements for coping with a station blackout at a nuclear power plant.78
Loss of Ultimate Heat Sink
The March 11 tsunami disabled seawater pumps and all associated electrical and mechanical equipment at Fukushima Daiichi. Without an alternate heat sink, the plant was left without a way to cool its reactors. As it turns out, this absence of an alternate heat sink is a problem in other countries as well. Unlike the case for hardware defenses against a station blackout, post-Fukushima examinations by European Union country regulators testify to an absence of national requirements for providing backup alternate heat sinks to cope with a severe external event.
For German nuclear power plants, for example, “there is no requirement in the regulations for a diverse [alternate] heat sink.”79 The French nuclear safety authority noted in its report that, “in France, no power reactor with the exception of the [reactor] at Flammanville-3 now under construction has an alternate heat sink” such as the water table, a lake, or cooling tower.80 Alternate heat sinks in nuclear power plants in some other countries are, according to stress test reports, only partially available or have not been qualified under national nuclear safety regulations.81 At one Swiss nuclear power plant, featuring a boiling water reactor with some design features similar to that at Fukushima, regulators after March 2011 found that, in case of a failure of the primary riverine heat sink, at the time of the Fukushima accident, the plant would have needed an alternate heat sink. Regulators ordered a mobile pump–based system installed at the plant in 2011 and, for the longer term, they “required the installation of a new heat sink as a full-scale alternative to the river water supply.”82
Post-Fukushima examinations by European Union country regulators testify to an absence of national requirements for providing backup alternate heat sinks to cope with a severe external event.
But several owners of nuclear power plants in these countries, in consultation with regulators well before the accident in Japan, had provided alternate heat sinks that would be available in the case of a severe external event. These include the Borssele nuclear power plant in the Netherlands, which in the case of the loss of the main riverine heat sink is served by a system designed to be redundant and hardened against the impact from external events that vents steam via relief valves. It is also served by eight deep water wells designed to be seismic and flood resistant.83 Several nuclear power plants in Switzerland prior to the Fukushima accident were equipped with groundwater wells and, in one case, with an emergency cooling tower. River water pumping and intake equipment for the Swiss and Dutch plants is also designed to maximize reliability in case of postulated severe external events.84 The United Kingdom’s one pressurized water reactor, Sizewell B, has a reserve ultimate heat sink in the form of an air-cooled heat exchanger that is designed to remove decay heat from the core after shutdown should the primary seawater-cooled heat sink become disabled. This reserve system is situated in a separate building from the seawater pumps, enhancing redundancy (although the EU-mandated stress test on this reactor did identify some potential flooding vulnerabilities that need to be rectified).85
Particularly noteworthy are measures taken by Taiwan to protect its nuclear power plants against a severe tsunami by taking advantage of the physical geography of the plant layout. Like Japan, a number of reactors on Taiwan are located on the Pacific coast and the plant sites are vulnerable to extreme seismic events. To avoid the loss of the ultimate heat sink in the first place, the two-unit Chinshan boiling water reactor nuclear power station, built during the 1970s to essentially the same design as Fukushima Daiichi units 2 and 3, was designed to withstand a tsunami having a maximum amplitude of 10.73 meters above sea level. The plant was therefore built at 12 meters. In addition to emergency diesel generators located inside the plant and above the level of the postulated design-basis tsunami, two gas turbine electricity generators are available at an elevation of 22 meters. In the case of the loss of the primary heat sink, for emergency cooling, two water reservoirs were installed at an elevation of 62 meters. At Kuosheng, another site on Taiwan hosting two older boiling water reactors, the nuclear power plant was constructed at an elevation of 12 meters above sea level, above the design-basis tsunami of 10.28 meters. Two emergency gas turbine generators were installed at 22 meters, and two water reservoirs are located at 90 meters.86 By comparison, the physical geography of the Fukushima Daiichi site is more level, and critical equipment to provide the heat sink and emergency power was located at elevations too low to afford severe tsunami protection.
Protection Against Severe Flooding
NISA and TEPCO failed to heed relevant warnings from elsewhere in the world about the risk from flooding. In December 1999, a storm surge at high tide exceeded the design-basis flood scenario for the Blayais Nuclear Power Station in France, causing flooding at two units and a partial loss of power. The storm also resulted in the loss of some telecommunications links and road access to the site. Examination by French authorities revealed that dikes were too low and that rooms containing emergency equipment were insufficiently protected from flooding.
Recognizing that the Blayais event represented a systemic failure in hazard assessment, all nineteen nuclear power stations in France were thereafter ordered by regulators to identify all phenomena that could cause a flood, and to reassess site-specific flood management protection with regard to loss of off-site power, communications, and heat sinks. Some plants were required to raise dikes and walls. All had to waterproof building substructures, plant areas where floodwater could intrude, and rooms containing emergency equipment. Finally, plants’ safety was reassessed for the postulated case that a combination of extreme natural phenomena could simultaneously threaten any given plant. Upgrading of the French plants was carried out over seven years in a program monitored by regulators and at a cost of 110 million euros to the plants’ owner, Electricité de France.87
Between 1999 and 2001 the Blayais event was also studied at the Nuclear Energy Agency of the Organization for Economic Cooperation and Development, of which Japan is a member.88 The Blayais incident led some other countries to reassess the safety of their own plants against flooding, resulting in plant owners and regulators adopting measures to significantly improve protection.89 For example, analysis of the flooding at Blayais was included in a reassessment of the defense against external events at Belgium’s seven nuclear power plants undertaken in 2006–2007. It made some recommendations to upgrade the plants, not all of which had been implemented by the time of the Fukushima accident. By contrast, according to Japanese industry officials, Japanese safety experts were aware of the Blayais event but they did not rigorously reexamine the flood protection situation at the country’s own nuclear power plants.90
Protection against flooding and other external events are assessed during the periodic safety review process for many nuclear power plants worldwide. The Doel-1/2 nuclear power plants mentioned above were not originally designed to cope with a station blackout or a loss of ultimate heat sink in the case of a design-basis earthquake. But after an initial periodic safety review for these plants was carried out during the 1980s, a separate building was built to house additional cooling sources and emergency diesel generators and to protect these in the case of an external event. Other upgrades at Doel-1/2 were also required after the periodic safety review to better manage decay heat removal. These reviews considered specific scenarios where more than one external cause resulted in a severe event; thereafter, the height of the design-basis flood was increased from 9.13 meters to 9.35 meters (still well below the height of the river embankment built at the plant site at just over 12 meters).
Tsunami Risk Assessment
Finally, a growing divergence between their practices and evolving international standards should have alerted NISA and TEPCO to potential problems in their approach to tsunami risk assessments. In 2003, the IAEA published a safety guide on flood hazards for nuclear power plants, which contains guidance concerning all factors that must be considered in assessing the risk from tsunamis.91 The Japanese methodology did not meet this guidance since it focused only on evaluating tsunami run-up and ignored other salient factors such as the effect of debris.
The IAEA more forcefully injected itself into the issue of tsunami safety following a December 2004 tsunami that ravaged many seacoast areas in the Indian Ocean and shut down a nuclear power plant in India. A revision of the 2003 safety guide was developed with the participation of the World Meteorological Organization incorporating updated criteria and recommendations and integrating meteorological and hydrological hazards. A specific project, mainly supported by Japan and the United States, was launched in relation to tsunami hazard assessment methodologies.
Japan participated actively in the implementation of the project, but the IAEA findings were not translated into practice in time to protect Fukushima Daiichi from the tsunami in 2011. Nonetheless, given Japan’s participation in the project, it should have been well aware of how far its own practice was lagging behind international standards, and this should have prompted remedial actions.
Why Weren’t These Practices and Actions Carried Out at Fukushima Daiichi?
There is no simple answer to the question of why there were major safety deficiencies in the protection against tsunamis at Fukushima Daiichi and other Japanese nuclear power plants. On the basis of information provided by Japanese government and industry experts for this paper, there appears to be no consensus in Japan about what were the most important contributory factors and, in the most general sense, who was to “blame” for the accident. This paper does not intend to provide conclusive answers to these questions.
Regulatory Quality and Independence
It has been frequently asserted, including well before the accident, that NISA’s lack of independence from the Ministry of Economy, Trade and Industry’s Agency for Natural Resources and Energy, the government body responsible for promoting nuclear power, deterred NISA from asserting its authority to make rules, order safety improvements, and enforce its decisions.
During the 1990s and 2000s, Japan’s nuclear program was punctuated by several incidents that foreign nuclear regulators interpreted as a signature for a lack of effective and persistent oversight. These included a fatal criticality accident at a nuclear fuel production complex at Tokai in 1999, which the IAEA said was caused by “human error and serious breaches of safety principles.”92 The U.S. Nuclear Regulatory Commission reported internally that the cause of the Tokai accident was “inadequate regulatory oversight.”93 In 2002, top management executives at TEPCO resigned after the company and NISA confirmed that, for over a decade, nuclear power plant personnel systematically ignored regulatory procedures in failing to report engineering plant changes and falsifying installation status reports to regulators. In response to these events, Japanese industry and government made changes that were intended to restore public confidence in Japan’s nuclear power program, but the relationship between NISA and the Japanese government, on the one hand, and that between NISA and industry, on the other, was not fundamentally challenged.
Regulatory deficiencies in Japan were ultimately rooted in the lack of accountability in Japan’s “nuclear culture” and in low tolerance in Japanese society for challenging authority.
Following the Fukushima accident, there has been much more extensive domestic and international criticism of the Japanese regulatory system. This criticism has largely focused on NISA’s lack of independence from government. But NISA’s lack of independence from industry is perhaps even more problematic. Japan has put new rules in place to prevent the practice of amakudari (“descent from heaven”) in which senior regulators are appointed as senior executives in major utilities. Yet, a lesser-known practice—amaagari (“ascent to heaven”)—in which industry safety experts are employed by NISA’s technical support agency, the Japan Nuclear Energy Safety Organization, is also troublesome.94 To be clear, it would be both impractical and problematic for Japanese regulators not to use industry experts. However, until now, a comparative lack of independent expertise in Japan may have rendered NISA overreliant on them. Most obviously, industry experts on loan to the regulator may be reluctant to criticize their employers. Even those who have severed their formal association with industry may be less able or less willing than experts without much nuclear industry expertise to “think outside the box” and identify new potential safety issues. Solving this problem will require a large and long-term investment in human resources.
Japan’s regulatory system is currently being reorganized and a new, more powerful regulator under the Environment Ministry will be constituted in the spring of 2012. Establishing the formal independence of Japan’s regulatory body however will not result in stronger nuclear oversight if Japanese regulators will not assert themselves. Persons with many years of experience in Japan’s nuclear energy program have suggested to us that regulatory deficiencies in Japan were ultimately rooted in the lack of accountability in Japan’s “nuclear culture” and in low tolerance in Japanese society for challenging authority.
Ignoring Safety Threats
The U.S. Nuclear Regulatory Commission concluded that the 1999 criticality event at Tokai happened because during licensing of the facility, regulators “incorrectly concluded that there was ‘no possibility of criticality accident occurrence due to malfunction and other failures.’” The “resultant belief that a criticality accident was not credible,” the commission said, complicated management of the accident and may have led to radiation exposure of personnel.95 NISA and TEPCO likewise played down the threat of a tsunami and also, more broadly, the threat that an external event could cause a severe accident at a nuclear power plant.
When the era of commercial nuclear power generation began nearly a half century ago, safety experts initially were most concerned about the possibility that a serious accident would be caused by a sequence of events unfolding inside the plant—such as that leading to the Three Mile Island accident in the United States in 1979 and to the explosion at Chernobyl in 1986. Only gradually did concern become focused on the possibility that an extreme external event could cause a reactor to fail. And in some nuclear programs over time specific threat assessments for external events have changed. In Germany, for example, during the 1970s regulators and industry designed nuclear power reactors to withstand the impact from an F-104 jet aircraft because during the 1960s 292 of the Luftwaffe’s 916 F-104s had crashed. Germany’s reactors were not explicitly designed to withstand the impact of a crash of a passenger jet. After 9/11, German regulators and industry focused on defining, and then addressing, the threat of a severe accident caused by terrorists aiming a passenger jet into a reactor.96
The lack of clarity in defining responsibilities of industry and regulators permitted both sides to assert that the other was amiss in fulfilling its responsibilities.
Japan’s attitude to the threat of external events was extremely selective. On the one hand, Japan’s entire industrial and engineering culture is highly informed by the danger of seismic activity, and Japan has firm and robust technical requirements for all its civil engineering structures, including nuclear power plants. By contrast, Japan has been much slower to appreciate the potential danger of some other external events, especially tsunamis. A government-appointed investigation committee, headed by Yotaro Hatamura, Professor Emeritus at the University of Tokyo, explained in an interim report from December 2011, that
in the past, risks of tsunamis were not fully considered in the context of severe accident[s dealing] with incidents exceeding design standards. . . . The risk of [a] tsunami exceeding design basis [was] not considered. Therefore no preparation was made for eventualit[ies] such as “simultaneous and multiple losses of power” and “[station blackout] including DC power supplies.” No operational manuals were in place for recovering instrumentation equipment and power supplies, [primary containment vessel] venting, etc., in such conditions. Staff education was not organized for such [an] eventuality and equipment and materials for such recovering operations were not ready for use. . . . TEPCO did not take precautionary measures in anticipation that a severe accident could be caused by a tsunami such as the one [in March 2011]. Neither did the regulatory authorities.97
Why this should be the case might be explained at least in part by deficits in regulatory quality and independence as discussed above. Some Japanese government officials interviewed for this paper asserted that NISA had no authority to impose tsunami-related standards and plant design modifications on nuclear power plant owners. Some industry executives claimed instead that NISA did have this authority. If Hatamura’s above analysis is correct, the point may be moot. Neither NISA nor TEPCO were inclined to force the issue of tsunami safety because they didn’t believe an extreme tsunami was a serious threat. One foreign expert involved in peer reviews of Japan’s nuclear regulatory system said that the lack of clarity in defining responsibilities of industry and regulators has permitted both sides to assert that the other was amiss in fulfilling its responsibilities.98
Risk Assessment
One apparent difference between Japan’s nuclear culture and that in many other countries is its attitude toward risk. This may account in part for Japan’s reluctance to embrace methodologies that examined external events in risk-informed and probabilistic ways.
In numerous countries outside Japan, plant-specific probabilistic safety assessments routinely estimate the contribution of both internal and external events to core damage frequency—a common yardstick for nuclear power plant safety. In some of these countries, regulators required owners to design their installations to withstand a thousand-year flood event, and probabilistic methods were used to calculate the height of that flood. After the Blayais event in France, some countries imposed the requirement that nuclear power plants withstand a ten-thousand-year flood. European regulations for some events require that a one-million-year event is considered. IAEA guidelines encourage including both external and internal events in plant-specific probabilistic safety assessments.
The reluctance of authorities to reevaluate tsunami risk may reflect a more general Japanese cultural bias against open discussion of worst-case scenarios or contingencies for which Japanese society and its authorities may be unprepared.
According to Japanese government and industry officials, most Japanese safety rules follow from deterministic assessments. Regulations do not require probabilistic safety assessments to demonstrate that plants are protected against the threat of severe external events. Japanese experts said that especially after a severe earthquake damaged the Kashiwazaki-Kariwa Nuclear Power Station in 2007, plant-specific seismic probabilistic safety assessments in Japan have been carried out on an experimental basis but as of the date of the Fukushima accident, the results had not been used by owners or regulators in decisions about making design modifications.99 In the view of one Japanese executive, the bottom line was that Japan’s “utilization of risk information was insufficient, and the risk of [a station blackout] was not widely recognized by the management.”100
Still more broadly, Japanese nuclear officials and executives said the reluctance of authorities to reevaluate tsunami risk may reflect a more general Japanese cultural bias against open discussion of worst-case scenarios or contingencies for which Japanese society and its authorities may be unprepared. While earthquake safety is a subject that has generated wide public interest and debate in Japan for many decades, before the Fukushima accident tsunami safety was never singled out for intensive public or media scrutiny.
When public and political pressure was brought to bear on the Japanese government to take effective action in response to the accident, NISA quickly reacted by requiring reactors in Japan to erect 15-meter-high seawalls. According to Japanese experts in both government and industry, NISA’s order, as well as the decision by Chubu Electric Power Company to erect an 18-meter wall at Hamaoka, was made under political duress, not on the basis of the application of a scientific methodology to identify a design-basis tsunami at any specific location.
Ultimately, in the view of some Japanese experts queried for this paper, the accident at Fukushima Daiichi was an expression of supreme overconfidence by decisionmakers that Japan’s nuclear power program would never suffer a severe accident. The station blackout condition is covered by the 1990 safety guide established by Japan’s Nuclear Safety Commission, which states that “nuclear reactor facilities shall be designed such that safe shutdown and proper cooling of the reactor after shutting down can be ensured in case of a short-term total AC power loss.” According to a senior Japanese nuclear executive, “short-term” was interpreted to mean thirty minutes or less. A long-term loss of power was not included in the design basis of nuclear power plants, meaning that their owners did not have to demonstrate that it would be prevented. (In practice, Japanese power plant operators provided emergency power supplies for a longer period, but most emergency DC batteries at Fukushima Daiichi did not survive the tsunami.)
Another illustration of this excessive confidence is that, unlike nearly all other power reactor owners worldwide, Japanese utilities face unlimited liability in the event of an accident. This provision was apparently implemented at the request of plant owners, who wanted to demonstrate their confidence in the safety of their power plants to local populations.
Japanese utilities face unlimited liability in the event of an accident, a provision that was apparently implemented at the request of plant owners, who wanted to demonstrate their confidence in the safety of their power plants to local populations.
One executive said that, compared to the United States and Europe, in Japan there is less concern about station blackout risk because of the great reliability of the Japanese power supply system. “We fundamentally believed that if we lost off-site power, we would be back up on the grid in no more than about half an hour,” he said. Compared to the United States and Europe, he also said, Japan’s nuclear program was not convinced that there was a direct relationship between nuclear safety and nuclear security. For this reason, he said, “Japan was negligent in evaluating the approaches taken by the U.S. after 9/11 from the viewpoint of nuclear safety.”
Corporate and Nuclear Culture
Some safety experts in Japan suggested that the lack of concerted attention to tsunami safety at Fukushima over several decades may have been less an expression of general Japanese safety culture deficiencies and at least partially attributable to deficiencies in TEPCO’s management culture.101 A few suggested that TEPCO tolerated or encouraged the practice of covering up problems. They described TEPCO’s concealment of actions from regulators prior to 2002 as a systematic effort to bypass rules and procedures that require plant owners to provide regulators detailed documentation of plant activities and to obtain regulatory approvals for actions that have little or no safety significance.
In many other nuclear programs, a so-called in-service inspection rule permits nuclear power plant owners to repair or replace equipment having little safety significance without having to shut down the plant and obtain regulatory approval for such actions. In one case, however, the results of a leak-tightness examination for a reactor containment—clearly a safety-significant issue—were falsified at Fukushima Daiichi.102 It must also be said that personnel at other utility companies likewise engaged in these deceptive practices, albeit apparently to a lesser degree.
The generally low priority awarded to tsunami safety in Japan’s nuclear program is also reflected in funding arrangements for risk research.
More generally, some nuclear industry executives and officials in Japan have blamed bureaucratic and professional stovepiping, as well as insularity and elitism attributed to Japan’s nuclear energy sector, for the unwillingness of nuclear professionals to take advice from experts outside the nuclear field. That, they said, might partly explain why Japanese nuclear installations are well protected against earthquakes but may be far more vulnerable to tsunamis.
The generally low priority awarded to tsunami safety in Japan’s nuclear program is reflected in funding arrangements for risk research. An official from NISA noted that much of the agency’s funding was devoted to earthquake safety, thereby marginalizing tsunami safety. In 2005, Japan’s leading nuclear safety research center, the Japan Atomic Energy Research Institute, was merged with another government agency, the Power Reactor and Nuclear Fuel Development Corporation, to form the Japan Atomic Energy Agency. Some Japanese experts assert that the merger inhibited support and funding for pioneering investigation into tsunami-related nuclear risk.
As one government official said, “there are many tsunami experts in Japan,” but their findings as a rule have “not been taken seriously” by industry and government agencies responsible for making rules on nuclear safety issues. This is borne out by the Japanese commission’s investigation, which noted that no tsunami experts were involved in drafting the tsunami-related safety clauses in the 2006 guidelines on seismic safety.103 In a similar vein, Japanese media reports asserted that TEPCO’s top management ignored warnings from Japanese experts that tsunamis were a serious safety threat.104
For nuclear safety decisionmaking, the most significant tsunami awareness in Japan may be local. In 1979, the Tohoku Electric Power Company relocated the site for its three-unit Onagawa Nuclear Power Station prior to construction in light of tsunami concerns. The March 2011 earthquake and tsunami devastated the town of Onagawa, located about 75 miles north of Fukushima. The event knocked out four of five power lines connecting the power station to the grid. Unlike at Fukushima Daiichi, where turbine buildings hosting emergency diesel generators suffered a direct assault from the tsunami, the Onagawa station was better protected. According to Japanese safety officials and the plant owner, it escaped serious damage because prior to construction, a civil engineer employed by the owning utility company, having personal local knowledge of tsunami dangers, insisted that the plant site be moved to higher ground and farther back from the seacoast.105
One official suggested that because decisionmaking for the Onagawa nuclear plant project at Tohoku Electric Power Company involved local personnel, top management there may have been more receptive to making costly siting changes. But that knowledge may be underutilized elsewhere. The lack of follow-through by TEPCO at Fukushima prior to March 2011, despite voluntary initiatives its staff undertook beginning in 2002 to investigate tsunami risk, may have reflected a high concentration of decisionmaking and lack of local knowledge at corporate headquarters in Tokyo.106
Conclusion
The combined earthquake and tsunami that struck the Fukushima Daiichi Nuclear Power Station was not simply the Japanese nuclear power program’s bad luck, nor was the event an unpredictable act of god that the power reactors at the site—or nuclear power–generating infrastructure in general—could not possibly have withstood.
Intensive investigation of nuclear safety issues in nuclear power programs worldwide in the aftermath of the accident in Japan has revealed potential vulnerabilities of many reactors to extreme external events. In France alone, regulators will issue about one hundred new rules, and plant owner Electricité de France will implement scores of actions at 58 plants concerning issues such as the possible loss of power and loss of heat sinks during extreme events107 costing an estimated 10 billion euros.108
Had TEPCO and NISA heeded timely warnings and good practices elsewhere, they might have realized that the tsunami threat to Fukushima Daiichi had been underestimated and that they could have defended the plant against the natural forces that fatally crippled three reactors at the site without such advance preparations.
But in Japan, which unlike some other countries did not systematically revisit issues critical to tsunami safety during the last two decades, the weaknesses—in hazard assessment and in plant design—were greater. Had the plant’s owner, TEPCO, and the Japanese regulator, NISA, heeded timely warnings and good practices elsewhere about the dangers discussed above, they might have realized that the tsunami threat to Fukushima Daiichi had been underestimated and that they could have defended the plant against the natural forces that fatally crippled three reactors at the site without such advance preparations.
Accurate hazard prediction is extremely challenging. It is always possible, after the fact, to spot indicators of an impending disaster that, in this case, included evidence for massive tsunamis inundating the region once every one thousand years. However, the clearest warning signs of potential risk before the accident were procedural: Japan’s methodology for assessing tsunami risks lagged markedly behind international standards, TEPCO did not even implement that methodology in full, and NISA showed little concern about the risks from tsunamis. Given Japan’s historical legacy of tsunamis, this last point—NISA’s inattention to tsunamis—should have warned the Nuclear Safety Commission (which was supposed to act as a check on NISA) that potential risks might have been underestimated.
Akira Omoto, a member of Japan’s Atomic Energy Commission, said that a Gedankenexperiment to identify what engineering design attributes could have “saved Fukushima” might conclude that these included—as our foregoing treatment suggests—“protection against natural hazards” and “plant capability against [a station blackout] and against isolation of the ultimate heat sink.”109
Regardless of a certain homogenization of nuclear safety practices and standards among advanced nuclear programs worldwide during the last half century, significant differences remain in the safety approaches among nuclear programs in Japan, Europe, and the United States. In general, European regulators appear to have most consistently and expressly required nuclear power plants to undergo expensive engineering modifications to enhance safety. In the United States, one European regulator said, the approach is not to enhance safety but to maintain it. There, decisions to make engineering upgrades at nuclear power plants—especially significant and costly ones—are routinely based on calculations of costs and benefits and safety margins. This approach is based on a so-called “backfit rule,” which in the view of some safety experts and regulators discourages safety upgrades requiring expensive engineering changes at U.S. nuclear power plants.
Japan has no such “backfit rule,” but regulators have not routinely required making hardware modifications at nuclear power plants. Post-Fukushima draft amendments to Japan’s nuclear safety law and atomic energy act include provisions giving Japan’s new regulatory body the express authority to require power plant owners to make hardware upgrades.110 In view of concerns about tsunami protection, TEPCO began reinvestigating the matter in 2002 but as of March 2011 its investigations had not been brought to a conclusion such that management and regulators were motivated to make engineering modifications that might have saved three units at Fukushima Daiichi.
Given that Japanese industry and government during the 2000s had been exposed to expert doubt that Japanese nuclear power plants were fit to cope with tsunami risk, had decisionmakers then taken the tsunami threat seriously, NISA and TEPCO could have made some or all of the hardware upgrades discussed in this paper well before regulators gave TEPCO a green light to operate the oldest of six reactors at Fukushima Daiichi for an extended ten-year term just weeks before the accident. In the absence of clear regulatory authority and the political will to require these modifications, such a decision would have had to be predicated upon TEPCO’s understanding that the nuclear power station, without these modifications, was not adequately defended against a severe tsunami. In the absence of evidence of any decisions by TEPCO to order those upgrades to be carried out prior to the accident, we must assume that before March 2011 the company did not conclude that the tsunami risk was unacceptably high.
A former IAEA safety official with many years of experience in assessing the safety of nuclear power plants against extreme events said that the failure of NISA and TEPCO to make sure that Fukushima Daiichi Nuclear Power Station had been better prepared for what happened in March 2011 raised questions about Japan’s political will to effectively enforce a growing international consensus that an array of potential external threats must be addressed. Measures to improve resistance to flooding, a loss of the ultimate heat sink, and a station blackout could have been identified in a straightforward manner and in accordance with internationally recognized methodologies as recommended by the IAEA. Indeed, immediately after the accident, Japan’s nuclear power plant owners announced plans to take steps that experts interviewed for this paper said could have averted a severe accident with significant off-site radiation releases.
With appropriate foresight by Japan’s authorities and industry, it appears that the accident could have been avoided or prevented.
It would be wrong to conclude that the accident at Fukushima revealed a fatal and uncovered intrinsic risk associated with nuclear power technology and infrastructure. With appropriate foresight by Japan’s authorities and industry, it appears that the accident could have been avoided or prevented. At the time of the accident, it appears that Japanese industry and government were taking tentative steps toward what might have emerged as a consensus view that Japan’s nuclear power plants were not prepared to cope with an extreme tsunami. But they had not overcome impediments inhibiting TEPCO and NISA from taking effective action sooner.
External threats to nuclear installations are dynamic. In recent years, threats due to natural causes have been augmented by threats from sabotage and terrorism. In the future, they will include local threats resulting from global climate change. In the aftermath of the Fukushima disaster, Japan, as well as all other nuclear power–generating countries, should make sure that nuclear power plants can withstand all such threats, including multi-threat scenarios that the Fukushima accident dramatically underscored were credible but until then had not been considered in the threat assessments of many nuclear programs worldwide.
1 Reconstruction Unit Secretariat, “Report on the Number of Evacuees Across the Country, Prefectural and Other Refugees,” February 1, 2012, www.reconstruction.go.jp/topics/20120201zenkoku-hinansyasu.pdf.
2 International Nuclear Safety Advisory Group, “Basic Safety Principles for Nuclear Power Plants,” 75-INSAG-3 Rev. 1, 1999, www-pub.iaea.org/MTCD/publications/PDF/P082_scr.pdf, para 27.
3 The description of the accident presented in this section is largely drawn from the IAEA report on Fukushima, except where otherwise stated. IAEA, “IAEA International Fact Finding Expert Mission of the Fukushima Dai-ichi NPP Accident Following the Great East Japan Earthquake and Tsunami,” June 16, 2011, www-pub.iaea.org/MTCD/meetings/PDFplus/2011/cn200/documentation/cn200_Final-Fukushima-Mission_Report.pdf.
4 U.S. Geological Survey, “Largest Earthquakes in the World Since 1900,” http://earthquake.usgs.gov/earthquakes/world/10_largest_world.php.
5 The systems with limited functionality in the absence of power were an isolation condenser (in unit 1) and a reactor core isolation cooling (RCIC) system (in units 2 and 3). An isolation condenser takes steam from the reactor core, passes it through a tank of water to cool and condense it, and then feeds it back as water into the reactor pressure vessel. The flow is gravity driven (i.e., no pumps are needed). The system in unit 1 had a thermal capacity of about eight hours. RCICs use steam from the core to drive a turbine and pump that replenishes the water in the pressure vessel. Although electricity is not required to drive pumps in either an isolation condenser or an RCIC, it is needed for instrumentation and to open and close the valves used for control. Moreover, RCICs will only function if the steam is above a certain pressure. In addition to an IC or RCIC, all units at Fukushima Daiichi contained various cooling systems that did require electricity. One of these, the HPCI (high-pressure coolant injection) system was activated in unit 3 (where some battery power was available) after the RCIC in that unit had failed.
6 Institute of Nuclear Power Operators (INPO), “Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station,” INPO 11-005, revision 0, November 2011, www.nei.org/filefolder/11_005_Special_Report_on_Fukushima_Daiichi_MASTER_11_08_11_1.pdf, 14.
7 According to one experienced nuclear power regulator, the fail-safe position for the relevant valves was closed, i.e., the isolation condenser was designed to be disabled in the event that control of the valves was lost. In this case, the state of the valves just prior to station blackout may have been immaterial. Personal communication, February 2012.
8 TEPCO, “Fukushima Daiichi Nuclear Power Station: Response After Earthquake,” June 18, 2011, www.tepco.co.jp/en/press/corp-com/release/betu11_e/images/110618e15.pdf, 4.
9 Justin McCurry, “Fukushima Fuel Rods May Have Completely Melted,” Guardian, December 2, 2011, www.guardian.co.uk/world/2011/dec/02/fukushima-fuel-rodscompletely-melted.
10 INPO, “Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station,” 9–10.
11 TEPCO, “Fukushima Nuclear Accident Analysis Report,” summary of interim report, December 2, 2011, www.tepco.co.jp/en/press/corp-com/release/betu11_e/images/111202e13.pdf, 10.
12 This includes 1.6x1017 Bq of I-131 and 1.5x1016 Bq of Cs-137 leading to a total emission of 7.6x1017 Bq I-131 equivalent. By comparison, the total emission from Chernobyl was 5.2x1018 Bq I-131 equivalent. Nuclear Emergency Response Headquarters, Government of Japan, “Report of the Japanese Government to the IAEA Ministerial Conference on Nuclear Safety: The Accident at TEPCO’s Fukushima Nuclear Power Stations,” June 2011, available from www.iaea.org/newscenter/focus/fukushima/japan-report, VI–1.
13 Investigation Committee on the Accidents at Fukushima Nuclear Power Stations of Tokyo Electric Power Company, “Executive Summary of the Interim Report,” December 26, 2011, http://icanps.go.jp/eng/111226ExecutiveSummary.pdf, 7–9. For a good discussion of the effects of the Chernobyl accident see David Bodansky, Nuclear Energy: Principles, Practices and Prospects, second edition (New York: Springer, 2004), 426–36.
14 Investigation Committee on the Accidents at Fukushima Nuclear Power Stations of Tokyo Electric Power Company, “Executive Summary of the Interim Report,” 7.
15 Ibid. See also TEPCO, “Fukushima Daiichi Nuclear Power Station,” 2–5.
16 The RCIC (see note 5) in unit 2 failed at about 1 pm on March 14. The HPCI in unit 3 was stopped at 2:42 am on March 13. TEPCO, “Fukushima Daiichi Nuclear Power Station,” 26 and 36.
17 IAEA, “IAEA International Fact Finding Expert Mission of the Fukushima Daiichi NPP Accident Following the Great East Japan Earthquake and Tsunami,” 30.
18 TEPCO, “Fukushima Daiichi Nuclear Power Station,” 2.
19 Investigation Committee on the Accidents at Fukushima Nuclear Power Stations of Tokyo Electric Power Company, “Executive Summary of the Interim Report,” 4.
20 TEPCO, “Fukushima Daiichi Nuclear Power Station,” 17. For other examples see 26 and 30.
21 Investigation Committee on the Accidents at Fukushima Nuclear Power Stations of Tokyo Electric Power Company, “Executive Summary of the Interim Report,” 4–7.
22 IAEA, “IAEA International Fact Finding Expert Mission of the Fukushima Daiichi NPP Accident Following the Great East Japan Earthquake and Tsunami,” 74.
23 Contrary to some media reporting there is not a proper sea wall at Fukushima Daiichi. There is a shallow breakwater around the plant, but it was apparently not designed to play any role in tsunami protection and is not regulated by NISA. Its role was simply to create a calm harbor for shipping.
24 IAEA, “IAEA International Fact Finding Expert Mission,” 75.
25 Masafumi Matsuyama, “Outline of Tsunami Evaluation Technology,” Nuclear Civil Engineering Committee, November 2, 2011, http://tinyurl.com/6qpuko9, 42.
26 TEPCO, “Report on Investigation Results Regarding Tsunami Generated by the Tohoku-Taiheiyou-Oki Earthquake in Fukushima Daiichi and Daini Nuclear Power Stations,” vol. 2 [outline], July 8, 2011, www.tepco.co.jp/en/press/corp-com/release/betu11_e/images/110708e18.pdf, 3.
27 Matsuyama, “Outline of Tsunami Evaluation Technology,” 51–70.
28 TEPCO, “Report on Investigation Results Regarding Tsunami Generated by the Tohoku-Taiheiyou-Oki Earthquake in Fukushima Daiichi and Daini Nuclear Power Stations,” 2.
29 Japan Weather Association, “Overview of the Tsunami caused by the 2011 off the Pacific coast of Tohoku Earthquake (bulletin report),” March 29, 2011, www.jwa.or.jp/static/topics/20110329/touhokujishin110329.pdf. For an alternative slightly different data set provided by the Japan Meteorological Office see Japan Meteorological Agency, Monthly Report on Earthquakes and Volcanoes (edition on disaster prevention), March 2011, www.seisvol.kishou.go.jp/eq/2011_03_11_tohoku/tsunami_jp.pdf.
30 IAEA, “IAEA International Fact Finding Expert Mission,” 70. Because of local geology, the ground motion at units 1, 4, and 6 was less severe than at units 2, 3, and 5.
31 IAEA, “IAEA International Fact Finding Expert Mission,” 71. It should be noted that damage to non-critical equipment can prove very problematic. For instance, highly radioactive water drained out of a pit at the plant and into the Pacific Ocean through a crack that was, presumably, created by the earthquake. David Batty, “Radioactive Water From Japan’s Fukushima Plant is Leaking Into the Sea,” Guardian, April 2, 2011, www.guardian.co.uk/world/2011/apr/02/japanfukushima-radioactive-water-leaking-sea.
32 Denis Normile, “Devastating Earthquake Defied Expectations,” Science, vol. 331, no. 6023 (2011): 1375–1376.
33 Nuclear Emergency Response Headquarters, Government of Japan, “Report of the Japanese Government to the IAEA Ministerial Conference on Nuclear Safety,” III-3 and III-16.
34 See Nuclear Power Corporation, “Impact of Tsunami that struck Kapakkam on 26 December, 2004,” press releases, www.dae.gov.in/press/tsunpcil.htm.
35 U.S. Nuclear Regulatory Commission, “North Anna Earthquake Summary,” www.nrc.gov/about-nrc/emerg-preparedness/virginia-quake-info/va-quake-summary.pdf.
36 For example, IAEA, Site Evaluation for Nuclear Installations, NS-R-3 (Vienna: IAEA, 2003), www-pub.iaea.org/MTCD/publications/PDF/Pub1177_web.pdf, paras. 3.2, 3.6(a), and 3.24–3.38.
37 IAEA, “IAEA International Fact Finding Expert Mission,” 74.
38 K. Minoura, F. Imamura, D. Sugawara, Y. Kono and T. Iwashita, “The 869 Jogan Tsunami Deposit and Recurrence Interval of Large-Scale Tsunami on the Pacific Coast of Northeast Japan,” Journal of Natural Disaster Science, vol. 23, no. 2 (2001), www.jsnds.org/contents/jnds/23_2_3.pdf, 83–88. See also K. Satake, Y. Sawai, M. Shishikura, Y. Okamura, Y. Namegaya, and S. Yamaki, “Tsunami Source of the Unusual AD 869 Earthquake off Miyagi, Japan, Inferred From Tsunami Deposits and Numerical Simulation of Inundation,” paper presented to American Geophysical Union, Fall Meeting 2007, December 2007, http://adsabs.harvard.edu/abs/2007AGUFM.T31G..03S.
39 Ludger Mohrbach et al., “Earthquake and Tsunami in Japan on March 11, 2011 and Consequences for Fukushima and Other Nuclear Power Plants,” VGB Power Tech (Germany), April 1, 2011, www.vgb.org/vgbmultimedia/News/Fukushimav15VGB.pdf.
40 The Tsunami Evaluation Subcommittee and the Nuclear Civil Engineering Committee, Japan Society of Civil Engineers (JSCE), “Tsunami Assessment Method for Nuclear Power Plants in Japan,” February 2002, www.jsce.or.jp/committee/ceofnp/Tsunami/eng/JSCE_Tsunami_060519.pdf.
41 JSCE, “Tsunami Assessment Method for Nuclear Power Plants in Japan,” 61.
42 IAEA, “IAEA International Fact Finding Expert Mission,” 75.
43 “TEPCO Warned of Big Tsunami 4 Days Prior to March 11,” Asahi Shimbun, August 25, 2011, http://ajw.asahi.com/article/0311disaster/quake_tsunami/AJ201108257639.
44 TEPCO, “Report on Investigation Results Regarding Tsunami Generated by the Tohoku-Taiheiyou-Oki Earthquake in Fukushima Daiichi and Daini Nuclear Power Stations,” 1–2.
45 JSCE, “Tsunami Assessment Method for Nuclear Power Plants in Japan,” 3.
46 For IAEA guidance see IAEA, Flood Hazard for Nuclear Power Plants on Coastal and River Sites, IAEA Safety Standard Series, NS-G-3.5, (Vienna: IAEA, 2003), www-pub.iaea.org/MTCD/publications/PDF/Pub1170_web.pdf, paras. 11.21– 22.3. For a description of U.S. practice see IAEA, Meteorological and Hydrological Hazards in Site Evaluation for Nuclear Installations, SSG-18, (Vienna: IAEA, 2011), www-pub.iaea.org/MTCD/publications/PDF/Pub1506_web.pdf, 120–26.
47 “TEPCO Warned of Big Tsunami 4 Days Prior to March 11.”
48 TEPCO, “Fukushima Nuclear Accident Analysis Report,” 2–4.
49 TEPCO, “Fukushima Nuclear Accident Analysis Report,” 4.
50 Personal communication, July 2011.
51 Nuclear Safety Commission of Japan, “Regulatory Guide for Reviewing Safety Design of Light Water Nuclear Power Reactor Facilities,” NSCRG: L-DS-I.0, August 30, 1990, www.nsc.go.jp/NSCenglish/guides/lwr/L-DS-I_0.pdf, para. 2.(2).
52 IAEA, Design Basis Flood for Nuclear Power Plants on Coastal Sites, Safety Series 50-SG-S10B (Vienna: IAEA, 1983), 26.
53 IAEA, “IAEA International Fact Finding Expert Mission,” 75.
54 E-mail communication from senior NISA official, August 25, 2011.
55 “Japan’s Uncertain Nuclear Energy Outlook in 2012,” Institute for Energy Economics Japan (IEEJ) Energy Brief, January 31, 2012, www.siew.sg/energyperspectives/alternative-energies/japans-uncertain-nuclear-energy-outlook-2012.
56 World Nuclear Association, “Nuclear Power in Japan,” February 2012, www.worldnuclear.org/info/inf79.html.
57 Hiroko Tabuchi, Norimitsu Onishi, and Ken Belson, “Japan Extended Reactor’s Life, Despite Warning,” New York Times, March 21, 2011, www.nytimes.com/2011/03/22/world/asia/22nuclear.html?_r=2&pagewanted=all.
58 Personal communication, January 2012.
59 “To Chairman of Special Committee for the Nuclear Safety Standards and Guides, Chairman of the Nuclear Safety Commission, About the Examination of the Regulatory Guides for Safety Review (Direction),” 43rd Session of the Nuclear Safety Commission of Japan, Document no. 1, www.nsc.go.jp/NSCenglish/geje/doc_dis/2011_43rd/2011_0616_43th_doc1.pdf.
60 Mari Yamaguchi, “Japan Cabinet OKs Bill to Cap Nuke Reactor Life,” Associated Press, January 31, 2012, www.google.com/hostednews/ap/article/ALeqM5jZtFBo8gzMIAnhRe2JwCmPdslsbw?docId=d575cdf0ba5c402a8ead3083b623a8d0.
61 Personal communication, January 2012.
62 Personal communication, November 2011.
63 “Receipt of a Report Regarding a Legally Reportable Event that Occurred at the Tokai-Daini Power Station, Owned by Japan Atomic Power Company,” News Release, Ministry of Economy, Trade and Industry (METI), September 2, 2011, www.atomdb.jnes.go.jp/content/000119422.pdf.
64 “Reactor Operators Accelerate Anti-Tsunami Defenses,” Asahi Shimbun, March 30, 2011, http://ajw.asahi.com/article/0311disaster/fukushima/AJ201103313751.
65 “Overview of Seawall Construction Work and Installation Schedule,” Chubu Electric Power Company, Incorporated, www.chuden.co.jp/english/corporate/ecor_releases/erel_pressreleases/__icsFiles/afieldfile/2011/12/16/111101.pdf.
66 World Nuclear News, “Hamaoka Protection Plans,” July 22, 2011, www.worldnuclear-news.org/RS_Hamaoka_protection_plans_2207112.html.
67 Atoms in Japan, “Power Utilities Announce Earthquake and Tsunami Measures Following Fukushima NPS Crisis,” April 3, 2011, www.jaif.or.jp/english/aij/member/2011/2011-04-03a.pdf.
68 Personal communication, January 2012.
69 See note 5 for explanation.
70 Personal communication, January 2012.
71 Personal communication, January 2012.
72 “Übergeordnete Anforderungen an die elektrische Energieversorgung in Kernkraftwerken” (General Requirements for Electrical Energy Supply in Nuclear Power Plants), Kerntechnische Ausschuss (German Nuclear Safety Standards Commission/KTA) 6/99, www.kta-gs.de/d/regeln/3700/3701.pdf.
73 “Plant-Specific Safety Review (RSK-SÜ) of German Nuclear Power Plants in the Light of the Events in Fukushima-1 (Japan),” (translation of Chapter 1 of the RSK statement entitled “Anlagenspezifische Sicherheitsüberprüfung (RSK-SÜ) deutscher Kernkraftwerke unter Berücksichtigung der Ereignisse in Fukushima-I [Japan]”), www.rskonline.de/English/downloads/memrskstnuezusammenfassungreven.pdf.
74 According to German safety experts, currently operating German pressurized water reactors have four emergency diesel generators plus four more to cope with external events. Pressurized water reactors shut down since 2011 have four emergency diesel generators (some of which are protected against external hazards) plus between one and three more emergency diesel generators designed to cope with external events. Operating German boiling water reactors have five emergency diesel generators (some of which are protected against external hazards) plus one more expressly designed to cope with external events. Boiling water reactors shut down since 2011 have between four and six emergency diesel generators (some of which are protected against external events) and some of these have up to two additional emergency diesel generators which are protected against external events.
75 Personal communication.
76 Federal Agency for Nuclear Control, “Belgian Stress Tests, National Report for Nuclear Power Plants,” December 23, 2011, www.ensreg.eu/sites/default/files/National_report_Master_2011.12.29.pdf.
77 Tomi Routamo (ed.), “European Stress Tests for Nuclear Power Plants, National Report, Finland,” Radiation and Nuclear Safety Authority, December 30, 2011, www.ensreg.eu/sites/default/files/EU_Stress_Tests_-_National_Report_-_Finland.pdf.
78 Personal communication, January 2012.
79 Federal Ministry for the Environment, Nature Conservation, and Nuclear Safety, “EU Stresstest National Report of Germany, Implementation of the EU Stress Tests in Germany,” www.ensreg.eu/sites/default/files/EU_Stress_test_national_report_Germany.pdf.
80 Autorité de Sûreté Nucléaire, “Complementary Safety Assessments of the French Nuclear Power Plants (European Stress Tests),” December 2011, www.ensreg.eu/sites/default/files/120106%20Rapport%20ASN%20ECS%20-%20ENG%20validated.pdf.
81 Routamo (ed.), “European Stress Tests for Nuclear Power Plants, National Report, Finland.”
82 Swiss Federal Safety Inspectorate, “EU Stress Test: Swiss National Report, ENSI Review of the Operators’ Reports,” http://static.ensi.ch/1326182677/swissnational-report_eu-stress-test_20111231_final.pdf.
83 Ministry of Economic Affairs, Agriculture and Innovation, “Netherlands’ National Fukushima Stress Test for the Borssele Nuclear Power Plant,” December 2011, www.ensreg.eu/sites/default/files/NetherlandsNatRep-StressTest2011-sec-v2.pdf.
84 Swiss Federal Safety Inspectorate, “EU Stress Test: Swiss National Report, ENSI Review of the Operators’ Reports.”
85 EDF Energy, “EU Stress Test, Sizewell B,” www.edfenergy.com/about-us/energygeneration/nuclear-generation/documents/sizewell-b-stress-test.pdf, 66.
86 Wen-Chun Teng, “Safety Re-assessment of Taiwan’s Nuclear Power Plants After Fukushiima Daiichi Accident,” presentation at the 26th Japanese-Sino Seminar on Nuclear Safety, Tokyo, Japan, July 26–27, 2011, www.aec.gov.tw/www/english/international/files/sino25-02.pdf.
87 Eric de Fraguier, “Lessons Learned from 1991 Blayais Flood,” RIC 2010 External Flood and Extreme Precipitation Hazard Analysis for Nuclear Plant Safety Session, March 11, 2010, www.nrc.gov/public-involve/conference-symposia/ric/slides/th35defraguierehv.pdf.
88 International Nuclear Information System (INIS), “Results of study and reference list regarding the Blayais nuclear power plant accident,” www.google.com/url?sa=t&rct=j&q=&esrc=s&frm=1&source=web&cd=3&ved=0CDIQFjAC&url=http%3A%2F%2Fjolisfukyu.tokai-sc.jaea.go.jp%2Fird%2Fsanko%2Ffile07.xls&ei=xjcYT9LhDY-CtQawqP3mDQ&usg=AFQjCNGm28eaR-IRKmbFVfgxOJ95h7wEiw&sig2=phQrE8LWTQoHh0ojtNxwog.
89 Personal communication, January 2012.
90 Personal communication, January 2012, with reference to the article, “Why Were Regulations on Station Blackout Delayed?” in the January 2012 edition of the Journal of the Atomic Energy Society of Japan, which documented that the author had found few references to the Blayais event in Japanese nuclear safety literature and official reports.
91 International Atomic Energy Agency, “Flood Hazard for Nuclear Power Plants on Coastal and River Sites.”
92 World Nuclear Association, “Tokaimura Criticality Accident,” July 2007, www.world-nuclear.org/info/inf37.html.
93 Division of Fuel Cycle Safety and Safeguards, Office of Nuclear Material Safety and Safeguards, Nuclear Regulatory Commission, “NRC Review of the Tokai-Mura Criticality Accident,” April 2000, www.nrc.gov/reading-rm/doc-collections/commission/secys/2000/secy2000-0085/attachment1.pdf.
94 Norimitsu Onishi and Ken Belson, “Culture of Complicity Tied to Stricken Nuclear Plant,” New York Times, April 20, 2011, www.nytimes.com/2011/04/27/world/asia/27collusion.html?pagewanted=all.
95 Division of Fuel Cycle Safety and Safeguards, Office of Nuclear Material Safety and Safeguards, Nuclear Regulatory Commission, “NRC Review of the Tokai-Mura Criticality Accident.”
96 Federal Office for Radiation Protection, “Sicherheit deutscher Atomkraftwerke gegen gezielten Absturz von Großflugzeugen mit vollem Tankinhalt” (Safety of German Nuclear Power Plants Against a Deliberate Crash of Large, Fully Fueled Aircraft), www.rskonline.de/downloads/snabsturzgroflugzeugen111001.pdf. In the view of some European safety officials, German nuclear power plant owners’ efforts to protect existing nuclear power plants against air crashes relied upon methods—such as use of smoke generators to disguise the location of critical infrastructure—which are unreliable and intended primarily to increase public acceptance.
97 Investigation Commission on the Accidents at Fukushima Nuclear Power Plant Station, Provisional Report, December 26, 2011, Executive Summary of the Interim Report, 16–18, http://icanps.go.jp/eng/111226ExecutiveSummary.pdf.
98 Personal communication, February 2012.
99 Personal communication, January 2012.
100 Personal communication, November 2011.
101 One safety official said that TEPCO had apparently disguised a track record of common-cause failures in equipment problems at its nuclear power plants by repairing equipment found to be faulty and then not recording the flaws. The practice became apparent, he said, when data from other Japanese utilities became available, documenting that they had experienced repeated failures in similar equipment but had kept records of the failures.
102 “TEPCO Admits Leaktightness Test Falsification,” Nuclear Engineering International, November 3, 2002, www.neimagazine.com/story.asp?storyCode=2017707.
103 Investigation Commission on the Accidents at Fukushima Nuclear Power Plant Station, Provisional Report, December 26, 2011, Executive Summary of the Interim Report, 14.
104 For example, “TEPCO Ignored Latest Research on Tsunami,” Asahi Shimbun, March 25, 2011, http://ajw.asahi.com/article/0311disaster/fukushima/AJ201103253443.
105 “Japanese Nuclear Plant Survived Tsunami, Offers Clues,” Reuters, October 19, 2011, www.reuters.com/article/2011/10/20/us-japan-nuclear-tsunamiidUSTRE79J0B420111020.
106 Personal communication, January 2012.
107 “Complementary Safety Assessments of the French Nuclear Power Plants (European Stress Tests).”
108 Max Colchester, “EDF Pegs Nuclear Upgrade Cost at $13 Billion,” Wall Street Journal, January 3, 2012, http://online.wsj.com/article/SB10001424052970203550304577138392366526910.html.
109 Omoto also included more robust accident management procedures, supported by design provisions, more advanced systems for hydrogen management, and enhanced enabling systems (such as for back up air supply for valves) as potentially contributing to “saving” the plant in such a case. We excluded these considerations from this paper. Officials from a leading government nuclear safety agency told us that currently the Fukushima accident is not well enough understood to estimate whether improved accident management would have stabilized the reactors without fuel melting and significant off-site releases.
110 “Japan’s Uncertain Nuclear Energy Outlook in 2012.”