This analysis do with the catastrophic incident at the Fukushima-Daiichi nuclear power plant was first published as an article at this site in the year 2017. The event itself took place on March 11th 2011. At first it was headline news. Then publicity to do with what happened receded into the background and new crises arose and captured our attention. Yet the event provides process safety professionals with important insights to do with the concept of “Common Cause Events”, i.e., those events that wipe out safety systems that were thought to be independent of one another.
On March 11th 2011 north eastern Japan was devastated by the Tohoku subsea earthquake - the most powerful ever to have hit Japan since records have been kept. The earthquake was followed about 50 minutes later by a tsunami of 14 meters in height. It is estimated that the earthquake and tsunami together resulted in 15,883 deaths, with many others injured or missing. Up to 1 million buildings were destroyed or damaged. Many videos on YouTube and elsewhere illustrate the enormity of these two events: the earthquake and the tsunami. They are not easy to watch.
The earthquake caused extensive damage to the structures of the Fukushima-Daiichi power plant and knocked out the pump systems that supply cooling water to the reactors and the spent fuel pools. The tsunami then overwhelmed the facility's inadequate 5.5 meter seawall and, most important from a process safety point of view, the tsunami knocked out the safety systems whose function was to keep the reactors cool. Consequently the cores of the reactors overheated, leading to partial meltdowns and the generation of hydrogen gas that exploded. A considerable amount of radioactive material leaked to the ground, the sea and the air. Those leaks are on-going.
At least six consequences
Although this catastrophe occurred nearly a decade ago, the current state of the facility is still a long way from being properly understood. One reason for this is that there are at least six separate events that need to be considered, and they are all different from one another. They are:
- The presumed partial meltdown in Reactor #1;
- The presumed partial meltdown in Reactor #2;
- The presumed partial meltdown in Reactor #3;
- The removal of spent fuel from the Reactor #4 storage facility;
- The on-going flow of ground water; and
- The integrity of the temporary water storage tanks, which are not seismically rated.
(Items not included in the above list are the newer Reactors #5 and #6, which seem to have suffered less damage, and the long-term storage of the nuclear fuel rods after they have been recovered.)
In summary, three large nuclear power plants have probably suffered a partial meltdown and the structure containing the spent fuel rods of Reactor #4 is seriously damaged, and could collapse and/or allow cooling water to escape - particularly were there to be another large earthquake. Given that this this structure is 30 meters above grade and is outside the containment building, and given that the rods are clad in zirconium that catches fire when exposed to air, this is, to say the least, a tricky situation.
This is not a good situation.
There are number of inherent safety/process safety issues to do with the above events. For example, the decision to locate the spent fuel storage pool at a high elevation is a concern, as is the fact that the basement sections of the Reactors 1-4 are below sea level. Briefly, a common cause event is one that causes two separate, supposedly independent systems to fail simultaneously. For example, solid materials in a liquid system may cause both a pressure controller instrument and the high pressure shutdown system to be blocked at the same time. The normal control and the interlock are not independent of one another.
It is critical that the cores (and spent fuel pools) of nuclear reactors be kept cool by a continuous flow of cooling water, even if the reactor is shut down. If this does not happen then a Loss of Coolant Accident (LOCA) takes place.
We do not have copies of the Fukushima-Daiichi P&IDs (Piping and Instrument Diagrams). Therefore, just for sake of argument, we make the assumption that there are two sets of pumps: three operating pumps (O1, O2 and O3) driven by electricity and two backup pumps (B1 and B2) that are diesel-powered pumps and that do not require grid electrical power. The Fault Tree for this assumed set up consists entirely of AND Gates.
We then make the further assumption that the operating pump, O1, fails twice a year and that the two backup operating pumps have a failure to start on demand of 0.05 (i.e., the likelihood that they will start on demand is 95%). Hence the overall failure rate for the operating pumps is (2 * 0.05 * 0.05) yr-1, or 0.005 yr-1 or once in 200 years.
If this system were to fail then the backup diesel pumps would take over. Assuming a failure on demand probability for each backup pump of 0.01 then the failure rate of the backup system is 0.0001. Combining the two systems we get an overall failure rate of one in 20 million years. Which is a big number.
Now comes the earthquake; it knocks out electrical power. Hence all three of the operating pumps fail due to the first common cause: Electrical Power Failure caused by the earthquake. This is bad, but the backup pumps, which together have a probability of failure of 1 in a 1000, can be trusted to work since they have their own, independent source of power (diesel). But, 40 minutes later, the tsunami disables the backup pumps due to a second common cause: sea water flooding. The reactor core continues to generate substantial amounts of heat, but there is no means of removing that heat.
Probabilistic Risk Analysis
The Fault Tree shown in Figure 2 is a highly simplified version of a Probabilistic Risk Analysis (PRA). As can be seen from the example, PRAs often give very low values for the likelihood of a major event taking place. They provide some of the justification for statements such as the following from the Japanese Nuclear Commission in the year 2003,
A fatality due to radiation exposure from an accident at one of its facilities should happen less than once per million years.
The probability of complete core meltdown about 1 in 20,000 per reactor per year.
Although there are no indications to date of there being a fatality due to radiation exposure at Fukushima-Daiichi some of the workers have been exposed, so the possibility of a fatality is real. The 'once per million years' has become 'once per thirty years'.
And within the last three decades there have been three major nuclear power plant events:
- Three Mile Island (1979)
- Chernobyl (1989)
- Fukushima-Daiichi (2010)
One reason for the disconnect between expected failure rates and actual failure rates is that PRA analysts may overlook common cause events such as earthquakes and tsunamis.