— NASA’s system failure case study of Fukushima

From Mining Awareness

July 16, 2016

the NAIIC concluded that “the disaster was man-made and the result of collusion between government, the regulators and TEPCO, and a lack of governance by said parties,” citing that the organizational and regulatory systems supported faulty rationales for decisions and actions. Regulators served TEPCO’s business interests through tailored regulation and weak enforcement.“(NASA)
Nasa Fukushima failure

NASA Failure Studies [Comments added in brackets]:
October 2015 Volume 8 Issue 7

PROXIMATE CAUSE

• Loss of electricity and backup power left the Fukushima complex crippled and unable to adequately cool the reactors

UNDERLYING ISSUES

• Disregard of Regulations

• Poor Safety History

• Lack of Response to Natural Disaster Concerns

AFTERMATH

• Recommendation pertaining to the creation of a permanent committee to deal with issues regarding nuclear power in order to supervise regulators and provide security to the public.

The Great Wave of Reform The Prophetic Fallacy of the Fukushima Daiichi Meltdown

March 11, 2011, off the Pacific coast of Tohoku, Japan: At 14:46 (2:46 p.m.) Japan Standard Time (JST) a magnitude 9.0 earthquake occurred 43 miles east of the Oshika Peninsula. The undersea megathrust earthquake shifted the mainland of Japan an estimated 8 feet east and deviated Earth’s axis by estimates between 4 to 10 inches. The Great East Japan Earthquake generated massive tsunami waves that peaked at heights of 133 feet and travelled up to 6 miles into areas of mainland Japan… The disaster also triggered the second Level 7 International Nuclear Event (after Chernobyl) in history — the Fukushima Daiichi nuclear disaster.

Background

The Fukushima Daiichi Catastrophe

Analysis of the safety history of the Fukushima Daiichi nuclear power complex reveals a catastrophic failure of prediction on behalf of the plant’s Tokyo Electric Power Company (TEPCO) management. How could planners overlook the tsunami?

Hazards of Predicting the Future

In 1958, Arthur C. Clarke, already recognized for major contributions to the fields of rocketry and space flight, began writing a series of magazine essays that were later combined and published in 1962 as Profiles of the Future; a lexicon of universal scientific possibilities.

The book’s introductory essay, “Hazards of Prophecy, ” concerned itself with the two traps of assumptions: “failures of nerve” and “failures of imagination. ”

Failure of the imagination manifests when presently known facts are respected but vital truths are still unknown, and the possibility of the unknown (the unknown unknowns) is not confessed.

Failure of nerve, the more common fallacy (noted by Clarke), “occurs when given all the relevant facts the would-be prophet cannot see that they point to an inescapable conclusion. ”
Figure 1. Debris from the upper levels of Unit 4 lies beside the building. Source: IAEA via NASA

What happened

The seismic activity of the Great East Japan Earthquake forced the emergency shut-down feature on reactors 1, 2 and 3. Off-site electricity to the power plant was also disrupted by the tremors and backup power was tapped from a 66kV transmission line from the Tohoku Electric Power Company Network. However, the back-up line failed to power reactor 1 due to a mismatched circuit connection.

Beginning at 15:37 (3:17 p.m.) JST, the peak tsunami waves broke upon Japan and flooded and destroyed the emergency diesel generators at the Fukushima complex. Seawater cooling pumps and electric wiring system for the DC power supply for reactors 1, 2 and 4 failed shortly after. All power was effectively lost except for emergency diesel generator power to reactor 6. The tsunami also destroyed vehicles, heavy equipment and many installations.

Without power, the operators at the complex worked tirelessly to monitor and cool the overheating reactors, at one point salvaging car batteries from destroyed vehicles to power necessary equipment. Hydrogen explosions from emptying coolant reservoirs led to interruptions in the recovery operations, which failed when the Unit 2 reactor suppression chamber failed and discharged radioactive material.

Proximate cause

The loss of electric power after flooding made it difficult to effectively cool down the reactors in a timely manner. Cooling operations and observing reactor temperatures were heavily dependent on electricity for coolant injection and depressurization of the reactor and reactor containers, and removal of decay heat at the final heat sink. Lack of access due to the disaster obstructed the delivery of necessities like alternative seawater injection via fire trucks“.
[Note: Loss of cooling made it impossible to cool the reactors, not difficult.]

Underlying issues

The Nuclear Accident Independent Investigation Commission (NAIIC), formed on Oct. 30, 2011 to investigate the direct and indirect causes of the Fukushima accident, was the first independent commission created in the history of Japan’s constitutional government. In its legal investigation, the NAIIC concluded that “the disaster was man-made and the result of collusion between government, the regulators and TEPCO, and a lack of governance by said parties,” citing that the organizational and regulatory systems supported faulty rationales for decisions and actions. Regulators served TEPCO’s business interests through tailored regulation and weak enforcement.

Disregard of Regulations

The 1967 constructions plans for the Fukushima Daiichi isolation condenser deviated from the original reactor plans submitted to the government in 1966. The changes were not reported in violation of regulation. TEPCO’s configuration control was scrutinized in February 2012 by Japan’s Nuclear and Industrial Safety Agency (NISA). NISA requested explanation by March 12, 2012; however, TEPCO, unable to supply an official explanation, only speculated on why the change occurred.” [1966 to 2012 is how many years? FORTY-SIX YEARS.]

In 2002, employees of General Electric (GE), the contractor responsible for designing the reactor, reported to the Japanese government that TEPCO injected air into the containment vessel of Fukushima reactor Number 1 to artificially lower the rate of a leak. The resulting scandal, in addition to a fuel leak at Fukushima Daini, forced TEPCO to temporarily shut down all 17 reactors. Falsified safety records and inspections in conjunction with the number 1 unit dating back to 1989 were revealed by other GE employees. Contractors admitted to falsifying reports at the request of TEPCO. The exposure led to numerous resignations of senior TEPCO executives and more disclosures of previously unreported issues, some of which imply that GE ignored warnings of major design failings from members of its contract staff (who later resigned in protest of negligence) in 1976.

Poor Safety History

On Dec. 29, 2011, TEPCO officials admitted to events occurring in 1991” [TEN YEARS LATER AND AFTER THE START OF THE FUKUSHIMA DISASTER IN MARCH], “where one of two backup generators for Number 1 failed after it was flooded with seawater leaking into the turbine building from a corroded seawater cooling pipe. Superiors were informed about the accident, and of the possibility that a tsunami could inflict similar damage to the generators in the turbine-buildings near the sea. In lieu of moving the generators to higher ground, TEPCO installed leak-proof doors in the generator rooms. After the event, the Japanese Nuclear Safety Commission stated its intent to enforce the installation of additional power supplies and that it would modify safety guidelines for future nuclear plant designs.

According to the NAIIC, regulators and TEPCO were aware of the risk that a total loss of electricity at Fukushima Daiichi would occur if flooding from a tsunami were to reach the level of the site since 2006, and that they were doubly aware of a risk of reactor core damage from loss of seawater pumps in the case of tsunami waves over 10 meters high. The NISA understood the TEPCO had not taken any protective or mitigating measures, but did not provide instructions to TEPCO to do so.

Lack of Response to Natural Disaster Concerns

A 2008 study performed by TEPCO’s nuclear supervisory department concluded that there was an immediate need for improved seawater flooding protection. The study additionally mentioned the possible threat of tsunami waves over 10 meters tall. TEPCO headquarters officials dismissed the perceived risk as unrealistic; concluding that, even when presented with historical data, there was a failure to imagine that such conditions would recur.

Concerns from outside of Japan came from the International Atomic Energy Agency (IAEA) regarding the abilities of Japan’s nuclear plants to withstand seismic activity; citing that an earthquake of a 7.0 or higher magnitude posed a serious threat at a 2008 G8 Nuclear Safety and Security Group assembly.

Figure 3. Storage tanks for contaminated water, a major challenge at the Fukushima Daiichi site. Source: IAEA Via NASA
[They pose the biggest risk to the Pacific,where Japan has continued to dump or let leak large amounts of the radioactive water.]

Figure 4. A view from the top of Unit 4, towards Units 3, 2 and 1. The twisted metal and rubble in the middle distance is the top of Unit 3, where cranes have to clear the debris remotely because of high radia-tion levels. Source: IAEA via NASA

On Oct. 2, 2011, the Japanese government released a report from TEPCO to NISA that proved TEPCO was aware of the possibility that the plant could be hit by a tsunami with waves far higher than the 5.7 meters which the plant was designed to withstand. The 2008 simulations based on the destruction caused by the 1896 earthquake in this area, revealed the likelihood of waves between 8.4 and 10.2 meters capable of flooding the site.

Further studies by scientists and an examination of the plant’s tsunami resistance measures were not planned by TEPCO before April 2011, and no mitigation was planned before October 2012“.
[THIS IS WHAT THE US NRC DOES – THEY ALLOW THE UTILITIES TO PUT OFF IMPLEMENTATION OF SAFETY MEASURES FOR MONTHS OR SOMETIMES YEARS, EVEN POST FUKUSHIMA. AND THEY ACTIVELY FIND WAYS TO HELP UTILITIES AVOID HAVING TO EVER IMPLEMENT THEM.]

TEPCO stated that the company did not feel the need to take prompt action on the estimates, which were still tentative calculations in the research stage. An official of NISA said that these results should have been made public by TEPCO, and that the firm should have taken measures right away; however, NISA believed these actions should have been taken on by the operator and not demanded by regulators. NAIIC viewed this a tacit consent on behalf of NISA to allow for a delay in TEPCO’s planned work. After the tsunami, a TEPCO spokesman conceded that TEPCO would have been better prepared if it had taken the study seriously and reinforcement of its reactor houses.

In contrast, the Tokai Nuclear Power Plant protective dike was raised to 6.1 meters after simulations showed the possibility of higher than expected tsunami waves. Even unfinished at the time of the March 11, 2011, tsunami, the dike protected two seawater pumps and emergency diesel generators and allowed for the reactor to be kept in cold shutdown even though external power was lost.

Aftermath

The Nuclear Safety Commission Chairman told a parliamentary inquiry in February 2012 that, “Japan’s atomic safety rules are inferior to global standards and left the country unprepared for the Fukushima nuclear disaster last March.”There were flaws in, and lax enforcement of, the safety rules governing Japanese nuclear power companies, and this included insufficient protection against tsunamis.

The NAIIC made a recommendation pertaining to the creation of a permanent committee to deal with issues regarding nuclear power in order to supervise regulators and provide security to the public. The committee should be responsible for conducting regular investigations and explanatory hearings of regulatory agencies, academics and stakeholders and for establishing an advisory body to stay abreast of industry and government dealings.

The new regulatory body must be independent from the chain of command of the government, operators, and politics; transparent in decision making processes to the national government and exclude involvement of stakeholders in decision making; and technically proficient in nuclear technology.

The NAIIC also made recommendations pertaining to the reforming of nuclear energy laws to adhere to global standards, including the monitoring of operators and backfit of outdated reactors.

Many other organizations and think tanks have suggested possible corrective actions and future improvements after the disaster. Some of the actions relate to failure management such as having at least one diesel generator, fuel, and related switch gear isolated at high elevation or in a waterproof room (or both) to preserve onsite AC power in an emergency. Emergency response organizations could also maintain diesel generators or gas turbine generators that could be rapidly transported to a site to restore power.

[This doesn’t work if the diesel generator fails to start. Whereas Waterford Nuclear Power Station near New Orleans ran off of generators for a week post-Katrina, it appears to have had one or both diesel generators inoperable (2013, 2015) or potentially so (2014: in the event of heavy rain) for at least 3 years (2013, 2014, 2015) in a row, including 2014 and 2015 hurricane seasons. At least one of the defective parts was from Japanese Toshiba-owned Westinghouse. See more below. The US backup response allows 24 hrs for backup equipment to arrive, which may be too late. For Katrina they brought in extra generators and fuel ahead of time.]

Regulators could demand more on-site personnel to have independent and timely sources of information and the ability to influence the owner/ operator behavior during the accident. Current spent fuel pools could be retrofitted with passive cooling systems that can survive the initiating external event.

Relevance to Nasa

Fukushima-Daiichi planners used of a narrow slice of historical environmental data when estimating the risk of external initiating event which contributed to a failure of imagination that a tsunami beyond the design basis of the Fukushima-Daiichi break wall could happen again. Beyond the multiple failures on behalf of TEPCO and Japanese nuclear regulatory agencies, the critical question remains of when to draw the line — when safe is safe enough— in the design basis process.

Teams with diverse viewpoints and broad, deep experience can overcome individual cognitive biases that can carve a path toward failure of imagination from the very beginning. Additionally, policy checks and balances on teams, such as NASA technical and safety requirements, are only as effective as the accountability behind them and depend upon how well both operators and regulators understand the technical basis behind such requirements.

Sometimes the rationale behind a requirement stems from the context surrounding a failure. If the rationale (the context) is lost to history, it can rob a team of the technical argument (and nerve) to defend safety margins…

harder to overcome is the instance when a regulator itself places public safety below the business interests of a powerful industry. Safety hazards needing thorough mitigation can be perceived instead as business problems that demand efficiencies” (By NASA-Steve Lilley – See References below info on Waterford, etc.; emphasis and comments in brackets added; things which made the point less clear; and seriously dim-witted or BS statements by Mr. Lilley were removed and replaced with …. Original found here:https://nsc.nasa.gov/SFCS/SystemFailureCaseStudyFile/Download/606 )

Re Waterford Nuclear Power Station backup generator; Toshiba owns Westinghouse:
PART 21 – WESTINGHOUSE TYPE KIR-60 CURRENT TRANSFORMER
The following is excerpted from LER 2015-007 submitted by the licensee:
“On October 9, 2015, Waterford 3 received information from the external evaluation concerning the Generator Differential Current Transformer. The evaluation concluded that a manufacturing defect internal to the current transformer was the cause of the failure. On October 22, 2015, engineering evaluation determined the manufacturing defect could create a substantial safety hazard, as defined in 10 CFR 21, and provided the site vice president information of the defect the same day. Additional information identified in the report is as follows:
“Constructor – Westinghouse Type KIR-60 current transformer, style 7524A01 Gi6, serial number 28218571; Defect and safety hazard – There were voids found in the insulation, and the thickness of the insulation material around the fault area appeared reduced when compared to the other areas of the current transformer. There is only one transformer of this type remaining installed in the plant. Scheduled replacement is no later than November 15, 2015.
http://www.nrc.gov/docs/ML1530/ML15303A004.pdf

Another Diesel Generator failure: “General Electric CR1 05X300 auxiliary contactor. The auxiliary contactor was manufactured by General Electric Company and supplied by Nuclear Logistic, Incorporated, as an auxiliary part of a General Electric CR305 contactor.
http://www.nrc.gov/docs/ML1219/ML12199A222.pdf GE is approximately half owned by Japan’s Hitachi. (In the US it’s GE-Hitachi at 60/40 and in Japan it’s Hitachi GE at 60/40 ownership.)

Both Emergency Diesel Generators at Waterford Steam Electric Station, Unit 3 (Waterford 3) were declared inoperable in the peak of Hurricane Season
On August 26, 2015, both Emergency Diesel Generators at Waterford Steam Electric Station, Unit 3 (Waterford 3) were declared inoperable, causing entry into Technical Specification 3.8.1.1 action f.
https://adamswebsearch2.nrc.gov/webSearch2/view?AccessionNumber=ML15296A464
Waterford 3… is receiving additional NRC oversight based on … a violation issued March 31, 2014, for failing to ensure the operability of an exhaust fan in a room housing the plant’s emergency diesel generators.http://www.nrc.gov/reading-rm/doc-collections/news/2014/14-019.iv.pdf(Found here: https://miningawareness.wordpress.com/2014/08/20/nuclear-safety-failure-open-house-re-killona-waterford-nuclear-reactor-in-louisiana/ ) See: http://www.nrc.gov/docs/ML1325/ML13254A168.pdf

Yet another problem found in late Hurricane Season: “During a walkdown of the Emergency Diesel Generator Feed Tank A and B vent lines on October 22, 2014, an NRC Component Design Basis Inspection inspector identified corrosion on the Emergency Diesel Generator Feed Tank A and B vent lines where the vent lines pass through the roof. A visual inspection was performed and revealed that the corrosion had created through wall holes that could allow water into both the train A and B Emergency Diesel Generator Feed Tanks.

Follow up analysis has determined that some rainfall amount less than the postulated Probable Maximum Precipitation event could have resulted in water intrusion into the Emergency Diesel Generator A and B Feed Tanks that exceeds the 0.1 percent water content allowed by the vendor technical manual. This could have potentially affected the operability of both the A and B Train Emergency Diesel Generator Feed Tanks and subsequently both trains of the Emergency Diesel Generators. It is unknown how long this corrosion has existed. Compensatory measures were put in place to prevent water ingress should a large rainfall event occur.

This condition is reportable under the following criteria: 10 CFR 50.73(a)(2)(i)(B), 10 CFR 50.73(a)(2)(v)(D), and 10 CFR 50.73(a)(vii)“.http://www.nrc.gov/docs/ML1435/ML14352A449.pdf

During and After Hurricane Katrina Waterford Nuclear Reactor ran for a week or more on diesel generators.https://miningawareness.wordpress.com/2014/08/20/nuclear-safety-failure-open-house-re-killona-waterford-nuclear-reactor-in-louisiana/

Another example at another nuclear power station: “For instance, although the reactors were supposed to have back-up electric power in case the main electricity source was disrupted, there were many occasions in which both the emergency diesel generator and the emergency gas turbine were down, but officials kept operating the reactor. That meant a critical safety measure needed to insure that the reactor would be kept cool and not suffer a meltdown was not in place in the event of an emergency, officials of the regulatory agency said.http://www.nytimes.com/1997/12/11/nyregion/government-fine-on-nuclear-plant-is-largest-ever.html

NASA References:
“References

Acton, James M.; Mark Hibbs. Why Fukushima Was Preventable. The Carnegie Papers, Carnegie Endowment for International Peace. March 2012.

Buongiorno, J.; R. Ballinger; M. Driscoll; B. Forget; C. Forsberg; M. Golay; M. Kazimi; N. Todreas; J. Yanch. Technical Lessons Learned from the Fukushima- Daichii Accident and Possible Corrective Actions for the Nuclear Industry: An Initial Evaluation. Center for Advanced Nuclear Energy Systems, Massachusetts Institute of Technology. July 26, 2011.

Caldwell, Cindy. Reflections on Sensemaking at Fukushima Daiichi. Highly Reliable Performance: Office of C o rporate S a fety A n alysis, D e partment of Energy. September 10, 2012. http://hsshpi.wordpress. com/2012/09/10/ reflections-on-sensemaking-at-fukushima-daiichi/, accessed June 5, 2013.

Fukushima Daiichi: Two Years On: Photo Essay. IAEA. March 11, 2013.https://www.iaea. org/newscenter/multimedia/photoessays/fukushima-daiichi-two-years, accessed May 5, 2015.

Hultman, Nathan. Fukushima and he Global “Nuclear Renaissance. ” Brookings Institute March. March 14, 2011. http://www.brookings. edu/ research/opinions/2011/03/14-japan-nuclear-hultman, accessed July 1, 2013.

Kuroda, Hiroyuki. Lessons Learned from the TEPCO Nuclear Power Scandal. Tokyo Electric Power Company. March 27, 2004.

TEPCO, Reports on the reflection of the changes in the connection method of the drain pipe in Isolation Condenser in Unit 1at Fukushima Daiichi Nuclear Power Station to the re-circulating system, March 12, 2012.

SYSTEM FAILURE CASE STUDY
Responsible NASA Official: Steve Lilley steve.k.lilley@nasa.gov
This is an internal NASA safety awareness training document based on information available in the public domain. The findings, proximate causes, and contributing factors identified in this case study do not necessarily represent those of the Agency. Sections of this case study were derived from multiple sources listed under Ref-erences. Any misrepresentation or improper use of source material is unintentional. Visit nsc.nasa.gov/SFCS to read this and other case studies online or to subscribe to the Monthly Safety e-Message.
https://nsc.nasa.gov/SFCS/SystemFailureCaseStudyFile/Download/606

In the original but excluded because it doesn’t add much: “Figure 2. Workers in protective clothing and masks outside the Emergency Response Centre, the main control hub at the Fukushima Dai-ichi site. Source: IAEA

Advertisements