|
    
                         Website in Spanish       Website in Portuguese coming soon
Member Area

Nonproliferation for Global Security Foundation - NPSGlobal

Tuesday
May 22nd
Home
Print E-mail
Share

The Fukushima-Daiichi Accident: Lessons Learned So Far

Leonam dos Santos Guimarães

30 March 2011

Fear is the most efficient form of social control: frightened societies react as a herd, getting carried away after the first cry of alarm. In the name of decreasing an overestimated threat leaders can act freely in pursuit of other goals unrelated to the reduction of self threat

At 14:46 last Friday, local time, northeastern Japan was hit by an earthquake of 9,0 degrees in the Richter scale which epicenter was located exceptionally near to the coast and just a few kilometers below the earth crust, the largest quake ever registered in history to affect a highly populated area with a large industrial development. Even for a high-seismic-risk-level country which culture and technology have been adapted to decrease that risk, such an event, on a probability scale of 1 out of 1.000 years, exceeded any response capacity developed by Japan throughout centuries.

As expected, since no engineering design is intended to resist an event of such magnitude, most part of the buildings and industrial facilities with explosions or release of toxic waste risks, such as oil refineries, fuel deposits, thermoelectric plants and chemical industries, located at the affected region collapsed immediately causing dozens of thousands of deaths and an environmental damage of yet undetermined proportions.

Only the 14 electric generating plants distributed along the three nuclear centrals on the affected region (Onagawa – 3 units, Fukushima Daini – 4 units, Fukushima Dai-ichi – 6 units and Tokai – 1 unit), all of them of BWR type, which represents 25% out of the total of 440 plants worldwide (65% of PWR type, among which there are Brazilians and 10% of other types ) resisted the titanic forces released by nature, all of them having automatic closure and being placed under refrigerating safety mode, even after a total loss of external power.

However, 1 hour approximately after the earthquake, there was a collateral effect of unexpected magnitude: a 10-meter-high tsunami wave that swept across the coast, entering several kilometers in the particularly flat Japanese land. This new event of incredible probabilities dragged the rubble from buildings and industrial facilities along with the hundreds of thousands that were left homeless by the quake .

The 8 central nuclear plants in Onagawa, Fukushima Daini and Tokai managed to resist this event even though they were not design to do so. Meanwhile the 6 plants from Fukushima Dai-ichi were not able to come through. The tsunami left over a dozen diesel generators inoperative at the location, along with its fuel tanks, altering the cooling process that had been conducted successfully so far. This situation led to several important issues which have prevented, at the moment, the plants from reaching a safety condition . However, the recent news about the reestablishment of the external electric supply source allows us to believe that it can be reached in a few days.

In response to the initial problems faced by unit 1 from Fukushima Dai-ichi, the Japanese government executed the External Emergency Plan for the Centrals, preemptively evacuating the already homeless population from the area within 5 kilometers around the damaged reactor. Anticipating that the situation on the unit 1 deteriorates and that similar problems could emerge on units 2 and 3, the preemptive evacuation radio was expanded to 10, at first, and then 20 kilometers (with populations between 20 and 30 kilometers sheltered), which exceeds the planned actions by international standards that rule nuclear emergency plans (evacuation within 5km, shelter within 15km), noticing that those procedures were conceived for a mayor accident in one plant and not for several simultaneously on the same central.

These actions from the Japanese government are consistent with the fact that the accident was initially classified by the National Nuclear Security Authority (NISA) as Class 4 and the further aggravated as Class 5 within the international INES scale (International Nuclear Event Scale) . The news broadcasted by the media about a class 6 classification are not based on official data.

The Japanese government, on a unimaginable effort, managed to evacuate over 100.000 victims that survived the earthquake and tsunami on a 20-kilometer-radio around the nuclear plant in a few days, meanwhile facing all the destruction previously caused in the region. Such a herculean task guarantees that, even if an important release of radioactive materials were to happen, the threatened populations would be safe. The outcomes of a recent dose rates control 30 kilometers around the center showed that the levels are not alarming and are actually decreasing, which means that all the eyes are set on the restoration of the external supply source and the resumption of the cooling process in optimal conditions.

What lessons can be learned by the nuclear industry so far? The first one is that nuclear plants are the best adapted human constructions to withstand natural events of extraordinary magnitude, as demonstrated by the centrals of Onagawa, Fukushima Daini and Tokai. Another is that the endurance of nuclear plants located in high seismic risk regions, especially those on near the coast and therefore exposed to tsunamis, which are the minority among the 440 plants in operation worldwide , must be reevaluated and, eventually, reinforced.

Certainly, once we surpass the accidental phase we are still living, deep technical analysis of the event will generate many more applicable lessons not only on BWR plants, but also in every other functioning plant, and the ones that are still on the design or construction stage, perfecting security in a process of continuous improvement. This occurs systematically in the nuclear industry for both insignificant events and other much more serious as the one we are living today. So it was with the accidents at Three Mile Island in 1979 in the U.S. and Chernobyl in the former USSR .

Note that any comparison of what might happen at Fukushima Dai-ichi to what happened in Chernobyl is not technically correct, to the extent that, in that tragic accident, radioactive materials were dispersed in large quantities and over long distances due to the energy released by the burning of hundreds of tons of graphite existing inside the reactor, which took days to be contained and that took the lives of dozens of heroic “terminators”. In a water-based reactor, which does not use graphite or other form of accumulation of large amount of energy released in a short period, as are the affected BWR plants and the PWR plants that combined represent 90% of the total worldwide, there is not enough energy available to cause such release. In the worst case scenario, that dispersion would be limited to the evacuation radio and, in lesser extent, to the shelter radio established in the region.

The demands for immediate action seeking to stop the operation and/or the construction of new plants are driven by doomsday climate that dominates the media coverage of the event, which heavily influence public opinion, caused by reasons of political and ideological nature, which, although legitimate in democratic societies, finds no technical basis to support them.

This is because, even in the context of the tragedy that hit Japan, most nuclear plants affected remain in safe conditions, without implying that any additional consequence of those already affected and those in the minority, who did not fully resist, had their consequences mitigated by a the execution of an External Emergency Plan, that protects evacuated populations from both the current conditions and the worst case scenario of a radioactive material release, which so far has not occurred and that updated reports indicate that won’t happen.

Obviously, those few technical arguments don’t close the debate. In democratic societies, as Brazil, is barely starting and should promote a safer nuclear industry. In the meantime, we must avoid hasty decisions taken in the heat of emotion or opportunism, which harms the same societies that claims to defend, as in the case of the "prohibition" of nuclear power generation, which involves closure of operating plants and of the projects under construction and planning.

1. View the characterisitics of this type of reactors on attachment 1
2. View status of all Japanese nuclear plants in attachment 2
3. View the accident sequence attachment 3
4. View the INES scale in attachment 4
5. View seismic risk map and location of nuclear plants in attachment 6
6. View brief description of the Three Miles Island accident in attachment 7
7. View brief description of the Chernobyl accident in attachment 8

ATTACHMENT 1




CONTAINMENT SYSTEMS

BWR

PWR

ATTACHMENT 2

ATTACHMENT 3
ACCIDENTAL SEQUENCE

ATTACHMENT 4
HOW ARE THESE EVENTS CLASSIFIED WITHIN THE INES SCALE?

These events are classified within an eight-level scale:
Deviation (0) – Below the scale. No importance in relation to security.
Anomaly (1) – Can occur due to equipment failure, human error or inadequate procedures. These situations are typically considered "Below the scale".
Incident (2) – incident with a major failure of safety devices, but where sufficient depth defense mechanisms remain in order to cope additional failures. Event resulting from a dose received by an employee above the annual dose limit established and / or an event involving the presence of significant amounts of radioactivity in areas of location a fact that according to the design, would not justifiable and requires corrective action.
Serious Incident (3) – external release above the authorized limits, resulting, for the most exposed individual off-location area at a dose in the order of tenths of millisieverts (the dose is expressed in terms of effective dose, whole body dose). Where appropriate, these criteria can be expressed in terms of annual limits for wastewater discharge, permitted by the national authorities. Probably, the protective measures outside the installation will not be necessary. The events in the area of placement, involving employees’ doses sufficient to cause sharp health effects and/or events that cause serious pollution, for example, the release of a few thousand terabequeréis of activity in a secondary containment where the material can be returned to a satisfactory storage area. Incidents in which a further failure of safety systems could lead to conditions for an accident or a situation in which safety systems would be unable to prevent the accident.
Accident with Local Consequences (4) – External release of radioactivity that is, for the most exposed individual off-placement area, registered at a dose order of a few millisieverts. With this release, it is unlikely the need to implement security measures outside of placement, executing, perhaps a local food control. An accident of this kind could result in damage to the nuclear plant, such as partial melting of the core of a power reactor or similar events in facilities other than reactors, creating serious problems to return to normalcy in the area of placement. Irradiation of one or more workers overexposure involving high probability of early death.
Accident with Wider Consequences (5) – External release of radioactive materials. This release would probably result from partial implementation of countermeasures covered by emergency plans aiming to reduce morbidity health effects. It can include serious damage to an important part of a nuclear power reactor, a major critical incident or a major fire or explosion, which released large quantities of radioactivity within placement.
Serious Accident (6) – External release of radioactive materials. This release would be the result, probably, of the full implementation of countermeasures covered by local plans for emergency cases, seeking to limit serious health effects.
Major Accident (7) – External release of a significant fraction of radioactive material from a large placement. Would be constituted, typically, by a mixture of radioactive fission products of short and long lives. Such a release could result in late effects on the health of the population of a large area, in possibly more than one country, and long-term consequences for the environment. An example of this is the accident at Chernobyl, Ukraine (1986).
Regarding the population, a level 5 event (the full scale is 7), which corresponds to a limited external release of radioactive material, requires the partial implementation of planned safety countermeasures, and is considered a moderate risk accident for the outer area of the plant. Only events of level 6 (Serious accident) and level 7 (major accident), should lead to wide and unrestricted measures to avoid risks to populations near the plants.

ATTACHMENT 5

ATTACHMENT 6
WORLD SEISMIC RISK MAP AND NUCLEAR PLANTS LOCATION

ATTACHMENT 7
THREE MILE ISLAND NUCLEAR ACCIDENT

Two hundred and two nuclear Angra type (PWR) reactors have been constructed and are operational, occurring in one of them a serious nuclear accident, prevented in the design, without consequences for the environment. It was the accident at Three Mile Island (TMI), in the United States.

On this accident, water and steam leaked from the primary circuit, but both were contained. With the loss of this cooling water, the fuel overheated and partially melted, but remained confined to the reactor pressure container.

The city was partially evacuated (which was not really necessary). The Governor recommended the departure of women and children, who returned to their homes the next day. Unexpectedly, many people wanted to see the accident up close, being contained by military forces and the police.

Although the Angra 1 reactor is the same type of TMI, it is not in danger of suffering a similar accident, because preventive measures have been taken place in order to prevent recurrence of the human errors that caused the accident.

The same accident could not happen in the Angra 2, because its design provides mechanisms to prevent failures from happening.

The picture shoes how the Three Miles Island’s pressure container was left after the accident, where one is able to observe the fuel elements and control rods melted and the fact that the container was not damaged.

ATTACHMENT 8
CHERNOBYL ACCIDENT


At 1h 26min of April 26 1986, Saturday morning, the worst accident in the history of the nuclear energy industry generation took place. Two explosions, one after the other, launched into the air 1.000 tons of concrete from the sealing cover of Chernobyl’s nuclear reactor 4. Melted pieces of the core “rained” over the neighboring region and fission products were released into the atmosphere. The accident probably took hundreds of lives and polluted huge regions of Ukraine.

Several reasons contributed to the disaster. Certainly, the reactor’s project was not new nearing 30 years of age at the time of the accident and had been conceived before the time of sophisticated security systems controlled by computer; because of this, the procedures for dealing with reactor emergencies strongly depended on the skills of the operators. This type of reactors also had a tendency for “going out of control” when operated on low capacity. For this reason the operational procedures for the reactor strictly prohibited the operation under 20% of its maximum capacity. The accident was mainly caused by a combination of circumstances and human errors. Ironically, the events that led to the disaster where projected to make the reactor safer. The tests, planned by a special team of engineers, were conducted to evaluate whether the core’s emergency cooling system could be operated during an inertial spin of a possible reduction of the turbogenerator production, in the event of an interruption of the external power source. Even though this security device had been tested before, it had not worked satisfactorily and new tests of the modified device were conducted with the reactor operating under reduced capacity during the test period. The tests were programmed for Friday’s afternoon, April 25th 1986, and the plant’s production reduction started at 13hs. Nonetheless, after 14hs, when the reactor was operating with near half of its total capacity, Kiev’s controller requested that the reactor continued to produce electricity for the local network. They continued connected to the network until 23h10. The reactor should have been stopped for its annual maintenance the following Tuesday and Kiev’s controller request actually reduced the “window of opportunity” available for the tests.

Below, you will find a chronological report of the last hours before the disaster that was publish on the British Psychological Society Bulletin on the following year. The meaningful operators’ actions are on italic. They are of two kinds: mistakes (marked with a “M”) and procedures violations (marked with a “V”).

April 25 1986

13h00 Capacity reduction started with the goal of achieving 25% capacity for testing conditions.
14h00 The emergency core cooling system (ECCS) was disconnected from the main circuit (as part of the test)
14h05 Kiev’s controller requested that the unit continued supplying the network. The ECCS was not reconnected (V). (This specific violation is not considered to have contributed materially to the disaster; but it shows a neglection of the operators with regard of the observance of security procedures)
23h10 The unit was disconnected from the network and the capacity reduction continued in order to achieve the 25% capacity level, planned for the testing program.

April 26th 1986

00h28 An operator overpassed the lowest adjustment point for the intended production (E). The production dropped to a dangerous 1% (the operator had disconnected the “automatic pilot” and had tried to achievedthe desired level through manual control)
1h00 After a long and intense effort, the reactor’s production was finally stabilized at 7%, below the intended level and within the danger zone of low capacity. At this moment, the experiment should have been abandoned, but it was not (E). This was the biggest mistake (as opposed to the violations): it meant that every following activity would be conducted within the maximum instability zone of the reactor. Apparently, this was not perceived by the operators.
1h03 All eight pumps were activated (V). The security procedures limited to six the maximum number of pumps on simultaneous use. This shows a deep misunderstanding of the reactor’s physics. The consequence was an increase of the water flow (and the reduction of the steam fraction) that absorbed more neutrons, demanding that more control elements to be withdrawn to sustain the low level of production.
1h19 The water feed flow was increased threefold. It seemed that the operators were trying to deal with a decreasing steam pressure and water level. The result of their actions, however, was to further reduce the amount of steam that went through the core, demand even more control elements to be withdrawn. They also suppressed the automatic shutdown of the steam collector (V). The effect of this was to deplenish the reactor of its automatic security systems.
1h22 The shift supervisor demand a printed report to establish how many control elements were actually in the core. The report showed that only six to eight elements remained. It was strictly forbidden to operate the reactor with less than 12 elements. In spite of that, the shift supervisor decided to continue with the tests (V). This was a fatal decision: this is why the reactor was left out of “brakes”.
1h23 The steam valve lines for the turbogenerator number 8 were closed (V). The aim of this was to establish the necessary conditions for repeated tests, but its consequence was to disconnect the automatic security brakes. This might have been the most serious violations of all.
1h24 An attempt was made so as to suddenly shut down the reactor;
Foi feita uma tentativa para desligar repentinamente o reator; atuando nos elementos de parada de emergência, irias estes emperraram nos tubos já deformados.
1h24 There were two explosions. The roof of the reactor blew up, causing 30 fires in nearby regions.
1h30/ Firefighters were called into service. Other units were called from Pripyat and Chernobyl.
5h00 External fires were extinguished, but the core graphite fire continued for several days.

The subsequent investigation clarified many significant points that contributed to the disaster:

• The testing program was poorly planned and the section on security measures was inadequate. Because the reactor’s cooling emergency system (ECCS) was closed during the tests, the reactor’s safety actually declined substantially.
• The test design was implemented without approval by the project group that was responsible for the reactor.
• The operators and technicians who were conducting the experiment should have had different rather than overlapping skills
• The operators, though highly qualified, probably thought that completing the assessment before closing would enhance their reputation. They were proud of their ability to deal with the the reactor even in unusual conditions and they were aware of the rapid reduction of the "window of opportunity" within which they should have completed the test. Surely they lost any sensibility regarding the dangers involved in the operation of a the reactor.
• Technicians who had planned the evaluation were electrical engineers from Moscow. Their goal was to solve a complex technical problem. Despite having planned the test procedures, they probably did not know much about the operation of a nuclear plant itself.

Altogether, made a dangerous mix: A group of engineers from a specialization, that were not nuclear engineers, leading a team of dedicated, and therefore overconfident, operators. Each group probably assumed that the other knew what they were doing. In addition, both parties had little or no understanding of the hazards that they were causing or of the system they were abusing.

Back
 
Follow us on