04/01/2011 - 11:22

Fukushima, risk, and probability: Expect the unexpected

Charles Perrow

Charles Perrow

Perrow is an emeritus professor of sociology at Yale University, and a visiting professor at Stanford University's Center...


We continue to populate our planet with technologies that have catastrophic potential. We have vulnerable concentrations of humans, economic power, and hazardous materials. The most fearful concentrations of hazardous materials are in nuclear power plants. A serious accident there could kill hundreds or even thousands of people, and contaminate large areas of land for as long as a century.

Natural disasters and deadly viruses can have devastating impacts that may be impossible to prevent or control, but nothing that we build -- except nuclear bombs -- has as much catastrophic potential as nuclear power plants. Since we have them, the least we can do is change our attitude toward risks and do much more to prevent failures. Few nations have the institutional capacity to contain the catastrophic potential of nuclear energy, and we now know that Japan is not one of them.

Currently our approach to risk is "probabilistic," and the probability of a tsunami seriously damaging the Fukushima Daiichi plant was extremely small. But we should also consider a worst-case approach to risk: the "possibilistic" approach, as Rutgers University sociologist Lee Clarke calls it in his 2005 book Worst Cases: Terror and Catastrophe in the Popular Imagination. In this approach, things that never happened before are possible. Indeed, they happen all the time.

In what should be considered a classic case of the failure to take a possibilistic approach, consider this statement by Tsuneo Futami, a nuclear engineer who was the director of Fukushima Daiichi in the late 1990s: "We can only work on precedent, and there was no precedent. When I headed the plant, the thought of a tsunami never crossed my mind."

Futami was not alone in his thinking. Experts throughout the nuclear industry and government regulatory agencies not only failed to predict the likelihood of a giant earthquake and tsunami, but also failed to examine the vulnerabilities of Fukushima Daiichi's design to a natural disaster of this scale. Instead, they relied on a history of successful operation as an assurance of future safety. As a result, they ignored or underestimated a number of major risks that have since doomed the plant:

Large earthquakes. The northeast area of Japan's biggest island, where the Fukushima and Onagawa nuclear power facilities sit a few miles apart, is known for its seismic activity. Called the Japan Trench subduction zone, it has experienced nine seismic events of magnitude 7 or greater since 1973, according to the US Geological Survey (USGS). There was a 5.8 earthquake in 1993, 30 kilometers from the Onagawa facility; a 7.1 in 2003, causing a temporary shutdown of the Onagawa facility; a 7.2 earthquake in 2005 that shut down three Onagawa reactors; and a 6.2 earthquake offshore of the Fukushima facility just last year, close calls all. Even relatively small earthquakes can be devastating for nuclear plants: a 6.8 quake on Japan's west coast in 2007 cost the Tokyo Electric Power Company $5.62 billion.

The March 11 earthquake, with a 9.0 magnitude, was special; the USGS labeled it an "infrequent catastrophe" for the area. It was the first quake to cause a tsunami that seriously flooded a nuclear power plant. But a proper risk analysis will consider infrequent events, and large quakes are hardly rare in the Pacific Ocean. Geologists predict increased probability for a major earthquake in the near future.

Large tsunamis. There was ample evidence that an earthquake in the Fukushima area could cause a tsunami -- a word given to the world by the Japanese. Four of the five "megaquakes" in the past century have generated tsunamis, but an earthquake does not have to be gigantic to create a tsunami: Japan had a 30-foot-high tsunami from a 7.8 earthquake on the west coast in 1993.

The Nuclear Safety Commission, the Japanese equivalent of the US Nuclear Regulatory Commission, had never officially recognized the tsunami issue. In 2002 a Japanese engineering group concerned with safety issued a warning, and the group revisited the topic shortly before last month's tsunami. But the word "tsunami" did not appear in government safety guidelines until 2006. Those guidelines, updated in January of this year, merely recommend that utilities take the danger into account. The commission reassuringly concluded: "Even for a nuclear plant situated very close to sea level, the robust sealed containment structure around the reactor itself would prevent any damage to the nuclear part from a tsunami, though other parts of the plant might be damaged. No radiological hazard would be likely."

Despite the lack of government guidance, the initial plant designs for Fukushima Daiichi did take tsunamis into account. But engineers expected a maximum wave height of 10.5 feet, so the plant was thought to be safe sitting on a 13-foot cliff, and that was apparently the end of the matter. The cliff defense proved to be totally inadequate; the facility received a wave estimated to be between 30 and 46 feet in height.

Power outages. Even if they were able to survive the twin disaster of an unprecedented earthquake and a huge tsunami, the six Daiichi plants had a serious design failure. The emergency power source -- diesel generators to be used if offsite power failed -- were reportedly in a basement vulnerable to flooding, though their location has not been confirmed. In any case, it is likely that their diesel fuel supply was compromised.

Flooding should not have come as a surprise. Most of the area subject to earthquakes lies beneath the ocean, and underwater earthquakes can be expected to cause tsunamis that are capable of flooding buildings on the shore. Diesel generators can be unreliable, and should not be in areas subject to flooding. If they must be, they and their fuel supply should be protected from floods, and they should be accessible in an emergency. It would not be expensive to protect this first line of defense in case of power loss. (The plants have long since recovered their capital investment and have been "cash cows" for decades; the cash for increased protection, once the chance of a tsunami was finally recognized, would be a trivial dent in profits.)

Flooding also disabled the wiring for the electrical power supply. This has made it very difficult to restore offsite power once a new transmission line was installed. A larger system vulnerability is the island's electricity grid. The east and west parts of the island use different voltages, and the single conversion facility does not have the capacity to draw much from the western half to compensate for the huge power losses in the eastern half.

Containment failure. The boiling water reactor (BWR) design at Fukushima, called Mark 1, has another flaw in addition to its unprotected emergency power source. The Mark 1 design was the subject of much controversy when it was first developed in the 1960s by GE. Compared with pressurized water reactors (PWRs), the BWR was cheaper and easier to build because of its thinner and smaller containment shell over the reactor vessel.

But in the 1970s some critics warned that the BWR containment vessel, the "last line of defense" in an accident, was inferior to the PWR design. (GE disputes these criticisms.) The chairman of what was to become the US Nuclear Regulatory Commission agreed that the BWR was more dangerous than the PWR, but said that banning the design "could well be the end of nuclear power," because it was already widely accepted. (It is currently used in 23 US plants.)

According to a report in The New York Times, "internal company documents dating back to 1975 [suggest] that the containment vessel designs were either insufficiently tested or had flaws that could compromise safety." But it is not clear yet whether this deficiency played an important role in the Japanese disaster.

It is true, as is often now said, that the reactors in the six plants at the Fukushima Daiichi facility stood up remarkably well to an enormous earthquake -- 15 times stronger than anticipated by designers. There were no immediate meltdowns in the three plants that were in full operation, nor massive radioactive releases from the rods in the six spent-fuel cooling pools and one huge storage pool in the facility. But as of April 1, three weeks after the accident, the containment structure at three of the plants appears to have failed, and there are serious radiological leaks.

The accident has also revealed another vulnerability in the design for the Fukushima plant: The storage pools for spent fuel rods were placed on the fourth floor of the reactor building so that rods could be easily transported from the reactors to the pools. But this design makes the storage pools unapproachable if radiation levels are high, and leaves the pools without independent power sources to keep the rods from overheating. The pools are more lethal than the reactor cores, because they contain a greater volume of uranium.

Multiple reactors. Fukushima Daiichi has six reactors, and its owners planned to build two more at the same location. This concentration makes all of the reactors vulnerable to a "common mode" failure such as a power loss. Even if only one reactor had a serious failure, radiation levels might have climbed too high to safely monitor the other reactors at the facility. Had the utility been required to disperse its plants -- at some small economic penalty -- earthquake and tsunami risks, and the risk of collateral damage to adjacent plants from an industrial accident, would be greatly reduced.

Ignored warnings. The Japanese nuclear industry has a history of falsifying data and hiding accidents. An engineer acknowledged that he falsified documents when casting one containment vessel for the Fukushima complex, and received a large bonus for saving the company the expense of making a new one. The vessel sits in reactor number 4 at the Fukushima Daiichi plant. Tokyo Electric Power Company (Tepco), the utility that owns the facility, saw ritual resignations by the utility's chairman in 2002, and by its president in 2007, after scandals involving falsified data and unreported accidents.

In 1990, the US Nuclear Regulatory Commission and international agencies sounded warnings of unsafe practices in Japan. A representative in the Japanese national parliament, concerned that the six reactors at the Fukushima Daiichi facility were required to withstand only a 19-foot-high tsunami, discussed his concerns at least 20 times with Tepco in 2003 and sent a warning to Japan's president. A seismology professor at Kobe University resigned in protest from a nuclear safety board in 2006 because of lack of attention to earthquake and tsunami risks. After the Fukushima Daiichi disaster, he observed: "Nuclear power is national policy, and there's a real reluctance to scrutinize it."

GE denies the containment risk, pointing to 40 years of successful operation of the Mark 1 in 32 Japanese installations. By that same logic, Tepco can point to 40 years of operation without a direct tsunami hit on any of its many plants. But as my colleague John Downer of Stanford University points out, the database for nuclear plants is so small as to be statistically meaningless. The number of reactors in operation in the world is very small, and there are many different designs and configurations. Equally statistically meaningless is the limited experience with tsunamis hitting nuclear plants. The reliability required for a complex and tightly coupled nuclear power plant is hugely greater than that required for, say, an automobile manufacturing plant. If there is a potential for catastrophic failure, placing risky systems such as nuclear plants in risky settings such as storm-washed coasts is risk squared.

Japan and the United States have weak central governments, so regulating hazardous activities has always been difficult. In the United States, the first body to regulate the nuclear industry, the Atomic Energy Commission, was also responsible for promoting it -- an obvious conflict of interest that was resolved with the formation of the Nuclear Regulatory Commission. But the NRC was soon compromised by its close connections to the nuclear industry -- a problem known as "regulatory capture."

The NRC has a history of blackballing whistleblowers, and in one egregious case secured a fine and jail sentence for the person most responsible for preventing a meltdown at the Davis-Besse nuclear plant. We should not expect more vigorous regulation from the equivalent Japanese organizations, the Nuclear Safety Commission and especially the Nuclear and Industrial Safety Agency, where both promotion and safety still reside. (India also has a compromised regulatory body and a poor safety record.)

The nuclear industry is highly centralized, giving it political clout in all countries. Toshiba bought Westinghouse; the French company Areva dominates in Europe and is now in joint projects in the United States; Exelon and Entergy run most of the plants in the United States; Tepco accounts for 30 to 33 percent of the generating capacity in Japan, and is the fourth largest utility in the world. Vast amounts of capital, and potential profits, are concentrated in nuclear plants. They supply a third of Japan's electric power and a fifth of the US market; this gives them substantial power over their governments.

Lessons learned. Will the industry learn anything from this event, particularly if those lessons might reduce profits in either Japan or the United States? On March 12, the American Nuclear Society noted the dire events, but continuing the tradition of risk analysis in the industry, it reassured us: In an event like this, "containing the radioactive materials could actually be considered a 'success' given the scale of this natural disaster that had not been considered in the original design. The nuclear power industry will learn from this event, and redesign our facilities as needed to make them safer in the future."

The industry necessarily has a longer time perspective than most -- after years of permissions and planning, it may take 10 years to build a facility that will have a life span of 40 to 60 years. One would think that this time span would make it easier to guard against operator error or sloppy work, faulty designs, tsunamis, hurricanes, and terrorist attacks. The lengthy process should also make it easier to avoid the rare but inevitable "normal" accident where, even if everyone plays safe and tries hard, small failures can interact in totally unexpected ways to defeat all safety devices -- as happened at Three Mile Island.

But the interests of shareholders, at least in the United States, are very short term. Legally obedient to them, managers must maximize quarterly profits, and this means riskier designs, less-vigilant maintenance, operating shortcuts, and lobbying to prevent expensive regulatory rules. In the United States political lobbying and congressional campaign contributions have ensured weak and delayed regulation by the NRC.

The Japanese regulatory regime is at least as weak. Private ownership does not appear to encourage safety and long-range hazard analysis; government ownership, as in Sweden and France, seems to do better but will not necessarily guarantee it.

It is true that the Fukushima plants' performance exceeded design standards in three respects: they kept running without offsite power longer than required; they survived a wave that may have been three times as high as they were expected to confront; and they survived an earthquake much larger than their design anticipated. But in this "success," hailed by industry and academic nuclear experts alike, we are seeing radiation levels that -- if not yet catastrophic -- are devastatingly high. The American Nuclear Society claims that we will "learn from this event." The Japanese radiation victims and the dead plant workers will be glad to know that in their disaster lies our salvation.