fukushima in retrospect (2013)

Fukushima in Retrospect (Lessons in Risk Assessment) Brian Landberg 2013-Jul-17

Upload: brian-landberg

Post on 18-Jul-2015


Page 2: Fukushima in Retrospect (2013)

Myths: Stories of Gods, Technology, and Consequences

Prometheus : A central Greek myth ... human technology & associated risks.

Knowledge stolen. Progress for humans, but also hubris (angering the gods) and other subsequent troubles: endless torture (search for the truth?), and Pandora’s box (uncertainty)

Page 3: Fukushima in Retrospect (2013)

Comparative myth (Greek vs. Indian)

Prometheus (name=foreknowledge): Fire (useful, but dangerous) as acquired knowledge, separate from nature [= invention]

Mātariśvan (name=grown from mother): Fire (benevolent), gifted to the people with auspices of the gods, part of nature [= discovery]

Page 5: Fukushima in Retrospect (2013)

Is nuclear power actually safe?

YES: Atoms for peace* … “swords into plowshares”. Not like a bomb: U235 ~5% (vs. ~90% for bombs)
NO: Difficult to assure Pu non-proliferation (byproduct of U238 + n reactions)

YES: Cannot explode like an A-bomb (runaway chain reaction); Delayed-neutron critical design; H2O as moderator/coolant = failsafe feedback
NO: Hydrogen/steam explosions, meltdowns can occur (due to LOCA); Chernobyl type reactors do (did) enable prompt-supercritical reaction.

YES: Fundamentally similar to other power generation (make steam, turn turbines); Proven/reliable.
NO: Complex to control reactor; Decommission difficult (radioactively contam. structures).

YES: Multiple levels of design/engineering safety and redundancy (“defense in depth” philosophy); Earthquake proof construction (built on bedrock), proved at Kobe, Niigata earthquakes.
NO:
• Vulnerable to nat. disasters (common cause to knock out all defense levels)
• Human error & human mgt./systems (including biased fault-line data)
• Design blind spots (e.g. spent fuel pools)

YES: 439 plants around the world operating safely for decades/millions of plant-hours.
NO: Serious accidents have occurred, with very messy consequences.

YES: Environmentally friendly (CO2, pollution); Much less waste than conventional oil, coal.
NO: Only if accidents are fully prevented; Hi-level waste is a problem (reprocess or storage)

* “My country wants to be constructive, not destructive. It wants agreement, not wars, among nations. It wants itself to live in freedom, and in the confidence that the people of every other nation enjoy equally the right of choosing their own way of life.“ -D.Eisenhower, 1953

Page 6: Fukushima in Retrospect (2013)

Fukushima Status (and scope of damage)

• Fukushima 1, 2: total 6+4 = 10 reactors
– Meltdowns (3), Fuel recovery (4), decommissioning (10?)
– 10-year clean-up plan proposed (aggressive?)

• Fallout contamination area and evacuation
– ~60,000 people remain evacuated in 2013 (orig. # 160k in 2011)
– 1000 sq.km., 15~30 million m^3 of soil

• Water contamination (ongoing)
– Ground water contamination by contact with melted nuclear fuel/soil
– Water filtration systems remove Sr, Cs, etc. but not 3H Tritium (minor fission product, forms HTO water), so water must be stored in tanks rather than returned to ocean…

• Denied permission to restart (ongoing)
– Most of Japan’s 50 commercial nuclear power plants are off-line now [20~30% of all electric capacity]
– About 10 reactors are applying for permission to restart, after safety measures added, data shown
– Covered by increased imports of LNG/LPG and oil (energy costs up 20%, CO2 up 15%)
– Early decommission costs also to consider

• Japan’s regulatory authority reorganized/empowered
– Tougher stance to regain public trust. Reopen fault-line surveys at all plant sites, etc.
– Recommended to close plants at Hamaoka & Tsuruga due to seismic fault line risks

• Huge financial costs to consider (details later in the presentation).

Page 7: Fukushima in Retrospect (2013)

Preventable Man-Made Disaster? Natural Catastrophe?

“It was a profoundly man-made disaster — that could and should have been foreseen and prevented,” “Its effects could have been mitigated by a more effective human response.”

- Dr. Kiyoshi Kurokawa, M.D. (Chair, Nuclear Accident Indep. Investig. Comm./Prof. Tokyo Univ. )

• Most powerful quake in Japan’s history (350x energy vs. Kobe)
• 9m~40m tsunami height, affected up to 10km inland
• ~18,500 lives lost to tsunami & earthquake
• ~1M bldgs. destroyed/damaged

• 13~14m tsunami hit Fukushima Daiichi
• Sea wall only 5.7m, all station power knocked out, including control room

Page 8: Fukushima in Retrospect (2013)

Defense in Depth (DiD)*

* DiD: originally military strategy to minimize enemy attack by prolonging/diffusing effects.

Multi-layered design protection philosophy (perhaps not good enough…)

1. UO2 Oxide Fuel Pellet (Non-volatile, ~2800degC melt temp)

2. Fuel cladding (Zircaloy, ~1800degC melt temp)… H2 gas, embrittlement, swelling, at high temp

3. Pressure Vessel (Ni-SUS)…Spent fuel is external to PV

4. Containment vessel/steel floor (thick concrete & steel)…Containment of molten fuel could fail if structural integrity of CV is compromised by H2 explosion, earthquake, etc.

5. Secondary containment building (std. building materials)

6. Environmental buffer: Land/Forest; Water (sea, river)… May contaminate adjacent sea/river ground water

7. Location in remote, unpopulated region (e.g. 30km radius)… No longer in common practice!

Page 9: Fukushima in Retrospect (2013)

Preventable Man-Made Disaster or Natural Catastrophe?

• What is a black swan event?
• Example a): Lehman Shock
• Example b): Collision/sinking of USS Titanic
• Example c): M9.0 earthquake + Tsunami

1. Judged “Highly improbable” from past experience, risk estimations.
– Conditional assumptions, extrapolations taken as absolute facts
– Hints / early warnings easily ignored or covered up

2. Wipes out multiple levels of “safety” or “redundancy” at once
– Design basis can be exceeded… then what?

Obvious facts about Fukushima:
• M9.0 has occurred before (e.g. 2004 Sumatra M9.1)
• Very large tsunami has occurred (e.g. Hokkaido 1993, 32m)
• LWR nuclear plants are on the shoreline, by design

Page 10: Fukushima in Retrospect (2013)

Rasmussen Study (1975, MIT/AEC)

Historic study to integrate risk severity (public attention) with occurrence frequency (industry focus)

Biased: used to try to convince gov’t, public of safety of nuclear power.

Militaristic approach: only considering # of deaths as measurable impact.

* Risk of lethal dose of chlorine release during domestic transport by train in USA (Cl used as example of toxic chemical release in populated areas).

Source: http://www.osti.gov/energycitations/product.biblio.jsp?query_id=6&page=0&osti_id=7134131

First use of probabilistic method for safety risk assessment (contrib. to FMEA method)

Page 11: Fukushima in Retrospect (2013)

…Collateral Risks Underestimated

Practically zero deaths due to Fukushima accident, however HUGE DAMAGES to people, gov’t, and industry!

– Evacuations (indefinite) & resettlement
– Personal/medical damages and claims
– Contamination of land (Cs-137, 134) & water (Cs-137, Tritium)
– Fukushima-1 cleanup/fuel recovery
– Decommissioning of other nuclear plants
– Added fossil plants/fuels: oil, LPG
– Lost tourism (radiation concerns)
– Limited mfg. supply (power peaks, costs)
– Kyoto Protocol decommit (CO2 targets)
– Deaths from heatstroke due to excessive energy conservation (ironically)…

http://whenthecrisishitthefan.com/2012/02/

Page 12: Fukushima in Retrospect (2013)

Costs and Recovery ($USD equiv.) (paid by TEPCO & gov’t, eventually by citizens…)

| What | How Long | How Much $ |
|---|---|---|
| On-site clean-up & decommission | 10~30yr | 250B |
| Affected lands decontamination | 5yrs | 10B |
| Evacuation living costs (housing, etc.) | 5yrs | 9B |
| Reparations to evacuees (lost assets, jobs) | 3yrs | 8B |
| Purchase contaminated land (20km zone) | 5yrs | 50B |
| Medical claims & monitoring (evacuees) | 30yrs | 1B |
| Decomm. other reactors (fault line risk, etc.) | 5yrs | 10B |
| Upgrade other reactors | 5yrs | 11B |
| Rebuild towns/communities over time | 10yrs | 269B |
| Added fossil fuel plants & fossil fuels (+100T BTU/yr) | 20yrs | 460B |
| Ramp-up solar/renewables infra & incentives | 20yrs | 100B |

Roughly ~$1.2T USD (= avg. 60B/year, or $500/person/year)… to be paid for by increased taxes and higher energy prices.

Page 13: Fukushima in Retrospect (2013)

Fukushima- what went well

Despite widespread anger, mistrust, and confusion in Japan, at least… (arguably)

• Evacuations – rapid and orderly

• Heroic response on site during disaster to help limit damage

Page 15: Fukushima in Retrospect (2013)

Technical Blind Spots

• Protective sea wall too low (5.7m vs. 13m): risk assessment insufficient

• Backup generators, battery sys., & control/breakers at ground/basement level

• No independent backup battery/generator power to control room: electric power required to control key functions and monitor reactor status via lights/gages

• Spent fuel pools vulnerable to loss of coolant & exposure/melt

• H2 production from overheated Zr cladding

• Vents unable to open due to failure of compressed air supply to open the valve, also without filters (despite backfit recommendations)

• Safety relief valves sealed shut under high pressure (unable to open in emergency)

Page 16: Fukushima in Retrospect (2013)

Case Study#1: Isolation Condenser (Backup cooling water system for emergencies)

• Unable to confirm operation or not

– No power to central control room; all metrologies lost

– Radiation prevented access to Containment Vessel (CV) to check

– External steam from Iso-con exhaust seen (misjudgment)

• Never tested Iso-con in 40yrs of operation

– Unable to notice signs that Iso-con not operating
  • Water level dropped, steam visible was not vigorous

• No one had ever seen Iso-con in operation

• No emergency ops training

Page 17: Fukushima in Retrospect (2013)

Case Study#2: SR Valves (failed at Reactor#2)

• 8 valves, to reduce pressure in Reactor pressure vessel (PV) at time of LOCA accident (steam build-up due to cooling system failure, causing excess pressure): release steam from PV to within Containment vessel (CV).

• Operated remotely from main control room
– Requires electric power to operate & view status via indicator lights.

• Insufficient pressure differential between CV and PV can prevent valve opening. (Normally PV is much higher pressure vs. CV.)
– CV reached ~7 Atm or 0.75MPa, vs. typical 1 Atm. [PV is ~7.5MPa]

Page 18: Fukushima in Retrospect (2013)

Systemic/Political Failure

• FMEA worst case was only single-event LOCA
– Beyond design-basis, station power outage, etc. not incl.
– Bigger risks assumed designed-out, or too low probability

• Regulatory Independence/Competency Lacking
– Regulatory agency not having “teeth” for enforcement
– Operators voluntarily apply regulations
– Regulatory agency taking data from operators on faith (without validation)
– NISA lacking sufficient org. independence (from MEXT gov’t branch that serves to promote the industry) and technical expertise to assure quality/safety?

• Geological site data uncertainty:
– Historical tsunami risks underestimated and fault line evidence conveniently interpreted as low-risk by utilities.

Page 19: Fukushima in Retrospect (2013)

Case Study: Geological Site Surveys

NRA has concerns/investigations about possible active fault lines at or near some reactors:

• Hamaoka (Shizuoka)
– Requested by PM in 2011 to decommission, due to location in earthquake susceptible zone, near 2 tectonic plate boundaries (Utility accepted)

• Tsuruga (Fukui)
– NRA recommended to decommission (Utility disagrees)

• Ooi (Fukui)

• Shika (Ishikawa)

Nuclear fuel cycle program also at risk due to fault concerns:

• Monju Fast Breeder reactor (Fukui)

• Rokkasho reprocess facility (Aomori)

Estimations of max Tsunami and protective wall heights are also in contention.

Page 20: Fukushima in Retrospect (2013)

Case Study: JCO Criticality Accident

• JCO – Japan Nuclear Fuel Conversion Company (Sumitomo Metals), working as subcon for Donen – Nuclear Fuel Development Corporation

• 1999 serious nuclear accident (unrelated to TEPCO/Fukushima)

• Workers were mixing a batch of Uranium for Joyo experimental breeder reactor (U-235 with 18% enriched solution)

• Accidental criticality, resulted in workers’ deaths by irradiation

• Serious failures in training, ignorance of SOPs, and lack of safety precautions.

• Outside of the commercial reactor industry, hence not subject to regular safety audits, etc.

• It resulted in ending of Japan’s U-235 reprocessing activities.

Page 21: Fukushima in Retrospect (2013)

Response/Communication Failure

• Gov’t’s Off-Site Control Center (OFC) unusable

• No available emergency pumps and systems for high pressure injection to PV

• No training to actually deal with serious accidents of this level.

• SPEEDI system results with-held by gov’t

– Initial evacuation based on flawed data

Page 22: Fukushima in Retrospect (2013)

Case Study: Off-Site Control Center (OFC)

• Gov’t’s emergency center, just 5km from Fukushima Daiichi

• 20 such locations in Japan, established after JCO criticality accident in 1999

• After only a few days of accident, the site was evacuated (moved to prefectural gov’t bldg.)

– Inadequate radiation protection (no air filters for ventilation system)

– Failed Audio/Video communications equipment (only satellite link was operational)

– Backup generator with limited fuel, not waterproofed

• Siting of OFCs indicates poor accident scenario planning.

– 5km proximity is too close for case of H2 explosion, etc.

– Siting on shoreline, on landfill or potentially unstable grounds

– Another OFC (Onagawa, Miyagi) was destroyed by Tsunami

Page 23: Fukushima in Retrospect (2013)

Case Study: SPEEDI

• SPEEDI (System for Prediction of Environment Emergency Dose Information) for monitoring & predictive mapping of fallout.

• SPEEDI was developed by Japanese gov’t explicitly for use in nuclear emergencies.

• Information was not publicly released to citizens until Apr-25.

• Also the data was partially compromised due to lost power to some monitoring stations after the earthquake. (Some data interpolated).

• The gov’t said it wanted to avoid releasing imperfect modeled data, due to potential misinterpretation of the data/maps, etc. Initial gov’t evacuation (Mar-14~15) was based simply on a simple circular radius, but the SPEEDI data indicated clearly that certain directions were more contaminated than others. It was recommended to expand/modify the evacuation zones.

• The failure to release critical info resulted in significant loss of trust/confidence in government information and reporting.

• Many local governments and citizens felt that if they had the data, they could have made better decisions to choose sites/directions to evacuate. Hence they felt that the gov’t exposed them needlessly to radiation risks. (Some evacuation centers outside of 30km but still with significant fallout.)

Page 25: Fukushima in Retrospect (2013)

Japan’s Safety Myth – Paradise Lost?

• Context of Japan’s great industrial prowess (technology & also quality), including nuclear. As nuclear industry leader, perhaps Japan strove to make rules, rather than follow them.

• Japan’s dependence on foreign oil/gas also underscores nuclear power as a national security priority. Hence a long-term, strong gov’t agenda to support nuclear energy policy .

• 1995 Kobe earthquake served to demonstrate robustness of Japanese plants. (2 nearby power plants, were undamaged).

• Criticisms of safety (site fault line analyses, disaster response plans, etc.) were often brushed aside. Nuclear operators became defensive against ‘no-nukes’ critics, sometimes perceived as ignorant or irrational. As in US, Chernobyl type accident was considered inconceivable in Japan.

• Nuclear operators allegedly utilized $ incentives and also mafia connections to secure local gov’t approval for new plants. It was/is not a healthy economic environment. This also fosters conflicts of interest, and makes criticism difficult.

• The nuclear industry promoted itself as absolutely safe… and came to believe its own marketing promotion, to the point where tough questions (e.g. tsunami risks) were assumed irrelevant.

• Regulatory authority (gov’t) was believed to be too close to the interests of the nuclear industry. (known as “regulatory capture”) . It did not promote checks & balances.

• Nuclear industry failed to invest in recommended backfits (from IAEA, WANO, NRC); Falsified docs related to Equipment Inspections, and avoided investment in disaster response systems (since it might encourage fears among the public.)

“It’s a fact that there was an unreasonable overconfidence in the technology of Japan’s nuclear power generation.” -Banri Kaieda (Chief Minister, METI, 2011)

"If culture explains behavior, then no one has to take responsibility," he said. "People have autonomy to choose. At issue are the choices they make, not the cultural context in which they make them." –Gerald Curtis, Columbia Univ. prof.

Page 26: Fukushima in Retrospect (2013)

What is Changing? (Japan)

Energy policy and nuclear fuel cycle policy re-assessment, but also tougher regulations, new design requirements, better oversight.

Nuclear Regulatory Org/Systems
– More independent, tougher function, enforcement
– Better communication/reporting to local/nat. gov’ts

Emergency Response
– Emergency/Disaster response systems/resources
– Radioactivity filtration systems & power/comms for disasters
– More robust radiation monitoring and gov’t communications

Earthquake/Tsunami Proofing
– Re-assess on-site seismic fault lines; forced decommissioning of some plants
– Higher walls against tsunami
– Auxiliary gen./battery located higher-up, water-tight bldgs.

Reactor Design Changes: see next page

Page 27: Fukushima in Retrospect (2013)

New Regulations (Japan)

Reactor Engineering Design Changes

– Filters on external emergency CV vents

– Manual operation option for key valves

– Auxiliary pumps and water source for spent fuel pools

– Additional injection pumps into Containment vessel

– Secondary control room & backup power, away from reactor bldg.

Page 28: Fukushima in Retrospect (2013)

What is Changing? (World)

1. Beyond design-basis accident scenarios:
– Plant design reviews by 3rd party org. (WANO)
  • Higher safety standards by pop density, multi-plant sites, etc.
– Inspection of emergency response systems
– Bunker style backup safety systems, trained “SWAT” response team (France)
– Backup batteries for 72hrs (rather than 8hrs)
– Others (USA)

2. Robust fuel storage solutions
– Spent fuel storage (after 5yrs in pool) in self-contained dry casks (USA/France)

3. Organizational Changes
– NRC chief Jaczko resigns (USA) – partly over push for stronger US regulations after Fukushima disaster
– IAEA shakeup after criticism of slow/ineffective response (UN)
  • Failed to mediate btw’n gov’t reports from JP (downplay) and US (over-react)
  • IAEA Radiological Event Scale also confusing/ineffective

Page 29: Fukushima in Retrospect (2013)

What Have We Learned?

• Central problem of conflict of interests must be acknowledged and the bias compensated
– Experts are mostly insiders/supporters…
– Regulators’ jobs tied to industry success (“regulatory capture”)

• Civilian-run utilities must open up to gov’t/international help in a disaster situation

• “Defense in depth” and “design basis” philosophy can fail by black-swan induced common cause failures
– Long technical experience/judgment does not justify low-risk

• Emerg. response systems are necessary - “black swan” events.

• Low occurrence, high severity risks must be in planning
– Risk assessment estimates - large uncertainty; Black swans happen
– Robust metrologies are critical to know status and make decisions

Page 30: Fukushima in Retrospect (2013)

What Must We Do (Quality/Reliability professionals)

• Frequently re-assess systemic/org. biases
– Keep balance between Lean (reduce data) & Conservative (demand more data)
– Rotate people to keep fresh viewpoints
– Checks and balances to compensate org. biases, avoid “regulatory capture”.

• Diligently avoid reality distortion
– Reject fitting/interpreting data to the requirement
– Plan ahead to avoid ignoring key info due to short timeline (rushed).
– 3rd party oversight: Prevent censoring of dissenting/competing views (intentional/unintentional)

• Ensure planning & systems for black swan events
– ‘Estimated as low chance of occurrence, hence do nothing’… is not acceptable.
– No data or few data points = high uncertainty
– Probabilistic Risk and FMEA have difficulty to estimate Frequency for rare or unknown events. Supplementary tools required.

• Release data quickly during excursions (even with known uncertainties)
– Don’t wait for perfect decisions

Page 31: Fukushima in Retrospect (2013)

Ref: Evolution of Dealing with Risk

| | Past | Present | Future |
|---|---|---|---|
| Tools | Common sense | Statistical/Logical (SPC, FMEA) | Predictive by design; Real-time sensors; X-checking |
| Bias | Subjective | Objective | Known bias compensation |
| Approach | Engineering experience | Conservative (max data) | Lifetime value (DFR, Taguchi loss function, Lean, etc.) |

Page 32: Fukushima in Retrospect (2013)

Ref: Further Reading/Watching

Overall Summaries

• http://world-nuclear.org/info/Safety-and-Security/Safety-of-Plants/Fukushima-Accident-2011/#.Udpomm2yzAA

• http://www.iaea.org/newscenter/focus/fukushima/japan-report2/japanreport120911.pdf (IAEA summary)

• http://www.bbc.co.uk/news/world-asia-18718486 (BBC summary)

• http://www.dipity.com/edyong209/Fukushima-disaster/ (timeline)

• http://www.ifs.tohoku.ac.jp/maru/kougi/thermal-science/data/2013.04.30/2013.pdf (Tohoku Univ. technical analysis)

• http://www.tepco.co.jp/en/nu/fukushima-np/images/handouts_111130_04-e.pdf (TEPCO core meltdown technical analysis)

• http://spectrum.ieee.org/energy/nuclear/24-hours-at-fukushima (first 24hrs in detail)

• http://www.youtube.com/watch?v=ixjlSsUlNBw (Meltdown – NHK documentary, English subtitles/narration)

Impacts/Results/Ongoing Issues

• http://thebreakthrough.org/archive/new_data_japanese_fuel_imports (CO2)

• http://e360.yale.edu/feature/as_fukushima_cleanup_begins_long-term_impacts_are_weighed/2482/ (land contamination)

• http://www.world-nuclear-news.org/RS_Japan_readies_for_restarts_1906131.html (restarts)

• http://www3.nhk.or.jp/nhkworld/english/news/20130706_27.html (Tritium levels in local ocean)

Global Reactions/Analyses

• http://www.nature.com/news/france-imagines-the-unimaginable-1.9780 (France, on failure of “defense in depth”)

• http://www.engineeringnews.co.za/article/lessons-from-japans-nuclear-crisis-2011-11-04 (technical lessons)

• http://www.nytimes.com/2011/06/02/world/asia/02japan.html?_r=2&ref=world& (NYT analysis)

• http://www.youtube.com/watch?v=AG1QmEQ84aY (Gregory Jaczko video interview)

• http://ajw.asahi.com/tag/PROMETHEUS%20TRAP?page=4 (Asahi Newspaper, “Prometheus Trap” series)

Lessons for Risk Assessment Methodology

• http://thebulletin.org/beyond-our-imagination-fukushima-and-problem-assessing-risk

• https://qir.kyushu-u.ac.jp/dspace/bitstream/2324/20493/1/p001.pdf

Page 33: Fukushima in Retrospect (2013)

Ref: LWR Nuclear Plant Safety Design

• Design Considerations

– Negative Feedback mechanism vs. chain reaction criticality (sustainability)

• Delayed supercriticality (chain reaction dependent on delayed neutrons rather than prompt)

• H2O coolant is also moderator of reaction (i.e. loss of coolant physically stops nuclear reaction)

• Temp increase leads to voiding, which reduces/stops reaction

– Control Rods (pull out/up to operate, drop down to stop reaction)

– Boric Acid (absorb neutrons to stop reaction, reduce heat)

– Scram / Trip (emergency shutdown)

• Physical Levels of Containment (DiD)

– Fuel pellet, Cladding, PV, CV, Building (plus surrounding environs ~2km)

http://en.wikipedia.org/wiki/Nuclear_safety

Page 34: Fukushima in Retrospect (2013)

Ref: Nuclear Power Plants in Japan

• ~30% of Japan’s electricity until 2011 (~50% for Tokyo)

• 50 nuclear reactors (PWR, BWR) at 15 locations. Biggest sites are:
– Fukushima (10), Kashiwazaki (7)

• Decommissioned
– Hamaoka (3 of 5); Fugen (1, FBR); Tokai (1 of 2, GCR)

• Others
– Fast Breeder (FBR)
  • Monju (Fukui)
– Fuel process related
  • Rokkasho (Aomori)
  • Tokai (Ibaraki)