Weakness in the Application of Defense-in-Depth Concept


Since defense-in-depth is the key concept for better assurance of nuclear safety by compensating for uncertainties and incompleteness in our knowledge, the review will start with where there were weaknesses in the application of the defense-in-depth concept and why. For levels 1, 4, and 5 of the defense-in-depth concept, lessons learned, possible cultural attitudes, and other issues are discussed. However, the reader should note that this chapter does not touch upon technical lessons related to safety designs such as accident instrumentation, location of spent fuel pool, multi-unit installation, conflict between containment isolation, and use of heat removal system.

Level 1

Level 1 in the defense-in-depth concept is about prevention of abnormal operation and failures.

8.2.1.1 Setting Design/Evaluation Basis

Guide for Licensing Review of Safety Design of LWR (de facto General Design Criteria in Japan, originally issued in 1970 and last updated in 1990 by Nuclear Safety Commission (NSC) [15]) required that, for SSC to perform safety functions, it must be designed to withstand postulated natural hazards and to maintain its safety functions under these and other loadings, such as those due to an accident. Though tsunami was raised in the note [15] as one of the natural hazards to be considered, unlike for earthquakes, neither NSC nor industry provided any specific guide on how to define its design basis or how to evaluate its impact on nuclear facilities, etc., until 2002.

The height of a tsunami depends on specific local characteristics such as subduction plates, faults, depth of the sea near the coast, and the shape of coastline. For instance, indented areas in Sanriku historically frequently experienced high tsunami following earthquakes [16]. Therefore, each NPS site has its own unique definition of DBT. A construction permit and a license to operate the Fukushima Daiichi NPS were given based on TEPCO's licensing basis document (Establishment Permit) that set DBT at 3.0 m by using the highest level ever historically recorded at this site by 1960 Chile Tsunami. With the rising concern over tsunami hazard (especially after the tsunami that hit Okujiri Island, Hokkaido, in 1983 and 1993) and the advent of knowledge about plate tectonics, the nuclear industry with help from academia started studies to re-assess DBT. This resulted in the guide [17] by the Nuclear Power Division of Japan Society of Civil Engineers (JSCE) in 2002.[1] Based on this deterministic guide, TEPCO redefined DBT as 5.7 m and modified the design of components in the seawater intake structure and control logics to secure net positive suction head of pumps required to function during and after a tsunami attack.

In hindsight, the JSCE guide had some problems: (a) Modeling of tsunami source started with historical (literature) tsunami records, rather than study of tsunami deposit sediments, which can cover records of time periods before written records existed; (b) The guide did not appropriately (other than those historically experienced) deal with fracture of multiple segments occurring within a narrow time window as they had occurred on March 11, 2011 (the EPRI report [11] also points this out); and (c) JSCE had not asked for public comment to invite alternative views.

In July 2002, the Research Committee of the Headquarters for Earthquake Research Promotion (HERP) released “Long-Term Projection” [19] of possible earthquakes along the coastline off of Sanriku to Bōsō Peninsula facing the Pacific Ocean, in which it said a large scale (M8.2) earthquake can occur anywhere along the Japan trench. This coastal stretch includes Fukushima. TEPCO had expressed concern over this projection and had communicated [3] with this Committee. Also, TEPCO started further study on possible tsunami hitting the Fukushima coast, not necessarily to change the design basis but for evaluation, including (Fig. 8.1):

• Refinement of tsunami model;

• Probabilistic study (in 2006) of tsunami hazard (probability of exceeding 6 m would be less than 10⁻²/year in the coming 50 years and exceeding 10 m less than 10⁻⁵/year) [20];

• Calculation (in 2008) of maximum tsunami height by hypothetically placing the epicenter of the earthquake off the Fukushima coast (15.7 m inundation height);

• Tsunami deposit study;

• Possible new installation of tall break water wall off the Fukushima site; and

• Creation of an expert panel and internal Working Group.

Fig. 8.1 Re-evaluation of design basis and possible maximum tsunami height

It must be noted that:

• The tsunami deposit studies, including that of Jogan Tsunami (AD 869) [21], did not necessarily help model construction for TEPCO, and JSCE's guide did not encourage a deposit study nor base its model on a deposit study;

• TEPCO regarded JSCE's “Methodology for Probabilistic Tsunami Hazard Analyses” [22] as being in the development stage, although it provided an opportunity for considering multi-segment failure given by logic-tree analysis;

• TEPCO also started to hypothetically place an earthquake source off the Fukushima coast where no record existed, obtained an estimate that inundation height could be 15.7 m, and consulted with external experts;

• The idea of installation of a tall breakwater wall was abandoned due to concern over possible increase of tsunami height hitting the neighboring municipality adjacent to the Fukushima Daiichi site. No action was successfully taken before March 11, 2011 when the site was hit by the earthquake with magnitude 9.0 and tsunami with around 14–15 m inundation height; and

• TEPCO had regarded the results from external-event probabilistic risk analysis (PRA) as not very useful due to significant uncertainty, rather than thinking that they represent the state of the art of their knowledge, and that the Operator needs to address possible consequences of beyond design basis by considering where the “cliff edge” exists when hit by a high tsunami as described before.

Meanwhile, stimulated by the Sumatra Earthquake and Tsunami (2004) and others, the Nuclear and Industrial Safety Agency (NISA), then the regulatory body, and Japan Nuclear Energy Safety Organization (JNES), which provided NISA with technical support, jointly established in 2006 a study group on flooding. Experts in JNES recognized the risk of SBO if Fukushima Daiichi were hit by a significantly high tsunami, and their concern seems to have been shared with TEPCO, according to the Diet's Accident Investigation Report [3].

Furthermore, the revised licensing review guide on seismic design (2006) [23] called for minimizing residual risk and mentioned tsunami as follows:

safety functions of the Facilities shall not be significantly impaired by tsunami which could be reasonably postulated to hit in a low probability in the service period of the Facilities.

NISA, in a meeting with operators, also called for attention to potentially small margins against high tsunami in the current fleet of nuclear power plants [3].

Defining design/evaluation basis of external events for its NPS sites is the responsibility of the Owner/Operator, although it may outsource necessary investigations to consulting companies. To fulfill this task, the Owner/Operator usually consults with experts and researchers, such as seismologists.

It appears that opinions of seismologists split, though not evenly, when it comes to a possible earthquake off the Fukushima coast: one camp considered that continuous slip of the Pacific plate could explain the absence of giant earthquakes in this area [24] with due attention to GPS data somewhat contradictory to the “continuous slip” theory, whereas another camp considered such earthquakes can occur anywhere along the Japan trench, such as the 2002 long-term prediction made by the Headquarters for Earthquake Research Promotion (HERP) [19], but this view was not adopted by the Central Disaster Management Council (CDMC) as a basis for Disaster Management. It also must be understood that the theory based on tsunami deposit study failed to predict the tsunami height as the one TEPCO saw on March 11. Fracture of multiple fault segments within a short time period that occurred on March 11 did not seem to be the basis for the JSCE guide in 2002 [17] or for HERP's long-term prediction in 2002 [19]. Tsunami height off the Fukushima coast was amplified due to superposition of waves from multiple segments.

On the matter of the failure of the earthquake hazard map, which resulted in around 20,000 casualties on March 11, a retrospective paper [24] describes “the presumed absence of a giant earthquake was implicitly interpreted as indicating that much of the subduction occurred aseismically,” and “the revised idea about the maximum earthquake and tsunami size were not yet fully appreciated and incorporated into the Japanese hazard map.” IAEA Safety Standards SSG-9 [25] describes: “comparison with similar structures for historical data which are available should be used in this determination” (design basis earthquake). Given the ring of subduction zone surrounding the Pacific Ocean, should Japan have assumed M9.5 (Chile, 1960), or M9.2 (Alaska, 1964), or M9.1 (Aleutian, 1957) anywhere along the Japanese trench?

Comparative subductology by Japanese and American seismologists [26, 27] suggested the magnitude of the biggest earthquake in a certain subduction zone depends on local characteristics of the subducting plate (convergence rate and the age of the plate). Given this theory, it was considered that subduction zones like Mariana or Northeast Japan were different from that of Chile, or Alaska, or Aleutian. This notion seems to have prevailed and apparently influenced guides by JSCE and CDMC. However, the Sumatra earthquake in 2004 (M9.2) was a big challenge to this theory, since the expected magnitude there was much smaller (M7.9) [28, 29]. Given the Sumatra earthquake, Japanese seismologists reevaluated the model, reviewed GPS data for status of asperity, and so on, until 3.11 occurred.

8.2.1.2 Technical Lessons

There are many lessons as to how to define design basis earthquakes in subduction zone and postulated tsunami in the design of NPS: use of data from similar structures (SSG-9), study of deposit sediments, rupture of multi-segment in an almost simultaneous manner and consequential superposition of waves. Had CDMC changed its position after the Sumatra earthquake, things might have been different and the casualty number of 20,000 might have been much less. Had TEPCO, under advice from some scientists, taken a conservative view and consideration of earthquakes in similar subduction zones, as indicated by the IAEA Safety Standard SSG-9, things might have been different. Now, based on this lesson, the Japanese regulatory body, Nuclear Regulatory Authority (NRA), has published a new tsunami guide which requires for Northeast Japan to assume M9.6 as a plate boundary earthquake with a note about giant slip and possibly released accumulated strain by the 3.11 earthquake [30].

Since there remains a certain possibility that earthquakes or tsunami greater than the design basis can occur, consideration must be given to preparedness for the unexpected by asking:

• Where is the cliff edge leading to degraded core conditions?

• What means are possible to increase the distance to cliff edge?

Had TEPCO's study, rather than focusing on what is the new design basis tsunami or waiting for uncertainty to be reduced, addressed the location of the cliff edge that may render the NPS to be in a serious situation and how to increase the distance to the cliff edge, then the accident might not have occurred. The cliff edge to go to core melt was flooding of the Electric Equipment Room. Even an assessment of internal flooding by a rupture in low grade piping in the turbine building could have found this vulnerability, especially given the experience of flooding of a part of the turbine building in December 1991 at Fukushima Daiichi Unit 1.

The Operator is responsible for defining design basis external hazards and for preparing for the unexpected that may go beyond the design basis, and needs to discharge this responsibility by continuous re-assessment of such hazards based on updated information and listening to experts' views including minority views. Since decision-making on external hazards is based on multi-disciplinary knowledge, implicit assumptions even in a professional society's guide need scrutiny by experts in other disciplines and the guide must be, before making it official, subject to public review and comment.

8.2.1.3 Possible Cultural Attitude Issue in the Background

Basically, a possible underlying issue could be that there was not enough consideration to preparedness for unforeseen events by increasing the distance to the cliff edge, thinking “Beyond Design Basis” can really occur. When TEPCO decided to raise DBT height to 5.7 m, TEPCO had also studied what might happen if a tsunami was 10 m high. The study was relatively optimistic due to the availability of the Air-Cooled Emergency Diesel-Generator (EDG) located at a high place and to consideration of possible use of the ultimate heat sink (atmosphere) instead of seawater by containment feed and bleed operation.

Critical and reflective thinking was missing in the JSCE guide, evidenced by its insufficient study of deposit sediments and assumption of multi-segment failure. Sound decision-making on multi-disciplinary issues is not possible when experts in each disciplinary area do not critically review the work done in other disciplinary areas (called “vertical silo situation” [31, 32]) in the organization or among the professional societies. Compared with the JSCE study on tsunami, the Atomic Energy Society of Japan (AESJ) did not act to formulate a safety assessment guide by considering the possibility of higher tsunami beyond DBT.

Plant engineers could have asked civil engineers questions on these points. Civil engineers also could have listened more carefully to a wide variety of views including alternative views by soliciting public comments.

Difficulty in decision-making under uncertainty and incomplete knowledge is a common issue in the area of natural hazards. Delaying decision by expecting that uncertainty would be reduced and more information would be available unfortunately often results in fatal accidents. A huge uncertainty should not be used to justify not using insights from probabilistic hazard analysis. Construction of a logic tree could have given new insights, especially on multi-segment rupture. Since supposedly around 10 % of tsunami occur by land-sliding of the seabed such as Storegga slides [33] that presumably occurred 8,000 years ago near Norway, tsunami deposit study should have been considered for all the NPS located along the coastline at an early stage.

8.2.1.4 Possible Institutional Issue in the Background

Since Government officials (such as in NISA) are frequently rotated to different positions, it is difficult for them to develop expertise in specific technical areas such as tsunami. Also, regulators have no real plant experience in the absence of a nuclear Navy, unlike some other countries, and the number of staffers recruited from Operators is limited due to concern over conflict of interest.

JSCE did not invite comments publicly before releasing its tsunami guide in 2002, which is not the ordinary practice in establishing consensus standards by professional societies.

  • [1] Still existent in Annex II (Assessment of Tsunami Hazard: Current practice in some states) to the IAEA Special Safety Guide No. SSG-18 [18], the guide describes “The first step is to conduct literature surveys for dominant historical tsunamis affecting the target site, and then the validity of recorded tsunami heights needs to be examined. On the basis of the results, fault models for numerical simulations for historical tsunamis can be set up.”
 