How the Fukushima Daiichi accident changed (or did not change) the fundamentals of nuclear safety

In this presentation, the fundamentals of nuclear safety that the Fukushima Daiichi accident did and did not change are discussed. While the most basic strategy, the defense-in-depth principle, is still valid, some problems have emerged after Fukushima, namely preparedness for all hazards and multiple disasters, and the importance of the administration of emergency response. From this observation, enhancing the resilience of nuclear systems is a critical issue after Fukushima. The safety enhancement measures considered in nuclear facilities are reviewed with reference to the elementary characteristics of systems resilience, and a new framework is proposed for dealing with unsafe events, in which unsafe events are classified into three categories.


INTRODUCTION
After the Great East Japan Earthquake (Tohoku Earthquake) and the Fukushima Daiichi accident (Fukushima), people used the word "unanticipated" to describe the disaster. It is true that the state of seismology at the time of the disaster could not foresee that such a huge earthquake and tsunami could ever occur in the area, and the main cause of the accident was insufficient preparedness of the plants against tsunamis. Merely reevaluating the risk of tsunamis more precisely and raising the height of the seawalls, however, seems an improper remedial action. It also seems wrong to think that the fundamentals of nuclear safety have broken down and should be replaced with new ones. Having reviewed the experience of the disaster, what we have to do is rather to renovate the basic strategy of nuclear safety, the defense-in-depth principle, from the viewpoint of systems resilience.

WHAT DID NOT CHANGE AFTER FUKUSHIMA
After Fukushima, many people, including the press, declared that the myth of nuclear safety was over and that the thinking of the experts had been totally wrong. The accident, however, has shown clearly that the most basic strategy, the defense-in-depth principle, is still valid, because the accident was caused precisely by a lack of defense-in-depth. The single safety barrier that protected the Fukushima Daiichi plants against tsunamis was the seawalls. Since the maximum scale of tsunami that may possibly occur in the area is uncertain, multiple barriers should have been installed to protect the plants against tsunamis. In this situation, the tsunami caused by the Tohoku Earthquake, which exceeded the design basis, was fatal.
In addition to the seawalls of insufficient height, the areas housing safety-relevant equipment in the plants were not watertight. The emergency power supply, such as the metal-clad switchboards as well as the diesel generators, was located below ground level. All of this equipment was therefore submerged and lost its function. The backup systems against station blackout were also insufficient, both in the emergency power supply and in the means of water injection.
Safety barriers for mitigating the consequences of an accident were not well prepared either. Before the JCO criticality accident (JCO), which occurred in 1999, emergency response requiring the evacuation of nearby residents had been a taboo in Japanese nuclear development. In the aftermath of JCO, the Act on Special Measures Concerning Nuclear Emergency Preparedness was enacted, and emergency response drills were enforced in each prefecture hosting a major facility site. It was revealed in Fukushima, however, that these efforts were ineffective, because the scale of the accident was far beyond the prescribed scenarios of the emergency response plans.
As described above, the disaster of Fukushima occurred not because the very basis of nuclear safety was wrong, but because it was not maintained properly. Defense-in-depth is the most basic strategy of nuclear safety; it was established at an early stage of nuclear development, before sophisticated methods of risk-informed safety management were introduced. After Fukushima, some people claim that we should rely more on risk-informed methods for safety management and should evaluate the risks of external hazards more precisely. It is necessary to do so, but merely introducing more sophisticated risk-informed methods is not the final answer. Fig. 1 shows an overview of safety management based on a probabilistic concept of risk, which is a combination of the scale and the probability of damage. A certain risk limit can be chosen as the curve shown on the scale-probability plane in the figure. If the system status is located above this curve, one must make every effort to reduce the risk. Even if the system status is located below the curve, however, it does not mean that the risk has vanished. The risk that still remains after the risk limit has been satisfied is called the residual risk, and we have to deal with it as well. The occurrence of an unanticipated event often leads to a lowering of the risk limit and then to stricter safety regulation, but this process is an endless loop. Management of the residual risk is performed by risk retention and risk transfer, which are often outside the scope of ordinary safety regulation, and a strategy for applying them has yet to be established. Renovating deterministic approaches that follow the defense-in-depth principle will be a key.
After Fukushima, the Nuclear Regulation Authority (NRA) of Japan enforced new regulatory standards for commercial power reactors in July 2013. The new standards require enhancement of the design basis, protection against earthquakes and tsunamis, and new requirements for severe accidents. In order to fulfil the standards, Japanese utility companies are now taking remedial actions on their plants and installing various safety measures such as the following; these measures are in line with enhancing defense-in-depth rather than introducing new principles.

- Reevaluation of the maximum scale of earthquakes and tsunamis;
- Installation of watertight structures and countermeasures against submersion;
- Reinforcement of the emergency power supply;
- Reinforcement of the emergency water supply, including that for spent fuel pits;
- Prevention of reactor containment vessel damage, e.g., installation of filtered containment venting;
- Prevention of the dispersion of radioactivity.

All-Hazards and Multiple Disasters
Though the basis of nuclear safety did not change even after Fukushima, some problems that caused the lack of defense-in-depth have emerged. We should learn lessons on these points and reflect them in the concrete measures taken for safety enhancement.
Firstly, we must be more concerned about preparedness for all hazards and multiple disasters than we have been. The safety barriers against tsunamis were very fragile, because people in the nuclear industry were so concerned about seismic motion that less attention was paid to the risk of tsunamis. Almost all of the equipment for emergency power supply and emergency water injection is located below ground level, because that location is the best for protecting it from seismic motion. This consideration, however, was harmful when it came to protecting it from tsunamis. We should have been more concerned about natural disasters other than seismic motion.
The backup systems against station blackout were insufficient, because the reliability of the power grid is extremely high in Japan and a station blackout lasting a long period of time was unthinkable before Fukushima. The multiple disasters over a very wide area after the Tohoku Earthquake easily defeated that expectation, and the external power supply from the grid became completely unavailable. Relying solely on the quality of the power grid is a vulnerability in the face of such multiple disasters.
Preparedness for all hazards, not restricted to natural disasters, is now a critical issue of nuclear safety in Japan after Fukushima. Aircraft crashes and terrorist attacks should also be considered. The progression of such events may easily exceed conventional event scenarios, and it is difficult to take preventive countermeasures that satisfy prescribed design bases, in particular by installing hardware equipment. It is therefore unsuitable to cover all these hazards by safety regulation. Meteorite strikes are outside the scope of design bases at present, but some response scenario should be imagined as a voluntary activity. What can we do if most of the plant staff are down due to a pandemic?

Administration of Emergency Response
Secondly, we should attend more to the administration of emergency response than to preventive measures with hardware equipment. While no casualties from radiation exposure have been reported, many people died during or just after evacuation in Fukushima due to improper evacuation planning and operation.
An offsite center, which is expected to be the local headquarters of nuclear emergency response, was constructed in each area with major nuclear facility sites after JCO. But the offsite center in the Fukushima area did not function at all due to the blackout and high radiation doses. The administrator failed to collect monitoring data on radiation dose and could not use SPEEDI (System for Prediction of Environmental Emergency Dose Information) for decision-making in evacuation planning, in particular for deciding which areas were to be evacuated. In addition, information sharing between the different organizations, such as TEPCO, the central government, the Self-Defense Forces, the police, and the local governments, was so poor that evacuation planning and operation were carried out on an ad hoc basis. The most symbolic and miserable consequence of this poor administration was the deaths of 50 evacuated patients from the Futaba Hospital.
The disaster described above could have been avoided if we had worked out the administration of emergency response with accident scenarios that really match the crisis. Unlike the engineering design of hardware equipment, however, no systematic or technical design methods have been established for the administration of emergency response. Techniques for optimal planning and normative decision-making have been developed in Operations Research and applied to emergency response problems such as evacuation planning. Most of them do not work in the ill-structured situations of an emergency, because they rely on complete and accurate information to set up mathematical models and obtain solutions. In addition, conventional mathematical methods cannot deal with organizational interactions, which play a very important role in emergency response, as described so far. New approaches to the design of administration are therefore expected, such as agent-based organizational simulation or the application of bio-inspired design of complex social systems.

ENHANCING RESILIENCE
Resilience, which is the ability of a system to absorb changes and maintain its functionality, has attracted the interest of experts in many areas after the Tohoku Earthquake and Fukushima. While the conventional safety design of artifacts focuses only on the within-design-basis region, resilience also sheds light on the beyond-design-basis regions. The resilience of a system is often represented by the speed of recovery from a degraded state of system functionality after a crisis. It is, however, a multifaceted feature of a system, and Woods enumerated the following four essential characteristics of resilience:
- Buffering capacity: the size or kinds of disruptions the system can absorb or adapt to without a fundamental breakdown in performance or in the system's structure;
- Flexibility: the system's ability to restructure itself in response to external changes or pressures;
- Margin: how closely or how precariously the system is currently operating relative to one or another kind of performance boundary;
- Tolerance: how a system behaves near a boundary, whether the system gracefully degrades as stress/pressure increases, or collapses quickly when pressure exceeds its adaptive capacity.
Following his proposal, Fig. 2 summarizes how the safety enhancement measures adopted in Nuclear Power Plants (NPPs) before and after Fukushima contribute to enhancing resilience. The conventional within-design-basis approaches to safety design serve to enhance margin. Accident management is a typical measure for enhancing tolerance to beyond-design-basis events. Nuclear disaster prevention appears in two places in this figure, under tolerance and under buffering capacity; the scale of disaster differs between the two, and they correspond respectively to the fourth and fifth levels of defense-in-depth. Buffering capacity is related to the recovery process from damaged conditions after a disaster, while flexibility contributes to improvement beyond the previous performance level through organizational learning and reengineering. The remedial actions undertaken by the utility companies to satisfy the new regulatory standards can be classified in the same manner.

THREE CATEGORIES OF UNSAFE EVENTS
Though the basic strategy of nuclear safety has not changed even after Fukushima, we are now required to deal with a wider scope of events, including beyond-design-basis events. This situation is described in Table I, where the unsafe events that occur in NPPs are classified into three categories.
The author created the original version of this table shortly after JCO. Category 1 corresponds to unsafe events of relatively high frequency and low consequence, which do not differ from work accidents in ordinary industries. The risk of these events can be evaluated statistically, and remedial actions are taken in ergonomics and work management. In contrast, Category 3 includes design-basis events of low frequency and high consequence, which are unique to the nuclear industry. The countermeasures for this category are to evaluate their risks theoretically and to install engineered safety features. Category 2 is a new type of unsafe event that has emerged in the past decades. This category includes complex events such as systemic or organizational accidents, and they sometimes exceed the design bases.

Table I (fragment): Status in nuclear industry. Category 1: already resolved; Category 2: unresolved; Category 3: already resolved. (* ALARA: As Low As Reasonably Practicable)

A further point of interest is the trade-off with economy. Since NPPs are protected from Category 3 events by engineered safety features, most of which are out of service during normal operation, enhancing them conflicts with plant economics. In contrast, safety enhancement measures for Category 1 events often also contribute to improving the efficiency and productivity of work, and so they can be compatible with plant economics. This differs from the common image of safety and economy being in a trade-off relationship. Measures for Category 2 lie between the two: if safety enhancement measures using engineered safety features are necessary, the investments are costs; otherwise, they are sometimes compatible with plant economics.
When this table was created, the term resilience was unknown in the nuclear safety community, but it has now become clear that enhancing resilience contributes to solving the problem of how to prevent and mitigate Category 2 events. The general principles and practical methods for doing so, however, are not yet sufficiently established, and resilience engineering should take up the challenge of solving this issue.

CONCLUSIONS
The Fukushima Daiichi accident was caused mainly by a breach of defense-in-depth, the very basis of nuclear safety, against tsunamis, and it is unnecessary to replace it with a new concept. The accident rather showed that defense-in-depth is effective even in unanticipated beyond-design-basis emergency conditions, and the remedial actions now being undertaken by the utility companies in Japan are in line with the principle. It must be taken into consideration, however, that the breach occurred due to insufficient preparedness for all hazards and multiple disasters. More attention than before should be paid to the administration of emergency response, rather than to preventive measures using hardware equipment. Enhancing the resilience and renovating the defense-in-depth of NPPs are crucial, and Category 2 unsafe events will be the target of these efforts.