Fukushima Dai-ichi Accident: Sociologist Needed!


I have been working this year with sociologists, in a research group composed largely of visitors to Bielefeld’s residential research institute ZiF. The group is working on Communicating Disaster. Then one happened – an enormous natural event triggered a disaster. Let me look at part of it, namely the system-safety disaster at the Fukushima Dai-ichi (Number 1) nuclear power station.

A nuclear power plant is what I call a teleological engineered system. Like a car, or an airplane, it has a purpose, and it is designed by one (or a few) legal actor to fulfil that purpose. As a system, it distinguishes itself from, say, a town, which is a collection of houses, shops, workshops and offices, mostly designed and constructed piecewise, for divergent purposes, indeed purposes which are often contrary, by many actors. Fukushima Dai-ichi has people swarming all over it, designing, specifying, building, operating, maintaining, and filling out all the paperwork which somehow gives us a comfy feeling of organisation aiming to fulfil the purpose. But no longer. Here it is, not producing two watts of what it is supposed to produce, but instead injuring people, threatening to distribute large amounts of its highly toxic component substances above ground, below ground, and in the water. What went wrong?

The technology behind nuclear fission power is exothermic. The plant requires active cooling at all times, even when not operating. If it is not cooled then an accident is inevitable. Cooling requires power. When the plant is working, maybe from itself. When it is shut down, then from somewhere else. It follows that power supply must be unfailingly reliable in order to avoid an accident.

Primary power comes from outside. The existence of a secondary power system tells us that someone foresaw circumstances in which primary power would be interrupted. (They were right! An earthquake cut primary power; the live reactors, Units 1-3 of 6, shut down as planned.) Can secondary power be interrupted? If so, we need tertiary power… and so on. The tertiary power is trivial – batteries with a life of 8 hours. It follows no one thought secondary power could be interrupted for longer than that. But it was! It was taken out.

Everything else about this disaster follows from that one event: Secondary power was taken out. How? It was in a “basement”, which was flooded by the tsunami. Let us focus on the tsunami for a moment. At time of construction, it seems no one evaluated the tsunami hazard (Kopflos in die Katastrophe, Marlene Weiss, Süddeutsche Zeitung 19-10.03.2011). Later they did, but “no one thought of a tsunami that high!”. Not so – a tsunami expert brought it up at a meeting at the regulator, NISA, in 2009. He recounts that his concern was – in my words, not his – peremptorily dismissed (Japanese nuclear plant’s safety experts brushed off risk of tsunami, David Nakamura and Chico Harlan, Washington Post, 23.03.2011). Tsunami experts have expressed their astonishment at the lack of apparent tsunami awareness at the regulator or plant operator (Japanese Rules for New Plants Relied on Old Science, Norimitsu Onishi and James Glanz, New York Times, 27.03.2011). It is important to keep in mind that this is just one way the secondary power can be taken out, but not the only way.

Engineers designing, building and operating safety-critical systems are required by standards to perform a hazard analysis (HazAn). A hazard is, roughly speaking, a precursor of an accident, so you have to know first what the accidents are – what the events are which constitute accidents. It is pretty clear to everyone in the nuclear industry that meltdown is an accident and it is equally clear that lack of cooling leads directly to meltdown. (It’s not the only one: you have to keep the spent fuel pools cooled, else they evaporate and burn. It’s clear that that constitutes an accident event also.) So losing all cooling for a long enough period of time is an event that leads inevitably to an accident. Your secondary power just cannot be taken out for longish periods of time when your primary power is not available. There, that’s (part of) a HazAn, with the derived safety requirement. HazAn is no more, and certainly no less, than this kind of reasoning, but you must systematically cover everything.

The next formal step is to ask about mitigation. What can happen to secondary power to take it out? It can fail because it is poorly maintained (mitigation: maintain it properly. This is a known quantity). It can fail because on-demand systems often fail on demand (mitigation: run it continuously, at low power, so you know it runs when it is asked to cut in). It can fail because a large airplane crashes into it (mitigation: design the building accordingly. This was a consideration for English gas-cooled nuclear plants in the early 1970s). It can fail because of a bomb (mitigation: good security at the gates and perimeters). It can fail because it’s flooded. Before someone says “thousand-year tsunami”, recall that there are two and a half million gallons of water perched in the air in the spent-fuel pools of the six reactors, which pools just might be breached during an earthquake – but weren’t, as it turns out. You should think of that, even if a tsunami doesn’t occur to you. (Mitigation: design the secondary power to function while submerged. They do it in submarines, this is a known quantity.)
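The power-chain reasoning of the last three paragraphs, written out as a small hazard-analysis model. This is an added example, not the author's: the chain (grid power, diesel generators in a basement that floods, batteries good for 8 hours) follows the post, while the 72-hour outage duration, the scenario names and the "submersible diesel" mitigation are constructed assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PowerSource:
    name: str
    defeated_by: frozenset                # conditions that take this layer out
    endurance_h: Optional[float] = None   # hours it runs on its own; None = unbounded

@dataclass(frozen=True)
class Scenario:
    name: str
    conditions: frozenset                 # conditions present at the same time
    duration_h: float                     # hours until outside power is restored (assumed)

def hours_of_cooling(chain, scenario):
    """Hours of cooling the surviving layers give; None if some survivor is unbounded."""
    total = 0.0
    for src in chain:
        if src.defeated_by & scenario.conditions:
            continue                      # this layer is taken out by the event
        if src.endurance_h is None:
            return None
        total += src.endurance_h
    return total

def hazard_realised(chain, scenario):
    """The hazard: all cooling power lost for longer than the event lasts."""
    avail = hours_of_cooling(chain, scenario)
    return avail is not None and avail < scenario.duration_h

def analyse(chain, scenarios):
    return {s.name: hazard_realised(chain, s) for s in scenarios}

# As described in the post: grid lost to the quake, diesels lost to flooding, 8 h of batteries.
AS_BUILT = (
    PowerSource("grid", frozenset({"earthquake"})),
    PowerSource("basement diesel", frozenset({"flood"})),
    PowerSource("batteries", frozenset(), endurance_h=8.0),
)
# Mitigation from the post: secondary power that keeps working while submerged (assumed name).
MITIGATED = (AS_BUILT[0], PowerSource("submersible diesel", frozenset()), AS_BUILT[2])

SCENARIOS = (                             # constructed scenarios; 72 h is an assumption
    Scenario("earthquake only", frozenset({"earthquake"}), 72.0),
    Scenario("earthquake then tsunami", frozenset({"earthquake", "flood"}), 72.0),
    Scenario("earthquake breaches spent-fuel pools", frozenset({"earthquake", "flood"}), 72.0),
)

if __name__ == "__main__":
    for label, chain in (("as built", AS_BUILT), ("mitigated", MITIGATED)):
        print(label, analyse(chain, SCENARIOS))
```

Note that the pool-breach scenario carries the same "flood" condition as the tsunami: the model does not care where the water comes from, which is exactly why the tsunami need not occur to you for the hazard to show up.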

Maybe such HazAns weren’t state of the practice when the plant was built decades ago? HazAns are also required by standards during operations, which were continuing up to March, 2011.

“But no one can think of everything!” That is, though, the purpose of a HazAn. You may make a mistake, of course, in your HazAn. But the reasoning above is routine, one thing following from another; I would require from my students no less.

Now to the point of this shaggy dog story. How did the builders, owners and operators of this plant miss all this for forty years? To answer that question, you don’t need an engineer, you need a sociologist! There, I said it!

Do you need to answer it? Most certainly you do. It helps you to find other plants, other power companies, where similar things could have happened and could be happening, so we can step in before something equally extreme happens.

You also need somebody to tell you what the consequences of such an extreme event are. Engineers work on experience. Commercial jet transport airplanes are thought of, justifiably, as maybe the most highly reliable complex artifacts ever built. Wings used to fall off (say, from Wellingtons, seventy years ago). They don’t any more (or only as a consequence of some other unrecoverable event). Experience makes the difference: we have five to twenty fatal accidents with commercial jet airliners per year to learn from. Compare with nuclear power: we have had three, maybe four, extreme events in fifty years (Windscale, maybe Three Mile Island, Chernobyl, Fukushima 1). Who can tell us what the consequences are? Two engineering colleagues said: Chernobyl, 60+ fatal. Some medical researchers say: 6000+ fatal. Greenpeace says: 200,000+ fatal. If the weather had been different, maybe tens of thousands more in Kiev. When the serious estimates of fatalities (alone! Then there is the damage to the environment to consider) differ by four orders of magnitude, as here, then the answer seems to be that no one can tell us reliably. Or even what the possible consequences are. The engineering risk calculus of probability times severity doesn’t work, either. It gives one answer before Chernobyl, another answer after Chernobyl, and yet another answer after Fukushima. A decision aid is useless if it gives you different answers each time you have an unwanted event. An engineer can’t tell you.

Can a sociologist tell us? Maybe not. Then who?

Acknowledgement

I thank Lee Clarke, who has a note at nj.com, Charles Perrow, who pointed out the susceptibility of the design to flooding secondary power, Bernd Sieker, who as usual delved into the physical details of everything, and Werner U., who has been scouring the press, and the participants of the ZiF research group Communicating Disaster for useful comments on the first version of this note.

