In Risks-26.86, Tobin Macginnis pointed to a Japanese documentary on the continuing dangers of SFP4, via Dave Farber’s IP list and PGN’s redaction. In Risks-26.87, Dan Yurman claimed in response that

this nonsense has been thoroughly debunked by a special post at the blog of the American Nuclear Society

as well as

Scare the socks off people propaganda is never a substitute for engineering reality. You might just as well try to build railroads on snow drifts

He linked to the post, by a former navy nuclear technician Will Davis. When you look at the post, please do note the URL: “spent-fuel-at-fukushima-not-dangerous“. What guff! Of course it’s dangerous. The actual written headline is more benign: “Spent fuel at Fukushima Daiichi safer than asserted“.

Yurman’s claim of “propaganda” got my goat, for his post itself seemed to me to be little more than that. I sent PGN and Yurman a message saying so. Yurman responded that

No one on the [ANS Fukushima commentary] team is interested in propaganda. The article went through two rounds of fact checking.

I replied that I thought he (and Davis) were ignorant of basic safety engineering techniques and suggested

* he [and colleagues at ANS] perform a hazard analysis, followed by

* enumerating the worst-case outcome from each hazard identified, and

* giving some kind of assessment of the chance that that worst-case outcome will be realised

Yurman replied that he was sorry to see that I had “chosen to make emotional insults over engaging in dialog“.

Such reactions are why I prefer to avoid such “dialog”. Yurman had publicly asserted that people worried about the worst-case outcome of an SFP4 structural failure were engaging in “propaganda”. When I suggest he was ignorant of system safety techniques and might like to try a hazard and risk analysis, he takes that as an insult. It is rather a statement of fact, followed by a sensible suggestion. He is right about the emotion, though – I strongly believe that people who comment in public on matters of engineering detail should both possess and use the appropriate engineering knowledge, and I didn’t think either Yurman or Davis were exhibiting it.

The steps above are recommended by ISO/IEC Guide 51: Safety aspects – Guidelines for their inclusion in standards, 1999. Guide 51 says that a hazard analysis should be performed, followed by an assessment of the risk, and a step to introduce measures for risk reduction (mainly avoidance and mitigation of the risk). I regard an assessment of the worst-case outcome of a hazard as part of such a risk assessment, as do most system safety engineers (for example, it is built in to the definition of “risk” in Leveson’s book Safeware, Addison-Wesley 1995) and sociologists concerned with technological risk (see, for example, Lee Clarke’s book Worst Cases, University of Chicago Press, 2005).

So, this approach is standard in system safety engineering and I think Yurman is ignorant of it. He is by no means the only one. Had the operator Tepco performed such an analysis of the tsunami risk before March 2011, rather than, say, peremptorily dismissing the concerns of a tsumani expert at a meeting at the regulator two years before, we would likely not be discussing an accident at all and the prospects for the future of nuclear power would still seem rosy. Indeed, Tepco had no need to perform such an analysis: it had been done for them. Dave Lockbaum of the UCS had pointed out the dangers of station blackout through flooding the basement equipment of BWRs as early as 1992, and this specific danger, of essential equipment being rendered susceptible to flooding, resulting in a station blackout, was also written out explicitly in Charles Perrow’s book The Next Catastrophe, Princeton University Press, 2005. (Perrow was maybe wrong; it wasn’t the next catastrophe, it was the next-but-one, if you count Deepwater Horizon as a catastrophe).

Davis argues in the ANS article that

there’s no basis to assertions of shaky buildings, or a structurally failed 1F-4 plant, or the chance of zircalloy cladding fire, or billowing of the released material to the entire earth

and recommends

Realistic, practical analysis, performed by personnel on site (TEPCO/NISA), nuclear professionals here in the United States with decades of experience in both theory and practice, and official peer-reviewed studies and documents (e.g., NUREG /CR-4982)

Yes, there is nothing like an appeal to authority to sound authoritative. Keep in mind former Prime Minister Naoto Kan’s recent comments, reported by Martin Fackler in the New York Times on May 28, about the difficulties he had getting reliable information and advice from the operator Tepco in the days of emergency just after the accident, and his conclusion that these characteristics are so entrenched in the power companies and their support structure (the “nuclear village” as he called it) that Japan cannot safely run nuclear power operations. Consider also that Tepco manifestly missed the tsunami risk for 46 years. One can well wonder at the wisdom of taking Tepco at its word. As for those US “nuclear professionals” and “official peer-reviewed studies and documents“, how many of those people have actually performed an on-site inspection of the SFP4 structural modifications, followed by an analysis and assessment? As far as I know, only the operator and its contractors know the details of the structural modifications.

Davis thinks there is “no basis to assertions of….shaky buildings“. I would feel more comfortable if the operator’s design and execution of the structural modifications (including the ad-hoc cooling system) had been assessed by a qualified independent third-party and the results made publicly available. That “independent” bit appears, from recent history, particularly hard to achieve. Tepco claims, according to Davis, that the structural mods have been simulated in design-basis earthquake conditions. One wonders as usual about the assumptions made for the simulation, which obviously include how strong earthquakes behave; our current knowledge of such matters is not particularly reliable. There is also some reason to question whether the plant even adequately withstood the Tohoku quake itself, which is claimed to be within “design basis”.

Davis oddly suggests that “there is no basis for assertions of… billowing of the released material to the entire earth“. In fact, most radioactive material released to the atmosphere becomes circumglobal, as would be apparent to anyone who has looked at such distributions.

Enough of the background chatter. Let’s actually do what I suggested system safety engineers do, from the relative safety of our armchairs thousands of miles away. It’s not hard – it’ll fit into a couple of hundred words.

1. What is the hazard we are concerned with at SFP4? There are actually two.

a. Permanent loss of coolant and thus fuel-rod cover at SFP4 because of a leak or cooling-system failure;

b. Collapse of the SFP4 structure.

2. How could this happen? The structure could be compromised or collapse by itself, people having mistakenly assessed its stability. Or a major earthquake could compromise it.

3. What would be the outcome?

Concerning a: The fuel rods would heat up. The fuel itself is contained in a zirconium cladding, which is under internal pressure from gas (some is intentional; some more gas may have been produced as a result of the high temperatures attained during the cooling emergency in the early weeks of the accident). Zirconium begins to corrode at temperatures of around 100°C, which as far as I can tell are quite likely to be obtained if there is no coolant. After a while, the cladding would be compromised and the hot radioactive material in the fuel rods would be exposed to the atmosphere.

Concerning b: Fuel elements, which are some 4m long and not intended to be dropped from a height, could be damaged through impact if parts of SFP4 collapsed (recall SFP4 is many stories in the air) and could well break open, again exposing the radioactive fuel to the atmosphere.

Exposing this fuel directly to the atmosphere would result in radioactive material being released into the air. How much is released is anyone’s guess – it depends on how many rods are compromised. Once that process starts, it is going to be very difficult to get anyone near enough to it to be able to hinder its progression.

Those are the conclusions that Davis and Yurman would come to if they were able and willing to perform basic system safety analyses of the sort we teach to our undergraduates.