Nuclear Safety: Probability Theory Is Unsafe

KENICHI OHMAE |  The Japan Times

A year has now passed since the complete core meltdowns of three boiling water reactors at Tokyo Electric Power Co.’s Fukushima No. 1 plant. Because of the limited and biased information issued by the Japanese government, the world does not know what really happened when the earthquake and the tsunami hit the six Fukushima nuclear reactors. There are many important lessons that must be learned to avoid a future disaster. These lessons can be applied to all the nuclear reactors globally. People around the world deserve the right to know what happened.

Nuclear nightmare: The destroyed No. 3 reactor building at Tokyo Electric Power Co.’s Fukushima No.1 nuclear power plant on Feb. 20. The earthquake and tsunami that struck March 11, 2011, crippled Nos. 1, 2 and 3 reactors at the plant, triggering the world’s worst nuclear crisis since the 1986 Chernobyl incident. AP

As a nuclear core designer and someone who earned a Ph.D. from the Massachusetts Institute of Technology in nuclear engineering, I volunteered to look into the situation at Fukushima No. 1 in June of 2011. Mr. Goushi Hosono, minister of nuclear power and environment, personally gave me access to the information and personnel who were directly involved in the containment operations of the postdisaster nuclear plants. After three months of investigation, I analyzed and wrote a long report detailing minute by minute how the nuclear reactors were actually disabled (

Here are the highlights of my findings:

1. Three of the six reactors of Fukushima No. 1 had a complete core meltdown a few days after the tsunami hit. The molten fuel penetrated not only through the bottom of the thick pressure vessel, but also poked holes in the bottom of the containment vessel, thus releasing fission materials into the environment. The meltdown itself started at 11 p.m. on the day of the tsunami, March 11, 2011.

2. As expected, the meltdown caused the fuel cladding material, zircaloy (zirconium alloy), to react with steam and create large quantities of hydrogen and zirconium oxide, which caused the catastrophic hydrogen explosions that blew out three reactor buildings. The hydrogen explosions took place on March 12, 14 and 15. The Japanese government did not admit to the meltdown until three months later, nor did it admit to the damage to the containment vessels until half a year later. Our government tried to hide this important information for some reason, though judging from the amount of fission material released and from the size of the hydrogen explosions, the meltdown of the entire core was undeniable to anyone who has studied reactor engineering.

3. The earthquake on March 11 damaged all five of the independent external power supply systems, and the 15-meter-high tsunami damaged all of the pumps and motors of the main and emergency cooling systems that were constructed along the shoreline, thus disabling the cooling system that pumps in sea water.

4. The tsunami also sent massive amounts of water into the reactor buildings and the turbine housing, thus soaking the emergency diesel engines and batteries, which were stored in the basement of these buildings. This meant that all sources of emergency backup power stored in the basement of the reactors were totally destroyed.

5. There was an air-cooled diesel engine sitting atop a hill close to Reactor No. 6. Its air fins were too big to fit into the basement, so it was luckily placed outside, and as such, this engine started to generate electricity. With a pump brought in from outside, it started to cool not only Reactor No. 6, but had enough power to cool Reactor No. 5 as well. Of the 13 emergency generators serving the six plants, only three were air-cooled, and hence not dependent on water as the heat sink; this was the only one of those three that was not entirely submerged, although at one point the water level did reach half its height. A few weeks later Reactors No. 5 and No. 6 were brought to a cold shutdown.

6. The buildings of reactors No. 1 and No. 3 were blown away by an explosion of hydrogen generated by the core meltdown. Reactor No. 4 eventually exploded too, though its core had no fuel inside: a periodic inspection was under way and the fuel rods were stored elsewhere. It turned out that Reactor No. 4's building filled with hydrogen that leaked from Reactor No. 3 through their common gas release ducts. Reactor No. 2 escaped the massive explosion, although its core had completely melted. Its windows were most likely blown away by the explosions at neighboring reactors No. 1 and No. 3, and the hydrogen inside Reactor No. 2 escaped into the air.

These facts teach us one important lesson: The Fukushima accident could have been avoided if the plant had had the capacity for electricity generation of any form along with the appropriate heat sink.

It is also clear that it was not the “unexpectedly high” tsunami that caused the accident. Reactors No. 5 and No. 6 remained intact, even though they were damaged to the same extent as the other four reactors by the earthquakes and tsunami. The difference was that they had a source of electricity through the air-cooled emergency diesel engine, which had been installed ad hoc by the management because they wanted to save money when the government demanded that backup be increased from two to three emergency generator sets.

The most important lesson of Fukushima No. 1 plant, therefore, is that we should have multiple sources of electrical supply and cooling heat sinks. This is not to say that “you should not put all of your eggs in one basket.” What I want to say is that we should have eggs and apples in a few different baskets.

The Japanese government has tried to explain and offer excuses for the disaster in Fukushima, but no one in the government has accurately analyzed the situation. They continue to claim that the magnitude of the earthquake and tsunami was a natural disaster far beyond anything anyone could have imagined or planned for. But is this true? Was it a catastrophe that could not have been avoided?

My analysis takes a totally different point of view. It shows in documented detail ( that if you want to operate a nuclear reactor, then you should not assume anything about potential disasters — be they earthquakes, tsunamis, terrorists or a plane crash. No matter what happens, if you are operating a nuclear reactor, you must find a way to bring it down to a cold shutdown in any type of emergency. We now know from the Fukushima disaster that this will require electricity and heat sinks. It is a pretty simple principle.

But there is also another important lesson to be learned, and it applies to all operating nuclear facilities around the world: If you have to assume something, then you are not prepared.

All nuclear reactors in the world have been designed using probability assumptions. This idea was originally proposed by professor Norman Rasmussen of MIT. Put to use, it is a scientific way of expressing what the public will accept.

For example, what is the probability of a plane crashing into Yankee Stadium with a full audience during the World Series? This can be calculated if one assumes that there is a level of probability for each element leading to the eventual accident. And because that probability is infinitesimally small, the public tacitly accepts it. This principle was followed at Fukushima. Assumptions were made about possible causes of nuclear plant accidents. Engineering precautions were taken accordingly so that everyone could rest assured knowing “the reactor is safe.”

In Japan, the Nuclear Safety Commission made this fatal mistake by relying casually on this probability theory. They assumed that the probability of a long-term stoppage of the external electric supply “in a country like Japan” was very unlikely, so they did not have to assume and plan for a prolonged power breakdown. With this assumption in mind, they insisted on having three emergency generator sets per reactor. They gave no further thought to the possibility of a situation that could include the breakdown of all external electrical connections.

Fukushima No. 1 had five different paths for the grid to come in, but all of them were destroyed by the powerful earthquakes 45 minutes prior to the tsunami. It would have taken only one active electrical connection to stabilize the reactors after the tsunami hit.
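The arithmetic behind the argument above, as an added example that is not part of the article: under the textbook independence assumption, a station blackout needs every grid path and every diesel set to fail on its own, so the probabilities multiply down to nothing; model the quake-plus-flood as one shared hazard that takes out all grid paths and every basement, water-cooled set at once, and the number is dominated by that single event. The per-demand failure probabilities and the flood probability are constructed demonstration values, not figures from the investigation; only the counts (five grid paths, 13 diesel sets, three air-cooled) come from the article.

```python
# Constructed per-demand failure probabilities for illustration only;
# none of these numbers come from the article or from the Fukushima record.
P_GRID_PATH = 1e-2   # one external grid connection unavailable when needed
P_DIESEL = 1e-2      # one emergency diesel set fails to start or run on demand
P_FLOOD = 1e-4       # initiating event: quake plus flooding above basement level


def independent_blackout(n_grid, n_diesel):
    """Cut-set arithmetic under the independence assumption: station
    blackout requires every grid path and every diesel set to fail
    separately, so the individual probabilities simply multiply."""
    return (P_GRID_PATH ** n_grid) * (P_DIESEL ** n_diesel)


def common_cause_blackout(n_grid, n_basement_diesel, n_elevated_air_cooled,
                          p_flood=P_FLOOD):
    """Same plant, but one shared hazard is modelled explicitly: when the
    quake/flood event occurs it severs all grid paths and drowns every
    water-cooled set in the basement together.  Only units that differ
    in both location and heat sink keep an independent chance to survive."""
    n_total = n_basement_diesel + n_elevated_air_cooled
    # No initiating event: the plant behaves as the independent model says.
    p_without_event = (1 - p_flood) * independent_blackout(n_grid, n_total)
    # Event occurs: grid and basement sets are lost with certainty, so blackout
    # needs only the elevated air-cooled sets to fail on their own.
    p_with_event = p_flood * (P_DIESEL ** n_elevated_air_cooled)
    return p_without_event + p_with_event


def underestimation_factor(n_grid, n_basement_diesel, n_elevated_air_cooled):
    """How many times too optimistic the independence model is for a layout."""
    n_total = n_basement_diesel + n_elevated_air_cooled
    return (common_cause_blackout(n_grid, n_basement_diesel, n_elevated_air_cooled)
            / independent_blackout(n_grid, n_total))


if __name__ == "__main__":
    # Five grid paths and 13 diesel sets, as the article describes; the
    # scenarios vary how many sets are diverse in both siting and heat sink.
    for label, elevated in (("all 13 in basement", 0),
                            ("1 elevated air-cooled", 1),
                            ("3 elevated air-cooled", 3)):
        p_cc = common_cause_blackout(5, 13 - elevated, elevated)
        print(f"{label:24s} independent={independent_blackout(5, 13):.1e} "
              f"common-cause={p_cc:.1e}")
```

The independence model reports roughly 1e-36 for every layout, while the common-cause model reports about 1e-4 with all sets in the basement and drops only when sets are placed where the shared hazard cannot reach them, which is the "eggs and apples in different baskets" point in numbers.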

The government did its best and brought in mobile generators from outside. There were two problems with this tactic. First, all three of the electric panels in the reactors that needed to receive outside power were submerged in water. To make matters worse, the mobile generators couldn't plug in. The final straw was that the GE-built plants needed a 660-volt supply to run, but the mobile generators brought in by the government were the kind usually used on construction sites and were limited to 220 volts, the standard voltage in Japan. The mobile generators were useless in this situation.

Had the Commission made assumptions about the possible loss of the external electrical supply and ordered the plant to be equipped on site with other external power generation, be that solar, wind, gas turbine or even small LNG power stations to back up the six gigantic reactors, this disaster could have been averted.

It is very important to note that the one small gas turbine generator that was on site worked, but unfortunately, the one generator that worked was only connected to the control room for administration, and this power could not be shared with the reactors.

There has been a lot of useless discussion about the tsunami's power and size. Historically, people have assumed that the maximum height of observed tsunamis along the eastern shore of Japan is no more than 10 meters. Until this disaster occurred, the probability of a 15-meter tsunami hitting the Japanese coast was considered so low that one did not have to plan for such an unlikely event. Yet it was known in some circles that a major tsunami could in fact hit the Tohoku coast. History shows that extreme tsunamis hit Tohoku at least once every 10,000 years. What we learned in Fukushima is that even if an event is predicted to happen infrequently, it will happen! To then talk about the probability is moot. The probability is now 100 percent and we have to face the challenge at hand and find a way to safeguard the reactors.

As a nuclear core engineer I can tell you that reactors are built to withstand the expected hardships. In light of what happened in Fukushima No. 1, the assumptions were completely wrong. In order to make nuclear energy work we must build reactors that can reach cold shutdown with 100 percent certainty, no matter what happens.

Assumptions and probability are for the theoretical dreamers. If you have a hot reactor, submerged in water, without the power to circulate the coolant that can shut it down, then you have to find another way to cool it no matter what. If you have lost your last resort of power and heat sink, you should not have taken on the responsibility of operating a nuclear plant in the first place. That is the lesson of Fukushima.

In this world nothing is absolutely safe. The public approval for nuclear reactor construction is normally very hard to get. To this end the reactor engineers have constructed what is now called the containment vessel. They explained that should something “unimaginable” happen and fission materials leak from the nuclear core, the containment vessel will confine them and nothing will escape into the external environment. People living near the reactor were told to rest assured that they would never be exposed to radiation.

Many people compare this disaster to Chernobyl. The Russian reactor was very different. The Russians did not build a containment vessel to cover their reactor; they did not see a need for that precaution. Because Chernobyl had no containment vessel, when that nuclear accident occurred the result was a massive release of radioactive materials that were carried away in whichever direction the wind was blowing.

In the case of Three Mile Island, it did have the needed containment vessel and practically all of the fission materials were held inside the dome. Many long-held myths have been broken as a result of the Fukushima No. 1 meltdown.

As the molten fuel made its way through the pressure vessel and the molten “lava” melted the bottom of the containment vessel, it released huge amounts of fission gasses and particles to the air and water.

The assumed role of the containment vessel proved to be faulty against this type of melt-through. If you go back to the original public discussions for the construction of these early nuclear plants, you will find that none of the safety devices cited there, such as the emergency core cooling system (ECCS), boric acid spray, etc., worked in Fukushima in 2011. What we found, regrettably, is that even the most critical emergency devices depend on the availability of power, whether alternating or direct current.

In the case of Fukushima, all power was lost for a prolonged period of time and the complete core meltdown could not be stopped.

My recommendation is very simple. We should not assume anything in the design of a nuclear reactor. We should be prepared to cool down the reactor and bring it to cold shutdown with at least one reliable power supply and heat sink. This means that emergency power should be provided by multiple means at multiple locations, and the heat sink should not depend on the prevailing water supply alone, but also on air and alternative water reservoirs.

If this is established, then the reactor can be safe not only against natural disasters but also against man-made catastrophes such as sabotage, plane crashes and terrorist attacks.

The Japanese government’s official explanation of the Fukushima disaster focuses only on the inability of anyone to predict an extreme natural disaster. Because of this focus, the rest of the world is not taking notice of the important lessons we need to understand to make the world a safer place. Many countries rely on nuclear energy, and yet these same countries assume that because they do not have to worry about earthquakes and tsunamis, what happened in Japan on March 11, 2011 does not apply to them. This could become a fatal mistake.

All reactors should be scrutinized against the possible loss of power and coolants, regardless of the cause of the disaster. Nuclear reactors are all built around the same probability assumptions. This pattern of thinking developed in the 1970s to gain the otherwise hard-to-come-by public acceptance of nuclear generated energy. Nuclear engineers, utilities and pronuclear governments around the world needed to persuade their public of the safety of nuclear energy.

With the hindsight of Fukushima, all of us who are engineers must challenge ourselves to once again think through the worst possible situation, such as a complete loss of power and coolant for a prolonged time, and we must work together to remedy the situation.

We must show how we can avoid core meltdowns under any circumstance. The challenge is no longer just the gaining of public acceptance but to realize that we are being tested by nature, and that God will keep testing us, checking to see if we are ready to ask the right questions.

Kenichi Ohmae — an MIT-trained nuclear engineer who is also a well-known management consultant — is dean of Business Breakthrough University. He was a founder of McKinsey & Co.’s strategic consulting practice and is the author of many books including “The Borderless World.”
