© 2013 by the Seismological Society of America
On 11 March 2011 the Great Tohoku earthquake (Mw 9.1, Global Centroid Moment Tensor) struck northern Japan’s Pacific coast. The estimated number of deaths (including missing) was more than 18,000, and the estimated economic losses were on the order of at least 2×10^13 Yen (about US$ 2.5×10^11). The tsunami caused a Level 7 nuclear disaster at the Fukushima Dai‐ichi Nuclear Power Station (NPS) which required the evacuation of a large region due to radioactive contamination, and necessitated ongoing efforts to stabilize the situation with the long‐term goal of decommissioning the destroyed reactors. For a significant period after the accident all nuclear power plants in Japan were shut down; at this moment, two reactors at the Ohi NPS in Fukui Prefecture have been restarted.
The Fukushima calamity prompted extensive reexamination and soul searching by the Japanese government, stakeholders, and a variety of public and nongovernmental entities. Scores of reports have been written by individuals, regulators, and organizations worldwide. Now that almost two years have passed, it is time to sum up the lessons learned and to start moving forward—to move from discussions of what went wrong to discussions about what we must do right. In this article, a seismologist (R. J. G.), a probabilistic risk practitioner (W. E.), and a nuclear safety expert (J. N.) pool their respective knowledge to provide a unified view of where we are and where we should go. Some of the lessons to be learned apply particularly to Japan, but in many cases the lessons apply everywhere.
THE MYTH OF SAFETY
In the mid‐1960s Japan, an earthquake‐prone island nation without significant petroleum deposits, was faced with the question of how to secure reliable electric power supplies. The government, with the cooperation of major industry groups, opted to commit heavily to nuclear power. In the face of considerable public anxiety, the government could have conducted in‐depth, public, and transparent assessments of the safety issues and obtained a public consensus that the risks of nuclear power were acceptable in view of other risks (such as the inability to import petroleum due to political instability or wars in oil‐producing regions). However, the government instead made the fateful choice to tell the public that nuclear power was 100% safe, thereby creating what is called the anzen shinwa (myth of safety) in Japan.
In our opinion, the existence of the “safety myth,” which made it politically, academically, and socially impossible to conduct public and open discussions of possible nuclear accident scenarios and countermeasures that could be taken to prevent or mitigate them, must be regarded as the root cause of the Fukushima disaster.
Attempts to explain the Fukushima disaster primarily in terms of cultural or systemic predilections of Japan as compared to Europe or the United States cannot explain how Japan could also have the success story of the shinkansen (bullet train) operations. In contrast to Japan’s nuclear industry, the railway companies have never denied the possibility of a serious accident such as a derailment, but are continually reexamining and strengthening their safety measures, while keeping the public informed of their efforts. In fact, there have never been any serious accidents involving passengers in the 40‐odd years of bullet train operations, and public confidence is high. (This is partly due to luck, as the 1995 Kobe earthquake hit at 5:46 a.m., before the start of daily operations at 6:00 a.m.)
RISK ASSESSMENT AND ITS LIMITATIONS
The three fundamental questions of risk analysis are: (1) “What can go wrong?” (2) “How likely is it?” and (3) “What would be the consequences?” These provide a basis to answer the fundamental question of risk management, “What can we do to further reduce the risk?” A risk assessment considers the likelihood of unwanted events occurring and the potential risk if they do occur. Organizations (regulatory agencies, governments, insurance companies, etc.) use the results of a risk assessment to decide where they will place their marker on the graph in Figure 1. In effect, they are saying “Here is where the number of deaths is tolerable, since the likelihood of the event occurring is sufficiently small that we’ll bet it won’t happen.” For obvious reasons they may not explain their choice to the public in such blunt terms. But by the act of picking a point—one coordinate on the likelihood axis and one coordinate on the consequence axis—a decision maker is making an operational, normative statement of what risks are acceptable.
If the details are incorrect, the results of a risk analysis will be meaningless. Disasters can occur not only due to unknown risks, but also because of risks that were known by working‐level scientists or engineers but were not properly considered by the responsible decision makers. For example, the explosion of the space shuttle Challenger occurred due to the failure of rubber gaskets (O‐rings) at low ambient temperatures. As documented by Feynman (1988), the risk was well known to NASA’s engineers but was ignored by NASA’s top officials. In the case of Fukushima, one obvious question that should have been addressed, but regrettably was not, was what could be done in the event of a station blackout (complete loss of all external and internal electrical power sources and heat sinks) due to an earthquake or tsunami. In fact, some scientists, such as Katsuhiko Ishibashi of Kobe University, attempted to raise this issue but were brushed off by the regulators and utility companies, with disastrous consequences. Furthermore, the risk of a mega‐tsunami, similar to the one that hit the Sendai plain in 869 (in Japan’s “Jogan” era), was brought up at a hearing in 2009, but this too was brushed off by the regulator and plant operator (Nöggerath et al., 2011).
Many risk analysts place excessive trust in their models without strong scientific confirmation of the models’ verisimilitude. For example, extensive efforts have been put into making earthquake hazard maps, but many recent damaging earthquakes have occurred in areas of low expected hazard (Stein et al., 2012). The failure of these hazard maps is probably due to flaws in the models (e.g., the “characteristic earthquake” hypothesis) being used to make them (Kagan et al., 2012). In view of the recent failures of hazard maps, earth scientists should refrain from making overly specific statements about the maximum size of earthquakes or tsunamis that can be expected at particular sites and also should be cautious in making definitive statements about the probabilities of earthquakes in, say, the next 30 years at specific sites. One factor that contributed to the disaster at Fukushima was excessive reliance by the plant operator and the regulators on the Japanese national hazard map, which stated that the risk of a large earthquake in the Tokai region was much greater than that at Fukushima (Geller, 2011).
DEFENSE IN DEPTH
The principle of an effective defense in depth, which requires independent safety provisions on different levels, was developed in an early phase of nuclear energy to protect plants against unexpected events and rare accidents. Characteristics of safety systems, like redundancy (single‐failure safe), diversity (multiple‐failure safe), multiple barriers, spatial distribution, fail‐safe conditions, and inherent safety, have been designed to assure their very high reliability. These safety features are the basis for withstanding a broad spectrum of internal and external event initiators and for fulfilling the principal safety functions of “shut down,” “cooling,” “containing radioactivity,” and “limiting radioactive release,” even in the event of an accident with core damage.
Unfortunately, the debilitating influence of the “safety myth” prevented the responsible officials of the plant operator and regulator from fully realizing the obvious and high risk of a mega‐tsunami on Tohoku’s Pacific coast. Tragically, reactors #1 through #3 at the Fukushima Dai‐ichi plant had extremely weak basic nuclear safety design with undiversified ultimate heat sinks, comparatively low redundancy, and nearly unprotected emergency diesel generators with insufficient spatial configuration. These poor safety provisions, in combination with the extremely large tsunami, led to severe core damage.
The safety myth also blocked the development of effective emergency provisions to mitigate the radiological consequences of the accident. The lack of recombinators in the reactor building and an ineffective, unfiltered primary containment venting system gave rise to the accumulation of large amounts of hydrogen and its detonation, with widespread release of atmospherically borne radioactive material into the environment. Furthermore, deficiencies in Severe Accident Management (SAM) prevented the containment and mitigation of the accident.
Japanese public discourse has extensively considered the question of whether nuclear power should be continued or abandoned in the distant future, but in the near future there seems to be little or no alternative to restarting at least some of Japan’s NPSs, many of which have already been in operation for 20 or 30 years. We now consider how this should be handled. Stein and Geller (2012) pointed out that in discussing natural hazards it is important to tell the public not only what we know, but also what we do not know, and how uncertain our knowledge is; this applies equally here.
A restoration of public confidence is an absolute prerequisite for further operation of NPSs in Japan. To achieve this, major upgrades of safety at Japanese NPSs should be made over the next several years. These should include (1) flooding‐protected diverted (mobile) diesel generators to guard against extended station blackouts; (2) mobile cooling units to guard against extended loss of the ultimate heat sink; (3) redundant and diversified safety systems to guard against multiple failures; (4) technical provisions to achieve a rapid pressure relief of the reactor; (5) reliable hydrogen elimination systems to guard against hydrogen explosions; and (6) stand‐alone filtered primary containment venting systems with sufficient passive feed and bleed capability to prevent severe radioactive releases. It is also essential to develop a well‐trained and comprehensive emergency preparedness organization with procedures in place for SAM to prevent or mitigate very rare and unknown events.
Even now, after the Fukushima accident, expert panels of scientists and engineers are being asked by the Japanese government to attest that restarting nuclear reactors is “safe.” But after Three Mile Island, Chernobyl, and Fukushima everyone knows that nuclear power has some risks. It’s time to change the terms of the debate from the oversimplified “safe/unsafe” dichotomy to an honest and open discussion of what the risks are and what is being done to mitigate them. In this context the risks of nuclear power have to be considered in a balanced comparison with other risks. And at the end of the discussion, the public and the leaders they have elected, rather than technical experts, should make the final call.