The March 11, 2011, Great East Japan Earthquake and tsunami sparked a humanitarian disaster in northeastern Japan and initiated a severe nuclear accident at the Fukushima Daiichi nuclear plant. Three of the six reactors at the plant sustained severe core damage and released hydrogen and radioactive materials. Explosion of the released hydrogen damaged three reactor buildings and impeded onsite emergency response efforts.
At the time of the Fukushima Daiichi accident, the Blue Ribbon Commission on America’s Nuclear Future was completing an assessment of options for managing spent nuclear fuel and high-level radioactive waste in the United States (BRC, 2012). The Commission recommended that the National Academy of Sciences (NAS) conduct an assessment of lessons learned from the Fukushima Daiichi accident. This recommendation was taken up by the U.S. Congress, which subsequently directed the U.S. Nuclear Regulatory Commission to contract with NAS for this study.
The statement of task for this study is shown in Sidebar S.1. Study charges 1, 3, and 4 are addressed in this report; study charge 2 (on spent fuel safety and security) will be addressed in a future report.
A committee of 21 experts was appointed by NAS to carry out this study (see Appendix A). The committee held 39 meetings during the course of this study to gather information and develop this report (see Appendix B for a list of the committee’s information-gathering meetings). One of these meetings was held in Tokyo, Japan, to enable in-depth discussions about the accident with Japanese technical experts from industry, academia, and government. The committee also visited the Fukushima Daini, Fukushima Daiichi, and Onagawa nuclear plants (see Chapter 3) to learn about their designs, operations, and responses to the earthquake and tsunami. Subgroups of the committee visited two nuclear plants in the United States that are similar in design to the Fukushima Daiichi plant to learn about their designs and operations.
Sidebar S.1: Statement of Task
The National Research Council will provide an assessment of lessons learned from the Fukushima nuclear accident for improving the safety and security of nuclear plants in the United States. This assessment will address the following issues:
1. Causes of the Fukushima nuclear accident, particularly with respect to the performance of safety systems and operator response following the earthquake and tsunami.
2. Reevaluation of the conclusions from previous National Academy of Sciences studies on safety and security of spent nuclear fuel and high-level radioactive waste storage, particularly with respect to the safety and security of current storage arrangements and alternative arrangements in which the amount of commercial spent fuel stored in pools is reduced.[a]
3. Lessons that can be learned from the accident to improve commercial nuclear plant safety and security systems and operations.
4. Lessons that can be learned from the accident to improve commercial nuclear plant safety and security regulations, including processes for identifying and applying design-basis events for accidents and terrorist attacks to existing nuclear plants.
The study may examine policy options related to these issues but should not make policy recommendations that involve nontechnical value judgments.
[a] This task will be addressed in a subsequent report. It is not addressed in this report.
S.1 CAUSES OF THE FUKUSHIMA DAIICHI ACCIDENT
(Study Charge 1)
NAS’s examination of the Fukushima Daiichi accident is provided in Chapters 3 and 4 of this report. Chapter 3 describes the March 11, 2011, Great East Japan Earthquake and tsunami and their impacts on Japanese nuclear plants. Chapter 4 describes the accident at the Fukushima Daiichi plant, including the accident time line, key actions taken by plant personnel, and challenges faced in taking those actions. One finding emerged from this examination:
FINDING 4.1[1]: The accident at the Fukushima Daiichi nuclear plant was initiated by the March 11, 2011, Great East Japan Earthquake and tsunami. The earthquake knocked out offsite AC power to the plant and the tsunami inundated portions of the plant site. Flooding of critical plant equipment resulted in the extended loss of onsite AC and DC power with the consequent loss of reactor monitoring, control, and cooling functions in multiple units. Three reactors sustained severe core damage (Units 1, 2, and 3); three reactor buildings were damaged by hydrogen explosions (Units 1, 3, and 4); and offsite releases of radioactive materials contaminated land in Fukushima and several neighboring prefectures. The accident prompted widespread evacuations of local populations and distress of the Japanese citizenry, large economic losses, and the eventual shutdown of all nuclear power plants in Japan.
Personnel at the Fukushima Daiichi plant responded with courage and resilience during the accident in the face of harsh circumstances; their actions likely reduced the severity of the accident and the magnitude of offsite radioactive material releases. Several factors prevented plant personnel from achieving greater success—in particular, averting reactor core damage—and contributed to the overall severity of the accident:
1. Failure of the plant owner (Tokyo Electric Power Company) and the principal regulator (Nuclear and Industrial Safety Agency) to protect critical safety equipment at the plant from flooding in spite of mounting evidence that the plant’s current design basis for tsunamis was inadequate.
2. The loss of nearly all onsite AC and DC power at the plant—with the consequent loss of real-time information for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools and for sensing and actuating critical valves and equipment—greatly narrowed options for responding to the accident.
3. As a result of (1) and (2), the Unit 1, 2 and 3 reactors were effectively isolated from their ultimate heat sink (the Pacific Ocean) for a period of time far in excess of the heat capacity of the suppression pools or the coping time of the plant to station blackout.
4. Multiunit interactions complicated the accident response. Unit operators competed for physical resources and the attention and services of staff in the onsite emergency response center.
5. Operators and onsite emergency response center staff lacked adequate procedures and training for accidents involving extended loss of all onsite AC and DC power, particularly procedures and training for managing water levels and pressures in reactors and their containments and hydrogen generated during reactor core degradation.
6. Failures to transmit information and instructions in an accurate and timely manner hindered responses to the accident. These failures resulted partly from the loss of communications systems and the challenging operating environments throughout the plant.
7. The lack of clarity of roles and responsibilities within the onsite emergency response center and between the onsite and headquarters emergency response centers may have contributed to response delays.
8. Staffing levels at the plant were inadequate for managing the accident because of its scope (affecting several reactor units) and long duration.
[1] The first digit denotes the chapter in which the finding (or recommendation) appears; the second digit denotes the serial order of the finding (or recommendation) in the chapter.
S.2 LESSONS LEARNED FOR THE UNITED STATES
(Study Charges 3 and 4)
1. Seek out and act on new information about hazards.
2. Improve nuclear plant systems, resources, and training to enable effective ad hoc responses to severe accidents.
3. Strengthen capabilities for assessing risks from beyond-design-basis events.
4. Further incorporate modern risk concepts into nuclear safety regulations.
5. Examine offsite emergency response capabilities and make necessary improvements.
6. Improve the nuclear safety culture.
S.2.1 Seek Out and Act on New Information About Hazards
FINDING 3.1: The overarching lesson learned from the Fukushima Daiichi accident is that nuclear plant licensees and their regulators must actively seek out and act on new information about hazards that have the potential to affect the safety of nuclear plants. Specifically,
1. Licensees and their regulators must continually seek out new scientific information about nuclear plant hazards and methodologies for estimating their magnitudes, frequencies, and potential impacts.
2. Nuclear plant risk assessments must incorporate new information and methodologies as they become available.
3. Plant operators and regulators must take timely actions to implement countermeasures when such new information results in substantial changes to risk profiles at nuclear plants.
S.2.2 Improve Nuclear Plant Systems, Resources, and Training
Many national governments and international bodies initiated reviews of nuclear plant safety following the Fukushima Daiichi accident (see Table 1.1 in Chapter 1). Two major initiatives are now under way in the United States—one by the U.S. Nuclear Regulatory Commission and the other by the U.S. nuclear industry—and are resulting in changes to U.S. nuclear plant systems, operations, and regulations.
FINDING 5.1: Nuclear plant operators and regulators in the United States and other countries have identified and are taking useful actions to upgrade nuclear plant systems, operating procedures, and operator training in response to the Fukushima Daiichi accident. In the United States, these actions include the nuclear industry’s FLEX (diverse and flexible coping strategies) initiative as well as regulatory changes proposed by the U.S. Nuclear Regulatory Commission’s Near-Term Task Force. Implementation of these actions is still under way; consequently, it is too soon to evaluate their comprehensiveness, effectiveness, or status in the regulatory framework.
RECOMMENDATION 5.1A: As the nuclear industry and its regulator implement the actions referenced in Finding 5.1, they should give specific attention to improving plant systems in order to enable effective responses to beyond-design-basis events, including, when necessary, developing and implementing ad hoc responses[2] to deal with unanticipated complexities. Attention to availability, reliability, redundancy, and diversity of plant systems and equipment is specifically needed for
• DC power for instrumentation and safety system control;
• Tools for estimating real-time plant status during loss of power;
• Decay-heat removal and reactor depressurization and containment venting systems and protocols;
• Instrumentation for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools;
• Hydrogen monitoring (including monitoring in reactor buildings) and mitigation;
• Instrumentation for both onsite and offsite radiation and security monitoring; and
• Communications and real-time information systems to support communication and coordination between control rooms and technical support centers, between control rooms and the field, and between onsite and offsite support facilities.
The quality and completeness of the changes that result from this recommendation should be adequately peer reviewed.
[2] The term “ad hoc” refers to responses that are not planned and trained on in advance but rather are developed on the spot.
RECOMMENDATION 5.1B: As the nuclear industry and its regulator implement the actions referenced in Finding 5.1, they should give specific attention to improving resource availability and operator training to enable effective responses to beyond-design-basis events, including, when necessary, developing and implementing ad hoc responses to deal with unanticipated complexities. Attention to the following is specifically needed:
1. Staffing levels for emergencies involving multiple reactors at a site, that last for extended durations, and/or that involve stranded-plant conditions.[3]
2. Strengthening and better integrating emergency procedures, extensive damage mitigation guidelines, and severe accident management guidelines, in particular for
• Coping with the complete loss of AC and DC power for extended periods,
• Depressurizing reactor pressure vessels and venting containments when DC power and installed plant air supplies (i.e., compressed air and gas) are unavailable,
• Injecting low-pressure water when plant power is unavailable,
• Transitioning between reactor pressure vessel depressurization and low-pressure water injection while maintaining sufficient water levels to protect the core from damage,
• Preventing and mitigating the effects of large hydrogen explosions on cooling systems and containments, and
• Maintaining cold shutdown in reactors that are undergoing maintenance outages when critical safety systems have been disabled.
3. Training of operators and plant emergency response organizations, in particular,
• Specific training on the use of ad hoc responses for bringing reactors to safe shutdown during extreme beyond-design-basis events, and
• More general training to reinforce understanding of nuclear plant system design and operation and enhance operators’ capabilities for managing emergency situations.
The quality and completeness of the changes that result from this recommendation should be adequately peer reviewed.
[3] That is, when the plant is cut off from outside supply of materials and personnel.
S.2.3 Strengthen Capabilities for Assessing Risks from Beyond-Design-Basis Events
A “design-basis event” is a postulated event that a nuclear plant system, including its structures and components, must be designed and constructed to withstand without a loss of functions necessary to protect public health and safety. An event that is “beyond design basis” has characteristics that could challenge the design of plant structures and components and lead to a loss of critical safety functions. The Great East Japan Earthquake and tsunami were beyond-design-basis events.
FINDING 5.2: Beyond-design-basis events—particularly low-frequency, high-magnitude[4] (i.e., extreme) events—can produce severe accidents at nuclear plants that damage reactor cores and stored spent fuel. Such accidents can result in the generation and combustion of hydrogen within the plant and release of radioactive material to the offsite environment. There is a need to better understand the safety risks[5] that arise from such events and take appropriate countermeasures to reduce them.
RECOMMENDATION 5.2A: The U.S. nuclear industry and the U.S. Nuclear Regulatory Commission should strengthen their capabilities for identifying, evaluating, and managing the risks from beyond-design-basis events. Particular attention is needed to improve the identification of such events; better account for plant system interactions and the performance of plant operators and other critical personnel in responding to such events; and better estimate the broad range of offsite health, environmental, economic, and social consequences that can result from such events.
[4] The term “extreme event” refers to high-magnitude environmental events, such as large earthquakes or floods, that occur very infrequently, for example, on the order of once every few centuries to millennia. The Great East Japan Earthquake and tsunami are examples of extreme events.
[5] Risk is defined and discussed in Appendix I.
RECOMMENDATION 5.2B: The U.S. Nuclear Regulatory Commission should support industry’s efforts to strengthen its capabilities by providing guidance on approaches and by overseeing independent review by technical peers (i.e., peer review).
RECOMMENDATION 5.2C: As the U.S. nuclear industry and the U.S. Nuclear Regulatory Commission carry out the actions in Recommendation 5.2A, they should pay particular attention to the risks from beyond-design-basis events that have the potential to affect large geographic regions and multiple nuclear plants. These include earthquakes, tsunamis and other geographically extensive floods, and geomagnetic disturbances.
S.2.4 Further Incorporate Modern Risk Concepts into Nuclear Safety Regulations
A design-basis accident is a stylized accident—for example, a loss-of-coolant accident or transient overpower accident—that is required (by regulation) to be considered in a reactor system’s design. The Fukushima Daiichi accident was a beyond-design-basis accident. Other major nuclear accidents (Three Mile Island in 1979 and Chernobyl in 1986) are also considered to be beyond-design-basis accidents.
FINDING 5.3: Four decades of analysis and operating experience have demonstrated that nuclear plant core-damage risks are dominated by beyond-design-basis accidents. Such accidents can arise, for example, from multiple human and equipment failures, violations of operational protocols, and extreme external events. Current approaches for regulating nuclear plant safety, which traditionally have been based on deterministic concepts such as the design-basis accident, are clearly inadequate for preventing core-melt accidents and mitigating their consequences. Modern risk assessment principles are beginning to be applied in nuclear reactor licensing and regulation. The more complete application of these principles in licensing and regulation could help to further reduce core-melt risks and their consequences and enhance the overall safety of all nuclear plants, especially currently operating plants.
RECOMMENDATION 5.3: The U.S. Nuclear Regulatory Commission should further incorporate modern risk concepts into its nuclear reactor safety regulations. This effort should utilize the strengthened capabilities for identifying and evaluating risks that are described in Recommendation 5.2A.
The committee uses the term “modern risk concepts” to mean risk that is defined in terms of the risk triplet (What can go wrong? How likely is that to happen? What are the consequences if it does happen?) and subject to the limitations for quantitative analyses discussed in Section 5.2 in Chapter 5. Implementing this recommendation fully would likely require changes to some current U.S. Nuclear Regulatory Commission regulatory procedures, for example, those used for backfit analyses.
S.2.5 Examine Offsite Emergency Response Capabilities and Make Necessary Improvements
Emergency response to the Fukushima Daiichi accident was greatly inhibited by the widespread and severe destruction caused by the March 11, 2011, earthquake and tsunami. Japan is known to be well prepared for natural hazards; however, the earthquake and tsunami caused devastation on a scale beyond what was expected and prepared for. Twenty prefectures on three of Japan’s major islands (Hokkaido, Honshu, and Shikoku) were affected by the earthquake and tsunami.
FINDING 6.1: The Fukushima Daiichi accident revealed vulnerabilities in Japan’s offsite emergency management. The competing demands of the earthquake and tsunami diminished the available response capacity for the accident. Implementation of existing nuclear emergency plans was overwhelmed by the extreme natural events that affected large regions, producing widespread disruption of communications, electrical power, and other critical infrastructure over an extended period of time. Additionally:
• Emergency management plans in Japan at the time of the Fukushima Daiichi accident were inadequate to deal with the magnitude of the accident, requiring emergency responders to improvise.
• Decision-making processes by government and industry officials were challenged by the lack of reliable, real-time information on the status of the plant, offsite releases, accident progression, and projected doses to nearby populations.
• Coordination among the central and local governments was hampered by limited and poor communications.
• Protective actions were improvised and uncoordinated, particularly when evacuating vulnerable populations (e.g., the elderly and sick) and providing potassium iodide.
• Different and revised radiation standards and changes in decontamination criteria and policies added to the public’s confusion and distrust of the Japanese government.
• Cleanup of contaminated areas and possible resettlement of populations are ongoing efforts 3 years after the accident with uncertain completion time lines and outcomes.
• Failure to prepare and implement an effective strategy for communication during the emergency contributed to the erosion of trust among the public for Japan’s government, regulatory agencies, and the nuclear industry.
FINDING 6.2: The committee did not have the time or resources to perform an in-depth examination of U.S. preparedness for severe nuclear accidents. Nevertheless, the accident raises the question of whether a severe nuclear accident such as occurred at the Fukushima Daiichi plant would challenge U.S. emergency response capabilities because of its severity, duration, and association with a regional-scale natural disaster. The natural disaster damaged critical infrastructure and diverted emergency response resources.
RECOMMENDATION 6.2A: The nuclear industry and organizations with emergency management responsibilities in the United States should assess their preparedness for severe nuclear accidents associated with offsite regional-scale disasters. Emergency response plans, including plans for communicating with affected populations, should be revised or supplemented as necessary to ensure that there are scalable and effective strategies, well-trained personnel, and adequate resources for responding to long-duration accident and/or disaster scenarios involving
• Widespread loss of offsite electrical power and severe damage to other critical offsite infrastructure, for example, communications, transportation, and emergency response infrastructure;
• Lack of real-time information about conditions at nuclear plants, particularly with respect to releases of radioactive material from reactors and/or spent fuel pools; and
• Dispersion of radioactive materials beyond the 10-mile emergency planning zones for nuclear plants that could result in doses exceeding one or more of the protective action guidelines.
RECOMMENDATION 6.2B: The nuclear industry and organizations with emergency management responsibilities in the United States should assess the balance of protective actions (e.g., sheltering in place, evacuation, relocation, and distribution of potassium iodide) for offsite populations affected by severe nuclear accidents and revise the guidelines as appropriate. Particular attention should be given to the following issues:
• Protective actions for special populations (children, ill, elderly) and their caregivers;
• Long-term impacts of sheltering in place, evacuation and/or relocation, including social, psychological and economic impacts; and
• Decision making for resettlement of evacuated populations in areas contaminated by radioactive material releases from nuclear plant accidents.
S.2.6 Improve the Nuclear Safety Culture
The term “safety culture” is generally understood to encompass a set of attitudes and practices that emphasize safety over competing goals such as production or costs. There is universal acceptance by the nuclear community that safety culture practices need to be adopted by regulatory bodies and other organizations that set nuclear power policies; by senior management of organizations operating nuclear power plants; and by individuals who work in those plants.
FINDING 7.1: While the Government of Japan acknowledged the need for a strong nuclear safety culture prior to the Fukushima Daiichi accident, TEPCO and its nuclear regulators were deficient in establishing, implementing, and maintaining such a culture. Examinations of the Japanese nuclear regulatory system following the Fukushima Daiichi accident concluded that regulatory agencies were not independent and were subject to regulatory capture.[6]
FINDING 7.2: The establishment, implementation, maintenance, and communication of a nuclear safety culture in the United States are priorities for the U.S. nuclear power industry and the U.S. Nuclear Regulatory Commission. The U.S. nuclear industry, acting through the Institute of Nuclear Power Operations, has voluntarily established nuclear safety culture programs and mechanisms for evaluating their implementation at nuclear plants. The U.S. Nuclear Regulatory Commission has published a policy statement on nuclear safety culture, but that statement does not contain implementation steps or specific requirements for industry adoption.
[6] The term “regulatory capture” refers to the processes by which regulated entities manipulate regulators to put their interests ahead of public interests.
RECOMMENDATION 7.2A: The U.S. Nuclear Regulatory Commission and the U.S. nuclear power industry must maintain and continuously monitor a strong nuclear safety culture in all of their safety-related activities. Additionally, the leadership of the U.S. Nuclear Regulatory Commission must maintain the independence of the regulator. The agency must ensure that outside influences do not compromise its nuclear safety culture and/or hinder its discussions with and disclosures to the public about safety-related matters.
RECOMMENDATION 7.2B: The U.S. nuclear industry and the U.S. Nuclear Regulatory Commission should examine opportunities to increase the transparency of and communication about their efforts to assess and improve their nuclear safety cultures.
All committee members agree with the safety culture findings and recommendations (i.e., Findings 7.1-7.2 and Recommendations 7.2A, B), but members have a range of views about the current status of the nuclear safety culture in the United States. A selection of views is provided in Section 7.4 in Chapter 7.