The focus of this chapter is on the March 11, 2011, accident at the Fukushima Daiichi nuclear plant: the accident time line key events during the accident, actions taken to bring the plant’s reactors to cold shutdown, and challenges faced in taking those actions. This chapter has two objectives:
1. To address the first charge of the statement of task for this study (see Sidebar 1.1 in Chapter 1) on the “Causes of the Fukushima nuclear accident, particularly with respect to the performance of safety systems and operator response following the earthquake and tsunami.”
2. To provide information and analysis to support the committee-identified lessons learned in Chapter 5.
It is not the committee’s intention to place blame for the accident or to find fault with how personnel at the Fukushima Daiichi plant responded to the earthquake and tsunami. With the benefit of hindsight, it is easy to second-guess the decisions and actions taken during the accident. In reviewing the accident response, the committee came to appreciate the overwhelming challenges that plant personnel faced in responding to the accident. Some of those challenges are described in the next section of this chapter. Indeed, the conditions at the Fukushima Daiichi plant following the earthquake and tsunami would have challenged any nuclear plant operator.
Many accounts of the Fukushima Daiichi nuclear accident have already been published. These accounts provided the factual information used in this chapter and informed committee judgments about accident causes and
lessons learned. The following reports, papers, and presentations were particularly useful for these purposes:
• Post-accident investigation reports by Japanese and U.S. organizations, especially INPO (2011, 2012), Investigation Committee1 (2011, 2012), NAIIC2 (2012), TEPCO (2011a,b, 2012b, 2013), ANS (2012), and EPRI (2012a). The Investigation Committee (2011, 2012) and TEPCO (2011a,b, 2012b) reports provide detailed documentation of the decisions and actions taken during the accident as well as key thought processes behind those actions.
• Technical papers on the accident, most notably Gauntt et al. (2012a,b), Levy (2012), Phillips et al. (2012), and EPRI (2013).
• Slides from technical presentations by Japanese researchers at International Atomic Energy Agency conferences in 20123 and 2014,4 technical workshops in Japan, and other international meetings (e.g., 11th International Probabilistic Safety Assessment and Management Conference and The Annual European Safety and Reliability Conference, Helsinki, Finland, June 25-29, 2012).
• Discussions with Japanese technical experts at the committee’s November 2012 meeting in Tokyo, Japan.
• Site visits to the Fukushima Daiichi, Fukushima Daini, and Onagawa nuclear plants in November 2012.
• Discussions with U.S. technical experts at the committee’s meetings in the United States.
1 The Investigation Committee on the Accident at Fukushima Nuclear Power Stations of Tokyo Electric Power Company was established by the Japanese Government by Cabinet Decision on May 24, 2011. The committee was chaired by Dr. Yotaro Hatamura, professor emeritus of the University of Tokyo and professor at Kogakuin University. The committee published an interim report in 2011 and a final report in 2012.
2 The Fukushima Nuclear Accident Independent Investigation Commission (NAIIC) was established by the National Diet of Japan on October 30, 2011. The commission was chaired by Dr. Kiyoshi Kurokawa, academic fellow, National Graduate Institute for Policy Studies. The commission published its report in 2012.
3 International Experts’ Meeting on Reactor and Spent Fuel Safety in the Light of the Accident at the Fukushima Daiichi Nuclear Power Plant, March 19-22, 2012. IAEA, Vienna, Austria. Information available at http://www-pub.iaea.org/iaeameetings/43900/International-Experts-Meeting-on-Reactor-and-Spent-Fuel-Safety-in-the-Light-of-the-Accident-at-the-Fukushima-Daiichi-Nuclear-Power-Plant.
4 International Experts’ Meeting on Severe Accident Management in the Light of the Accident at the Fukushima Daiichi Nuclear Plant. March 17-20, 2014. IAEA, Vienna, Austria. Information available at http://www-pub.iaea.org/iaeameetings/46832/International-Experts-Meeting-on-Severe-Accident-Management-in-the-Light-of-the-Accident-at-the-Fukushima-Daiichi-Nuclear-Power-Plant.
Appendix B identifies the technical experts who participated at committee meetings in Japan and the United States.
It is important to acknowledge that there are information gaps and uncertainties about some details of the accident progression. The accident time line presented in this chapter represents the committee’s best collective technical judgments informed by the information sources cited above.
This chapter is organized into five sections. The first section provides a time line for the accident. Additional details on the time line are provided in Appendix C. The second section describes some of the challenges in responding to the accident. The third section describes key accident events and responses by plant personnel. The fourth section provides a discussion of six issues that stand out from the committee’s analysis of the accident. The fifth and final section provides a committee finding on the causes of the Fukushima Daiichi nuclear accident to address the first charge of the study task.
Table 4.1 provides a committee-constructed summary time line for the accident in Units 1, 2, and 3 at the Fukushima Daiichi nuclear plant. A more detailed description of this time line is provided in Appendix C. A simplified time line of key events is depicted graphically in Figure 4.1.
TABLE 4.1 Time Line of Key Events in Units 1-3 at the Fukushima Daiichi Nuclear Plant
|Event/Condition||Unit 1||Unit 2||Unit 3|
|Prior to earthquake
Earthquake (3/11/11 @ 14:46)
|Operating at rated power level T = 0 Reactor scram MSIVs close Loss of offsite AC power EDGs start|
|Tsunami warnings (Fukushima Prefecture) and estimated wave heights||14:49 (+3 min): 3 m 15:15 (+29 min): 6 m 15:30 (+44 min): >10 m|
|Tsunami arrival times (1st/2nd waves)||+41 min/+50 to +51 min (15:27/15:36-15:37)|
|Event/Condition||Unit 1||Unit 2||Unit 3|
|Loss of onsite AC power (EDGs) and DC power (batteries)||AC lost at +51 min (15:37) DC lost at +60 min (15:46)||AC lost at +55 min (15:41) DC lost at +60 min (15:46)||AC lost at ~+51 min (15:37) DC available until ~+36 h|
|IC performance||Failed on loss of AC and DC power||NA||NA|
|RCIC performance||NA||Real-time status uncertain; evidence of ~70 h of running time||~20 h of running time; failed w/o restart at +20 h|
|HPCI performance||Unavailable due to loss of DC power||Unavailable due to loss of DC power||~16 h of running time beginning at +20 h|
|RPV depressurization||Depressurized due to assumed RPV failure at +12 h||Depressurized at +75.2 h and +78.3 h||Depressurization occurred at ~+42 h|
|Time of max containment pressure (Max containment pressure/design pressure)||+11.7 h (0.84 MPa/0.43 MPa)||~+80 h (~0.75 MPa/0.38 MPa)||~+42 h (0.64 MPa/0.38 MPa)|
|Estimated time of core damage||+4 h to +7 h||+75 h to +85 h||+36 h to +40 h|
|First indication of offsite release of radioactive materials||+8.2 to +14.1 h|
|Containment venting preparation/success||+9.7 h/~+24 h||+26.7 h/not successful||+29.5 h/+42 h|
|Hydrogen explosion||+24.8 h||None||+68.2 h|
|Initial injection of freshwater/seawater||+15.0/+28.8 h||None/+77.2 h||+42.6/+46.4 h|
|Restoration of offsite AC power||March 20||March 20||March 22|
NOTES: EDGs = emergency diesel generators, HPCI = high-pressure coolant injection system, IC = isolation condenser, MSIV = main steam isolation valve, RCIC = reactor core isolation cooling system, RPV = reactor pressure vessel.
FIGURE 4.1 Graphical depictions of accident time lines for Units 1-4 at the Fukushima Daiichi plant. The key events shown in the time lines are described in the text.
The committee’s time line was developed from previously published accident accounts, primarily INPO (2011), Investigation Committee (2011, 2012), TEPCO (2011a,b, 2012b, 2013), and ANS (2012). The committee gathered additional information through discussions with Japanese and U.S. technical experts to better understand some details of the time line.
The zero point of the time line is the afternoon of March 11, 2011, just before the Great East Japan Earthquake struck Japan. Chapter 3 of this
report describes the status of the six reactor units at the Fukushima Daiichi nuclear plant at this time:
• Units 1, 2, and 3 were operating at licensed power level.
• Unit 4 was in an outage for replacement of the reactor core shroud. Fuel from the Unit 4 reactor had been relocated to the spent fuel pool in the reactor building.
• Units 5 and 6 were in inspection outages. Fuel remained in their cores and the reactors were being actively cooled. The Unit 5 containment was open and the primary system was undergoing pressure testing; because the reactor was at elevated pressure, it was not strictly in cold shutdown.
The earthquake initiated the following chain of events at the plant (Table 4.1):
• The reactors in Units 1-3 shut down automatically (scrammed) as designed when high seismic accelerations (i.e., ground shaking) were detected in the units.
• Offsite AC power to the site was lost because of the collapse of one transmission tower and severe damage to equipment in a substation as a result of ground shaking.
• Following offsite AC power loss, the main steam isolation valves (MSIVs) in Units 1-3 closed automatically to isolate the reactors, limiting the potential loss of coolant, release of radioactivity, and the rate of reactor vessel cooldown.
• Within about a minute of offsite AC power loss, the onsite emergency diesel generators automatically started and were connected to the power distribution system as designed to supply onsite emergency AC power to reactor safety systems.
Normal reactor cooldown and decay-heat removal functions were in place and operating at the plant when the tsunami wave arrived starting about 41 minutes after the earthquake (Table 4.1). The tsunami flooded portions of the plant site (see Chapter 3), damaging pumps, electrical distribution panels, batteries,5 and emergency diesel generators. Units 1, 2, 3, 4, and 5 lost AC power within 5 minutes after the tsunami and Units 1, 2 and 4 lost DC power shortly thereafter. Unit 3 lost AC power but did not lose DC power immediately after the tsunami because its power distribution panels and backup battery were not damaged by flooding. Once power was
5 As noted in Chapter 2, nuclear plants have large backup batteries (or banks of batteries) to supply DC power to operate and monitor critical monitoring equipment and safety systems.
lost, the units’ control rooms lost lighting, indicators, instrument readouts, and controls.
Although there were intermittent signs of power on some indicators in Units 1 and 2, reliable DC power was only available by connecting arrays of scavenged vehicle batteries to selected systems and instrumentation in the control rooms. Vehicle batteries also had to be employed in Unit 3 to operate critical systems after the installed backup battery was depleted (see Section 4.3.2 for details).
An emergency diesel generator at Unit 6 survived the tsunami because it was air-cooled and was located above flood level. It continued to supply emergency AC power to Unit 6 and was used to supply power to Unit 5 through a crosstie that had been installed during the evening and early morning following the earthquake (see Section 4.3.4 of this chapter for additional details). The crosstie was prepositioned prior to March 11, but installation was not started until after the tsunami and was not completed until 05:00 on March 12.
Three tsunami warnings were issued by the Japan Meteorological Agency following the earthquake6:
• Warning 1, indicating a major tsunami with 3-m wave amplitude for Fukushima Prefecture, was issued at +3 min (14:49). This warning was based on an initial analysis of earthquake strong-motion data.
• Warning 2, indicating a major tsunami with 6-m wave amplitude for the Fukushima Prefecture, was issued at +29 minutes (15:15). This warning was based on observed tsunami amplitudes at tsunami meters and tide gauges.
• Warning 3, indicating a major tsunami with 10-m or greater wave amplitude for the Fukushima Prefecture, was issued at +44 min (15:30), again based on observed tsunami amplitudes at tsunami meters and tide gauges.
According to the Investigation Committee (2011), the site superintendent at the Fukushima Daiichi plant (Mr. Masao Yoshida) learned about the first two tsunami warnings from TV news reports. As a result of these warnings, field personnel at the plant were evacuated to the onsite Emergency Response Center (onsite ERC; see Appendix D) or to higher ground. The third tsunami warning came after the first tsunami wave had already arrived at the Fukushima Daiichi plant (see Table 4.1). The tsunami warn-
6 Information on tsunami warning is from a presentation by Osamu Kamigaichi, Japan Meteorological Agency, at the February 2012 meeting of the Intergovernmental Oceanographic Commission. This presentation is available at http://ioc-tsunami.org/index.php?option=com_oe&task=viewDocumentRecord&docID=8619.
ings affected the site superintendent’s thinking about accident management because he was concerned that the tsunami might damage seawater pumps.
Just before the earthquake occurred, there were about 6,400 personnel, including 750 employees of the plant owner-operator (TEPCO), onsite (TEPCO, 2012b, p. 163). Many TEPCO and contractor workers left the plant on their own on March 11. Those who could not leave were evacuated to the seismic isolated building. TEPCO (2012b, p. 166) estimates that an additional 300-400 people were evacuated in buses from March 12 to 14, and some additional unknown number of people self-evacuated during that time. By March 15, there were about 700 people left onsite (TEPCO, 2012b, p. 102). These included people who had no direct role in the emergency response.
Appendix D describes the organization of personnel at the plant at the time of the accident. Ninety-seven personnel were working in the main control rooms at the time of the earthquake. These personnel performed initial actions following the earthquake and tsunami. Additional personnel arrived to support control room staff in the following hours and days.
Staffing reinforcements were dispatched to Fukushima Daiichi by TEPCO following the earthquake and tsunami to support restoration work. They started arriving on March 11 and arrivals continued over the next several days, averaging approximately 400 additional personnel onsite each day. These included “primarily [the] recovery team responsible for restoring power and monitoring instruments, fire brigade units that used fire engines to inject cooling water into reactors, a health physics team that controlled radiation levels within the Fukushima Daiichi NPS [Nuclear Power Station] and its surroundings, and procurement team that provided material support” (TEPCO, 2012b, p. 303). In addition, in accordance with prior agreements, personnel from other utilities arrived to provide support starting on March 13.
Early on March 15, 650 personnel temporarily evacuated to Fukushima Daini following a hydrogen explosion in Unit 4, leaving approximately 70 workers required for station monitoring and restoration activities (TEPCO, 2012b, p. 166). Some of the personnel that had evacuated to the Fukushima Daini plant returned by noon on March 15. These included operators responsible for monitoring data from the main control rooms, the health physics team responsible for performing radiation-level measurements in the field and for access control to the seismic isolated building, and the security guidance team responsible for controlling station access (TEPCO, 2012b, p. 166).
The earthquake and tsunami resulted in three fatalities at TEPCO’s plants: two fatalities occurred at Fukushima Daiichi and one at Fukushima Daini.
The Fukushima Daiichi accident occurred in the midst of a regional disaster involving the largest loss of life and civil disruption in Japan since World War II. The accident is historically unique in this regard. The earthquake and tsunami overwhelmed offsite emergency response efforts (see Chapter 6) and added greatly to the challenges of responding to the accident at the plant.
Japanese investigations of the accident (Investigation Committee, 2011, 2012; NAIIC, 2012) concluded that the Fukushima Daiichi nuclear plant’s owner-operator (TEPCO) was not adequately prepared for an earthquake and tsunami of this magnitude. The plant lacked survivable onsite power supply, water pumping, and communications equipment. Moreover, its accident-management emergency operating procedures did not address accident scenarios involving the complete loss of onsite power, instrumentation, and reactor controls; and reactor operators had not been trained to respond to such scenarios. Indeed, the Fukushima Daiichi nuclear accident was “off the map” in terms of preparation, planning, and training for severe nuclear accidents.
Personnel involved in the accident response had to improvise, a fact highlighted by the Investigation Committee (2011, pp. 110-111):
The shift team7 used lights with portable batteries and LED flashlights to read the event-based and state-based “Emergency Operating Procedure.” However, the content of the material could not be applied directly to the actual events taking place. The team members also checked the “Emergency Operating Procedure” for accident management (AM) to identify the operating procedure necessary to control Units 1 and 2. However, the “Emergency Operating Procedure” for AM contained only internal events as causal events for AM and did not consider external events such as an earthquake or tsunami as causal events. There was no reference taking into account the events where all AC and DC power sources would be lost. In addition, the descriptions of the standards were written on the assumption that the state of the plants can be monitored by the control panel indicators and measuring instruments in the main control room and that the control panel could be manipulated. As a result, the shift team was forced to predict the reactor state according to a limited amount of information and take such procedures [that] operators think best on the spot instead of following the instructions described in the standard manuals.
7 The shift team comprised the personnel in the control room of each reactor unit. See Appendix D.
Staff in the onsite ERC were stunned to learn of the complete failure of power in three of the reactor units. Their reaction is described by the Investigation Committee (2011, pp. 108-109):
The NPS [nuclear power station] ERC8 received reports from the three main control rooms that the nuclear reactors were successively losing their power supplies and Units 1, 2 and 4 in particular had lost all of their power sources. Everyone at the NPS ERC was lost for words at the ongoing unpredictable and devastated state.
Site Superintendent Yoshida understood that a situation that far exceeded any expected major accident had actually taken place. He could not think of anything on the spot and so decided to implement the procedure stipulated by the law.
Plant personnel confronted many challenges in responding to the earthquake and tsunami:
• Flooding in the turbine buildings and lower portions of Units 1 and 2 rendered reactor control and safety systems inaccessible or unusable.
• Damage to the site from the tsunami made roads impassable and generally hindered personnel access.
• Loss of instrumentation readouts in the Unit 1 and 2 control rooms and loss of the safety parameter display systems9 in the Unit 1-3 control rooms and the onsite ERC and offsite center (OFC) made it impossible to obtain timely information about the condition of the Unit 1-3 reactors and Unit 1-4 spent fuel pools. Control room personnel reported basic reactor parameters to the onsite ERC using fixed-line telephones. These data were manually recorded on whiteboards to facilitate the sharing of information within the ERC.
• Loss of lighting made it difficult to work, forcing control room and field personnel to use flashlights.
• Limited means of communication between the control rooms and the onsite ERC and between the control rooms and the field made it difficult to plan and carry out response efforts across the site.
• Hydrogen explosions, radioactive contamination, and high temperatures limited access to some parts of the Unit 1-4 reactor buildings. Field personnel wore standard anti-contamination suits and self-contained
8 This report uses the term “onsite ERC” to refer to this facility.
9 The safety parameter display system provides detailed real-time plant parameter and component status information.
breathing apparatus, which made their work and communications even more difficult. At one point during the accident the Unit 1 reactor operators had to don full face masks with charcoal filters, anti-contamination coveralls, and at times had to move to the Unit 2 side of the control room and crouch down to avoid excessive radiation exposure.
• The lack of food, working toilets, and relief personnel during the early stages of the accident as well as the extended length of the accident response added greatly to personnel fatigue and distress.
Plant personnel who responded to the accident exhibited a strong degree of self-sacrifice: Many suffered personal losses (homes destroyed or damaged, family members displaced or lost) but continued to work, in some cases for weeks following the tsunami. Personnel volunteered to enter high-radiation zones and many received exposures well over permissible levels.
The OFC, located in Okuma about 5 km southeast of the plant, did not function as intended following the tsunami. It was never fully staffed because of access difficulties owing to transportation system damage and traffic congestion. Additionally, all of its telecommunications circuits except a satellite connection were inoperable.10 The OFC had to be evacuated on March 14 because of elevated radiation levels following the hydrogen explosion in the Unit 3 reactor building.11
The coordination activities that would normally be performed at the OFC were conducted at the TEPCO headquarters ERC, which was located in Tokyo (Appendix D), and at Japanese government offices. This reduced the effectiveness of communications between the onsite ERC, TEPCO, and local and national government agencies (INPO, 2011). According to NAIIC (2012), the loss of telecommunication infrastructures led to the increased involvement of the central government in the response to the accident, partly because the government perceived that it was not receiving accurate and timely information. The Japanese government contacted the headquarters and onsite ERCs directly to get information.
The following sections describe some of the major events during the accident and key response actions by plant personnel. These descriptions are not intended to be comprehensive; rather, they are intended to illumi-
10 Personnel in the OFC were unable to use the videoconferencing system, the Emergency Response Support System, the System for Prediction of Environmental Emergency Dose Information, e-mail, Internet, or ordinary telephone/fax lines.
11 The OFC was not equipped with filtered ventilation for removing radioactive material even though it was intended for use in nuclear emergencies.
nate the factors that prevented a more successful response to the accident. These factors informed the committee’s finding on the causes of the accident (see Section 4.5 in this chapter) and discussions of lessons learned (see Chapter 5). The Investigation Committee (2011, 2012) and TEPCO (2011a,b, 2012b) served as the main sources of information for the descriptions in the following sections.
4.3.1 Unit 1 Reactor
Following the earthquake and scram of the Unit 1 reactor, its two isolation condensers (Figures 4.2 and 4.3) started automatically as designed (see Section 2.2 in Chapter 2). Following established operating procedures, the Unit 1 operators12 used these isolation condensers to control reactor pressure and cooldown rate. They initially shut down both isolation condensers because reactor cooldown rates were too high; they then cycled one of the isolation condensers (the Train A isolation condenser in Figure 4.3) to maintain reactor pressure and cooldown rates within prescribed specifications.13
The Train B isolation condenser was on standby at the time of the tsunami. It was inoperable after the tsunami because the operator had closed off the return line valve (valve MO-3B in Figure 4.3) before the tsunami and was unable to open it afterward due to the lack of AC and DC power (Investigation Committee, 2011, p. 117; TEPCO, 2012b, p. 195).
Subsequently, the tsunami flooded the Unit 1 emergency diesel generators and power panels (Figure 4.2), cutting off all AC and DC power to the unit. With no power for instrumentation or controls, the Unit 1 operators lost the ability to monitor plant indicators from the control room. Most critically, they were unable to check the status of the isolation condenser valves14 or to actuate them from the control room. Attempts to check the status of the valves in the field were unsuccessful because of access limitations and high radiation fields. Attempts to start up the high-pressure coolant injection system (Figure 4.2) also were unsuccessful due to the loss of DC power.
The loss of AC and DC power in Unit 1 caused its isolation condenser to shut down because of failsafe control logic (this logic is described later in this section). As a consequence, Unit 1 essentially lost all cooling function.
12 The committee uses the following terms to describe TEPCO and contractor staff involved in the response to the accident at the Fukushima Daiichi nuclear plant. The term operator refers to personnel stationed in the main control rooms at the plant. The term ERC staff refers to personnel stationed in the onsite or headquarters ERCs. The more general term plant personnel is used when the locations of personnel at the plant are not specified or important.
13 That is, maintained reactor pressure between 6 and 7 MPa and a cooldown rate of 55ºC (100ºF) per hour.
14 That is, to determine whether the valves were open or closed.
FIGURE 4.2 Schematic illustration of major safety systems in Unit 1 of the Fukushima Daiichi plant. SOURCE: Courtesy of TEPCO.
FIGURE 4.3 Schematic of the isolation condenser systems for Fukushima Unit 1. The unit contains two systems, labeled A and B. Motor-operated (MO) valves are indicated by connected triangles. Black indicates valve closed during normal operations; white indicates valve open during normal operation. The valves inside of primary containment are operated by AC power. The valves outside of containment operate with DC power. A fuller description of isolation condenser operation is provided in Chapter 2. SOURCE: Government of Japan, 2011b (Fig. IV-2-4).
However, operators and onsite ERC staff did not understand at first that the isolation condenser had stopped functioning because plant indicators and controls were not available. In fact, the Unit 1 operators initially assumed that the isolation condenser was working.
Because of the failure of the safety parameter display systems and lack of definite information from the Unit 1 operators, the staff in the onsite ERC and the site superintendent could not determine if the isolation condenser was functioning. Site Superintendent Yoshida was sufficiently concerned that he immediately reported to Tokyo that there was a failure of the emergency core cooling systems for Units 1 and 2 (Investigation Committee, 2011, p. 114).
The onsite ERC began to take proactive actions to restore the Unit 1 monitoring systems and establish alternative water injection sources. The site superintendent directed onsite ERC staff to give priority to restoring plant indicators, particularly reactor water level and pressure. At approximately 17:10 on March 11, he instructed onsite ERC staff to begin preparation for two alternative water injection strategies: water injection via the diesel-driven fire protection system (this system is depicted in Figure 4.2), a mitigation strategy specified in the plant’s accident management procedures, and water injection through the fire protection system using fire engines, a strategy not specified in those procedures.
Around 18:00 on March 11, some DC power was restored in Unit 1. Operators discovered that the isolation condenser valves outside of containment (i.e., valves MO-2A and MO-3A in isolation condenser A; see Figure 4.3) were closed. The fact that valve MO-2A read closed, when it normally should be open (see Section 2.2 in Chapter 2), caused operators to suspect that all of the isolation condenser valves had closed after loss of AC and DC power. At 18:18, operators decided to open valves MO-2A and MO-3A on the possible chance that the valves in containment (MO-1A and MO-4A) had not fully closed.
At this point the operators inferred that the isolation condenser was functioning; this inference was based on indirect audible (i.e., steam generation was heard) and visual (i.e., a steam plume was observed) cues. The operators informed the onsite ERC that the isolation condenser was functioning. However, operators closed the condensate return valve (valve MO-3A in Figure 4.3) shortly thereafter (at 18:25). The reason for this action is unclear15 and the onsite ERC was not informed that it had been taken.16
15 The Investigation Committee (2011) and TEPCO (2012b, 2013) discuss possible reasons for this action. The reasons are not relevant to the present discussion, and so they are not described here.
16 Valve MO-3A was opened again at 21:30.
By around 18:30 on March 11 the Unit 1 operators became convinced that the isolation condenser was not functioning. They recognized then that water injection into the reactor was the only option available to cool it. Preparations for injecting water into the Unit 1 reactor using the diesel-driven fire protection system (Figure 4.2) had already been under way for over an hour; these preparations were completed by 20:50. However, the reactor pressure vessel had to be depressurized first (by opening the safety relief valves; see Figure 4.2) before low-pressure water from the fire protection system could be injected.
The operators asked the onsite ERC to provide batteries so that the safety relief valves could be opened from the control room. However, the ERC team member who received this request did not understand its urgency, possibly because the ERC believed that the isolation condenser was still operating normally. In fact, the onsite ERC did not act on this request for several hours.
Miscommunications, combined with misleading water-level indicators in the reactor pressure vessel (e.g., at 21:19 the water level was shown to be 200 mm above the top of active fuel,17 which was likely not the case18), caused the onsite and headquarters ERCs to continue to believe that the isolation condenser was operating. By about 22:00 on March 11, rising radiation levels were observed in the reactor, drywell, and turbine buildings, suggesting that fuel degradation and core damage were occurring.19 By 23:50 the site superintendent and other onsite ERC personnel fully understood that the isolation condenser was not operating.
At approximately midnight on March 12, the Unit 1 operators began preparations for venting the containment (Figure 4.2). Operators consulted piping and instrumentation diagrams, valve drawings, and accident management procedures. These procedures assumed that power would be available for remote valve control; consequently, they were not applicable to the then-current situation in Unit 1. The operators needed to develop (in real time) a plan for venting the containment by manual valve operation. This required study of the layout and configuration of the vent valves to determine which valves needed to be opened, their locations, and whether and how they could be opened manually.
Operators confronted a number of additional obstacles for venting containment. These included a need to perform dry runs to keep field work time as short as possible (because of high radiation levels); the need
17 Top of active fuel, usually denoted TAF, is the uppermost point in a fuel rod that contains uranium fuel. It serves as the reference point for water-level readings in the reactor.
18 Reactor pressure vessel water-level sensors likely provided misleading values because of sensor degradation.
19 TEPCO (2013, p. 11) suggests that water levels in the Unit 1 reactor dropped to the top of active fuel at about 18:10 on March 11 and that core damage was initiated at about 18:50.
to gather equipment (fireproof clothing, personal air supply, flashlights, full face masks); and the need to perform the work in shifts (three teams of two people) because the reactor building was pitch dark and radiation levels were high.20 Team 1 completed its assigned task but teams 2 and 3 had to turn back because of high radiation levels. Venting was eventually performed from the control room after a compressor was procured and installed to enable remote operation of the large air-operated suppression chamber vent valve (see Figure 4.2). Because of these delays venting did not begin until 14:30 on March 12 when containment pressure had reached over 0.75 MPa (110 psig), almost twice the design value of 0.43 MPa (63 psig).
By 02:45 on March 12 the pressure in the reactor pressure vessel was determined to be near containment pressure21; freshwater injection was initiated at 05:46.22 By this time, however, the fuel in the reactor had already been damaged and hydrogen and radioactive materials had likely already leaked into the reactor building. At 15:36 on March 12 a hydrogen explosion occurred on the refueling floor of the Unit 1 reactor building outside of containment. Further discussion of hydrogen generation and the explosion in Unit 1 is provided in Section 4.3.5.
The isolation condenser in Unit 1 most likely lost its ability to effectively cool the reactor when AC and DC power were lost.23 However, it was not until approximately 3 hours later (at 18:30) that operators in the Unit 1 control room fully understood that the isolation condenser was not functioning effectively. It took the onsite ERC staff even longer—until about 23:50—to fully understand this fact.
20 The three teams consisted of shift supervisors, deputy managers, and older workers. Younger workers were not permitted to participate because of the danger involved even though they volunteered to do so.
21 It is not clear whether depressurization occurred because of damage to the reactor pressure vessel, a pipe break, or safety relief valves that had stuck open due to thermal fatigue failure.
22 Only a fraction of the water injected using the fire truck pumps appears to have reached the reactor. Water may have been lost from leaky fire hoses, open valves, and branches in the piping system that diverted water. See TEPCO (2013, Attachment 1-4) for additional details.
23 TEPCO has concluded that the valves on the System A isolation condenser did not close fully because some water was lost from the Train A tank; it was measured to be 65 percent full in a post-accident inspection, a decline from the previous, and normal, level of 80 percent. However, as noted by TEPCO (2012b, p. 197), since a substantial amount or water remained in the shell side of the isolation condenser, the amount of heat removal during the accident must have been limited. The Investigation Committee (2011, p. 121) also supports this observation.
In hindsight, shutdown of the isolation condenser was an unanticipated side effect of the design of the failsafe control logic circuit that operates the isolation condenser valves. This circuit is powered by instrumentation DC. If this power is lost, the logic circuit acts as if there were a pipe break in the isolation condenser system and commands all four of its valves to close (see Figure 4.3).
Whether the valves actually close, however, depends on the timing of power loss to three circuits:
• instrumentation DC, which powers the logic circuit,
• 125VDC, which opens and closes the two valves outside containment,24
• AC, which opens and closes the two valves inside containment,
as well as the time required to close the valves (20-30 s) once the actuation signals are received by them (Investigation Committee, 2011, p. 118).
The two valves inside containment (i.e., valves MO-1A and MO-4A in Figure 4.3) are of greatest concern for operator control of the isolation condenser because they are not physically accessible. Consequently, once closed, without AC power they cannot be reopened by operators. Based on currently available information (see Footnote 23), it appears that the two valves inside containment received enough AC power to close most of the way, indicating that instrumentation DC power failed first (Craig Sawyer, General Electric (retired), written communication, January 14, 2014). However, the status of the valves inside containment will not be known for certain until they can be inspected, which will require physical entry into containment.
Communications difficulties between operators and onsite ERC may have delayed recovery efforts. As noted previously, they did not communicate effectively about the operation of the isolation condenser. Additionally, the apparent miscommunication between operators and onsite ERC about the urgency of supplying batteries for opening the safety relief valves quite possibly led to delays in depressurizing the reactor pressure vessel.
TEPCO has argued that efforts to vent and set up alternative water sources were initiated in spite of these communication problems. Indeed, the site superintendent and onsite ERC initiated actions to identify alternative water injection means early in the accident.25 However, the severe conditions at the plant apparently prevented a faster response.
There is some suggestion of lack of clarity in roles and responsibilities
24 If 125VDC is available, it can be routed through inverters to produce AC power to operate the valves. However, such power was not available in this case because of flooding.
25 The site superintendent directed the onsite ERC staff to develop plans for alternative water injection as early as 17:12 on March 11.
within the onsite ERC, particularly with respect to allocating responsibilities for responding to situations that are not covered by accident management procedures. This led to delays, for example, in developing and implementing the procedure for using fire engines to inject water into the reactor pressure vessel through the fire protection system. Preparations for this procedure (e.g., verifying the availability of fire engines, locating water discharge ports, positioning the fire engines, and laying fire hoses) did not get under way until dawn on March 12.
4.3.2 Unit 3 Reactor
Unit 3 did not lose DC power immediately after the tsunami. Consequently, until its batteries became depleted, operators were able to monitor plant indicators from the control room, including reactor pressure and water levels. They were also able to activate, monitor, and control the reactor core isolation cooling and high-pressure coolant injection systems (Figure 4.4).
Unit 3 operators activated the reactor core isolation cooling system at around 16:00 on March 11. They also cut unnecessary loads on the battery to extend its life. Steam exhaust from the reactor core isolation cooling system to the suppression chamber raised its pressure, prompting operators to initiate suppression chamber spray cooling using the diesel-driven fire protection system (Figure 4.4).
At around 11:36 on March 12, after running for approximately 20 hours, the reactor core isolation cooling system stopped and could not be restarted.26 The safety relief valves cycled to control reactor pressures; as a result, water levels in the reactor pressure vessel dropped and the high-pressure coolant injection system started automatically at 12:35.
The high-pressure coolant injection system was aligned in full-flow test mode with almost all of the pump flow going back to the suppression pool; only enough flow was directed to the reactor pressure vessel to maintain water levels.27 This avoided the constant starts and stops that would have occurred had all of the flow been directed to the reactor pressure vessel. However, in this mode of operation, the system turbine consumes enough steam to depressurize the reactor pressure vessel. The turbine had to be shut down when pressures decreased to the point where operators became concerned about the turbine’s ability to work without being damaged.
Starting at approximately 20:36 on March 12, operators could no longer monitor water level in the Unit 3 reactor because the 24VDC power
26 The root cause of the failure of the reactor core isolation cooling system is not known.
27 This mode of operation was unusual but effective and showed creativity on the part of the operators.
FIGURE 4.4 Schematic illustration of major safety systems in Units 2 and 3 of the Fukushima Daiichi plant. SOURCE: Courtesy of TEPCO.
source for the water-level gauge became depleted. Operators became concerned about the continued availability of the high-pressure coolant injection system,28 so they developed an alternative plan for water injection into the reactor. This plan involved
• Shutting down the high-pressure coolant injection system;
• Depressurizing the reactor pressure vessel using the safety relief valves, which would vent steam from the reactor pressure vessel to the suppression pool; and
• Injecting water into the reactor pressure vessel using the diesel-driven fire protection system (Figure 4.4).
The Unit 3 operators informed the members of its team in the onsite ERC of their plan. The team members concurred with the plan but failed to communicate it to the site superintendent and other ERC staff.
Operators stopped the high-pressure coolant injection system at 02:45 on March 13 and switched the fire protection system from suppression chamber spray cooling to reactor pressure vessel injection. Operators attempted but were unable to open the safety relief valves, either because the pressure in the reactor pressure vessel was too low29 or because the batteries were depleted.30 Attempts to restart the high-pressure coolant injection system also failed probably because the battery was depleted.
The operators informed their team members in the onsite ERC that they had stopped the high-pressure coolant injection system but were unable to open the safety relief valves; this information was not immediately passed on to the site superintendent and other staff in the onsite ERC. It was not until 03:55 on March 13 that the site superintendent and the headquarters ERC learned these facts.31
The onsite ERC immediately recognized the need to obtain batteries to operate the safety relief valves and fire engines to inject water into the reac-
28 The operators were concerned specifically about the potential for a steam leak resulting from damage to the high-pressure coolant injection system caused by excessively low speed of the turbine.
29 The safety relief valves can be manually opened by remote control only if the pressure in the reactor pressure vessel is over 0.686 MPa (gauge); the valves close on their own at 0.35 MPa.
30 Different trains of battery-powered 125V sources powered the reactor core isolation cooling system, high-pressure coolant injection system, and safety relief valves. The battery may have been depleted from 34 hours of use since the start of the accident.
31 There was a further miscommunication that led the site superintendent and headquarters ERC to initially believe that the high-pressure coolant injection system had stopped automatically. Because the onsite ERC was so noisy the Japanese word for “manually” was misheard as “automatically.” The high-pressure coolant injection system is designed to turn on and off automatically to control pressure and water level. Consequently, automatic stopping would not necessarily be a cause for concern.
tor through the fire protection system (Figure 4.4). Plant personnel salvaged batteries from personal automobiles; it took almost 2 hours to collect them and another hour to connect them to the Unit 3 control panel.32 Personnel also repaired an onsite road so that the fire brigade could drive a fire truck to the dock by Unit 3.33
According to TEPCO (2013, p. 38), reactor pressure reached about 7 MPa (abs) at about 04:30. Reactor pressure then decreased abruptly to below 1 MPa (abs) at about 09:00. The reason for this decrease is not understood at present. Depressurization enabled the injection of freshwater starting at 09:25. By that time, however, the reactor core had been without cooling for over 6 hours34 and was probably already damaged.
The Unit 3 operators and onsite ERC made preparations for venting the containment through the suppression chamber vent valve (Figure 4.4). This valve is operated with compressed air. These preparations were completed at about 08:41 on March 13. At about 09:24, a drop in drywell pressure was noted, leading the onsite ERC to assume that venting had initiated around 09:20.
At approximately 12:20 on March 13 the store of freshwater used for injection ran out so workers proceeded to hook up a previously constructed seawater injection line. Seawater injection began at 13:12 on March 13 but was interrupted when the Unit 3 reactor building exploded at 11:01 on March 14. Seawater injection was restarted at 15:30. As in the case for Unit 1, only a fraction of the injected water appears to have reached the reactor.
The Unit 3 reactor was cooled by water injection for approximately 30 hours, but cooling was inadequate. There may have been insufficient compressed air pressure35 and capacity to keep the suppression chamber vent valve open; consequently, pressure in the containment stayed too high to allow the reactor pressure vessel to be depressurized. The high pressure reduced water injection flow rates into the reactor pressure vessel and likely caused hydrogen and fission products to leak from the containment into the reactor building.
A hydrogen explosion occurred in the Unit 3 reactor building at 11:01 on March 14. The explosion caused severe structural damage to the reactor building and destroyed the fire engine and hoses being used to inject water into the reactor. The explosion also prompted the evacuation of field personnel and delayed recovery efforts.
32 Executed while wearing full protective suits and face masks and using flashlights and improvised tools.
33 Other fire trucks on the plant site were injecting seawater into Unit 1.
34 The plant superintendent had done a hand calculation at 06:00 on March 13 which showed that the top of active fuel was likely reached at 04:00 on March 13.
35 First air tanks and then compressors taken from contractor warehouses were used for this purpose.
It is questionable whether the operators’ plan for injecting water would have worked even had they succeeded in their initial efforts to open the safety relief valves: the maximum pressure output of the pump in the fire protection system (0.45-0.60 MPa) was likely insufficient to overcome the rapidly climbing pressure in the reactor pressure vessel. The Investigation Committee (2011, p. 221) noted that a
hasty conclusion should be avoided about whether or not the damage of Unit 3 could have been prevented or mitigated by depressurization and/or earlier alternative water injection because there were many uncertain factors…. It could be presumed that, however, if depressurization of Unit 3 had been performed much earlier than it actually had and the alternative method of water injection using fire engines had been conducted smoothly, the progress of core damage might have been slower, radiation dose in the RPV [reactor pressure vessel] would have been less and subsequent work might have been easier.
Several factors contributed to the severity of the accident in Unit 3:
1. The Unit 3 operators apparently did not assess the viability of their alternative water injection plan before turning off the high-pressure coolant injection system. Once the system was stopped, the operators would have had less than 2 hours to initiate water injection into the reactor before initiation of core damage. The operators turned off the system before working water injection sources and means for depressurizing the reactor pressure vessel and venting the containment were in place.
2. The operators informed team members in the onsite ERC of their plan. However, the team members did not pass this information on to the site superintendent and other ERC staff. Consequently, the onsite ERC was unable to check the plan’s viability.
3. The reason for stopping the high-pressure coolant injection system was miscommunicated to the onsite ERC. The onsite ERC did not learn that the Unit 3 operators had manually stopped the system until about an hour later.
4. Work on constructing an alternative water injection line was not started until the onsite ERC learned that the high-pressure coolant injection system had been stopped.36
36 According to the Investigation Committee (2011, p. 218), a major contributor to delays in establishing water injection via fire engines was the fact that the staff organizational structure within the onsite ERC did not effectively support activities that were not explicitly called out in accident management procedures.
5. The hydrogen explosion in Unit 1 further complicated accident management in Unit 3. TEPCO (2012b) reported that the onsite ERC became fearful when this event, which was not initially understood to be an explosion, occurred. The explosion damaged cables that were prepared to recover power in Unit 3.
4.3.3 Unit 2 Reactor
The tsunami flooded the Unit 2 emergency diesel generators, power panels, and batteries, cutting off all AC and DC power to the unit.37 Control room lighting, alarms, plant indicators, and controls were lost as a result. Fortunately, the Unit 2 operators had started the reactor core isolation cooling system (Figure 4.4) just before power was lost. As a consequence, the system’s isolation valves failed in the “as is” position (i.e., open) thereby allowing it to continue to operate.38 The system functioned for almost 3 days, although operators could not monitor or control it.39
Operators were unable to verify visually that the system was operating because it was not physically accessible.40 They were also unsure of the water level in the reactor pressure vessel. As a consequence, the onsite ERC staff and site superintendent initially doubted that the system was operating and believed that Unit 2 was in more serious difficulty than Unit 1.
The tsunami also flooded the diesel-driven pump for the fire protection system.41 The onsite ERC requested that the Unit 2 operators locate the fire protection system connections, which are accessible from outside the reactor building, so that water from the makeup-water condensate system (Figure 4.4) could be injected into the reactor pressure vessel using fire trucks. The operators also had to line up the system valves manually (they are normally motor operated) by entering the reactor building; they had great difficulty accomplishing this operation because of a lack of knowledge about the location of the valves, missing keys for locked doors, and the
37 Flooding completely submerged the large 120V battery system that supplied DC power to the high-pressure coolant injection system. Seawater pumps used for reactor heat removal and containment cooling were also unavailable.
38 It appears that flooding by the tsunami caused the loss of actuation power in the reactor core isolation cooling system’s isolation valves before the activation of the interlocking logic circuit function. Evidently, all of the isolation valves remained open so the system was able to maintain its cooling capability after AC and DC power was lost. More details on the reactor core isolation cooling system and failsafe control logic are provided in Section 184.108.40.206 in Chapter 2.
39 Specifically, operators could not monitor or control the rate at which the system delivered water to the reactor pressure vessel.
40 The system is located in a basement room in the reactor building. Flood waters prevented access to this room.
41 The pump was located in the flooded basement of the turbine building.
physical effort required to turn the valve wheels. Nevertheless, this operation was completed in Unit 2 late on March 11 after it was first performed in Unit 1. The early timing of this operation was fortuitous because the reactor buildings later became too contaminated for extended entry.
At about 22:00 on March 11, workers entered the Unit 2 reactor building to manually read the reactor pressure vessel water level; they found it was 3,400 mm above the top of active fuel. At this point the onsite ERC staff realized that the reactor core isolation cooling system must be functioning; the ERC’s focus then shifted away from providing emergency injection water for Unit 2. By 23:35, operators obtained further indirect confirmation that the reactor core isolation cooling system was functioning when they were able to connect emergency power to a drywell pressure gauge; the gauge reading was 0.14 MPa (abs), as expected for normal operation of the reactor core isolation cooling system.42
During the early hours of March 12, workers visited the equipment room in the basement of the Unit 2 reactor building to check on the status of the system.43 They were equipped with self-contained air breathing sets, small flashlights, and rubber boots. Their attempt to confirm system operation was unsuccessful. However, at approximately 02:55 on March 12 the shift supervisor reported to the onsite ERC that he believed the system was operating because the system pump discharge was higher than the pressure in the reactor. At this point the site superintendent decided to give priority to Unit 1 containment venting.44
Operators noticed a decrease in water level of the condensate storage tank (Figure 4.4), which was then being used as the water source for the reactor core isolation cooling system. Operators switched the system water supply from the tank to the suppression pool at around 04:00 on March 12. Operators again checked on the operation of the system during this changeover. However, the operation of the system was not checked again until about 2 days later (at 04:30 on March 14). By that time the pressure
42 The exhaust from the reactor core isolation cooling system turbine is discharged below water level in the suppression pool. After the steam condensing capacity of the water in the suppression pool is partially lost, pressure in the upper space of the suppression chamber would start to rise and in turn cause the drywell pressure to increase.
43 TEPCO has not confirmed whether there were any attempts to check the status of the system before about 02:00 on March 12.
44 TEPCO upper management was given information that led it to believe that the Unit 1 isolation condenser was working and that the Unit 2 reactor core isolation cooling system was not. This created substantial misunderstandings between the plant regulator (Nuclear and Industrial Safety Agency [NISA]), which understood that the Unit 2 system was functional, and TEPCO upper management. These misunderstandings were manifested in announcements to the press about venting on the morning of March 12. This is one of many miscommunications during the response to the accident.
in containment had reached 0.4 MPa (abs), approaching its design pressure of 0.48 MPa (abs).
Somewhat surprisingly, the pressure in Unit 2 increased much less rapidly than in Unit 3, suggesting that there was either a leak in the Unit 2 containment or an unusually effective cooling mode, such as external cooling of the suppression pool due to flooding of the torus room. Analyses using MAAP and MELCOR (see Section 4.3.5) by groups in the United States and Japan have been used to support both hypotheses, alone or in combination.
The reactor core isolation cooling system in Unit 2 continued to operate until about 13:30 on March 14.45 After the system stopped, the safety relief valves operated mechanically to vent steam from the reactor pressure vessel to the suppression pool. Steam loss from the reactor pressure vessel caused its water levels to drop continuously for the next 5 hours.
At 17:45 on March 14, a safety relief valve was manually actuated to depressurize the reactor pressure vessel. This reduced pressure in the reactor pressure vessel from 7.8 MPa to 0.7 MPa within 45 minutes. Depressurization also discharged a substantial fraction of the reactor pressure vessel’s water inventory to the suppression pool, uncovering the reactor core. After the valve was closed the reactor immediately started to repressurize. The safety relief valves were manually actuated several times over the next 10 hours46 to keep reactor pressure sufficiently low for water injection to be effective.
Preparations for water injection had begun on March 11. Valves in the fire protection system had been aligned to make it possible to inject water into the reactor pressure vessel using fire trucks (Figure 4.4) once the reactor had been depressurized. However, fire trucks were not hooked up to the Unit 2 fire protection system until after 23:00 on March 14. Prior to that time, all available fire trucks were being used at Units 1 and 3. Moreover, there was not sufficient space in the valve backwash pit (from which seawater was being pumped) to place another suction line.
Additional fire trucks and staff arrived at the site at 05:00 on March 14, and a pumping path from a valve backwash pit was established. However,
45 The reactor core isolation cooling system can, under ideal circumstances, inject at full reactor pressure, but it was unable to do so after noon on the March 14. There is evidence (Investigation Committee, 2011, pp. 258-259) that pressure increased above the discharge pressure of the reactor isolation cooling system pump at about noon on March 14. At this point the flow of cooling water into the reactor would have stopped.
46 The core remained either completely or partially uncovered during this time according to reactor accident simulations. Because of uncertainties in injected water flow rates, the amount of reactor cooling during this time period is poorly understood.
the fire trucks were placed on standby while seawater in the valve backwash pit was being used to supply Unit 3.47
Operators and onsite ERC staff also began making preparations on the evening of March 11 for depressurizing the Unit 2 containment. They had previously vented the containment in Unit 1 through its air-operated suppression chamber vent valve (Figure 4.2). They knew that a powerful compressor and DC batteries would be needed to open this vent in Unit 2. The site superintendent instructed staff to complete preparations for venting Unit 2 by 17:30 on March 12.
Workers located and connected air cylinders that could be used to operate the suppression chamber vent valve. An emergency generator in the control room was used to energize the air solenoid. By 23:00 on March 13 all the valves had been prepared for actuation or actuated; only the rupture disk needed to be broken to vent the unit. The rupture disk was set to break at 0.528 MPa (abs). According to the drywell pressure readings, which continued to increase, it was presumed that the valves failed to stay open. Venting on March 13 or 14 was apparently never successfully accomplished from either the suppression chamber or drywell in Unit 2 (Investigation Committee, 2011, p. 266).
The Prime Minister’s office, Nuclear Safety Commission, and TEPCO upper management became concerned about the delays in venting the containment in Unit 2. TEPCO’s president ordered the site superintendent to depressurize the reactor pressure vessel without waiting to vent containment. The site superintendent accepted the president’s directive and gave instructions to start venting and water injection into the Unit 2 reactor pressure vessel while concurrently continuing preparations for containment venting.48
Operators struggled to depressurize the reactor pressure vessel. They had trouble opening the safety relief valves and keeping them open once they were actuated. Additionally, steam exhausted to the suppression pool
47 In one of many miscommunications, NISA staff in Tokyo became impatient because Unit 2 was not being cooled with seawater as ordered by METI Minister Kaieda. NISA staff had not realized that the pumps were unable to take water directly from the ocean (pump suction was not adequate to lift water directly from the ocean, which was more than 10 m below the fire engine inlet) and that the supply of seawater was a limitation (Investigation Committee, 2011, p. 230).
48 Site Superintendent Yoshida’s reaction is apparently visible on the video tapes of teleconferences that have been released to the media (Asahi Shimbun, August 12, 2012): “The videos did show Yoshida on that date frustrated at one point with questioning and advice from TEPCO officials and asked them to let him have his own way to vent the core in the No. 2 reactor to reduce mounting pressure.” According to an August 7, 2012, article in Asahi Simbun, Yoshida told TEPCO headquarters during the video conference “Don’t ask us any questions,” he says. “Don’t disturb us, because we are now in the middle of trying to open the vent for the containment vessel.”
from the reactor did not condense efficiently because pool temperatures were high. Water injection became possible around 19:00 when the reactor pressure was 0.630 MPa (gauge).49 However, the fuel in the reactor had likely been uncovered for some time prior to water injection.
Although the pressure gauges were probably unreliable, the drywell pressure at one point was indicated to be as much as 0.85 MPa (abs), more than twice its design pressure. Reactor pressure was in excess of the maximum fire truck pump head (about 1 MPa; TEPCO, 2013, Attachment 1-4), for substantial periods of time, preventing seawater injection from taking place and placing the containment vessel under significant thermal and pressure stresses.
The operators and onsite ERC struggled through the evening of March 14 and early morning of March 15 to vent containment. Their attempts to open both small and large vent valves in the suppression chamber were unsuccessful.50 Attempts to vent the drywell (Figure 4.4) were also unsuccessful.
Pressure in containment remained high until early on March 15 (06:14) when the explosion in the Unit 4 reactor building occurred.51 Because of the evacuation and the confusion following the explosion, it took some time to understand what had happened. There were apparently two events that occurred on the morning of March 15: (1) a hydrogen explosion in Unit 4 and (2) and a loud noise accompanied by an apparent drop in the suppression chamber pressure in Unit 2. This noise was subsequently determined by TEPCO to be associated with the hydrogen explosion in Unit 4. The drop in suppression chamber pressure appears to be an instrument malfunction (the drywell pressure did not drop and remained above atmospheric for some time). The actual condition of the Unit 2 containment system is still unknown.
Once the Unit 2 reactor core isolation cooling system shut down, measures to cool the Unit 2 reactor were ineffective. The Unit 2 containment was never deliberately vented and it is unclear how or when depressurization occurred. Some fraction of the core is almost certainly highly degraded but the amount and location of core material is unknown. Also unknown are the timing, mechanisms, and magnitude of releases of fission products from Unit 2, although it appears likely that fission products did leak from containment during the period of time that it exceeded its design pressure.
49 TEPCO (2013, p. 21) suggests that not all of the injected water reached the reactor but instead went to other systems and equipment.
50 High radiation levels prevented workers from entering the reactor building to hook up alternative air sources to the vent valve, for example.
51 At that point about 600 staff evacuated to Fukushima Daini (50 staff remained at the Fukushima Daiichi plant); the staff that evacuated did not return until the morning of March 16.
Several factors contributed to the severity of the accident in Unit 2:
• The onsite ERC staff were trying to manage responses at multiple reactor units, which taxed their ability to maintain awareness of the rapidly changing conditions at Unit 2 and appropriately prioritize and direct response activities. ERC staff were occupied with Unit 1 through the morning and afternoon of March 12. Staff attention then focused on the Unit 3 reactor. The hydrogen explosion in the Unit 3 reactor building on March 14 caused extensive damage to the site and temporarily halted response activities at Unit 2.
• The Unit 2 operators had to depressurize the reactor pressure vessel and vent containment to enable injection of low-pressure cooling water.52 Venting of the Unit 2 containment was difficult to implement on an ad hoc basis: emergency air supplies were inadequate; the torus room environment was too hot, humid, and contaminated for the staff to manually operate the suppression chamber vent valves; and the rupture disks were designed to operate at higher containment overpressures than were achieved and could not be bypassed. The hydrogen explosion in the Unit 3 reactor building further impeded efforts to vent the Unit 2 containment.
• Water injection methods and alternative water supplies were limited. Water injection into the Unit 2 reactor came too late to prevent core damage.
• Miscommunication between the onsite ERC, headquarters ERC, and NISA contributed to misunderstandings and lack of confidence by the Prime Minister’s office in TEPCO’s ability to manage the accident.
The transition from installed cooling equipment (e.g., the reactor core isolation cooling system and high-pressure coolant injection system) to ad hoc cooling measures (i.e., injection of low-pressure water) was not carefully orchestrated in Unit 2. This transition requires
• Timely depressurization of the reactor pressure vessel and venting of containment,
• Maintenance of the reactor and containment at low pressures after initial depressurization, and
• Provision of an adequate and reliable water supply and sufficiently high injection pressures.
52 The fire truck pump pressure heads were not high enough to inject water into the reactor pressure vessel without first depressurizing it. This also required venting of the containment. The pressure in the reactor pressure vessel and contanment had to be less than the pressure of the fire truck pump minus the pressure losses in the water piping system. See also footnote 22.
Coordination of depressurization and low-pressure water injection proved impossible to accomplish under the conditions at the plant following the tsunami, even with advance planning and some on-the-ground experience with depressurization of the Unit 1 and Unit 3 reactors. Only a few hours separated success (i.e., timely depressurization and water injection) from failure (core damage due to the rapid boiloff of the water once cooling systems stop). More time was available to achieve success in preventing the release of fission product aerosols from containment; however, this success was only partial because the delays in venting containments allowed them to spend long periods of time above their design pressures, causing substantial releases into the reactor buildings and the environment. Indeed, the events at the Fukushima Daiichi plant demonstrate the extraordinary difficulty of executing a successful response to accidents involving multiple reactor units under the difficult conditions that existed at the site.
4.3.4 Unit 5 and 6 Reactors
Both Units 5 and 6 were shut down at the time of the earthquake and remained so thereafter. The units experienced thermal transients following the earthquake when active cooling was temporarily lost,53 as described below. The reactors were eventually brought to cold shutdown without damage to the fuel in the core or spent fuel pool. The events at these reactors would likely have been a major story in the annals of nuclear safety had they not occurred in the shadow of the accidents in Units 1-4. In fact, the events at Unit 5 have important implications for safety risks during reactor shutdown conditions.
Unit 5 was undergoing pressure testing54 on the day the earthquake occurred. The unit lost all AC power due to flooding of seawater pumps and power panels. As a consequence, lighting and AC-powered instrumentation on the Unit 5 side of the common control room were inoperable; the Unit 5 side of the control room went dark after the batteries for emergency lighting were depleted.
The containment in Unit 5 was open so that visual inspections for leaks could be carried out during pressure testing. The MSIV apparently was also open. A number of safety systems were either unavailable (i.e., reactor core isolation cooling system, high-pressure coolant injection system; residual heat removal system) and some other safety features (e.g., the automatic depressurization system) had been disabled for pressure testing.
53 Although both reactors were shut down, they still required active cooling to remove decay heat from the fuel in their cores; see Chapter 2.
54 The Unit 5 reactor vessel was being pressure tested to 7 MPa, but the temperature was only 90ºC.
The safety relief valves had been deactivated by pulling circuit breakers and depressurizing nitrogen lines. Additionally, as part of the pressure test, the low-setpoint safety relief valves had the manual operation locked out by inserting tools into the mechanisms. However, the high-setpoint safety relief valves could still be actuated once nitrogen and power were restored.
The shift supervisor for Unit 5 appears to have taken a strong role in managing the response to the flooding and loss of power because the onsite ERC was occupied with other units at the plant. Nevertheless, the Unit 5 operators and onsite ERC worked together to identify a strategy for depressurizing the reactor. This strategy was identified by 05:00 on March 12 and implemented about an hour later. It involved brute-force prying open of the nitrogen supply line to the vent valve on top of the reactor head from outside the containment.55
Workers apparently had to enter the reactor building or containment to connect an ad hoc nitrogen supply line that could be used to activate the safety relief valve that was ultimately used to maintain the reactor pressure at desired levels (Investigation Committee, 2012, p. 110).
A 125V battery that was being used to power some monitoring equipment was depleted at 01:00 on March 12.56 The operators used another gauge with independent power to read the reactor water level until the AC crossties to Unit 6 (described below) were completed. A 250V battery was depleted at about 17:00 on March 12, shutting down additional monitoring equipment including the process computer.
An air-cooled emergency diesel generator in Unit 6 survived the tsunami. It was cross-tied to Unit 5 using a cable that had been prepared as part of the unit’s accident management strategy. The generator was then able to supply emergency AC power to both units. This was a key element of the successful outcome for these two units relative to Units 1-3. (This was also key evidence that advanced preparation, including advanced positioning of portable equipment, enabled a more effective response than was possible for Units 1-3.) Power was restored to Unit 5 at around 05:00 on March 12, allowing reactor parameters to be read in the main control room.
The Unit 5 operators had decided to use the makeup water condensate system as an alternative cooling method but needed AC power to operate its pump. The laying of the power cables for the pump required cooperation between the electrical contractors and onsite ERC recovery teams. There was also cooperation in laying power cables for instrumentation. The
55 The shift supervisor judged that it was too dangerous for workers to enter the containment vessel because of aftershocks and lack of lighting (Investigation Committee, 2012, p. 107).
56 Roughly in agreement with 8-hour coping time that is possible with DC power.
Investigation Committee (2012, p. 112) noted that “Since Units 5 and 6 were undergoing routine inspections, a number of cables were stored in the warehouse of contractors and were used for this task. Regarding the task of interconnecting the power, four members of the ERC Recovery Team laid and connected about 70 m length of cables.”
Some personnel from Units 5 and 6 had been sent to other units to support the accident response. They were recalled on March 16 to restore the residual heat removal system by installing submersible seawater pumps and using portable diesel-driven generators to supply electric power. Cold shutdown of the Unit 5 reactor was achieved on March 20.
The response at Unit 6 was more straightforward given the continued availability of AC power following the earthquake and tsunami. The Unit 6 containment was closed but its vent line was open. Water was supplied to the reactor pressure vessel and the spent fuel pool on a reliable basis from March 13 onward. Cold shutdown was achieved on March 20.
TEPCO attributed the successful achievement of cold shutdown in Unit 5 to close cooperation between the onsite ERC and operators, the early restoration of monitoring instruments, reactor depressurization, coolant supply via seawater, and the restoration of AC power. TEPCO noted that the response utilized concepts learned via training and work experience. That is, TEPCO’s accident management abilities were sufficient for the challenges at these units.
In fact, it took several ad hoc measures (such as brute-force opening of the nitrogen line and laying of cables) and fortuitous conditions (such as the working emergency diesel generator in Unit 6 and low decay heat in the Unit 5 reactor) to bring Unit 5 to cold shutdown. Although the report by TEPCO (2012b) minimizes or does not mention many of these measures, it is clear that a successful response might not have been mounted without them. It is also clear that emergencies in other units at the plant impacted the timeliness of response in Unit 5.
The response in Unit 5 points out the need once again for specialized training and appropriate prepositioned equipment (i.e., power cables in this case) to carry out ad hoc solutions that require going beyond prepared measures. The challenges encountered during the Unit 5 response demonstrate the importance of developing severe accident management guidelines (SAMG; see Chapter 5 and Appendix H) specifically for reactors in shutdown or maintenance conditions, that is, SSAMG.
4.3.5 Hydrogen Explosions
Perhaps the most conspicuous and dramatic aspects of the Fukushima Daiichi accident were the hydrogen explosions in the Unit 1, 3, and 4 reactor buildings. These explosions took place at +24.8 hours, +68.2 hours, and about +87.2 hours, respectively (Table 4.1). A hydrogen explosion did not occur in Unit 2, although there were precursor conditions similar to those in Units 1 and 3.
There is a good general understanding of the basic chemical processes that generated the hydrogen that led to these explosions (see Sidebar 4.1); however, there is substantial uncertainty about how hydrogen leaked from reactor containments into the buildings and the specific conditions that led to its ignition. Although no measurements of hydrogen concentrations in Units 1-3 were made, it is likely that large quantities of hydrogen were produced because the reactor cores in these units were not actively cooled for long periods: about 14 hours in Unit 1, 6 hours in Unit 3, and between 5 and 15 hours in Unit 2 (Phillips et al., 2012). Further forensic studies and analyses of hydrogen distribution, combustion, and structural damage to the units are needed to improve the understanding of these explosion events.
Video recordings of the explosions in Units 1 and 3 and the visible damage in Units 1, 3, and 4 indicate that significant overpressures consistent with hydrogen combustion occurred. At the present time it is not known if the combustion events were deflagration, detonation (see Sidebar 4.1 for definitions of these terms), or more complex events. The explosions caused extensive damage to the reactor buildings (Figure 4.5), opening up an easier path for the direct release of radioactive materials to the atmosphere and spreading contaminated debris inside and around the units.
The explosions also had a significant impact on the accident response: they injured workers; destroyed equipment and temporary water-line and power cables; prompted evacuations to onsite buildings or offsite facilities that slowed and in some cases halted recovery work; and created a general atmosphere of fear at the plant, throughout Japan, and in other parts of the world. The extensive damage and contamination were totally unexpected by the operators at the Fukushima Daiichi plant and in the view of two U.S. safety experts was a “game changing” event57 in the accident.
The current understanding of the accident progression in the Fukushima Daiichi reactors depends substantially on computer simulations of the accident. These simulations are used to make predictions about the state
57 The event was “game changing” because it made already difficult access to reactor buildings essentially impossible and inhibited travel throughout the plant, hampering accident recovery and mitigation measures (Jeff Gabor and Doug True, Erin Engineering, communications with the committee on April 23, 2013, and February 11, 2014).
Hydrogen is generated in a reactor when zirconium in the fuel cladding reacts with steam at elevated temperatures:
2H2O + Zr → 2H2 + ZrO2.
This reaction is highly exothermic, releasing 5.6 megajoules per kilogram of zirconium. The reaction heat increases zirconium temperatures, accelerating the reaction and generation rate of hydrogen (Lee and McCormick, 2011, pp. 266-267). This reaction can become self-sustaining at high enough temperatures. The USNRC limit of 1,204ºC (2,200ºF) during accident conditions was established (in 10 CFR § 50.46) in part to address concerns of runaway oxidation above that temperature (Hache and Chung, 2001).
Once a significant amount of hydrogen is released, a risk of explosion exists because hydrogen–air–steam mixtures are flammable over a wide range of compositions (Camp et al., 1983) and are easily ignited by sparks and hot surfaces (Gelfand et al., 2012). Combustion of hydrogen and air,
H2 + ½O2 → H2O,
releases 120 megajoules per kilogram of H2 burned and produces hot steam. Combustion of hydrogen in confined spaces can generate severe overpressures leading to structural failures of confining structures. This failure process was observed in Units 1, 3, and 4 at the Fukushima Daiichi nuclear plant.
A hydrogen–air–steam mixture will ignite and burn when its composition is within a critical range, illustrated in Figure S4.1. If there is too much or too little hydrogen or too much steam, there will not be enough energy to sustain combustion; in such cases the mixture is said to be nonflammable. As the amount of steam decreases, the mixture enters the flammable range and combustion will occur if a sufficiently strong ignition source is available.
Combustion starts at the ignition source and propagates through the mixture as a chemical reaction wave. If this wave moves through the mixture at less than the speed of sound then combustion is said to be a deflagration. If the wave moves through the mixture faster than the speed of sound, then combustion is said to be a detonation. The more general term explosion encompasses both deflagration and detonation combustion.
Hydrogen deflagration results in much lower pressures and less structural damage to confining structures than detonations; the latter produce very damaging overpressures and are likely to result in structural failures. A deflagration can, under certain circumstances (discussed in NEA, 2000), accelerate and transition to a detonation wave. Regardless of combustion speed, hydrogen explosions can be very destructive when large volumes of combustible gas within confining structures are involved, as was the case for Units 1, 3, and 4 at the Fukushima Daiichi nuclear plant.
FIGURE S4.1 Flammability diagram for a nominal temperature of 100°C and a pressure of 1 bar. Values on the x axis represent the steam concentration as a percentage of the hydrogen–air–steam mixture and the values on the y axis represent the hydrogen concentration as a percentage of the hydrogen–air mixture. Steam concentration can be as high as 100 percent at 100°C. The distances L are the characteristic dimensions of a compartment or room in the reactor building or containment that will allow detonation to occur. Note that the boundaries in the diagram are guidelines intended only to indicate possible outcomes of ignition of a mixture. A wide range of behaviors—including no explosion, deflagration, high-speed flames, and detonation—can be observed in the flammable region depending on the strength and location of ignition sources as well as the spatial distribution of hydrogen and steam (see NEA  for further discussion). For large volumes, such as the refueling areas on the upper floors of the Fukushima Daiichi reactor buildings, there may be potential for transition to detonation for some mixtures that are within the blue-shaded region marked “deflagration” (see Chapter 3 of NEA (2000) for further discussion).
SOURCE: Adapted from NEA (2000, Fig. 7.1.1-3). Based on data from Figure 7.1.1-3 from Breitung et al. (2000).
FIGURE 4.5 Photos showing damage to the reactor buildings at the Fukushima Daiichi plant from the Unit 1, 3, and 4 hydrogen explosions. (A) Unit 1 exterior; (B) Unit 3 exterior; (C) Unit 3 interior at the operating floor level (i.e., the upper floor of the building where the spent fuel pool is located); (D) Unit 4 exterior; (E) Unit 4 interior at the operating floor level. SOURCE: Courtesy of TEPCO.
and location of the reactor core and generation of hydrogen during the accident. They are based on detailed physical models of the reactor units (e.g., models of the reactor core, reactor pressure vessel, containment, and reactor building) and information about important operational events that occurred during the accident (e.g., operation of various safety systems and the timing and rates of water injection).
Two simulation tools have been used for this purpose: MELCOR, developed for the U.S. Nuclear Regulatory Commission (USNRC) by Sandia National Laboratories; and MAAP, developed for industry by the Electric Power Research Institute. These models have been extensively compared against a wide range of experiments with simulated accident conditions as well as analysis of the 1979 Three Mile Island accident.58 Simulations of the accident using these tools have been carried out to date by Gauntt et al. (2012a,b), TEPCO (2012c), Yamanaka (2012), and EPRI (2013). Some of the key results of these simulations for Units 1-3 are described below.
There is extensive experience with modeling severe accidents in Mark I containments59 for the relatively simple accident scenario that occurred in Unit 1: the reactor pressure vessel was isolated except for mechanical venting into the suppression chamber through automatic operation of the safety relief valves, and there were no active cooling measures for at least 14 hours after the earthquake. Consequently, the MELCOR and MAAP simulations for Unit 1 likely have better fidelity to reality than the simulations for the other units.
The results of simulations for Unit 1 are summarized in Table 4.2. They agree reasonably well even though the groups doing the simulations used different assumptions about operator actions, equipment behavior and effectiveness, cooling-water flow rates, and other key events. These simulations are being refined as new information is emerging from TEPCO’s continuing investigations into the accident (e.g., Kawabe, 2012; TEPCO, 2013).
The simulations suggest the following sequence of events for the accident: With the isolation condenser valves closed and no cooling to the reactor after the loss of all electrical power (see Section 4.3.1 of this chapter), decay heat generated in the fuel boiled the water in the reactor pressure vessel, increasing its pressure and causing the safety relief valves to open. This allowed steam to exit the reactor pressure vessel, dropping its liquid water level. The steam was exhausted to the suppression pool. Condensa-
58 The accident involved the partial meltdown of the Unit 2 reactor core.
59 U.S. severe reactor accident consequence studies (USNRC, 1990, 2013c,d) have modeled core-melt accidents at the Peach Bottom Atomic Power Station, which also has a Mark I containment.
TABLE 4.2 Key Results for Accident Progression Simulations in Unit 1
|Event||Time After Earthquake
|Core exposure (TAF)||+2.5 to +3|
|Core damage begins||+4||Core damage timing is nominal and based on Sandia MELCOR analysis (Gauntt et al., 2012a)|
|Core fully uncovered||+4.5 to +5|
|MSL ruptures||+6.5||Considered by Sandia MELCOR analysis only (Gauntt et al., 2012a)|
|RPV damage||+9 to +11|
|RPV melt-through||+14||Probably occurred at +13 h, could have been as late as +16 h|
|Containment leaks||+3 to +6||Depends strongly on assumed failure modes|
|Hydrogen generated (kg)||900 kg; amount depends on extent of core–concrete interaction|
|Containment venting||+23.7||Known from actions of operators and pressure records|
|Explosion||+24.8||Known from both seismic and video recordings|
NOTES: MSL = main steam line; RPV = reactor pressure vessel; TAF = top of active fuel.
SOURCE: Estimates based on MELCOR and MAAP simulations by Gauntt et al. (2012a), TEPCO (2012c), Yamanaka (2012), and EPRI (2013).
tion of steam in the pool raised its temperature and also increased pressure within the suppression chamber.
Continued depressurization lowered water levels in the reactor pressure vessel. At about +2.5 to +3 hours, all simulations predict that the water level in the Unit 1 reactor pressure vessel dropped enough to expose the active portion of the fuel in the reactor core; within +4.5 to +5 hours, the liquid level dropped below the bottom of the active portion of the fuel. Uncovering of the fuel in the reactor core likely initiated the following sequence of events:
• The temperature of the fuel cladding increased quickly, which accelerated the highly exothermic oxidation reaction between the cladding
and steam in the reactor. This reaction generated hydrogen (see Sidebar 4.1) and released heat.
• As temperature continued to increase, pressures inside the fuel rods (from buildup of gaseous fission products) also increased and cladding strength decreased. This caused the cladding to balloon and fail, releasing fission products.
• As temperature increased further, the fuel cladding (and eventually the fuel itself as well as the cladding, control rods, and reactor internals) began to melt, forming a molten mixture referred to as corium.
• The corium flowed downward onto the lower head of the reactor pressure vessel causing it to melt and fail.
• The molten mass flowed onto the concrete floor of the containment. (The simulations estimate that about 139 tonnes of molten material were released into containment.)
• The molten material attacked the concrete and was further oxidized by water that was injected into the reactor starting at about +15 hours.
MELCOR simulations predict that about 900 kg of hydrogen was generated in Unit 1. Production of hydrogen likely started 12-15 hours before the explosion in the unit. The hydrogen and fission product aerosols (particularly iodine and cesium) probably leaked into the reactor building over a similar period of time. Sandia (Gauntt et al., 2012b) proposed that the extended period of high pressure within the containment caused stretching of the bolts fastening the containment head, opening a gap and allowing gas and fission products to flow directly from the containment into the reactor building. TEPCO (2012b, p. 340) suggests a number of potential leakage pathways in addition to the containment head seal, including equipment and personnel access hatches, and/or electrical cable penetrations; or through the standby gas treatment system when the containment was deliberately vented.60
The hydrogen explosion in Unit 1 occurred at 15:36 on March 12. The steel siding covering the upper portion of the building (above the refueling floor) was blown off (see Figure 4.5A); five workers were injured and preparations for connecting water injection and power were disrupted. The ignition source for the hydrogen explosion is unknown but could have been
60 TEPCO (2012b, pp. 351-352) notes that the standby gas treatment system may not have been isolated from the stack at the time of venting.
a hot surface, an electric arc from damaged electrical wiring, or a spark from exposed contacts on a motor.61
The explosion was quite disturbing to the plant personnel, who did not initially understand what had happened. Once they recognized that a hydrogen explosion had occurred and realized (Investigation Committee, 2011, pp. 244-247) that explosions could occur in the other units, they began to fear more explosions could take place. Methods were considered for venting the reactor buildings such as removing blowout panels. However, it was not feasible to send personnel into the buildings to remove the panels because of high radiation levels and explosion hazards. Plant personnel considered using a water jet to cut holes in the building, but this type of complex operation was not feasible under the working conditions at the plant.
Videos of the explosions were captured on a camera set up by a local television station and replayed over the Internet and evening news. This contributed substantially to the public’s anxiety, particularly in Japan. The videos were, however, useful to the site superintendent and the staff in determining what had happened to the unit.
Simulations similar to those carried out for Unit 1 have been performed for Units 2 and 3. They are not described in detail here in the interests of brevity.
As noted previously, there was no hydrogen explosion in Unit 2. The reasons for this are unclear. Based on the amount of time that the core was uncovered and the estimated hydrogen generation rates, a substantial amount of hydrogen is likely to have been generated. The containment pressure in Unit 2 reached the extreme values (0.75 MPa) between +80 and +90 hours after the reactor core isolation cooling system stopped (at +70 hours) and seawater injection was initiated. This pressure is similar to that reached in Unit 1, and so similar venting of hydrogen from the containment to the reactor building might have occurred.
There is speculation (Investigation Committee, 2012, p. 70; TEPCO, 2012b, p. 342) that a hydrogen explosion was prevented in Unit 2 because a building panel was blown out62 from the upper level, just above the refueling deck. The presence of an opening in the building may have created
61 An extensive discussion of possible ignition sources is given by the Investigation Committee (2012, pp. 65-70). Just prior to the explosion, efforts were nearing completion to reconnect power to the standby liquid control system. It is possible that an electrical fault in equipment attached to the buses being energized caused the ignition (2012, pp. 68-69).
62 The panel was apparently knocked out by the pressure wave from the explosion in Unit 1 and was hanging by its restraining chains. The pressure differential required to cause this is about 3.5 kPa (0.5 psi). Following the explosion in Unit 3, the chains were observed to be broken and the panel had dropped to the roof of the turbine building (Investigation Committee, 2012, p. 70).
a pathway for hydrogen to flow outside the building, thereby preventing a buildup of an explosive atmosphere. Although plausible, this scenario needs more careful analysis to understand the effectiveness of this vent. Further information about hydrogen generation and transport will likely be obtained as the Unit 2 reactor is dismantled and studied.
The vent effectiveness will depend on the location, rate, and duration of the gas release from the containment, the hydrogen content, and the gas motion within the upper volume of the reactor building. It is unclear if the panel opening (approximately 4.3 × 6 m; see Investigation Committee, 2012, p. 70) would be effective in preventing a flammable atmosphere from being formed. The panel was near the refueling floor, and a substantial portion of the fifth-floor volume was above the upper edge of the opening.
There may be other reasons that an explosion did not occur in Unit 2: for example, insufficient hydrogen may have been generated and released within the Unit 2 reactor building. Alternatively, there may have been a special set of circumstances that resulted in an inert atmosphere or the lack of an ignition source.
The hydrogen explosion in Unit 3 occurred at 11:01 on March 14. It destroyed the upper portion of the reactor building (floors 3 and 4 were heavily damaged and floor 5 was demolished; see Figure 4.5B,C) and injured 11 workers. As noted previously in the chapter (see Section 4.3.2), the debris from this explosion damaged equipment and spread radioactive debris. It also forced field workers to retreat to the onsite ERC, further delaying the accident response.
The hydrogen explosion in Unit 4 (see Figure 4.5D,E) caused much concern at the time of the accident because the reactor did not contain any fuel; it had been offloaded to the spent fuel pool in the reactor building. There was initial concern that spent fuel in the pool had become uncovered and had reacted with the steam to form hydrogen.63 This would have likely resulted in large uncontained fission product releases.
In fact, it now appears that the hydrogen in Unit 4 reactor building came from Unit 3, through an unexpected path. There was substantial destruction on the fourth and fifth floors of Unit 4. The pattern suggests that the hydrogen reached the building by flowing back through the ventilation system for the standby gas treatment system.
4.3.6 Spent Fuel Pools
As noted in Chapter 1, the committee has deferred its analysis of spent fuel safety and security to a subsequent report. Consequently, this section
63 Currently, there is no evidence of fuel damage in the Unit 4 spent fuel pool, but this was not immediately known at the time of the accident.
TABLE 4.3 Spent Fuel Storage at the Fukushima Daiichi Nuclear Plant on March 11, 2011
|Storage Location||Spent Fuel (Assembliesa)||Fresh Fuel (Assemblies)|
|Cask storage building||408||0|
a A boiling water reactor fuel assembly contains about 170-185 kg of uranium.
SOURCE: TEPCO (2012b, p. 299).
provides only a brief discussion of events in the spent fuel pools at the Fukushima Daiichi plant.
A large amount of spent fuel was in storage in pools in the Unit 1-6 reactor buildings at the time of the earthquake and tsunami (Table 4.3). The September 2011 supplemental report by the Japanese government to the International Atomic Energy Agency (Government of Japan, 2011a) concluded that it is a highly likely that spent fuel was not exposed to air in the Unit 1-3 spent fuel pools and that mass damage did not occur in the Unit 4 pool.64 Power was restored to the Unit 5 and Unit 6 pools and the common spent fuel pool before their temperatures increased significantly.
Investigations of the Unit 1-4 spent fuel pools have to date uncovered no evidence to contradict the Japanese Government’s initial conclusions. Efforts are now under way by TEPCO to move spent fuel from the Unit 4 pool into the common pool.
Nevertheless, the events at the Fukushima Daiichi plant highlight concerns about the vulnerability of spent fuel pools to severe accidents. These pools are located outside plant containment; consequently, accidents involving loaded spent fuel pools have the potential to produce substantial radioactive material releases.
64 TEPCO was transferring spent fuel from the Unit 4 pool to the common spent fuel pool when the present report was being completed. There have been no indications of damage to the fuel to date.
In the committee’s judgment, the severity of the accident at the Fukushima Daiichi nuclear plant following the March 11, 2011, earthquake and tsunami were the result of six factors:
1. The loss of all AC/DC power in Units 1-4 narrowed options for responding to the accident.
2. Operators lacked resources, procedures, and training to promptly reestablish reactor cooling and to vent containments using alternative methods for accidents involving loss of all AC/DC power.
3. Multiunit interactions complicated operator responses.
4. Communication failures hindered responses to the accident.
5. Confusion about ERC roles and responsibilities delayed and in some cases prevented effective responses to the accident.
6. Staffing levels were insufficient for responding to the accident.
These factors are discussed briefly in the following sections.
4.4.1 Loss of Power
The Fukushima Daiichi accident significantly exceeded the beyond-design-basis events that TEPCO postulated and resulted in different conditions than those assumed when accident management strategies were developed (TEPCO, 2012b, p. 51). Neither the plant’s engineered systems nor severe accident management procedures were sufficient to handle the situation; in fact, a majority of the “preplanned” response options as embodied in the TEPCO accident management procedures were not applicable to the situations that the plant’s operators confronted.
For example, procedures to cool the reactors using various installed emergency core cooling systems (e.g., isolation condenser system, reactor core isolation cooling system, high-pressure coolant injection system) were specified in accident management procedures. Other means of emergency cooling via control-rod-drive hydraulic pressure systems, makeup water condensate system, and the fire protection system were also identified options in these procedures. However, once power was lost, all of the motor-operated systems became inoperable.
Provisions were in place in the plant’s accident management procedures to handle loss-of-power incidents. These included multiple emergency diesel generators in each unit to cope with loss of offsite power. In addition, plans were in place to allow high- and low-voltage AC power supply to be fed from adjacent units. This was intended to cope with delays in AC power restoration or unavailability of DC power at one of the units. In spite of
these provisions, AC and DC power could not be restored to some plant units for several days.
Loss of AC and DC power also had unanticipated systems effects. The best example is the isolation condenser system and its complex interlocks described in Section 220.127.116.11. In fact, nuclear plants have numerous systems containing complex interlock and failsafe logic that are not readily apparent from user interfaces. It can be a challenge to anticipate the effects of power losses on such systems. Experience in the aviation industry has led to development of principles and guidelines for how to design automated systems so that their behavior can be more readily anticipated (e.g., Norman, 1990; Sarter et al., 1997). This experience base can be leveraged in design of next-generation nuclear plant control rooms, as well as control room upgrades to existing plants, to enable operators to maintain better situational awareness of the status of automated systems and how systems are likely to be affected by events such as loss of power. The nuclear industry’s FLEX initiative (NEI, 2012) and the USNRC’s station blackout order (USNRC, 2012b) are intended to address potential systems effects in current-generation nuclear plants. (The FLEX initiative and USNRC actions are discussed in Chapter 5 and Appendix F.)
4.4.2 Resources, Procedures, and Training
The majority of the “preplanned” response options embodied in the TEPCO accident management procedures were not applicable to the situations that operating staff confronted following the earthquake and tsunami. Although operators underwent extensive training, that training did not cover the accident scenarios that unfolded at the plant following the March 11 tsunami. For example, although there were procedures and training for venting, these procedures assumed that power would be available to operate the venting valves from the control room. Procedures and training also assumed that plant indicators would be available in the control room. Onsite ERC staff training assumed that the safety display parameter system and communication lines with control rooms would provide good situational awareness of plant state and operator actions.
Operators could not take critical control actions from the control room; instead, they had to take manual actions in the field. Radiation releases in the plant and limited access to personnel dosimeters65 hampered the ability of personnel to perform their duties, both in the control room
65 TEPCO (2012b, Attachment 2, pp. 13-14) notes that approximately 5,000 personnel dosimeters that were stored at the plant were rendered inoperable by the tsunami. TEPCO was able to recover about 320 dosimeters from various sources at the plant by the night of March 12.
(see Section 4.2) and in the field. Some field activities required multiple teams because of difficult onsite conditions. Flooding, debris, and other hazards caused by the tsunami challenged the field response; hydrogen explosions further set back response activities. The operators encountered situations that went well beyond their training for responding to off-normal conditions.
Unit operators and the onsite ERC staff had to fall back on “first principles” reasoning and problem solving to respond to the rapidly unfolding events at the plant.66 This required active diagnosis and tracking of plant conditions, goal identification and prioritization, adaptive problem solving, and development and rehearsal of ad hoc response plans. Plant personnel displayed creativity in responding to the accident. For example, plant operators
• Restored some control room lighting, instrumentation, and control systems using batteries from employee automobiles and portable generators from contractor warehouses;
• Used fire engines to inject cooling water into the reactor, an option not specified in accident management procedures;
• Injected seawater into the reactors when freshwater supplies became unavailable; and
• Developed and implemented a plan to vent containment without power.
Some of these response actions are similar to the accident response actions required under Section B.5.b of the Order for Interim Safeguards and Security Compensatory Measures (described in Chapter 2). These include the use of fire engines for water injection and batteries to restore water-level gauges and operate steam safety relief valves (TEPCO, 2012b, p. 54). However, TEPCO (2012b, p. 54) notes that B.5.b information was not available to private electrical utilities in Japan.67
Accidents frequently involve a confluence of interacting faults resulting in situations that have not been previously anticipated, placing a premium on the ingenuity and adaptability of plant personnel. In the committee’s judgment, the personnel at the Fukushima Daiichi nuclear plant showed
66 This type of “on-the-spot” reasoning and problem solving is referred to as “knowledge-based” performance in the human factors literature.
67 As noted in Chapter 2, Section B.5.b was designated by the USNRC as Safeguards Information and so it was exempt from public release. Consequently, TEPCO would not have had direct access to this information. However, as discussed in Chapter 7, the USNRC shared some B.5.b information with Japanese government authorities. Moreover, as noted in Appendix H, information about B.5.b requirements was released to the public as a result of a 2009 rulemaking by the USNRC.
TEPCO’s Fukushima Daini nuclear plant (see Chapter 3) sustained severe damage from the March 11, 2011, earthquake and tsunami. However, operators were able to bring the plant’s four reactors to cold shutdown by the morning of March 15. Their actions illustrate the successful application of emergency operating and accident management procedures in response to a severe external event.
The earthquake shut down two of the three available offsite AC power lines to the plant (another line was shut down for inspection at the time of the earthquake). Flooding from the tsunami damaged power distribution systems and pumps for the emergency core cooling and residual heat removal systems in the Unit 1, 2, and 4 reactors. However, AC power from one offsite power line and onsite DC power remained available following the earthquake and tsunami. Consequently, operators were able to maintain instrument and control room command over critical plant systems.
Operators used safety relief valves and reactor core isolation cooling systems to lower reactor pressures in Units 1, 2, and 4 following the tsunami; reactor pressures were less than 1 MPa 8 hours after the tsunami. Cooling was then transitioned seamlessly to low-pressure water injection with an alternative water supply (the makeup water condensate system) by midnight of March 11. The water levels in the reactors were maintained at or near the “L8” level, over 5 m above the top of active fuel, during the cooldown phase. Drywell and suppression chamber sprays were used to control containment pressures to less than 0.4 MPa until power was restored to the residual heat removal systems on the morning of March 14.
Operators were able to quickly and successfully execute several critical tasks that operators at Fukushima Daiichi attempted but could not complete. These included lining up vent valves, arranging alternative water supplies, controlling reactor core isolation cooling systems, and, most important for recovering the residual heat removal system, laying and connecting alternative power cables and replacing damaged motors, all carried out by hand or by using crane trucks. Operators took some actions (e.g., lining up vent valves) in anticipation that the accident
courage and resilience in responding to the March 11, 2011, accident under extraordinarily difficult conditions. Their actions potentially prevented even more severe outcomes at the plant.
The response of operators at the Fukushima Daini plant to the earthquake and tsunami (Sidebar 4.2) demonstrate the successful application of accident management/emergency operating procedures and operator training to extreme accident scenarios. The response at Fukushima Daini was a huge success story in its own right (albeit because some power sources survived the tsunami). However, this success was overshadowed by events at the Fukushima Daiichi plant.
might become more severe; however, existing emergency operating procedures were adequate for bringing the reactors to cold shutdown. Only one ad hoc measure suggested by the onsite ERC—water injection into the suppression chamber using an alternative water source—was employed (TEPCO, 2012b, p. 54).
Although operators at Fukushima Daini faced some of the same challenges as those at Fukushima Daiichi—most notably onsite access difficulties due to tsunami-related flooding and damage and earthquake aftershocks—there were some key differences: flooding at the Fukushima Daini plant was not as severe, AC and DC power were continuously available in functioning control rooms, and onsite response efforts were not hindered by debris and radioactive contamination from hydrogen explosions. Operators also did not have to enter dark and contaminated reactor buildings to mount a response, but could monitor and control reactors from their control rooms. The communications and command structure functioned properly: the onsite ERC had a functional safety parameter display system and continuous communication with the control rooms.
According to TEPCO (2012b, p. 55):
During the accident, the decision-making procedure where the Shift Supervisor made determinations and the ERC at the power station made verifications was generally adhered to. This allowed operational manipulations to be implemented in a timely manner according to plant conditions and also was effective in allowing the ERC at the power station to fulfill its function of keeping a big-picture perspective to maintain oversight of response strategies and to manage equipment restoration activities.
Comparing the responses at the Fukushima Daiichi and Daini plants, where operators presumably received the same levels of training, it is clear that the loss of all AC and DC power at Fukushima Daiichi precipitated a series of cascading failures that simply overwhelmed operators. In a sense, the events at Fukushima Daiichi represent a “cliff edge” in accident management capabilities.
TEPCO anticipated and trained its operators for the situations they encountered at Fukushima Daini and the response was effective. TEPCO never anticipated or trained its operators for the events at Fukushima Daiichi; the response was ineffective and the consequences were disastrous.
In discussing the difficulties experienced at Fukushima Daiichi, the Investigation Committee (2011, p. 141) noted:
[T]hey did not assume that a situation in which multiple nuclear reactors losing all power sources almost simultaneously would occur and thus did not provide the training and education necessary to implement measures to control such a serious situation.
Koichio Kitazawa (Chairman of the Rebuild Japan Foundation Investigation Commission; see RJIF, 2014) put it more succinctly (NPR interview,
March 9, 2012): “You can’t adequately prepare for a disaster that you don’t admit can ever happen.”
4.4.3 Multiunit Interactions
The colocation and close spacing of Units 1-4 and the extensive sitewide impacts from the tsunami and earthquake also hindered the accident response. In particular, harbor-side tsunami damage, earthquake damage to cisterns and water-supply piping, displacement of road surfaces, landslides, and blockage of roads and building access by debris are examples of damage common to Units 1-4 at the site. This damage impeded efforts to establish alternative cooling water, power, and compressed air sources.
Control rooms at the Fukushima Daiichi plant are shared between pairs of reactor units (see Appendix D). The ventilation systems in Units 1 and 2 and 3 and 4 are also paired together. This pairing apparently allowed hydrogen generated in the damaged Unit 3 reactor to flow into the Unit 4 reactor building. Hydrogen explosions in the Unit 1, 3, and 4 buildings scattered debris and caused substantial ground contamination around the buildings, damaged temporary installations for water injection and electric power, and injured workers. The hydrogen explosions in the Unit 3 and Unit 4 buildings also affected the management of the accident at all units because personnel at the site were reduced to a bare minimum for a time and recovery operations at the reactor units were halted.
The units also competed for physical resources and attention and/or services of the onsite ERC staff. Some of these resource competitions were described previously in the chapter: the competition for fire trucks to pump water into the Unit 1-3 reactors and the limited space in a valve backwash pit to siphon water. These limitations made it impossible to supply seawater to both Unit 3 and Unit 2 simultaneously.
Interviews with onsite ERC staff as reported by the Investigation Committee (2011) suggest that at different points in time, the onsite ERC focused attention on one unit at the possible expense of others. For example, the delay in recognizing that the isolation condenser was shut in Unit 1 was partly explained by the fact that ERC was initially focused on Unit 2 because it could not confirm that its reactor cooling isolation system was functioning.
In contrast, colocation had great value for the accident response at Units 5 and 6 at the Fukushima Daiichi plant and at the Fukushima Daini plant despite the sitewide earthquake and tsunami damage. Colocation enabled power to be cross-connected between units and also enabled mutual aid for the timely recovery of cooling and reactor pressure vessel depressurization, thereby preventing reactor damage.
Failures to transmit information and instructions in an accurate and timely manner played an important role in shaping actions at certain points during the accident response. These include the inability of operators to get appropriate attention and clear instructions from the onsite ERC. Lack of cooperation between operators and contractors’ “partner companies” was also a challenge. The overwhelming nature of the accident and the lack of training to cope with its many challenges may have played key roles in these communication and coordination failures.
The earthquake and tsunami damaged physical communications (voice and data transmission) systems and hampered travel on the site. As noted previously, the failure of instrumentation within the control rooms and lack of operational safety parameter display systems required that data be relayed verbally over a single telephone line between the control rooms and onsite ERC. Data had to be written on whiteboards in the ERC and reported by video or telephone conference to Tokyo. Radios and cell phones had limited functionality in many parts of the site, requiring plant personnel to traverse the debris-strewn site to report findings, coordinate activities with unit operators, and obtain instructions from the onsite ERC.
As the accident progressed the site became progressively contaminated due to the spread of radioactive materials. This further hampered communications, particularly when site personnel were temporarily evacuated following the hydrogen explosion in Unit 3. These same factors also made it difficult for site personnel to communicate with the outside world, including with their families. (A notable aspect of the accident was the fact that the plant personnel remained onsite and worked diligently without news about their families.)
Some notable examples of communication failures were mentioned previously in this chapter:
• Miscommunications about operations of valves and status of the isolation condenser in Unit 1;
• Miscommunications about the need for batteries to operate the safety relief valves in Unit 1;
• Lack of coordination between shift team and firefighters because neither understood the responsibility given to them by the site superintendent for hooking up the fire truck pump to the Unit 1 fire protection system;
• Incorrect battery types (2V instead of 12V) were supplied to depressurize the safety relief valves in Unit 2; plant personnel had to scavenge their automobile batteries instead;
• Portable generators were delivered with incorrect voltage and connectors;
• Miscommunications about why the high-pressure coolant injection system was halted in Unit 3 and the need for an alternative water injection supply; and
• Breakdown in communications among the shift teams, onsite ERC, offsite ERC, NISA, and the prime minister’s office about the situation inside and outside of the plant.
4.4.5 ERC Roles and Responsibilities
The lack of clarity about roles and responsibility within the onsite ERC as well as between the onsite ERC and the headquarters ERC in Tokyo proved to be a source of distraction for members of the onsite ERC and may have contributed to response delays. TEPCO personnel, in their presentations to this committee, indicated that there was confusion in the chain-of-command structure due to the complexity and multiunit nature of the accident. In particular, the organizational structure within the onsite ERC (which defined 12 function teams) was effective for situations that were explicitly covered by the accident management procedures, but they proved to be inadequate for the performance of tasks that fell outside the procedures. In particular, defining roles and responsibilities for tasks that were not covered by the procedures (e.g., water injection using fire engines) proved challenging and resulted in substantial response delays.
4.4.6 Staffing Plan
A presentation from TEPCO (Kawano, 2012) and discussions with TEPCO personnel during the committee’s November 2012 meeting in Tokyo indicate that staffing levels were inadequate for managing the accident (see also TEPCO, 2012b, pp. 472, 474). TEPCO had not anticipated accident scenarios where multiple units were impacted simultaneously. The staffing plan assumed that operators from one unit could cover for another unit. Consequently, the plan did not cover accidents that involved multiple units.
The staffing plan also did not anticipate accident situations that extended over multiple days. TEPCO indicated to the committee that there were no handoffs during the initial days of the Fukushima accident: The first shift was present for the next three shifts, and the shift manager was present for 2-3 days straight during the accident. TEPCO recognized that this situation was not sustainable.
TEPCO also indicated to the committee that one of the lessons learned was the need to provide additional shifts and shift handovers in a prolonged emergency. TEPCO’s plan for the future is to have two shifts in the ERC. They also plan to increase shift team staffing because there were so many
things that needed to happen quickly. TEPCO noted to the committee that had the accident occurred at night or on a weekend, the response could have been worse because fewer people would have been present onsite. TEPCO indicated that it plans to increase the number of operators in the night shift from six to eight.
TEPCO also indicated to the committee (Kawano, 2012) that it is taking measures to strengthen the organizational structure for handling simultaneous and compound accidents at multiple units. This includes increasing the number of technical support personnel at the onsite ERC and establishing two technical support rooms in the headquarters ERC to handle the simultaneous occurrence of a nuclear accident and a natural disaster. In a presentation to the committee at its November 2012 meeting in Tokyo, TEPCO General Manager Mr. Arika Kawano specifically noted that TEPCO would
• Designate personnel responsible for individual units to the operation support team and restoration team in the Emergency Response Organization;
• Enhance the night duty structure to strengthen the functions of collecting plant information and external communications immediately after a disaster strikes; and
• Have personnel on standby at each plant 24 hours a day to quickly restore emergency power or inject cooling water.
FINDING 4.1: The accident at the Fukushima Daiichi nuclear plant was initiated by the March 11, 2011, Great East Japan Earthquake and tsunami. The earthquake knocked out offsite AC power to the plant and the tsunami inundated portions of the plant site. Flooding of critical plant equipment resulted in the extended loss of onsite AC and DC power with the consequent loss of reactor monitoring, control, and cooling functions in multiple units. Three reactors sustained severe core damage (Units 1, 2, and 3); three reactor buildings were damaged by hydrogen explosions (Units 1, 3, and 4); and offsite releases of radioactive materials contaminated land in Fukushima and several neighboring prefectures. The accident prompted widespread evacuations of local populations and distress of the Japanese citizenry, large economic losses, and the eventual shutdown of all nuclear power plants in Japan.
Personnel at the Fukushima Daiichi plant responded with courage and resilience during the accident in the face of harsh circumstances; their actions likely reduced the severity of the accident and the magnitude of offsite radioactive material releases. Several factors prevented plant personnel from achieving greater success—in particular, averting reactor core damage—and contributed to the overall severity of the accident:
1. Failure of the plant owner (Tokyo Electric Power Company) and the principal regulator (Nuclear and Industrial Safety Agency) to protect critical safety equipment at the plant from flooding in spite of mounting evidence that the plant’s current design basis for tsunamis was inadequate.68
2. The loss of nearly all onsite AC and DC power at the plant—with the consequent loss of real-time information for monitoring critical thermodynamic parameters in reactors, containments, and spent fuel pools and for sensing and actuating critical valves and equipment—greatly narrowed options for responding to the accident.
3. As a result of (1) and (2), the Unit 1, 2 and 3 reactors were effectively isolated from their ultimate heat sink (the Pacific Ocean) for a period of time far in excess of the heat capacity of the suppression pools or the coping time of the plant to station blackout.
4. Multiunit interactions complicated the accident response. Unit operators competed for physical resources and the attention and services of staff in the onsite emergency response center.
5. Operators and onsite emergency response center staff lacked adequate procedures and training for accidents involving extended loss of all onsite AC and DC power, particularly procedures and training for managing water levels and pressures in reactors and their containments and hydrogen generated during reactor core degradation.
6. Failures to transmit information and instructions in an accurate and timely manner hindered responses to the accident. These failures resulted partly from the loss of communication systems and the challenging operating environments throughout the plant.
7. The lack of clarity of roles and responsibilities within the onsite emergency response center and between the onsite and headquarters emergency response centers may have contributed to response delays.
8. Staffing levels at the plant were inadequate for managing the accident because of its scope (affecting several reactor units) and long duration.
68 See Chapter 3 for a discussion. NAIIC (2012) criticized TEPCO for the lack of adequate tsunami countermeasures at the Fukushima Daiichi plant.