Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
V Lessons-Learned Processes and Implementing Change The fifth session at the conference was on lessons-learned processes and implementing change. The session included presentations from Michael Cor- radini, Paulo Cesar da Costa Carneiro, and Donald Alston and was moderated by Leonam dos Santos Guimarães. Lessons Learned from Vulnerability Assessments for Safety and Security Culture Undertaken after Fukushima (and the NAS Fukushima report) â Michael Corradini, University of Wisconsin Dr. Corradini presented on the U.S. National Academy of Sciences (NAS) Report on Lessons Learned from the Fukushima Accident. 1 The study was re- quested by the U.S. Congress, sponsored by the U.S. Nuclear Regulatory Com- mission (NRC), and carried out over 2 years by an expert committee appointed by the National Academy of Sciences. Dr. Corradini and Dr. Bari served on the committee of 24 experts with chair Norman Neureiter, vice chair John Garrick, and study director Kevin Crowley from the NAS Nuclear and Radiation Studies Board. Dr. Corradini recommended that the workshop participants read the re- portâs detailed chapter on safety culture because it accurately reflects the com- mitteeâs discourse on safety culture. He focused his talk on lessons learned to improve safety and security systems and operations, and lessons learned to im- prove regulation on safety and security. The report draws upon past reports con- ducted in the United States and in Japan, and presents many findings and rec- ommendations on key topics at a relatively high level. 1 National Research Council, 2014. Lessons Learned from the Fukushima Nuclear Ac- cident for Improving Safety of U.S. Nuclear Plants. National Academies Press. Available at http://www.nap.edu/catalog/18294/lessons-learned-from-the-fukushima-nuclear-accident -for-improving-safety-of-us-nuclear-plants. 53
54 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security The Fukushima nuclear accident was caused by the Great Tohoku Earth- quake and ensuing tsunami. The accident and response time line, as well as the interviews of the operators on site and in emergency response centers (both offsite in Fukushima and in Tokyo), showed that the plant personnel responded with courage and resilience. Some of the operators could not determine what was happening in the darkness, so they took batteries from their cars to power their portable instruments so that they could determine pressures, temperatures, and conditions in various parts of the plant and continue their emergency actions and operations. However, several factors related to management, design, and operation of the plant prevented personnel from achieving greater success. A large part of the Japanese government report 2 focused on management and culture. The NAS report borrowed extensively from those discussions and investigations. Both reports make observations similar to those raised in this workshop on expecting the unexpected and having a robust operator development training program that actively seeks out new information about potential plant safety hazards. At the beginning of the report process, many of the NAS study committee members believed that Japanâs ability to withstand seismic events was large. The accident surprised many in Japan, and Dr. Corradini believes it should lead to better un- conventional thinking about the potential for extreme external events. He then discussed several categories of recommendations from the report. The first category, nuclear plant systems, notes that the concept of nuclear safety is different from conventional safety ideas. Nuclear power is a unique technolo- gy because of the constant presence of residual heat 3 that must be removed to an ultimate heat sink. If heat is not removed, an accident can become unmanagea- ble. Most of the recommendations in the nuclear plant systems category involve the ability to detect, measure, and understand what is occurring during an acci- dent, and to control the system enough to remove the decay heat to the ultimate heat sink. This mitigation step requires direct current power for instrumentation and the ability to maintain real-time monitoring of the plant, even under a loss of power. In addition to instrumentation monitoring and critical parameters like hydrogen monitoring and mitigation, the most important step is to maintain communication and real-time information flow. As the U.S. NRCâs report and other reports note, the inability of plant personnel to communicate with the owner-operator, Tokyo Electric Power Company, and back to officials in Tokyo contributed significantly to the accident. 2 National Diet of Japan Fukushima Nuclear Accident Independent Investigation Commission (NAIIC), 2012. Available at http://warp.da.ndl.go.jp/info:ndljp/pid/3856371/ naiic.go.jp/en/report/. 3 Nuclear fuel continues to generate heat due to radioactive decay even after the shut- down of the nuclear chain reaction in the reactor core. The fuel generates heat at dimin- ishing levels for years after reactor shutdown.
Lessons-Learned Processes and Implementing Change 55 The second relevant category of recommendations is training. Because the site has multiple reactors, it is important to train for an emergency with multiple reactors under stress. Three reactors were under stress in a site of six, and that caused enormous difficulties, as personnel were trying to control unit one at the same time that they were trying to stabilize units two and three. Much of the response was ad hoc, and the committee thought that the operators should have trained for a full range of conditions under emergency operation. Plants all around the world should be looking to improve operations and abilities in this area. The committee recommended that the U.S. NRC and the industry strengthen risk assessment capabilities for extreme events that challenge the plant systems and impair critical functions. The regulatory structure needs modern risk analysis techniques, which can identify unnecessary measures so that an organization can better prioritize resources. Finally, a number of the committee members pointed out that there are advantages and disadvantages to probabilistic risk assessment, 4 and we have to understand both as we proceed to use it. The committee also offered recommendations on offsite emergency re- sponse. The United States conducts site training exercises involving all of the relevant parties: plant operators, the U.S. NRC, the Federal Emergency Man- agement Agency, and the states where the plants are located. The committee believed it was very important to have clear emergency management responsi- bilities, to know who is in charge of what when an event occurs. Training should also assess and evaluate emergency preparedness over time and be evaluated continually and revised in case of an extreme external event. Finally, Dr. Corradini mentioned a few points from the chapter on safety culture. There were strong views on the committee about safety culture and whether it exists and should be improved in the United States. The consensus view was that it should be examined and closely monitored within the U.S. NRC and the nuclear industry. The committee built on a number of reports from the Japanese, the Near-Term Task Force of the Nuclear Regulatory Commission, the American Nuclear Society, and other groups. 5 Many of the findings and recom- mendations on what occurred at Fukushima are not different from these reports, but the committee tried to be comprehensive in connecting what was done in the past to important new observations, such as on safety culture. The committee 4 See page 188 of National Research Council, 2014. Lessons Learned from the Fuku- shima Nuclear Accident for Improving Safety of U.S. Nuclear Plants. National Acade- mies Press. Available at http://www.nap.edu/catalog/18294/lessons-learned-from-the- fukushima-nuclear-accident-for-improving-safety-of-us-nuclear-plants. 5 See U.S. Nuclear Regulatory Commission, 2011. Recommendations for Enhancing Reactor Safety in the 21st Century: The Near-Term Task Force Review of Insights from the Fukushima Dai-Ichi Accident. Available at http://pbadupws.nrc.gov/docs/ML1118/ ML111861807.pdf; and American Nuclear Society, 2012. Fukushima-Daiichi: ANS Committee Report. Available at http://fukushima.ans.org/report/Fukushima_report.pdf.
56 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security also used the term regulatory capture to describe the insufficient independence in Japan between the regulator and the regulated utility. The importance of a strong safety culture and of an independent regulator that is transparent cannot be overemphasized. While many members of the committee believed that the United States has a strong safety culture, transpar- ency, and an independent regulator, many members also suggested that relevant facts were not readily accessible. From a communication standpoint, the system has not been as effective as needed. Fukushima Response Plan by Eletronuclear: An Overview â Paulo Cesar da Costa Carneiro, Eletrobras Eletronuclear Dr. Carneiro gave an overview of Brazilian studies and the Brazilian re- sponse to the Fukushima accident. He first explained the layout of the Angra Nuclear Power Station in Brazil and its three reactors, including one under con- struction to become operational in 2018. Immediately after the Fukushima acci- dent, Eletronuclear reacted by establishing a Fukushima Response Management Committee of broad experts to evaluate safety at the site. Working groups of specialists gathered and evaluated information about the Fukushima accident onset, development, and consequences; identified lessons learned applicable to Brazilian nuclear power plants; performed safety assessments; participated in national and international discussion forums on these lessons learned; and sub- mitted a 5-year executive plan to the Comissão Nacional de Energia Nuclear (CNEN, the National Nuclear Energy Commission) in December 2011. This Fukushima Response Plan consisted of 56 initiatives, studies, and design modi- fications, totaling an estimated $150 million in recommended safety improve- ments. The plan also included developing stress tests to improve understanding of site safety, and these results formed the basis for the safety review and re- sponse. Many of the initiatives were aimed at protection from hazardous events, provision of cooling capacity, or mitigation of radiological consequences. In the first area, protection from hazardous events, the plan considered both external events (earthquakes, rainfalls, landslides, tidal waves, and tornadoes) and inter- nal events (fires and internal flooding). External event analysis led to updating of databases, reevaluation by updated methodologies using a probabilistic ap- proach, and the verification of safety margins. For internal events, the plan reevaluated the plants, taking into consideration up-to-date safety requirements, and identified design gaps. The Angra site was characterized as a âlow seismic siteâ with a similarly low tornado probability, though action plans for further evaluation of the latter hazard are under way. Given a prospect of large rainfalls and the potential for landslides around the site, the plan recommended an enlargement of the slope drainage system and reinforcement of stabilization works protecting the station. A reevaluation of flooding levels under more severe conditions was conducted
Lessons-Learned Processes and Implementing Change 57 and concluded that the current design flooding level includes a sufficient safety margin. To counter the threat of tidal waves, a protection jetty allows the site to withstand waves up to 4.4 meters tall, and one initiative is expected to recom- mend structural reinforcement for this jetty. The review reevaluated core cooling emergency scenarios, including sta- tion blackout scenarios and loss of heat sink conditions. Both emergency power systems met U.S. NRC requirements, and Dr. Carneiro also provided an over- view of additional emergency supply alternatives. The plan encompassed three assessment areas. Firstly, it assesses the safe- ty margins of the project. Secondly, it determines what to do with loose safety systems, and thirdly, it evaluated the response to a broad group of natural disas- ters using probability approaches for safety margins. Actions range from inter- connecting the emergency equipment to using external diesel generators to re- charge the batteries and mobile pumps and backup generators for redundancy. All the people onsite are sensitive to the importance of these measures, Dr. Car- neiro said. The 2012 Security Breach at the Y-12 National Security Complex â Donald Alston, Alston Strategic Consulting General Alston presented a security culture case study of an incident at the Y-12 National Security Complex in Oak Ridge, Tennessee. He detailed the breach, how the security forces at the Y-12 National Security Complex respond- ed, and the fundamental circumstances that set the conditions for failure. His content was drawn from websites in the public domain, mostly from the De- partment of Energy (DOE). He then described the initial recovery actions at Y- 12 to shore up gaps in security and his personal observations and their implica- tions for security culture. The event began in the predawn hours on the morning of July 28, 2012, when three trespassers came through the first barrier into the secure area of the Y-12 National Security Complex. They came over a hill and began to cut the first of three fences. After cutting a second and a third, they entered the com- plex. They approached the Highly Enriched Uranium Materials Facility. They defaced it with the name of their organization. They threw blood on it, painted it, and hammered on the walls. Their goals were to deface the facility and then get arrested. Unfortunately, the latter took too long. As soon as they touched the fence, the system operated as designed. Im- mediately, alarms alerted the proper areas and the security response began. There were cameras dedicated to that particular area, but both were inoperative at the time and had been inoperative for months. The integrated security system that included both the sensors on the fence and the cameras was already subop- timal for the incoming threat. An innovative security guard knew that there was another camera that could see this area. It was not part of the integrated system because it was a pan-tilt-zoom camera. These rotating cameras have blind spots
58 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security when looking in the wrong direction, so fixed cameras are thought to be harder for an adversary to evade. It was the only camera available, so the guard seized the moment and looked right at the area with the camera, but did not see the trespassers. While the alarm had sounded and the dispatching process had begun, a slow response was under way. When the first responder arrived and he saw the trespassers, he had already been conditioned to respond lethargically. Alarms sound all the time without an intruder, and he was told that the camera did not see anyone. So he did not respond with urgency, and he did not follow protocol when he found the trespassers. He did not get out of his vehicle and draw his weapon to put them at a disadvantage. All the training he had just escaped him at this crucial moment. Another opportunity was lost when the guards inside the large storage building heard hammering on the wall. They had the opportunity to investigate the noise by looking out a gun port, but they chose not to. The cam- eras were inoperative, but the guards presumed that they were down for mainte- nance. Because the guards were conditioned that they do not always get notified when maintenance is being performed, they did not challenge this assumption. So even though they heard a disturbance, they did not react appropriately either. Ultimately, there was a vast and substantial response by the overall securi- ty team, but it was too late. One of the fundamental problems with this overall set of conditions at the Y-12 facility is that the system had problems from the moment it was deployed and there was inadequate developmental and opera- tional testing. The sensors were generating many false alarms, so the security forces were being conditioned not to run to the sound with guns, but rather to log entries to fortify the documentation for the shortcomings in the security sys- tem. The high false and nuisance alarm rates were not being addressed through maintenance. They were being logged very effectively, in very detailed logs kept by the security forces, but the problems were not being solved. The inoper- ative cameras were not given a high maintenance priority at Y-12, which was inconsistent with other Department of Energy facilities. Extended outages of essential integrated features in the security system were not considered problems. These prolonged outages drove compensatory measures in order to cover the loss of these critical features while the maintenance backlog grew on several different aspects of the integrated security system. Management had been warned a year before the incident that there was going to be reduced security funding. This reduced funding started to reduce the number of compensatory measures that had been put in place to cover the short- comings in the original integrated security system. Overall, this negligence cre- ated a growing acceptance of suboptimal capabilities generating vulnerabilities. The culture accepted this. In addition, the contractor responsible for management and operations at Y-12, Babcock and Wilcox, was responsible for maintaining the security sys- tem. A different contractor, Wackenhut, was in charge of security and responsi- ble for the security personnel. One contractorâs personnel could identify short-
Lessons-Learned Processes and Implementing Change 59 falls, but another contractor had to perform the maintenance on those shortfalls and the operational testing on the overall system. This relationship was not working well. One of these contractors was in competition to renew its contract, and so had an incentive to not make waves. This hesitance was exacerbated by the federal âgovernance transformationâ initiative going on at the time. While well-intended, this initiative sought ways to reduce detailed oversightâto pro- vide broad direction on requirements, but then rely on contractor assurance sys- tems to ensure that work was getting done. The federal officer on the site was put in a position where the mantra was âeyes on, hands off.â This attitude al- lowed the contractors to create their own report cards and score themselves on how effectively they performed against their report card. After the incident the facility repaired the weaknesses and plugged the holes. They immediately fortified the facility to increase the difficulty of its ac- cess by other trespassers. They reduced the false and nuisance alarm rate. Their motivation increased greatly, and suddenly things that seemed to be low priority and had been put off were getting fixed. The security personnel and the man- agement, previously in two different reporting chains to the Department of En- ergy, became part of one contract, where personnel and systems were managed by a single function. The security maintenance priority system was revamped with the highest priority and immediate attention. Months later the secretary of energy asked General Alston and two col- leagues to examine the Y-12 incident, looking across the U.S. nuclear enterprise. They learned that some locations use federal marshals for security, others use contractors like Wackenhut. Another model put the security apparatus under- neath a larger management and operations contract. They offered the secretary a common way ahead to secure nuclear materials in the Department of Energy. 6 One colleague described the situation well: âThere was a pervasive culture of tolerating the intolerable and accepting the unacceptable.â Clearly, the culture at Y-12 had to change. General Alston observed that conditions for successful security culture are as follows: ⢠Responsibility for success is shared by all. ⢠Lines of authority and accountability are clear. ⢠Performance testing focuses on operation effectiveness. ⢠Information flow and self-criticism are incentivized. 6 See Alston, C. Donald and Richard A. Meserve, March 13, 2013. âStatement before the U.S. House of Representatives Committee on Energy and Commerce, Subcommittee on Oversight and Investigations. Hearing on DOE Management and Oversight of Its Nuclear Weapons Complex: Lessons of the Y-12 Security Failure.â Available at http://democrats. energycommerce.house.gov/sites/default/files/documents/Testimony-Alston-Meserve-OI- DOE-Nuclear-Complex-2013-3-13.pdf.
60 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security ⢠Circulate assignments between HQ and the field. ⢠âWalk the talk.â Creating a good security culture is about being able to pass on security culture to others. In a safety context, an environment where everyone is responsible for safety has fewer safety vulnerabilities. The same is true for security. General Alston and his colleagues found that nuclear facility personnel identified with their vital, pivotal role in safety, but that most thought security was the respon- sibility of the security forces. When the team visited the commercial nuclear power generating plant on the Chesapeake Bay at Calvert Cliffs, Maryland, they saw a culture where em- ployees were encouraged to step beyond their functional responsibilities in order to focus on mission success with security or other operations within the com- plex. When security professionals saw something that was out of line, even if it was outside of their functional expertise, they were encouraged to report it. They took on the responsibility to cross those lines to ensure mission success. That kind of ownership of mission success and mission outcomes was missing from Y-12. When they looked up the chain of command at Y-12 to the Department of Energy, it was unclear who was accountable for daily mission success. There were multiple organizational charts, and none of them showed who was ac- countable for security success on a daily basis. Without a self-critical approach to performing testing, such as develop- mental testing or operational testing, an integrated system is impossible. In some cases there was rigorous component testing, but there was no system test done in a disciplined, repeatable fashion. The security mission at Y-12 requires them to be able to answer two ques- tions: How ready are we? And how do we know? A productive security culture feeds a good communication flow. In this particular case, bad news was not flowing up. When there is distrust between headquarters and subordinate units, there can be a sense that headquarters cannot fully understand and relate to what is happening on the ground. In this particular case, scientists move throughout the Department of Energy. Security personnel do not. No security detailees from Oak Ridge, Tennessee, go to headquarters in Washington, D.C., to convey their special concerns, and no one at headquarters can relate to them. Additionally, no one from headquarters comes to Y-12 to recognize their distinctive needs, but also to explain that there are reasons for central influence on particular activities. The failure to develop and circulate security professionals in and out of the headquarters allowed the mistrust that existed to persist. There was no regular, consistent emphasis on the pivotal role of security from the top that was propa- gated down to every member of the organization. Leadership had a serious chal- lenge.
Lessons-Learned Processes and Implementing Change 61 General Alston closed by presenting a list of virtuous attributes of a posi- tive security culture. Culture does not exist in a static environment, and there are pressures, both positive and negative, at all times. Organizations need to deliber- ately consider their capacity to nurture, sustain, and pass on their culture. It can- not be left to chance. They need to develop people; control and influence the factors that create a culture enabling mission success every day; add value on a regular basis; and create leaders with the competency to pass these virtues onto the following generations. The perpetrators of the Y-12 incident were convicted in 2014. The woman was sentenced to 35 months in jail, and the two men were sentenced to about 60 months. DISCUSSION A participant asked about criticism of the regulatory system, those in charge of making this security plan, and whether the regulator had sufficient independence to protect the facility? General Alston explained that the National Nuclear Security Administra- tion (NNSA), a semiautonomous agency within the Department of Energy, has responsibility for the nuclear weapons complex, including all activity at Y-12. DOE regulates itself. NNSAâs performance is verified both by the DOE inspec- tor general and through the regulatory organization within DOE. Two months before the security breach at Y-12, this organization per- formed a field inspection and graded the complex as having a high probability of detection of intruders. The inspectors did not do a comprehensive evaluation of the entire integrated security system and failed to anticipate the problems, for which there were early indicators: There was a growing backlog of maintenance; there was too much distance between the site federal officer and the contractor; and the main contractor responsible for testing and for security maintenance was not aggregating the shortfalls and performing a risk analysis of what each addi- tional backlog meant for overall security. To fix these problems NNSA proposed to have an organic role in the eval- uation and inspection process and not depend on someone outside their organi- zation for this information. This fix was not accepted, however, and the contrac- tor assurance system enabled the contractor to grade itself. With the inspector general and this outside organization working for the secretary of energy, the independence and transparency is present, but the com- petence of these other organizations were debated throughout General Alston and his teamâs examination. On the importance of rotating security personnel from the field back to DOE headquarters, General Alston said that Y-12 participates in a DOE working group bring- ing together individuals from different facilities to discuss processes and meth- odologies and form vulnerability assessments, but that a few days or a week at
62 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security headquarters does not necessarily address the problem. Science officials in the Department of Energy gain experience in a variety of positions and locations, but there was no evidence of security personnel transferring between the field and the headquarters security team. The growing separation between the nuclear laboratories and the production efforts at Pantex Plant and at Y-12 led to a situa- tion where facilities were not implementing common standards in common ways. These discrepancies would have been overcome if security personnel from Y-12 routinely took headquarters and other assignments. Such immersion broadens perspectives, normalizes the evaluation of security, and helps transmit the value of maintaining common standards. Another complicating factor is that a close and friendly dynamic between the federal office and the contractor run- ning the facility might adversely affect objectivity and transparency. 7 A participant asked if maintenance typically begins at predawn times or whether this practice was a deviation from the norm. General Alston responded that it is fair to correlate the rising of the sun with the start of maintenance, but for the facility in which America stores highly enriched uranium, there needs to be strong coordination on maintenance schedules. There should be vigilance by the guards that no maintenance is authorized without their knowledge and ap- proval. The conditions to allow uncoordinated maintenance existed before the incident, and the guards were not empowered to stop this maintenance. In the breach case, this lack of coordination and empowerment was consequential. Mr. Tobey stated that it seemed that the greatest failures of the incident were not of the guard who failed to show up in a timely fashion or to protect his weapon when he did so, or even of the management that tolerated the intolera- ble. The greatest failure was of the DOE-NNSA, which was oblivious to a dan- gerous situation that had been going on for a long time. He asked what has been done to improve NNSAâs knowledge of the situation on the ground and what should be done? General Alston recounted a personal opinion from his work with the De- partment of Energy while he was in the Air Force. There is a legacy in the DOE where the laboratories are very important and very powerful. Los Alamos, Law- rence Livermore, and Sandia National Laboratories have extraordinary national security work to perform, and there is occasionally a criticism that the depart- ment gets in the way of performance in the field. Over time, that message throughout headquarters not to interfere with the performance in the field eroded the appropriate centralized control, and broad direction replaced specific direc- tion for the production sites. The officer abandoned all his training and proto- colâhe saw an 80-year old person looking at him, not a hostile threat. It was a difficult position, but if he had followed protocol, this incident would have had a different outcome. 7 The national security laboratories and the nuclear production facilities in the United States are owned by the government, but operated by contractors.
Lessons-Learned Processes and Implementing Change 63 Dr. Lowenthal asked Dr. Carneiro to comment on how his findings and ac- tions have been received inside and outside of Eletronuclear. Dr. Carneiro re- sponded that this reception was a concern since the beginning. To be transparent means to provide enough information internally and externally about the studies and the actions that the company was performing. Internally, Dr. Carneiroâs team has been integrated into the Safety Future Project, making presentations and giving updates on studies and results. Exter- nally since the beginning, he tried to integrate different areas of the company, not only to achieve the highest competence but also to sensitize groups to the measures when implemented. It was a strong policy of the company to partici- pate in all the meetings and budgets in Congress, in the ministries of mines and energy, inside the company, and in outside communities. They took every op- portunity in a transparent way to address concerns, studies, and results. Looking back after three years, there were social factors that might have been better. But it is hard to judge the policy response to Fukushima because the government was not involved in the performance of company activities. The over- all reception of their actions was very positive with no problems in continuing operations. Dr. Carneiro credits the comprehensive and consistent nature of the initiatives, as well as the very open way they were explained and discussed with their success. Admiral Ellis asked for Dr. Corradiniâs personal views on the events that continue to unfold at Fukushima. Dr. Corradiniâs personal impression, since mitigation was not within the scope of the NAS Fukushima report, is that onsite the biggest problem is water management. The magnitude and scale of the prob- lem is enormously complex. Firstly, they have an open cooling system, where they inject water, which drains from the dry well and the wet well back from breaches and that water is then taken, cleaned up, filtered and reinjected. While not using additional water is an advantage, a disadvantage to the system is that they have yet to implement closed cooling on all three of the units. Secondly, there is an issue as to what to do about wastewater cleanup, as they had great difficulty in cleaning and filtering the water. Thirdly, there is an inability to develop a policy on what to do with solid waste, which is currently being stored, and even the results of tsunami debris, which is not necessarily radioactive, but may contain chemical toxins. Their only onsite success has been in dealing with the problems associated with the rainy season. Due to Fukushimaâs location at the bottom of a large slop- ing hill, rain flows through the site and into the sea, filtering through the soil and carrying residual radioactive elements into the sea. They have dealt with this issue and with the open pooling, but have yet to deal with waste disposal. The Japanese are looking for international guidance on appropriate standards for waste disposal. Dr. Corradini then added that his largest concerns were the lin- gering effects of Fukushima: While the health effects are minimal, that they are lingering is an enormous issue. Dr. Guimarães cited the major lessons learned from the Three Mile Island and Chernobyl accidents. The main lesson learned from Three Mile Island is the
64 Brazil-U.S. Workshop on Strengthening the Culture of Nuclear Safety and Security importance of human factors, that taking the time to learn rules and procedures is important. The central lesson from Chernobyl was the importance of safety culture. He posed the question of what the central lesson from Fukushima will be 10 years later. Dr. Corradini answered on a personal level that he and others are con- cerned about the lack of understanding, knowledge, or appreciation of societal risk related to nuclear power. He explained that in the Fukushima accident, im- mediate fatalities were not the issue, as much as the evacuation and the way in which the emergency planning was conducted. Even now, there is no policy to allow the displaced individuals to return to their homes. The major lesson learned is that a lack of robust emergency planning and the presence of lingering effects that drag on and on raise concerns over whether nuclear technology is a worthwhile investment. Fukushima was a very severe accident, not from the standpoint of the radioactivity released and direct health effects, Dr. Corradini said, but because of how it affected the population. If we are unable to adequate- ly address these known effectsâby an approach to evacuation planning, emer- gency planning, and offsite response, or at least a risk assessment to evaluate signs at certain sitesâit is simply not appropriate to have a nuclear plant on these sites. Dr. Carneiro concluded the discussion by echoing the importance of an emergency plan that pays particular attention to evacuation. Without this type of planning, the impact of these disasters never ends, and there is no way to fully bring comfort to those evacuated.
