From a hillside behind the reactor complex to which they had evacuated, employees watched as the murky gray water roared up and around the buildings. Cars and machinery bobbed like corks, and debris borne on the surging water crashed into structures like battering rams. Then, with as much force as it had slammed into the plant, the water surged back into the roiling ocean, carrying away equipment and leaving enormous damage behind.
In the capital, officials at Tokyo Electric Power Company, known as TEPCO, assembled their own command center on the second floor of corporate headquarters. More than two hundred employees, hastily summoned, took their places at long rows of desks.
At 3:37 came the call from Fukushima Daiichi. Not only was Unit 1 without AC power, but it had also lost DC power: flooding had destroyed its backup batteries. The control room for Units 1 and 2 went dark; instrument panels faded to black. All power to these reactors had been lost or couldn’t be delivered where needed because of damage to power panels and cables. This was now the most severe type of station blackout. Without DC power to control cooling systems like the isolation condenser, only a very narrow time window was left before core damage began.
One by one, in the space of a few minutes, Units 1 through 5 lost AC power supplies, and high-voltage electrical panels were flooded. (Only one generator, located on higher ground near Unit 6 and cooled by air rather than seawater, continued to work.) For the first time in history, a nuclear accident was unfolding in multiple reactors at the same time.
This was a situation no one had prepared for—or even thought possible. TEPCO’s station blackout guidelines were incapable of addressing the challenge now playing out, because they assumed that only one unit would be affected and it could draw on the power supplies of adjacent units. Nor did the guidelines contemplate the simultaneous loss of both AC and DC power. “We encountered a situation that we had never imagined,” Yoshida would say later.
To compound the crisis, these reactors had just been subjected to a record-breaking earthquake and tsunami that may have caused structural damage. And now, with power gone, there was no way to know what was happening inside them.
If a natural disaster could trigger a crisis like the one unfolding at Fukushima Daiichi, then, one might wonder, why aren’t even more safety features required to prevent such a catastrophic thing from occurring?
The short answer is that developers of nuclear power historically have regarded such severe events as so unlikely that they needn’t be factored into a nuclear plant’s design. The experts could not imagine that such a cascading failure of safety systems would really occur. So the regulations required only that reactors be able to survive conditions occurring during far less severe accidents, known as “design-basis accidents.” As defined by the U.S. Nuclear Regulatory Commission (NRC), design-basis accidents were scenarios that were unlikely to occur during the lifetime of a nuclear reactor but were nonetheless conceivable enough to warrant measures to limit their severity. Reactor designs are equipped with emergency cooling systems and containment structures intended to function during design-basis accidents to limit core damage and radioactive release to a level regulators consider acceptable.
If these systems don’t work, then the plant enters the realm of “beyond design-basis” accidents, also called “severe” accidents. Severe accidents challenge plant operators in part because they involve complex and poorly understood phenomena. What is known comes primarily from tests and computer simulations that provide only limited insight. The postmortem review of the 1979 beyond-design-basis loss-of-coolant accident at the Three Mile Island reactor in Pennsylvania confirmed some predictions but raised questions about others. Fukushima Daiichi has raised even more questions, and one day should provide additional answers.
Well before Fukushima, critics argued that predicating reactor safety on the ability to handle design-basis accidents left nuclear plants vulnerable to far worse events that are more probable than the industry would like to believe and than the public would be willing to accept. Even so, design-basis accidents do create a stiff set of requirements. Reactor containments must be rugged enough structures to withstand the high pressures and temperatures that could occur in a design-basis accident without developing large leaks or rupturing. Containments are typically made of steel shells or steel-reinforced concrete with leak-tight steel liners. Because of their size and strength requirements, they don’t come cheap.
When GE designed its boiling water reactors, it equipped them with “pressure suppression” containments to reduce construction costs. These containments featured additional systems for converting excess steam to water and thus, the theory went, did not need to be built to withstand very high accident pressures.
After GE began selling the first boiling water reactors with this feature, safety critics called attention to what they believed was a dangerous vulnerability: the complex pressure suppression system was not well understood. If it failed to sufficiently reduce steam pressure during an accident, the too-small primary containment surrounding the reactor vessel might burst, releasing radioactive material into the environment.
And that was not the only threat. The Three Mile Island accident raised awareness of the danger of hydrogen. During that accident, hydrogen produced by the reaction of steam with the fuel rod cladding caused an explosion in the containment. Although the Three Mile Island containment was sufficiently large and robust to withstand the shock, engineers realized that the explosion would have been powerful enough to rupture the smaller, weaker pressure suppression containments. As a result, the NRC required that reactors with pressure suppression containments be retrofitted to control hydrogen accumulation in accidents either by filling the containments with nitrogen, an inert gas, or by activating spark plug–like devices called igniters to gradually burn off any hydrogen. The Japanese were monitoring U.S. developments closely and also required Mark I containments to be “inerted.” That addressed one accident contingency, but neither the NRC nor the Japanese worried about what would happen should hydrogen escape the containment and leak into other areas of the plant.
Fukushima Daiichi Unit 1 was a Mark I reactor that began service in March 1971 and ran for forty years. Units 2, 3, 4, and 5 were more advanced BWR models but also had Mark I containments. Unit 6 was a BWR with a Mark II containment, which also used pressure suppression. Across Japan, there were twenty-eight boiling water reactors. The United States has thirty-five, of which twenty-three have the GE Mark I containment. (See p. 279 for a list.)
In Tokyo, Prime Minister Kan was also struggling to grasp what was happening. The capital hadn’t been included in the initial earthquake alert because the Japan Meteorological Agency had underestimated the earthquake’s size and subsequent hazard zone. But when the shaking hit Tokyo, Kan had hustled out of the hearing room and headed across the street to his office. There, he gathered a small group of advisors in a basement situation room.
Kan had won election to the office of prime minister just ten months before. A member of the Democratic Party of Japan, he had served as finance minister and had campaigned on a promise to improve the nation’s weak economy. He also pledged to lessen the influence of the powerful but unaccountable bureaucracy that has long run the government.
When it came to nuclear energy in Japan, that bureaucracy was large. Responsibility was divided among multiple government agencies, whose missions sometimes overlapped—or conflicted. Japan’s fifty-four commercial nuclear power plants were regulated by the Nuclear and Industrial Safety Agency (NISA), which operated under the jurisdiction of the Ministry of Economy, Trade and Industry (METI). NISA shared some responsibilities with the Ministry of Education, Culture, Sports, Science and Technology (MEXT), which had a dual role: to promote nuclear energy and to ensure its safe operation. MEXT performed environmental radiation monitoring and assisted local governments with radiation testing in the event of an accident.
Also in the mix was the Nuclear Safety Commission (NSC), an independent agency that operated within the executive branch. The NSC supervised the work of MEXT and METI and provided policy guidance, but also worked to promote nuclear power. And finally, there was the Japan Nuclear Energy Safety Organization, which inspected nuclear facilities, conducted safety reviews, and, in the case of an emergency, made recommendations on evacuations.
Japan’s prefectures had a role, too. They were responsible for radiation monitoring and directing evacuations if needed. On paper, all these duties and responsibilities may have seemed clear. In practice, however, the system proved unworkable.
At 3:42 p.m., Tokyo Electric Power Company declared a “first level” emergency, a legal threshold meaning that an accident is predicted or has occurred. By law, TEPCO had to notify the head of the Ministry of Economy, Trade and Industry along with the governor of Fukushima Prefecture and the mayors of the towns of Okuma and Futaba, the communities in which the plant is located. The procedural requirements were clearly spelled out. The notification, according to the plant’s emergency plan, was to be done by sending a fax “all at once, within fifteen minutes.” (Plant managers were advised to follow up by phone.)
But the emergency plan didn’t fit this emergency. There was no power. Phone lines and cellular towers were damaged or destroyed. Faxes or phone calls would be difficult, if not impossible. No one apparently had thought that an event fierce enough to damage a reactor might also disrupt basic communications.
Inside Fukushima Daiichi’s emergency response center, a generator powered a video link to TEPCO headquarters. But communications within the plant itself were difficult. The paging system was disabled; TEPCO had provided only one-hour batteries for some of the mobile units and there was no way to recharge them. Crew members often had to return to the emergency center to report simple details—a time-consuming and risky procedure. In many respects, the emergency communication system at Fukushima Daiichi reflected the underlying premise of the plant’s comprehensive accident management plan, which read: “The possibility of a severe accident occurring is so small that from an engineering standpoint, it is practically unthinkable.” The follies resulting from this complacent attitude began to build catastrophically.
Under the provisions of Japan’s Act on Special Measures Concerning Nuclear Emergency Preparedness, regulators from NISA were to staff an off-site command post and help coordinate the emergency response. At Fukushima Daiichi, the designated center was located about three miles from the reactors. When three NISA workers arrived there, they discovered no power, phone service, food, water, or fuel; additional staff couldn’t reach the facility because of damage to roads and massive traffic jams. Equally problematic, the building was not equipped with air filters to protect those inside in case of a radiation release. (The lack of filters had been cited two years earlier by government inspectors, but NISA had failed to install them.) It seemed nobody in government imagined a nuclear accident could produce a cloud of radiation intense enough to pose a hazard a few miles away.
Back in Tokyo, things were not going much better. Kan was in the situation room with his close advisors, few of whom knew much about nuclear power plants. Cell phones didn’t work in the basement, making contact with the outside world difficult. Five floors above, the government’s nuclear experts had gathered in another emergency response center. Some senior managers from TEPCO joined them. But the two groups were not communicating with each other, despite being in the same building. Nor did anyone from the government head to TEPCO to ascertain what the utility was doing. In many respects, government officials were functioning much like the operators in the control rooms: without information to guide them.
Under normal circumstances, the reactor operators at Fukushima Daiichi had access to a wide range of information about the status of critical systems via the Safety Parameter Display System for each unit. But when the control rooms were disabled by the loss of electrical power, the steady flow of information had largely ceased.
At 3:50 p.m., someone in the shared control room for Units 1 and 2 wrote on a whiteboard about their reactor cores: “Water levels unknown.” Without DC power, operators could no longer monitor or manipulate the isolation condensers at Unit 1 or the RCIC at Unit 2 remotely from the control room. Even worse, if those systems were not working and water levels dropped significantly, operators could not start up the emergency core cooling systems at either unit to pump water into the reactors quickly. Things appeared to be a little better at Unit 3. There, control room operators still had some backup battery power that provided readings on pressure and water levels and enabled them to operate steam-driven cooling systems. At about 4:00 p.m., they were able to restart the RCIC system and add water to keep the fuel rods in the Unit 3 core covered.
Units 3 and 4 also shared a control room. With Unit 4 shut down for maintenance, that team focused primarily on Unit 3. The team’s colleagues in the Units 1 and 2 control room had their hands full with both reactors, although early on Unit 2 seemed to pose a greater threat because operators could not confirm whether the RCIC was operating or measure the water level in the core. In contrast, the operators believed the isolation condensers in Unit 1 were working, but they could not confirm this either.
To operate the instruments that could provide the information they needed most—the water, temperature, and pressure levels inside the reactors—the engineers at Fukushima Daiichi badly needed power. They thought they had one backup source left: emergency batteries. Soon workers would be roaming the muck- and debris-laden plant grounds, scavenging batteries from undamaged cars and buses in a desperate attempt to jury-rig some sort of power system.
But hooking up the batteries was a challenging task. With much of the plant’s electrical infrastructure damaged or destroyed, crews sometimes had to search for working connections behind control room panels or find circuitry elsewhere. Darkness and the presence of standing water made this a delicate and difficult task. Batteries were scarce and too small to provide adequate voltage. The few hours’ cushion the operators thought they might get was fast disappearing.
At 4:30 p.m., TEPCO issued a press release announcing that “a big earthquake” had occurred at 2:46 p.m. More than 4 million households were without power. “Due to the earthquake, our power facilities have huge damages, so we are afraid that power supply tonight would run short. We strongly ask our customers to conserve electricity.”
The apologetic press release included a reassuring status report on TEPCO’s various generating stations in the affected area, including the company’s seventeen nuclear reactors: six at Fukushima Daiichi, four at nearby Fukushima Daini, and seven at Kashiwazaki-Kariwa, located on the western coast of Japan. “At present, no radiation leaks have been confirmed,” the release noted.
But at Fukushima Daiichi and the utility’s command center in Tokyo, the tone was far less confident. At 4:46 p.m., exactly two hours after the first tremors had been detected, TEPCO officially notified the government that the emergency was worsening. Operators could not determine the water level in the reactor cores of Units 1 and 2 and had no assurance that the systems to supply additional water were working. Specifically, emergency core cooling had been lost at Units 1 and 2. This, under law, required the declaration of a “second level” emergency.
The highest priority for the harried team in the darkened Units 1 and 2 control room became restoring water-level indicators. At least then team members might have a better idea of the status of the two units. They salvaged two twelve-volt batteries from buses and additional batteries and electrical cables from a contractor’s on-site office.
For a few tantalizing moments, a water-level gauge returned to life, showing that the level was dropping inside the Unit 1 reactor vessel. Minutes later, the gauge died. But this fleeting indication pointed to the possibility that soon water would have to be injected from outside the reactor using portable pumps. A diesel-powered fire pump was started and allowed to idle, ready to inject water into the Unit 1 reactor through a portal normally intended for use in firefighting, not core cooling. In addition to a diesel-driven fire pump at each reactor, there were three fire engines at Fukushima Daiichi that potentially could be used. TEPCO had ordered fire engines deployed to all its reactor sites after a fire broke out at the Kashiwazaki-Kariwa plant following an earthquake in 2007. But the utility did not contemplate that the fire engines might have to be used for something other than firefighting.
Unfortunately, as the plant operators knew, trying to get water into the reactor using either the fire pump or the fire engines would not be easy. These sources could supply water only at a relatively low pressure compared to the pressure within the overheating reactor vessel. Unless operators could depressurize the vessel, they wouldn’t be able to force water into it.
As pressure increased inside the reactor vessel, steam flowed out through safety relief valves designed to keep the vessel from rupturing. Pipes leading into the torus carried the steam downward. If the pressure suppression system had been working properly, the steam would have been cooled and turned back into water in the torus, which would reduce pressure throughout the containment. To keep the torus itself from overheating, its water would be routed through tubes into heat exchangers, where seawater flowing around the tubes would absorb the heat and carry it away to the Pacific. But because the seawater pumps were destroyed, there was no effective way to remove heat from the torus.
With no access to the Pacific and no electrical power, there was only one way left to reduce the pressure within the containment: by venting some of the steam into the atmosphere. That would make it easier to inject water into the reactor and would lower the likelihood of a containment breach. Fortunately, the Mark I boiling water reactor was equipped with an emergency vent that, when opened from the control room, would release steam into the environment through a three-hundred-foot-tall stack. As part of the response to a safety review that took place after the 1986 Chernobyl nuclear plant accident, TEPCO had taken measures in the 1990s to improve the effectiveness of the vent system.
Fukushima: The Story of a Nuclear Disaster