Fukushima Dai-ichi Accident: Sociologist Needed!

31 03 2011

I have been working this year with sociologists, in a research group composed largely of visitors to Bielefeld’s residential research institute ZiF. The group is working on Communicating Disaster. Then one happened – an enormous natural event triggered a disaster. Let me look at part of it, namely the system-safety disaster at the Fukushima Dai-ichi (Number 1) nuclear power station.

A nuclear power plant is what I call a teleological engineered system. Like a car, or an airplane, it has a purpose, and it is designed by one (or a few) legal actors to fulfil that purpose. As a system, it distinguishes itself from, say, a town, which is a collection of houses, shops, workshops and offices, mostly designed and constructed piecewise, for divergent purposes, indeed purposes which are often contrary, by many actors. Fukushima Dai-ichi has people swarming all over it, designing, specifying, building, operating, maintaining, and filling out all the paperwork which somehow gives us a comfy feeling of an organisation aiming to fulfil the purpose. But no longer. Here it is, not producing two watts of what it is supposed to produce, but instead injuring people and threatening to distribute large amounts of its highly toxic component substances above ground, below ground, and in the water. What went wrong?

Nuclear fission is exothermic, and a reactor keeps producing heat after it has been shut down: the fission products in the fuel continue to decay, releasing heat for days and weeks. The plant therefore requires active cooling at all times, even when not operating. If it is not cooled then an accident is inevitable. Cooling requires power. When the plant is working, maybe from itself. When it is shut down, then from somewhere else. It follows that the power supply must be unfailingly reliable in order to avoid an accident.

Primary power comes from outside. The existence of a secondary power system tells us that someone foresaw circumstances in which primary power would be interrupted. (They were right! An earthquake cut primary power; the live reactors, Units 1-3 of 6, shut down as planned.) Can secondary power be interrupted? If so, we need tertiary power… and so on. The tertiary power is trivial – batteries with a life of 8 hours. It follows that no one thought secondary power could be interrupted for longer than that. But it was! It was taken out.

Everything else about this disaster follows from that one event: Secondary power was taken out. How? It was in a “basement”, which was flooded by the tsunami. Let us focus on the tsunami for a moment. At time of construction, it seems no one evaluated the tsunami hazard (Kopflos in die Katastrophe [Headlong into Catastrophe], Marlene Weiss, Süddeutsche Zeitung 19-10.03.2011). Later they did, but “no one thought of a tsunami that high!”. Not so – a tsunami expert brought it up at a meeting at the regulator, NISA, in 2009. He recounts that his concern was – in my words, not his – peremptorily dismissed (Japanese nuclear plant’s safety experts brushed off risk of tsunami, David Nakamura and Chico Harlan, Washington Post, 23.03.2011). Tsunami experts have expressed their astonishment at the apparent lack of tsunami awareness at the regulator and the plant operator (Japanese Rules for New Plants Relied on Old Science, Norimitsu Onishi and James Glanz, New York Times, 27.03.2011). It is important to keep in mind that a tsunami is just one way the secondary power can be taken out, not the only way.

Engineers designing, building and operating safety-critical systems are required by standards to perform a hazard analysis (HazAn). A hazard is, roughly speaking, a precursor of an accident, so you have to know first what the accidents are – what the events are which constitute accidents. It is pretty clear to everyone in the nuclear industry that meltdown is an accident and it is equally clear that lack of cooling leads directly to meltdown. (It’s not the only one: you have to keep the spent-fuel pools cooled, else the water boils off and the exposed fuel overheats and may burn. It’s clear that that constitutes an accident event also.) So losing all cooling for a long enough period of time is an event that leads inevitably to an accident. Your secondary power just cannot be taken out for longish periods of time when your primary power is not available. There, that’s (part of) a HazAn, with the derived safety requirement. HazAn is no more, and certainly no less, than this kind of reasoning, but you must systematically cover everything.

The next formal step is to ask about mitigation. What can happen to secondary power to take it out? It can fail because it is poorly maintained (mitigation: maintain it properly. This is a known quantity). It can fail because on-demand systems often fail on demand (mitigation: run it continuously, at low power, so you know it runs when it is asked to cut in). It can fail because a large airplane crashes into it (mitigation: design the building accordingly. This was a consideration for English gas-cooled nuclear plants in the early 1970s). It can fail because of a bomb (mitigation: good security at the gates and perimeters). It can fail because it’s flooded. Before someone says “thousand-year tsunami”, recall that there are two and a half million gallons of water perched in the air in the spent-fuel pools of the six reactors, which pools just might be breached during an earthquake – but weren’t, as it turns out. You should think of that, even if a tsunami doesn’t occur to you. (Mitigation: design the secondary power to function while submerged. They do it in submarines; this is a known quantity.)
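The reasoning of the last three paragraphs is exactly what a fault tree formalises, and the common-cause point (one tsunami reaching both the grid connection and the basement generators) becomes visible as soon as one computes the minimal cut sets. The following is an added worked example, not part of the original post; the event names, the tree structure and the treatment of the tsunami as a single basic event feeding both the primary and the secondary branch are my modelling assumptions based on the text, not TEPCO’s or NISA’s analysis.

```python
"""Minimal-cut-set analysis of a station-blackout fault tree.

Added illustration, not from the original post.  Event names and tree
shape are assumptions modelled on the text: primary (grid) power,
secondary (diesel) power sited in a floodable basement, and batteries
that last about 8 hours.
"""
from itertools import combinations
from typing import FrozenSet, List, Union

# A node is either a basic-event name or a gate: ("AND" | "OR", [children]).
Node = Union[str, tuple]


def AND(*children: Node) -> Node:
    return ("AND", list(children))


def OR(*children: Node) -> Node:
    return ("OR", list(children))


def evaluate(node: Node, failed: FrozenSet[str]) -> bool:
    """True if the node's output event occurs given the set of failed basic events."""
    if isinstance(node, str):
        return node in failed
    gate, children = node
    results = [evaluate(child, failed) for child in children]
    return all(results) if gate == "AND" else any(results)


def basic_events(node: Node) -> List[str]:
    """All distinct basic events in the tree, in first-seen order."""
    if isinstance(node, str):
        return [node]
    seen: List[str] = []
    for child in node[1]:
        for event in basic_events(child):
            if event not in seen:
                seen.append(event)
    return seen


def minimal_cut_sets(tree: Node) -> List[FrozenSet[str]]:
    """Smallest sets of basic events that, on their own, cause the top event.

    Brute force over subsets, smallest first; supersets of an already-found
    cut set are skipped.  Adequate for hazard-analysis-sized trees.
    """
    events = basic_events(tree)
    cuts: List[FrozenSet[str]] = []
    for size in range(1, len(events) + 1):
        for combo in combinations(events, size):
            candidate = frozenset(combo)
            if any(cut <= candidate for cut in cuts):
                continue
            if evaluate(tree, candidate):
                cuts.append(candidate)
    return cuts


def smallest_cut_size(tree: Node) -> int:
    """Fewest independent things that must go wrong to reach the top event."""
    return min(len(cut) for cut in minimal_cut_sets(tree))


# Top event: all cooling power lost for longer than the batteries last.
# As built (assumed): the same offshore quake that drops the grid sends a
# tsunami over the bluff and floods the basement housing the diesels, so
# one basic event appears in both the primary and the secondary branch.
AS_BUILT = AND(
    OR("quake_and_tsunami_overtops_bluff", "grid_lost_other_cause"),   # primary
    OR("quake_and_tsunami_overtops_bluff", "diesel_fails_on_demand"),  # secondary
    "outage_longer_than_8h_battery",                                    # tertiary
)

# Mitigated (assumed): diesels relocated above the flood line or built to
# run submerged, so the tsunami no longer reaches the secondary branch.
MITIGATED = AND(
    OR("quake_and_tsunami_overtops_bluff", "grid_lost_other_cause"),
    "diesel_fails_on_demand",
    "outage_longer_than_8h_battery",
)

if __name__ == "__main__":
    for label, tree in (("as built", AS_BUILT), ("mitigated", MITIGATED)):
        print(f"{label}: smallest cut set has {smallest_cut_size(tree)} events")
        for cut in minimal_cut_sets(tree):
            print("   ", sorted(cut))
```

The as-built tree has a cut set of size two: the quake-plus-tsunami and an outage outlasting the batteries, the second of which is close to certain once the surrounding region has been devastated. Removing the tsunami path to the diesels restores three independent failures to every cut set, which is what the author’s mitigation (submersible or relocated secondary power) buys. The same computation is the core of attack-tree analysis in threat modelling, where a shared dependency collapsing the cut-set size is the signature of a single point of failure.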

Maybe such HazAns weren’t state of the practice when the plant was built decades ago? HazAns are also required by standards during operations, which were continuing up to March, 2011.

“But no one can think of everything!” That is, though, the purpose of a HazAn. You may make a mistake, of course, in your HazAn. But the reasoning above is routine, one thing following from another; I would require no less from my students.

Now to the point of this shaggy dog story. How did the builders, owners and operators of this plant miss all this for forty years? To answer that question, you don’t need an engineer, you need a sociologist! There, I said it!

Do you need to answer it? Most certainly you do. It helps you to find other plants, other power companies, where similar things could have happened and could be happening, so we can step in before something equally extreme happens.

You also need somebody to tell you what the consequences of such an extreme event are. Engineers work on experience. Commercial jet transport airplanes are thought of, justifiably, as maybe the most highly reliable complex artifacts ever built. Wings used to fall off (say, from Wellingtons, seventy years ago). They don’t any more (or only as a consequence of some other unrecoverable event). Experience makes the difference: we have five to twenty fatal accidents with commercial jet airliners per year to learn from. Compare with nuclear power: we have had three, maybe four, extreme events in fifty years (Windscale, maybe Three Mile Island, Chernobyl, Fukushima 1). Who can tell us what the consequences are? Two engineering colleagues said: Chernobyl, 60+ fatal. Some medical researchers say: 6000+ fatal. Greenpeace says: 200,000+ fatal. If the weather had been different, maybe tens of thousands more in Kiev. When the serious estimates of fatalities (alone! Then there is the damage to the environment to consider) differ by four orders of magnitude, as here, then the answer seems to be that no one can tell us reliably. Or even what the possible consequences are. The engineering risk calculus of probability times severity doesn’t work, either. It gives one answer before Chernobyl, another answer after Chernobyl, and yet another answer after Fukushima. A decision aid is useless if it gives you different answers each time you have an unwanted event. An engineer can’t tell you.

Can a sociologist tell us? Maybe not. Then who?

Acknowledgement

I thank Lee Clarke, who has a note at nj.com, Charles Perrow, who pointed out the susceptibility of the design to flooding secondary power, Bernd Sieker, who as usual delved into the physical details of everything, and Werner U., who has been scouring the press, and the participants of the ZiF research group Communicating Disaster for useful comments on the first version of this note.



Fukushima, the Tsunami Hazard, and Engineering Practice

27 03 2011

The conclusion first, as well as at the end. For safety-critical infrastructure, a continuously maintained, public safety case should be required. Members of the public may at any time look it up. A wise government will make provision for commentary and rework where necessary.

I am well aware that this sets the importance of a safety case differently from that suggested by Charles Haddon-Cave in his inquiry into the RAF Nimrod accident. This is a different case. The UK MoD is a closed organisation and I am talking about critical public infrastructure.

I am running a private discussion group on the Fukushima accident. One of the main questions, raised by sociologist Charles Perrow on the Monday after it happened, is why on earth was backup power put in a place at which it could be incapacitated by a common-cause event (Perrow phrased it somewhat differently). He suggested it was a design accident, not a “normal accident” in his technical use of that phrase.

I thought there had been an obvious failure of hazard analysis (HazAn), which is a required step (rather, series of steps) in development and deployment of most safety-critical systems. I thought the idea of a public safety case was a useful suggestion even then. It was partly based on news at the time that tsunami researchers had recently discovered evidence of a comparable historical tsunami in the area some 1200 years ago.

But it turns out to be worse than that.

On Wednesday, the Washington Post contained reports of comments at a NISA meeting in 2009 by a tsunami expert, Yokinobu Okamura, who brought up the issue of tsunamis, and, reading between the lines, was peremptorily dismissed.

But it turns out to be much worse than that.

The NYT contains the story today.

* The word “tsunami” did not appear in government guidelines until 2006.

* People have been saying “well, it was a big quake!”, but it turns out one of magnitude 7.5 would have sufficed to breach the high-water defences at the plant.

* Recommendations in 2002 led TEPCO to raise its “maximum projected tsunami” to 17.7-18.7 feet, which was higher than the 13-ft bluff on which the plant is built. Yet all they did was raise an electrical pump 8 inches.

Here is the text:

Japanese government and utility officials have …. said that engineers could never have anticipated the magnitude 9.0 earthquake — by far the largest in Japanese history — that …. generated the huge tsunami. Even so, seismologists and tsunami experts say that according to readily available data, an earthquake with a magnitude as low as 7.5 …. could have created a tsunami large enough to top the bluff at Fukushima.

After an advisory group issued nonbinding recommendations in 2002, Tokyo Electric Power Company, the plant owner and Japan’s biggest utility, raised its maximum projected tsunami at Fukushima Daiichi to between 17.7 and 18.7 feet — considerably higher than the 13-foot-high bluff. Yet the company appeared to respond only by raising the level of an electric pump near the coast by 8 inches, presumably to protect it from high water, regulators said.

Then there is some further wonderful stuff on how hazards were thought about, in the following quote.


“We can only work on precedent, and there was no precedent,” said Tsuneo Futami, a former Tokyo Electric nuclear engineer who was the director of Fukushima Daiichi in the late 1990s. “When I headed the plant, the thought of a tsunami never crossed my mind.”

1. If one is following safety-engineering practice, one is supposed to work on a HazAn, not on “precedent”, whatever that might be.

2. Tsunamis never thought of? How about performing a HazAn? Then maybe there is somebody in the room, say by the name of Yokinobu Okamura, who does.

3. And when the question is raised, finally in 2009, why is a dismissive reply acceptable? Is that the way continuous hazard assessment is performed in Japan? When they perform an FMEA, do they just look at the system and not at the system environment? Let me recommend our course on how to perform HazAns. It is System Safety and Security 2 in our university catalog and we give it every year.

The NYT article makes it clear that TEPCO and NISA were well aware that they were not always sufficiently prepared.

…. For decades …..Japanese officialdom and even parts of its engineering establishment clung to older scientific precepts for protecting nuclear plants, relying heavily on records of earthquakes and tsunamis, and failing to make use of advances in seismology and risk assessment since the 1970s.

For some experts, the underestimate of the tsunami threat at Fukushima is frustratingly reminiscent of the earthquake — this time with no tsunami — in July 2007 that struck Kashiwazaki, a Tokyo Electric nuclear plant on Japan’s western coast. The ground at Kashiwazaki shook as much as two and a half times the maximum intensity envisioned in the plant’s design, prompting upgrades at the plant.

“They had years to prepare at that point, after Kashiwazaki, and I am seeing the same thing at Fukushima,” said Peter Yanev, an expert in seismic risk assessment based in California, who has studied Fukushima for the United States Nuclear Regulatory Commission and the Energy Department.

TEPCO and NISA knew in 2007 that their hazard criteria needed review. Presumably this was the reason for the meeting that Okamura attended at which his question was trivially rebuffed.

And now for what was known about tsunamis by the scientific establishment. And what TEPCO did.


When Japanese engineers began designing their first nuclear power plants more than four decades ago, they turned to the past for clues on how to protect their investment in the energy of the future. Official archives, some centuries old, contained information on how tsunamis had flooded coastal villages, allowing engineers to surmise their height.

So seawalls were erected higher than the highest tsunamis on record. At Fukushima Daiichi, Japan’s fourth oldest nuclear plant, officials at Tokyo Electric used a contemporary tsunami — a 10.5-foot-high wave caused by a 9.5-magnitude earthquake in Chile in 1960 — as a reference point. The 13-foot-high cliff on which the plant was built would serve as a natural seawall, according to Masaru Kobayashi, an expert on quake resistance at the Nuclear and Industrial Safety Agency, Japan’s nuclear regulator.

Eighteen-foot-high offshore breakwaters were built as part of the company’s anti-tsunami strategy, said Jun Oshima, a spokesman for Tokyo Electric. But regulators said the breakwaters — mainly intended to shelter boats — offered some resistance against typhoons, but not tsunamis, Mr. Kobayashi said.

……….

Two independent draft research papers by leading tsunami experts — Eric Geist of the United States Geological Survey and Costas Synolakis, a professor of civil engineering at the University of Southern California — indicate that earthquakes of a magnitude down to about 7.5 can create tsunamis large enough to go over the 13-foot bluff protecting the Fukushima plant.

Mr. Synolakis called Japan’s underestimation of the tsunami risk a “cascade of stupid errors that led to the disaster” and said that relevant data was virtually impossible to overlook by anyone in the field.

………………

…… even through the narrow lens of recorded tsunamis, the potential for easily overtopping the anti-tsunami safeguards at Fukushima should have been recognized. In 1993 a magnitude 7.8 quake produced tsunamis with heights greater than 30 feet off Japan’s western coast, spreading wide devastation, according to scientific studies and reports at the time.

On the hard-hit island of Okushiri, “most of the populated areas worst hit by the tsunami were bounded by tsunami walls” as high as 15 feet, according to a report written by Mr. Yanev. That made the walls a foot or two higher than Fukushima’s bluff.

But in a harbinger of what would happen 18 years later, the walls on Okushiri, Mr. Yanev, the expert in seismic risk assessment, wrote, “may have moderated the overall tsunami effects but were ineffective for higher waves.”

And even the distant past was yielding new information that could have served as fresh warnings.

Two decades after Fukushima Daiichi came online, researchers poring through old records estimated that a quake known as Jogan had actually produced a tsunami that reached nearly one mile inland in an area just north of the plant. That tsunami struck in 869.

To my mind, this catalog of astonishing engineering practice makes the case for a continuously maintained, public safety case for safety-critical infrastructure components overwhelming.

There were lots of people around who knew about tsunamis, and were prepared to say so. Had TEPCO been required publicly to justify any countermeasures it had implemented, then I imagine the inadequacy of the case would have been apparent to any high-school student who decided to look at it for her public affairs class, let alone geologists, hydrologists, or other engineers.

PBL