European Commission DG for Energy (ENER/D2)
How to Improve Safety in Regulated Industries
What Could We Learn From Each Other

Background Material
Final Report, Annex A

ENCO FR-(12)-44
July 2012

Under the Framework Service Contract for Technical Assistance TREN/R1/350-2008 Lot 3
Specific Contract No. ENER/2011/NUCL/SI2.599383

Prepared for: European Commission DG for Energy (ENER/D2 Nuclear Energy)

DISCLAIMER
The content of this report is the sole responsibility of the Contractor and can in no way be taken to reflect the views of the European Union.

Annex A. Overview Fukushima Dai-ichi Accident

TABLE OF CONTENTS

1. INTRODUCTION
2. BACKGROUND – PLANT CHARACTERISTICS
   2.1. GENERAL ARRANGEMENTS OF FUKUSHIMA DAI-CHI PLANT
   2.2. DESIGN CHARACTERISTICS OF THE UNITS
3. SEISMIC AND TSUNAMI DESIGN BASIS
   3.1. SEISMIC
   3.2. TSUNAMI
4. MARCH 11 EARTHQUAKE AND TSUNAMI
   4.1. EARTHQUAKE
   4.2. TSUNAMI
5. PLANT CAPABILITIES AND RESPONSE
   5.1. PLANT STATUS BEFORE THE EVENT
   5.2. LOSS OF POWER
   5.3. CORE COOLING
   5.4. HYDROGEN EXPLOSIONS
   5.5. CONTAINMENT PRESSURE CONTROL
   5.6. SPENT FUEL POOLS AND DRY CASK STORAGE
   5.7. ALTERNATIVE INJECTION SOURCES
   5.8. RADIOLOGICAL CONSEQUENCES
6. CAUSAL ANALYSIS
   6.1. EXISTING STUDIES
        EPRI analysis
        NRC recommendations
   6.2. CAUSE MAPPING
        Step 1 - Definition of the problem
        Step 2 – Analysis of causes (Causal Map)
        Step 3. Analysis of solutions
   6.3. SUMMARY CONCLUSIONS
7. REFERENCES FOR ANNEX

1. Introduction

On March 11, 2011 at 14:46 Japan standard time, the Fukushima Dai-ichi nuclear power plant experienced a seismic event and subsequent tsunami [A-1]. The accident and the ensuing mitigation and recovery activities occurred over several days, involved a number of incidents, and might provide several opportunities for lessons learned.

The initiating seismic event involved multiple ruptures of seismic sources over an area of about 400 km x 200 km. The earthquake was very significant (magnitude ~9 on the Richter Scale), considered the fourth largest in recorded world history. Although the earthquake did not cause significant structural or operational damage to Fukushima Dai-ichi NPP, the event did cause major infrastructure damage to areas around the plant. The offsite damages led to loss of offsite power.

The earthquake caused a series of tsunamis, the largest of which arrived at Fukushima Daiichi approximately 41 minutes after the earthquake, reaching a wave height of approximately 15 m. The associated volume of water – and the related hydrodynamic forces – caused extensive and deep flooding in and around all major structures of operating Units 1 - 3.

The design basis seismic definitions were – in magnitude and frequency content – not significantly different than the actual seismic event. However, the nature of the seismic event (that is, occurring across a large area and involving multiple ruptures of seismic fault segments) was not incorporated into the design basis tsunami definition.

The earthquake and tsunami produced widespread devastation across northeastern Japan, resulting in approximately 25,000 people dead or missing, displacing many tens of thousands of people, and significantly impacting the infrastructure and industry in the northeastern coastal areas of Japan.
The combination of the massive earthquake and devastating tsunami at Fukushima was well in excess of external events considered in the plant design. The Fukushima accident also challenged the plant’s mitigation capabilities and emergency preparedness.

Evaluation of the Fukushima accident presented in this Annex addresses the essential elements of the regulatory framework that play a role in providing protection from design-basis events, as well as events as severe and complex as the Fukushima accident. Those elements include protection against seismic and flooding events (considered as design-basis events), protection for loss of all AC power (considered as a beyond-design-basis event), and mitigation of severe accidents (addressing beyond-design-basis topics of core damage and subsequent containment performance), as well as emergency preparedness.

The Fukushima accident highlights the full spectrum of considerations necessary for a comprehensive and coherent regulatory framework. It is worth noting that similar issues were raised by the TMI accident and that many beyond-design-basis requirements, programs, and practices were derived from that experience. This Annex presents evaluations that address specific elements of protection, mitigation, and preparedness and evaluate their current capabilities, limitations, and potential enhancements.

How to Improve Safety in Regulated Industries What Could We Learn From Each Other Background Material, ENCO FR-(12)-44 © ENCO

2. Background – Plant characteristics

2.1. General arrangements of Fukushima Dai-chi plant

Fukushima Dai-ichi site is located along the northeast coast of Japan, bordering the western edge of the Pacific Ocean. Initial siting occurred between 1967 and 1973, with each of the six units coming on-line between 1971 and 1979. Operational startup dates, power output, and general design information are shown in Table 2-1.

Table 2-1.
Comparison of Units 1 to 6

| Unit | Startup | MWe Output | Reactor Type, Containment | High Pressure Cooling* |
|------|---------|------------|---------------------------|------------------------|
| 1 | 1971 | 460 | BWR-3, Mark I | IC, HPCI |
| 2 | 1974 | 784 | BWR-4, Mark I | RCIC, HPCI |
| 3 | 1976 | 784 | BWR-4, Mark I | RCIC, HPCI |
| 4 | 1978 | 784 | BWR-4, Mark I | RCIC, HPCI |
| 5 | 1978 | 784 | BWR-4, Mark I | RCIC, HPCI |
| 6 | 1979 | 1100 | BWR-5, Mark II | RCIC, HPCS |

*) IC - Isolation Condenser; HPCI - High Pressure Coolant Injection; RCIC - Reactor Core Isolation Cooling; HPCS - High Pressure Core Spray

Fukushima Dai-ichi Units 1 through 4 are located in the southern part of the station; Unit 1 is the northernmost and Unit 4 is the southernmost. Fukushima Dai-ichi Units 5 and 6 are located farther north and at a somewhat higher elevation than the Unit 1–4 cluster, and Unit 6 is located to the north of Unit 5.

The grouped units share some common facilities and structures, such as control rooms and vent stacks. This commonality applies to Units 1 and 2, Units 3 and 4, and Units 5 and 6. In addition to individual unit spent fuel pools, the plant also has a shared spent fuel pool and a shared dry cask storage facility. The shared pool and the dry cask storage are for all six units. The shared spent fuel pool is located on the inland side (west) of Unit 4. The dry cask storage facility is located between Units 1 and 5 along the coast.

The general arrangement of the units prior to the earthquake and the tsunami is shown in Figures 2-1 and 2-2.

2.2. Design characteristics of the units

The main design features of Units 1-6 are presented in Table 2-2. A list of core cooling systems that can be used in emergency conditions is provided in Table 2-3. The latter information is limited to Units 1 to 3, the units that experienced the most severe problems during the event. The configuration of the primary and secondary containment systems and the reactor vessel is shown in Fig. 2-3.

Table 2-2.
Unit-specific design characteristics

| Group | Design Parameter | Unit 1 | Unit 2 | Unit 3 | Unit 4 | Unit 5 | Unit 6 |
|-------|------------------|--------|--------|--------|--------|--------|--------|
| General | Electric output, MW | 460 | 784 | 784 | 784 | 784 | 1100 |
| General | Start of commercial operation | Mar-71 | Jul-74 | Mar-76 | Oct-78 | Apr-78 | Oct-79 |
| Reactor | Reactor type | BWR-3 | BWR-4 | BWR-4 | BWR-4 | BWR-4 | BWR-5 |
| Reactor | Containment type | Mark I | Mark I | Mark I | Mark I | Mark I | Mark II |
| Reactor | Main Contractor | GE | GE/Toshiba | Toshiba | Hitachi | Toshiba | GE/Toshiba |
| Reactor | Heat output, MW | 1380 | 2381 | 2381 | 2381 | 2381 | 3293 |
| Reactor | No of fuel assemblies (FA) | 400 | 548 | 548 | 548 | 548 | 764 |
| Reactor | Full length of FA, m | 4.35 | 4.47 | 4.47 | 4.47 | 4.47 | 4.47 |
| Reactor | Number of control rods | 97 | 137 | 137 | 137 | 137 | 185 |
| Reactor | RPV inner diameter, m | 4.8 | 5.6 | 5.6 | 5.6 | 5.6 | 6.4 |
| Reactor | RPV height, m | 20 | 22 | 22 | 22 | 22 | 23 |
| Reactor | Design pressure, MPa | 8.24 | 8.24 | 8.24 | 8.24 | 8.24 | 8.62 |
| Primary Cont. (PC) | PC Vessel height, m | 32 | 33 | 33 | 34 | 34 | 48 |
| Primary Cont. (PC) | Diameter (cylindrical part), m | 10 | 11 | 11 | 11 | 11 | 10 |
| Primary Cont. (PC) | Diameter (spherical part), m | 18 | 20 | 20 | 20 | 20 | 25 |
| Primary Cont. (PC) | Water in Suppression Pool, t | 1750 | 2980 | 2980 | 2980 | 2980 | 3200 |
| Primary Cont. (PC) | Design pressure, MPa | 0.43 | 0.38 | 0.38 | 0.38 | 0.38 | 0.28 |
| Primary Cont. (PC) | Design temperature, °C | 140 | 140 | 140 | 140 | 138 | 171 (DW), 105 (SC) |
| Turbine | Steam temperature, °C | 282 | 282 | 282 | 282 | 282 | 282 |
| Turbine | Steam pressure, MPa | 6.68 | 6.68 | 6.68 | 6.68 | 6.68 | 6.68 |
| Fuel | Type | UO2 | UO2 | UO2 (MOX) | UO2 | UO2 | UO2 |
| Fuel | Core inventory, t | 69 | 94 | 94 | 94 | 94 | 132 |
| AC Distribution | EDGs (* indicates air cooled) | 2 | 1/1* | 2 | 1/1* | 2 | 2/1* |
| AC Distribution | Electrical grid, # of lines | 4 (275 kV) | 4 (275 kV) | 4 (275 kV) | 4 (275 kV) | 2 (500 kV) | 2 (500 kV) |

FIG. 2-1. Fukushima Daiichi Units before earthquake and tsunami (Source: EPRI report [A-1]).

Table 2-3.
Unit-specific Emergency Core Cooling Systems

| Unit | Emergency Core Cooling systems (1): High Pressure | Emergency Core Cooling systems (1): Low Pressure | Other potential cooling systems (2): High Pressure | Other potential cooling systems (2): Low Pressure |
|------|------|------|------|------|
| 1 | HPCI, IC | CS, CCS, CCSW, SHC | SLC, CRD | MUWC, SFP, FP |
| 2 | HPCI, RCIC | LPCI, CCS, CCSW, RHR, RHRW | SLC, CRD | MUWC, SFP, FP |
| 3 | HPCI, RCIC | LPCI, CCS, CCSW, RHR, RHRW | SLC, CRD | MUWC, SFP, FP |

1) System Abbreviations: IC - Isolation Condenser system; HPCI - High Pressure Coolant Injection; RCIC - Reactor Core Isolation Cooling system; SLC – Standby Liquid Control system; CRD – Control Rod Drive system; CS - Core Spray; CCS – Containment Cooling system; CCSW – Close Cooling Sea Water; LPCI - Low Pressure Coolant Injection; SHC – Shutdown Cooling system; RHR - Residual Heat Removal; RHRS - Residual Heat Removal Seawater; MUWC - Makeup Water system; FP - Fire Protection system; SFP - Spent Fuel Pool Cooling system
2) Systems that can be used in emergency (based on a special line-up)

FIG. 2-2. General arrangements of Fukushima Dai-ichi NPP (Source: INPO Report [A-2]).

FIG. 2-3. Generic cross-section of a BWR4 with a Mark I containment similar to Unit 1-5 (Source: INPO report [A-2])

3. Seismic and Tsunami Design Basis

Because seismic and tsunami events were important factors in the accident at Fukushima Dai-ichi, the following sections summarize the methods used to define the design bases for seismic and tsunami hazards at the plant. Criteria, methods, guidance, standards and regulations referred to in this report are those used in Japan.
The design bases discussions take into consideration evaluations that have been performed since the original design and any associated upgrades that have been implemented.

It is worth noting that treatment of the design bases differed for earthquake and tsunami. Changes in the original seismic design basis resulted from a revised Japanese Regulatory Guide issued in 2006 [A-3]. A tsunami assessment method document issued by the Japan Society of Civil Engineers (JSCE) in 2002 [A-4] did not result in changes to the original design bases, but TEPCO did perform a voluntary reassessment of the tsunami design bases and implemented some plant design modifications.

3.1. Seismic

Japanese regulators first issued general seismic design guidance in 1978, with subsequent revisions in 1981, 2001, and 2006 based in part on significant seismic events that occurred after 1978 [A-3]. All plants, including Fukushima Daiichi, were required to be reviewed (and upgraded structurally if necessary) for conformance with this guidance.

The 2006 requirements for seismic event definition and qualification are specified in the Japan Nuclear Safety Commission (NSC) Regulatory Guide NSCRG: L-DS-I.02, entitled “Regulatory Guide for Reviewing Seismic Design of Nuclear Power Reactor Facilities” [A-3].

The earthquakes that were defined for Fukushima Daiichi were upgraded after the issuance of NSCRG: L-DS-I.02. The new earthquakes taken into account were much stronger than the original earthquakes in the region, with frequencies less than 5 Hz. The zero period accelerations are approximately 500 cm/s², which is approximately 0.5 g.

The probability of occurrence of these earthquakes, an approach to quantifying “residual risks”, has also been reported. The annual probability of exceedance for the response spectra was reported to be 10⁻⁴ to 10⁻⁶ [A-5].

3.2. Tsunami

When the original licenses were issued for Fukushima Dai-ichi, Japanese regulatory guidance only stated that “(the effect of the) tsunami should be considered in design” [A-3]. There were no specific tsunami assessment numeric simulation methods available. For design purposes, therefore, the tsunami height was set at 3.1 meters above sea level, based on the observed wave height at Onahama port from the Chilean earthquake and tsunami of May 24, 1960.

Current Japanese regulatory guidance (in NSCRG L-DS-I.02 [A-4]) states that the “Safety functions of the Facilities shall not be significantly impaired by tsunami which could be reasonably postulated to hit in a very low probability in the service period of the Facilities.” More detailed technical guidance for nuclear power plants in Japan was provided in 2002 by the Japan Society of Civil Engineers (JSCE).

An important aspect of the 2002 JSCE guidance was that it did not consider as credible that a tsunami could be caused by ruptures across several fault segments in the vicinity of the plant. The JSCE guidance stated that combined fault segments did not need to be considered for faults along the Japan Trench (that encompasses the region of Fukushima) [A-4, A-6]. The March 11 earthquake occurred across numerous geological fault segments within the Japan Trench, resulting in a larger-than-expected tsunami.

TEPCO applied the methods described in JSCE document [A-4] considering tsunamis generated from eight different near-field sources off the coast of Japan. From this, it was determined that the wave height could reach 5.7 m at Fukushima Daiichi. As these changes in criteria were voluntary, the licensing basis was not changed, although TEPCO made changes to assure that all vital seawater pump motors were installed higher than 5.7 m.
In conjunction with the revised Japan seismic Regulatory Guide [A-3] issued in 2006, TEPCO conducted a tsunami reevaluation using the methods in [A-4]. From this reevaluation, which incorporated updated submarine topography and tide level data, it was determined that the wave height could reach 6.1 m at Fukushima Daiichi, and additional plant actions such as sealing of pump motors were taken [A-6].

In 2008, calculations by TEPCO to characterize a potential tsunami source without an established wave source model resulted in an estimated tsunami wave height of up to 10.2 m and a resulting flood inundation height of over 15 m at Fukushima Daiichi. Another method that applied a wave source model of the Jogan tsunami in 869 A.D. resulted in an estimated wave height exceeding 9 m. Neither of these estimates was applied to update the design basis.

In 2009, the Nuclear and Industrial Safety Agency (NISA) asked that operators take into account the Jogan earthquake for evaluating tsunami height “when new knowledge on the tsunami of the Jogan earthquake is obtained”. The new TEPCO survey results were reported in January 2011 and were inconsistent with the estimate using the Jogan tsunami wave source model used in earlier calculations; therefore TEPCO considered that it was necessary to conduct further investigation to determine the Jogan tsunami wave source [A-6].

In the event of March 11, 2011, the actual tsunami maximum height of approximately 15 m was about 5 m above plant grade. Based on the operational responses, this height differential – along with the impact forces of the water (hydrodynamic effects) and debris – was the dominant cause for eventual loss of all practical cooling paths, damage to the reactor cores and uncontrolled release of radioactive materials to the environment.

4. March 11 earthquake and tsunami

4.1. Earthquake

The earthquake that occurred on March 11, 2011 at 14:46 was of magnitude 9.0 on the Richter scale.
The epicenter of the earthquake was 180 km from the Fukushima Daiichi site and the hypocenter was 24 km under the Pacific Ocean. The earthquake lasted approximately three minutes and resulted in the Japanese coastline subsiding an average of 0.8 meters.

The peak ground acceleration in the horizontal direction was 0.561 g and in the vertical direction was 0.308 g, as measured at Unit 2. This exceeded the design basis acceleration of 0.447 g in the horizontal direction. The design basis maximum acceleration was also exceeded in units 3 and 5. The ratio of measured to design basis acceleration was in the range of 1.15 (Unit 3) – 1.26 (Unit 2). The design basis maximum acceleration in the vertical direction was not exceeded in any of the units.

According to the government of Japan, the probability for exceeding the design basis acceleration was in the range of 10⁻⁴ to 10⁻⁶ per reactor-year. The response spectra at Units 2, 3, and 5 had the largest spectral discrepancy (exceedance of the actual acceleration over the design acceleration) of the six units. It needs to be noted that the exceedance of the actual spectra over the design spectra occurs primarily at frequencies between 2.5 and 5 Hz. These are considered low frequencies, and only a small amount of safety-related equipment has natural frequencies in this range.

The ground motion exceeded the reactor protection system setpoints, causing automatic scrams. Control rods were inserted as expected. The power lines connecting the site to the transmission grid were damaged during the earthquake, resulting in a loss of all off-site power. The emergency diesel generators started and loaded as expected in response to the loss of off-site power to supply electrical power, with the exception of one emergency diesel generator on Unit 4, which was out of service for planned maintenance.
Feedwater and condensate pumps, which are powered by nonvital AC sources, were not available because of the loss of AC power.

As the shaking from the earthquake subsided, the operators began their scram response. All normal operator actions were taken to respond to the automatic plant shutdown. Reactor pressure, reactor water level, and containment pressure indications for units 1, 2, and 3 appeared as expected following a scram and did not indicate any potential breach of the reactor coolant system (RCS) from the earthquake. However, no detailed walkdowns or further investigation have been performed.

TEPCO activated its Headquarters for Major Disaster Countermeasures (Corporate Emergency Response Center) in Tokyo to assess damage from the earthquake and to support recovery efforts. The Station Emergency Response Center was activated on site to respond to the event.

4.2. Tsunami

The earthquake generated a series of seven tsunamis that arrived at the site starting at 15:27, 41 minutes after the earthquake. The first wave was approximately 4 meters high. The height of this wave did not exceed the site design basis tsunami of 5.7 meters and was mitigated by the breakwater.

A second wave arrived at 15:35; however, the wave height is unknown, because the tide gauge failed (maximum indicated level of the gauge is 7.5 meters). At least one of the waves that arrived at the station measured approximately 14 to 15 meters high (based on water level indications on the buildings).

The tsunami inundated the area surrounding units 1-4 to a depth of 4 to 5 meters above grade, causing extensive damage to site buildings and flooding of the turbine and reactor buildings. Figure 5-1 shows the general elevations (typical for units 1-4) and the approximate inundation level.
The grade level of units 1-4 is 10 meters and that of units 5 and 6 is 13 meters above mean sea level (commonly referred to as OP, for the level in the Onahama Port). The intake structures were at an elevation of 4 meters for all units.

FIG. 5-1. General elevations and inundation level; Source EPRI Report [A-1]

The seawater intake structure was severely damaged and was rendered non-functional. Intake structures at all six units were unavailable because the tsunamis and debris heavily damaged the pumps, strainers, and equipment, and the flooding caused electrical faults. The damage resulted in a loss of the ultimate heat sink for all units.

The diesel generators operated for a short time; but by 15:41, the combination of a loss of cooling water, flooding of electrical switchgear, and flooding of some of the diesel generator rooms (located in the basement of the turbine buildings and not designed to withstand flooding) caused a loss of all AC power on site for units 1-5.

5. Plant capabilities and response

5.1. Plant status before the event

On March 11, 2011, Units 1, 2, and 3 were in operation at rated power output before the event. Unit 1 had been in operation since September 27, 2010, Unit 2 – since September 23, 2010 and Unit 3 – since November 18, 2010. In Units 1 – 3 all safety systems and both emergency diesel generators were operable. All high pressure coolant injection systems (HPCI and both isolation condensers in Unit 1 and HPCI and RCIC in Units 2 and 3) were available and in standby. Reactor water level and pressure were normal for power operations. In Unit 3 the startup transformer was out of service for planned modification work.

FIG. 5-2. Plan view of the site (Units 1 to 4 only) showing flooded regions following the tsunami; Source EPRI Report [A-1]

Units 4, 5, and 6 were shut down for routine refueling and maintenance activities. Unit 4 had been in an outage since November 30, 2010, Unit 5 – since January 3, 2011, and Unit 6 – since August 14, 2010.

The Unit 4 reactor fuel was off-loaded to the Unit 4 spent fuel pool to facilitate reactor pressure vessel shroud work. The cavity gate was installed, isolating the spent fuel pool from the upper pools. The 4A emergency diesel generator was out of service for planned maintenance, with the 4B emergency diesel generator operable and in standby.

In Unit 5 fuel had been loaded into the reactor and the reactor pressure vessel (RPV) reassembled. Reactor water level was high, reactor coolant system temperature was 89°C, and reactor pressure was 7.15 MPa gauge to support RPV leak testing. Decay heat removal was secured at 07:44 in preparation for the leak testing. Both emergency diesel generators were operable.

In Unit 6 fuel had been loaded into the reactor and the RPV reassembled. Reactor water level was normal, and reactor coolant system temperature was 26°C with the reactor coolant system depressurized. Residual heat removal (RHR) system B was being used as needed for decay heat removal. All three emergency diesel generators were operable.

5.2. Loss of power

All off-site AC power was lost as a result of the earthquake. The emergency diesel generators started at all six units providing alternating current (AC) electrical power to critical systems at each unit, and the facility response to the seismic event appears to have been normal.

The tsunami resulted in extensive damage to site facilities and a complete loss of AC electrical power at Units 1 through 5, a condition known as station blackout (SBO).
Unit 6 retained the function of one of the emergency diesel generators (air-cooled). The operators were able to successfully cross-tie the single operating Unit 6 air-cooled diesel generator to provide sufficient AC electrical power for Units 5 and 6 to place and maintain those units in a safe shutdown condition, eventually achieving and maintaining cold shutdown.

All DC power was lost on units 1 and 2, while some DC power from batteries remained available on Unit 3.

The loss of on-site AC power was caused by the submergence of the emergency diesel generators and electrical distribution system equipment inside the plants. Water penetrated to the reactor building through DG louvres, doors, hatches, trenches and ducts.

Loss of DC power in Units 1 and 2 was caused by submergence of electrical distribution system equipment. The loss of DC power in Unit 3 to some systems was caused by submergence of electrical distribution system equipment and then eventually by full discharge of the batteries.

Table 6-1 shows causes of power supply problems for Units 1-3 in more detail.

Table 6-1.
Causes for Unavailability of Power Source Following the event, [A-2]

| Unit | Power source | Description of unavailability cause |
|------|--------------|-------------------------------------|
| Unit 1 | Off-site power | The receiving circuit breaker of the Ookuma Line 1L in the Unit 1 / 2 switchyard was damaged by the earthquake |
| Unit 1 | EDG | Submergence of both emergency diesel generators due to the tsunami |
| Unit 1 | 6.9 kV AC | Submergence of the 6.9 kV high voltage AC power supply panels due to the tsunami |
| Unit 1 | 480V AC | Submergence of the 480V low voltage AC power supply panels due to the tsunami |
| Unit 1 | 125V DC | Submergence of the 125V DC power supply panels due to the tsunami |
| Unit 2 | Off-site power | The receiving circuit breaker of the Ookuma Line 2L in the Unit 1 / 2 switchyard was damaged by the earthquake; the circuit breaker for the Ookuma Line 2L in the New Fukushima substation was damaged by the earthquake |
| Unit 2 | EDG | One emergency diesel generator was submerged in water due to the tsunami and the power source panels for another, air cooled emergency diesel generator, was submerged due to the tsunami |
| Unit 2 | 6.9 kV AC | Submergence of the 6.9 kV high voltage AC power supply panels due to the tsunami |
| Unit 2 | 480V AC | Partial submergence of the 480V low voltage AC power supply panels due to the tsunami |
| Unit 2 | 125V DC | Submergence of the 125V DC power supply panels due to the tsunami |
| Unit 3 | Off-site power | Ookuma Line 4L was damaged by the earthquake between the plant switchyard and the off-site substation, Ookuma Line 3L was out of service for planned renovation work |
| Unit 3 | EDG | Submergence of both emergency diesel generators due to the tsunami |
| Unit 3 | 6.9 kV AC | Submergence of the 6.9 kV high voltage AC power supply panels due to the tsunami |
| Unit 3 | 480V AC | Submergence of the 480V low voltage AC power supply panels due to the tsunami |
| Unit 3 | 125V DC | The DC power supply batteries were exhausted |

Three air-cooled emergency diesel generators (EDGs) had previously been installed at the station as a modification (2B, 4B, and 6B EDGs). These EDGs had independent fuel systems and were capable of providing power to vital AC systems following a complete loss of the seawater ultimate heat sink. The air-cooled EDGs were located above grade, and some of them survived the tsunami. The distribution systems for the Unit 2 and the Unit 4 air-cooled EDGs flooded and failed during the tsunami. The Unit 6 air-cooled EDG and portions of the electrical distribution system survived the tsunami and were used to reestablish cold shutdown on units 5 and 6.

When all AC power was lost, TEPCO was able to secure some mobile generators from the Tohoku Electric Power Company. These generators, along with some TEPCO generators, began to arrive at the site late in the evening of March 11 and continued to arrive into the next morning. The portable generators were limited in their effectiveness because they could not be connected to the station electrical distribution system as a result of the extensive damage the tsunami and flooding caused.

Workers checked motors and switchgear in an attempt to find usable equipment to support cooling the reactors. The testing revealed that the Unit 2 standby liquid control (SLC) pumps were not flooded or damaged.

Based on the inspection results, the first mobile generator was placed adjacent to Unit 2, and workers began to lay temporary cables from the generator to the associated distribution panel for the SLC pumps. The temporary power cables were approximately 10 cm in diameter and 200 meters long and weighed more than 1 ton. Aftershocks and subsequent tsunami warnings further slowed progress.
In spite of the challenges, the workers completed the task on Unit 2 and terminated the temporary cable to the associated power panel on March 12 at 15:30. At 15:36, an explosion occurred in the Unit 1 reactor building. The explosion injured five workers, and debris from the explosion struck and damaged the cables and mobile generator that had been installed to provide power to the standby liquid control pumps. The debris also damaged the hoses that had been staged to inject seawater into Unit 1 and Unit 2. Fieldwork had to be suspended. The explosion significantly altered the response to the event and contributed to complications in stabilizing the units.

5.3. Core cooling

All off-site AC power was lost as a result of the earthquake, and on-site power was lost through submergence of electrical distribution system equipment following the tsunami. Without AC power, the operators were relying on batteries and turbine-driven and diesel-driven pumps. Steam-driven injection pumps were used to provide cooling water to the reactors on Units 2 and 3, but these pumps eventually stopped working, and all cooling water to the reactors was lost until fire engines were used to restore water injection.

Operators were trying to maintain core cooling functions well beyond the normal capacity of the station batteries. Without the response of offsite assistance, which appears to have been hampered by the devastation in the area, among other factors, each unit eventually lost the capability to further extend cooling of the reactor cores. Cooling was lost to the fuel in the Unit 1 reactor after ~11 hours, the Unit 2 reactor after about 71 hours, and the Unit 3 reactor after about 36 hours, resulting in damage to the nuclear fuel shortly after the loss of cooling. Core cooling was eventually established when a fire engine was used to inject seawater.
With no core cooling to remove decay heat, core damage began on Unit 1 on the day of the event. As a result of inadequate core cooling, fuel damage also occurred in units 2 and 3. Inadequate core cooling resulted in subsequent fuel damage. Conservative calculations indicate that some of the fuel may have relocated to the bottom head of the reactor vessel, although this has not been confirmed.

Sequence and timing of events is presented in Table 6-2 [A-2]. This overview of the events as they occurred is limited to Units 1–3 and shows only those items considered of significance.

Table 6-2. Timeline of Key Cooling Systems Failures

| Unit | System* | Hrs | Action |
|---|---|---|---|
| All | | 0.00 | Earthquake |
| All | | 0.02 | Scram signal initiated, control rods inserted |
| All | | 0.02-0.03 | EDGs start on loss of offsite power |
| All | | 0.68 | First tsunami wave |
| All | | 0.82 | Second tsunami wave |
| 1 | AC power | 0.85 | Unit 1 AC lost |
| 1 | DC power | 0.85 | Unit 1 DC lost |
| 1 | HPCI | 0.85 | Non-functional due to loss of AC power |
| 1 | SLC, CRD | 0.85 | Non-functional due to loss of AC power |
| 1 | CCS, CCSW, MUWC, SFP | 0.85 | Non-functional due to loss of AC power |
| 1 | IC | 11.03 | Unit 1 IC lost |
| 1 | | 24.83 | Unit 1 reactor building hydrogen explosion |
| 2 | AC power | 0.92 | Unit 2 AC lost |
| 2 | DC power | 0.92 | Unit 2 DC lost |
| 2 | CS, RHR, RHRS | 0.92 | Non-functional due to loss of AC power |
| 2 | SLC, CRD | 0.92 | Non-functional due to loss of AC power |
| 2 | HPCI | 0.92 | Non-functional due to loss of AC power |
| 2 | RCIC | 70.65 | Unit 2 RCIC lost |
| 2 | | 87.23 | Unit 2 loss of primary containment |
| 3 | AC power | 0.87 | Unit 3 AC lost |
| 3 | DC power | 0.87 | Unit 3 DC lost |
| 3 | CS, RHR, RHRS | 0.87 | Non-functional due to loss of AC power |
| 3 | SLC, CRD | 0.87 | Non-functional due to loss of AC power |
| 3 | RCIC | 35.93 | Unit 3 RCIC lost |
| 3 | HPCI | 35.93 | Unit 3 HPCI lost |
| 3 | - | 68.25 | Unit 3 reactor building hydrogen explosion |

*) See Table 6-1 for information on system abbreviations

The overview of the events provides the timeline on a per Unit basis. This sequence of events provides only the level of detail necessary for generating input to the analysis of accident causes and consideration of potential solutions. The time of the first seismic ground motion is considered the baseline and all subsequent events are identified in terms of differential time from this baseline. The timelines are not inclusive, but focus on systems that could provide cooling functions (as presented in Table 2-3). Information on the unavailability of emergency core cooling systems refers also to those systems that could provide alternative core cooling sources based on special line-ups (such as SLC, CRD, etc.). The timelines continue until the safety systems become unavailable. Information on timing of hydrogen explosions is also included.

5.4. Hydrogen explosions

Hydrogen generated from the damaged fuel in the reactors accumulated in the reactor buildings - either during venting operations or from other leaks - and ignited, producing explosions in the Unit 1 and Unit 3 reactor buildings and further damaging the facilities and primary and secondary containment structures. The Unit 1, 2, and 3 explosions were caused by the buildup of hydrogen gas within primary containment produced during fuel damage in the reactor and subsequent movement of that hydrogen gas from the drywell into the secondary containment.

The source of the explosive gases causing the Unit 4 explosion remains unclear. The most widely accepted theory is associated with the backflow of gases from Unit 3 during venting. The containment vent exhaust piping from Unit 3 is connected to the Unit 4 exhaust piping. The dampers on the Unit 4 standby gas treatment system (SGTS) are air-operated and fail open on a loss of power or air (except the cross-connect between SGTS filter trains).
Additionally, the system does not have a backflow damper installed in the piping that connects to Unit 3. With no power or air, and no fans in service to direct the gases from Unit 3 up the exhaust stack, the exhaust gases from Unit 3 would be directly aligned to the Unit 4 SGTS filters. This piping arrangement may have allowed gases from the Unit 3 containment to be vented to the Unit 4 reactor building via reverse flow through the Unit 4 standby gas treatment system.

Hydrogen explosions significantly complicated the response to the accident. In addition, the operators were unable to monitor the condition of and restore normal cooling flow to the Unit 1, 2, 3, and 4 spent fuel pools.

5.5. Containment pressure control

Without heat removal systems, containment pressure and temperature started to increase as energy from the reactor was transferred to the containment via safety relief valves or systems such as RCIC and HPCI.

The TEPCO severe accident procedures allow venting when containment pressure reaches the maximum operating pressure if core damage has not occurred. If core damage has occurred, venting the containment will result in a radioactive release, so containment is not vented until pressure approaches twice the maximum operating pressure. In this case, the Emergency Response Center personnel could not verify the integrity of the core and this guidance was applied. The decision to vent Unit 1 was made by the site superintendent with concurrence from government agencies. This was planned for March 12 after evacuation that was scheduled to be completed at 9:00.

The first indication of increasing containment pressure was not available until 23:50 on the night of the event, when workers connected the temporary generator – which was being used to provide some control room lighting – to the containment pressure instrument. The indication read 600 kPa. By this point, access to the reactor building had already been restricted because of high dose rates.
The lack of available containment pressure indications early in the event may have prevented the operators from recognizing the increasing pressure trend and taking action earlier in the event. Unit 1 containment was not vented successfully until approximately 14:30 on March 12. Additional challenges occurred because of high dose rates and a lack of contingency procedures for operating the vent system without power, as well as the lack of equipment, such as an engine-driven air compressor.

The decision to complete evacuations before venting containment, and the subsequent equipment and radiological challenges encountered as operators attempted to establish a vent path, delayed injection of water into the Unit 1 reactor. At approximately 02:30 on March 12, as Unit 1 depressurized, pressure in the reactor and in containment equalized at approximately 0.84 MPa abs. This pressure is above the discharge pressure of the station fire pumps and fire engines. Once pressure had equalized, further reductions in reactor pressure were not possible until containment pressure had lowered. As a result, little to no injection was achieved until after the containment was vented successfully, which occurred at approximately 14:30 on March 12.

High containment pressures in Unit 1 contributed to the amount of time Unit 1 did not have adequate core cooling. In units 1, 2, and 3, the extended duration of high temperature and pressure conditions inside containment may have damaged the drywell head seals, contributing to hydrogen leaks and the subsequent explosions. Containment leakage also contributed to ground-level radiation releases from units 1, 2, and 3.

5.6. Spent Fuel Pools and Dry Cask Storage

Fukushima Daiichi had spent fuel stored in pools at each unit, in a common spent fuel pool, and in on-site dry cask storage.
Spent fuel pool cooling flow was lost for all spent fuel pools following the loss of off-site power and was not immediately restored when the emergency diesel generators started. The explosion in the Unit 4 reactor building caused structural damage to the Unit 4 spent fuel pool, but it is not clear if the integrity of the pool liner was compromised. Subsequent analysis and inspections performed by TEPCO personnel determined that the spent fuel pool water levels did not drop below the top of fuel in any spent fuel pool and that no significant fuel damage had occurred. Current investigation results indicate that any potential fuel damage was likely caused by debris from the reactor building explosions.

The dry cask storage building was damaged by the tsunami, and some of the casks were wetted. An inspection confirmed that the casks were not damaged by the event.

5.7. Alternative injection sources

Fukushima Daiichi had three fire engines available that had been added to improve firefighting capabilities following the 2007 Niigata-Chuetsu-oki earthquake. These fire engines could also be used as an alternative low-pressure water source for injecting into the reactors. However, one was damaged by the tsunami and a second could not reach units 1-4 because of earthquake damage to the road. Only one fire engine was immediately available to support the emergency response on units 1-4.

Using this fire engine was complicated because the fire engine did not have sufficient discharge pressure to overcome the elevation differences and reactor pressure. To compensate for this, the truck loaded water at the fire protection tank, then drove to the Unit 1 reactor building to inject into the fire protection system. This operation was slowed by debris on the road.
Finally, a suction hose was installed to provide a connection from the fire protection tank to the truck, which then discharged to the fire protection system piping and into the reactor via an installed modification to the low pressure coolant injection system. The fire protection tank, however, only had one hose connection. As a result, injection into the reactor had to be stopped each time the tank needed to be refilled so another fire engine, now available, could attach a hose and fill the tank. Seawater injection was eventually switched to a flooded pit, then to the harbour itself.

5.8. Radiological consequences

The loss of primary and secondary containment integrity resulted in ground-level releases of radioactive material. Following the explosion in Unit 4 and the abnormal indications on Unit 2 on the fourth day of the event, the site superintendent directed that all nonessential personnel temporarily evacuate, leaving approximately 70 people on site to manage the event.

During releases, dose rates as high as 1,193 millirem per hour (mrem/hr) (11.93 mSv/hr) were measured at the site boundary, approximately 1 km from units 1 - 4. The windows for the emergency response center had to be covered with lead shielding to reduce dose rates in the center.

Organized off-site radiation surveys began on March 16. Radiation levels off site at that time ranged from 0.1 mrem/hr (1 μSv/hr) to 20 mrem/hr (200 μSv/hr). 60 km northwest of the station, the dose rate was 0.8 mrem/hr (8 μSv/hr). Water and soil samples indicated the presence of strontium, iodine, and cesium. Food and water restrictions were implemented in some areas as a result of radioactivity.
People within the 20 km surrounding the station were evacuated, and those living up to 30 km away were directed to shelter inside their homes as the releases of radioactive gases and materials increased as the event progressed and more fuel damage occurred. Potassium iodide tablets and powder were distributed to local governments beginning March 21. Because the evacuations had already been completed, however, the potassium iodide was not issued to the population.

Radiation surveys of the on-site areas surrounding units 1 - 3 showed dose rates as high as 13 rem/hr (0.13 Sv/hr) in areas around Units 2 and 3. More detailed surveys performed over the following weeks discovered localized dose rates greater than 1000 rem/hr (10 Sv/hr) around equipment and debris outside units 1 and 3.

Some personnel who responded to the event received high doses of radiation. Two control room operators received the highest doses: a calculated internal and external dose of 67.8 rem (0.678 Sv) and 64.3 rem (0.643 Sv). The majority of dose received by these workers was internal (85-87 percent). Potassium iodide was provided to some station personnel on March 13. As of the end of March, approximately 100 workers had received doses exceeding 10 rem (0.1 Sv).

The Fukushima event was rated as a level 7 event on the International Nuclear and Radiological Event Scale (INES). The Nuclear Safety Commission of Japan estimated approximately 17 million curies (6.3 E17 Bq) of iodine-131 equivalent radioactive material was released into the air and 0.127 million curies (4.7 E15 Bq) into the sea between March 11 and April 5.

6. Causal analysis

Generally, the causal analysis is performed as an important step to finding effective solutions to identified problems in order to prevent similar problems from recurring. Analysis of this type is well known as Root Cause Analysis (RCA).
RCA is intended to identify specific causes and the associated solutions through which the problem owner may have control of these causes in order to eliminate the problem or reduce its consequences.

Appropriate application of Root Cause Analysis techniques can yield significant organizational and individual benefits in every human endeavour. RCA conducted in this project is intended to provide lessons that could be of value for the nuclear sector, but also those that could be shared across the other regulated industries. From this point of view, the analysis should be broad enough to identify causes (and potential solutions) related to organizational aspects, including general issues of human performance and safety culture. Due attention will also be paid to the regulatory concept of dealing with low probability high consequence events. From a technical point of view, the focus is on specific elements of protection, mitigation, and preparedness and evaluation of current capabilities, limitations, and potential enhancements.

6.1. Existing studies

EPRI analysis

The technical analysis performed by EPRI [A-1] traced the cause for the eventual loss of all practical cooling paths for the reactors to the tsunami’s flooding of the plant protection. Specifically, the analysis identified the significant difference between the design basis tsunami height and the actual tsunami height, as well as the limitations of beyond-design-basis tsunami protection or mitigation that could address the effects of the actual event. From a causal analysis perspective, these were caused by a methodology that specified that the rupture of combinations of geological fault segments in the vicinity of the plant need not be considered in establishing the design basis tsunami height. The tsunami that occurred was caused by a combined rupture of multiple offshore fault segments.
The analysis identified other causes of condition type that were important from the point of view of the accident severity, mainly "elevations of critical SSCs … below the actual tsunami level", limited historical records for tsunami, and "limited regulatory guidance for beyond design basis accidents". The Cause and Event Chart shown in Fig. 6-1 displays the underlying technical causal factors.

Technical analysis of the Fukushima Daiichi March 2011 accident conducted by EPRI [A-1] was intended to determine the fundamental cause for the loss of substantial systems needed to maintain reactor cooling. The loss of these systems resulted in core damage to reactors at the site and uncontrolled release of radioactive materials to the environment from the site.

From this information and review of the capabilities needed to provide core cooling, it is clear that essentially all plant equipment needed to support core cooling was damaged by the initial effects of the tsunami event. Other factors outside of the initial effects of the tsunami may have contributed to the extreme challenges encountered in attempts to sustain and/or reestablish cooling. However, the focus of this analysis was on the cause of the loss of the safety systems that would normally be used to maintain the integrity of the core. The loss of those safety systems was a result of a tsunami that exceeded the design basis of the plants.

FIG. 6-1. Causal analysis chart (source: EPRI report [A-1])

The tsunami protection strategy for the plant consisted of locating critical equipment, such as vital seawater pump motors, above the elevation of the assessed tsunami height.
The assessment of the tsunami height was based on the 2002 tsunami assessment method for Nuclear Power Plants in Japan, the accepted methodology by the Japanese industry. Following the guidance of this methodology, offshore fault segments were not combined in the tsunami assessment. During the earthquake event, numerous fault segments acted in combination, and thus the actual tsunami caused by the earthquake significantly exceeded the tsunami assessment for the plant.

Fundamentally, following the accepted tsunami assessment technical guidance in Japan resulted in under-prediction of the size of the tsunami. As a result, the plant tsunami protection strategy was not adequate and beyond-design-basis tsunami protection adequate to mitigate the effects of the tsunami that occurred was not available.

NRC recommendations

The study was prepared by the Near-Term Task Force established in response to Commission direction to conduct a systematic and methodical review of U.S. Nuclear Regulatory Commission processes and regulations to determine whether the agency should make additional improvements to its regulatory system and to make recommendations to the Commission for its policy direction, in light of the accident at the Fukushima Dai-ichi Nuclear Power Plant [A-9]. The study was conducted by a team of in-house experts who collectively had over 130 years of reactor regulatory experience.

In examining the Fukushima Dai-ichi accident for insights for reactors in the United States, the Task Force addressed protecting against accidents resulting from natural phenomena, mitigating the consequences of such accidents, and ensuring emergency preparedness.
As part of its undertaking, the Task Force studied the manner in which the NRC has historically required protection from natural phenomena and how the NRC has addressed events that exceed the current design basis for plants in the United States. In general, the Task Force found that the current NRC regulatory approach includes:

- Requirements for design-basis events with protection and mitigation features controlled through specific regulations or the general design criteria (10 CFR-50)
- Requirements for some “beyond-design-basis” events through specific regulations (e.g., station blackout, large fires, and explosions)
- Voluntary industry initiatives to address severe accident features, strategies, and guidelines for operating reactors

This regulatory approach, established and supplemented piece-by-piece over the decades, has addressed many safety concerns and issues, using the best information and techniques available at the time. The result is a patchwork of regulatory requirements and other safety initiatives, all important, but not all given equivalent consideration and treatment by licensees or during NRC technical review and inspection. Consistent with the NRC’s organizational value of excellence, the Task Force believes that improving the NRC’s regulatory framework is an appropriate, realistic, and achievable goal.

The current regulatory approach, and more importantly, the resultant plant capabilities allow the Task Force to conclude that a sequence of events like the Fukushima accident is unlikely to occur in the United States and some appropriate mitigation measures have been implemented, reducing the likelihood of core damage and radiological releases. Therefore, continued operation and continued licensing activities do not pose an imminent risk to public health and safety.
However, the Task Force also concludes that a more balanced application of the Commission’s defense-in-depth philosophy using risk insights would provide an enhanced regulatory framework that is logical, systematic, coherent, and better understood. Such a framework would support appropriate requirements for increased capability to address events of low likelihood and high consequence, thus significantly enhancing safety. Excellence in regulation demands that the Task Force provide the Commission with its best insights and vision for an improved regulatory framework.

The report, among other things, recommends:

- Requiring plants to reevaluate and upgrade as necessary their design-basis seismic and flooding protection of structures, systems and components for each operating reactor and reconfirm that design basis every 10 years;
- Strengthening Station Black Out (SBO) mitigation capability for existing and new reactors for design-basis and beyond-design-basis natural events – such as floods, hurricanes, earthquakes, tornadoes or tsunamis – with a rule to set minimum coping time without offsite or onsite AC power at 8 hours; establishing equipment, procedures and training to keep the core and spent fuel pool cool at least 72 hours; and preplanning and pre-staging offsite resources to be delivered to the site to support uninterrupted core and pool cooling and coolant system and containment integrity as needed;
- Requiring that facility emergency plans address prolonged station blackouts and events involving multiple reactors;
- Requiring additional instrumentation and seismically protected systems to provide additional cooling water to spent fuel pools if necessary; and requiring at least one system of electrical power to operate spent fuel pool instrumentation and pumps at all times. The Task Force noted it will take some time for a full understanding of the sequence of events and condition of the spent fuel pools. The report said that, based on information available to date, the two most cogent insights related to the availability of pool instrumentation and the plant’s capability for cooling and water inventory management;
- Requiring reliable hardened vent designs in boiling water reactors (BWRs) with Mark I and Mark II containments;
- Strengthening and integrating onsite emergency response capabilities such as emergency operating procedures, severe accident management guidelines and extensive damage mitigation guidelines.

6.2. Cause Mapping

This section of the report provides the results of causal analysis performed specially for this project. The results are presented in the form of a Cause Map (CM). It displays the whole structure of causes in a graphical form. This form of presentation is believed to facilitate effective communication and documentation of causes of the problem (accident) [A-10]. It is worth noting that communication of findings to experts from different industries and of different professions is an important aspect in this project.

The CM for the Fukushima accident was developed and presented in MS Excel using the worksheet / template prepared by "ThinkReliability" Consulting Company, available at the web site http://www.thinkreliability.com [A-11].

The CM was prepared for the accident at Fukushima Unit 3. Although there are some minor differences among the units, the causal map prepared for this unit represents very well the situation at other units. A similar analysis could be put together for all of the units affected by the earthquake, tsunami and resulting events. Parts of this cause map could be reused as many of the issues affecting the other plants and units are similar to the analysis shown here.
Step 1 - Definition of the problem

The first step of the Cause Mapping approach is to define the problem by asking the four questions: What is the problem? When did it happen? Where did it happen? And how did it impact the goals? Answers to these questions are provided in Table 6-1.

Table 6-1. Definition of the problem

| Question | Item | Entry |
|---|---|---|
| What | Problem(s) | Fukushima/Daiichi tsunami |
| When | Date | March 11, 2011 |
| When | Time | |
| When | Different, unusual, unique | Large earthquake/tsunami |
| Where | State, city | Fukushima, Japan |
| Where | Facility, site | Daiichi nuclear power plant |
| Where | Unit, area, equipment | Unit 3 |
| Where | Task being performed | Operating at full power |
| Impact to the Goals | Safety | 11 workers injured |
| Impact to the Goals | Public Safety | Potential for health impacts |
| Impact to the Goals | Environmental | Release of radiation to the environment |
| Impact to the Goals | Cust. Service | Evacuation of public within 20 km; rolling blackouts |
| Impact to the Goals | Production-Schedule | Loss of electrical production capacity |
| Impact to the Goals | Property, Equip, Mtls | Catastrophic damage to plant |
| Impact to the Goals | Labor, Time | Massive efforts to cool reactor |
| Frequency | | Very rare |

The impact to goals needs to be determined prior to building a Cause Map. As a direct result of the events at Unit 3, 11 workers were injured. This is an impact to the worker safety goal. There is the potential for health effects to the population, which is an impact to the public safety goal. The environmental goal was impacted due to the release of radioactivity into the environment. The customer service goal was impacted due to evacuations and rolling blackouts, caused by the loss of electrical production capacity, which is an impact to the production goal. The loss of capacity was caused by catastrophic damage to the plant, which is an impact to the property goal. Additionally, the massive effort to cool the reactor is an impact to the labor goal.

The issues surrounding Unit 3 are extremely complex.
In events such as these, where many events contribute to the issues, it can be helpful to make a timeline of events. A timeline of the events is shown in Fig. 6-2.

Table 6-2. Timing of events (Unit 3)

| Date | Time | Diff. (hrs) | Description |
|---|---|---|---|
| March 11, 2011 | 14:46 | 0.00 | Earthquake of magnitude 9 |
| | 14:47 | 0.02 | Scram signal initiated, control rods inserted |
| | 14:47 | 0.02 | Off-site power at Fukushima Daiichi lost |
| | 14:48 | 0.03 | Automatic startup of emergency diesel generators (EDG) |
| | 15:05 | 0.32 | Operators initiated RCIC to maintain reactor pressure and water level |
| | 15:25 | 0.65 | RCIC automatically shut down because of a high reactor water level |
| | 15:27 | 0.68 | The first of a series of tsunamis |
| | 15:35 | 0.82 | The largest tsunami hits |
| | 15:38 | 0.87 | Flooding in the turbine building basement |
| | 15:38 | 0.87 | Loss of all AC power |
| | 15:38 | 0.87 | Loss of all DC power |
| | 15:38 | 0.87 | Partial loss of the control board instrumentation and controls |
| | 16:03 | 1.28 | RCIC manually restarted |
| | 20:15 | 5.32 | Emergency declared at Daiichi power plant |
| | 21:58 | 6.20 | A small portable generator used to restore lighting in the units 3-4 MCR |
| | 22:00 | 6.23 | Evacuation of local residents within 3 km radius |
| March 12, 2011 | 07:00 | 16.23 | Evacuation of local residents within 10 km radius |
| | 11:36 | 20.83 | RCIC shut down unexpectedly and could not be restarted |
| | 12:35 | 21.8 | HPCI automatically started on a low-low reactor water level signal |
| | 15:36 | 24.83 | Hydrogen explosion at the Dai-ichi Unit 1 reactor building |
| | 17:00 | 26.23 | Reactor pressure indicated 2.9 MPa gauge and lowering |
| | 19:11 | 28.42 | Evacuation expands to 20 km around the Daiichi plant |
| | 20:36 | 29.83 | Reactor water level indication lost |
| | 21:00 | 30.2 | Operators started a review of the vent procedures |
| | 22:35 | 31.82 | Iodine tablets distributed |
| March 13, 2011 | 02:42 | 35.9 | HPCI system tripped, DC power was failing and RP was low (0.58 MPa gauge) |
| | 02:42 | 35.93 | HPCI could not be restarted due to depleted batteries, failure to restart RCIC locally |
| | 04:15 | 37.48 | The reactor core started to uncover |
| | 04:50 | 38.1 | Unsuccessful attempt to open the large AOV to vent suppression chamber |
| | 05:00 | 38.23 | Reactor pressure > 7.38 MPa gauge, reactor water level 2,000 mm below TAF and lowering, and containment (CT) pressure - 0.36 MPa abs. |
| | 05:10 | 38.39 | Unable to confirm level of water injection to the reactor by RCIC |
| | 07:35 | 40.8 | Reactor water level had lowered to the bottom of the fuel zone, the core uncovered |
| | 8:41, 09:10 | 42.4 | Both CT vent valves open; SRV manually opened to depressurize the reactor |
| | 9:20, 09:25 | 42.65 | The maximum indicated containment pressure - 0.637 MPa abs; SRV open; the RP decreased sufficiently to start borated fresh water injection |
| | 11:17 | 44.51 | The suppression chamber vent valve (AO-205) was found closed |
| | 13:12 | 46.43 | Injection of sea water and boric acid into reactor vessel |
| March 14, 2011 | 06:50 | 64.06 | Pressure in the reactor containment vessel increased to 0.53 MPa |
| | 11:01 | 68.25 | Hydrogen explosion at the Dai-ichi Unit 3 reactor building |
| March 16, 2011 | 08:30 | 113.76 | Reports of steam coming from the reactor building |
| March 17, 2011 | 06:15 | 135.38 | Increase in pressure of the suppression chamber |
| | 09:48 | 139.03 | Water discharge by Self-Defense Force's helicopters |
| | 19 20:09 | | Water discharge by HP water cannon trucks and Self-Defense Force's fire engines |
| March 18, 2011 | 14 14:45 | | Water discharge by Self-Defense Force's fire engines and US army's fire engines |
| | 16:00 | 169.23 | New electrical transmission line connected |

Step 2 – Analysis of causes (Causal Map)

Catastrophic damage to the plant was caused by the hydrogen explosion and severe core damage.

Release of radioactive material to the environment was caused by venting of the containment and, in the later phase of the accident, by the loss of containment boundary due to hydrogen explosion in the reactor building.

Venting of the containment was undertaken in order to decrease the containment pressure, which was too high. Buildup of the containment pressure was caused by the lack of containment cooling and heating of the containment. Without heat removal systems (no AC power and a loss of ultimate heat sink), containment pressure and temperature increase as energy from the reactor is transferred to the containment via safety relief valves (SRV) or systems such as RCIC and HPCI.

[Figure: Step 2. Cause Map - Page 1. The map starts with the Goals (in red) that have been impacted (workers safety, public safety, environmental, customer service, production, property, labor) and is read to the right by asking Why questions.]

Following loss of RCIC and HPCI, the release of steam from the reactor system via SRV was performed by the personnel in an attempt to depressurize the system. Reactor pressure was too high and had to be reduced to allow injection using a fire pump – at this moment the only available means to maintain the reactor vessel water inventory and to prevent uncovering of the reactor core.

Depressurization of the reactor system was achieved by releasing steam through the relief valve that was opened manually by the personnel. This action was difficult to achieve due to a high radiation level and the lack of lighting in the plant compartments. Opening of the vent line required electric power to energize the valve solenoid for the large air-operated suppression chamber vent valve, which was provided using a small portable generator. Completion of this work also required replacing the temporary air bottle for the AOV vent. These actions took about 4 hrs and contributed to the delay in providing water injection to the reactor system.

Severe core damage occurred because there was no cooling of the core for a long time. TEPCO estimates that following the loss of high pressure coolant injection (approximately 36 hours after reactor trip) there was no injection into the reactor for 6 hours and 43 minutes. This led to severe overheating and partial melt of the fuel.
Residual heat was at a relatively high level as Unit 3 was in operation at the onset of the event.

[Figure: Step 2. Cause Map - Page 2]

Hydrogen explosion in the reactor building was caused by the formation of an explosive mixture of hydrogen and air in the reactor building. The lack of core cooling to compensate for decay heat resulted in excessive fuel temperatures and oxidation of the zirconium cladding. The oxidation of zirconium in a steam environment creates significant additional heat from the exothermic reaction and large quantities of hydrogen. This hydrogen contributed to the increases in containment pressure and to the subsequent hydrogen explosion. The extended duration of high temperature and pressure conditions inside containment may have damaged the drywell head seals, leading to hydrogen leaks and the subsequent explosions.

Venting of containment was delayed because of difficulties with providing power and compressed air for opening of the vent valves (MOV and AOV). In addition, all work had to be conducted in a difficult working environment. The torus room was very hot because of the previous use of RCIC, HPCI, and SRVs, and the room was completely dark.
The increased radiation level also contributed to these difficulties.

Loss of reactor cooling was caused by the loss of the high pressure emergency core cooling systems HPCI and RCIC. RCIC shut down unexpectedly and could not be restarted. HPCI tripped and could not be restarted due to depleted batteries. Other potential high pressure cooling systems (SLC, CRD) as well as low pressure systems (CS, RHR, RHRS) were non-functional due to loss of AC power as well as the loss of heat sink sources.

[Figure: Step 2. Cause Map - Page 3]

There were also problems with using portable fire engines. Out of the three fire engines Fukushima Daiichi had available, one was damaged by the tsunami and a second could not reach units 1-4 because of earthquake damage to the road. Only one fire engine was immediately available to support the emergency response on units 1-4. Use of this fire engine required non-routine connections that had to be established in a difficult environment (increased temperature, radiation and in darkness).
An additional problem, caused by the loss of on-site power, was the lack of indications and controls of valves involved in the implementation of the required lineup.

[Figure: Step 2. Cause Map - Page 4]

The fire engine did not have sufficient discharge pressure to overcome the elevation differences and reactor pressure. Personnel actions associated with depressurization of the reactor and venting of the containment, necessary for reducing reactor pressure to a level acceptable for the use of the fire engine, were not accomplished in time and failed to prevent core damage.

On-site power was lost because of the loss of off-site power and the loss of emergency diesel generators (EDGs). Off-site power was lost because of the earthquake, which damaged breakers and distribution towers. Following the earthquake, the on-site power relied on EDGs, which started on loss of off-site power. This source was lost because of the tsunami. The tsunami resulted in flooding of both the EDGs and the on-site electrical distribution system (switchgear rooms). Submergence of critical SSCs in the power supply system resulted in the complete loss of AC power and led to a partial loss of DC power. All DC power was lost on units 1 and 2, while some DC power from batteries remained available on Unit 3.

[Figure: Step 2. Cause Map - Page 5]

Extensive damage to the electrical power supply system at the site was caused by the tsunami impacting the site, which exceeded the design basis of the plant. The maximum tsunami height was estimated to be 14 to 15 meters as compared to the design basis tsunami height of 5.7 meters. This was above the site grade levels of 10 meters at units 1-4. The seawater intake structure was also severely damaged and was rendered nonfunctional.

The tsunami protection strategy for the plant consisted of locating critical equipment, such as vital seawater pump motors, above the elevation of the assessed tsunami height. The assessment of the tsunami height was based on the 2002 Tsunami Assessment Method for Nuclear Power Plants in Japan, the methodology accepted by the Japanese industry. Following the guidance of this methodology, offshore fault segments were not combined in the tsunami assessment. During the earthquake event numerous fault segments acted in combination, and thus the actual tsunami caused by the earthquake significantly exceeded the tsunami assessment for the plant.

Fundamentally, following the accepted tsunami assessment technical guidance in Japan resulted in under-prediction of the size of the tsunami. As a result, the plant tsunami protection strategy was not adequate, and beyond-design-basis tsunami protection adequate to mitigate the effects of the tsunami that occurred was not available.

The issue of specifying an appropriate tsunami design basis is not straightforward. This issue should be considered in the light of existing historical data, consistently with the risk considerations.
It seems that the regulatory framework that could be used by the nuclear industry in Japan for adequate protection of NPPs against tsunami lacked clarity. An appropriate regulatory strategy and framework for protection of NPPs against natural hazards, which would appropriately balance defense-in-depth and risk considerations, was lacking. One of the reasons may be the structure of the regulatory authority, which is composed of several organizations. This issue requires further analysis.

Step 3. Analysis of solutions

The Cause Map is used to identify all the possible solutions for the problem so that the best solutions can be selected. Potential solutions correspond to those causes which can be controlled by the problem owner (Operator, Vendor, TSO organization, Regulator) so that the problem is prevented from recurring. The following causes, which can be a subject of interest in this context, can be identified on the Cause Map for the March 11 Fukushima tsunami accident (as developed in Step 2):

1. Design Basis tsunami under-predicted;
2. Submergence of critical SSCs due to flooding;
3. Limited regulatory guidance on the seismic and flooding protection of structures, systems, and components for operating plants;
4. Regulatory framework for adequate protection;
5. Organization of regulatory system in Japan;
6. Depleted batteries;
7. Cooling using portable pumps delayed;
8. Containment venting delayed;
9. Limited number of portable generators available at the site;
10. Non-routine connections of portable cooling pumps difficult and not realized in time.

These causes are related to various elements of the defense-in-depth protection of safety of nuclear power plants. The potential solutions are briefly discussed below.

Clarifying the Regulatory Framework

A logical, systematic, and coherent regulatory framework for adequate protection against external events that appropriately balances defence-in-depth and risk considerations should be established.
Such a framework should clearly specify the requirements that allow the industry to determine the protections covered within the design basis and those to be considered as beyond-design-basis (i.e. part of the emergency preparedness plan). In particular, appropriate regulator-endorsed guidance should be available to specify the design basis tsunami. Such guidance should provide a clear basis for answering the question "What should be the design basis tsunami given the existing historical data and plant specific seismic information?"

Ensuring Protection

Given the design basis tsunami, the licensees should ensure that the critical SSCs are adequately protected against seismically induced flooding. Licensees need to re-evaluate and upgrade as necessary the design-basis seismic and flooding protection of structures, systems, and components for each operating plant. The regulator should enforce appropriate corrective actions and ensure adequate oversight of their implementation.
Enhancing Mitigation

The licensees should strengthen station blackout mitigation capability at operating and new plants for design-basis and beyond-design-basis accidents induced by external events, including:

- Increasing the capability of batteries;
- Ensuring availability of portable generators and enhancement of their use during prolonged station blackout conditions;
- Enhancement of methods to reduce reactor pressure and feed cooling water to the reactor using portable cooling means/pumps;
- Ensuring additional sources of coolant water for the reactor;
- Enhancement of methods for non-routine connections of portable cooling means and ensuring plant features to facilitate their realization during prolonged station blackout conditions;
- Enhancement of the containment venting system so that it is independent of AC power and operates with limited operator actions from the control room.

6.3. Summary conclusions

Some of the issues mentioned above can be of general interest to different industries and can be discussed during the workshop. One such issue is the concept of protection based on the combination of appropriately balanced defence-in-depth and risk considerations.

A general problem of broader interest is the treatment of accident scenarios with low probability and high consequences. Based on the Fukushima accident, it seems that the accident scenario initiated by a tsunami of this severity level was underestimated with regard to its frequency and potential consequences, and further levels of protection against severe consequences were shown to be ineffective. The lower and higher mean values of the Bayesian analyses show that accident scenarios initiated by a tsunami > 8 m and an earthquake > Shindo 6 may be equal to, or greater than, regulatory limits for CDF and LER, especially when some support and backup systems are guaranteed to fail after such events [A-11].
An important lesson learned from the Fukushima accident is that defense in depth must move from strong to stronger. An important role in achieving this goal is played by the use of risk analysis (PSA). It is worth noting that PSA has difficulties with rare events (very large models, calculation cutoffs, screening-out); PSA models must present uncertainty to decision makers; PSA must be used as a “living tool”, not only for showing regulators that safety goals have been attained; and PSA professionals must be willing to ask, and to begin to answer, the difficult questions to themselves, the regulators, and the public [A-11].

Another important issue of general interest is related to the role of individual actors of the "Safety Net" (Operator, Vendor, TSOs and Regulator) in protecting the plants against severe hazard events of low likelihood and high consequences. Coordination of efforts and communication between the actors in this context is one of the important aspects to be discussed.

7. References for Annex

[A-1] "Fukushima Daiichi Accident – Technical Causal Factor Analysis", EPRI Report #1024946, Final Report, March 2012.
[A-2] "Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station", No. INPO 11-005, Revision 0, November 2011.
[A-3] "Regulatory Guide for Reviewing Seismic Design of Nuclear Power Reactor Facilities", Nuclear Safety Commission (NSC, Japan), Document No. NSCRG: L-DSI.02, September, 2006.
[A-4] "Tsunami Assessment Method for Nuclear Power Plants in Japan", The Tsunami Evaluation Subcommittee, The Nuclear Civil Engineering Committee, Japan Society of Civil Engineers (JSCE), 2002 and 2006.
[A-5] "Report of the Japanese Government to the IAEA Ministerial Conference on Nuclear Safety - The Accident at TEPCO’s Fukushima Nuclear Power Stations", Nuclear Emergency Response Headquarters, Government of Japan, June, 2011.
[A-6] "International Conference on Advances in Nuclear Power Plants - Fukushima Accident: An Overview", Akira Omoto, University of Tokyo, May 3, 2011.
[A-7] "Fukushima Nuclear Accident Analysis Report (Interim Report)", Tokyo Electric Power Company, December 2011.
[A-8] "Fukushima Analysis 11 03 2011 – In-depth Analysis of the Accident at Fukushima on 11 March 2011 With Special Consideration of Human and Organisational Factors", Swiss Federal Nuclear Safety Inspectorate (ENSI).
[A-9] "Recommendations for Enhancing Reactor Safety in the 21st Century", The Near-Term Task Force Review of Insights from the Fukushima Dai-ichi Accident, U.S. Nuclear Regulatory Commission, July 12, 2011.
[A-11] Gano, D.L., "Apollo Root Cause Analysis – A New Way of Thinking", Apollonian Publications, Yakima, Washington, 2003.
[A-10] ThinkReliability, http://www.thinkreliability.com/InstructorBlogs/blog-daiichiunit3.pdf
[A-11] Epstein, W., "A PRA Practitioner Looks at the Fukushima Daiichi Accident", Visiting Scholar, Ninokata Lab, presentation at Tokyo Institute of Technology, March 20, 2012.