What Set Fukushima Apart
Nuclear reactors are designed to leave nothing to chance, but at Fukushima, a lot came down to luck.
Looking back on the 2011 Fukushima Daiichi nuclear disaster, one of the most expensive and complex industrial accidents of all time, it’s striking how often simple luck influenced the course of events. Chance follows us everywhere. You miss the bus after bumping into a friend; a stranger pays it forward by buying your morning coffee; a burst water pipe floods your home. It’s no surprise that a certain amount of luck was involved in an accident as colossal as the Fukushima disaster, but the amount of it is perhaps a little overlooked. Reading through the various government and institutional reports into what happened, words like “coincidence” appear more often than you might expect.
In the nuclear power industry, a sector famed for its caution and strong redundant systems, we can see that luck rarely held much sway prior to the Fukushima disaster. At the Browns Ferry nuclear plant in Alabama in 1975, for example, two men tasked with inspecting an electrical-cable room for air leaks used a naked candle to check for air flow. The flammable foam insulation ignited, damaging the cables, which then crippled the control room instrumentation for two reactors. Not much bad luck there, just a lack of common sense. At Three Mile Island in 1979, luck started the accident when a trickle of water seeped its way into an electrical circuit, but from that point on it had little impact. The safety equipment all functioned as intended up to a critical point, after which it was overwhelmed people who couldn’t grasp the situation and made incorrect decisions because of a badly designed control room.
In August 2004, Japan suffered its worst-ever accident at a nuclear plant in terms of direct fatalities, and its first fatal accident during operation, when a steam pipe ruptured near a group of workers inside the Mihama plant’s turbine hall, boiling five men alive and hospitalizing six others. The victims were unlucky, to put it mildly, but what about the cause? The exact same accident had already occurred in two almost-identical Westinghouse nuclear plants in the United States, the Trojan plant in Oregon and Surry in Virginia in 1985 and 1986 respectively, the latter resulting in four deaths. An investigation quickly determined that flow-accelerated corrosion had eroded the pipe’s inner wall until it was as thin as a sheet of paper. Westinghouse informed its partner Mitsubishi, which maintained the fleet of American-designed plants in Japan, yet Mitsubishi still missed similar piping at several facilities across the country. At Mihama, an engineer spotted the absent pipe in April 2003 and added it to the inspection list, but the plant’s owner decided the issue was trivial. This meant, in a tragic twist, that technicians had planned to perform ultrasound tests on the pipe five days after it burst. Here again, chance did not exert a huge influence. It was more bad communication.
When it comes to the Fukushima disaster, there’s no denying that reckless negligence set the stage, a fact well established by a mountain of evidence against Japanese regulators and the power station’s owner, the Tokyo Electric Power Company (TEPCO). But once it all began, if we view what followed the initial accident with an eye on chance, we can see that good and bad luck played a surprisingly large role.
Earthquake prediction is not an exact science, but regional tremors do follow an observable pattern, and a gigantic earthquake off Japan’s east coast had long been anticipated and prepared for. Nevertheless, the magnitude-9.0 quake knocked out all seven of Fukushima Daiichi’s external power lines, isolating it from the outside world. The plant’s three (of six) operating reactors, Units 1, 2, and 3, automatically shut down, but with all external power severed, their suite of active-cooling methods now relied upon thirteen enormous diesel generators.
TEPCO estimated in 2001 that no tsunami at Daiichi could exceed 5.7 meters (18.7 feet) based on guidelines written by the Japan Society of Civil Engineers. Another simulation derived the same height in 2010. The calculations were flawed and are thought to have assumed an earthquake of magnitude 7.5 or below, ignoring local historical precedent. Still, TEPCO clung to this figure. However, two further internal studies indicated wave heights could exceed 10 meters (33 feet) and flood heights up to 15.7 meters (51.5 feet). Company executives were warned about the shortfall but chose not to act because of the enormous expense of suspending operations while a new wall was built.
These decisions point toward negligence, but geologists speculate that by sheer bad luck the tectonic plates’ shape caused two distinct local tsunami peaks to converge at Daiichi, resulting in an astonishing wave height of 15 meters (49 feet). At Daiichi’s sister plant, Fukushima Daini, waves reached only 9.1 meters (30 feet), despite being just five miles farther from the quake’s epicenter. This made all the difference. Though it did experience substantial flooding, Daini fared far better as a result.
When the wave submerged Daiichi, saltwater disabled every electrical system it touched. Unlike conventional gas or coal power stations, Fukushima’s nuclear reactors required up to 30 tons of water per hour for weeks after shutting down because the fuel continued to generate heat after use. The tsunami knocked out twelve of the thirteen diesel generators, leaving just Unit 6—which had already been offline—with A.C. power. But, as luck would have it, many electrical systems escaped the deluge at Unit 3, meaning it was safe for the time being. At Unit 2, the only working component was the passive reactor core isolation cooling system (RCIC), which required no power and used reactor steam to drive its own small turbine connected to a cooling water pump. Both granted the plant’s stunned personnel time to grapple with Unit 1, where nothing worked. Its fuel soon began to melt. In a last-ditch attempt to prevent disaster, plant workers realized they had no choice but to connect fire truck hoses to the plant’s internal fire-suppression system and route it to the reactor core—a capability that was added to the 40-year-old facility a mere nine months earlier.
Generator trucks began to arrive that night, only for their drivers to discover that Daiichi’s electrical connections had been ruined by saltwater, the sockets were incompatible, and the required 480-volt supply was obsolete and could not be supplied; the generators were useless. With pressure inside the reactor climbing to dangerous levels, two teams of TEPCO operators attempted to manually vent the core, but radiation inside the reactor building had already reached dangerous levels and the teams could not approach.
Repeated attempts to open vent valves remotely from the control room failed, as did efforts to force pneumatic valves open using portable air compressors, first because no one could find adaptors to connect to the piping system, forcing exhausted workers to hunt for equipment locked away in subcontractor buildings, then because the compressors proved to be too weak. After trying to salvage a small diesel generator for hours, a triumphant team of engineers reported they had finally fixed it, only for it to break down again after 20 minutes of use.
Unit 3’s own RCIC stopped working at noon on the second day, but the reactor building’s dry electrical systems allowed alternative equipment—the high-pressure coolant-injection system (HPCI), which, like the RCIC, required no main A.C. power—to automatically kick in and take over. The HPCI was only designed to function for a matter of hours, but this was better than nothing. Midafternoon, just as another recovery team finished their grueling work laying a heavy-duty electrical cable between Unit 1 and an undamaged area of Unit 2 with the aim of using a generator truck connected to the latter to supply power to the former, Unit 1 exploded. The explosion damaged the cables, the electrical panel connected to the truck, and fire hoses being used in a desperate attempt to get water into the core of Unit 1.
At every turn, as soon as their heroic efforts started to make a difference, chance struck them down. And it was far from over. The explosion turned out to be built-up hydrogen from the melting reactor fuel that had escaped into the upper levels of the reactor building and detonated. The building was severely damaged, but the reactor itself had survived.
Over at Unit 3, things took a turn for the worse at around 9 p.m. when the batteries began to run dry, slowly disabling operators’ control room instruments. Worried that the HPCI might break, they decided to use the reactor’s main steam valves, which were still lit up on their instruments, to help switch cooling over to another small diesel generator. They deactivated the HPCI, then tried to open the valves. That final trickle of electricity had been enough to light the control-interface bulb but not enough to open the valve. Panicking, they tried to restart the HPCI and RCIC, but neither worked. Unit 3’s reactor pressure began climbing precipitously and its fuel soon started to melt.
Radiation levels across the plant rose as the damaged reactors struggled to contain their molten contents. Many of Daiichi’s personnel sheltered inside an earthquake-proof bunker during their entire ordeal. The building sat on special dampers to isolate it from the surrounding earth and contained its own emergency supplies and air filtration system to protect the occupants from the radiation outside. This island of safety, the base of operations for the entire recovery effort, had been built just one year earlier. It was arguably more responsible than any other factor in preventing the accident from being far worse than it was.
On the fourth day, as the situation deteriorated at Unit 3, a team sent to check on the condition of Unit 4 (which, remember, was offline and emptied of fuel prior to the earthquake) encountered high radiation readings at the door, forcing them to turn back. Thirty minutes later, Unit 3’s reactor building burst open in a deafening explosion far more powerful than the first. Leaking hydrogen also caused this blast, and again the reactor itself held firm, but flying debris shredded hoses being used for cooling. The explosion also damaged a component of Unit 2, causing its own vent valve to slam shut. All efforts to reopen it and its bypass valve failed; reactor pressure began to creep upwards.
With spectacularly bad timing, Unit 2’s RCIC failed around this time after somehow running for several days straight. It is thought that the lack of battery power prevented the RCIC turbine from tripping and permanently disabling itself, and that by chance it started and stopped as water flooded the core then boiled off into steam.
As pressure now climbed, operators vented the core in a frantic effort to avoid a rupture and allow a fire truck outside to inject cooling water. This worked, but the truck only pumped for 15 minutes before running out of fuel; in the chaos, nobody had checked its fuel gauge. Cooling stopped for two hours while they hunted for more fuel, but Unit 2’s fuel had already started to melt. Here too, the reactor leaked hydrogen, but the blast at Unit 1 days earlier had dislodged an emergency panel in the side of the Unit 2 building, allowing the gas to vent harmlessly into the atmosphere. In an ironic twist of fate, this meant that Unit 1’s reactor building explosion likely prevented the same fate at Unit 2.
It wasn’t over yet. Hours later, at around 6 a.m. on the fifth day, Unit 4 exploded without warning. While no one knew what caused the explosion until later, hydrogen had backfilled into Unit 4 via the chimney stack it shared with Unit 3 during venting of the latter reactor. Without power to the exhaust fans to guide the vented gases upwards, a cloud simply drifted over into Unit 4 until it was detonated by a stray spark. They now had another new problem: Unit 4’s entire inventory of dangerous spent fuel was stored in a pool full of water at the top of the reactor building. That pool was now exposed to the atmosphere and its water was heating up. TEPCO worried that if the explosion had damaged the pool lining, it might drain and ignite the fuel in the open atmosphere, spreading lethal particles for miles around. With things on a knife-edge, no way to get water up to the fuel pool, and Unit 2’s actual reactor core appearing as though it might rupture at any moment, TEPCO evacuated Daiichi’s mentally and physically drained personnel. Just a few dozen senior managers remained to fight on alone.
This proved to be the turning point. Though the situation remained tense for weeks to come, the worst was over. One final piece of good luck helped to stabilize the plant. When Unit 4 was shut down for maintenance prior to the accident, operators flooded the empty space above its reactor lid (known as the reactor well) to enable submerged fuel extraction and transfer over to the pool via a double-gated channel. As water evaporated in the pool during the accident, it was topped up by water from the reactor well leaking around the tall steel gates. Computer simulations by the U.S. National Academies of Sciences, Engineering, and Medicine concluded that if this hadn’t happened, the pool’s fuel would have been exposed by early April, at which time it remained inaccessible.
Then there’s the question of timing. Had the disaster occurred at night or over a national holiday, when plants operate with a skeleton crew, getting everyone back to work would have taken hours or even days, and most may well not have made it. Had it occurred during a storm such as Typhoon Hagibis, which battered Japan in October 2019 with winds of up to 160 miles per hour, venturing outside to perform any kind of recovery work would have been impossible. Had it occurred at any other time of year from winter 2010 to autumn 2011, rather than March 2011, a weather analysis predicted that up to 85 percent of radioactive particles like caesium-137 would have settled on land around the world, as opposed to the 22 percent that ended up mostly in the Pacific Ocean and Arctic regions.
Many things happened at Fukushima Daiichi that are not discussed here, incidents that came down to excellent engineering or selfless determination from the people involved rather than luck. But industrial disasters will always have some element of chance, and the events above involve more luck, both good and bad, than your average catastrophe. If anything, the disaster highlights the well-known importance of designing heavy engineering projects to cope with any eventuality, rather than putting your trust in chance.
Andrew Leatherbarrow is author of Melting Sun: The History of Nuclear Power in Japan and the Disaster at Fukushima Daiichi.