Joshua Pollack

Cascading Failures

No one knows where Japan’s ongoing nuclear disaster will end. The current signs are ominous. We can only hope that the spent-fuel ponds can be prevented from boiling off. In the meantime, we can try to draw out some of the implications of the event. I’ve attempted that in my latest Bulletin column.

The first and simplest point is that Fukushima is both the first nuclear disaster resulting from a natural disaster and the first serious failure of multiple reactors at once. These observations are related. Every other serious event – Windscale, TMI, Chernobyl, etc. – was a one-off caused by internal failures of some sort. What’s happening in Japan isn’t the same at all; this is a natural disaster that has cascaded into a hydra-headed technological disaster.

A compound event isn’t so unusual in itself, although we sometimes don’t fully register them, preferring for some reason to emphasize the “natural” part of what are really natural-technological disasters. Just to pick one example: the inundation of a major city in 2005 gets shorthanded as “Hurricane Katrina,” and not as “The Great New Orleans Multi-Point Levee Failure.”

All Together Now

Group failures are unlikely to happen by sheer chance. Lightning rarely hits two houses next to each other on the same night. It’s more likely that a single wildfire will engulf both of them. This phenomenon is known to statisticians as “tail dependence.” This paper defines tail dependence as “the tendency of dependence between two random variables to concentrate in the extreme values… such that severe losses are more likely to happen together.”

In other words, there are situations that cause everything to crash at once. As the homely proverb has it, “It never rains but it pours.” Anyone living in the PEPCO service area will understand.

That’s a real problem for nuclear power that has perhaps not been adequately recognized. Extreme events may be rare in any given spot, but from a global and multi-decade perspective, they’re more common. Disasters will happen. As a result, some will argue that nuclear power should be abandoned; others will argue that we can live with the risks. But these are the same arguments as ever, really. Reactors will continue to be built, but existing levels of safety won’t suffice.

Previous experience may teach us something about multi-decade efforts to manage catastrophic risks. Insurance companies have known since the 19th century not to insure properties next door to each other, and not to write too many policies in any single city (back in the days before asbestos insulation, when entire cities could and did burn up). It’s reasonable to ask now whether the next generation of nuclear power plants should be quite so bunched up, where the same natural disaster can clobber several of them at once.

Update | March 25, 2011. In the Washington Post, David Nakamura and Chico Harlan describe the vain efforts of seismologist Yukinobu Okamura to get NISA and TEPCO to understand the implications of the year 869 earthquake discussed in my latest Bulletin column and in the comments here.


  1. Chemster (History)

    Good point, but I suspect that NIMBYism will outweigh common sense, so with a limited number of realistic locations, reactors will continue to be bunched up.

  2. Carl Vehse (History)

    … and not only NPPs but their emergency backup diesel generators and fuel supplies located in the same place on the coast where an earthquake and resulting tsunami might be expected.

    Similarly, in the midwest, tornado shelters are not built on the roofs of houses.

    • judith weingarten (History)

      This brings up a question that has been on my mind but that hasn’t been addressed afaik: why site a nuclear plant right on that coast at all, not very far from a known fault line with all the consequent tsunami dangers?

    • kme (History)

      Proximity to a large ultimate cooling water supply / heat sink. It’s either a large river or the ocean (the same applies to coal-fired plants), and Japan isn’t endowed with a great many large rivers.

  3. yousaf (History)

    It’s not quite an “extreme event” or black swan.

    It was predicted quite precisely:

    “This source (Mw=8.1 to 8.3) is much larger than the anticipated Miyagi-oki earthquake (M~7.5) with 99% probability in the next 30 years.”

    They specifically mentioned tsunamis.

    • joshua (History)


      Thanks for the reference. The abstract is ambiguously written, though. From context, I think that what was supposed to be assigned 99% probability for the next 30 years (counting from 2007) was actually “the anticipated Miyagi-oki earthquake,” not the Heian-period earthquake-tsunami, described as “much larger” than the former.

    • JT (History)

      But the problem here was not an 8.1-8.3, but a 9.0 event. From what I’ve heard, an 8.1-8.3 event might have been survivable, and no-one was predicting a 9.0. Recall the logarithmic nature of the earthquake scales: this was an enormous event!

    • joshua (History)

      By way of further clarification, there is a fault-line nearby that generates serious earthquakes (but nothing like last Friday’s event) every 25 to 30 years. The last two “Miyagi-oki” quakes took place in 1978 and 2005. They are indeed widely anticipated.

      For more, see:

  4. CaptainCanuck (History)

    To yousaf’s point, see the August 11, 2007 article in the Asia-Pacific Journal “Japan’s Nuclear Plants at Grave Risk From Quake Damage”, by Professor Katsuhiko Ishibashi.

    Professor Ishibashi resigned in protest from the panel that set seismic design standards for nuclear facilities in Japan.

    • joshua (History)

      Another really good find. But notice that the author is talking about “mere” 6.8 or 7.5 magnitude quakes.

    • Cameron (History)


      While the author was only warning about the dangers that could occur from a 6.8-7.5 magnitude quake, his analysis was that the siting and regulation were not sufficient to deal with those lesser quakes.

      While the level of the quake itself was high enough to be an extreme event, in Ishibashi’s view it didn’t need to be to cause the havoc that we’re seeing. While the extra point of magnitude compounds the problem, the article suggests that we had already passed a point where critical damage was done.

      I don’t have the technical background to say if this is true or not. Do you think that the extra magnitude contributed significantly to the damage?

    • joshua (History)

      The facts aren’t in yet, but FEPC has stated that it was the tsunami that was in excess of expectations. I would guess it was both the quake and the tsunami — 9.0 magnitude quakes don’t come along every day.

    • Seb Tallents (History)

      Joshua, great article, thanks.

      Something I’ve been thinking these last few days is too much faith in multiple redundancy, which only reduces risk if failure of each backup is independent. This is not the case with some natural disasters. Moreover, as you say, multiple problems at the same time at the same site (or more) are going to tax the logistical ability to respond.

      People are saying this Tsunami was 1/1000, but over a 50 year life time, that is a 5% chance over the lifetime of the plant that you lose all power to the site. It seems pretty much that this design will inevitably get to this situation if there is no power for a protracted period of time; multiple redundancy here has got us precisely nothing in terms of reduced risk of disaster and skipped over the bulk of the defensive depth.

      It actually starts to look like this is the most likely way for this plant in this location to fail overall, which looks really bad in some respects: the most likely reason for the plant to go into crisis is one that is “unanticipated”, but really… when people say that it was unanticipated that a plant on the coast of a country that has a rich and varied history of earthquakes, whose language gave us the word Tsunami, and whose engineering is obsessed with “the next big one”, it is not persuasive that nuclear plants can be designed safely…

      Rather, albeit in retrospect, it does look to me like requirements that at least some sets of safety features in a given set of backups should be partially passive and not require onsite power would have mitigated the problems they are having. Later designs of BWR for example do not need pumps for cooling the core I believe.

      Also, having the spent fuel rods outside of secondary containment seems to be a big contributory factor in making the site difficult to work on.

    • Eve (History)

      Multiple redundancy should be mixed liberally with no brainers….

      1) was the diesel all stored in white storage vessels close to the shoreline? If it was then it was apparently wiped out immediately due to the tsunami

      2) a gravity fed water supply

  5. Dan (History)

    If the last workers have been withdrawn, is there any hope of avoiding a full meltdown?

    • joshua (History)

      I hope I’m wrong about this, but I don’t see how. Unless they think that the danger will subside and let them send their people back in, I just don’t see a happy ending at this point.

    • Dan (History)

      I found a blog that shows close-up photos of Reactor 3 and Reactor 4 taken sometime after Reactor 4 exploded:

      Reactor 3 looks like a smoldering heap of metal, and Reactor 4 is in bad shape. Yikes.

    • rwendland (History)

      It struck me that the immediate worry was criticality in the Unit 4 spent fuel pond, after the fire. I caught a mention on the BBC of planning to add water and Boric Acid to the pond (before the workers withdrawn announcement) – though maybe that was a journalist mistake.

      Unit 4 was shut down 30 November 2010 and defuelled to the pond according to IAEA. So the fuel will still be generating quite a bit of heat. How likely is melting into a critical mass?

    • joshua (History)

      A recent TEPCO press release states clearly that they are still conducting water injection operations at the site. Unless something has changed since then, work continues.

    • joshua (History)

      According to the NYT, TEPCO has indicated that there are now 100 workers at the site.

    • John Schilling (History)

      “Melting into a critical mass” is, strictly speaking, impossible. The critical mass for reactor-grade uranium in isolation, and I believe also thermal-reactor MOX fuel, is infinite. Criticality, and thus significant nuclear fission activity, can occur only when the fuel is combined with moderator and/or neutron reflector materials in a particularly favorable geometry.

      The odds of this happening by chance are extremely small even without the boron addition. Reactor fuel is, generally speaking, the lowest level of enrichment at which a significant fission reaction can be arranged by people who are trying real hard to do so. If we were dealing with highly-enriched uranium, or undiluted plutonium, criticality events in storage or processing would be a concern. That has happened elsewhere, including once in Japan (the Tokaimura incident), but doesn’t seem to be an issue here.

      The present risk, which is not small, is due to the decay of the fission products that were accumulated in the past when the fuel elements were installed in an actual nuclear reactor – that inventory of radioactive materials can now only decrease, but for some time to come the spent fuel will be quite hot in both senses of the word.

    • rwendland (History)

      John, thank you for that comprehensive reply, which I find convincing.

      However worth pointing out that the BBC, and some other media, report that a TEPCO spokesman said for some reason “The possibility of re-criticality is not zero”. The BBC used this in the context of the pools, but “re-criticality” suggests maybe the spokesman is talking about the pressure vessels.

      Given TEPCO’s tendency to underplay problems, “not zero” sounds a bit worrying, though could mean extremely small. It could also be journalists cherry-picking the most worrying comments out of context.

  6. TerryBelton (History)

    Largest earthquakes in the World Since 1900 (Pacific Basin):
    1952 Kamchatka 9.0
    1960 Chile 9.5
    1964 Alaska 9.2
    Tsunami heights after 1964 Alaska quake:
    67 meters in Shoup Bay
    31.7 meters at Passage Canal
    Is there some reason that these then-contemporary events were not factored into the design considerations for the Fukushima Daiichi plant?

    • Alan (History)

      Terry – I think the extreme heights of the tsunamis you mention were a product of local landslides as a result of the 1964 earthquake and the surrounding terrain – i.e. a huge displacement within a confined bay or inlet. Similar factors possibly don’t apply in the Fukushima case.

    • Eve (History)

      In the boxing day tsunami, runup heights in Aceh at Lhoknga, exceeded 30 meters.

    • Alan (History)

      I think off Aceh there are also islands that create a 20 mile or so channel toward the city. I believe it would also depend on the comparative sea depth off Aceh v Fukushima – if it is shallow for a long way out the wave would be higher. Either way, I would have thought the modelling would depend on a variety of geographic factors that makes simple comparison of wave height unreliable.

      What exactly were the tsunami defence measures at Fukushima? Does anybody have a link that details them? People say 10m or 20m wave protection, but what exactly did that comprise of?

    • Eve (History)

      Tsunami defence measures at Fukushima – it looks like there was some, but you may wish to look at this failure in a specifically designed Tsunami wall. This structure was 10 m high for a village with repeated Tsunami. The wall was breached by a wave 4 m higher than the wall and the village destroyed.

    • Eve (History)

      The largest tsunami ever recorded in Japan was in 1896 and was 38 meters high

  7. Bill (History)

    I have read recently about the micro-reactors, some of which are used to power small communities in remote areas. Is it practical to have micro-reactors as the primary reactor(s) in the US and elsewhere? Taking Japan as an example, having micro-reactors (instead of large megawatt reactors) would have presented only a small percentage of the potential problems currently being faced. And if I am understanding correctly, much of the support and other aspects of large reactors are not needed for the micro-reactors, as they are a much more self-contained unit.

    Food for thought anyway – enjoyed your article and site very much.

  8. Andrew Tubbiolo (History)

    Taking the argument a bit further one has to ask what happens when society and its fission reactors meet other disasters? Conventional warfare, economic privation, or social unrest? Any one of these manmade disasters could deny the post shutdown cooling needed to trip these systems into runaway. Keeping in mind that nations will keep and maintain fission reactors to breed plutonium for some sort of weapons capability, can a weaponizing reactor design be designed to avoid the kind of failures we’re seeing in Japan?

    • John Schilling (History)

      It is certainly possible in principle to design a reactor that will remain securely contained with only passive cooling. In practice, it seems to be considered acceptable to require e.g. refilling a gravity-feed external cooling water tank every few days. This may be a reasonable compromise between engineering economics and safety.

      The 1967 practice of requiring near-continual active cooling under pressure, no longer seems quite as reasonable. Unfortunately, I suspect the military plutonium breeders will be most immune to the pressure to learn from recent experience, as their operators can usually hide behind the “secret – national security – trust us” mantra.

    • Eve (History)

      I’d like to know how they’d also respond in say an X10 to X20+ class CME or solar flare. A simple case of station blackout or would it be that the proximity of the turbines and transformers also lead to a cascading set of failures? I think this is pertinent since we have already had two earth-directed X-class flares in this solar cycle and there are indications that this cycle will be a potentially strong one.

  9. lsxaq (History)

    Nature took charge of policy and swiftly decommissioned Fukushima.

    • Eve (History)

      Albert Einstein once said “Necessity is the mother of all invention” I believe his statement is not only true, but prudent.

      This is where we need some swift inventing/ingenuity to combat the multiple ‘mission impossible’ clean ups and the current problems on the run. The quicker we plug this one, the quicker we retreat from an INES6-7 legacy.

      I guess it is also a chance to diversify and evolve from the idea of 4 steel-cement sarcophaguses, because will it now ever be possible to really pull Daiichi apart now?


      1) Liquefied borosilicate sand to be pumped into the fuel ponds and perhaps containment vessels. Perhaps combined with in-situ vitrification like they used at Woomera-Maralinga for the clean up of British buried waste?

      2) Perhaps those guys making FOGBANK turn their capabilities for producing copious amounts of borosilicate aerogel that can be put into place????


  10. moonkoon (History)

    It could be that the multiple failures now evident at all six of the Fukushima reactors within a few days of each other have one common initiator. The tsunami is the obvious candidate. Not so much the flooding but what happened after the inrush of water when the water receded to far below its normal level. Tsunami water levels are alternately excessively high and, perhaps more damaging to the reactors, excessively low. It could be that all the secondary cooling water intakes were left high and dry for some minutes. This would have played havoc with the heat exchangers and other plumbing, setting the scene for the subsequent primary cooling circuit problems.
    A few minutes with no water before the next wave thundered in may have set off the unfortunate and tragic chain of events that we are witnessing. My thoughts and prayers are with the brave workers who are currently risking their lives to minimize the damage.

  11. FSB (History)

    Re. the insurance companies and that whole angle that you mention, see the recent point-counterpoint in the journal Nature:

    IMHO, the Counterpoint is more convincing.

  12. Mark Gubrud (History)

    As Bill comments, if nuclear power has any future at all, the next move is likely to be to much smaller reactors, e.g. 50 MW instead of 500-1000 MW. Giant reactors are dependent on external cooling even after shutdown, and are difficult to keep under control if something goes wrong. Much smaller reactors could be made “walk-away safe” and much less vulnerable to damage by earthquakes, plane crashes or any other catastrophic events. They could be factory-sealed and delivered by truck, then returned to the factory for refueling after 20 years or so. The fuel cycle would be much less conducive to proliferation, although waste disposal would remain an issue. Small reactors could be located close to industrial users or rural communities, or 20 of them could be sited together to make a GW plant. Economies of scale might be lost, but given the safety issues total costs might be lower even without a major accident.

    I don’t know if this is actually a good idea. But it’s quite likely to be the direction for nuclear power in the future.

  13. Red_Blue (History)
  14. Red_Blue (History)

    Maybe it won’t be stuck in the moderation queue by this way:
    Comparison of historical earthquakes and tsunamis to operating and decommissioned nuclear reactor locations (Coalition for Environment and Development, sourcing further NOAA, NASA, NGDC, INSCDB and Wikipedia)

  15. Danny Bachman (History)

    Great post, and has more applications than you might think. Multiple systems failure is a good way to describe what happened in the U.S. mortgage market. And the idea of “tail dependence” might just have been useful for people pricing Mortgage Backed Securities…the failures of individual mortgages were not independent events.

    Thanks to everyone for the info about the power plant. This economist is only just learning how this stuff works.

  16. Red_Blue (History)

    Wikileaks at it again.

    “6. (SBU) On earthquakes and nuclear safety, the IAEA presenter noted the Agency has officials in Japan to learn from Japan’s recent experience dealing with earthquakes and described several areas of IAEA focus. First, he explained that safety guides for seismic safety have only been revised three times in the last 35 years and that the IAEA is now reexamining them. Also, the presenter noted recent earthquakes in some cases have exceeded the design basis for some nuclear plants, and that this a serious problem that is now driving seismic safety work. The IAEA is issuing a new guide on seismic evaluation to accompany existing guidelines on seismic hazard and design. Finally, the IAEA noted it had launched an International Seismic Safety Center at its September general conference to enhance safety, develop standards, pool and share knowledge.”

    “2. (U) On March 24, the Kanazawa District Court ordered the Hokuriku Electric Power Company (Rikuden) to shut down operations at Unit Two of its Shika Nuclear Power Plant (NPP) due to safety concerns over its ability to withstand powerful earthquakes. A group of 135 plaintiffs from across the country filed the suit against Rikuden in May 2005, after the operator began trial operations, arguing that its anti-seismic design was insufficient and the advanced boiling water reactor (ABWR) design was inherently dangerous. The suit followed up on an earlier unsuccessful attempt to halt the construction of the new reactor. The plaintiffs pointed to a study commissioned by the GOJ’s Earthquake Research Committee that concluded there was a two percent chance that an earthquake with a magnitude of 7.6 or higher could occur along the 44-kilometer long Ochigata fault, which runs near the NPP. The unit was built to withstand a magnitude 6.5 earthquake. The plaintiffs claimed that Unit Two was built to seismic specifications established more than two decades earlier and therefore posed a direct threat to their safety.”

  17. joshua (History)

    My apologies for the long delays in moderation today. It couldn’t be avoided.

  18. George William Herbert (History)

    I’ve been avoiding this thread for a bit but wanted to comment now.

    I do information technology as a day job, consulting on and as an expert in dependability and reliability. We’ve had some pretty catastrophic common mode failures (surprise – lots of unrelated things were in or near the WTC and all went out at once! Or in or near New Orleans! Or…).

    At some point, you have to say “Well, we’ll have to wing it” in disaster planning. The “What if an accident takes out all of your power lines, grid, and local backup generators” is a pretty big thing to have to handle. I can’t recall something that did that in a modern industrialized city for very long other than Katrina in New Orleans.

    I think the wider question would be, how would the rest of the industry and other designs stand up to an extended Loss Of Power Incident?

    I know that a lot of petrochemical facilities expect that they’ll have hard shutdowns with high chance of fire.

    Chemical plants with serious hazmat usually have onsite UPS to allow shutdown.

    IT facilities and telco facilities have generators and big battery banks, but after a few days you’re out of luck if you can’t refuel or get grid power restored.

    Perhaps the lesson is simply that there needs to be more defense in depth for LOPA events. Better portable generator plugin options, in-place water feed lines to run external water supplies up to the critical areas (both reactors and spent fuel storage). Stores of solids that can be dumped into the cooling pond and which will melt if the water temp hits near 100C, and which will then form a new liquid bath (at higher temperature, but that can still protect the fuel…). Sodium’s melting point is right, but its compatibility with water is …. poor. As for phosphorus and potassium and rubidium. Gallium has potential, as does iodine. Gallium’s high boiling temp (2477 K) is good; its availability (100ish tons a year produced) is terrible. Iodine boils at 457K, which isn’t that high and isn’t great (184 C). But it’s better than boiling water and is entirely water compatible, for cleanup afterwards etc. Perhaps a two-step process; Iodine as the water boils away, then something like… hmm… indium (MP 429K, BP 2345 K), or another “low temperature solder” like material. Worldwide production of Indium is about 1,100 tons from new mining or recycling; there are various low temperature solders that use less indium… and some that don’t at all…

    Whole pile of “solder” alloys listed on:
