Fukushima Japan Earthquake: nuclear plants Fukushima part 2

[nikkkom]

Sorry to make a rift here everyone.

As for zapper, you mention that I don't seem concered enough that a "fukushima" accident isn't in the DBA.

First off, if I got to a Fukushima accident, it probably means my DBA probably wasn't determined correctly. The DBA is supposed to include the worst case environmental impacts to the plant. So if I got to Fukushima, then it means that I never determined my DBA right. I then have to ask, how do I know putting a "Fukushima" accident in the license requirements is going to actually cover a Fukushima accident, when I couldn't even determine my normal accidents correctly. This is why Fukushima needs to be covered as a beyond design accident.

The DBA for a nuclear plant is essentially as follows: Worst case initial conditions (reactor overpower, lowest lake level, hottest temperaturs, lowest emergency generator fuel storage, etc etc), all safety systems in service, initiating accident, single limiting failure, no human action for 30 minutes, plant is automatically stabilized/made safe, cold shutdown achieved within 36 hours and maintained for 30 days. No core damage if it is an anticipated event. Minimal release is allowed for abnormal events (once in the life of the plant type events). Only postulated events like a LB-LOCA allow for any fuel damage or release approaching the limits of your license.

A fukushima accident requires assumptions that go far beyond the DBA definition. As such, it really fits in with the other accidents, that are non-DBA. Examples of these are station blackout and ATWS. Things that have a high liklihood of occurring, or an unacceptably high consequence if it did occur. Under beyond dba, my initial conditions are what the regulator tells me. Unlike a DBA, I don't need to use the most limiting conditions, instead I only need to demonstrate reasonable assurance that I can protect against the event. This means I'm allowed to use portable equipment, manual operator actions, I'm allowed to assume I start from realistic conditions, I'm allowed to violate my operating license (if it is required for the health and safety of the public), I'm allowed to repurpose equipment as necessary. The goal is to meet the requirement of the accident. For SBO, I have to survive my coping time without violating any design limits of the plant. For BWR ATWS, I have to be able to reduce power independent of the scram system to a point where the plant can survive without violating its safety or design limits long enough for boron injection to complete. My initial conditions and success criteria of the event are what the regulator tells me.

A Fukushima event requires something beyond the definition of the DBA to get there. It fits in best with the select DBAs which have a high liklihood or consequences.

As for DBAs and design criteria for plants, I personally am a huge fan of re-validating, using present day methods, the DBAs for all plants. In the US, plants are revalidating their seismic/structural/flooding, and I think that's a huge step in the right direction. If Fukushima has shown us anything, its that as your methods change, you may find hazards you did not originally expect (or design for)

Camper.
Who cares about terminology? You can call Fukushima scenario however you want. Beyond design basis accident. Very serious accident. Or "holy crap we totally fubared our risk of flooding assessment" accident.

This is *unimportant*.

What is important that it *did happen*, and had shown that Western NPPs' preparedness for accidents is not as good as you believed.

Now you can use it to learn lessons... or not. The future of the industry depends on whether you will do that.

 

[zapperzero]

Sorry to make a rift here everyone.
As for zapper, you mention that I don't seem concered enough that a "fukushima" accident isn't in the DBA.
First off, if I got to a Fukushima accident, it probably means my DBA probably wasn't determined correctly.

Yes. The problem here is that the design basis for Fukushima 1 was practically the same as for similar reactors in the US.

The DBA is supposed to include the worst case environmental impacts to the plant. So if I got to Fukushima, then it means that I never determined my DBA right. I then have to ask, how do I know putting a "Fukushima" accident in the license requirements is going to actually cover a Fukushima accident, when I couldn't even determine my normal accidents correctly. This is why Fukushima needs to be covered as a beyond design accident.

It doesn't follow!
You must change the process that produces license requirements until it gives sane results.

The alternative is to just say, as TEPCO is saying now, "beyond design basis, guys, sorry, nothing more we could do" - when there are clearly things that could have been done and design changes that would have prevented much/most/all of the trouble.

The DBA for a nuclear plant is essentially as follows: Worst case initial conditions (reactor overpower, lowest lake level, hottest temperaturs, lowest emergency generator fuel storage, etc etc), all safety systems in service, initiating accident, single limiting failure, no human action for 30 minutes, plant is automatically stabilized/made safe, cold shutdown achieved within 36 hours and maintained for 30 days. No core damage if it is an anticipated event. Minimal release is allowed for abnormal events (once in the life of the plant type events). Only postulated events like a LB-LOCA allow for any fuel damage or release approaching the limits of your license.

Funny how actual accidents don't fit in this category...

A fukushima accident requires assumptions that go far beyond the DBA definition.

It follows that the DBA must change!

As such, it really fits in with the other accidents, that are non-DBA. Examples of these are station blackout and ATWS. Things that have a high liklihood of occurring, or an unacceptably high consequence if it did occur. Under beyond dba, my initial conditions are what the regulator tells me.
Unlike a DBA, I don't need to use the most limiting conditions, instead I only need to demonstrate reasonable assurance that I can protect against the event.

You are off the hook, in other words! Cleared of ultimate responsibility! Act of God! BDBA! The plant is expected to fail catastrophically and if it doesn't, well that just comes down to luck.

This means I'm allowed to use portable equipment,

which may or may not get there

manual operator actions,

which may or may not be possible in the event because lolradiation

I'm allowed to assume I start from realistic conditions,

meaning, all systems nominal

I'm allowed to violate my operating license (if it is required for the health and safety of the public), I'm allowed to repurpose equipment as necessary

.
Always assuming that it is present, operable and undamaged...

The goal is to meet the requirement of the accident. For SBO, I have to survive my coping time without violating any design limits of the plant.

Even with this ridiculous amount of slack, you still get more! What is it now? 24 hours without external power?

For BWR ATWS, I have to be able to reduce power independent of the scram system to a point where the plant can survive without violating its safety or design limits long enough for boron injection to complete. My initial conditions and success criteria of the event are what the regulator tells me.

You are implying that operators have no input in the regulatory process, maybe? Because that's not true.

A Fukushima event requires something beyond the definition of the DBA to get there. It fits in best with the select DBAs which have a high liklihood or consequences.

That's exactly what TEPCO is saying. Of course, they are lying even by their own definition. For example, the plant was supposed to be protected against tsunamis and TEPCO knew (and told the regulators, even) that there could be tsunamis higher than their seawall.

As for DBAs and design criteria for plants, I personally am a huge fan of re-validating, using present day methods, the DBAs for all plants. In the US, plants are revalidating their seismic/structural/flooding, and I think that's a huge step in the right direction.

It is very good that they are looking at seismic, structural and flooding damages. However the ultimate cause for the catastrophic failures at Fukushima was an extended station blackout, including loss of DC power. This can happen in many ways, not just by flooding.

If Fukushima has shown us anything, its that as your methods change, you may find hazards you did not originally expect (or design for)

It hasn't shown anything of the sort. The tsunami hazard was well known when the plant was being designed (there was/is even a puny wave-breaker dike thing). Nothing new there. The problem was with the regulator allowing TEPCO to assume they would only have to defend against the smallest tsunami ever, functionally no different from a large storm.

 

[zapperzero]

Just to keep some international perspective, here's my post from two years ago:

Thank you! I had been looking for it!

 

[rmattila]

My primary concern at Western plants and Defence-in-depth thinking is that the plant's internal electricity grid appears to be recognized simply as provider of power to the equipment, not as a means for fault propagation. There are several possible failure modes in the plants' busbars, including lightning overvoltages (or the main generator going crazy), undervoltages, phase shifts, frequency errors, harmonics etc. that can potentially damage any equipment connected galvanically to the main busbars.

Yet, whenever you go to an international meeting about the lessons learned from Fukushima, the talk is all about how portable diesel generators connected to some points within the plant's internal grid will solve all electricy-related issues.

We are now backfitting the old plants with an arrangement capable of cooling the core even if all equipment connected to the plant's main busbar-including valve actuators with very few exceptions - are postulated lost due to beyond design basis electrical failure. This requirement is included in the new regulatory guide published next week, and old plants will also be required to fulfil it. Probably this will mean direct diesel-driven pumps or RCICs with special emphasis on the operability of valve line-up. Check valves inside the containment, and possibly fail-open valves outside it.

 

[zapperzero]

http://www.tepco.co.jp/en/news/libr...209002&bclid=347242463002&bctid=642054611002v

 

[westfield]

I'm trying to discuss what the plant ALREADY has installed to meet its design basis requirements. SGTS is not inadequate for design basis accidents, its only inadequate in an extended total loss of power with damage to your permanently installed plant systems. This means a filtered vent is not required to maintain the public safe during design basis accidents. In no case during a DBA would you need a passive filtered vent to make the plant safe. The installation of a passive filtered vent does not help you at all for any design accident, and provides very little if any net benefit. From an engineering/reactor designer perspective its more of a warm fuzzy, because you already have nuclear safety grade equipment which performs that function. (Now if we were designing a new plant, you sure as **** can bet that I would design a passive filter in, but talking about existing plants, you already have something for that)

<snip)

That's my view on it as a plant design engineer.

Ok, that's clearer. I'm trying to broaden my understanding of why these hardened vent systems are even fitted to these plants when they are not filtered, it's like they never intend to use them.
I appreciate your real life knowledge in the subject. NPP designer I am not :)

Are you able to clarify something.

Disregarding which venting system, is venting (to the environment) at close to or exceeding the design pressure of the RPV considered something that might be required in a DBA or would that be only in the BDBA realm?

 

[westfield]

http://www.tepco.co.jp/en/news/libr...209002&bclid=347242463002&bctid=642054611002v

I guess introducing the crud from SFP4 to the common fuel pool isn't something that bothers them. I have no basis for thinking it would be an issue but it seems odd to me that they wouldn't clean them somehow as they transferred them.

Not as odd as the blurring of the videos though.

 

[zapperzero]

it seems odd to me that they wouldn't clean them somehow as they transferred them.

I don't suppose anyone bothered to make (and test!) a procedure for that.

 

[Rive]

I guess introducing the crud from SFP4 to the common fuel pool isn't something that bothers them.

They made some cleaning before moving the bundles.
http://www.tepco.co.jp/news/2013/images/131112a.pdf
Page seven.

Ps.: sorry, I can't check the vid from here, I had to guess what's it about.

 

[westfield]

They made some cleaning before moving the bundles.
http://www.tepco.co.jp/news/2013/images/131112a.pdf
Page seven.

Ps.: sorry, I can't check the vid from here, I had to guess what's it about.

Good guess. The vid showed a fair amount of sediment falling from bottom of the fuel assembly as it was extracted from the cask and moved through the gate into the pool of the common fuel pool.
Presumably some of the sediment from each transfer remains in the cask as well.

 

[Hiddencamper]

Ok, that's clearer. I'm trying to broaden my understanding of why these hardened vent systems are even fitted to these plants when they are not filtered, it's like they never intend to use them.
I appreciate your real life knowledge in the subject. NPP designer I am not :)

Are you able to clarify something.

Disregarding which venting system, is venting (to the environment) at close to or exceeding the design pressure of the RPV considered something that might be required in a DBA or would that be only in the BDBA realm?

For a BWR, venting is not required in the design basis accident. Containment spray is credited for temperature/pressure control of the containment during an accident.

Depending on plant design, between 10-30 minutes after a LOCA, if the containment pressure is still high, the safety logic will transfer one of your RHR pumps from its LPCI mode to the containment spray mode. In this mode, the RHR heat exchanger is brought in service automatically, the LPCI injection valve shuts, and the containment spray valves open, making it rain in containment. This greatly reduces pressure and temperature, and is used for containment P/T control while you still have a steam environment. (Containment spray is so effective, that an inadvertent actuation will create a vacuum in containment, and could damage containment if you don't stop it in a timely fashion. Many plants have interlocks/permissives to help prevent this).

In this mode, heat is transferred from the containment steam atmosphere to the spray droplets, down into the suppression pool. RHR takes suction from the suppression pool and passes it through the RHR heat exchanger and then back through the sprayers. The heat exchanger transfers the heat to the ultimate heat sink. One of the design requirements for the BWR DBA LOCA is that peak containment pressure stays below the containment design pressure (45-65 PSIG for Mark I/II containments, 15 PSIG for Mark III containments). Containment spray is credited for that.

Under DBA, the Standby gas treatment system is only required to deal with any primary containment leakage. It is assumed you leak around 0.5% of your containment volume per day. standby gas treatment is required to filter this radionucleide inventory prior to release. In some plants, standby gas treatment can also be lined up with the containment if needed, although this is not a safety mode of operation, and is disabled/isolated while a LOCA signal is locked in. The idea is that SBGT cleans up leakage until you stabilize the plant, cool it down to clear the LOCA signal, then (in most plants) you can use SBGT to help clean up the containment atmosphere so workers can get into it. SBGT is not meant for venting a high temperature/pressure containment, only a low temp/press one.

 

[LabratSR]

I don't suppose anyone bothered to make (and test!) a procedure for that.

It is interesting that you don't see that on the assembly(probably not the same assembly) that is being removed from the spent fuel pool.

http://youtu.be/0iXZjK45uv0

I suppose that tipping the cask over for transfer and then tipping it back up at the common pool may dislodge crud from inside the assembly.

According to TEPCO's press release, they are going to pause and review the first transfer before continuing. It will be interesting to see if they look at this problem, not that I expect to see any further videos of fuel transfer.


"The work to extract the fuel from the Unit 4 spent fuel pool will shortly pause for a scheduled safety review of procedures and methods. Any necessary refinements will be implemented in the next rounds of extractions."

http://www.tepco.co.jp/en/press/corp-com/release/2013/1232330_5130.html

 

[turi]

The censoring of some parts of the pictures seems to be part of countermeasures against theft of nuclear material. Tepco also asks the media to refrain from publishing information which might reveal things like guard's schedules, info on where which fuel is stored, when and where it is transported etc.:
http://www.tepco.co.jp/en/press/corp-com/release/2013/1232348_5130.html
Personally I'd rather have full transparency and a few more guards...

 

[LabratSR]

I'm totally for MORE transparency by TEPCO but this is a security matter and I don't think its wise for the press to be publishing the cask transport timing or close up photos of cask security measures that have been otherwise blurred by TEPCO. In my opinion, publishing stuff like that does not add to the publics understanding of the event and adds to the security risk.

 

[turi]

I'm totally for MORE transparency by TEPCO but this is a security matter and I don't think its wise for the press to be publishing the cask transport timing or close up photos of cask security measures that have been otherwise blurred by TEPCO. In my opinion, publishing stuff like that does not add to the publics understanding of the event and adds to the security risk.

My issue with this is that it smells a bit like security theater. But I don't blame TEPCO. These seem to be regulatory enforced measures and there are similar measures in other countries. I just feel uneasy whenever these kind of security-through-obscurity measures show up.

 

[a.ua.]

A small addition to research residual fuel in reactor 1.
http://www.fukuleaks.org/web/?p=11816

 

[Hiddencamper]

A small addition to research residual fuel in reactor 1.
http://www.fukuleaks.org/web/?p=11816

On a side note, if you look at that second picture, you are actually looking at all of the undervessel instrumentation and equipment. That picture is taken directly below the reactor vessel itself (inside the vessel pedastal). Those metal things sticking down are incore detectors. The steel grid on the top is used for supporting the incore instrumentation. Just above it (out of view for the most part) is the bottom of the control rod mechanical drive units. All those wires you see are mostly connected to incore detectors, but some of them look like the ends of the control rod information cables which hook into the rod's PIP probes.

In the middle, you see the vertical standing rectangle on some platform. That vertical thing is a hydraulic lift used to help remove control rod mechs. You raise it up, unbolt the mech, then lower it using that tool. The platform can rotate in either direction, and the hydraulic lift can slide across the platform, allowing removal of a control rod anywhere in the core.

Dose rates in this area are typically in the 100mR (1mSv) range per hour. When removing in core detectors the dose rates can be much higher.

 

[jadair1]

All this talk of DBA/BDBA is all sophistry in my opinion.

By defination a DBA is one that the designers had done the engineering and construction to handle with appropriate training and safety procedures in place.

Also a BDBA by it's very nature is one that is not considered in the engineering, construction, training and safety procedures, if it was it would be considered within the parameters of DBA.

I don't know if this makes sense but to me as soon as you start postulating "BDBA" events they become DBA events and controls should be put in place to mitigate the possibilities of these events.

For instance Tepco, in 2008 it was I believe, postulated a 9+ earthquake off the coast and resultant Tsunami but did nothing to mitigate the possible effects of these possible/probable events and we all know how that worked out!

Yes Fukashima was a BDBA event but my point is that it shouldn't have been, once you envision an event happening you should design for it, anything else is a failure of management.

 

[Hiddencamper]

All this talk of DBA/BDBA is all sophistry in my opinion.

By defination a DBA is one that the designers had done the engineering and construction to handle with appropriate training and safety procedures in place.

Also a BDBA by it's very nature is one that is not considered in the engineering, construction, training and safety procedures, if it was it would be considered within the parameters of DBA.

I don't know if this makes sense but to me as soon as you start postulating "BDBA" events they become DBA events and controls should be put in place to mitigate the possibilities of these events.

For instance Tepco, in 2008 it was I believe, postulated a 9+ earthquake off the coast and resultant Tsunami but did nothing to mitigate the possible effects of these possible/probable events and we all know how that worked out!

Yes Fukashima was a BDBA event but my point is that it shouldn't have been, once you envision an event happening you should design for it, anything else is a failure of management.

Well it kind of depends.

When you look at the actual impact on the reactor, the total loss of all class 1E power at the site is beyond the design basis of the facility, as requires multiple failure to get there, which is outside of the definition of a design basis accident. (DBAs are limited to the initiating event plus the most limiting single failure).

However...the initiator for the event was the tsunami/flood. The flood and tsunami ARE part of the plant's design basis, although flooding is not a design basis accident. Floods and tsunamis are not supposed to have an impact on the reactor, and as such, no DBAs should be called "Flood" or "tsunami" as they are not supposed to cause any accident.

So the specific event that occurred (loss of all class 1E power) is a beyond design basis accident, but the flood was supposed to be in the design basis. As you said, TEPCO determined that in 2008 (I thought 2009, close enough).

What I had read, is that TEPCO recalculated their tsunami/flood analysis several times in the life of the plant. In that most recent calculation, they determined a large tsunami could hit the site. At this point, they exercised poor technical rigor. They only considered that the flood could damage their outdoor equipment and their ultimate heat sink pumps in the seawater pump house. They did not consider a site-wide flood that would inundate their buildings. They said they were OK, because at this point the massive tsunami was not in their license yet, and they believed that they had reasonable assurance that they could protect against it (air cooled diesel generators and the ability to set up portable equipment to restore ultimate heat sink function). They then sent the results to a third party to independently review before they put it in their plant's license and designed for it. That third party review was finishing up around the time the 3/11 accident occurred.

It makes sense to me why they did what they did, and I think what we see here is a gap with how licenses work with respect to environmental impacts. Think about it. You find out that some massive flood could potentially hit your site. First, its hard to imagine the true impact of that tsunami. But even then, you and I and everyone here knows that TEPCO had two options, the first was to either make some assumptions about the damage and demonstrate they were providing reasonable assurance, or shut the facility down until they could defend against this new accident. Even if they knew the entire site could have been inundated, I highly doubt that TEPCO or the Japanese regulator would force the plant offline unless there was evidence that it had a high probability of occurring. Even in most other countries I highly doubt the regulator or the operator would have forced the plant offline until additional reviews/studies were done. They would have looked at the cumulative risk impacts and determined that the frequency was sufficiently low that the compensatory actions proposed by the licensee provided reasonable assurance.

I'm kind of brain vomitting here a little bit. But I think if you want to look at the gap here, don't look at DBA/BDBA, instead look at the fact that the regulator allowed this plant to stay online with "reasonable assurance", and that up until 3/11, just about any regulator in the world would have allowed that. That's the real issue.

 

[gmax137]

... once you envision an event happening you should design for it, anything else is a failure of management.

Really? Unless by "envision" you mean something other than "to conceive of as a possibility." Nothing else in modern society is engineered for every possibility.

Otherwise, 20,000 people wouldn't have drowned in the tsunami.

 

[Yamanote]

Really? Unless by "envision" you mean something other than "to conceive of as a possibility." Nothing else in modern society is engineered for every possibility.

Well, I guess it isn't that hard to "envision" an earthquake and a tsunami at this coast of Japan.

In modern society money matters. Tepco wasn't willing to spend the extra bucks on safety measures, so they gambled with a maximum tsunami height of 5,7m. This time they lost the game and the consequences showed us, how easily human engineering can fail.

A small addition to research residual fuel in reactor 1.
http://www.fukuleaks.org/web/?p=11816

Interesting observation - thanks for posting u.ua.

 

[Hiddencamper]

Well, I guess it isn't that hard to "envision" an earthquake and a tsunami at this coast of Japan.

In modern society money matters. Tepco wasn't willing to spend the extra bucks on safety measures, so they gambled with a maximum tsunami height of 5,7m. This time they lost the game and the consequences showed us, how easily human engineering can fail.



Interesting observation - thanks for posting u.ua.

I would check out the following link:

http://www.tepco.co.jp/en/nu/fukushima-np/info/12042401-e.html

What we do know, is they lowered the elevation of the plant quite substantially during construction for both cost purposes AND for earthquake safety purposes. We can also see in the above link how they went back and looked at their tsunami analysis multiple times in the life of the plant.

Based on this article

http://ajw.asahi.com/article/0311disaster/analysis/AJ2011110915073

we see that TEPCO felt the results were unrealistic and did not do everything they needed to until the regulator said to look at it again.

 

[gmax137]

Well, I guess it isn't that hard to "envision" an earthquake and a tsunami at this coast of Japan.

No, of course not. However, if I envision a MM 9.0 earthquake and a 12 meter tsunami do I design for that? Why not a MM 9.9 earthquake and a 15 meter tsunami? I can just as well envision a 50 meter or 100 meter tsunami. There's no upper limit to what can be envisioned. That's my point, it is senseless to say that we must design for anything we can imagine.

I'm not defending the 5.7 meter design basis. That was obviously insufficient.

The "trick" is to design for phenomena worse than ever really occur, but not waste too much time, money, and effort on something you don't need. That is harder to do than it sounds. Society has limited resources, so we have to allocate them wisely.

 

[jadair1]

No, of course not. However, if I envision a MM 9.0 earthquake and a 12 meter tsunami do I design for that? Why not a MM 9.9 earthquake and a 15 meter tsunami? I can just as well envision a 50 meter or 100 meter tsunami. There's no upper limit to what can be envisioned. That's my point, it is senseless to say that we must design for anything we can imagine.

I'm not defending the 5.7 meter design basis. That was obviously insufficient.

The "trick" is to design for phenomena worse than ever really occur, but not waste too much time, money, and effort on something you don't need. That is harder to do than it sounds. Society has limited resources, so we have to allocate them wisely.

There are historical records of Quakes and Tsunamies of MM 9+ and 15 Meters respectavily in that region. I don't know the frequency of such events but obviously they were in the general time frame.

Just as the West Coast of North America is within the frequency range of a similar sized quake and tsunami sometime within the next 100 years or so.

 

[gmax137]

There are historical records of Quakes and Tsunamies of MM 9+ and 15 Meters respectavily in that region...

...

... I'm not defending the 5.7 meter design basis. That was obviously insufficient...

 

[etudiant]

There are historical records of Quakes and Tsunamies of MM 9+ and 15 Meters respectavily in that region. I don't know the frequency of such events but obviously they were in the general time frame.

Just as the West Coast of North America is within the frequency range of a similar sized quake and tsunami sometime within the next 100 years or so.

On that basis, I think most European plants are also deficient.
Europe has had massive quakes and tsunamis well within historic times, for instance the tsunami destruction of Lisbon in 1755.
More broadly, the Storegga slide(s) caused enormous tsunamis along the UK as well as the European coast. This was less than 10,000 years ago, so presumably it should come within the Finnish 10**-5/annum criterion that rmattila highlighted above.
A similar slide off the US East coast, from a failure of the Cumbre Vieja volcano in the Canaries, is outlined here:
http://wet.kuleuven.be/wetenschapinbreedbeeld/lesmateriaal_geologie/wardday-lapalmatsunami.pdf
So I think most nuclear plant DBAs actually underestimate the risk, because the Earth throws up more surprises than we expect, due to our short life span.

 

[jadair1]

On that basis, I think most European plants are also deficient.
Europe has had massive quakes and tsunamis well within historic times, for instance the tsunami destruction of Lisbon in 1755.
More broadly, the Storegga slide(s) caused enormous tsunamis along the UK as well as the European coast. This was less than 10,000 years ago, so presumably it should come within the Finnish 10**-5/annum criterion that rmattila highlighted above.
A similar slide off the US East coast, from a failure of the Cumbre Vieja volcano in the Canaries, is outlined here:
http://wet.kuleuven.be/wetenschapinbreedbeeld/lesmateriaal_geologie/wardday-lapalmatsunami.pdf
So I think most nuclear plant DBAs actually underestimate the risk, because the Earth throws up more surprises than we expect, due to our short life span.

I don't know that DBAs should account for once in a thousand or ten thousand year events unless there is a reasonable expectation it may happen during the lifetime of the plant.

On the other hand plants built in known seismicaly active regions such as California should be designed to withstand the worst case scenario as there is a reasonable expectation the event could happen during the lifetime of the plant.

 

[zapperzero]

the total loss of all class 1E power at the site is beyond the design basis of the facility, as requires multiple failure to get there, which is outside of the definition of a design basis accident.

Wonderful sophistry. The loss of all power was due to one case alone - flooding.

However...the initiator for the event was the tsunami/flood. The flood and tsunami ARE part of the plant's design basis, although flooding is not a design basis accident. Floods and tsunamis are not supposed to have an impact on the reactor, and as such, no DBAs should be called "Flood" or "tsunami" as they are not supposed to cause any accident.

What you wrote here makes zero sense to me.

So the specific event that occurred (loss of all class 1E power) is a beyond design basis accident, but the flood was supposed to be in the design basis. As you said, TEPCO determined that in 2008 (I thought 2009, close enough).

How can an initiating event (flooding) be IN the design basis, but its direct consequence OUT of it?

It makes sense to me why they did what they did, and I think what we see here is a gap with how licenses work with respect to environmental impacts. Think about it. You find out that some massive flood could potentially hit your site. First, its hard to imagine the true impact of that tsunami. But even then, you and I and everyone here knows that TEPCO had two options, the first was to either make some assumptions about the damage and demonstrate they were providing reasonable assurance, or shut the facility down until they could defend against this new accident. Even if they knew the entire site could have been inundated, I highly doubt that TEPCO or the Japanese regulator would force the plant offline unless there was evidence that it had a high probability of occurring. Even in most other countries I highly doubt the regulator or the operator would have forced the plant offline until additional reviews/studies were done. They would have looked at the cumulative risk impacts and determined that the frequency was sufficiently low that the compensatory actions proposed by the licensee provided reasonable assurance.

I know that gambling with lives is what the process is all about, but when you put it like that, it's quite chilling. As for a high tsunami being low-probability, well, the historical record says there's at least two per 1000 years iirc? That's probable enough to be considered.

I'm kind of brain vomitting here a little bit. But I think if you want to look at the gap here, don't look at DBA/BDBA, instead look at the fact that the regulator allowed this plant to stay online with "reasonable assurance", and that up until 3/11, just about any regulator in the world would have allowed that. That's the real issue.

I should very much hope that not every regulator would have committed the same mistake, because otherwise we are due for another Fukushima event. As far as I can tell, regulatory practices and organizations have not changed (outside Japan), only specific rules are in the process of being changed - maybe, in some places.

 

[zapperzero]

The "trick" is to design for phenomena worse than ever really occur, but not waste too much time, money, and effort on something you don't need. That is harder to do than it sounds. Society has limited resources, so we have to allocate them wisely.

It's all well and fine when you put it like that. However, defending the plant against what was then a once-in-human-history event (Jogan quake/tsunami) would have been very, very cheap - a few hundred engineer-hours. How, you ask? Well, some bright souls could have been tasked with defending against tsunamis and they would have stood a very good chance of coming up with the idea of moving the damn junction boxes out of the damn basements.

End of bloody story, as far as I am concerned.

 

[Rive]

http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=ja&tl=en&u=http://photo.tepco.co.jp/date/2013/201311-j/131126-01j.html&usg=ALkJrhj47tdYCbwD2F2gE3fiT3zDVKqawA

They were a bit short with the 'http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=ja&tl=en&u=http://www.tepco.co.jp/nu/fukushima-np/handouts/2013/images/handouts_131125_08-j.pdf&usg=ALkJrhiFBpb_1HiYYvv_C2VdFD80p5eGwg'...


(Sorry for linking these google-translated versions, but as the link for the original document can be extracted from these, it's the same, but at least readable...)

 

[a.ua.]

http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=ja&tl=en&u=http://photo.tepco.co.jp/date/2013/201311-j/131126-01j.html&usg=ALkJrhj47tdYCbwD2F2gE3fiT3zDVKqawA

They were a bit short with the 'http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=ja&tl=en&u=http://www.tepco.co.jp/nu/fukushima-np/handouts/2013/images/handouts_131125_08-j.pdf&usg=ALkJrhiFBpb_1HiYYvv_C2VdFD80p5eGwg'...


(Sorry for linking these google-translated versions, but as the link for the original document can be extracted from these, it's the same, but at least readable...)

http://ex-skf.blogspot.com/2013/11/tepco-is-removing-spent-fuel-assemblies.html
......

 

[gmax137]

How can an initiating event (flooding) be IN the design basis, but its direct consequence OUT of it?

Well, because the design basis is quantitative. It isn't just "flooding" -- it is "flooding to elevation xxx."

The General Design Criteria say

Criterion 2—Design bases for protection against natural phenomena. Structures, systems, and components important to safety shall be designed to withstand the effects of natural phenomena such as earthquakes, tornadoes, hurricanes, floods, tsunami, and seiches without loss of capability to perform their safety functions. The design bases for these structures, systems, and components shall reflect: (1) Appropriate consideration of the most severe of the natural phenomena that have been historically reported for the site and surrounding area, with sufficient margin for the limited accuracy, quantity, and period of time in which the historical data have been accumulated, (2) appropriate combinations of the effects of normal and accident conditions with the effects of the natural phenomena and (3) the importance of the safety functions to be performed.

What this means in practice (as outlined in the associated Regulatory Guides) is that to get the plant license, the owner has to show that the plant is above the maximum flood level -- so during "the design basis flood" no water gets into the buildings or anywhere else that would cause problems. So, if you have a flood higher than that, it is "beyond design basis."

To actually design the plant, you can't just tell the engineers "build it so it will never flood." Someone has to say, "if we build it at elevation xxx it will not flood." You have to pick a number, and go with it.

What we've seen over the past 40 or 50 years is that it is discovered or recognized that the design basis flood level at the time of plant licensing was too low and there is a probability that an actual flood will be higher. This can happen either because the design basis flood was selected incorrectly (e.g., neglecting past events for some faulty reason), or because changes in the physical landscape affect the flood level (this happens to plants along rivers), or because the people who determine the maximum flood level (like the US Army Corps) get smarter and have better models of the flooding...

Since it is not really possible to raise the entire plant to a higher "dry" elevation, some compensatory actions must be taken (build a higher seawall, move the junction boxes, etc.). None of these is as satisfactory as having the plant above the flood waters, but the regulators have to make the decision: are the compensatory actions adequate, or should the license be suspended? And the owners have to decide, how much further do they need to go to protect their assets. One of the lessons to the plant owners from Fukushima should be that simply meeting the regulator's requirements isn't necessarily enough to protect their assets and financial interests.

 

[gmax137]

... defending the plant against what was then a once-in-human-history event (Jogan quake/tsunami) would have been very, very cheap ...

I agree completely with this. The plant owners should see it as in their own best interest to protect their multi-billion dollar assets regardless of what is considered adequate by the regulator. Ceding their responsibility to the regulator is inexcusable in my opinion.

 

[LabratSR]

TEPCO appears to have created a web page for tracking the fuel transfer progress.

http://www.tepco.co.jp/en/nu/fukushima-np/removal4u/index-e.html

 

[LabratSR]

Here's a little gas to throw on the fire.

"There is no fact that TEPCO failed to take adequate measures to prevent all power loss caused by tsunami, informed by NISA in 2006"

http://www.tepco.co.jp/en/nu/fukushima-np/info/12051601-e.html

 

[etudiant]

Here's a little gas to throw on the fire.

"There is no fact that TEPCO failed to take adequate measures to prevent all power loss caused by tsunami, informed by NISA in 2006"

http://www.tepco.co.jp/en/nu/fukushima-np/info/12051601-e.html

A fine piece of bureaucratic buck passing indeed.
The plant was nicely secured against a 5.7m tsunami, apart from a few niggles that it made everyone feel good to fix.
Clearly no one took a step back to ask whether this was enough, given the historic record.

 

[etudiant]

I don't know that DBAs should account for once in a thousand or ten thousand year events unless there is a reasonable expectation it may happen during the lifetime of the plant.

On the other hand plants built in known seismicaly active regions such as California should be designed to withstand the worst case scenario as there is a reasonable expectation the event could happen during the lifetime of the plant.

I'm not sure this logic is reassuring to me.
The lifetime of the plant is probably a century, so you can indeed reasonably argue that experiencing an earthquake of some size is pretty certain if the plant is in California or Japan.
By the same token, a century is also a sizeable fraction of the interval between other infrequent natural catastrophes, so ignoring those as beyond DBA seems pretty risky to me.

 

[jadair1]

I'm not sure this logic is reassuring to me.
The lifetime of the plant is probably a century, so you can indeed reasonably argue that experiencing an earthquake of some size is pretty certain if the plant is in California or Japan.
By the same token, a century is also a sizeable fraction of the interval between other infrequent natural catastrophes, so ignoring those as beyond DBA seems pretty risky to me.

This was kind of what I was saying that plants in earthquake prone areas such as Japan and California should plan for catastropic earthquakes and tsunamis if applicable to the location.

If they cannot be designed to withstand a possible event they shouldn't be built and if existing plants cannot be brought up to acceptable standards they should be shut down and decommisoned as soon as practically possible.

BTW the expected life of the older NPPs was 40 years, some have already been decomisioned in the states IIRC and others are looking for extensions to their operating licenses.

 

[etudiant]

BTW the expected life of the older NPPs was 40 years, some have already been decomisioned in the states IIRC and others are looking for extensions to their operating licenses.

As you say, the initial approval is based on an expected 40 year life, but I believe there is no engineering reason to shut the plant then. There had been concern about possible cumulative damage to the reactor pressure vessel, but these have been alleviated. Afaik, given decent maintenance, there is no reason these plants cannot run indefinitely, much like hydro plants.
The steam is clean, there are no combustion gases to corrode things and the temperatures involved are modest.

The decommissioning is usually because the competition from natural gas fired plants is ferocious, plus nuclear is fighting political headwinds that are ongoing, so utilities bow to the prevailing ethos. The plants are fine, they just get turned off.

 

[LabratSR]

They were a bit short with the 'http://translate.googleusercontent.com/translate_c?depth=1&hl=en&ie=UTF8&prev=_t&rurl=translate.google.com&sl=ja&tl=en&u=http://www.tepco.co.jp/nu/fukushima-np/handouts/2013/images/handouts_131125_08-j.pdf&usg=ALkJrhiFBpb_1HiYYvv_C2VdFD80p5eGwg'...


(Sorry for linking these google-translated versions, but as the link for the original document can be extracted from these, it's the same, but at least readable...)

TEPCO has released the English version

http://www.tepco.co.jp/en/nu/fukushima-np/handouts/2013/images/handouts_131125_07-e.pdf

 

[LabratSR]

"A robot vacuum cleaner dubbed the Raccoon is to tackle contamination within Fukushima Daiichi 2 in preparation for workers re-entering the building."


http://www.world-nuclear-news.org/RS-Tepco-sends-in-the-Raccoon-2711131.html

 

[nikkkom]

No, of course not. However, if I envision a MM 9.0 earthquake and a 12 meter tsunami do I design for that? Why not a MM 9.9 earthquake and a 15 meter tsunami? I can just as well envision a 50 meter or 100 meter tsunami.

Do yourself a favor. Go, say, to Wikipedia and read about tsunamis in Japan. Write down heights and years of largest known ones.

You can easily see that 15+ meter tsunamis happen more often than once a century there.

If nuclear industry is so dumb (or greedy, or incompetent) that it can't do even such a rudimentary "research", then it can't be trusted.

 

[etudiant]

"A robot vacuum cleaner dubbed the Raccoon is to tackle contamination within Fukushima Daiichi 2 in preparation for workers re-entering the building."


http://www.world-nuclear-news.org/RS-Tepco-sends-in-the-Raccoon-2711131.html

Very interesting, but am skeptical.
The US Navy tried to decontaminate ships as early as the Crossroads tests in 1946 and found the process to be very difficult.
If it is a problem cleaning a steel hull a few days after a nuclear contamination, logic suggests that cleaning concrete floors after several years of contamination will not be easy.
Surely there is some additional practical experience that could help illuminate this issue.

 

[nikkkom]

Very interesting, but am skeptical.
The US Navy tried to decontaminate ships as early as the Crossroads tests in 1946 and found the process to be very difficult.
If it is a problem cleaning a steel hull a few days after a nuclear contamination, logic suggests that cleaning concrete floors after several years of contamination will not be easy.
Surely there is some additional practical experience that could help illuminate this issue.

TMI. Removing most contaminants from concrete walls and floors proved not just difficult, but basically impossible. The thing which more-or-less worked was to mechanically abrade the surface and recoat it with a new layer of grout.

TMI reactor unit's basement proved so difficult that it was left basically as-is, not decontaminated even today.

Full decontamination to "green field of grass" state after accidents of TMI magnitude or bigger is delisional fantasizing.

Having said that, robot can be useful in removing loosely attached dust and dirt, which contains some part of radioactivity.

 

[Rive]

Very interesting, but am skeptical.
The US Navy tried to decontaminate ships as early as the Crossroads tests in 1946 and found the process to be very difficult.
If it is a problem cleaning a steel hull a few days after a nuclear contamination, logic suggests that cleaning concrete floors after several years of contamination will not be easy.
Surely there is some additional practical experience that could help illuminate this issue.

As I recall, Russian navy had a nuclear powered submarine which were decontaminated after a nasty accident and then went on service again.

As for Fukushima: Tepco made some experiments about decontamining concrete surfaces and found, that even if it's practically impossible to completely remove the radioactive particles, with some peel-off stuff or with removing the surface it's definitely possible to effectively reduce the radiation.

There was some documents about these early experiments and also about the cleanup of some parking lot near the EQ building. I'll try find something.

 

[a.ua.]

http://iss-atom.ru/book-4/glav-1-8.htm
FEATURES decontamination CHERNOBYL
Anyone is interested, can be read using Google translator

 

[nikkkom]

The Cleanup of Three Mile Island Unit 2, A Technical History: 1979 to 1990

http://www.epri.com/abstracts/Pages/ProductAbstract.aspx?ProductId=NP-6931

 

[nikkkom]

For those who claim that only relatively few people died in nuclear accidents.

The example of how Soviets did not account for exposure of army conscripts in Chernobyl.

http://iss-atom.ru/book-4/glav-1-4.htm

Eyewitness acoount of a worker who was involved in drilling boreholes for nitrogen injection. It happened around 15 May 1986.

"In a pit 100 meters away from Unit 4 we were drilling horizontal boreholes up to 140 meter long for liquid nitrogen cooling of the burning reactor. The pit was 4 meter deep, with Japanese drill ТОР-LS made by "Tone Boring"...

Inside the pit radiation was 1.5 - 2.5 roenthgen/hour. But chunks of reactor graphite blocks were lying around the pit and radiation levels were from 40 to 400, in one spot even 800 R/h. Since our workers had to go up there too for some drilling instruments, it was raising radiation exposure. Maximum allowed dose was 25 R, anyone who took more was evacuated. We asked commander of chemical defence army unit to help with it, to reduce the number of people who had to leave because of taking the limit. He fulfilled our request very simply: soldiers came on a truck, loaded graphite chunks with bare hands, and drove away. You can imagine what dose they got doing that..."Chernobyl reactor's graphite was giving about 2000 R/h on contact. That is, 0.5 R/second.

 

[HowlerMonkey]

I've noticed that among the people who died very quickly that many died from a "piece of fuel lodged on a transformer" which was near a turbogenerator 7.

I only see reference to something like "10,000" or more as a reading but nothing on how this source was recovered.

 

[zapperzero]

I believe there is no engineering reason to shut the plant then. There had been concern about possible cumulative damage to the reactor pressure vessel, but these have been alleviated.

The uncertainties associated with annealing aside, many things which are very improbable on a 40-year timescale and were left out of the design basis, are by definition certain to happen at least once, on an infinite timescale.