Editor's Note: This is part of the IEEE Spectrum special report: Fukushima and the Future of Nuclear Power.
Sometimes it takes a disaster before we humans really figure out how to design something. In fact, sometimes it takes more than one.
Millions of people had to die on highways, for example, before governments forced auto companies to get serious about safety in the 1980s. But with nuclear power, learning by disaster has never really been an option. Or so it seemed, until officials found themselves grappling with the world's third major accident at a nuclear plant. On 11 March, a tidal wave set in motion a sequence of events that led to meltdowns in three reactors at the Fukushima Dai-ichi power station, 250 kilometers northeast of Tokyo.
Unlike the Three Mile Island accident in 1979 and Chernobyl in 1986, the chain of failures that led to disaster at Fukushima was caused by an extreme event. It was precisely the kind of occurrence that nuclear-plant designers strive to anticipate in their blueprints and emergency-response officials try to envision in their plans. The struggle to control the stricken plant, with its remarkable heroism, improvisational genius, and heartbreaking failure, will keep the experts busy for years to come. And in the end the calamity will undoubtedly improve nuclear plant design.
True, the antinuclear forces will find plenty in the Fukushima saga to bolster their arguments. The interlocked and cascading chain of mishaps seems to be a textbook validation of the "normal accidents" hypothesis developed by Charles Perrow after Three Mile Island. Perrow, a Yale University sociologist, identified the nuclear power plant as the canonical tightly coupled system, in which the occasional catastrophic failure is inevitable.
On the other hand, close study of the disaster's first 24 hours, before the cascade of failures carried reactor 1 beyond any hope of salvation, reveals clear inflection points where minor differences would have prevented events from spiraling out of control. Some of these are astonishingly simple: If the emergency generators had been installed on upper floors rather than in basements, for example, the disaster would have stopped before it began. And if workers had been able to vent gases in reactor 1 sooner, the rest of the plant's destruction might well have been averted.
The world's three major nuclear accidents had very different causes, but they have one important thing in common: In each case, the company or government agency in charge withheld critical information from the public. And in the absence of information, the panicked public began to associate all nuclear power with horror and radiation nightmares. The owner of the Fukushima plant, the Tokyo Electric Power Co. (TEPCO), has only made the situation worse by presenting the Japanese and global public with obfuscations instead of a clear-eyed accounting.
Citing a government investigation, TEPCO has steadfastly refused to make workers available for interviews and is barely answering questions about the accident. By piecing together as best we can the story of what happened during the first 24 hours, when reactor 1 was spiraling toward catastrophe, we hope to facilitate the process of learning-by-disaster.
When the 9.0-magnitude earthquake struck off the east coast of Japan, at 2:46 p.m. on 11 March, the ground beneath the power plant shook and alarms blared. In quivering control rooms, ceiling panels fell open and dust floated down onto instrument panels like snow. Within 5 seconds, control rods thrust upward into the three operational reactors and stopped the fission reactions. It was a flawless automatic shutdown, but the radioactive by-products in the reactors' fuel rods continued to generate tremendous amounts of heat.
Without adequate cooling, those rods would become hot enough to melt through the steel pressure vessel, and then through the steel containment vessel. That would result in the dreaded core-meltdown scenario, which could lead to the release of clouds of radioactivity that would be carried by winds to sicken or kill masses of people.
But the heat wouldn't be a problem so long as Fukushima Dai-ichi had power to run the pumps that circulate water from the reactor cores through heat-removal systems. The mighty earthquake had toppled power transmission towers and jumbled equipment at nearby substations, but the interruption in power to the plant was negligible: Within 10 seconds, the plant's emergency power system kicked in. Twelve diesel generators, most of them installed in basement areas below the turbines, were now responsible for the integrity of the plant's reactors—and the well-being of its workers.
At the time of the earthquake, three of the power station's six reactors were operating; the other three were down for scheduled maintenance. In the control rooms governing the active reactors—units 1, 2, and 3—the staff checked the cooling systems that remove residual heat from the reactor cores by cycling water through heat exchangers filled with seawater. Everything seemed under control. Water also filled the spent-fuel pools on the top floors of all six reactor buildings to prevent the pools from overheating.
At 2:52 p.m., the shift supervisor overseeing the plant's oldest reactor, the 40-year-old unit 1, confirmed that a backup cooling system called an isolation condenser (IC) had started up automatically. This system didn't need electric power to cycle steam through a cold-water tank on a higher floor, or to let the resulting water drop back down to the pressure vessel. But operators soon noticed that the IC was cooling the core too quickly, which could stress the steel walls of the pressure vessel. So they shut the system down. It was a by-the-book decision, but the book wasn't written for the extraordinary events of 11 March.
Tsunami alerts flashed on TV screens, predicting a 3-meter-high tsunami for Fukushima prefecture. Although the coastal Fukushima Dai-ichi plant was 10 meters above sea level, nonessential personnel followed procedure and began evacuating the site.
At 3:27 p.m. the first tsunami wave surged into the man-made harbor protecting Fukushima Dai-ichi, rushing past a tidal gauge that measured a water height of 4 meters above normal. At 3:35 another set of much higher waves rolled in and obliterated the gauge. The water rushed over the seawalls and swept toward the plant. It smashed into the seawater pumps used in the heat-removal systems, then burst open the large doors on the turbine buildings and submerged power panels that controlled the operation of pumps, valves, and other equipment. Weeks later, TEPCO employees would measure the water stains on the buildings and estimate the monstrous tsunami's height at 14 meters.
In the basements of turbine and reactor buildings, 6 of the 12 diesel generators shuddered to a halt as the floodwaters inundated them. Five other generators cut out when their power distribution panels were drenched. Only one generator, on the first floor of a building near unit 6, kept going; unlike the others, all of its equipment was above the water line. Reactor 6 and its sister unit, reactor 5, would weather the crisis without serious damage, thanks in part to that generator.
The rest of Fukushima Dai-ichi now faced a cataclysmic scenario that nuclear power plant operators have long feared but never experienced: a complete station blackout.
In the control room where operators managed reactor 1, the alarms went silent. The overhead lights blinked off, and the indicator lights on the instrument panels faded away. The floodwaters had even knocked out the control room's batteries, the power source of last resort. The operators would have to respond to the emergency without working instruments.
With the power out, the pumps were no longer channeling water from unit 1's pressure vessel through the cooling system's heat exchangers, and the ferociously hot fuel rods were boiling the water into steam. The water level in the nuclear core was dropping, but, lacking power for their instruments, the plant operators could only guess at how fast the water was boiling away.
The isolation condenser, which relied on convection and gravity to perform its cooling function, should have helped keep the water level high in unit 1's core through the crisis. But operators had turned off the system just before the tsunami by closing its valves—and there was no electric power to reopen them and let steam and water flow. Workers struggled to manually open the valves on the IC system, but experts believe the IC provided no help after the tsunami struck.
Emergency generators should be installed at high elevations or in watertight chambers.
As the operators surveyed the damage, they quickly realized that the diesel generators couldn't be salvaged and that external power wouldn't be restored anytime soon. In the plant's parking lots, workers raised car hoods, grabbed the batteries, and lugged them back to the control rooms. They found cables in storage rooms and studied diagrams. If they could connect the batteries to the instrument panels, they could at least determine the water levels in the pressure vessels.
TEPCO did have a backup for the emergency generators: power supply trucks outfitted with high-voltage dynamos. That afternoon, emergency managers at TEPCO's Tokyo headquarters sent 11 power supply trucks racing toward Fukushima Dai-ichi, 250 km away. They promptly got stuck in traffic. The roads that hadn't been damaged by the earthquake or tsunami were clogged with residents fleeing the disaster sites.
If a cooling system is intended to operate without power, make sure all of its parts can be manipulated without power.
At 4:36 p.m., TEPCO officially informed the Japanese government about the increasingly dire situation at reactor 1. The company declared that it "could not confirm" that any water was being injected into the reactor's core. The situation was better at the slightly more modern reactors 2 and 3, where emergency cooling systems were operating, driven by the steam from the reactors themselves. And the idled reactors 4, 5, and 6 didn't pose an immediate threat.
At 5:41, the sun set over the pools of seawater and the mounds of debris scattered around the power station. Work crews picked their way through the gloom by flashlight.
At around 9 p.m., operators finally plugged the car batteries they'd collected into the instrument panels and got a vital piece of information—the water level in reactor 1. The information seemed reassuring. The gauge registered a water level of 550 millimeters above the top of the fuel assembly, which, while far below normal safety standards, was enough to assure the operators that no fuel had melted yet.
But TEPCO's later analysis found that the gauges were wrong. Months later, calculations would show that the superheated water inside the reactor 1 pressure vessel had dropped all the way below the bottom of the uranium fuel rods shortly before operators checked the gauge, leaving the reactor core completely uncovered. Heat pulsed through the exposed rods. When temperatures passed 1300 °C, the fuel rods' protective zirconium cladding began to react with the steam inside the vessel, producing highly volatile hydrogen gas. And the uranium inside the fuel rods began to melt, slump, and sag.
Throughout the night of 11 March, radiation levels rose around the plant. At 9:51 p.m. managers prohibited entry into the unit 1 reactor building.
It was a wise decision, because in the bowels of the reactor, the meltdown had already begun. In the reactors used at Fukushima, the control rods thrust up into the pressure vessel from below, and the housings around each control rod's entry point were essentially weak spots. When the melted fuel began to pool at the bottom of the pressure vessel, it likely melted through those vulnerable seams. TEPCO's later analysis found that the pressure vessel was damaged by 11 p.m., allowing highly radioactive water and gases to leak into the primary containment vessel.
Keep power trucks on or very close to the power plant site.
The containment vessel, which surrounds the pressure vessel, is a crucial line of defense: It's a thick steel hull meant to hold in any tainted materials that have escaped from the inner vessel. At 11:50 p.m. operators in the control room finally connected car batteries to the pressure gauge for the primary containment vessel. But the gauge revealed that the containment vessel had already exceeded its maximum operating pressure, increasing the likelihood that it would leak, crack, or even explode.
As 11 March turned into 12 March, TEPCO headquarters told the sleepless operators that they must bring down the pressure by venting the containment vessel. A venting operation would jet the vessel's radioactive gases into the air; Fukushima Dai-ichi's nightmare would soon spread across the countryside.
That night, the desperate struggle to contain the peril at reactor 1 diverged into three responses. Besides the team making preparations to vent the containment vessel, there was also a group getting ready to receive the power supply trucks, which were still making their way to the plant. On arrival, they would supply electricity to restart the pumps and reestablish steady water circulation through the pressure vessel. The third team focused on another, short-term plan for cooling the core: fire trucks, which could inject water from emergency tanks into one of the reactor's cooling systems.
It was after midnight when the first power supply trucks began to arrive at the site, creeping along cracked roads. The trucks parked outside the unit 2 turbine building, adjacent to the troubled unit 1, where workers had found one undamaged power control panel. In the darkness, they began snaking a 200-meter-long power cable through the mud-caked building in order to connect it to the power control panel. Usually trucks are used to lay such a cable, which weighed more than a ton, but that night 40 workers did the job by hand. It took them 5 hours.
Work continued at the power control panel all morning and into the afternoon of 12 March. Finally, at 3:30 p.m., everything was ready. Current flowed from a power supply truck through the cable to the panel, which was ready to switch on the pumps for a backup cooling system inside the reactor 1 building. Workers prepared to start the flow of freshwater into the pressure vessel, knowing that they were about to take a crucial step toward stabilizing the plant.
Meanwhile, the fire engine team had been grappling with difficult logistics all through the early morning hours. Of the three fire engines on site, one had been wrecked by the tsunami; another was stuck near reactors 5 and 6, trapped by damaged roads. That left one fire engine to cool the overheating reactor 1. This truck was the best hope for getting water into the pressure vessel quickly, but it took hours to maneuver it through the plant's wreckage. Finally the workers smashed a lock on an electronic gate and drove the fire engine through.
Install independent and secure battery systems to power crucial instruments during emergencies.
In their initial, improvised response, the fire crew pumped water into the truck's storage tanks, then drove close to the side of the reactor building and injected the water into the fire protection system's intake lines. It was 5:46 a.m. on 12 March when the first drops of water sprayed across the molten fuel. Then the workers drove back to the water tanks and began the slow, arduous operation all over again. Eventually workers managed to use the fire engine's hoses to connect the water tanks directly to the intake lines and established a steady flow of water. By midafternoon, they had injected 80 000 liters of water into the pressure vessel using this makeshift system. But it was too little, too late.
At 2:54 p.m., with freshwater supplies running short, TEPCO headquarters ordered the fire truck crews to inject seawater into the pressure vessel through the fire protection line. Under normal conditions, saltwater is never allowed in a reactor pressure vessel because it would corrode the vessel's protective steel walls and leave a mineral residue on the fuel rods. The decision was an admission that saving the reactor was no longer an option and that operators could only hope to prevent a wide-scale disaster. Fukushima Dai-ichi was now beyond the point of no return.
Workers stretched long fire hoses from a seaside pit that had been filled with seawater by the tsunami; three newly arrived fire engines lined up to pump the water through. They connected the hose to the fire protection system's intake line, and around 3:30 on 12 March they prepared to blast the reactor with seawater.
It had been 24 hours since the tsunami roared into the harbor, and the desperate efforts of both the power crew and the fire truck crew were about to pay off. It must have seemed that their exhaustion and terror were nearly at an end.
The order to vent the containment vessel had come at midnight. But without power to remotely operate the vent system's valves, it wouldn't be a simple task.
And whether the workers knew it or not, time was of the essence. While the venting team prepared for action during the early morning hours of 12 March, gases were building up inside the primary containment vessel and pushing on its weakest points, its gaskets and seals, and they were starting to give. Hydrogen gas hissed through the breaches and drifted up to the top of the building. Hour by hour, the gas collected there until it formed a layer of pure combustible menace.
Ensure that catalytic hydrogen recombiners (power-free devices that turn dangerous hydrogen gas back into steam) are positioned at the tops of reactor buildings where gas would most likely collect.
The workers in charge of the venting operation took iodine tablets. It was a feeble attempt at protection against the radiation they'd soon encounter, but it was better than nothing. They gathered protective head-to-toe suits and face masks connected to air tanks. At 3:45 a.m., the vent crew tried to measure the radiation dose inside the reactor building, which had been off limits for 6 hours. Armed with handheld dosimeters, they opened the air lock, only to find a malevolent white cloud of some "gaseous substance" billowing toward them. Fearing a radiation steam bath, they slammed the door shut. They didn't get their reading, but they had a good indication that things had already gone seriously wrong inside the reactor.
If they could have looked inside the reactor pressure vessel at around 6:30 a.m. on the morning of 12 March, they would have seen a nuclear core transformed into molten sludge. The melted mixture of uranium, zirconium, and other metals had oozed to the bottom of the reactor pressure vessel, where it was gradually eating through the steel floor.
But as the morning ticked on, the vent crew were forced to sit and wait; they were standing by for word that residents had been evacuated and that it was safe to release the radioactive gases into the air. The government had issued an evacuation order for residents living within 3 km the night before; in the early morning hours officials announced that everyone within a 10 km radius of the plant should pack up and go. Residents who had lived their whole lives in the shadow of the Fukushima Dai-ichi plant boarded buses, expecting to be gone for a couple of days at most.
At 9:03 a.m. the message came: The last buses had departed. At 9:04 workers set out for the reactor building to open the valves that would allow gas to flow out of the primary containment vessel. They entered the reactor building and began a long, dark trek around the periphery of the primary containment vessel, guided only by flashlight beams. As they walked, their handheld dosimeters flashed troubling numbers. In normal conditions, a nuclear plant employee's radiation limit is 50 millisieverts per year; in an emergency situation it is 100 mSv. The workers had covered about half the distance to the valve when they realized they had to turn back—if they continued, they would exceed the 100 mSv dose. They returned to the control room at 9:30. They had failed.
Over the next hours the operators scrambled to find another way to open the valves; finally they decided to blast the valve open with air. They used a crane truck to haul a portable air compressor, the kind typically used at construction sites, to the crucial valve's location. At 2:00 p.m. the vent crew switched the compressor on, while workers in the control room nervously watched the gauge.
By 3:30 p.m. on 12 March, it seemed that the venting had worked and that the worst was over. The pressure had dropped significantly in unit 1's primary containment vessel, suggesting that the valve had opened and that gases had rushed through the pipes to the ventilation stack near the reactor building. The workers must have felt that the danger was ebbing. They had no idea that leaks from the vent lines had added even more hydrogen to the gas collected below the ceiling of unit 1's outer building—and it was now ready to blow.
At 3:36 p.m., a spark flashed in the darkness of the reactor building, and hydrogen gas ignited. With a roar, the top of the reactor building exploded.
The roof shattered and the walls splintered; fragments of the building flew through the air. Chunks of rubble cut into the cable leading from the power truck, and the flow of current stopped; now the pumps could not be turned on, and freshwater could not cascade into the core. Other pieces of debris sliced into the fire engine hoses leading from the seawater pit. Smoke billowed upward, radiation levels soared, and the workers fled Fukushima's first radioactive ruin. It wouldn't be the last: The battle to contain the catastrophe during the first 24 hours was lost, and the explosions would keep coming.
Install power-free filters on vent lines to remove radio-active materials and allow for venting that won't harm nearby residents.
The failure of reactor 1 made efforts to stabilize the other reactors exponentially more difficult: Now workers would be laboring in a radioactive hot zone littered with debris. In addition, when work crews returned to the power truck sometime after the explosion, they couldn't get the power flowing. So the disaster continued. At reactors 2 and 3, emergency cooling systems functioned for several days. When reactor 3's overtaxed system failed on 13 March, workers struggled to connect alternate water supplies and to vent the primary containment vessel. But work was slow, and soon reactor 3 followed reactor 1's example. Leaking gas collected at the top of the building, and it exploded on the morning of 14 March.
That blast further impeded recovery efforts at reactor 2, and on the morning of 15 March some still-obscure explosive noise resonated inside the unit 2 reactor building. On that same day, an explosion tore the roof off reactor building 4 and a fire broke out inside. TEPCO reports say the problems in reactor 4 were probably due to hydrogen gas that leaked in from reactor 3; despite early reports to the contrary, the spent fuel rods stored in pools in reactors 4, 5, and 6 were covered with water throughout the accident and never posed a threat.
Each detonation made the effort to stabilize the plant more hopeless. It is clear that if workers had been able to gain control of reactor 1, the whole terrible sequence of events would have been different. But could the workers have done anything differently to speed up their response? Could the full scope of the catastrophe have been averted? So far, TEPCO management hasn't answered those questions.
We've learned a great deal about the Fukushima accident in the past seven months. But the nuclear industry's trial-and-error learning process is a dreadful thing: The rare catastrophes advance the science of nuclear power but also destroy lives and render entire towns uninhabitable. Three Mile Island left the public terrified of nuclear power; Chernobyl scattered fallout across vast swaths of Eastern Europe and is estimated to have caused thousands of cancer deaths. So far, the cost of Fukushima is a dozen dead towns ringing the broken power station, more than 80 000 refugees, and a traumatized Japan. We will learn even more as TEPCO releases more details of what went wrong in the first days of the accident. But as we go forward, we will also live with the knowledge that some future catastrophe will have yet more lessons to teach us.