Machinery Safety 101

The events unfold­ing at Japan’s Fukushima Dai Ichi Nuclear Power plant are a case study in ways that the risk assess­ment process can fail or be abused. In an arti­cle pub­lished on Bloomberg​.com, Jason Clenfield item­izes decades of fraud and fail­ures in engi­neer­ing and admin­is­tra­tion that have led to the cat­a­strophic fail­ure of four of six reac­tors at the 40-​​year-​​old Fukushima plant. Clenfield’s arti­cle, ‘Disaster Caps Faked Reports’, goes on to cover sim­i­lar fail­ures in the Japanese nuclear sector.

Most peo­ple believe that the more seri­ous the pub­lic dan­ger, the more care­fully the risks are con­sid­ered in the design and exe­cu­tion of projects like the Fukushima plant. Clenfield’s arti­cle points to fail­ures by a num­ber of major inter­na­tional busi­nesses involved in the design and man­u­fac­ture of com­po­nents for these reac­tors that may have con­tributed to the cat­a­stro­phe play­ing out in Japan. In some cases, the cor­rect actions could have bank­rupted the com­pa­nies involved, so rather than risk finan­cial fail­ure, these fail­ures were cov­ered up and the work­ers involved rewarded for their efforts. As you will see, some­times the degree of care that we have a right to expect is not the level of care that is used.

How does this relate to the fail­ure and abuse of the risk assess­ment process? Read on!

Risk Assessment Failures

The Fukushima Dai Ichi nuclear plant was con­structed in the late 1960’s and early 1970’s, with Reactor #1 going on-​​line in 1971. The reac­tors at this facil­ity use ‘active cool­ing’, requir­ing elec­tri­cally pow­ered cool­ing pumps to run con­tin­u­ously to keep the core tem­per­a­tures in the nor­mal oper­at­ing range. As you will have seen in recent news reports, the plant is located on the shore, draw­ing water directly from the Pacific Ocean.

Learn more about Boiling Water Reactors used at Fukushima.

Read IEEE Spectrum’s “24-​​Hours at Fukushima”, a blow-​​by-​​blow account of the first 24 hours of the disaster.

Japan is located along one of the most active fault lines in the world, with plate sub­duc­tion rates exceed­ing 90 mm/​year. Earthquakes are so com­mon­place in this area that the Japanese peo­ple con­sider Japan to be the ‘land of earth­quakes’, start­ing earth­quake safety train­ing in kindergarten.

Japan is the county that cre­ated the word ‘tsunami’ because the effects of sub-​​sea earth­quakes often include large waves that swamp the shore­line. These waves affect all coun­tries bor­der­ing the worlds oceans, but are espe­cially preva­lent where strong earth­quakes are frequent.

In this envi­ron­ment it would be rea­son­able to expect that con­sid­er­a­tion of earth­quake and tsunami effects would merit the high­est con­sid­er­a­tion when assess­ing the risks related to these haz­ards. Remembering that risk is a func­tion of sever­ity of con­se­quence and prob­a­bil­ity, the risk assessed from earth­quake and tsunami should have been crit­i­cal. Loss of cool­ing can result in the cat­a­strophic over­heat­ing of the reac­tor core, poten­tially lead­ing to a core meltdown.

The Fukushima Dai Ichi plant was designed to with­stand 5.7 m tsunami waves, even though a 6.4 m wave had hit the shore close by 10 years before the plant went on-​​line. The wave gen­er­ated by the recent earth­quake was 7 m. Although the plant was not washed away by the tsunami, the wave cre­ated another problem.

Now con­sider that the reac­tors require con­stant forced cool­ing using elec­tri­cally pow­ered pumps. The backup gen­er­a­tors installed to ensure that cool­ing pumps remain oper­a­tional even if the mains power to the plant is lost, are installed in a base­ment sub­ject to flood­ing. When the tsunami hit the sea­wall and spilled over the top, the flood­wa­ters poured into the backup gen­er­a­tor room, knock­ing out the diesel backup gen­er­a­tors. The cool­ing sys­tem stopped. With no power to run the pumps, the reac­tor cores began to over­heat. Although the reac­tors sur­vived the earth­quakes and the tsunami, with­out power to run the pumps the plant was in trouble.

Learn more about the accident.

Clearly there was a fail­ure of rea­son when assess­ing the risks related the loss of cool­ing capa­bil­ity in these reac­tors. With sys­tems that are mis­sion crit­i­cal in the way that these sys­tems are, mul­ti­ple lev­els of redun­dancy beyond a sin­gle backup sys­tem are often the min­i­mum required.

In another plant in Japan, a sec­tion of pip­ing car­ry­ing super­heated steam from the reac­tor to the tur­bines rup­tured injur­ing a num­ber of work­ers. The pipe was installed when the plant was new and had never been inspected since instal­la­tion because it was left off the safety inspec­tion check­list. This is an exam­ple of a fail­ure that resulted from blindly fol­low­ing a check­list with­out look­ing at the larger pic­ture. There can be no doubt that some­one at the plant noticed that other pipe sec­tions were inspected reg­u­larly, but that this par­tic­u­lar sec­tion was skipped, yet no changes in the process resulted.

Here again, the risk was not rec­og­nized even though it was clearly under­stood with respect to other sec­tions of pipe in the same plant.

In another sit­u­a­tion at a nuclear plant in Japan, drains inside the con­tain­ment area of a reac­tor were not plugged at the end of the instal­la­tion process. As a result, a small spill of radioac­tive water was released into the sea instead of being prop­erly con­tained and cleaned up. The risk was well under­stood, but the con­trol pro­ce­dure for this risk was not implemented.

Finally, the Kashiwazaki Kariwa plant was con­structed along a major fault line. The design­ers used fig­ures for the max­i­mum seis­mic accel­er­a­tion that were three times lower than the accel­er­a­tions that could be cre­ated by the fault. Regulators per­mit­ted the plant to be built even though the rel­a­tive weak­ness of the design was known.

Failure Modes

I believe that there are a num­ber of rea­sons why these kinds of fail­ures occur.

People have a dif­fi­cult time appre­ci­at­ing the mean­ing of prob­a­bil­ity. Probability is a key fac­tor in deter­min­ing the degree of risk from any haz­ard, yet when fig­ures like ‘1 in 1000′ or ‘1 x 10^–5 occur­rences per year’ are dis­cussed, it’s hard for peo­ple to truly grasp what these num­bers mean. Likewise, when more sub­jec­tive scales are used it can be dif­fi­cult to really under­stand what ‘likely’ or ‘rarely’ actu­ally mean.

Consequently, even in cases where the sever­ity may be very high, the risk related to a par­tic­u­lar haz­ard may be neglected because the risk is deemed to be low because the prob­a­bil­ity seems to be low.

When prob­a­bil­ity is dis­cussed in terms of time, a fig­ure like ‘1 x 10^–5 occur­rences per year’ can make the chance of an occur­rence seem dis­tant, and there­fore less of a concern.

Most risk assess­ment approaches deal with haz­ards singly. This is done to sim­plify the assess­ment process, but the prob­lem that can result from this approach is the effect that mul­ti­ple fail­ures can cre­ate, or that cas­cad­ing fail­ures can cre­ate. In a mul­ti­ple fail­ure con­di­tion, sev­eral pro­tec­tive mea­sures fail simul­ta­ne­ously from a sin­gle cause (some­times called Common Cause Failure). In this case, back-​​up mea­sures may fail from the same cause, result­ing in no pro­tec­tion from the hazard.

In a cas­cad­ing fail­ure, an ini­tial fail­ure is fol­lowed by a series of fail­ures result­ing in the par­tial or com­plete loss of the pro­tec­tive mea­sures, result­ing in par­tial or com­plete expo­sure to the haz­ard. Reasonably fore­see­able com­bi­na­tions of fail­ure modes in mis­sion crit­i­cal sys­tems must be con­sid­ered and the prob­a­bil­ity of each estimated.

Combination of haz­ards can result in syn­ergy between the haz­ards result­ing in a higher level of sever­ity from the com­bi­na­tion than is present from any one of the haz­ards taken singly. Reasonably fore­see­able com­bi­na­tions of haz­ards and their poten­tial syn­er­gies must be iden­ti­fied and the risk estimated.

Oversimplification of the haz­ard iden­ti­fi­ca­tion and analy­sis processes can result in over­look­ing haz­ards or under­es­ti­mat­ing the risk.

Thinking about the Fukushima Dai Ichi plant again, the com­bi­na­tion of the effects of the earth­quake on the plant, with the added impact of the tsunami wave, resulted in the loss of pri­mary power to the plant fol­lowed by the loss of backup power from the backup gen­er­a­tors, and the sub­se­quent par­tial melt­downs and explo­sions at the plant. This com­bi­na­tion of earth­quake and tsunami was well known, not some ‘unimag­in­able’ or ‘unfore­see­able’ sit­u­a­tion. When con­duct­ing risk assess­ments, all rea­son­ably fore­see­able com­bi­na­tions of haz­ards must be considered.

Abuse and neglect

The risk assess­ment process is sub­ject to abuse and neglect. Risk assess­ment has been used by some as a means to jus­tify expos­ing work­ers and the pub­lic to risks that should not have been per­mit­ted. Skewing the results of the risk assess­ment, either by under­es­ti­mat­ing the risk ini­tially, or by over­es­ti­mat­ing the effec­tive­ness and reli­a­bil­ity of con­trol mea­sures can lead to this sit­u­a­tion. Decisions relat­ing to the ‘tol­er­a­bil­ity’ or the ‘accept­abil­ity’ of risks when the sever­ity of the poten­tial con­se­quences are high should be approached with great cau­tion. In my opin­ion, unless you are per­son­ally will­ing to take the risk you are propos­ing to accept, it can­not be con­sid­ered either tol­er­a­ble or accept­able, regard­less of the legal lim­its that may exist.

In the case of the Japanese nuclear plants, the oper­a­tors have pub­licly admit­ted to fal­si­fy­ing inspec­tion and repair records, some of which have resulted in acci­dents and fatalities.

In 1990, the US Nuclear Regulatory Commission wrote a report on the Fukushima Dai Ichi plant that pre­dicted the exact sce­nario that resulted in the cur­rent cri­sis. These find­ings were shared with the Japanese author­i­ties and the oper­a­tors, but no one in a posi­tion of author­ity took the find­ings seri­ously enough to do any­thing. Relatively sim­ple and low-​​cost pro­tec­tive mea­sures, like increas­ing the height of the pro­tec­tive sea wall along the coast­line and mov­ing the backup gen­er­a­tors to high ground could have pre­vented a national cat­a­stro­phe and the com­plete loss of the plant.

A Useful Tool

Despite these human fail­ings, I believe that risk assess­ment is an impor­tant tool. Increasingly sophis­ti­cated tech­nol­ogy has ren­dered ‘com­mon sense’ use­less in many cases, because peo­ple do not have the exper­tise to have any com­mon sense about the haz­ards related to these technologies.

Where haz­ards are well under­stood, they should be con­trolled with the sim­plest, most direct and effec­tive mea­sures avail­able. In many cases this can be done by the peo­ple who first iden­tify the hazard.

Where haz­ards are not well under­stood, bring­ing in experts with the knowl­edge to assess the risk and imple­ment appro­pri­ate pro­tec­tive mea­sures is the right approach.

The com­mon aspect in all of this is the iden­ti­fi­ca­tion of haz­ards and the appli­ca­tion of some sort of con­trol mea­sures. Risk assess­ment should not be neglected sim­ply because it is some­times dif­fi­cult, or it can be done poorly, or the results neglected or ignored. We need to improve what we do with the results of these efforts, rather than neglect to do them at all.

In the mean time, the Japanese, and the world, have some cleanup to do.

Copyright secured by Digiprove © 2012Some Rights Reserved