Japan Shows Need for New Look at “Single Failure”

And it shows what can happen when the vital engineering dictum to avoid “single-cause failure” is ignored, or not thought through.

The single failure criterion is an accepted principal of nuclear – and other high-risk – design. When engineers analyze a design, they check at every step that a single cause cannot create a failure of both a system and its backup. Loss of electric power, for instance, cannot sideline both a pump and a backup pump. And the two cannot default to the same diesel generator or battery, or even the same type of generator or battery – the ways the backup supplies can fail have to be diverse themselves.

The plants now in crisis in Japan suffer from a major deviation from that criterion: they are almost identical. A factor that fails one can fail the others. And it has.

For operating purposes – that is, most of the time – this sameness is an advantage. Specialists can move from one plant to the next, all at the same ocean-side generating station. Spare parts can be swapped. Operators can easily be trained on multiple reactors. Things that go wrong one place can be fixed before they go wrong at the other reactors.

But that advantage has now turned into a fatal flaw. The reactors are all ranged along the seacoast, in an orderly line. The same unprecedented tsunami wave disabled all of their diesel generators – flooding the same below-grade compartments, washing away the same external fuel tanks that fueled the generators.

The identical design left these reactors identically vulnerable, and now severe radiation from any one of them could prevent operators from saving the rest.

There’s a good reason Japan crams so many reactors into single sites. Reactor sites are hard to come by, and utilities make the most of the ones that can get complex government approvals. But since the same utility builds at any given site, most sites host the same or very similar designs.

Tokyo Electric Power Co. experienced a variation on this problem in 2007 when an earthquake centered off Japan’s eastern coast shook the seven reactors at the Kashiwazaki-Kariwa station more than they were designed for. The reactors weathered the quake well, but fears about possible undetected damage and their future earthquake resistance meant the whole station, Japan’s largest at more than 8,000 megawatts, was closed for checks and precautionary backfits for nearly two years.

Tepco’s sites are the largest in Japan, and we have nothing like them in the U.S. Only three of our 62 nuclear stations have as many as three reactors, and one of those is split into two different sites run by two different owners. Many proposed new reactors are to be built at existing sites, for the same reason it’s done that way in Japan, but the new reactors being proposed are materially different designs than those built decades ago.

So far, single-failure criteria have been applied within reactors, but the Fukushima Daiichi disaster shows it is a good idea that needs to be applied in much broader way.

A major “lesson” for nuclear engineers and regulators going forward is to apply single failure criterion to an entire site – can one external disaster, be it hurricanes or tornados or earthquakes or whatever, fail all the reactors the same way? And what will it take in the way of design diversity to ensure that doesn’t happen?