Japan Shows Need for New Look at “Single Failure”

And it shows what can happen when the vital engineering dictum to avoid “single-cause failure” is ignored, or not thought through.

The single failure criterion is an accepted principle of nuclear – and other high-risk – design. When engineers analyze a design, they check at every step that a single cause cannot create a failure of both a system and its backup. Loss of electric power, for instance, cannot sideline both a pump and a backup pump. And the two cannot default to the same diesel generator or battery, or even the same type of generator or battery – the ways the backup supplies can fail have to be diverse themselves.

The plants now in crisis in Japan suffer from a major deviation from that criterion: they are almost identical. A factor that fails one can fail the others. And it has.

For operating purposes – that is, most of the time – this sameness is an advantage. Specialists can move from one plant to the next, all at the same ocean-side generating station. Spare parts can be swapped. Operators can easily be trained on multiple reactors. Things that go wrong one place can be fixed before they go wrong at the other reactors.

But that advantage has now turned into a fatal flaw. The reactors are all ranged along the seacoast, in an orderly line. The same unprecedented tsunami wave disabled all of their diesel generators – flooding the same below-grade compartments, washing away the same external fuel tanks that fueled the generators.

The identical design left these reactors identically vulnerable, and now severe radiation from any one of them could prevent operators from saving the rest.

There’s a good reason Japan crams so many reactors into single sites. Reactor sites are hard to come by, and utilities make the most of the ones for which they can get complex government approvals. But since the same utility builds at any given site, most sites host the same or very similar designs.

Tokyo Electric Power Co. experienced a variation on this problem in 2007 when an earthquake centered off Japan’s eastern coast shook the seven reactors at the Kashiwazaki-Kariwa station more than they were designed for. The reactors weathered the quake well, but fears about possible undetected damage and their future earthquake resistance meant the whole station, Japan’s largest at more than 8,000 megawatts, was closed for checks and precautionary backfits for nearly two years.

Tepco’s sites are the largest in Japan, and we have nothing like them in the U.S. Only three of our 62 nuclear stations have as many as three reactors, and one of those is split into two different sites run by two different owners. Many proposed new reactors are to be built at existing sites, for the same reason it’s done that way in Japan, but the new reactors being proposed are materially different designs than those built decades ago.

So far, single-failure criteria have been applied within reactors, but the Fukushima Daiichi disaster shows it is a good idea that needs to be applied in a much broader way.

A major “lesson” for nuclear engineers and regulators going forward is to apply the single failure criterion to an entire site – can one external disaster, be it a hurricane or tornado or earthquake or whatever, fail all the reactors the same way? And what will it take in the way of design diversity to ensure that doesn’t happen?
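The check the article describes – does any single cause defeat a system and every one of its backups – can be written down and run over a model of the site. The script below is an added example, not code from the article or from any utility; the site model, the component names and the hazard names are constructed to resemble the situation described (identical units, diesel generators in below-grade rooms, external fuel tanks) and are not data about any real plant. It applies the criterion first within a unit, then across the whole site, and compares an all-identical site with one where a single unit has a diverse backup.

```python
"""Common-cause ("single failure") check over a constructed site model.

Added example, not from the original article. Every component, hazard and
unit name below is an assumption made for illustration.
"""
from typing import Dict, FrozenSet, List, Set

Component = str
Hazard = str
Train = FrozenSet[Component]   # a train works only if every component in it works
Unit = List[Train]             # a unit keeps its function if any one train works
Site = Dict[str, Unit]

# Constructed susceptibility table: which external causes disable which component.
# Redundant trains are diverse only if they share no entry here.
SUSCEPTIBLE: Dict[Component, Set[Hazard]] = {
    "offsite_grid":        {"great_earthquake_and_tsunami"},
    "diesel_A_basement":   {"great_earthquake_and_tsunami", "diesel_room_fire"},
    "diesel_B_basement":   {"great_earthquake_and_tsunami"},
    "external_fuel_tank":  {"great_earthquake_and_tsunami"},
    "gas_turbine_hilltop": {"gas_supply_loss"},
}


def all_hazards() -> Set[Hazard]:
    """Every single cause the model knows about."""
    return set().union(*SUSCEPTIBLE.values())


def failed_components(hazard: Hazard) -> Set[Component]:
    """Components that one hazard takes out at the same time."""
    return {c for c, hz in SUSCEPTIBLE.items() if hazard in hz}


def train_survives(train: Train, hazard: Hazard) -> bool:
    """A train survives if none of its components is hit."""
    return not (train & failed_components(hazard))


def unit_single_failures(unit: Unit) -> Set[Hazard]:
    """Classic criterion: hazards that defeat every redundant train of one unit."""
    return {h for h in all_hazards()
            if not any(train_survives(t, h) for t in unit)}


def site_single_failures(site: Site) -> Set[Hazard]:
    """The article's extension: hazards that defeat every unit on the site at once."""
    common = None
    for unit in site.values():
        hz = unit_single_failures(unit)
        common = hz if common is None else common & hz
    return common or set()


def identical_site() -> Site:
    """Three units with the same power lineup: the grid, or a basement diesel and its tank."""
    lineup = [
        frozenset({"offsite_grid"}),
        frozenset({"diesel_A_basement", "external_fuel_tank"}),
        frozenset({"diesel_B_basement", "external_fuel_tank"}),
    ]
    return {f"unit{i}": list(lineup) for i in (1, 2, 3)}


def diversified_site() -> Site:
    """Same site, but unit 3 swaps one basement diesel for a hill-top gas turbine."""
    site = identical_site()
    site["unit3"][2] = frozenset({"gas_turbine_hilltop"})
    return site


if __name__ == "__main__":
    for name, site in (("identical", identical_site()), ("diversified", diversified_site())):
        print(f"{name} site:")
        for unit_name, unit in site.items():
            print(f"  {unit_name}: single causes defeating all trains = "
                  f"{sorted(unit_single_failures(unit)) or 'none'}")
        print(f"  whole site defeated by: {sorted(site_single_failures(site)) or 'none'}")
```

On the identical site the one compound external event disables the grid, both basement diesels and the fuel tank, so every unit and therefore the whole site fails the check; the room fire is caught by redundancy and never appears. Diversifying a single unit does not rescue units 1 and 2, but it removes every site-wide single cause, which is exactly the distinction the article draws between per-reactor and per-site application of the criterion.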


Japan’s Real Choices

Why Nuclear Was an Option

As the situation deteriorates at Japan’s Fukushima Daiichi nuclear plant, not a few people are wondering what Japan was thinking when it turned to nuclear power. The country gets 30% of its electricity from nuclear, and aimed to make that 40%. Whatever happens to the Fukushima plant, does this mean the end of nuclear power in Japan?

Not likely, because of the options. There aren’t good ones.

Japan is energy resource poor. It’s an industrial economy – the world’s third largest, behind the U.S. and China – which must import almost all of its energy. All of its oil, all of its natural gas (as liquefied natural gas, or LNG), all of its coal, all the uranium fuel.

While the country has explored renewables, the high variability and low efficiency of current wind and solar technologies make them unworkable substitutes for fossil or nuclear, which can provide power 24/7, on demand. Nuclear was, and remains, the only real protection Japan has against the world price of fossil fuels, and the only large-scale source of non-carbon power, important for a nation that treasures the limited environment of its islands.

If you doubt that, take a quick look at what happened when word got out that several nuclear plants had been sidelined by the tsunami – well before the nuclear units went out of operator control. The LNG market spiked upward, on speculation Japan would suddenly need more and traders could get rich.

And look back to 1997, when many Asian currencies collapsed. I recall a South Korean minister saying that country’s nuclear stations had been key to keeping the lights on, because the cost of importing other fuels suddenly reached critical levels and the nation was running short on money to pay for them.

It is that harsh reality that has driven Japan’s leaders to embrace nuclear power. Nuclear carries risks, yes – but so does everything else. Responsible leaders know there are no panaceas, only balancing of risks and advantages. Nuclear looks like a bad choice now, but will a hugely increased fossil import bill look any better to Japan next year? That will depend on whether power can be restored to the Daiichi site and the crippled reactors brought under control without loss of life.

“Radiation” From Japan’s Nuclear Plants – Who’s At Risk?

It’s not who you think.

We’ve had days of headlines about unspecified “radiation” being released from two Japanese nuclear reactors as operators struggle to cool their radioactive cores. People in the area, devastated by earthquake and tsunami, are struggling without power, heat, clean water, sanitation, sufficient food – what does the addition of “radiation” mean?

So far, it has meant people have had the wits scared out of them, and little else.

As is unfortunately usual when the word “radiation” is mentioned, rational discussion of the physical facts is lost in hysteria. The people who are really at risk are the Tokyo Electric Power Co. workers struggling to bring and keep those reactors under control. They are the ones close enough to the radioactive sources to risk a dose that might affect their health, and there’s been precious little mention of them.

Every nation sets different limits for radiation exposure for the public and for workers. That’s the practice for most hazardous materials – the idea is that the public shouldn’t be exposed to the same level of risks as workers, who are paid to take more risk. But most reporting takes that public limit as the line of “safety” – below the limit, no problem; above the limit, instant radiation poisoning.

That of course is not the case. In the U.S., the annual exposure limit for radiation workers, such as nuclear plant employees, is 20 times higher than the public level, and in some circumstances up to 50 times more is allowed. (The vast majority of nuclear plant workers get nowhere near even the lower level, though they all must be continuously monitored.)

The threshold at which any physical symptoms of radiation poisoning have been detected is an exposure of 100 times the annual public limit in an hour – a very different type of exposure. The worker limit is calculated by looking at a lifetime of radiation work – an assumed 40 years – and figuring how much exposure anyone can have each year to minimize the cumulative addition to their lifetime cancer risk. The public limit is set by a decision to keep any public exposure basically the same as you or I can get if we move from Washington, DC to Denver, CO, where natural radiation is higher (with no known effects on health).

Radiation exposure, like sun tanning, depends on both time and the intensity of the source. Exposing your skin five minutes in the sun on December 25 and two hours on July 25 are extremely different exposures – but if the reporting from Japan were talking about sunburn, it would be reporting those as the same thing. They aren’t – nor are the real radiation risks today. It’s Japan’s nuclear plant workers who are up close and personal with radiation. They are risking their health to keep those plants from truly endangering the public.

Egypt and Tunisia: Population IEDs

The innovation we need most for the 21st century isn’t technology. It’s social organization that can cope with our exploding population. The society that wins won’t focus on control – it’ll focus on making every person count.

The unrest now roiling the Arab world has long been warned of, by population experts. But the whole subject of population is virtually radioactive in international circles – any diplomatic discussion of the repercussions of population increase on, say, energy use or climate, often degenerates into charges of genocide. As a result, population growth has just been there, ticking away since the world recovered from World War II. Now, those bombs are starting to go off.

Egypt, the most populous country in the Arab world, has 80 million people, a fertility rate of 3 children per woman, and has been growing at about 2% per year. For Tunisia, the numbers are 10.5 million, 1.7, and 1%. Unemployment, officially, is 10% in Egypt and 14% in Tunisia, but underemployment is a problem both places.

Both countries have literacy rates in the 70-percent range, markedly higher for men than for women. But the average education in Tunisia includes university study, and both countries have had long-term policies valuing higher education. Egypt used to guarantee a government job to university graduates, but had to give that up as the government ranks bloated.

And therein lies that population problem – lots of educated, ambitious, intelligent young people with no place to go and nothing to do. And these young people know there are alternatives – they’re tech savvy and can reach around the globe. Who is standing in the way of their dreams? The old autocrats, obviously.

Except it’s not that easy. Yes, these societies are in many ways static in their organization, and ill-prepared to manage a fundamental shift in their population’s size and ambitions. But the problems they face of usefully absorbing large numbers of educated new workers are not unique. They are also ours.

Look at the failure of U.S. society to figure out how to usefully employ 9-10% of our populace. In the last recession, it wasn’t just low-skilled workers who were affected. People in skilled, mid-life jobs found themselves on the bricks. Business is making a financial comeback, but the society is not – the disconnect between what’s good for Wall Street and what’s good for America is growing.

We can’t look to history for help. There isn’t much that’s new in the world, but 7 billion people definitely is new. And that’s how many we will have worldwide by 2020, barring some cataclysm. After World War II, we had just 4 billion. By 2000, it was 6 billion, with some 85% of the new population in less-developed countries – places like Egypt, places with the least resources if something goes wrong, places that had long supported their own populations but are now food importers. Places now vulnerable if flooding or drought or tsunamis damage world food supplies. The world population IEDs are buried everywhere.

The innovation we need most – if the U.S. is to survive as a leader in this century, but also if our interdependent world is to survive desperate struggles among populations – is innovation in social organization to cope with sheer numbers of humans and the increased complexity of survival. The raison d’etre for any society is organizing to thrive and ensure the survival of the next generation. Societies that prove unable to do this go extinct.

Using people in ways that make societies prosper is the task – and until our societies figure out how to do that better for more people, look for more IEDs ahead.


Not In Vain

Notwithstanding those inherent risks, the accident of April 20 was avoidable. It resulted from clear mistakes made in the first instance by BP, Halliburton, and Transocean, and by government officials who, relying too much on industry’s assertions of the safety of their operations, failed to create and apply a program of regulatory oversight that would have properly minimized the risks of deepwater drilling. It is now clear that both industry and government need to reassess and change business practices to minimize the risks of such drilling.
-- National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling

They didn’t have to die.

That’s the tragic bottom line. Eleven men working on the Deepwater Horizon would be alive today if the companies managing the operation had been more attuned to safety and less attuned to profit.

Anyone familiar with the concepts of safety culture management in high-tech operations will recognize virtually everything identified as going wrong in the spill commission’s report – because it’s all about fallible humans interacting with increasingly complex machinery that they, increasingly, misjudged.

Worse, we didn’t have to wait for the report – the outlines of disaster were clearly visible. Back in May, when the Macondo well was still spewing millions of gallons of oil into the Gulf of Mexico, I wrote of the investigation: “It will finger a combination of human errors – both managerial and technical, a technology pushed into unknown territory without any comprehensive analysis of the potential failures, and profit pressures propelling everyone full-steam ahead.”

But the commission took its findings a significant step forward when it concluded the faulty managerial and regulatory culture was not isolated in one or two companies, but is “systemic” in the industry.

If the deaths of those 11 men are to mean anything, that’s the Red Alert both the oil industry and its regulators need to respond to.

In the few days since the commission’s conclusions were released, we’ve heard industry representatives and defenders say the conclusions are wrong and the accident was due to a few bad actors – or that, even if the industry had gotten a bit complacent, it has seen the light, learned the lessons, and now can go back to business as usual.

Where have we heard this before? Nuclear plants, among others – where after Three Mile Island-2’s accident, the exact same sentiments were uttered – for a good dozen years. We’ve learned the lessons, we’ve seen the light, now go away, many operators in effect told regulators – and some of their peers. They spent years deluding themselves that preventing another TMI did not require fundamental change.

But some nuclear leaders knew better – they knew a true “safety culture” revolutionizes the way a company works. You don’t get it by tacking up “Safety First” posters in the break room. But it took years – and a few shutdowns of ill-managed plants, and threats of more for plants that had become money pits for their owners – before the safety culture leadership prevailed.

And they prevailed because good operators bought stinker plants and turned them into well run money-makers. Nothing like a healthy profit to convince risk-averse boards that the long view is indeed the right one.

We often hear the question, “Is this safe?” That’s a meaningless question. Safety is a process, not a status. Is a Boeing 747 safe? Is it safe with a 10-year-old in the pilot’s seat? Is it safe if the oil’s never changed? The machinery can be great – but humans can defeat the best engineering. Creating a safety culture in high-tech environments requires an unbroken chain of managers, top to bottom, who recognize that, long-term, an accident is always the most expensive option and short-term costs have to be evaluated in that context.

Safety culture involves “flattened” management – complex environments require teams, and everyone is on the safety team. Anyone who sees a condition or a practice that could endanger safety has a duty to raise it, without fear of retribution – and managers have a duty to listen.

That means investing in those workers. They need to understand the complex equipment used in the high-tech environment. On-going training becomes a part of every worker’s life – and part of his or her paid workday. Knowledgeable employees can spot something going wrong and save a company’s bottom, and its bottom line.

It also means, when an accident happens, there’s no sticking the blame on the tool-pusher on the drilling floor. Maybe he did do something wrong – but why? He wasn’t trained right or supervised right – and why not? Who failed there? Who at the next level of management failed to provide correct direction so the training and supervision would occur? And so on, up the ladder right into the corner office. In a safety culture, the top always takes ultimate responsibility.

More, in a culture of safety, managers seek that responsibility. Every near-miss is a golden opportunity to make sure it never happens again – and to lower risk for good. Learning from a precursor instead of an accident is always cheaper – as Transocean has just found out the hard way. Lessons from a near-miss on another Transocean platform just a few months earlier could have saved the Deepwater Horizon – if they’d been learned.

And an expert government regulator can be a true partner in the safety culture. Till now, the oil industry has done all it could to marginalize regulators. They’re seen as needless nuisances, just red tape. Far better to have a knowledgeable regulator who can provide intelligent feedback, actually help a company operate safely. It should be the industry, in its own long-term best interests, demanding expert, top-quality safety regulation.

But until we see that kind of turnaround in industry attitudes, we can be confident – this tragedy’s lessons haven’t been learned, risks haven’t been lowered, and the president’s commission is right: it can happen again.

And next time, how many more will die needlessly?