Fukushima: The Story of a Nuclear Disaster (2015)
ANOTHER MARCH, ANOTHER NATION, ANOTHER MELTDOWN
The March 2011 disaster at Fukushima Daiichi recalled another early spring meltdown more than three decades earlier. In March 1979, the Unit 2 reactor core at the Three Mile Island nuclear plant south of Harrisburg, Pennsylvania, suffered a partial meltdown as operators struggled over several days to establish control. The Three Mile Island accident proved much less serious than the crisis at Fukushima Daiichi, but the disasters shared much in common: design inadequacies, equipment failure, and human shortcomings. These led to inadequate cooling of the reactor cores with ensuing meltdowns, hydrogen explosions, releases of radioactivity to the air and water, and evacuations of more than one hundred thousand nearby residents.
There were also notable differences. Three Mile Island Unit 2 was a pressurized water reactor, unlike the boiling water reactors at Fukushima. Three Mile Island was precipitated by an “internal event” in industry parlance, in contrast to the “external” seismic and flooding events at Fukushima. And the challenges at Fukushima Daiichi were far more extreme, not only because of the greater scale of the crisis involving multiple reactors but because the operators had to cope with a sustained total loss of electrical power and the inability to obtain needed supplies because of damaged roads. The more extreme conditions led to a far worse outcome.
But the negligent regulatory and industrial practices that paved the way for both accidents were strikingly similar. The nuclear establishment worldwide had thirty-two years to learn from the mistakes of Three Mile Island and to find ways to avoid repeating them. Was the stage set for another disaster because Three Mile Island’s lessons were forgotten?
The short answers are both no and yes. Many of the mistakes that contributed to Three Mile Island were identified after the accident and addressed in a series of regulatory reforms, with varying degrees of effectiveness. In the United States, control room instrumentation was improved, reactor core cooling and containment isolation systems were enhanced, operator training was intensified, and emergency preparedness drills were beefed up. A number of these reforms were adopted elsewhere in the world. But some critical factors that contributed to the Three Mile Island accident were swept under the rug by regulators both in the United States and abroad. These unlearned lessons remained unheeded three decades later when the waves bore down on Fukushima. Both accidents followed from one common and dangerous belief: that an accident like Three Mile Island, or Fukushima Daiichi, just could not happen.
The March 28, 1979, accident at Three Mile Island began when a pump in the system providing cooling water to the Unit 2 steam generators unexpectedly stopped running, for reasons never determined. That triggered a series of events that caused the reactor to shut down automatically from nearly full power. It was the thirteenth time in a year that problems in this cooling system had forced a shutdown. In the push to restart the reactor and resume generating profitable electricity, nobody had gotten to the root of the problem. This time, luck ran out: a combination of equipment malfunctions, worker miscues, and design flaws transformed warning flags into disaster.
When the accident began at 4:01 a.m., Unit 2 was just thirty-six minutes shy of its first birthday. The reactor was a Babcock & Wilcox pressurized water design, capable of generating about nine hundred megawatts of electricity. Three Mile Island’s owner, Metropolitan Edison Company, was a small utility with little nuclear operating experience.
In a pressurized water reactor, the cooling water that flows through the core is maintained at a pressure high enough to keep it from boiling. To control the pressure, the reactor vessel is connected to a tank known as a pressurizer, which is normally about half filled with water and half with steam. The operators can heat the contents to increase steam pressure at the core, or they can add cooler water to achieve the reverse. Operators at Three Mile Island had been taught to make sure that the pressurizer never filled completely with water, a condition known as going solid, because then they might lose control of the reactor vessel pressure.
Seconds after Unit 2 shut down, three standby emergency pumps automatically started to restore the cooling water flow and resume the removal of heat through the steam generators. But a valve that had been closed for maintenance work two days earlier remained closed for reasons still unknown, blocking the needed water. The operators failed to notice the closed valve for eight minutes.
Absent heat removal by the new coolant, the temperature and pressure of the water inside the reactor vessel began to climb. The rising pressure caused a relief valve atop the pressurizer to open and discharge water to a collection tank in the containment building. Because the reactor had shut down, it was generating significantly less heat than usual. That, along with the open relief valve, allowed the pressure in the reactor vessel to drop below the point at which the valve was supposed to automatically close. But the valve stuck open, and cooling water kept flowing out of the vessel. Operators believed the valve had closed, however, because the indicator light on the control panel went off.
On March 28, 1979, a pump providing cooling water to the Unit 2 reactor at the Three Mile Island nuclear plant south of Harrisburg, Pennsylvania, stopped. It was the thirteenth time problems in this system had forced a shutdown of the year-old reactor. Small quantities of radiation escaped and concerns grew about a hydrogen explosion. Over the next several days tens of thousands of Pennsylvanians fled for their safety. U.S. Nuclear Regulatory Commission
This was not a scenario without precedent. In September 1977 at the Davis-Besse Nuclear Power Station near Toledo, Ohio, a sister plant to Three Mile Island, the relief valve had stuck open under eerily similar circumstances. There was one notable difference: the Ohio reactor was operating then at a much lower power level, giving the operators more time to diagnose the problem and correct it. Unfortunately, information about that near miss was not shared with workers at the eight other reactors of similar design then operating, including Three Mile Island, or at five then under construction. The operators at Davis-Besse had failed to notice the stuck-open relief valve for about twenty minutes; at Three Mile Island it went unnoticed for more than two hours.
During this period, the open valve discharged tens of thousands of gallons of cooling water from the reactor vessel—more than half of what it held. Worse still, the operators were unaware of this because they had no means of directly observing the water level in the reactor vessel. Odd as it may seem, there was no simple gauge. Instead, they relied on the water level in the pressurizer, which was showing the amount to be rising. Something unexpected was happening to mislead them: the stuck-open valve had reduced pressure far enough that the water in the core could now boil and form steam bubbles. Much like what happens when the cap is removed from a bottle of soda that has been shaken, the expanding steam bubbles were causing the volume of the coolant to increase, forcing the pressurizer level upward even though the amount of water was decreasing.
Another set of standby emergency pumps had automatically started and were providing makeup water to the reactor vessel. This measure commonly occurred following a reactor shutdown as the rapid drop in power lowered the pressure and temperature of the water in the primary loop, causing its volume to decrease or “shrink.” But the misleading water-level indication tricked the operators into thinking the pressurizer was in danger of overfilling and going solid. They turned the emergency pumps off and opened valves to drain even more water from the reactor vessel.
Design weaknesses further impaired the operators’ response to the unfolding calamity. The control room computer dutifully printed out alarms and warnings, but the backlog of abnormal conditions grew so large that the printer fell more than two hours behind, jamming at one point and losing critical information. Within minutes of the start of the accident, one hundred alarms were sounding in the control room, adding to the operators’ stress but providing little useful information.
The design also failed to anticipate the magnitude of the event unfolding at Three Mile Island. Radiation detectors had been installed throughout the plant; however, many of them were scaled for relatively low radiation levels. As the reactor core experienced damage, the dials on these detectors moved as high as they could go, unable to provide any useful data as radiation continued to climb. Detection of the rising radiation would have helped the operators to diagnose what was happening and to see if their efforts were working. Instead, the off-scale instruments merely told the operators they had a problem—hardly news by then.
While the barrage of unreliable information impaired the operators’ ability to respond, an information vacuum hindered responses outside the plant. State and federal officials knew early on that there was trouble at Three Mile Island, but limited technology stymied their efforts to learn more. No computer links provided off-site officials with real-time data on plant conditions. Instead, they got strobe-light glimpses into the situation: a reactor pressure reading from twenty-five minutes ago, a core temperature value from ten minutes ago, and radiation levels from two minutes ago. It was like assembling a jigsaw puzzle using pieces from a dozen different puzzles. The dearth of reliable information prompted NRC chairman Joseph Hendrie to remark that he and Pennsylvania governor Richard Thornburgh were “like a couple of blind men staggering around making decisions” (prompting a strong rebuke from the National Federation of the Blind for reinforcing stereotypes).
Approximately two hours after the shutdown, the water level inside the reactor vessel dropped far enough to expose portions of the nuclear fuel rods. Some of the fuel overheated and began to melt. Its zirconium alloy cladding reacted with water to produce large quantities of hydrogen gas; some of the gas flowed through the stuck-open relief valve into the containment building. Molten fuel flowed like lava to the bottom of the reactor vessel, where it began burning through the six-inch-thick metal walls. Fortuitously, workers finally noticed that the relief valve had stuck open and closed another valve to stop the loss of cooling water.
But they found themselves struggling to replace the lost water and to restore forced cooling of the damaged core. The high pressure and the hydrogen bubbles now occupying the reactor vessel thwarted efforts to pump more water in. Finally, after several attempts and many hours, operators were able to depressurize the primary system enough to restart a coolant pump and refill the reactor vessel. They were too late to prevent about half the core from melting but in time to stop it from burning all the way through the bottom of the vessel and spilling onto the containment floor.
Around ten hours after the accident began, there was a pressure spike in the containment building—a hydrogen explosion had occurred. Fortunately, the spike was not strong enough to rupture the massive steel-and-concrete building, which retained most of the radioactivity released from the partially melted core. But radioactive material found other ways to get out.
The operators, fooled into thinking the system had too much water, had opened valves to drain more of it away. That water carried more and more radioactivity as the reactor core overheated and melted. As it moved toward four collection tanks, the water temperature and pressure decreased as it naturally cooled down, and radioactive gases dissolved in the water bubbled free. Vent lines connected the four tanks to two waste gas decay tanks. To keep the drain pathway open, the operators periodically discharged the contents of these two tanks to the atmosphere, and the radioactivity traveled along. In addition, some of the equipment leaked radioactivity into the auxiliary building, from which it later escaped outside.
The venting and other flow paths reportedly released 10 million curies of radioactivity into the air, nearly all in the form of the noble gases xenon-133 and krypton-85. (TEPCO currently estimates that Fukushima Daiichi released about 13.5 million curies of noble gases and about the same amount of iodine-131, along with about half a million curies of highly radioactive cesium isotopes. Compared with the noble gases, radioactive iodine and cesium are much more significant contributors to long-term health effects.)
It took about a month for the reactor core to become reasonably stable with its water temperature below 212°F, the boiling point. It took nearly a year for workers to be able to enter the highly radioactive containment building to ascertain the extent of the damage. It took more than a decade, and $973 million, to clean up the accident. Japanese companies and government agencies contributed $18 million and forty engineers to the cleanup effort. In about 150 minutes, a billion-dollar asset became a billion-dollar liability.
Well before that March day in 1979, American public opinion was deeply divided about nuclear power, given its safety concerns and cost overruns. The 1970s had seen a rise in protests in general, and nuclear energy triggered its own rallies. Although few Americans understood the technology, many knew it could be dangerous, and some objected loudly to its use. But by and large, even for those carrying “No Nukes” signs, the risks of nuclear power remained an abstract concept. Now, that would change.
At about 8:00 a.m. on March 28, the traffic reporter for radio station WKBO in Harrisburg, Pennsylvania, heard on his car’s CB scanner that police and firefighters were mobilizing in Middletown, the river community that is home to the Three Mile Island plant. WKBO’s news director telephoned Three Mile Island and was connected directly to the reactor’s control room. “I can’t talk now, we’ve got a problem,” the control room operator told the newsman, and referred his caller to the plant’s owner, Metropolitan Edison Company, in Reading, Pennsylvania.
There, a spokesman for Met Ed, as the company was known locally, confirmed that a general emergency had been declared but dismissed it as a “red tape” type of thing required by the NRC when certain conditions existed. At 8:25 a.m. WKBO broadcast news of problems at the plant, relying on the utility’s explanation.
A short time later, Met Ed issued a brief press release: “At 4:00 a.m. Wednesday, the reactor at Three Mile Island Unit 2 was automatically tripped and shut down due to a mechanical malfunction in the system. . . . The reactor is being cooled according to design by the reactor coolant system and should be cooled by the end of the day. There is no danger of [a] meltdown.” Soon afterward, teletypes clattered in newsrooms around the United States with a short dispatch from the Associated Press: the Pennsylvania State Police had been advised of a general emergency at the Three Mile Island nuclear plant. There had been “no radiation leak,” but Met Ed officials had asked for a state police helicopter to “carry a monitoring team.”
In fact, by 8:00 a.m. it was clear to Three Mile Island’s station manager that Unit 2 had suffered some fuel damage, based on radiation readings in the containment building. By 9:00 a.m., NRC headquarters in Washington had been alerted. Fifteen minutes later, the White House was notified—precisely the same moment that a Boston radio station reporter called the mayor of Harrisburg to ask what the city was doing about the nuclear emergency. “What emergency?” asked a stunned Mayor Paul Doutrich.
Flawed and disingenuous communication continued as hundreds of reporters from around the globe descended on tiny Middletown to record the unprecedented accident. From the outset, the journalists found that messages from the authorities were frequently at odds with each other or so cryptic as to be indecipherable. If nervous Pennsylvanians were looking for guidance, it wasn’t coming from those in charge—at least in the first days. “The response to the emergency was dominated by an atmosphere of almost total confusion,” concluded the President’s Commission on the Accident at Three Mile Island, also known as the Kemeny Commission, in its report seven months later.
No one seemed to know what was happening or how to respond. That included state officials, who were charged with emergency preparedness; the NRC, which was assessing the accident from three different offices and eventually from the scene; and Met Ed, with officials issuing statements at the plant site, as well as in Reading, and from the New Jersey home of its parent company, General Public Utilities Corporation.
Very quickly, distrust colored nearly every exchange. At an 11:00 a.m. news conference the first morning, Lieutenant Governor William Scranton III told reporters Met Ed had assured him that “everything is under control.” Even as he was speaking, however, Met Ed was venting steam containing radioactivity from the plant. Later that afternoon Scranton would tell reporters: “The situation is more complex than the company first led us to believe.”
For the NRC, the telephone was the prime means of communication, but there was no dedicated line between regulators and the control room. Thus the commission had to deal in the first days with a frustratingly incomplete picture (something that might have felt familiar to the White Flint staffers hungry for information from Japanese officials three decades later). The NRC’s public affairs staff was swamped by media calls; staff members often had no updated information to provide. As for Met Ed, the utility’s public relations team had very little technical expertise, and the executives put forth to brief reporters soon lost credibility not only with the media but also with state and NRC officials.1
As the lack of reliable information stoked public fears, the NRC dispatched to the scene Harold Denton, director of the Office of Nuclear Reactor Regulation, who became the point man for the commission. Denton was handed the task of briefing President Jimmy Carter, the NRC commissioners and staff, and the hordes of media who assembled late each afternoon for a news briefing on the accident.
For many of Three Mile Island’s neighbors—as for the frightened residents living around Fukushima Daiichi thirty-two years later—the uppermost concern was the threat of a radiation release, large or small. If Three Mile Island was venting radioactivity, how safe were they? It was all too apparent that the reason answers were difficult to come by was that the experts were asking the same questions themselves.
By Thursday morning, March 29, the information trickling out of Three Mile Island prompted officials in Harrisburg to raise the possibility of an evacuation, which would be the state’s call. Less than twenty-four hours later, Governor Thornburgh recommended that children and pregnant women living within a five-mile radius of Three Mile Island evacuate and that schools be closed. Federal and state experts were divided on the need for such drastic action, but Thornburgh wasn’t willing to take chances, fearing further radiation releases.
News of the Three Mile Island accident spread around the globe, and hundreds of reporters gathered to cover the story. Afternoon media briefings were conducted by the NRC’s Harold Denton (lower left at microphones), who had been dispatched to the scene to provide updates to the media, the NRC, and President Jimmy Carter. U.S. Nuclear Regulatory Commission
It was the first unequivocal directive delivered to a population craving guidance. All told, nearly 150,000 people, regardless of age or gender, piled into cars and fled, eager to put distance between themselves and the troubled reactor.
Some have called Three Mile Island the most studied accident in U.S. history, at least up to that time. Two weeks after the accident, President Carter appointed the Kemeny Commission to investigate the accident’s causes and recommend ways to prevent recurrence. The U.S. Senate conducted its own investigation. The NRC conducted several investigations. The U.S. nuclear industry held its own Three Mile Island postmortem. The various examiners generally agreed that the accident largely resulted from safety studies and reviews that focused too narrowly on nuclear plant designs and hardware and not sufficiently on the human part of the safety equation.
Some of the most damning language came from the twelve-member commission chaired by Dartmouth College president John G. Kemeny. The Kemeny Commission issued a blunt report in October 1979 after an intensive six-month investigation.
“[T]he fundamental problems are people-related problems and not equipment problems,” the commission wrote. “[W]herever we looked, we found problems with the human beings who operate the plant, with the management that runs the key organization, and with the agency that is charged with assuring the safety of nuclear power plants.” The commission also pointed a finger at “the failure of organizations to learn the proper lessons from previous incidents.” As a result, “we are convinced,” the commission wrote, “that an accident like Three Mile Island was eventually inevitable.”
At the heart of the problem, the report said, was a pervasive attitude that nuclear power was already so safe that there was no need to consider extra precautions. The Kemeny Commission urged that “this attitude . . . be changed to one that says nuclear power is by its very nature potentially dangerous, and, therefore, one must continually question whether the safeguards already in place are sufficient to prevent major accidents.”
The nuclear industry was uncowed by these conclusions. Instead, it trumpeted another finding from the report: “[I]n spite of serious damage to the plant, most of the radiation was contained and the actual release will have a negligible effect on the physical health of individuals.” In the decades to follow, nuclear power supporters would rally behind this statement and repeat the shibboleth “Nobody died at Three Mile Island.” This would become a huge stumbling block to comprehensive safety reform.
Still, the many investigations did result in some chipping around the edges. Among the reforms resulting from the Three Mile Island accident were enhanced training requirements for plant workers, changes in emergency response procedures, and improvements in control room instrumentation. Control room operators now spend about 10 percent of their time reviewing changes to plant procedures and refreshing their skills on full-scale simulators. Prior to Three Mile Island, plant operators typically were required to diagnose what had happened and why before they could invoke the proper response procedure. After Three Mile Island, the operators were allowed to take certain steps to counter a developing problem before ascertaining its cause. Control panels were reconfigured and on/off switches were placed near relevant gauges so an operator could quickly verify the effect of using them.
In addition, the NRC took new steps to collect and share information about problems occurring at nuclear plants. Over the years since Three Mile Island, the commission has issued thousands of notices to plant owners about design, maintenance, and operating problems encountered at reactors. Early on the NRC went further, creating the Office for the Analysis and Evaluation of Operational Data (AEOD) to formally review reports and spotlight emerging adverse trends. (The NRC disbanded the AEOD in the mid-1990s as a budget-cutting measure.)
Three Mile Island’s lessons also led to changes in the nuclear industry’s safety philosophy. In the 1970s, plant owners often applied Band-Aid fixes to equipment problems so reactors could quickly restart—even if it meant the problems would soon recur. But nuclear reactors aren’t yo-yos, and cycling them on and off is neither wise nor cost-effective. Once companies acknowledged that, they paid more attention to finding and fixing problems that triggered reactor shutdowns, such as the recurring issues at Three Mile Island that had preceded the accident.
Today, U.S. nuclear plants operate on average at about a 90 percent capacity factor, meaning that they are almost always producing electricity, except when they are shut down for refueling, which occurs every eighteen to twenty-four months.
One direct response to Three Mile Island by the U.S. nuclear industry was the creation of the Institute of Nuclear Power Operations. Among other things, INPO functions as an information clearinghouse for the industry—and to some degree as a shadow regulator.
The déjà vu sequence of events that led to the Three Mile Island accident eighteen months after a similar occurrence at Davis-Besse was not unique. In the 1970s, nuclear utilities shared little information with each other. Companies were needlessly vulnerable to common problems because of a lack of real-time communication about operating glitches and equipment malfunctions. Now, INPO requires plant owners to share good and bad practices. The goal is to enable everyone to learn from a mistake or malfunction without necessarily having to experience it firsthand.
INPO also established standards of excellence and periodically evaluates each nuclear plant against those standards. But the sharing only goes so far. The INPO assessment reports are among the most closely guarded nuclear industry secrets in the United States. Not even the NRC gets a copy. The nuclear industry defends this secrecy on the grounds that the assessments can be brutally frank—benefits apparently missing from publicly available (and often unjustifiably tame) NRC assessment reports.
In 1993, the public interest group Public Citizen obtained confidential INPO safety reports for all U.S. nuclear plants and compared them with the assessments prepared by the NRC over the same period. Of 463 problems cited by INPO at fifty-six plants, only about a third showed up as matters of concern in the NRC’s reports. INPO identified 185 specific plant problems the NRC reviews did not address, and in 115 cases the NRC praised plant performance that INPO had red flagged. A spokesman for the nuclear industry explained the differences: “The NRC’s mission is to regulate the industry. INPO’s mission is to be painfully candid . . . come into a plant and lay it bare.”
Another downside of the secrecy—beyond hiding a useful yardstick for the NRC’s own inspection performance—is that the public never knows to what extent nuclear utilities implement INPO’s recommendations to fix problems.
The Three Mile Island accident also prompted the NRC to upgrade its requirements for preparing the public for nuclear plant emergencies. There had never before been a radiation release significant enough to warrant advising nearby residents to evacuate. Now, government officials—and people living near nuclear plants—were alerted to the issue.
In 1980, the NRC required that plant owners draw up evacuation plans for the public within ten miles of each plant. (Compare that with the NRC’s recommendation that U.S. citizens within fifty miles of Fukushima be advised to leave.) It also mandated that biennial emergency exercises be conducted at each nuclear plant site. During the exercise, a plant accident is simulated and the Federal Emergency Management Agency evaluates the steps local, state, and federal officials take to protect the public from radiation. In parallel, the NRC evaluates how well plant workers respond to the simulated accident and work with off-site officials.
The biennial exercises are better than nothing, but not by much. In the simulation, winds are assumed to blow in only one direction, conveniently but unrealistically limiting the number of people in harm’s way. The evacuations are only simulated, so there is no way to tell if the complicated logistics of evacuating all homes, businesses, schools, hospitals, and prisons could be successfully carried out. Instead, the exercises merely verify that officials have the right phone numbers and contractual agreements for the buses to carry evacuees and the hospitals to treat the injured and contaminated.
These exercises only provide an illusion of adequate preparation. As the Fukushima experience painfully demonstrated, rapidly moving people out of harm’s way in the midst of a nuclear crisis is exceedingly difficult, yet critical.
Although the various Three Mile Island reviews converged on the need for major nuclear safety upgrades, there was no consensus on how wide-ranging the reforms should be. At the heart of the safety debate were these questions: Should the reforms address only the issues raised by the last accident? Or would that be tantamount to fighting the last war? If the next accident were triggered by a completely different event and proceeded along a different track, the failure of a too-narrow approach would be evident. Because of the NRC’s regulatory focus on design-basis accidents that followed a certain script, it had never taken a comprehensive look at the universe of beyond-design-basis accidents—that is, everything else that could go wrong—or the need to protect against them.
The aversion to considering beyond-design-basis accidents—then called “Class 9 accidents”—dated back to the NRC’s predecessor, the Atomic Energy Commission (AEC). One of the AEC’s concerns was laid out by none other than Harold Denton, then a member of the AEC’s licensing staff. During a January 5, 1973, AEC meeting on reactor siting criteria, he stated that “if Class 9 accidents are considered ‘credible,’ this may preclude the construction of reactors in the Northeast United States.” In other words, if protection from reactor accidents was deemed to require large distances between the reactors and the public, there might be no suitable sites in the northeast.
However, this sentiment was not shared by the NRC’s Advisory Committee on Reactor Safeguards. The panel of experts wrote in a letter to the NRC in December 1979: “The lessons learned from the TMI accident should be viewed in a broader perspective . . . there are other potentially important contributors to the probability of a reactor accident, and they should also receive priority attention.”
Had the NRC followed that advice, the regulation and operation of the nation’s reactors could have been transformed. But breaking out of its traditional focus into this new realm of oversight was not in the cards. Instead, in the face of Three Mile Island’s evidence to the contrary, the NRC ultimately returned to its belief that beyond-design-basis accidents were rare enough to largely ignore, and it limited the scope of the subsequent regulatory reform primarily to fighting the last war.
The NRC had blown its chance to develop a comprehensive approach to preventing meltdowns and thus had failed to learn one of the most significant lessons from Three Mile Island: that if one type of beyond-design-basis accident could occur, so could others. Instead, a series of ad hoc half measures and voluntary industry “initiatives” would fill the vacuum, creating a regulatory patchwork with plenty of holes. The NRC would refuse to recognize the defects of this system for decades, until it was compelled to convene yet another task force to conduct a postmortem on yet another catastrophe: Fukushima.