Reviewing the Safety of Nuclear Power Plants — Part 3: Resuming nuclear power generation is a highly dangerous choice that may cause another Fukushima-scale disaster

By Goto Masashi, Doctor of Engineering, Former Nuclear Plant Engineer, Member of Citizens’ Commission on Nuclear Energy


3. The viewpoint from which accidents are assessed is the key to pursuing technological safety

Technology and accidents have an inseparable relationship, and I regard assessing accidents as equivalent to assessing technology. Back in the 1950s, there was a “theory of technology” controversy about the definition of technology. Of the many theories presented in this controversy, I support the “application theory,” argued by Taketani Mitsuo (physicist) and Hoshino Yoshiro (technology critic). In this article I would like to discuss my own thinking rather than introduce the controversy itself.

To assess technology, I decided to think about safety from the viewpoint of “accident theory,” based on the expertise I have accumulated as a technologist of large structures since 1973, while working on the design of seabed oil field drilling rigs and other structures, and on the lessons I learned from many serious accidents in the 1980s. My research approach has been to first examine the actual accident conditions and the events that might have caused the accident, and to study how diversely accidents unfold. Where accident propagation could not be stopped and a large-scale accident occurred, I also assessed and investigated the scale and impact of the damage in light of the various technological characteristics of the system and of comparable accidents. Especially after the 1990s, I pursued research on the “theory of accidents” from viewpoints such as “technology and accidents,” “design and accidents,” and “natural disasters.” During this time, I taught as a part-time professor at four-year colleges such as Shibaura Institute of Technology and at five-year national institutes of technology.


3-1 Finding accident causes and estimating how accidents can come to an end

As Figure 2 of Part 2 of this series (NIT 226) shows, an accident occurs when two or three of the following factors occur in combination or, very rarely, when only one of them occurs.

1) An external event (a natural environmental event or destructive act)

2) An internal event (a failure or loss of function of a device or piping)

3) Human factor (human error)

In many cases, an accident propagates while multiple factors intertwine to a greater or lesser extent. The Fukushima Daiichi Nuclear Power Station disaster originated with an earthquake and tsunamis, which were followed by a station blackout. The reactor cooling function was then lost, and the core started to melt. Pressure and temperature rose in the containment vessel, and to prevent the vessel from exploding, the gas in the vessel, including radioactive substances, was released through the vent. The propagation of an accident is a series of contingent events that are not foreseen; once the causes of the accident are understood to some extent, the process of propagation gradually becomes visible. During the first week after the onset of the accident, the cooling system and the containment vessel vent system did not perform as expected, and the accident unfolded in a severe direction, including hydrogen explosions. In retrospect, the events that took place during the accident occurred in series and cannot be explained as the outcome of the station blackout alone; the accident propagated instead of coming to an end. Namely, the devices that should have stopped the propagation lost their functions, and to make matters worse, instruments and devices malfunctioned, making the conditions more confusing. At the same time, personnel made misjudgments, contributing to an increasingly worsening situation. It is known that natural environmental conditions in the vicinity, such as wind direction, were closely associated with the diffusion of radioactive substances and human exposure to radiation. Meanwhile, hydrogen explosions occurred inside the plant buildings. Because the inside of the containment vessels was filled with nitrogen gas, hydrogen explosions should not have occurred there. In fact, however, hydrogen leaked from the flanges and other components of the vessels into the reactor buildings, which were not filled with nitrogen gas and in which any hydrogen present could easily explode; the hydrogen accumulated there and exploded. The debris that collapsed in Unit 1 caused core-concrete reactions, damaging the reactor base (pedestal) more seriously than expected. It is critical to investigate the causes of the accident, which is still continuing today, 14 years later, with the details not yet clarified.

As the disaster is examined in this way, both the meaning of preventing accidents and the limits to preventing them become clear. A common attempt is to interpret an actual accident along a thin, single-line scenario, but the propagation of an accident has many crossroads, and depending on the decisions made at those crossroads, a different accident might have occurred. This indicates how difficult it can be to prevent the propagation of an accident, and also that facts still unknown may have determined the propagation. In a large technological system, it is virtually impossible to answer the question of how an accident can be prevented.


3-2 In what ways should accidents be understood?

— Accidents are caused by the loss of functions of safety devices —

When we look at accidents, we find they are caused not only by excessive loads or by conditions beyond the design conditions. Consider that, if the safety devices that should have been activated lose their functions due to a failure, the accident may develop into a trapped condition, namely, an irrevocable condition from which the system can never return to its original state. We often hear that an accident occurs because of a device failure, in other words, because the reliability of the device is low. The truth is that an accident occurs when a safety device does not function when it should, rather than because of low reliability. In a failure, instruments may show wrong values or devices may malfunction, and then, combined with human error, the situation develops into an accident. Generally speaking, it is difficult to prevent accidents. To be exact, it is impossible to prevent large-scale accidents.


3-3 Power companies’ bogus explanations about safety

Power companies explain the safety of nuclear plants as follows:

Nuclear power plants basically have a structure that contains radioactive substances, and adopting the idea of multiple protection, we take measures on three levels: “We prevent the occurrence of an anomaly,” “When an anomaly occurs, we detect it at an early stage, and prevent the expansion of the anomaly such that it does not develop into an accident,” and “When an accident occurs, we prevent its propagation and reduce its impacts” (see Figure 1).

Specifically, (1), to prevent an anomaly,

1) Design with sufficient margins (measures against earthquakes, etc.),

2) Use fail-safe design (safe-side operation),

3) Interlock (prevention of erroneous operation)

are available. However, the upper limits of earthquake magnitudes cannot be predicted at the current level of science, and many earthquakes far beyond the “design with sufficient margins” conditions have been experienced since the new regulation standards were established. Namely, even in the new regulation standards, the design conditions for nuclear plants (earthquakes, tsunamis, and volcanoes) are not given as values that will not be exceeded. Technologists designing and evaluating nuclear plants are therefore not given design conditions that are sufficiently on the safe side, and they can neither produce new nuclear plants nor evaluate the safety of existing ones. The design of nuclear plants is totally bankrupt.

Concerning 2), fail-safe design, and 3), interlock: these are applied in a limited range, such as shutting down the nuclear reaction, but as a basic principle they are not applied throughout the design. In the actual design of nuclear plants, in case a failure occurs (failure is inevitable in a complicated system consisting of an innumerable number of components), a fail-safe design that keeps operation on the safe side has not been realized at all, and interlocks that prevent erroneous operation have not been sufficiently provided. As evidence, in the Fukushima disaster, when the power supply was lost, cooling became impossible, and instruments operated abnormally, showing wrong values. The status of the isolation valves of the containment vessels could not be checked and their malfunction could not be prevented. Meltdown thus occurred and the accident propagated further.

(2) Power companies say that they are committed to reinforcing safety measures for accident propagation prevention and impact mitigation, but their measures are actually not fail-safe. Thus, while the “devices that detect anomalies at an early stage” and the “devices (functions) that stop the nuclear reactor automatically” barely managed to stop the reactors, they failed to keep the reactor containment vessels cooled (the function of continuous cooling). The accident worsened to the degree where spent fuel cooling was almost lost. The fail-safe design principle is meaningless if it is only partially applied. It is a basic principle of safe design that should be applied to the entire nuclear plant and to the entire process of accident development. The explanation in Figure 1 pretends that fail-safe design is applied over the entire plant although it is applied only to one part of the system (stopping the nuclear reaction). This is a fraud.
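To make concrete why a fail-safe claim covering only one subsystem gives less protection than the three-level “multiple protection” explanation implies, here is an added illustration (not from the article, and using constructed failure probabilities rather than any plant or regulatory data). It compares the probability that all three protection levels fail when they are assumed to be independent against the probability when a single common-cause event, such as the loss of station power described above, disables several of them at once.

```python
# Added illustration: three protection levels modelled as barriers with
# per-demand failure probabilities. All numbers are constructed for this
# example; they are not plant data or regulatory figures.

BARRIERS = {
    "prevent_anomaly": 1e-2,       # design margins, interlocks
    "detect_and_contain": 1e-2,    # early detection, automatic shutdown
    "mitigate_accident": 1e-2,     # continued cooling, containment, venting
}


def p_all_fail_independent(barriers):
    """Probability that every barrier fails on a demand, assuming the
    failures are statistically independent (the 'multiple protection'
    picture taken at face value). An empty set of barriers gives 1.0."""
    p = 1.0
    for q in barriers.values():
        p *= q
    return p


def p_all_fail_common_cause(barriers, p_common, dependent):
    """Same question when a common-cause event (probability p_common per
    demand, e.g. loss of station power) defeats every barrier named in
    `dependent` at once, while the remaining barriers still fail
    independently. Uses the law of total probability over the event."""
    independent_only = {k: q for k, q in barriers.items() if k not in dependent}
    # Common cause occurs: dependent barriers are gone, the rest must fail on their own.
    with_cc = p_common * p_all_fail_independent(independent_only)
    # Common cause absent: the original independent picture applies.
    without_cc = (1.0 - p_common) * p_all_fail_independent(barriers)
    return with_cc + without_cc


def dependence_penalty(barriers, p_common, dependent):
    """Factor by which the common-cause model raises the all-barriers-fail
    probability relative to the independence assumption."""
    return (p_all_fail_common_cause(barriers, p_common, dependent)
            / p_all_fail_independent(barriers))


if __name__ == "__main__":
    # Constructed scenario: a station blackout (1 in 1000 demands) removes
    # both the detection/shutdown level and the mitigation level, leaving
    # only the prevention level standing.
    power_dependent = {"detect_and_contain", "mitigate_accident"}
    print(f"independent:    {p_all_fail_independent(BARRIERS):.3e}")
    print(f"common cause:   {p_all_fail_common_cause(BARRIERS, 1e-3, power_dependent):.3e}")
    print(f"penalty factor: {dependence_penalty(BARRIERS, 1e-3, power_dependent):.1f}x")
    # If every level depends on the same power supply, the shared failure
    # dominates and the extra levels add almost nothing.
    all_three = set(BARRIERS)
    print(f"all dependent:  {p_all_fail_common_cause(BARRIERS, 1e-3, all_three):.3e}")
```

With the constructed numbers, the independence assumption gives a one-in-a-million chance that all three levels fail, but a common cause with only a one-in-a-thousand chance of occurring raises that to roughly eleven times higher when it takes out two levels, and to roughly one in a thousand when it takes out all three. The lesson is the article's: layered protection is only as good as the independence between the layers, and a fail-safe property that holds for one subsystem says nothing about the layers that share its dependencies.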

Further, (3), the prevention of abnormal release of radioactive substances into the surrounding environment is explained as being realized by the Emergency Core Cooling Systems (ECCS) (function of cooling) and the reactor containment vessel (function of containment). However, when an accident propagates and the ECCS does not work, the core will melt, and pressure and temperature in the containment vessel, which holds the radioactive substances, may exceed their limits. In that case, using the containment vessel vent (filtered vent) may be unavoidable. The filter is not guaranteed to perform its function continuously over a long period, and the complicated piping and valve systems make it quite possible that a vent will be performed without the filter functioning. As described in section 3-1, various explosions and core-concrete reactions are possible as the accident unfolds.


3-4 Unexpected accidents that power companies cannot explain

Airliner crashes and terrorist acts

Thus far, I have explained that part of the reasoning in the power companies’ explanation of nuclear safety is an exaggeration, making the safety measures sound as if they encompass the entire plant. Now I would like to point out what has been excluded from the safety of nuclear plants in Figure 1.

Looking back at the Fukushima disaster, one critical point that should not be overlooked is that accidents deemed impossible, or whose probability of occurrence was considered very small, were ignored. This point was made in the reports of the “National Diet of Japan Fukushima Nuclear Accident Independent Investigation Commission (NAIIC)” and the “Investigation Committee on the Accident at the Fukushima Nuclear Power Stations.” The possibility that most directly illustrates this exclusion is an airliner crash. In Japan, nuclear power plants and reprocessing plants are close to commercial aircraft routes, and depending on the location, the flight training areas of the United States forces and the Japan Self-Defense Forces are also close. Osprey military aircraft have been deployed across Japan, and there is concern about accidents.

(1) Frequent airliner accidents

As can be seen from the collision of airliners on the ground at Haneda airport (January 2, 2024, resulting in the loss of five people), the density of commercial aircraft traffic and human error are emerging as problems. On February 6, at an airport in Seattle, U.S., a Japan Airlines passenger airliner was involved in a contact accident with another passenger airliner. Among accidents involving airlines of other countries, on December 29, 2024, at an airport near Kwangju, Korea, an airliner suffered a bird strike and failed to land, killing 179 people. On January 30, 2025 (Japan time), in Washington, D.C., an American Airlines airliner and a U.S. military helicopter collided in midair, killing all 67 passengers and crew on both aircraft. Further, on February 6, in Alaska, a passenger airplane crashed and all on board died. On March 1, in New York, a cargo airplane suffered a bird strike and a fire occurred (fortunately no one died). According to National Transportation Safety Board (NTSB) data, in the U.S., between January 1 and February 19, 2025, there were 87 airliner accidents (excluding the February 19 accident), of which 13 resulted in 85 human deaths. In a system controlled by humans, a midair collision can occur at any time, just as with the collision between the military helicopter and the passenger airliner.

(2) Danger of underestimating the possibility of an airliner collision with a nuclear plant

Concerning an airliner collision with a nuclear plant, the new regulation standards carry over the standards established before the Fukushima disaster. The standards demand an assessment of the damage likely to occur when an airliner crashes on nuclear plant premises. However, they state that, when the annual probability of an airliner crash on the nuclear plant is no more than 10⁻⁷, the probability of such an accident is treated as negligible and the assessment is not required. The lessons of the Fukushima disaster indicate that, even if the probability of occurrence is small, measures should be taken against an accident that may cause critical damage to a nuclear plant, or at least it should be confirmed that such a crash will not cause a severe accident. The Fukushima disaster refuted the assumption that an event with a very low probability does not require a safety assessment. When an airliner crash occurs, the damage is expected to cause a disaster. Exempting such a crash from assessment amounts to a significant underestimation of accident risks.

Recently, airliner accidents have been frequent. It is extremely inappropriate to determine that the probability of commercial or military aircraft colliding with a nuclear plant is no more than 10⁻⁷. The strength of nuclear plants against damage in the event of an airliner crash is not assessed, and this seems to me to indicate the lack of an attitude of carefully assessing nuclear plant safety. Furthermore, airliner crashes such as the September 11, 2001 simultaneous terrorist attacks in the U.S. cannot be discussed on the basis of probability. From the viewpoint of nuclear plant facilities, airliner accidents and hijack terrorist attacks must be regarded as equally damaging. Airliner crash damage assessment is a must. The September 11 terrorist attacks led the U.S. to adopt the extensive damage mitigation guidelines in Section B.5.b of the NRC Interim Compensatory Measure (ICM) Order. Section B.5.b requires “licensees to adopt mitigation strategies using readily available resources to maintain or restore core cooling, containment, and spent fuel pool cooling capabilities to cope with the loss of large areas of the facility due to large fires and explosions from any cause, including beyond-design-basis aircraft impacts.” The details of Section B.5.b are not known, but the Fukushima disaster has been referred to in the establishment of measures to mitigate accidents associated with terrorist attacks.

(3) Under what conditions will the “Specialized Safety Facility” be helpful as a measure against terrorist attacks?

The Specialized Safety Facility is a facility provided to prevent a reactor accident by enabling operators to evacuate the central control room and control the reactor from a site distant from it in the event that the plant is subject to a terrorist attack. The new regulation standards added the requirement for this facility in 2013. The standards specify that “to prevent both the nuclear reactor buildings and the Specialized Safety Facility from being damaged at the same time, they should be separated (e.g., by more than 100 meters), or the facility should be situated in a robust building able to withstand the deliberate crash of a large airliner” (see Figure 2).

Figure 2. Specialized Safety Facility (Source: The Chugoku Electric Power, November 2014)


The Specialized Safety Facility is required to have water supply equipment for the nuclear reactor and for the interior of the containment vessel, filtered vent equipment, power supply equipment, telecommunications equipment, an emergency control room, and so on. However, the most critical point about the facility requirements is that they are planned on the assumption that the nuclear reactor and the containment vessel body will not themselves be damaged. For example, if an airliner or other flying object crashes into and damages the containment vessel body, the above-mentioned water supply equipment, filtered vent equipment, and all other measures are meaningless. Considering that the facility is useful only under such restricted conditions, it is apparent that the safety of nuclear plants is vulnerable. Under the new regulation standards, it was determined in 2015 that the Specialized Safety Facility “should be built within five years from the reactor installation permission date and no exception will be allowed.”


In the next article of this series, I would like to analyze the meaning of “Normal Accident Theory” in the context of nuclear plant accidents.
