
Two Too Many Common Causes

December 3, 2013

We write the occasional post to do with the on-going, slow-motion crisis at the Fukushima-Daiichi nuclear power plant in Japan. The focus of these posts is to look at the event through process safety management eyes, to see what lessons we can learn and possibly to come up with insights that can help the managers who are trying to cope with the situation.

This post looks at the topic of common cause events and their relevance to the Fukushima-Daiichi situation.


Disclaimer: The writer of this blog does not possess special knowledge of the nuclear power industry, has not worked in a nuclear power plant and is relying entirely on public information gleaned mostly from the Internet to write this material. Hence it is more than likely that many of the thoughts and conclusions presented here will have to be updated or changed as new data or insights are provided. If any nuclear power expert can correct what is written here, particularly with regard to the number of redundant systems, we would be very pleased to publish an update with the appropriate accreditation.


The Timeline

On March 11th, 2011 north-eastern Japan was devastated by the Tōhoku subsea earthquake — the most powerful to have hit Japan since records have been kept. The earthquake was followed about 50 minutes later by a tsunami 14 meters in height. It is estimated that the earthquake and tsunami together resulted in 15,883 deaths, with many others injured or missing. Up to 1 million buildings were destroyed or damaged. Many videos on YouTube and elsewhere illustrate the enormity of these two events, the earthquake and the tsunami. They are not easy to watch.

The earthquake caused extensive damage to the structures of the Fukushima-Daiichi power plant and knocked out the pump systems that supply cooling water to the reactors and the spent fuel pools. The tsunami then overwhelmed the facility’s inadequate 5.5 meter seawall and, most important from a process safety point of view, it knocked out the safety systems designed to keep the reactors cool. Consequently the cores of the reactors overheated, leading to partial meltdowns and follow-on problems, such as the generation of hydrogen gas that exploded. A considerable amount of radioactive material leaked to the ground, the sea and the air — and those leaks appear to be on-going.

At least six consequences

Although this catastrophe occurred two and a half years ago, the current state of the facility is still a long way from being properly understood. One reason for this is that there are at least six separate events that need to be considered, and they are all different from one another. They are:

  1. The presumed partial meltdown in Reactor #1;
  2. The presumed partial meltdown in Reactor #2;
  3. The presumed partial meltdown in Reactor #3;
  4. The removal of spent fuel from the Reactor #4 storage facility;
  5. The on-going flow of ground water; and
  6. The integrity of the temporary water storage tanks, which are not seismically rated.

(Items not included in the above list are the newer Reactors #5 and #6, which seem to have suffered less damage, and the long-term storage of the nuclear fuel rods after they have been recovered.)

In summary, three large nuclear power plants have probably suffered a partial meltdown, and the structure containing the spent fuel rods of Reactor #4 is seriously damaged and could collapse and/or allow cooling water to escape — particularly were there to be another large earthquake. Given that this structure is 30 meters above grade and is outside the containment building, and given that the rods are clad in zirconium, which catches fire when exposed to air, this is, to say the least, a tricky situation – one that the operator Tepco (Tokyo Electric Power Company) started to address in November of this year.

This is not a good situation.

Common Cause

There are a number of inherent safety/process safety issues to do with the above events. For example, the decision to locate the spent fuel storage pool at a high elevation is a concern, as is the fact that the basement sections of Reactors 1-4 are below sea level.

However, the issue that this post focuses on is that of two separate common causes. An explanation to do with common cause events is provided in an earlier post in this series (Let’s not make common cause). Briefly, a common cause event is one that causes two separate, supposedly independent systems to fail simultaneously. For example, solid materials in a liquid system may cause both a pressure controller instrument and the high pressure shutdown system to be blocked at the same time. The normal control and the interlock are not independent of one another.


It is critical that the cores (and spent fuel pools) of nuclear reactors be kept cool by a continuous flow of cooling water, even if the reactor is shut down. If this does not happen then a Loss of Coolant Accident (LOCA) takes place.

We do not have copies of the Fukushima-Daiichi P&IDs (Piping and Instrument Diagrams). Therefore, just for the sake of argument, we make the assumption that there are two sets of pumps: three operating pumps (O1, O2 and O3) driven by electricity and two backup pumps (B1 and B2) that are diesel-powered and do not require electrical power. The Fault Tree for this assumed set-up is shown in Figure 2. It consists entirely of AND Gates.

We welcome any feedback that will tighten up these assumptions.

Figure 2: Fault Tree for the assumed pump set-up

We then make the further assumption that the operating pump O1 fails twice a year and that the two standby operating pumps (O2 and O3) each have a probability of failure to start on demand of 0.05 (i.e., the likelihood that they will start on demand is 95%). Hence the overall failure rate for the operating pumps is (2 * 0.05 * 0.05) yr⁻¹, or 0.005 yr⁻¹, or once in 200 years.

If this system were to fail then the backup diesel pumps would take over. Assuming a failure on demand probability for each backup pump of 0.01, the failure probability of the backup system is 0.0001. Combining the two systems we get an overall failure rate of one in 20 million years, which is a big number.

Now comes the earthquake; it knocks out electrical power. Hence all three of the operating pumps fail due to the first common cause: Electrical Power Failure caused by the earthquake. This is bad, but the backup pumps, which together have a probability of failure of 1 in 1,000, can be trusted to work since they have their own, independent source of power (diesel). But, 40 minutes later, the tsunami disables the backup pumps due to a second common cause: sea water flooding. The reactor core continues to generate substantial amounts of heat, but there is no means of removing that heat.
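As an added example (not from the original post), here is the Fault Tree above evaluated in Python: the post's per-demand failure figures, plus a small table of initiating events in which the earthquake disables the whole electric pump group and the tsunami disables the diesel group, so the AND gates see shared, not independent, inputs. The earthquake frequency and the conditional tsunami probability are constructed placeholders, not figures from the post or from Tepco.

```python
"""Fault tree for the assumed cooling-pump set-up (Figure 2): three electric
operating pumps O1-O3, two diesel backups B1-B2, joined by AND gates (every
pump must be unavailable for a Loss of Coolant Accident)."""
from dataclasses import dataclass, field

# Per-demand probabilities of failing to start, as assumed in the post.
PFD = {"O2": 0.05, "O3": 0.05, "B1": 0.01, "B2": 0.01}
STANDBY = ("O2", "O3", "B1", "B2")


@dataclass(frozen=True)
class Initiator:
    """An event that creates a demand on the standby pumps.
    frequency: occurrences per year.
    disables:  pumps the event knocks out outright (the common cause), so
               their failure probability for that demand becomes 1."""
    name: str
    frequency: float
    disables: frozenset = field(default_factory=frozenset)


def loca_frequency(initiators):
    """Top-event (LOCA) frequency per year. For each initiator, multiply its
    frequency by the probability that all standby pumps are unavailable (the
    AND gates), then sum: the events are rare, so the union is ~ the sum."""
    total = 0.0
    for init in initiators:
        p_all_fail = 1.0
        for pump in STANDBY:
            p_all_fail *= 1.0 if pump in init.disables else PFD[pump]
        total += init.frequency * p_all_fail
    return total


# Scenario 1, the post's independent picture: O1 trips twice a year for
# ordinary reasons and every other pump fails independently.
RANDOM_O1_TRIP = Initiator("O1 random trip", 2.0)

# Scenario 2 adds the two common causes. Constructed placeholder values: a
# grid-killing earthquake once per 100 years, followed 1 time in 10 by a
# tsunami that tops the seawall and floods the diesel pumps.
EQ_RATE, P_TSUNAMI = 0.01, 0.1
EQ_ONLY = Initiator("earthquake, no flooding", EQ_RATE * (1 - P_TSUNAMI),
                    frozenset({"O2", "O3"}))            # power lost
EQ_AND_TSUNAMI = Initiator("earthquake + tsunami", EQ_RATE * P_TSUNAMI,
                           frozenset(STANDBY))          # power lost, diesels flooded


def independent_case():
    return loca_frequency([RANDOM_O1_TRIP])   # 2*0.05*0.05*0.01*0.01 = 5e-7 /yr


def common_cause_case():
    return loca_frequency([RANDOM_O1_TRIP, EQ_ONLY, EQ_AND_TSUNAMI])


if __name__ == "__main__":
    for label, f in (("independent pumps", independent_case()),
                     ("with common causes", common_cause_case())):
        print(f"{label:>18}: LOCA once in {1 / f:,.0f} years")
```

With the placeholder frequencies the common-cause path dominates by a factor of roughly 2,000: the independent branch gives once in 2 million years, while the earthquake-plus-tsunami branch alone gives once in 1,000 years, whatever the diesel pumps' own reliability.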

Probabilistic Risk Analysis

The Fault Tree shown in Figure 2 is a highly simplified version of a Probabilistic Risk Analysis (PRA). As can be seen from the example, PRAs often give very low values for the likelihood of a major event taking place. They provide some of the justification for statements such as the following from the Japanese Nuclear Commission in the year 2003,

A fatality due to radiation exposure from an accident at one of its facilities should happen less than once per million years.

The probability of complete core meltdown is about 1 in 20,000 per reactor per year.

Although there are no indications to date of a fatality due to radiation exposure at Fukushima-Daiichi, some of the workers have been exposed, so the possibility of a fatality is real. The “once per million years” has become “once per thirty years”.

And within the last three decades there have been three major nuclear power plant events:

  • Three Mile Island (1979)
  • Chernobyl (1989)
  • Fukushima-Daiichi (2010)

One reason for the disconnect between expected failure rates and actual failure rates is that PRA analysts may overlook common cause events such as earthquakes and tsunamis.
