Summer 2012

Fukushima’s Lessons: Probability Theory is Unsafe

Kenichi Ohmae, an MIT-trained nuclear engineer also widely regarded as Japan’s top management guru, is dean of Business Breakthrough University. He was a founder of McKinsey & Co.’s strategic consulting practice and is the author of many books, including The Borderless World.


TOKYO—More than a year has now passed since the complete core meltdown of three boiling water reactors at Tokyo Electric Power Company’s Fukushima No.1 plant. Because of the limited information issued by the Japanese government—and its insistence that the disaster was only a result of the unanticipated magnitude of the earthquake and tsunami—the world does not know what really happened and will thus draw the wrong lessons.

The most critical lesson for the global nuclear industry to learn, since most plants around the world do not face tsunami or earthquake risks, is that no one imagined that the external electricity supply from outside the plant that would cool the reactors could be disrupted. That assumption, just like the assumption that a natural event of the size that took place was unlikely, was based on “probability theory” taught to all nuclear engineers. It is the basis—wrongly—for telling the public that nuclear power generation is “safe.”

As a nuclear core designer who obtained my doctorate from MIT in Nuclear Engineering, I volunteered to look into the situation at Fukushima No.1 in June of 2011. Goushi Hosono, Japan’s minister of Nuclear Power and Environment, personally granted me access to the information and personnel who were directly involved in the containment operations of the post-disaster nuclear plants.

My now completed investigation shows that the Fukushima accident could have been avoided if the plant had the capacity for electricity generation of any form along with the appropriate heat sink (a supply of water to cool down reactor rods). Despite the “unexpectedly high” tsunami that caused the accident, two reactors, Nos. 5 and 6, remained intact, though they were damaged to the same extent as the other four reactors by the earthquakes and tsunami. The difference was that they had an additional source of electricity beyond links to the outside grid through an air-cooled emergency diesel engine.

The most important lesson of Fukushima No.1 plant, therefore, is that we should have a multiplicity of means to provide a continuous electric supply and heat sinks. This is not the same as “You should not put all the eggs in one basket.” We should have eggs and apples in a few different baskets.

If a country or company wants to operate a nuclear reactor, it should not assume anything about potential disasters — be they earthquakes, tsunamis, terrorist attacks or a plane crash. No matter what happens, the reactor must be brought to cold shutdown, which requires electricity and heat sinks. It is a pretty simple principle.

There is a more general lesson for all operating nuclear facilities: If you make assumptions, then you are not prepared.

All the nuclear reactors in the world have been designed by probability assumptions, originally proposed by Prof. Norman Rasmussen of MIT. It is a scientific way of expressing what the public will accept.

For example, what is the probability of a plane crashing into Yankee Stadium with a full audience during the World Series? This can be calculated with certain assumptions, and, the theory goes, that “level of probability of accidents” is something people tacitly accept because it is very unlikely to happen. The same principle was followed at Fukushima: Assumptions were made about possible causes of nuclear plant accidents, and engineering precautions were made accordingly so that “the reactor is safe.”

In Japan, the Atomic Energy Safety Commission made a fatal mistake by relying casually on this probability theory. They said that the probability of long-term stoppage of external electric supply “in a country like Japan” is so unlikely that we do not have to assume it might take place. So, while they insisted on having three emergency generator sets per reactor, they did not think of a situation in which the external electricity supply from Japan’s main grid was disrupted.

Fukushima No.1 had five different paths for the grid to come in, but all of them were destroyed by the powerful earthquakes 45 minutes prior to the tsunami. Had only one line remained active, we would have had no problems.

Had the commission made no assumptions about the external energy supply and built solar, wind, gas turbine or even small LNG power stations on site for the six gigantic reactors, this accident could have been avoided.

Another fatal assumption was about the tsunami’s power and height. Historically, they say, the maximum height observed along the eastern shores of Japan was 10 meters. The probability of a 15-meter tsunami hitting the Japanese coast is so low that you do not have to assume such a disaster because it is likely to take place once in 10,000 years. What we learned in Fukushima is that when something like that happens, the probability is 100 percent. It does not matter what the theoretical probability is.

Yet another false assumption involved the containment vessel, an invention of nuclear engineers to assure nearby inhabitants that, if there were an unimaginable accident and fission products leaked out of the core, they would be confined inside and not leak out into the external environment. This long-held myth was also broken by Fukushima No.1, as the molten fuel dropped through the pressure vessel and the “nuclear lava” melted the bottom of the containment vessel, leaking a huge amount of fission gases and particles to the air and water.

Assumptions and probability are for the theoretical dreamers. If you have a hot reactor, soaked in water and without power to circulate the coolant, then you still have to cool it no matter what. If you cannot equip the facility with a reliable last resort of power and heat sink, you should not operate the nuclear plant to begin with. That is the lesson of Fukushima.

My recommendation is very simple. We should not assume anything in the design of a nuclear reactor. We should be prepared to cool down a reactor and bring it to cold shutdown with at least one reliable power supply and heat sink. This means that the emergency power should be provided in a multiplicity of means and locations, and the heat sink should not depend on prevailing water alone, but on air and alternative water reservoirs.

If this is established then the reactor can be safe not only against natural disasters but also man-made damage.

Any nuclear plant operator anywhere in the world who does not heed these lessons from Fukushima is inviting the kind of disaster we have experienced in Japan.