Would you be comfortable living next door to a nuclear reactor if you knew it was storing its highly radioactive “live” fuel rods in a swimming pool in a flimsy shed cooled by a garden hose? Probably not. Yet this is effectively what reactor operators at Fukushima and elsewhere in Japan have been doing. This highlights how people sometimes apply different standards for risk, safety, and security during product design versus during ongoing operation of a facility or product. Product managers, project managers, and IT managers, take note so you don’t have a “meltdown” of your own product!
Critical Assets Need Consistent Protection, Not Inconsistent Protection
As the world has just been reminded, during a reactor meltdown event, the nuclear reactor’s containment vessel is supposed to keep the highly radioactive fuel safely separated from the outside world. The containment vessels are some of the toughest objects ever constructed by mankind. They’re designed to withstand earthquakes, the impact of a jet airplane, and the heat and pressure created inside them by a nuclear reactor experiencing an uncontrolled meltdown event. But the containment vessel won’t protect you from the radioactive fuel rods if you take the fuel rods out of the containment vessel, and that’s exactly what Japanese reactor operators have been doing during maintenance as a standard practice! The Wall Street Journal reports:
At the time of the quake, Reactor 4 was offline and not generating power amid annual maintenance. As part of that, five months ago Tepco relocated all the fuel rods—the heavy tubes that contain radioactive fuel pellets—from inside the reactor to what’s called a spent-fuel pool, a concrete holding tank that is less robustly protected than the reactor itself …. The events at Reactor 4 expose the risk of a commonplace practice in Japan, “full core discharge,” in which all the fuel in a reactor is moved during maintenance shutdowns …. In the U.S., reactors shut down for refueling typically retain most of their fuel in the thick steel reactor pressure vessel that provides much more protection against a radioactive release.
Saying that the spent-fuel pool is “less robustly protected than the reactor itself” is a considerable understatement. The containment vessel around the reactor is a steel and concrete structure designed to withstand some of the most intense stresses known to man. The spent-fuel pool at Fukushima is outside that containment vessel, separated from the outside world only by a thin outer wall of the building that is intended to keep the weather out and to burst outward to relieve pressure on the containment vessel if an explosion happens in the building. Essentially, it’s a concrete swimming pool in a drywall building kept cool by water being pumped in, and Japanese reactor operators have been storing the “live” nuclear fuel rods (not just the less-radioactive “spent” fuel rods) in that pool for extended periods during regular maintenance.
During the design of a nuclear reactor, enormous attention is paid to the design of the containment vessel and its ability to withstand every possible adverse event and extreme circumstance. The reactor’s designers, the utility, and government regulators will all minutely scrutinize the design and evaluate its expected performance under all kinds of dire situations. Why? Because they’re relying on the containment vessel to protect us from the highly radioactive “live” fuel rods.
There’s a basic contradiction here. If the “live” fuel rods are so dangerous that a containment vessel is necessary, why is it OK to take the “live” fuel rods out and store them in what amounts to a swimming pool in a shed? Conversely, if it’s safe to store “live” fuel rods in a swimming pool in a shed, why is the containment vessel necessary in the first place?
Flawed Assumptions Create Disastrous Results
Essentially, the Japanese reactor operators and regulators assumed that a problem was most likely to occur within the reactor core, so robust protection was necessary there but not elsewhere. They assumed that problems wouldn’t occur with the “live” fuel rods stored in the so-called “spent-fuel pool.” (The name itself is misleading and highlights the contradiction. It’s not a “spent-fuel pool” if you’re storing live fuel in it! Misleading names can contribute to poor thinking about product risks by masking contradictions.) They assumed that the pool would always be full of water and that therefore the “live” fuel rods stored within it wouldn’t overheat. Recent events have shown how wrong all those assumptions were, and Tepco was forced to admit that it was possible that the “live” fuel in the pool might go critical (restart the fission chain reaction that’s only supposed to occur inside the nuclear reactor) if the water boiled away and the fuel rods melted and congealed at the bottom of the pool. Put simply, thanks to the practice of removing “live” fuel rods from the reactor during maintenance, it became possible that a crude nuclear reactor might spontaneously form and start itself up at the bottom of what amounts to an unshielded outdoor swimming pool, a possibility that only heroic acts by Japanese nuclear workers risking their lives may yet narrowly avert.
Conflicting Goals for Product Safety and Security
How could the very same regulators require so much protection around the “live” fuel rods when they were inside the nuclear reactor and so little when the nuclear reactor was being serviced? It appears that they were optimizing for different aspects of safety in the two situations. When analyzing the strength of the containment vessel, they were trying to protect the public from exposure to radiation during a nuclear reactor meltdown event. But when allowing the “live” fuel rods to be removed from the reactor and stored in an unshielded pool, the Journal notes that the utility, no doubt with regulator knowledge and approval, was attempting to limit the exposure of workers to radiation during reactor maintenance:
“The Japanese argue it’s safer to move all the fuel to the pool, but the practice of full-core discharge caused a problem, in this case,” said Andy Kadak, a former professor of nuclear engineering at Massachusetts Institute of Technology, who has studied fuel handling for Tepco. Mr. Kadak said the Japanese feel the pools are safer because all the fuel is kept in a neutralized space, removed from workers.
Of course, the fact that the reactor was being serviced didn’t reduce the danger posed to the public by the “live” fuel rods at all. “Live” fuel rods don’t care whether they’re inside a reactor core or sitting in a swimming pool. They’re equally radioactive and equally dangerous at all times, and as any of the workers currently risking their lives at Fukushima will attest, the practice of “full core discharge” that was intended to reduce their exposure to radiation has now backfired, increased their risk and lifetime radiation exposure exponentially, and forced the regulators to increase the amount of radiation workers are permitted to be exposed to by 150%.
High Technology Security in Theory and in Practice
This kind of problem occurs with the security and safety of high-technology products in less dramatic ways all the time. People assume that passwords will prevent hackers from accessing their systems, but then they use short, low-quality passwords that can easily be guessed. They hire a reputable professional archiving firm to securely transport their backup tapes to a secure storage facility, then they assume the truck driver won’t remove and misplace the backup tape during a stop along the way, so they don’t encrypt the data on the tape. (That was the first way I had an employer lose my identity.) They assume that key card access controls and secure networks will protect confidential information, but then a human resources employee takes plain text files with social security numbers out of the office on a laptop that is then stolen out of their car. (That was the second way I had an employer lose my identity. I’m lucky that way!) The same behavioral problem comes up in public health as well. HIV prevention educators note that “It’s usually the person that fails, not the condom that fails.”
Product managers, project managers, and IT managers can help prevent this kind of problem by fighting for consistent safety and security standards for assets at all times. Watch out for contradictions. Flag, escalate, and resolve them. Don’t make the mistake of applying different security or safety standards to the same critical asset at different times based on convenience. If an asset is critical, it needs to be consistently protected, not inconsistently protected. Just ask the workers at Fukushima!
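One way to put the "consistent protection at all times" rule into practice is to record each critical asset in every operational state it passes through (in production, on a backup tape in transit, exported to a laptop) along with the controls actually applied in that state, and then check every state against one baseline that depends only on the asset's classification, never on where the asset happens to be. The checker below is an added example written for this post, not code from the original article; the classification baseline, the asset names, and the control names are constructed for illustration and stand in for whatever an organization's own policy defines.

```python
"""
Asset protection consistency check (added example, not from the original post).

Idea: the protection an asset needs follows from what the asset is, not from
which state it is currently in. Record the controls present in each state and
flag every state that falls below the baseline for the asset's classification,
the same way "live fuel in the spent-fuel pool" should have been flagged.
"""
from dataclasses import dataclass, field

# Baseline controls required for each classification, in EVERY state.
# These names are constructed for the example; substitute your own policy.
BASELINE = {
    "critical": {"encryption_at_rest", "access_control", "monitoring"},
    "internal": {"access_control"},
}


@dataclass
class AssetState:
    """One place/phase the asset passes through and the controls found there."""
    name: str                                   # e.g. "backup-tape-in-transit"
    controls: set = field(default_factory=set)  # controls actually applied


@dataclass
class Asset:
    name: str
    classification: str       # key into BASELINE
    states: list              # list of AssetState


def find_contradictions(asset: Asset) -> dict:
    """Return {state_name: [missing controls]} for every state that is
    protected less than the asset's classification requires.
    An empty dict means the asset is consistently protected."""
    required = BASELINE[asset.classification]
    gaps = {}
    for state in asset.states:
        missing = required - state.controls
        if missing:
            gaps[state.name] = sorted(missing)
    return gaps


def summarize(asset: Asset) -> str:
    """Human-readable report line per contradiction, for escalation."""
    gaps = find_contradictions(asset)
    if not gaps:
        return f"{asset.name}: consistently protected in all {len(asset.states)} states"
    lines = [f"{asset.name} ({asset.classification}): {len(gaps)} state(s) below baseline"]
    for state_name, missing in gaps.items():
        lines.append(f"  - {state_name}: missing {', '.join(missing)}")
    return "\n".join(lines)


# Constructed sample inventory mirroring the scenarios in the post: the same
# employee PII is well protected in production but not on the backup tape
# handed to a courier or on the laptop an HR employee takes home.
EMPLOYEE_PII = Asset(
    name="employee-pii",
    classification="critical",
    states=[
        AssetState("production-database",
                   {"encryption_at_rest", "access_control", "monitoring"}),
        AssetState("backup-tape-in-transit", {"access_control"}),
        AssetState("hr-laptop-export", set()),
    ],
)

# Constructed counter-example: the same asset after encrypting the tape and
# the laptop export and adding monitoring, so every state meets the baseline.
EMPLOYEE_PII_FIXED = Asset(
    name="employee-pii",
    classification="critical",
    states=[
        AssetState(s.name, {"encryption_at_rest", "access_control", "monitoring"})
        for s in EMPLOYEE_PII.states
    ],
)

if __name__ == "__main__":
    print(summarize(EMPLOYEE_PII))
    print(summarize(EMPLOYEE_PII_FIXED))
```

The point of keying the baseline on classification alone is that convenience arguments ("the tape is only on the truck for an hour", "maintenance needs the fuel out of the core") can never lower the required controls; they can only be answered by adding the missing control to that state or by not putting the asset in that state at all.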