The Wave That Was Already in the Record#
At 14:46 JST on March 11, 2011, a magnitude 9.0 earthquake struck off the Pacific coast of Tōhoku, Japan: the most powerful earthquake ever recorded in Japan and the fourth most powerful recorded anywhere. Strong shaking lasted approximately six minutes. At the Fukushima Daiichi nuclear power plant, on the Pacific coast of Fukushima Prefecture, the earthquake triggered the automatic emergency shutdown (SCRAM) of the three operating reactors, Units 1, 2 and 3, within seconds; Units 4, 5 and 6 were already shut down for maintenance. The control rods were driven into the cores and the fission reaction stopped. The earthquake also severed the plant's connections to the external grid, and the emergency diesel generators started and picked up the load. Up to this point the plant's safety systems performed exactly as designed.
Roughly forty-one minutes later, at about 15:27, the first of a series of tsunami waves reached the plant's coastal boundary; the largest arrived some ten minutes after that. The design basis tsunami height for the plant was 5.7 metres. The inundation height of the arriving wave was approximately 14–15 metres, overtopping the seawall by roughly nine metres. The water flooded the turbine buildings, the lower floors of the reactor buildings and, critically, the basements and ground-floor rooms housing the emergency diesel generators, their seawater cooling pumps, their fuel supplies and their switchgear. Every emergency diesel generator serving Units 1–4 was lost within minutes of the main wave, and with offsite power already gone the plant was in station blackout. The DC battery systems, rated for roughly eight hours of instrumentation power under design conditions, were the only remaining source; where they had not themselves been flooded, they were exhausted long before AC power could be restored.
The Fukushima Daiichi accident was not caused by the earthquake. It was not caused by the tsunami. It was caused by the fact that every layer of redundancy protecting the reactor cores shared a single failure mode: submersion by a tsunami wave of sufficient height. The Safety Return on Redundancy (SRR) for the backup power architecture — evaluated honestly against the tsunami scenario — was approximately zero.
The Architecture of an SRR ≈ 0 System#
The most dangerous type of redundancy failure is one that is invisible during normal operations and catastrophic during the triggering event. Fukushima Daiichi's backup architecture looked robust in the facility's safety documentation. The National Diet of Japan's independent investigation commission, in its 2012 report, found that TEPCO and the nuclear regulator had systematically underestimated the tsunami risk by anchoring the design basis to the modern instrumental record at the site, in which the largest event was the 1960 Chile tsunami, and discounting the geological record. The 869 CE Jōgan earthquake had generated a tsunami that sedimentological evidence shows penetrated several kilometres inland on the Sendai plain and along the Fukushima coast. That evidence, together with an in-house TEPCO estimate of a possible wave far above the design basis, had been in the company's hands since 2007–2008. The safety implications were not acted upon.
Correlated Failures in a Shared Envelope#
The Diesel Generators in the Basement#
Emergency diesel generators are the backbone of a nuclear plant's backup power architecture. At Fukushima Daiichi, thirteen emergency diesel generators served the six reactor units. Their placement is the single decision that most determined the accident's severity. Nearly all of them, together with the equipment they depend on (fuel oil tanks, seawater cooling pumps at the shoreline intake, distribution switchgear), were installed in the basements of the turbine buildings or in other low-lying buildings on the seaward side of the site, the zone most exposed to tsunami inundation given the site's topography and the direction of approach from the Pacific.
The generators were not unprotected. The reactor and turbine buildings had watertight doors and flood-resistant construction sized to the 5.7 m design basis. That protection was adequate for the design basis event and provided zero protection for the actual event. Twelve of the thirteen generators were lost, some because the machine itself was flooded and some because the seawater pump or the switchgear feeding it went under. The one survivor was an air-cooled unit serving Unit 6, housed in a separate building on the higher Units 5–6 platform; it needed no seawater pump, and it was later used to keep both Units 5 and 6 cooled. The contrast is precise: same design specification, same maintenance programme, same operator competency. Units 5 and 6 sit on a platform roughly 13 m above sea level, where the water that arrived was only about a metre deep; Units 1–4 sit on a 10 m platform that was submerged under roughly four to five metres of water, putting their basement generators far below the waterline. The SRR contribution of the failed generators was governed entirely by where they stood, not by their mechanical reliability.
This is the canonical correlated failure scenario. In the SRR framework, correlation between the primary failure event (loss of grid power from earthquake and tsunami damage) and the redundancy layer's failure event (loss of the diesel generators to inundation) means that the probability of both failing together is close to the probability of the tsunami itself, not the product of their individual failure probabilities. The conditional probability P(all generators fail | a tsunami higher than the generators' flood level reaches the site) approaches 1.0. The unconditional annual probability of such a tsunami may be very low, but when the event occurs every generator is negated simultaneously, and a safety case that multiplied the individual failure probabilities as if they were independent has credited a layer that does not exist for that event.
The Seawall That Was Not Designed for Tōhoku#
The plant's tsunami protection was the primary physical barrier against inundation. Its original 1966 licensing basis was a 3.1 m wave, derived from the run-up recorded at the site from the tsunami generated by the 1960 Chilean earthquake. In 2002 TEPCO re-evaluated the hazard using the Japan Society of Civil Engineers' then-new assessment method and raised the design basis to 5.7 m, which it met by raising the seawater pump motors rather than by rebuilding the site's protection. Neither figure drew on anything older than the modern instrumental record.
That record excluded the geological evidence of the Jōgan 869 CE tsunami. Sedimentological surveys, including work by TEPCO's own researchers from 2007 onward, indicated that the Jōgan wave had inundated coastal areas several kilometres inland, consistent with a wave at the Fukushima coast far above 5.7 m, and a TEPCO in-house calculation in 2008 using a hypothetical offshore source produced a run-up of around 15.7 m at the plant. These findings were presented to the utility's engineering and safety staff. Revising the design basis would have required costly protection upgrades and potentially plant modifications; the review was still open, and the 2008 figure had been reported to the regulator only days earlier, when the Tōhoku earthquake struck in March 2011.
The National Diet commission characterised this institutional failure as a predictable consequence of a regulatory culture in which the utilities and their regulator, the Nuclear and Industrial Safety Agency (NISA), had settled into a relationship of mutual accommodation that suppressed inconvenient risk findings. The seawall height was not a technical error; the engineering of the existing structure was competent. It was an institutional error: the failure to update the design basis when new evidence showed the original one was non-conservative.
The SRR of the seawall, evaluated against the hazard distribution it was designed for, was positive and real: it would have protected the plant against the historical design basis tsunami. Against the Tōhoku tsunami it was zero. The critical question in any SRR calculation is therefore: what is the hazard distribution against which the redundancy layer is being evaluated? If that distribution is systematically underestimated, the SRR calculation is systematically wrong, and the false assurance it generates is more dangerous than acknowledged uncertainty.
The Battery Countdown#
After the diesel generators failed, Units 1, 2 and 3 were left with backup battery power alone. The DC systems were designed for roughly eight hours of operation under design basis conditions. They powered instrument readings, the operators' only window into core conditions, and the valves and controls of the steam-driven emergency cooling systems. Even this was optimistic: at Units 1 and 2 the DC distribution boards sat in the same flooded basements, and those units lost most instrumentation and control almost immediately; Unit 3's batteries survived the flood and lasted roughly a day and a half before its high-pressure injection system stopped. As the batteries depleted, operators progressively lost readings of reactor pressure, water level and core temperature. Without reliable readings they could not confirm whether cooling water was reaching the fuel; without AC power for pump motors they could not inject water even when a source was available.
The SRR contribution of the battery layer to core cooling is bounded by its design life: eight hours gave the operations team an eight-hour window to restore power or establish alternative cooling before core temperatures reached the regime of zirconium-water reaction and hydrogen generation. Given the actual conditions (total loss of plant power, a tsunami-inundated site inaccessible to service vehicles, and a regulatory and utility communication framework that impeded prompt decision-making), eight hours was not sufficient, and where the batteries themselves had been flooded the window was shorter still. The battery layer contributed real SRR value against the scenarios it was designed for. Against the scenario that actually occurred, its contribution was finite and insufficient to prevent core damage in all three operating units.
What a Properly Evaluated SRR Would Have Revealed#
The retrospective SRR calculation for Fukushima Daiichi's backup architecture is straightforward and sobering. Consider only the emergency diesel generator layer. Its nominal SRR, based on its mechanical reliability specification against initiating events other than tsunami, was positive and quantifiable through the standard probabilistic risk assessment (PRA) framework that TEPCO maintained for the plant. The PRA credited the diesel generator layer with a specific reduction in conditional core damage probability.
What the PRA did not correctly account for was the conditional failure probability of the diesel generator layer given a Tōhoku-scale tsunami, which, on the Jōgan 869 CE geological evidence available by 2008, had a non-negligible probability within the plant's remaining service life. Incorporating this scenario into the PRA would have shown that the SRR of the diesel generator layer, averaged across the full tsunami hazard distribution including the Jōgan scenario, was materially lower than the value credited in the existing safety case. The investment in the diesel generators, estimated at approximately $15–25 million for the full backup power suite, was not matched by a proportional safety return because its failure mode was correlated with the most severe credible initiating event.
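The argument of the two preceding paragraphs, and of the correlated-failure section above, can be made concrete with a toy calculation. The Python below is an added example, not code from the original post and not TEPCO's PRA; every hazard frequency, flood level and failure probability in it is an invented assumption, and the "risk reduction factor" it reports is a stand-in for SRR rather than a definition the series has given. It models one unit with two emergency diesel generators and compares what a PRA credits under the independence assumption with what the layer is actually worth once submersion is modelled, under both a design-basis hazard curve and one with a Jōgan-scale tail.

```python
"""Toy SRR calculation for a two-generator backup layer.

Added example, not code from the original post. Every number below (hazard
frequencies, mechanical failure probability, flood levels) is an invented
assumption chosen to expose the structure of the calculation; none is a value
from TEPCO's PRA. "Risk reduction factor" is a stand-in for SRR.
"""
from typing import List, Tuple

# A hazard curve is a list of (tsunami height in metres, assumed annual
# frequency of a tsunami of that height that also takes out offsite power).
HazardCurve = List[Tuple[float, float]]

# Assumed hazard as credited: nothing above the 5.7 m design basis.
DESIGN_BASIS_HAZARD: HazardCurve = [(3.1, 1e-2), (5.7, 1e-3)]
# Assumed hazard once a Jōgan-scale tail is admitted (heights/frequencies invented).
EXTENDED_HAZARD: HazardCurve = DESIGN_BASIS_HAZARD + [(9.0, 1e-4), (14.0, 2e-5)]

# Assumed per-demand probability that one EDG fails for mechanical reasons.
P_MECH = 0.05

# A layout lists, per EDG, the tsunami height above which that generator (or the
# pump / switchgear it depends on) is under water.
BASEMENT_LAYOUT = [10.0, 10.0]   # both EDGs in basements below a 10 m grade
HIGH_LAYOUT = [14.8, 14.8]       # whole plant on a 14.8 m platform
DIVERSE_LAYOUT = [10.0, 14.8]    # one EDG relocated uphill


def p_edg_fails(height_m: float, flood_level_m: float, correlated: bool = True) -> float:
    """P(one EDG is unavailable | tsunami of height_m)."""
    if correlated and height_m > flood_level_m:
        return 1.0  # submerged: the reliability specification is irrelevant
    return P_MECH


def p_layer_fails(height_m: float, layout: List[float], correlated: bool = True) -> float:
    """P(every EDG in the layer is unavailable | tsunami of height_m).

    With correlated=False this is the independence assumption, P_MECH ** n,
    which is what a PRA that ignores the hazard-layer correlation credits."""
    p = 1.0
    for level in layout:
        p *= p_edg_fails(height_m, level, correlated)
    return p


def sbo_frequency(hazard: HazardCurve, layout: List[float], correlated: bool = True) -> float:
    """Annual frequency of tsunami-induced station blackout: offsite power lost
    (assumed for every bin in the curve) and every EDG in the layer lost."""
    return sum(freq * p_layer_fails(h, layout, correlated) for h, freq in hazard)


def risk_reduction_factor(hazard: HazardCurve, layout: List[float], correlated: bool = True) -> float:
    """Stand-in for SRR: the factor by which the EDG layer divides the station
    blackout frequency, relative to having no backup power at all."""
    without_layer = sum(freq for _, freq in hazard)
    return without_layer / sbo_frequency(hazard, layout, correlated)


def credited_vs_actual(hazard: HazardCurve, layout: List[float]) -> Tuple[float, float]:
    """(factor credited under the independence assumption, factor once the
    flood correlation is modelled) for the same hazard curve and layout."""
    return (risk_reduction_factor(hazard, layout, correlated=False),
            risk_reduction_factor(hazard, layout, correlated=True))


if __name__ == "__main__":
    for name, hazard in (("design-basis hazard", DESIGN_BASIS_HAZARD),
                         ("hazard with Jōgan-scale tail", EXTENDED_HAZARD)):
        print(name)
        for lname, layout in (("basement", BASEMENT_LAYOUT),
                              ("high platform", HIGH_LAYOUT),
                              ("diverse", DIVERSE_LAYOUT)):
            credited, actual = credited_vs_actual(hazard, layout)
            print(f"  {lname:14s} credited x{credited:6.1f}   actual x{actual:6.1f}")
    print("P(all EDGs fail | 14 m wave), basement layout: "
          f"independent {p_layer_fails(14.0, BASEMENT_LAYOUT, False):.4f}, "
          f"correlated {p_layer_fails(14.0, BASEMENT_LAYOUT):.1f}")
```

Under the design-basis curve every layout earns the same factor of 400, and the credited and actual values coincide, which is why the layer looked sound on paper. Once the tail is admitted, the basement layout's credited 400 collapses to roughly 233 while the independence model still reports 400: the whole gap comes from the single 14 m bin, where the conditional probability of losing both generators jumps from 0.0025 to 1.0. Moving just one of the two generators above the flood line restores most of the value (roughly 387), which is the quantitative form of the diversity argument: redundancy only pays when the copies do not share the hazard's failure mode.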
The corrective action would have been geographically straightforward: relocate or elevate the diesel generators, and the switchgear and cooling pumps they depend on, above the maximum credible tsunami inundation level. Tohoku Electric Power's Onagawa plant, further north on the same coastline and closer to the epicentre, was struck by a tsunami of roughly 13 m, comparable to the wave that hit Fukushima Daiichi. Onagawa had been built on a platform about 14.8 m above sea level, so its diesel generators stayed dry, it retained one of its external grid lines, and it never entered station blackout. That elevation was a deliberate safety decision, pressed during the plant's planning by Tohoku Electric civil engineer and executive Yanosuke Hirai against internal objections, and it cost little more than the additional civil engineering of building high. The SRR of that siting decision, evaluated against the actual tsunami, was measurably higher than Fukushima Daiichi's layout at no material additional cost. The difference was not resources. It was the quality of the threat-scenario evaluation and the institutional willingness to follow its conclusions. The next post examines a case where the redundancy failure was not geographic but architectural: a safety system designed from the outset in a configuration almost guaranteed to fail.