Nuclear Reactor Safety: Lessons from Three Mile Island and Fukushima

Alexander DeVolpi

[This article is based on a longer article published in the Summer 2012 edition of the Federation of American Scientists Public Interest Report; we are grateful to FAS for permission to run an abbreviated version of Dr. DeVolpi’s article – Ed.]


All accidents that have involved commercial nuclear-power reactors have ultimately delivered useful lessons about nuclear safety, reactor design, and radiation effects. Despite various power-reactor mishaps [Enrico Fermi Unit 1 (1966); Three Mile Island-2 (TMI-2) in Pennsylvania (1979); Chernobyl in the former Soviet Union (1986); and Fukushima Daiichi in Japan (2011)], the accidents are noteworthy for very few, if any, public casualties. Indeed, it is well-substantiated that neither the TMI nor Fukushima reactor accidents have been responsible for any fatalities to date among the surrounding public. The safety record of nuclear-power, measured in fatalities per unit of energy consumed, is unmatched in the industrial world; coal-fired power plants, for example, have a much higher fatality rate per unit of electricity generated. (The Chernobyl accident, which happened during a safety test, led directly to about three dozen deaths among operators and emergency workers, according to international Chernobyl Forum study reports that have tracked mortality data since the accident [1].) However, these accidents shocked the industrialized world, and they had expensive consequences in terms of cleanups, power loss, decommissioning, and public apprehension. While nuclear safety has improved and important functional lessons have been derived as a consequence of these incidents, more safety systems could have been and could yet be implemented in existing reactors. In particular, a fundamental instrumentation shortcoming that contributed to the Pennsylvania Three Mile Island (TMI)-2 reactor meltdown was never fully addressed in other operating reactors, and that omission might have indirectly hastened Fukushima reactor damage.

At both TMI and Fukushima, accidental loss of water needed to remove residual heat from the reactor resulted in serious damage to overheated nuclear fuel within the reactors’ cores. In this article, I review the circumstances of the TMI and Fukushima accidents, and describe some overlooked autonomous nuclear instrumentation that can be installed which would provide independent measures of reactor water level and fissile fuel distribution before, during, and after an accident. I will argue that had operators at TMI been aware that coolant in the nuclear core was below the level and density required for sufficient heat removal, it might have been possible to avert a core meltdown. Similarly, if operators at Fukushima had implemented (or been able to implement) extraordinary emergency cooling measures sooner, they too might very well have forestalled or mitigated reactor-core damage.

Three Mile Island

At Three Mile Island, two reactors were built in the 1970s in the Susquehanna River near Harrisburg, Pennsylvania. Both were of the pressurized-water type manufactured by Babcock and Wilcox. Construction began on TMI-1 in 1968, and that reactor commenced operation in 1974; it has now operated without incident for over 38 years. The second reactor, TMI-2, suffered its accident after just one year of operation.

The accident at TMI-2 was precipitated when a relatively minor malfunction in fluid flow caused its primary coolant temperature to rise. This caused the reactor to shut down automatically in about one second. A pressure-relief valve then failed to properly shut, but control-room instrumentation did not reveal that failure. As a result, coolant drained from the reactor core, and residual nuclear-decay heat was not removed at a sufficient rate. Worse yet, operators erroneously believed at the time that there was too much water in the pressure vessel, and turned off the emergency core-cooling system. The situation was further aggravated when, after an hour or so of unrecognized overheating, they shut down the coolant pumps.

During the accident, operators and supervisors were unable to diagnose or respond properly to the unplanned automatic reactor shutdown. More specifically, they had no actionable indication that coolant capacity was insufficient to relieve the dangerous overheating of reactor fuel, nor did they have any information about fluid density while the accident transpired. Instrumentation for monitoring and managing the fission-induced nuclear reaction functioned properly, but means to regulate water-transported power production failed, and no autonomous auxiliary indicators were available to alert operators of the impending disaster. According to the World Nuclear Association, no direct information was available to the operators during evolution of the accident regarding the amount of water within the reactor vessel [2]. Lacking direct water instrumentation, operators judged coolant levels solely by the pressurizer indicator, which advised that water level was apparently high, a consequence of steam buildup in the reactor vessel giving misleading pressure readings. The operators assumed the core was properly covered with coolant. Had they known that water was being lost from the reactor vessel (and that the core was going without coolant), the destructive part of the accident could have been avoided by correct remedial actions. Some external instruments were located on the reactor bridge structure outside the pressure vessel, but those devices could not and did not help diagnose the loss-of-coolant evolution.

Various investigations - such as the Kemeny Commission appointed by President Carter, the Rogovin investigative board, Nuclear Regulatory Commission follow-ups, Department of Energy and UK Chief Inspector reports, Babcock & Wilcox manufacturer improvements, and watchdog groups like the Union of Concerned Scientists - ascribed the TMI accident to deficient control-room instrumentation, inadequate emergency-response operator training, human factors, and user-interface engineering problems. Ironically, "operator error" was cited as a decisive factor in the accident on the rationale that if reactor operators had not erroneously turned off emergency cooling systems, the accident would have been limited. Valuable lessons were learned from TMI, and improvements were advised and implemented in a number of procedural and analytical areas, but, as best as I can determine, no recommendation was made to implement autonomous external water-level instrumentation in either existing or new reactors in any jurisdiction [3, 4, 5]. As I describe below, such specialized equipment, based fundamentally on nuclear rather than conventional sensor principles, would operate in such a manner as to be functionally and physically independent of other instruments and their power sources.


The extraordinary 11 March 2011 Tohoku earthquake of estimated magnitude 9.0 off the coast of Japan caused severe damage to populated areas and induced a tsunami that breached protective seawalls. Up to 20,000 residents are known to have died; 125,000 or more buildings were damaged or destroyed; and there were a multiplicity of secondary effects such as nuclear-plant shutdowns and meltdown accidents near the earthquake epicenter.

The Fukushima Dai-ichi nuclear power station comprises six separate boiling water reactors originally designed by General Electric and maintained by the owner-operator, Tokyo Electric Power Company (TEPCO). Combined electrical power for the station was 4.7 GWe. At the time of the earthquake, units 1 to 3 were providing power at rated output, reactor 4 had been de-fueled, and units 5 and 6 were in scheduled cold shutdown for maintenance. In response to the earthquake, control rods deployed, and the operating reactors automatically shut down. When external electricity was lost, emergency diesel generators started up properly and many other instruments also functioned as designed, although backup electrical supply was insufficient for the reactor pumping systems. However, about an hour later, the tsunami overwhelmed ocean-facing barriers and broke connection to the power grid, resulting in flooding of sub-grade rooms containing emergency generators. Those generators consequently stopped working, and pumps that circulate coolant water in the reactor ceased to work, causing the reactors to begin overheating. Operators were still engaged in post-shutdown procedures such as controlling reactor pressure with limitations not to exceed an established cool-down rate. The flooding and earthquake damage greatly hindered external assistance. Contrived remedial measures, including injection of ocean water, were not sufficient to prevent partial or full core meltdown in the three reactors that had been in operation. Flooding also led to failure of secondary systems and to dramatically destructive explosions in three reactor buildings; volatile gases had originated inside the reactors after zirconium fuel cladding reacted chemically with coolant water to produce a buildup of explosive hydrogen. In addition, radiation escaped reactor containment, polluting the land, sea, and air environment.

The reactor water level in Fukushima unit 1 is considered to have receded within a short period of time, leading to exposure of the reactor core and to core damage. Reactor pressure decreased even though no actions were taken to reduce it. On the other hand, pressure within the containment vessel increased, implying that reactor-vessel pressure could not be maintained due to stresses on the vessel, and that the core damage had advanced a considerable extent within a short period of time. For Units 2 and 3, reactor water level started to decrease after cooling circulation stopped. Fire-engine pumps were started and low-pressure water injection was ready, but it could not be started quickly enough. The amount of water in the reactors sharply decreased. This resulted in core damage, for unit 2 about two hours after the earthquake, and for unit 3 after about 60 hours. Because of the extraordinary conditions, boric acid and seawater were injected into the unsalvageable reactors in order to quench possible nuclear recriticality, in which a reactor might spontaneously renew production of a fission chain reaction that cannot be properly cooled or safely contained. Such nightmarish scenarios are more conceptual than realistic, but properly informed measures are needed to cool, control, and manage the residual cores until they are fully decommissioned.

At this writing, the condition of Fukushima units 1, 2, and 3 is relatively static, but those reactors have yet to achieve a stable, cold shutdown. This means that they could still undergo various and uncharted stages of self-destructive disassembly and meltdown. These reactors could thus still benefit from diagnostic information specific to (1) their existing, but unknown, post-accident coolant level, (2) the current status of undetermined core fuel redistribution, and (3) any other changes that might yet take place in time. The responsible managers simply don’t know how much water is in the pressure vessels, nor do they know where the nuclear fuel is now located. Although nominally out of operation, these three reactors still generate many megawatts of heat and radiation, and considerable risk remains of further potentially harmful degradation of their components. Most uncertain is the ongoing condition of the nuclear core and its water coolant, a continuously changing and currently indeterminate situation. Because normal water supply was interrupted by failure of electrical pumps and other emergency measures, extraordinary methods are currently being used to supply sufficient water coolant for the three damaged reactor vessels. Forced external cooling will probably be necessary for many years.

The Case for Coolant-Level Monitoring

Figure 1 – Top (upper) and side (lower) schematic illustrations of a hodoscope.

Some factors that caused internal reactor damage at Fukushima were similar to the accident at TMI in the sense that (1) the hot reactor core was suddenly deprived of sufficient water coolant, and (2) ad-hoc measures had to be undertaken to provide emergency cooling. Because of insufficient coolant, and despite improvised emergency measures, three Fukushima reactors experienced internal fuel meltdowns that destroyed their nuclear cores. The molten core debris was fully and safely contained within the biological shield of each respective reactor, however.

When the Fukushima-reactor cleanup staff and crew is ready to plan and engage in removal of fuel and core debris, it would be extremely valuable, and probably essential, to have updated knowledge of the approximate quantity and geometrical distribution of water and fuel inside the reactor pressure vessel. Such information would help safely and economically manage residual nuclear-criticality and radiation-exposure risks for each disabled reactor.

External instrumentation has been designed and patented that could be introduced for the specific purpose of determining in real time how much water is currently within the reactor vessels. Such instrumentation can be placed inside the reactor containment building, but outside the pressure vessel. For example, this author has developed and patented a proposal for such an instrument that could be installed and operated remotely, based on a modified "fast-neutron/gamma-ray hodoscope." [6] This equipment was conceptualized as a result of the TMI accident, and was formalized in a U.S. patent issued in 1987. Had this instrument system already been installed at the TMI-2 reactor, it is likely that the accident could have been averted, and implementation at Fukushima could yet assist in preventing further damage by removing uncertainty regarding the ongoing nuclear-fuel condition and water-coolant status. Such a system could collect data for years after a reactor has nominally ceased operation. The same instrumentation, if based on measurement of penetrating radiation, can also be used to map the physical arrangement of the intact and/or crumbled reactor fuel. Such information would be important in safe and methodical dismantlement, which might take up to ten years. Much of this is now cleverly being deduced from indirect instrument data and analysis.

Figure 2 – Photograph of hodoscope installation outside the TREAT reactor

The term "hodoscope" refers to a calibrated set of radiation-detecting instruments that differentiate the direction and energy of selected nuclear radiation. Fast neutrons and gamma rays are forms of penetrating radiation that originate inside nuclear reactors, whether operating at full power or closed down after a long history of operation. Residual radiation emerging from the now-inoperative reactors provides a way to measure the existing quantity and distribution of water and fuel in the reactor. Figure 1 shows cross-sectional and side views of a hodoscope that has been tested at the Transient Reactor Test (TREAT) facility at the Idaho National Laboratory. The basic premise of this device is that a neutron source and target are placed inside the reactor core; detecting apparatus is installed with the reactor’s biological shield, and the remainder of the data storage and electronic systems are placed outside the reactor shield (Figure 2). In both the United States and France, hodoscopes have been installed in a manner similar to that shown in Figure 2, and have rendered time-resolved image reconstruction of fuel and coolant that have been subjected to severe test conditions. A more recent patent is directed particularly at Fukushima, and is based on the idea of equipping the reactors with autonomous, remotely-operated sensors located inside reactor biological shields. Implementing this invention could take two manifestations: a system of mobile detectors which would be introduced through the airlock onto each reactor floor, adjacent to but external to the reactor pressure vessels, or a system of permanent detectors installed by means of narrow penetrations through the biological shields. Of course, a major limiting factor will be safe and practical access to requisite areas inside the reactor building.

The diagnostic system proposed here has a solid foundation in prior research, development, testing, and supportive calculations, but has not as yet been actually assembled and tested in a water-cooled power reactor. An evaluation program is under consideration in the Nuclear Engineering Division of Argonne National Laboratory and proposed to the U.S. Department of Energy.

Discussion and Summary

Although the worldwide nuclear industry has implemented and touted higher levels of safety, reliability, reactor improvements, and training in the operation of plants since the accidents described here, apparently little has been done to provide supplementary external instrumentation. Indeed, belatedly, and without authorizing relevant action, an official 2004 NRC Fact Sheet on the Accident at Three Mile Island acknowledged explicitly that "There was no instrument that showed the level of coolant in the core" [7]. More recently, a 2011/2012 NRC Task Force Review of Insights from the Fukushima Daiichi accident failed to make recommendations dealing with the gamma hodoscope instrumentation previously discussed in this paper [8]. In the 30-plus years since the TMI event, no operating reactors have been retrofitted with failure-resistant autonomous water-level instrumentation positioned external to the pressure vessel.

Plausible explanations for omitting bulk water monitoring are that such an objective was deemed technically too speculative, too difficult, or too intrusive to achieve. Given the vast array of monitoring devices already built into reactors, however, these should not have been overwhelming objections; also, the cost of providing such instrumentation should have been but a small fraction of the capital cost of a reactor. Somewhat incongruously, as a lesson-learned from the Fukushima accident, NRC is advocating autonomous water-level instrumentation only for spent-fuel ponds, but not for the reactors themselves.

I firmly believe that it is not too late for the disabled Fukushima reactors to benefit from post-hoc introduction of diagnostic monitoring equipment such as I have described here, nor is it too late to develop and test such proposed systems for a role in commercial power reactors throughout the world.

Damaged reactors must be gradually and safely shepherded into a condition known as "cold shutdown" before being disassembled and decommissioned. For TMI, the post-accident stage required about ten years, and substantial effort, cost, and the development of special decommissioning technologies. For the Fukushima reactors, it would be wise to anticipate and implement technical measures based on the TMI experience. The hazards of core meltdown and subsequent decommissioning might further be minimized by some selected remedial measures and precautions that could be implemented.

The title of this article was chosen deliberately to emphasize the safety of commercial nuclear power. But just as important as controlling the nuclear reaction is the necessity of safely dealing with water-transported heat. I have outlined autonomous external nuclear instrumentation that can independently measure reactor water level and fissile fuel distribution before, during, and after a reactor accident or routine shutdown. I encourage nuclear regulators and utilities to consider the adoption of autonomous water-level and fuel-concentration monitoring systems for both existing and planned reactors.


[1] Chernobyl Forum reports.
[2] World Nuclear Association report.
[3] Kemeny Commission report.
[4] Mitchell Rogovin, "Three Mile Island, A Report to the Commissioners and to the Public" (1980).
[5] HM Chief Inspector of Nuclear Installations, "Japanese earthquake and tsunami: Implications for UK nuclear industry" (September 2011).
[6] A. DeVolpi, "Applications of Cineradiography to Nuclear Reactor Safety Studies." Review of Scientific Instrumentation. 55, 1197 (1984).
[7] NRC "Backgrounder on the Three Mile Island Accident" (updated 2011).
[8] "Recommendations for Enhancing Reactor Safety in the 21st Century: NRC Task Force Review of Insights from the Fukushima Daiichi Accident" (2011/2012).

Alexander DeVolpi (Fellow, APS)
Oceanside, CA

Dr. Alexander DeVolpi’s research and development work in reactor safety grew in part from active military service in the U.S. Navy, followed by assignments as a Reservist at the Naval Research Laboratory in Washington, DC, and the Naval Radiological Defense Laboratory in San Francisco. This affiliation led to specific applications in reactor-safety research and instrumentation later developed at Argonne National Laboratory, near Chicago, Illinois, and utilized at the Idaho Nuclear Engineering Laboratory. In later years at Argonne, he moved on to applications involving arms control and treaty verification, which included technical assignments from the Defense Nuclear Agency and professional collaboration with many non-government organizations.

These contributions have not been peer-refereed. They represent solely the view(s) of the author(s) and not necessarily the view of APS.