I participated in the post-Fukushima Daiichi nuclear disaster stress tests in Luxembourg in 2012, during a time when the industry was trying to demonstrate that it had learned the necessary lessons. What has stayed with me and continues to trouble me is how comfortably the very designs that failed would have passed those tests.
Fukushima Daiichi Nuclear Power Plant Unit 1 had an isolation condenser—passive, independent, and on paper, exactly the kind of system one would want to see under severe conditions. Yet, it was the first system to fail. The issue was not with the thermodynamics but rather with the logic embedded in the valves. These valves were designed to fail safe, meaning they closed automatically upon loss of power or control signal. In a conventional disturbance, this design protects the system. However, in this case, it eliminated the only remaining heat sink. The condenser was located outside the containment structure, and one of its key valves had been closed early to prevent rapid cooling of the reactor pressure vessel. Once DC power was lost, that valve could not be reopened. A system that exists is not the same as a system that remains operable.
In Units 2 and 3 of the Fukushima Daiichi Nuclear Power Plant, the reactor core isolation cooling systems initially functioned as intended, injecting water into the core without external power. However, there was no acceptable way to remove heat from the containment. Without filtered venting, opening the vent would have released large amounts of radioactivity, so the vent line valves stayed closed. While the system could cool the core, it could not vent the energy safely.
Ultimately, the issue came down to the valves—not just as mechanical components, but as tangible representations of decisions. These valves defaulted to a position that was locally safe but globally disabling. They required power to reverse their state and were positioned outside the very boundary they were meant to support.
There is a deeper contradiction underlying this situation. The goals of injecting water into the reactor and containing radioactivity become opposing objectives under severe conditions. At Fukushima, the latter objective prevailed for as long as possible—until it became unsustainable.
What unsettled me then, and still does, is that our assessment frameworks seemed satisfied with systems that appeared robust and independent in isolation, yet they did not fully consider how these systems behave when those objectives conflict.
The stress tests were intended to expose weaknesses. In some respects, they risked validating designs that had already demonstrated where the true weaknesses lie: not in the absence of systems, but in how these systems are allowed to fail in concert.
***
The discussion surrounding the Fukushima Daiichi nuclear disaster is often oversimplified.
Specifically, it is stated that the loss of AC power caused the three meltdowns. However, the reactors were designed to withstand such an event, and for a time, they actually did.
This has several consequences:
The shutdown functionality would work.
Decay heat is manageable.
Steam-driven systems like the Reactor Core Isolation Cooling (RCIC) and the Isolation Condenser (IC) can remove heat effectively.
However, the loss of AC power also eliminated the ultimate heat sink, leading to several critical issues: seawater systems became unavailable, heat exchangers could no longer dissipate heat, and the RCIC could not operate long-term without a heat sink.
Additionally, direct current (DC) power was lost as the batteries were disabled by flooding. This resulted in the loss of control and instrumentation systems, which defaulted to a fail-safe isolation state.
This had significant consequences. The isolation condenser relied on controlled valve operation, which could not be sustained without DC power, leading to the loss of Unit 1. Furthermore, alternative injection paths, such as fire water, could not be established, resulting in the loss of Units 2 and 3. And, to add insult to injury, since the venting of Unit 3 wasn’t performed as had been assumed, hydrogen found its way into Unit 4, causing its loss as well.
At this point, the plant’s operational state changed fundamentally from being able to “remove heat” to being in a condition where it “could not maintain a heat removal path.”
Therefore, while the loss of AC power created challenges, it was ultimately the automation system’s fail-safe operation that led to the three meltdowns.
In my opinion, the main lesson from Fukushima is that there must always be an injection route available, regardless of the automation controls in place.
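One way to make the argument of this section checkable is a small cut-set analysis: model each heat-removal or injection path by the supports it depends on, then search for the smallest set of lost supports that leaves no path operable. The code below is an added illustration, not part of the original essay; the dependency sets are a deliberately simplified assumption (fail-safe valves make every automated path depend on DC, and seawater pumps depend on AC), not plant data.

```python
from itertools import combinations

# Constructed, simplified model (an assumption for illustration, not plant data).
# Each path lists the supports it needs to stay operable. Because fail-safe valves
# close on loss of control power and cannot be reopened, DC is a dependency of
# every automated path in this model, even the "passive" isolation condenser.
SUPPORTS = ("ac", "dc", "seawater")
DERIVED = {"seawater": {"ac"}}   # seawater pumps need AC: losing AC loses the heat sink

AS_BUILT = {
    "isolation_condenser": {"dc"},        # passive, but its valves need DC to stay open
    "rcic": {"dc", "seawater"},           # steam-driven injection; long-term heat sink needs seawater
    "fire_water_injection": {"dc"},       # lineup goes through automated (fail-safe) valves here
}

# Same design plus one injection route that depends on no power or automation.
WITH_MANUAL_ROUTE = dict(AS_BUILT, manual_injection=set())

def propagate(lost):
    """Expand a set of lost supports with everything that depends on them."""
    lost = set(lost)
    changed = True
    while changed:
        changed = False
        for support, needs in DERIVED.items():
            if support not in lost and needs & lost:
                lost.add(support)
                changed = True
    return lost

def surviving_paths(design, lost):
    """Paths whose required supports are all still present after the loss."""
    lost = propagate(lost)
    return sorted(name for name, needs in design.items() if not (needs & lost))

def minimal_cut_sets(design, supports=SUPPORTS):
    """Smallest support sets whose loss leaves no operable path (fault-tree cut sets)."""
    cuts = []
    for k in range(1, len(supports) + 1):
        for combo in combinations(supports, k):
            candidate = set(combo)
            if any(cut <= candidate for cut in cuts):
                continue                       # superset of an already minimal cut
            if not surviving_paths(design, candidate):
                cuts.append(candidate)
    return [sorted(cut) for cut in cuts]

def single_points_of_failure(design, supports=SUPPORTS):
    """Supports whose loss alone removes every heat-removal or injection path."""
    return [cut[0] for cut in minimal_cut_sets(design, supports) if len(cut) == 1]
```

In the as-built model, losing AC still leaves two paths, but losing DC alone is a single cut set; adding one route with no automation dependency removes every cut set, which is the essay's "always an injection route" lesson expressed as a check.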
***
At the Fukushima Daiichi Nuclear Power Plant, three units were in operation when the accident began. Within days, four reactor buildings were effectively lost.
That number is not a paradox. It is a system failure.
Units 1–3 suffered core damage, but Unit 4—defueled at the time—was also devastated by a hydrogen explosion. The hydrogen did not originate there. It migrated. It found pathways the design had never seriously anticipated, moving through shared ventilation and service spaces, accumulating where no one expected it to matter. Once ignited, it turned a non-operating unit into a casualty of the others.
This is what happens when containment is treated as a boundary on paper rather than a pressure system that must be actively and reliably managed.
During the accident, containment pressure rose as designed—but there was no dependable way to relieve it under the conditions that actually occurred.
Venting existed, but it depended on valves, power, instrumentation, and above all, the willingness to release radioactive material. In practice, it became a last resort that was delayed, improvised, and in some cases effectively unavailable. The design assumed that, when needed, containment pressure would be reduced in a controlled way.
It was assumed the pressure would be relieved.
When it wasn’t, the system found its own path.
With pressure rising and venting constrained, gases sought other paths. Hydrogen did not respect containment boundaries once those boundaries were functionally compromised. It moved through ducting, leakage paths, and shared systems—into spaces never designed to handle it. The plant did not lose four units because four independent failures occurred. It lost them because the units were not independent in the ways that mattered.
Controlled containment pressure management is not an auxiliary feature. It is the difference between keeping a severe accident inside a defined volume and allowing it to spread across a site.
If venting is required, it must work under the worst conditions, not the most convenient ones. It must be operable without AC power, without intact instrumentation, and without hesitation. And it must be filtered, so that the act of protecting containment does not become politically or operationally impossible.
At Fukushima, the system for managing containment pressure existed—but only within a narrow envelope of assumptions. Outside that envelope, it did not fail cleanly. It dissolved into improvised decisions and unintended connections.
And the plant paid for that, one building at a time.
***
During the Fukushima Daiichi nuclear disaster, a colleague stood in front of a TV camera and said:
“A reactor can’t explode.”
Behind him, Unit 1’s reactor building exploded.
He was technically right. And completely unconvincing.
In engineering terms, a “reactor” is the core and its pressure boundary. What failed at Fukushima was something else: hydrogen formed in the accident migrated out of containment, mixed with air, and detonated in the reactor building.
No prompt critical excursion.
No nuclear explosion.
The core did not explode.
But the building did. Violently. On live television.
And that is what people saw.
The problem is not physics. It is language.
To the public, “reactor” means the whole visible plant. If that structure blows apart, saying “the reactor did not explode” sounds insane.
Trying to correct it afterward — “it was hydrogen, outside containment” — only widens the gap. It shifts the conversation from what happened to whether you are being honest.
In safety, we often talk about systems failing. At Fukushima, communication did too.