3. “Defense in depth” is crucial – but sometimes not as deep as expected
This is clearly an example of the huge importance of taking redundant safety systems seriously, and of considering carefully the full scope of events that could occur. Given the huge magnitude of the quake, I think it is impressive that all the affected reactors initially managed to shut down automatically as planned and begin emergency cooling operations. None of the reactors, for example, suffered damage that prevented the insertion of the control rods. When Fukushima-1 lost power, the backup diesel generators started up as planned. But they were then knocked out an hour later, apparently by the tsunami.
The reactors suffered, in effect, a one-two punch that hadn’t really been expected. Clearly, given that an earthquake might well cause a tsunami, the diesel generators should have been designed in a way that would not be affected by tsunami waves. This very likely points to a broader issue: people have not adequately thought through the possibility of multiple traumas caused by the same initiating event (e.g., a tornado that both causes a blackout and hurls a large object into the diesel generator; one could imagine many such coupled events).
This reinforces the view that whenever someone says there is less than a one-in-a-million chance of a complex system failing, there is more than a one-in-a-million chance they have made unjustified assumptions in their estimate.
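The independence assumption behind such estimates, as an added example that is not part of the original article: a constructed event tree in which the same quake that removes offsite power can also send the tsunami that disables the diesels, beside a generic beta-factor model of two redundant trains. Every parameter (`BackupPowerModel`, `beta`, all probabilities) is a constructed illustration, not Fukushima data.

```python
"""Redundant-system failure estimates with and without a shared initiating event.

Added example, not from the original article: all numbers are constructed
for illustration and are not Fukushima data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupPowerModel:
    """Constructed event-tree parameters for 'quake -> grid loss -> diesels'."""
    p_grid_loss: float             # P(offsite power lost | quake)
    p_diesel_indep: float          # P(diesels fail for reasons unrelated to the quake)
    p_tsunami: float               # P(tsunami | quake)
    p_diesel_given_tsunami: float  # P(diesels fail | tsunami reaches the site)


def blackout_assuming_independence(m: BackupPowerModel) -> float:
    """What an analyst gets if diesel failure is treated as unrelated to the quake."""
    return m.p_grid_loss * m.p_diesel_indep


def blackout_with_common_cause(m: BackupPowerModel) -> float:
    """Same system, but the quake can also send a tsunami that disables the diesels.

    The diesels survive only if they neither fail on their own nor are hit by a
    damaging tsunami; both misfortunes stem from the same initiating quake.
    Setting p_diesel_given_tsunami to 0 (tsunami-proof siting) recovers the
    independent estimate, which is the mitigation the article argues for.
    """
    p_tsunami_knockout = m.p_tsunami * m.p_diesel_given_tsunami
    p_diesel_survive = (1.0 - m.p_diesel_indep) * (1.0 - p_tsunami_knockout)
    return m.p_grid_loss * (1.0 - p_diesel_survive)


def beta_factor_two_train(p_train: float, beta: float) -> float:
    """Generic beta-factor common-cause model for two redundant trains.

    A fraction `beta` of each train's failures is assumed to come from a cause
    that fails both trains at once; the remainder fail independently.
    beta = 0 gives the textbook p_train ** 2 'one in a million' figure.
    """
    p_cc = beta * p_train
    p_ind = (1.0 - beta) * p_train
    return p_cc + (1.0 - p_cc) * p_ind ** 2


if __name__ == "__main__":
    m = BackupPowerModel(0.9, 0.01, 0.3, 0.8)
    naive, coupled = blackout_assuming_independence(m), blackout_with_common_cause(m)
    print(f"independent: {naive:.4f}  coupled: {coupled:.4f}  ratio: {coupled / naive:.1f}x")
    print(f"beta=0: {beta_factor_two_train(1e-3, 0.0):.2e}  "
          f"beta=0.05: {beta_factor_two_train(1e-3, 0.05):.2e}")
```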