Chapter 4

Resilience Engineering for Safety of Nuclear Power Plant with Accountability

Masaharu Kitamura

Various accident investigations have been conducted to identify the causes of the Fukushima nuclear accident and to propose countermeasures to prevent future severe accidents. This chapter describes an attempt to review the investigations from the perspective of Resilience Engineering. Most investigations are based on a fundamental approach of listing up adverse events experienced during an accident to find out the causes of each adverse event, and to propose countermeasures to eliminate the identified causes. An implicit belief underlying the fundamental approach is that safety can be achieved by eliminating the causes that contributed to the accident. As a natural consequence, the causal descriptions and proposed recommendations are large in number and complicated in structure. It would obviously be desirable if the proposed recommendations were better organized and simplified. The present study took an alternate approach where safety of a system is believed to be achievable by properly maintaining the four essential capabilities proposed in Resilience Engineering: responding, monitoring, anticipating and learning. Also, efforts have been made to find so-called “second stories” (Woods and Cook, 2002) latently existing behind the multiple causal relationships described in the investigation reports.

Introduction

Description of Problem

The nuclear accident which occurred on March 11, 2011, at the Fukushima-Daiichi Nuclear Power Station (NPS) of Tokyo Electric Power Company (TEPCO) was truly an unprecedented disaster. As of July 2013, about 160,000 residents in Fukushima Prefecture have still not been able to return to their hometowns. Citizens’ concern about the nuclear accident remains high two years after the accident. Most of the NPSs in Japan have been shut down without any clear timetable for restarting operations. Japanese nuclear experts are obliged to clarify the factors that contributed to the disaster. They are also obliged to propose dependable countermeasures to prevent the recurrence of another disaster. Through these activities, they have to recover public trust in the nuclear industry. Although these are extremely difficult tasks, they should be done irrespective of future nuclear policy in Japan. Without recovering public trust, no nuclear policy, including nuclear phase-out, will ever function properly.

Various accident investigation reports have been published. A large number of statements and opinions concerning causes of the accident have been put forth and recommendations have been proposed to eliminate the causal factors and thus to improve the safety of NPSs in the future. However, the causal analyses are in an interim state, as are the recommendations. The usefulness and sufficiency of the recommendations to prevent future large-scale disasters have not yet been confirmed. Further efforts are necessary to obtain more systematic and accountable recommendations that can be understood by citizens. This chapter summarizes an attempt to meet this need by applying the methodology of Resilience Engineering (Hollnagel, Woods and Leveson, 2006; Hollnagel et al., 2011) and the concept of Safety-II (Hollnagel, 2012, 2013). First, official accident reports are reviewed to identify the key factors that contributed to the accident and its negative after-effects. Then, an additional in-depth review is carried out to obtain a structured description of the causal relationships and to identify so-called second stories describing more fundamental factors that eventually contributed to the Fukushima disaster.

Target of Study

Subsequent to the disaster, several accident analysis committees were organized in Japan. The Investigation Committee on the Accident at Fukushima Nuclear Power Stations of TEPCO (also called the Hatamura Committee), and The Fukushima Nuclear Accident Independent Investigation Commission organized by The National Diet of Japan (also called the Kurokawa Commission) were the most influential committees since they were established by the Japanese government and the National Diet of Japan, respectively. Another committee named the Independent Investigation Commission on the Fukushima Daiichi Nuclear Accident (also called the Kitazawa Commission) was established by an organization named Rebuild Japan Initiative Foundation (RJIF). After highly intensive investigations, all these groups have published reports, which are herein called the Hatamura report (Hatamura, 2012), the Kurokawa report (Kurokawa, 2012) and the Kitazawa report (Kitazawa, 2012), respectively. The present study is based on in-depth analysis and examination of these three reports. The report issued by The American Nuclear Society Special Committee on Fukushima (Klein and Corradini, 2012) is also reviewed in this study for purposes of comparison.

Focus of Study

These reports cover a large number of factors which contributed to the extremely severe accident. Though the contents differ to some extent, they all contain strong criticism of TEPCO, the regulatory bodies such as the Nuclear and Industrial Safety Agency (NISA) and the Nuclear Safety Commission (NSC), the Cabinet of Japan, and the Japanese nuclear community. The focus of this chapter is placed on the major causes of the accident commonly identified and on the recommendations derived from the identified causes. In addition to the key findings and recommendations described in the reports, narrative statements referred to in the reports as testimonies by witnesses and interviewees are carefully reviewed. This approach is adopted because the narrative statements are sometimes more informative, since they are less modified by the subjective views of the interviewers.

Overview of Investigation Reports

Findings and Recommendations

The investigation by various bodies was undertaken by focusing on the activities of involved individuals and organizations during the accident, but then the focus was naturally extended to activities prior to the accident. The time span of the retrospective investigation was extended to include historical efforts concerning seismic Probabilistic Safety Assessment (PSA) and severe accident management in the early 1990s. Some remarks on lessons learned from the accident at the Three Mile Island (TMI) nuclear plant, which occurred in 1979, were also made. As typical examples of major findings, the ones given in the Hatamura report (Hatamura, 2012) are compiled from the author’s viewpoint and presented in Table 4.1.

Issues 1 through 4 essentially imply that a number of improvements must be made in order to enhance defense-in-depth capabilities of the NPSs. The defense-in-depth capability implies that the NPS is not only able to prevent occurrence of anomalies and accidents, but also able to mitigate consequences of an accident if it happens in spite of the preventive measures. The capability also implies that proper plans must be prepared in advance for effective evacuation of residents if it becomes necessary in spite of the mitigation efforts. Issues 5, 6 and 7 are related to crisis management, including crisis communication. These issues are also important constituents of defense-in-depth capability. Issue 8 indicates the need for rebuilding safety culture, and issue 9 implies the need for further investigation. Recommendations in the Hatamura report to address the issues presented in Table 4.1 are given in Table 4.2.

Table 4.1    Major issues mentioned in the Hatamura Committee report

Issue No. | Headings | Key statements
1 | Building of fundamental and effective disaster preventive measures | Quite a number of problems exist …. These problems should be reviewed and resolved … In doing so, concerned organizations should sincerely take into consideration the recommendations the Investigation Committee has made and they should do so with accountability to society for its process and results.
2 | Lack of viewpoint of complex disasters | Risks of a large-scale complex disaster should be sufficiently considered in emergency preparedness.
3 | Change needed in an attitude to face risks | It is necessary to humbly face the reality of natural threats, diastrophism and other natural disasters …
4 | Importance of “deficiency analysis from the disaster victims’ standpoint” | If nuclear operators and regulatory bodies overestimate the safety of “system core domain” … safety measures will fail. Safety measures in the “system support domain” and “regional safety domain” need to be able to function independently in the case of an emergency.
5 | The issue of “beyond assumptions” and lack of the sense of crisis at the administrative bodies and TEPCO | Scientific knowledge of earthquakes is not yet sufficient. The latest research results should be continually incorporated in emergency preparedness.
6 | Issues of the government crisis management system | The crisis management system for a nuclear emergency should be urgently reformed.
7 | Issues of the provision of information and risk communication | It is necessary to build mutual trust between the public and the government and to provide relevant information in an emergency while avoiding societal confusion and mistrust.
8 | Importance of a safety culture vital to the lives of the public | In view of the reality that safety culture was not necessarily established in our country, the Investigation Committee would strongly require rebuilding of safety culture …
9 | Necessity of continual investigation of the whole picture of accident causes and damage | Items that were not subjected to investigation and verification by the Investigation Committee remain of great importance to the victims.

Table 4.2    Recommendations mentioned in the Hatamura report

Rec No. | Headings | Target issue
1 | Recommendations for a basic stance for safety measures and emergency preparedness | Emergency preparedness in light of complex disasters; Changing an attitude to face risks; Incorporating the latest knowledge in the emergency preparedness.
2 | Recommendations for safety measures regarding nuclear power generation | Necessity of comprehensive risk analysis; Severe accident management.
3 | Recommendations for nuclear emergency response systems | Reforming the crisis management system for a nuclear emergency; Nuclear emergency response headquarters.
4 | Recommendation for damage prevention and mitigation | Provision of information and risk communication; Improvement of radiation monitoring operations and SPEEDI system; Evacuation procedures of residents; Intake of stable iodine tablets; Improvement of medical care institutions; Public understanding of radiation effects.
5 | Recommendations for harmonization with international practices | International practices such as IAEA safety standards.
6 | Recommendation for relevant organizations | Reforming nuclear safety regulatory body and TEPCO; Rebuilding a safety culture.
7 | Recommendations for continued investigation of accident causes and damages | Continued investigation of accident causes; Extended investigation of the whole picture of accident damage.

Recommendations 1 and 2 are relevant to the activities prior to the accident with emphasis on emergency preparedness, and recommendations 3 and 4 are relevant to the activities during the accident such as crisis management and communication. Recommendations 5 and 6 are more fundamental issues related to basic safety culture and international harmonization. Recommendation 7 reflects the recognition of the Investigation Committee that the investigation is still in its interim stage.

Needs for In-depth Analysis

The findings and recommendations given in the report contain quite broad viewpoints adopted by the Investigation Committee. These recommendations seem to be valid in general. The same is true for other reports such as the Kurokawa report and Kitazawa report. However, several drawbacks concerning the findings and recommendations can be identified as detailed below:

•  The findings and recommendations must be structurally organized and simplified: The findings and recommendations have been derived via examination of a wide variety of difficulties experienced during the accident in diverse spatial domains and time periods. In other words, the recommendations seem to reflect a linear model of causality corresponding to each difficulty experienced along with the progression of the accident. As a natural outcome of this approach, the contents of Table 4.1 and Table 4.2 are quite complicated. The itemized list of recommendations in Table 4.2 is actually even more complicated because each of the recommendations implies multiple requirements. According to the widely acknowledged concept of Occam’s razor (Rissanen, 1978), also known as law of parsimony (Akaike, 1974), out of multiple competing theories or explanations, the simplest one is to be preferred. This principle is also expressed as “Entities are not to be multiplied beyond necessity.” Further efforts must be made to find more organized and integrated representations of the causal relationships. In this regard, an attempt must be made to compile and express the complicated outcomes of the investigation in a simpler fashion.

•  Second stories must be clarified: The messages in the reports seem to be reasonable as far as “first stories” (Woods and Cook, 2002) are concerned. For example, in Table 4.1, under the heading of “Lack of viewpoint of complex disasters”, it is stated that “Risks of a large-scale complex disaster should be sufficiently considered in emergency preparedness.” Also, in Table 4.1, under the heading of “Issues of the provision of information and risk communication”, it is stated that “It is necessary to build mutual trust between the public and the government and to provide relevant information in an emergency while avoiding societal confusion and mistrust.” It is obvious that these statements are reasonable. However, the question of why the responsible organizations such as TEPCO and NISA failed to meet such necessary conditions prior to the accident is not explicitly dealt with. More efforts must be made to pursue second stories (Woods and Cook, 2002) beneath the surface to discover other contributors and/or causes. Otherwise, the recommendations can have only limited effectiveness.

•  Accountability for “safety” must be pursued: Whatever countermeasures are implemented, it is obviously necessary that the implication of attained “safety” be accountable, as emphasized in issue 1 of Table 4.1. In other words, the consequence of implementation of countermeasures must be transparently explained and the implication of resultant “safety” must be clarified. Otherwise, the resultant improvement in safety will be unacceptable to the public.

An attempt to meet the above-mentioned requirements has been conducted in light of Resilience Engineering. Observations derived from the attempt are described in the next section.

Restructuring the Findings and Recommendations

The activities of people involved in the Fukushima accident have been reviewed in terms of the four essential capabilities that together define resilience: responding, monitoring, anticipating and learning (Hollnagel, Woods and Leveson, 2006; Hollnagel, Woods, Paries and Wreathall, 2011). This approach has been adopted with the expectation that the diverse activities conducted during the accident can be structured in a simpler manner.

Analysis of Situation Prior to the Accident

As is widely known, the ability to learn was unacceptably poor in TEPCO, NISA, and NSC. The issue of severe accident management had been discussed and studied in Western countries and a number of documents had been published. It is highly likely that Japanese utilities had various opportunities to examine and learn from these documents. In addition to learning from such documents, the Japanese nuclear community could have learned from actual accidents and incidents. On December 27, 1999, an unexpectedly strong storm flooded the Blayais Nuclear Power Station in France, resulting in water damage to pumps and containment safety systems. Also, on December 26, 2004, the Sumatra tsunami struck the Madras Nuclear Power Plant in India, resulting in an emergency shutdown due to tsunami-induced damage to a seawater pump. The Japanese nuclear energy organizations could have obtained informative lessons from these events.

In conjunction with the poor ability to learn, the ability to anticipate was also poor. Since the nuclear energy organizations were preoccupied by a mindset that an extremely large earthquake and tsunami were highly unlikely to happen, they made practically no effort to anticipate and prepare for these external events and resultant severe accidents. This mindset is clearly evidenced by repeated neglect of warnings raised by various actors.

It is now clear that NISA had received several warnings from researchers in relevant academic areas concerning the possibility of a gigantic tsunami in Fukushima and adjacent prefectures. Another warning concerning a possible tsunami had been raised by Diet member H. Yoshii in a budget committee meeting of the Diet. He had also addressed the possible loss of external AC electricity and station blackout. These warnings by H. Yoshii were issued in 2006. As with the TMI accident, the Fukushima accident could have been avoided, or considerably mitigated, if these warnings had been properly taken into consideration. Needless to say, the lack of ability to learn and anticipate is in contrast to the requirement of “a constant sense of unease” mentioned as an important necessary condition for establishing a resilient system (Hollnagel, 2006b).

Analysis of Situations During the Accident

Since the abilities to learn and anticipate were poor, the ability to respond to the tsunami and subsequent severe accident was terribly deficient. Most of the resources needed for utilization during the accident were unavailable. TEPCO people collected 12V batteries from cars and buses and used them to activate the instrumentation systems for measuring important plant parameters such as reactor pressure and water level. But the number of available batteries was far fewer than needed. In addition, the majority of response actions were carried out in the “scrambled” (Hollnagel, 1993) mode. One typical example is the ignored response to the order issued by the Director of Fukushima-Daiichi NPS to prepare for using fire engines to inject cooling water in the reactor. Though the verbal order was recognized by personnel in the emergency response center, nobody actually responded to the order since no division had been assigned in advance to conduct such an unusual way of accident management.

The ability to monitor was also deficient. As with the weakness of the ability to respond, the monitoring activities were conducted in the “scrambled” mode. One of the worst failures in monitoring resulted from the invalid belief that the isolation condenser (IC) was functioning in the unit 1 reactor. Since nobody foresaw the possibility of IC malfunctioning, which was caused by an unintended closure of valves in the piping connecting the pressure vessel to the IC, the unit 1 reactor was left uncooled, resulting in a hydrogen explosion. If somebody in TEPCO had considered the possibility of IC malfunctioning and tried to monitor the status of the IC and other reactor cooling systems, the situation could have been significantly improved.

Another example of serious failure in monitoring was the weak attention to the condition of the unit 2 reactor. More attention had been paid to prevention of a hydrogen explosion in the unit 3 reactor because of the incorrect assumption that the situation of unit 2 was less dangerous. In reality, that was not true. When the pressure and water temperature inside the suppression chamber were measured by tentatively using batteries, the measured values indicated that the condition of unit 2 was becoming dangerous. If monitoring of the plant condition had been carried out several hours earlier, the situation could have been much improved. It should be noted that the majority of radioactive material released from the Fukushima-Daiichi NPS was not caused by the hydrogen explosions of unit 1 and unit 3, but rather by the break of pressure boundary of unit 2.

Based on the above-mentioned analysis, it can be concluded that the accident is attributable to deficiencies in each of the four essential capabilities. The large number of findings and recommendations in the investigation reports can be restructured in a more organized manner corresponding to the four capabilities. Also, it is obvious that the most glaring deficiency in the four capabilities is the poor learning, which inevitably led to the poor preparedness for severe accidents. It is possible to argue further and criticize the organizational and managerial flaws in TEPCO, NISA, and other related organizations. The criticisms are valid per se, and thus the flaws must be remedied. However, it should be stressed that the accident could have been prevented or at least significantly mitigated if the learning-based preparedness had been in a better condition.

Second Stories

The restructured version of findings and recommendations given in the preceding section provides us with a clearer view of the accident causes and contributors. However, the improved view is still dependent on first stories. Deeper interpretations based on other fact-finding efforts are certainly needed.

First, the question of why responsible organizations such as TEPCO and NISA failed to meet such necessary conditions prior to the accident must be resolved. In Table 4.1, issue 4 states as follows: “If nuclear operators and regulatory bodies overestimate the safety of ‘system core domain’ … safety measures will fail.”

The Hatamura report also stated that the organizations’ ignorance and/or neglect of the possibility of a tsunami had been caused by lack of imagination and complacency within the organizations. But this interpretation seems to be superficial. A deeper interpretation can be derived from a description provided in another investigation report (Kitazawa, 2012):

Multiple members of TEPCO management board stated, “I doubted that safety measures of TEPCO NPSs were sufficient. But I was reluctant to express my concern since I felt my opinion was minor in the board.”

This description clearly indicates that a minority of the board members had concerns about a tsunami and severe accident management but stayed silent because of a lack of confidence in communicating their concerns about the safety of the NPS.

A similar issue is related to the fear of lawsuits. The Kurokawa report criticized TEPCO and NISA for having been reluctant to improve their preparedness against severe accidents because of a fear of lawsuits. This interpretation is again superficial. The risk of lawsuits has in fact been high. To prepare for lawsuits is of course quite demanding for utilities and NISA. Most utilities operating NPSs have experienced anti-nuclear lawsuits, and several lawsuits are still ongoing. It is likely that the accusers would strongly claim the safety measures currently implemented at the NPSs have proved to be insufficient if the accused utility decided to implement additional measures in preparation for severe accidents. Though such a claim is not valid from the viewpoint of defense-in-depth principle, it is often convincing to jurists and the concerned public. This dilemma also originates from the difficulty in communicating the safety of NPSs.

Another issue is the risk of long-term shutdown magnified by the shared regulatory authority. The comments of Nobuaki Terasaka, the director of NISA at the time of the Fukushima accident, and Atsuyuki Suzuki, who served as the Chairman of NSC from 2006 to 2010, both quoted in the Hatamura report, stressed the difficulty of explaining the need for measures for severe accident management to local government and the public. This issue is also mentioned in the ANS Committee Report (Klein and Corradini, 2012) as follows:

One of the key lessons learned after the TMI-2 accident was to reform and strengthen the independence and technical competence of the NRC (Nuclear Regulatory Commission). Many other nations followed. However, Japan did not change its regulatory governance because to do so would centralize too much authority in its central government, which would upset the shared authority arrangement with the prefectural government.

Because of the shared authority arrangement, TEPCO, and other utilities as well as NISA, always need to make considerable effort to obtain the agreement of the prefectural government to restart operations after every scheduled and unscheduled shutdown. Their reluctance to implement additional measures for severe accident management should be interpreted in this context also. In short, all the second stories described in this section are attributable to the difficulty in communicating the safety of NPSs in conjunction with the defense-in-depth principle.

It should be noted that a considerable portion of nuclear risk is socially constructed (Kitamura, 2009). As described above, the difficulty in communicating safety based on the defense-in-depth principle to top-management people in a company, to juries and the public, and to local authorities eventually led to the lack of preparedness for tsunamis and severe accidents. The messages from the investigation reports would have been more convincing and prescriptive (that is, resolution-oriented) if this aspect had been articulated more explicitly.

Accountability, Safety-I, Safety-II, and Resilience Engineering

It is definitely necessary to resolve the difficulty experienced in the communication of nuclear safety. Through more than ten years of experience in public communication concerning nuclear technology (Yagi, Takahashi and Kitamura, 2006), the author believes that the fundamental difficulty lies in the confused recognition of nuclear safety, and of safety in general. The people in nuclear organizations have some understanding of the concept of defense-in-depth, but they are not sufficiently knowledgeable to provide a convincing response to the accusation from anti-nuclear activists that any attempt to implement add-on measures for severe accident management is clear evidence that the current state of the NPS is not absolutely safe.

The author believes that the first necessary step to resolve the difficulty is to provide and share the idea of Safety-II (Hollnagel, 2012, 2013). The traditional definition of safety is termed Safety-I, where the purpose of managing safety is to attain and maintain a state where the number of adverse events is controlled to be as low as reasonably achievable. Safety-I practices presume that the target system and its operating environment can be completely understood and specified. Safety-I also assumes that safety can be achieved by exhaustively eliminating the causes of adverse events. As a result, a state of safety is assumed to be achievable by compliance with rules and procedures. In this context, explaining the need for additional measures for severe accident management is logically difficult. Similarly, denying the accusations of anti-nuclear activists is also difficult.

On the contrary, an alternate concept of safety, that is, Safety-II, is defined as a state where “things go right.” Safety-II also assumes that the target system and its environment are subject to uncertainty and unforeseen disturbances. Within the framework of Safety-II, the expected performance of the target system is not just to maintain a static condition, but also to override a large disturbance. Furthermore, when the disturbance is so large that the system performance is significantly degraded, the system is expected to recover from the degraded state as smoothly as possible. Safety-II logically includes Safety-I since something that goes right cannot go wrong at the same time.

It should now be clear that Safety-II is consistent with the concept of defense-in-depth, where what is pursued is not Safety-I but Safety-II. It should also be clear that the four main capabilities, the preparedness of resources and the constant sense of unease introduced in the framework of Resilience Engineering are excellent as practical guidelines to materialize the concept of defense-in-depth. The introduction of the concept of Safety-II, renewed understanding of the concept of defense-in-depth, and the methodology of Resilience Engineering for materialization of Safety-II together would enable nuclear experts to acquire communication capability to explain the reality of nuclear safety with accountability to society and concerned citizens.

Conclusion

The reports issued by the official investigation committees have been reviewed in this chapter. It should be clear that in their reports, these committees have issued recommendations for eliminating the causes of the adverse events experienced during the accident. The basic methodology behind the investigation is to find a linear model of causality that corresponds to each of the adverse events, and to propose countermeasures to nullify the causal relationship. This methodology is also regarded as a scenario-driven, descriptive approach since the adverse events and the related models of causality are identified along with the scenario of the actual accident. The present review has been conducted from a different viewpoint, namely, that lessons for enhancement of nuclear safety can be identified by looking at the accident from a “what-if” perspective. This is equivalent to conducting a thought experiment where the crucial functions proposed by Resilience Engineering are applied to critical time points prior to the accident. Although this approach might be regarded as just a hypothetical exercise, the results are sufficiently informative to provide us with useful guidelines for significant enhancement of nuclear safety in the future. Among the four main functions, proactive and continuous application of learning and anticipating, in particular, will be beneficial to avoid the recurrence of severe nuclear accidents. The observations obtained through the present attempt clearly demonstrate the high potential of Resilience Engineering in providing a systematic way toward safety improvements with accountability to society.

The additional potential of Resilience Engineering as a methodology for resolving conflicts between technology and society should be acknowledged, because public participation in technical conflict resolution is becoming a standard procedure in modern society, because a considerable portion of the risk of a large-scale socio-technical system is regarded as socially constructed (Kitamura, 2009), and because technological activities must be conducted with accountability to the public.

Commentary

The more serious an accident is, the more urgent is the need to explain what has happened, usually by pointing to some clearly recognizable causes. While the several investigation committees that have looked at the Fukushima Daiichi disaster were no exception to the rule, this chapter tries to go beyond the multiple first stories by applying the principles of Resilience Engineering, and by looking at what happened from a safety perspective. Large scale socio-technical systems cannot be made safer by addressing specific causes one by one and by filling identified gaps with even more technology. Large-scale socio-technical systems are socially constructed and their ability to succeed cannot be strengthened unless the methods that are used can account for that.
