1 Introduction

The accident at the Tokyo Electric Power Company (TEPCO)’s Fukushima Daiichi Nuclear Power Station was not a black swan, but was probably a gray swan [1]. The technical problem that led to the multi-unit accident involving core melt and fission product release to the environment was insufficient preparedness for complete Station Blackout (SBO: loss of all AC/DC power) coupled with Isolation from Heat Sink (IHS) caused by the tsunami (see Chap. 2—eds.). The tsunami resulted in flooding of the Electric Equipment Room (containing switchgears, power center, batteries, power source for Reactor Protection System) located on the underground floor of Turbine Buildings of Units 1–4, which almost completely (with exception of DC power in Unit 3) deprived AC/DC power supply capability to safety systems as well as to other components required to function for Accident Management in Beyond Design Basis Events (BDBE).

Historically, tsunami had frequently hit coastlines in Japan. With the advent of knowledge of plate tectonics and other factors, Japanese nuclear reactor operators had discussed re-evaluation of Design Basis Tsunami (DBT) for more than 10 years before March 11, 2011. Nevertheless, decision-making on counter-measures to possible high tsunami after 2002 (when revision of design basis tsunami was made) was not done in time for 3.11 (hereafter the accident is also referred to as 3.11). Furthermore, progress in preparedness in the form of Accident Management to BDBE after the Chernobyl accident and the 9.11 attack was not fully developed, especially on two points: incapability to withstand extended SBO and IHS, and insufficient capability to implement Accident Management under disabled conditions [given damage to Structure, System and Component (SSC), team, communication, etc. by external hazard]. Similar provisions as those represented by B.5.bFootnote 1 in the U.S. nuclear industry to protect plant safety under damaged conditions did not exist.

This chapter discusses why there was incompleteness in preparation to the unexpected disaster in Japan, utilizing information from reports including accident investigation committees’ reports and other studies and insights [214].

The etiology naturally goes to the question “what was behind the insufficient preparedness and decisions by those involved in the accident, namely TEPCO, the regulatory body, the nuclear community, as well as those involved in Emergency Preparedness and Response (EPR)?” This discussion leads to national factors including cultures prevailing in an organization, the nuclear community, and society as a whole. However, as researchers in safety culture argue, cultures are not good or bad by themselves but are good or bad at achieving certain outcomes.

2 Weakness in the Application of Defense-in-Depth Concept

Since defense-in-depth is the key concept for better assurance of nuclear safety by compensating for uncertainties and incompleteness in our knowledge, the review will start where there were weaknesses in the application of the defense-in-depth concept and why. For levels 1, 4, and 5 of the defense-in-depth concept, lessons learned, possible cultural attitudes, and others issues are discussed. However, the reader should note that this chapter does not touch upon technical lessons related to safety designs such as accident instrumentation, location of spent fuel pool, multi-unit installation, conflict between containment isolation, and use of heat removal system.

2.1 Level 1

Level 1 in the defense-in-depth concept is about Prevention of abnormal operation and failures.

2.1.1 Setting Design/Evaluation Basis

Guide for Licensing Review of Safety Design of LWR (de facto General Design Criteria in Japan, originally issued in 1970 and last updated in 1990 by Nuclear Safety Commission (NSC) [15]) required that, for SSC to perform safety functions, it must be designed to withstand postulated natural hazards and to maintain its safety functions under these and other loadings, such as due to an accident. Though tsunami was raised as one of the natural hazards to be considered in the note [15], unlike for earthquakes, no specific guide for how to define its design basis nor how to evaluate its impact on nuclear facilities, etc. was provided on tsunami neither by NSC nor industry until 2002.

The height of a tsunami depends on specific local characteristics such as subduction plates, faults, depth of the sea near the coast, and the shape of coastline. For instance, indented areas in Sanriku historically frequently experienced high tsunami following earthquakes [16]. Therefore, each NPS site has its own unique definition of DBT. A construction permit and a license to operate the Fukushima Daiichi NPS was given based on TEPCO’s licensing basis document (Establishment Permit) that set DBT at 3.0 m by using the highest level ever historically recorded at this site by 1960 Chile Tsunami. With the rising concern over tsunami hazard (especially after the tsunami that hit Okujiri Island, Hokkaido, in 1983 and 1993) and the advent of knowledge about plate tectonics, the nuclear industry with the help from academia started studies to re-assess DBT. This resulted in the guide [17] by the Nuclear Power Division of Japan Society of Civil Engineers (JSCE) in 2002.Footnote 2 Based on this deterministic guide, TEPCO redefined DBT as 5.7 m and modified the design of components in the seawater intake structure and control logics to secure net positive suction head of pumps required to function during and after a tsunami attack.

In hindsight, the JSCE guide had some problems: (a) Modeling of tsunami source started with historical (literature) tsunami records, rather than study of tsunami deposit sediments, which can cover records of time periods before written records existed; (b) The guide did not appropriately (other than those historically experienced) deal with fracture of multiple segments occurring within a narrow time window as they had occurred on March 11, 2011 (the EPRI report [11] also points this out); and (c) JSCE had not asked for public comment to invite alternative views.

In July 2002, the Research Committee of the Headquarters for Earthquake Research Promotion (HERP) released “Long-Term Projection” [19] of possible earthquakes along the coastline off of Sanriku to Bōsō Peninsula facing the Pacific Ocean, in which it said a large scale (M8.2) earthquake can occur anywhere along the Japan trench. This coastal stretch includes Fukushima. TEPCO had expressed concern over this projection and had communicated [3] with this Committee. Also, TEPCO started further study on possible tsunami hitting the Fukushima coast, not necessarily to change the design basis but for evaluation, including (Fig. 8.1):

Fig. 8.1
figure 1

Re-evaluation of design basis and possible maximum tsunami height

  • Refinement of tsunami model;

  • Probabilistic study (in 2006) of tsunami hazard (probability of exceeding 6 m would be less that 10−2/year in the coming 50 years and exceeding 10 m less than 10−5/year) [20];

  • Calculation (in 2008) of maximum tsunami height by hypothetically placing the epicenter of the earthquake off the Fukushima coast (15.7 m inundation height);

  • Tsunami deposit study;

  • Possible new installation of tall break water wall off the Fukushima site; and

  • Creation of an expert panel and internal Working Group.

It must be noted that:

  • The tsunami deposit studies, including that of Jogan Tsunami (AD 869) [21], did not necessarily help model construction for TEPCO, and JSCE’s guide did not encourage a deposit study nor base its model on a deposit study;

  • TEPCO regarded JSCE’s “Methodology for Probabilistic Tsunami Hazard Analyses” [22] as being in the development stage, although it provided an opportunity for considering multi-segment failure given by logic-tree analysis;

  • TEPCO also started to hypothetically place an earthquake source off the Fukushima coast where no record existed, got estimation that inundation height could be 15.7 m, and consulted with external experts;

  • The idea of installation of a tall breakwater wall was abandoned due to concern over possible increase of tsunami height hitting the neighboring municipality adjacent to the Fukushima Daiichi site. No action was successfully taken before March 11, 2011 when the site was hit by the earthquake with magnitude 9.0 and tsunami with around 14–15 m inundation height; and

  • TEPCO had regarded the results from external-event probabilistic risk analysis (PRA) as not much useful due to significant uncertainty, rather than thinking it represents the state-of-art of their knowledge, and that the Operator needs to address possible consequences of beyond design basis by considering where the “cliff edge” exists when hit by a high tsunami as described before.

Meanwhile, stimulated by the Sumatra Earthquake and Tsunami (2004) and others, the Nuclear and Industrial Safety Agency (NISA), then the regulatory body, and Japan Nuclear Energy Safety Organization (JNES), which provided NISA with technical support, jointly established in 2006 a study group on flooding. Experts in JNES recognized the risk of SBO if Fukushima Daiichi were hit by a significantly high tsunami, and their concern seems to have been shared with TEPCO, according to the Diet’s Accident Investigation Report [3].

Furthermore, the revised licensing review guide on seismic design (2006) [23] called for minimizing residual risk and mentioned tsunami as follows:

safety functions of the Facilities shall not be significantly impaired by tsunami which could be reasonably postulated to hit in a low probability in the service period of the Facilities.

NISA, in a meeting with operators, also called for attention to potentially small margins against high tsunami in the current fleet of nuclear power plants [3].

Defining design/evaluation basis of external events for its NPS sites is the responsibility of the Owner/Operator, although it may outsource necessary investigations to consulting companies. To fulfill this task, the Owner/Operator usually consults with experts and researchers, such as seismologists.

It appears that opinions of seismologists split, though not evenly, when it comes to a possible earthquake off the Fukushima coast: one camp considered that continuous slip of the Pacific plate could explain the absence of giant earthquakes in this area [24] with due attention to GPS data somewhat contradictory to the “continuous slip” theory, whereas another camp considered such earthquakes can occur anywhere along the Japan trench, such as the 2002 long-term prediction made by the Headquarters for Earthquake Research Promotion (HERP) [19], but this view was not adopted by the Central Disaster Management Council (CDMC) as a basis for Disaster Management. It also must be understood that the theory based on tsunami deposit study failed to predict the tsunami height as the one TEPCO saw on March 11. Fracture of multiple fault segments within a short time period that occurred on March 11 did not seem to be the basis for the JSCE guide in 2002 [17] or for HERP’s long-term prediction in 2002 [19]. Tsunami height off the Fukushima coast was amplified due to superposition of waves from multiple segments.

On the matter of failure of the earthquake hazard map, which resulted in around 20,000 casualties on March 11, a retrospective paper [24] describes “the presumed absence of giant a earthquake was implicitly interpreted as indicating that much of the subduction occurred aseismically,” and “the revised idea about the maximum earthquake and tsunami size were not yet fully appreciated and incorporated into the Japanese hazard map.” IAEA Safety Standards SSG-9 [25] describes: “comparison with similar structures for historical data which are available should be used in this determination” (design basis earthquake). Given the ring of subduction zone surrounding the Pacific Ocean, should Japan have assumed M9.5 (Chile, 1960), or M9.2 (Alaska, 1964), or M9.1 (Aleutian, 1957) anywhere along the Japanese trench?

Comparative subductology by Japanese and American seismologists [26, 27] suggested the magnitude of the biggest earthquake in a certain subduction zone depends on local characteristics of the subducting plate (convergence rate and the age of the plate). Given this theory, it was considered that subduction zones like Mariana or Northeast Japan were different from that of Chile, or Alaska, or Aleutian. This notion seems to have prevailed, and apparently, influenced guides by JSCE and CDMC. However, the Sumatra earthquake in 2004 (M9.2) was a big challenge to this theory, since the expected magnitude there was much smaller (M7.9) [28, 29]. Given the Sumatra earthquake, Japanese seismologists re-evaluated model, reviewed GPS data for status of asperity, and so on, until 3.11 occurred.

2.1.2 Technical Lessons

There are many lessons as to how to define design basis earthquakes in subduction zone and postulated tsunami in the design of NPS: use of data from similar structures (SSG-9), study of deposit sediments, rupture of multi-segment in an almost simultaneous manner and consequential superposition of waves. Had CDMC changed its position after the Sumatra earthquake, things might have been different and the casualty number of 20,000 might have been much less. Had TEPCO, under advice from some scientists, taken a conservative view and consideration of earthquakes in similar subduction zones, as indicated by the IAEA Safety Standard SSG-9, things might have been different. Now, based on this lesson, the Japanese regulatory body, Nuclear Regulatory Authority (NRA), has published a new tsunami guide which requires for Northeast Japan to assume M9.6 as a plate boundary earthquake with a note about giant slip and possibly released accumulated strain by the 3.11 earthquake [30].

Since there remains a certain possibility that earthquakes or tsunami greater than the design basis can occur, consideration must be given to preparedness for the unexpected by:

  • Where is the cliff edge leading to degraded core conditions?

  • What means are possible to increase the distance to cliff edge?

Had TEPCO’s study, rather than focusing on what is the new design basis tsunami or waiting for uncertainty to be reduced, addressed the location of the cliff edge that may render the NPS to be in a serious situation and how to increase the distance to the cliff edge, then the accident might not have occurred. The cliff edge to go to core melt was flooding of the Electric Equipment Room. Even an assessment of internal flooding by a rupture in low grade piping in the turbine building could have found this vulnerability, especially given the experience of flooding of a part of the turbine building in December 1991 at Fukushima Daiichi Unit 1.

The Operator is responsible for defining design basis external hazards and for preparing for the unexpected that may go beyond the design basis, and needs to discharge this responsibility by continuous re-assessment of such hazards based on updated information and listening to experts’ views including minority views. Since decision-making on external hazards is based on multi-disciplinary knowledge, implicit assumptions even in a professional society’s guide need scrutiny by experts in other disciplines and the guide must be, before making it official, subject to public review and comment.

2.1.3 Possible Cultural Attitude Issue in the Background

Basically, a possible underlying issue could be that there was not enough consideration to preparedness for unforeseen events by increasing the distance to the cliff edge, thinking “Beyond Design Basis” can really occur. When TEPCO decided to raise DBT height to 5.7 m, TEPCO had also studied what might happen if a tsunami was 10 m high. The study was relatively optimistic due to the availability of the Air-Cooled Emergency Diesel-Generator (EDG) located at a high place and to consideration of possible use of the ultimate heat sink (atmosphere) instead of seawater by containment feed and bleed operation.

Critical and reflective thinking was missing in the JSCE guide, evidenced by its insufficient study of deposit sediments and assumption of multi-segment failure. Sound decision-making on multi-disciplinary issues is not possible when experts in each disciplinary area do not critically review the work done in other disciplinary areas (called “vertical silo situation” [31, 32]) in the organization or among the professional societies. Compared with the JSCE study on tsunami, the Atomic Energy Society of Japan (AESJ) did not act to formulate a safety assessment guide by considering the possibility of higher tsunami beyond DBT.

Plant engineers could have asked civil engineers questions on these points. Civil engineers also could have listened more carefully to a wide variety of views including alternative views by soliciting public comments.

Difficulty in decision-making under uncertainty and incomplete knowledge is a common issue in the area of natural hazards. Delaying decision by expecting that uncertainty would be reduced and more information would be available unfortunately often results in fatal accidents. A huge uncertainty should not be used to justify not using insights from probabilistic hazard analysis. Construction of a logic tree could have given new insights, especially on multi-segment rupture. Since supposedly around 10 % of tsunami occur by land-sliding of the seabed such as Storegga slides [33] that presumably occurred 8,000 years ago near Norway, tsunami deposit study should have been considered for all the NPS located along the coastline at an early stage.

2.1.4 Possible Institutional Issue in the Background

Since Government officials (such as in NISA) are frequently rotated to different positions, it is difficult for them to develop expertise in specific technical areas such as tsunami. Also, regulators have no real plant experience in the absence of a nuclear Navy, unlike some other countries, and the limited number of staffers recruited from Operators due to concern over conflict of interest.

JSCE did not invite comments publicly before releasing its tsunami guide in 2002, which is not the ordinary practice in establishing consensus standards by professional societies.

2.2 Level 4

Level 4 in the defense-in-depth concept concerns control of accident beyond Design Basis.

2.2.1 Assumptions in Accident Management

In light of the Chernobyl accident, provisions and procedures for Severe Accident Management (SAM) were prepared by all the Operators in Japan, which include hardened venting for BWR containment, connection of versatile low pressure makeup systems to the reactor for reactor water makeup such as by Fire Protection System pumps driven by dedicated EDG, and flooding capability to reactor cavity in BWR. A report [34] from the “Common Issues Committee” submitted to NSC reviewed the results of PRA by Japanese Operators, global trends in SAM, and strategies that could help prevent and mitigate the consequence of severe accidents. It encouraged Operators to prepare SAM on a voluntary basis. It also called for action by NSC to establish a direction and framework for Regulator and Operators to act on SAM. In response, NSC immediately decided [35] to receive reports from Nuclear and Industrial Safety Agency (NISA, Regulator) on an individual operating plant basis on preparation of SAM as well as PRA that forms its basis. For new plants, NSC also demanded Operators to prepare SAM before fuel loading. Probably partly to avoid impact to the lawsuit to “Establishment Permit” of NPS, i.e., to argue there is no fault in licensing practices under current regulations having no rule on SAM, no change in regulatory requirements was made until 2013 when the newly established NRA, in the light of the Fukushima accident, set regulations on severe accidents (Fig. 8.2).

Fig. 8.2
figure 2

Regulatory changes after Fukushima [37]

There seems to be a prevailing misunderstanding that Operators did not implement hardened venting for BWR as was requested by U.S. Nuclear Regulatory Commission (NRC) in the Generic Letter 89–16 [36], but as the above description clarifies, this is not true. The report from the “Common Issues Committee” elaborated on specific SAM strategies. There was no mention about the capability of SAM under damaged conditions by external hazards. The report discussed differences between filtered venting and hardened venting in BWR, and found no significant differences since over-temperature failure in the drywell would dominate, by referring to Peach Bottom PRA. Since filtered venting does not address the risks from over-temperature failure in the drywell, the report emphasized the importance of cooling inside containment as well as suppression of Molten Core Concrete Interaction (MCCI).

In the Fukushima Daiichi NPS accident, Operator’s action for prevention of core damage, as shown on Fig. 8.3, was supposed to enable long-term cooling, after the short-term automatic response by AC-independent makeup capability by the use of steam produced by decay heat. The Reactor Core Isolation Cooling System (RCIC) and the High Pressure Core Injection System (HPCI) functioned for 2 or 3 days to sustain core cooling. In order to enable the above transition, Operator tried [4] to depressurize the Reactor Coolant Pressure Boundary (RCPB) to send water from the low-pressure makeup system to the reactor core. Operator tried to resume power necessary for instrumentation, venting, RCPB depressurization, and water makeup by collecting mobile power units or batteries from automobiles. Due to lack of drills emulation of real accident conditions, it was found only at the time of the accident that the connection from mobile power units to the plant electric system did not match. DC power from automobile batteries enabled occasional reading of plant parameters. However, there was not enough power (air and electricity) to operate safety relief valves to depressurize RCPB or containment vent valves.

Fig. 8.3
figure 3

Accident progression in Fukushima-Daiichi Units 2 and 3 [39]

Emergency Operating Procedure (EOP) nor SAM did not assume:

  • Complete loss of both AC and DC power (SBO) for an extended time period and simultaneous IHS (although this assumption was not unique to Japan), nor

  • Damages given by external hazards to Structure/System/Component (SSC), offsite power, communications system, workforce at NPS, nor

  • Hydrogen explosion outside of the containment vessel, although redundant recombiners were installed in the containment to cope with design basis accident (unlike statement in a report [13]). Possibility of hydrogen accumulation and explosion outside of the containment was studied in a Finnish paper [38], but it is not clear what action was taken to counter.

Especially, flooding by tsunami of Electric Equipment Room located on the underground floor of Turbine Building and IHS (by damage to sea-water intake structure) by tsunami occurring simultaneously were beyond consideration in preparing for the unexpected. SBO and Isolation from Heat Sink by tsunami meant common cause failure at levels 3 and 4 of defense-in-depth.

The experience of the 2007 Chuetsu-Oki earthquake [40] at Kashiwazaki-Kariwa NPS prompted TEPCO to install fire engines, underground water tanks, and an onsite Emergency Response Facility (ERF) with seismic isolation design. Although seismic-resistant ERF helped greatly for management of accidents, modifications to the plant in order to increase SAM capability against external hazards were not sufficient against tsunami.

One reason why such damages by external hazards were not a part of the consideration when establishing SAM, was that Operator’s priority in the 1990s in preparation for SAM was on enabling plant capability without losing time, while leaving issues of external events, such as realistic capability of those provisions at the time of earthquake [2], to a later stage. Operator waited for reduction of uncertainties associated with seismic risk assessment. However, later, attention to upgrading accident management capability to withstand external events faded in the aftermath of the following:

  • Falsification of inspection records of components such as shroud and piping in the 1990s at TEPCO [41] had surfaced in August 2002,Footnote 3, Footnote 4 and

  • Move to amend the seismic design regulatory guide, such as upgrading the magnitude of near-field earthquake. TEPCO focused on the need for seismic upgrading of underground safety-class piping and the concrete structure containing them in Fukushima-Daiichi NPS, which could be necessitated by regulatory change [23].

It may be worth to note that the fact that SAM provisions did not meet the high level of requirements globally was discussed in the IAEA international expert meeting held in March 2012 on Reactor and Spent Fuel as one of the issues surrounding present day EOP and SAM.

The Fukushima accident raised concerns over the nexus between safety and security [42], since terrorists could have learned from the accident how to cause nuclear accidents, i.e., attacking offsite power, Ultimate Heat Sink (intake structure), and so on. After the 9.11 attack, U.S. NRC placed a requirement to Licensees in the U.S. to install provisions and procedures to maintain safety functions under a postulated attack, commonly called B.5.b [43, 44]. Although Japanese regulatory body (then NISA belonging to Ministry of Economy, Trade and Industry) had received information verbally in a meeting with U.S. NRC on this topic [45], no warning or information were given to Japanese Operators. After 9.11, the nuclear industry and Operators’ efforts were focused on hardware; proving that missiles would not penetrate inside of the containment cause by terrorist attack or by the use of airplanes or missiles, rather than trying to find strategies for maintaining safety function under damaged conditions.

The report [3] by the Diet’s Investigation Committee raised the opinion that damage caused by the earthquake played an important role in the progress of the accident, which is more or less in conflict with the estimated scenario in Fig. 8.3. Though it is not easy to raise evidence to show that this hypothesis is wrong, TEPCO has this view that:

  • Transient recorder shows functioning of safety systems as intended without trace of damage given to those systems or to RCPB,

  • Given the magnitude of the earthquake almost equivalent to Design Basis (though time of continuation of shake is considerably longer in the 3.11 case) and seismic resistance capability as shown in Chuetsu-Oki Earthquake in 2007 to Kashiwazaki-Kariwa NPS where acceleration exceeded design basis considerably, it is estimated there was no significant damage by the Great East Japan Earthquake,

  • Walk-down to Fukushima Daiichi Unit 5 on the same site and with BWR/4 generation design (similar to Units 2, 3, and 4) revealed no damage attributable to the earthquake.

The report [46] by the Atomic Energy Society of Japan (AESJ) on the Fukushima accident is also of the opinion that no damage was caused by the earthquake itself, and even if it existed, it had not led to core melt.

During the course of the accident, there had been cases of misunderstanding of the plant status, such as availability of the Isolation Condenser (IC) of Unit 1. This affected prioritization of actions and use of resources in the early stage of the accident [10]. This represents an issue of knowledge about design information by Operator.

This is also linked with the issue of not trying to benefit from independent check or oversight of strategies and actions.Footnote 5 Unlike the U.S. or France, Japanese Operators had not institutionalized a system to deploy a shift safety engineer or shift technical advisor, who provides independent assessment on plant safety. This seems to represent a significant problem associated with group thinking among Japanese. A few days into the accident, TEPCO had organized a group of experts consisting of retirees to provide advice [6], but how the reports from this group were utilized is not clear.

2.2.2 Technical Lessons

Simply said, there was lack of preparedness for the unexpected in the context of:

  • Robustness of accident management, especially against SBO and HIS occurring simultaneously was lacking,

  • Independence of each layer of defense-in-depth was jeopardized by external hazards, since provisions for both level 3 and level 4 failed due to a common cause (tsunami),

  • EOP and SAM provisions and procedures did not assume damages given by external hazards, and

  • B.5.b-like function was not considered after 9.11 in Japan and information on B.5.b. did not reach Japanese Operators.

2.2.3 Possible Cultural Attitude Issue in the Background

Given that NPSs in Japan are located in areas prone to natural hazards, careful attention had to be given to damage by external hazards to SAM provisions. Waiting for uncertainties of seismic risk analysis to be reduced was not the right attitude to take. One could have questioned why Operators were not assuming damages caused by external events in SAM provisions at the beginning of SAM deployment. Operators wanted to make use of all available onsite resources of SAM without losing time, irrespective of their seismic and quality grades. Operators had set aside this grade issue for later consideration.

Group thinking and the trait of not raising concerns could have been in the background.

There is a possibility that complacency also played a certain role. Lack of “reality drills” by emulating realistic accident scenarios and lack of concern over what was prepared in the U.S. after 9.11 may suggest assumptions in the mind of Operators that accidents cannot happen here. Issues of similar assumptions and not enough sensitivity to information (in this case B.5.b) could apply to Regulator as well.

To enable knowledge-based actions by Operator in beyond design basis conditions, the Operator is expected to possess design basis knowledge. To what detail will be a matter of discussion. However, generally speaking, Operators are, as an intelligent user, expected to be knowledgeable of design—including why the system is designed in such a way. With the life extension of Generation II nuclear power plants of more than 40 years in many countries, in other words, as plant life is exceeding the life span of engineers’ employment, component products, and even the company, chances are rising for Design Basis information to be scattered among operators, plant designers, and component manufacturers that may include those other than original suppliers. In this situation, Operator is expected to function as the Design Authority [47] for plant life after the plant has started operation. The culture of becoming the Design Authority and an intelligent user/customer did not seem to be strong among Operators. Given the situation that, when a nuclear accident occurs, liability is channeled solely to the Operator whatever the design, the Operator needs to be thoroughly knowledgeable about the design of the plant it uses.

There was a possibility that concern over lawsuits (against the Government for licensing of NPS as well as against the Operator for incurring undue risk to the plaintiff by potential nuclear accident) and opposition to nuclear power intimidated Government officials and Operator to engage in continuous improvement to address risks including that of severe accidents. This also hindered open communication to discuss issues such as severe accidents and containment venting, even though the action of venting is justified to take a small risk to avoid a bigger risk. The situation is just like the “prisoner’s dilemma” where both prisoners failed to achieve a common goal due to distrust of each other. Likewise, the society and Operator failed to achieve the common goal of nuclear safety by distrusting each other.

However, we should not forget to look at the positive side. The professional attitude, dedication, and spirit of self-sacrifice shown by staffers working at the Fukushima Daiichi NPS [4, 9] to alleviate core damage and health risks to the public are really impressive.

2.2.4 Possible Institutional and Societal Issues in the Background

Since Government officials (such as in NISA) are rotated to different positions frequently, it is difficult for them to develop expertise in specific technical areas such as SAM, Severe Accident, or B.5.b. Recruitment of professionals knowledgeable about plant design and operation to the Regulator needs careful consideration, to avoid conflict of interest.

A mechanism of independent check or oversight of strategies and actions was not institutionalized in Japan’s operating organization. There was no system of shift safety engineer or shift technical advisor. The problem of group thinking was not well-recognized.

2.3 Level 5

Level 5 in the defense-in-depth concept concerns Offsite Emergency Response.

2.3.1 Identified Problems During the Course of Accident

Although overall offsite actions (Emergency Response) helped reduce health risks associated with radiation, many problems have been identified and mentioned in detail, especially in Diet’s Investigation Committee’s report [3]. The problems include:

  • Loss of offsite center’s function (coordination of offsite action) due to damage by earthquake to communication line and habitability under radiation environment,

  • Confusion and lack of necessary actions due primarily to lack of knowledge and drills,

  • Confusion in the line of command including Prime Minister, Government, and TEPCO.

A different perspective [48] has been presented that, since evacuation significantly degrades quality of life of evacuees and even may lead to physical and mental health problems, the necessity of extended evacuation could be better evaluated (not necessarily at the time of accident but before anything happens) objectively by not singling out risk of radiation but by using multi-criteria decision analysis such as J-value technique developed from a life-quality index.

There is also an argument by some experts that reduction of acute and chronic effects of radiation are not well balanced, and that evacuation was unnecessary beyond 3 km from the NPS to reduce health risk [49]. On the contrary, it increased health risk by forcing evacuees into a stressful life and reportedly even brought about death to more than 60 patients in hospitals. According to the UNSCEAR report on the Fukushima Accident [50] “No discernible increased incidence of radiation-related health effects are expected among exposed members of the public or their descendants. The most important health effect is on mental and social well-being.”

Recognizing but setting these discussions aside, this Sect. 8.2.3 of the chapter focuses on practical problems that surfaced during the course of the accident in the area of the fifth layer of defense-in-depth.

A report on implementation of the Emergency Plan from the association of municipalities having NPPs [51] provides valuable details of how the Emergency Plan was implemented (or not implemented), what information source local residents depended on in deciding to evacuate, etc.

A Japanese Health Physics Society’s (JHPS) report [52] covers comprehensively, based on information including accident investigation reports [2, 3], the issues in Emergency Plan and post-accident health physics issues, including monitoring and ingestion control, computerized projection system, evacuation, radiation protection standards, exposure to the public and its assessment, exposure to the workers and its assessment, and risk communication. It is appropriate to list some of the identified problems raised by JHPS to help consider what causes were behind the issues. Monitoring and Ingestion Control
  • 23 of 24 radiation monitoring posts were rendered unusable due to tsunami (physically lost) and loss of transmission line;

  • Mobile survey systems faced difficulties (road, fuel, transmittal of data, etc.);

  • Aerial survey was not available (not planned and needed modification of helicopter), while U.S. Department of Energy (DOE)’s “drone” survey started 6 days after the accident;

  • Problems of contaminated beef were caused by feeding contaminated rice straw (Government alerted only cattle farmers and not suppliers of rice straw); and

  • Management system for monitoring and ingestion control was not fully pre-planned (procedures and devices). Computerized Projection System
  • Computerized tool was not available or not used, while Emergency Preparedness and Response (EPR) depended on computerized tool (ERSS/SPEEDI) developed by the Government;

  • Emergency Response Support System (ERSS) was based on Safety Parameter Display System (SPDS) data coming from the plant but they were not available due to loss of DC power in the plants;

  • SPEEDI (Dose Prediction System) was usable by assuming unit release due to loss of ERSS, but calculated results were not released from the Government (Cabinet Office staffers) to the public to help their evacuation;

  • Calculation using SPEEDI was sent to the prefectural government of Fukushima after March 12. However, the staffers in the local government did not consider the use of this calculation in EPR. Consequently, out of 86 emails including SPEEDI calculation results they had received, 65 were deleted without sharing even within the organization;

  • Simulation of radioactivity diffusion in the ocean was not planned, consequently not available; and

  • Even though measurement was done for seawater by taking samples, nothing was done to check the level of radioactivity deposit on the seabed, whereas this deposit led to contaminated fish (flounder, sole, and other fishes according to food chain). Evacuation
  • Offsite center did not function for coordination of offsite activities including evacuation due to loss of communication and insufficient design for radiation protection;

  • Local municipality and residents decided on evacuation based on different sources [3, 51] (Prime Minister’s Office, municipality, commercial media);

  • Area of evacuation was changed many times as the accident evolved, which forced some evacuees to change place of settlement more than six times (for residents in townships of Namie and Futaba located north, more than 70 % of residents had relocated more than four times) [3];

  • Due to lack of information from SPEEDI to local authorities or residents, evacuees headed northwest where the plume was spreading (leeward) on the morning of March 15, when release of radioactivity was largest;

  • Questions had already been raised before the accident from experts on the use of atmospheric diffusion of released radioactivity and subsequent dose prediction system in emergency response. The argument is that basically the basis of precautionary offsite action should be on plant condition rather than measured or predicted dose. The fact is that codes are not technically mature enough (ERSS cannot predict well timing and magnitude of containment failure. SPDS does not necessarily cover all the parameters that describe the plant condition leading to core damage. SPEEDI cannot predict well diffusion under condition of precipitation.)Footnote 6;

  • There was no drill before the accident assuming that information from ERSS or SPEEDI is unavailable;

  • There was no clear pre-plan for the evacuation path and where to settle;

  • Residents experienced difficulty living in sheltering zone due to stoppage of incoming food;

  • Evacuees considered this to be temporary evacuation, and did not imagine it would end up becoming de facto relocation;

  • Evacuation of hospitalized patients was difficult and ended up in more than 60 deaths. Hospitals were supposed to establish evacuation plan on their own (according to the plan by the local government), but it was revealed they had not; and

  • JHPS report raised the role of local government as one of the key points to be scrutinized in light of the Fukushima case where lack of its capability faced with combined disaster of earthquake, tsunami, and nuclear accident became evident. Radiation Protection Standards
  • There was confusion about taking iodine tablets. Recommendation from NSC was handled by the recipient local governments inappropriately, and local governments did not release orders, while certain municipalities instructed, on their own decision, the taking of iodine tablets.

  • There were some cases of denial by hospital staffers to see contaminated evacuees; and

  • Standards have been changed by facing reality such as

    • Screening level (for decontamination of residents),

    • Exposure to school for pupils to play (from 20 to 1 mSv/year), and

    • Allowable level of radioactivity in foods. Risk Communication
  • Government frequently used the phrase “no immediate threat,” which was ambiguous. Recipients of this message may think “there is no risk” or may think “not immediate effect but, in the long run, there will be a health effect”;

  • There had been cases of delay of disclosure (intended or not) of information or release of unclear messages from the Government and TEPCO, which fueled distrust from the public;

  • According to opinion polls, 70 % of the public distrust information from the Government;

  • Disparity in the level of knowledge between experts and lay people was occasionally completely neglected in communication;

  • Delay of notice to neighboring countries on release of slightly contaminated water (3,000 m3) to the ocean, though intended to avoid larger risk of spill-over of heavily contaminated water, invited distrust from them;

  • Need for mental health care and for education on risk of low level radiation were raised after the accident; and

  • The role played by the Social Media System (SMS) was highlighted in the Fukushima accident. There were cases of disguised authoritative information sources, which led the public authority to use authentication. TEPCO delayed starting the use of Twitter and heavily used PDF files in release of information, which frustrated the public. Generally speaking, neither the Government nor TEPCO had enough SMS-savvy staffers.

2.3.2 Technical Lessons

The following issues need revisiting and changes:

  • Delineation of responsibility,

  • Command line, coordination,

  • Design and function of “offsite center,”

  • Offsite emergency plan (zoning, drills, and others), and

  • Mental health care of evacuees.

In particular, training of staff members to understand what obtained information or data mean, especially, preparedness for accidents by frequent drills, using realistic scenario and education/training, would improve capability. Amendment of relevant laws by addressing the issue of delineation of responsibility and to increase national capability in emergency response is needed.

Evacuation forces evacuees significant degradation of their quality of life and may lead to physical and mental health problems. Prior careful thinking of the value of evacuation such as by the use of J-value as a tool could have assisted minimization of overall risk associated with the nuclear accident.

2.3.3 Possible Cultural Attitude Issue in the Background

The fact that serious “reality drills” and education/training were not in place indicates that those involved were not seriously thinking “an accident can happen here.”

2.3.4 Possible Institutional and Societal Issues in the Background

Operators’ tendency to assure to local residents that no such accident could happen here to avoid uneasiness with NPS deprived residents of an opportunity for realistic drills involving them.

There is no such organization like U.S. Federal Emergency Management Agency (FEMA) or Nuclear Emergency Planning Delivery Committee (NEPDC), which coordinates activities across different agencies in the Government for concerted actions. The Cabinet’s Crisis Management team in the Japanese Government did not function in confronting the nuclear accident. In an environment where ministries and agencies did not communicate with each other very well, coordinated action was difficult.

Education and training of staffers in local and central governments involved in Emergency Response could have enabled them to understand what actions to take and what is the significance of information they had received from experts or Operator.

Although a group of experts was functioning to provide advice to the Cabinet Office and meetings had been held on a daily basis with participation of politicians [6], it is not clear to what extent the recommendations from this group (such as on the use of SPEEDI information) was used in decision-making. There is a similarity with the case of TEPCO in the handling of information from senior advisory groups mentioned relevant to the 4th layer of defense-in-depth.

3 Nuclear Safety Regulation

Characteristics of Japanese nuclear safety regulation were found in three points: two-agency system (not necessarily very unique), hardware focus, and frequent shuffling of staff members. Although there may be a criticism that the regulatory body NISA belonged to the Ministry of Economy, Trade and Industry (METI) and consequently lacked independence, NISA claimed it has “functional independence.” What is important is not the formality of independence but if safety-first decisions can be made without outside intervention. There seems to be no clear evidence to support failure of functional independence.

3.1 Two-Agency System

Japan’s nuclear safety regulation historically developed in two sectors of the Government, namely Science and Technology Agency (STA, currently part of Ministry of Education, Culture, Sports, Science and Technology, MEXT) and Ministry of International Trade and Industry (MITI, predecessor of METI). STA used to be primarily for radiation safety and licensing of nuclear facilities, whereas MITI was for inspection of operating power reactors. As the number of operating units increased, licensing and regulation for power reactors were taken over by METI. Nevertheless, there were multiple regulatory reviews under the name of “double check” performed by the Nuclear Safety Commission (NSC, part of the Cabinet Office separated from STA when STA was merged with MEXT) and by METI. Regulatory requirements were primarily formulated by STA, and later by NSC, whereas practical regulation using such requirements was carried out by NISA belonging to METI. This complexity had been criticized in IAEA’s Integrated Regulatory Review Service (IRRS) mission report [54], but this scheme had continued until June 2012 when the regulatory structure was changed in light of the Fukushima accident (Fig. 8.4). An NPO report on the Fukushima accident criticized this state of “lack of governance of nuclear regulation” by the two-agency system as irresponsible [6].

Fig. 8.4
figure 4

Change of regulatory structure before and after the Fukushima Daiichi accident

3.2 Hardware Focus

A culture is observed in Japan in engineering and manufacturing to place heavy emphasis on hardware—component quality and reliability, which itself is presumably a source of strength for Japanese industry, while being weak in system thinking. By benefitting from Professor E. Hollnagel’s insight [55], key lessons from a major nuclear accident can be summarized as follows:

  • Pre-Three-Mile Island (TMI) accident era: Accidents are primarily attributed to failure of components, hence component reliability was deemed important;

  • TMI: Highlighted human factor;

  • Chernobyl: Highlighted organizational safety culture and SAM; and

  • Fukushima: Highlighted Resilience and social license to operate [56].

It seems that the Japanese paradigm for nuclear safety had still primarily rested in the pre-TMI era. Three examples can be raised:

  • Tendency to focus on component reliability and inspections (and inspection records) to assure this reliability, while not paying much attention to soft aspects (risk governance, culture, human factor), and systems thinking was traditional. The Japanese code for design and inspection of mechanical components are mostly equivalent to the ASME Boiler and Pressure Vessel code in the U.S. However, unlike the ASME code (professional society’s code), this Japanese code became part of a regulation (Ministerial ordinance #501), requiring Government examination of compliance to code requirements by review of stress analysis calculations. This focus on component reliability had also been subject of discussion as a part of inappropriate regulatory emphasis and practices in Japan together with other issues of Establishment Permit (PSAR/FSAR) and Operational Technical Specification.

  • After the 9.11 attack in the U.S., the Japanese nuclear community’s effort was focused on proving containment would remain intact after an airplane attack, setting aside the issue of maintaining safety functions assuming the plant may potentially receive significant damages. Consequently B.5.b-like strategy was remote from their thought.

  • In developing coping strategy against high tsunami, TEPCO was considering construction of a tall break water wall, while not trying to find where the cliff edge is and how to increase the distance to the cliff edge when hit by beyond design basis tsunami.

3.3 Frequent Shuffling

Although this is not unique to the regulatory body, the Japanese government as a whole had a practice of frequent (once in 2–3 years or even shorter intervals) staff shuffling, partly to cultivate wider views and partly to avoid collusion with the regulated bodies. However, this is not necessarily an appropriate practice for nuclear regulation, which requires highly professional competence (knowledge and experience).

4 Differences in Plant Responses Among 17 Nuclear Power Plants

There are 17 nuclear power plants (Fig. 8.5) affected by the 3.11 Earthquake and tsunami. Why did only three units in Fukushima Daiichi NPS cause core melt? The gap (Table 8.1) between tsunami (Design Basis, inundation height on March 11) and Ground Level (GL) is one of the key parameters, but that does not explain everything.

Fig. 8.5
figure 5

Nuclear power plants affected by 3.11 earthquake and tsunami

Table 8.1 Tsunami height and Ground Level [57]

Three factors need to be considered to explain the different responses: Gap in elevation (tsunami and GL), Availability of power, and SAM. Figure 8.6 shows that the location of the Electric Equipment Room (EER) was a critical factor that led Units 1–3 of Fukushima Daiichi to core melts. Within Fukushima Daiichi NPS, three air-cooled Emergency Diesel Generators functioned as designed, one of which served electricity to Unit 5 (then to Unit 6 by EOP) saving Units 5 and 6, whereas two air-cooled Emergency Diesel Generators serving electricity to Units 1–4 functioned but power was not distributed to equipment due to flooding of EER.

Fig. 8.6
figure 6

Factors affecting plant response. Red failure was fatal, yellow failure was not critical, green success

5 Cultural Attitude Issues

5.1 General Observation

For those who may have been watching Japanese nuclear energy from the outside and saw a series of incidents and accidents, such as sodium leakage in Monju (1995), JCO criticality accident (1999), falsification issues (surfaced in 2002, but bad practices were found to be existent since 1990s), they may have wondered if something might go wrong recently, felt governance by the Japanese nuclear community was weak, and thought some belt-tightening efforts may be necessary. To answer if there are underlying commonalities with the Fukushima accident, we must await extensive research based on fact-finding study; hence it is not discussed here.

Weakness of defense (in the context of defense-in-depth) may arise from inappropriate decisions and insufficient information available to decision-makers as well as uncertainties. Naturally, organizational culture, group culture (of the nuclear community), priority of management, and even national culture influence such decisions and decision-making processes. This section discusses such cultural and cultural attitude aspects that could have been relevant to the Fukushima accident. Four points are important to note before discussing this topic:

  • National culture is a part of national factors influencing culture for safety.

  • Cultures are not good or bad in themselves, but are good or bad at achieving certain outcomes [58]; in this particular case outcome is “achieving safety.”

  • It is not an appropriate learning attitude to regard the Fukushima accident as a very unique accident that occurred only under a unique natural environment (earthquake and tsunami) and a unique culture.

  • A warning was given in the “overview” section of the Kemeny report [59]: “We have stated that fundamental changes must occur in organizations, procedures, and, above all, in the attitudes of people. No amount of technical ‘fixes’ will cure this underlying problem.” This message should not be forgotten. Even though technical fixes are well established, the bottom line lies in human factors in successful prevention and mitigation of an accident. The holistic safety approach takes the position that human/cultural, organizational, and technological aspects contribute to safety.

5.2 Related Studies

In autumn 2011, GoNERI (Initiative for Nuclear Education and Research by Global Center of Excellence) at the University of Tokyo commenced the study “Why the nuclear community in Japan failed to prevent this accident.” A series of interviews was conducted by GoNERI members of 24 well-recognized nuclear experts from Universities, Regulatory body, Atomic Energy Commission, Operators, Industry, Research institutes, Institute under the umbrella of Operators, and NPO critics. The results were reported [42] at an international conference, according to which discussion focused on three points:

  1. (1)

    Why was the nuclear community not well prepared for the unexpected natural hazard?

Answers were:

  • The nuclear community in Japan focused on internal events in PRA and tsunami was outside its radar scope

  • Generally, no question was raised to U.S. original designs (GE/EBASCO design placing electric equipment room in the underground floor of Turbine Building for Fukushima Daiichi Units 1 and 2)

  • There was lack of communication and mutual understanding between natural science and engineering on uncertainty and margin in designs to cope with these hazards

  1. (2)

    Why prevention/mitigation against beyond Design Basis was not enough?

Answers were:

  • Operators’ culture for safety had degraded over time; they had shown signs of complacency, lack of sensitivity to safety-related information from outside of Japan, delayed action to alert, and over-confidence in nuclear safety

  • Lack of tension between Regulatory body and Operators

  • Operators’ staffers are generally too busy in caring for day-by-day problems

  • Society takes risk-related actions and modifications as evidence of unsafe plants (“prisoner’s dilemma”), which delayed or prevented safety-related modifications for improvements

  • Failure of safety regulation

  • “Problems of culture were more or less recognized even before 3.11”

  1. (3)

    (Since a number of interviewees mentioned cultural issues which were already recognized, a further question was asked) If you recognized serious problems beforehand, what did you do?

Some answered that actions such as below were taken in this context but were not enough to prevent the disaster:

  • Creation of Japan Nuclear Technology Institute (JANTI) emulating U.S. INPO.

  • In light of the 2007 Kashiwazaki-Kariwa earthquake, TEPCO constructed seismic isolation ERC, underground water storage tanks, deployed fire engines.

  • “Change culture” project (called “Renaissance Project” in TEPCO) in light of the falsification problem, Corrective Action Program (CAP) [9, 60] by learning from INPO, and by “Safety alert” reports, etc.

  • Local Information Committee was created at TEPCO’s Kashiwazaki-Kariwa site by learning from the French good practice of sharing information with local residents.

Others answered generally no significant actions (by themselves or by members in the nuclear community) were taken because:

  • Operator is King, allowing no criticism from outside

  • No question was asked about the nuclear energy program implemented by Operators under the National Policy

  • “Loose lips sink ships”

  • Members in nuclear community are too busy to care

It must be recognized, however, these views were necessarily offered without their own detailed analysis of causal relationship with the Fukushima accident.

Another example is a paper [61] in INSS (Institute of Nuclear Safety System) Journal, which overviewed the organizational issues that may have been factors leading to the Fukushima accident or were observed during the course of the Fukushima accident, based on accident investigation reports. It claims it found problems in the context of the framework proposed for organizational excellence as follows:

  • Consideration of residual risks

  • Production culture

  • Lack of preparedness to low probability unexpected scenarios such as earthquakes and tsunami

  • Safety culture

  • Higher priority on cost and impact litigation against operating fleet, less on nuclear safety

  • Not enough disclosure and sharing of information

  • Insufficient training of individual competence for emergency actions including severe accident situations

  • Insufficient planning for emergency actions

  • Insufficient use of lessons learned from past incidents

The study also noted that three areas have an outstanding number of identified problems: deficiency of safety infrastructure, lack of open discussion and information sharing, and limited communication with stakeholders.

5.3 Link with National Culture

National culture is only one of the factors influencing the culture for nuclear safety. Others include but are not limited to: historically cultivated organizational culture, professional culture (component focus, weak systems thinking, Operators’ heavy outsourcing), institutional aspect of national nuclear system (Operator as a local giant stockholder-owned monopoly, Nuclear Energy program endorsed and strongly backed by Government and implemented by Operators), interface with regulatory body, interface with society as a whole (“prisoner’s dilemma”) and local municipality (Government subsidies to local infrastructure building), relationship with academia (especially seismology when it comes to the Fukushima accident), etc. All of these are worth further study. However, influence of national culture in particular is picked up here, since understanding of this aspect may benefit newcomers when launching a nuclear power program.

5.3.1 Collectivism, Group Thinking, Insufficient Critical/Reflective Thinking and Questioning Attitude, not Raising Concerns

There has been a general tendency in which the Japanese are not trained in critical thinking. No such training and debates have been a part of Japanese traditional education, which placed emphasis on transfer of knowledge and learning by heart, rather than teaching how to think. INPO report also points out TEPCO could have benefitted from additional questioning and challenging of assumptions [9].

“Harmonization is our core value,” says the Article 1 of Japan’s oldest Constitution promulgated in year 604. People’s attitude tends to be one of not speaking out. In the area of nuclear safety culture, Japanese definition of traits of safety culture often drops “raising concerns.” Also, according to Prof. Hofstede’s international comparison [62], collectivism seems to be one of the salient features of Japanese culture.Footnote 7

5.3.2 Lack of Big-Picture Thinking, Losing Sight of Substance by Being Distracted by Formality and Details

Unlike the argument by Nisbett [63], it seems that very often Japanese tend to be distracted by formality and details and forget the big picture. Rather than viewing something as an integral part of the whole issue, single-criteria (as against multi-criteria) analysis and decision-making are observed. The following is a case involving nuclear regulation in 2000s.

In the aftermath of the falsification scandal involving many Operator companies, Operators’ staffers consumed a significant amount of time in assuring consistency and accuracy of the documents, partly by regulatory requirement. This blurred the focus on the significance of safety. Even after the Fukushima accident, insufficient dialogue between Regulator and Operator was often argued. This may be a case of distraction by the formality of independence and losing the basics of “what independence is for.” Independence is for assuring safety-first decision-making and collection of information not only from the Operator but also others through dialogue, which serves well for informed decision-making.

5.3.3 Hardware Culture and Technology-Focus

This trait in the nuclear community is not necessarily unique but present in many fields of Japanese industry. Excessive hardware-focus, technology-focus, and overconfidence in component reliability may result in lack of preparedness in case technology fails. No analysis of causal relationship is available, but the observation is that these traits (hardware-focus, technology-focus and lack of preparedness for technology failure) co-existed.

5.3.4 Positive Aspects

However, positive aspects were observed during the Fukushima accident, namely the dedication and professionalism of TEPCO’s site staffers. INPO special report [64] on the nuclear accident, November 2011 cites: “… Some workers lost their homes and families to the earthquake and tsunami, yet continued to work. Many workers slept at the station… usually on the floor.” TEPCO’s investigation report [4] Appendix touches on heroic acts by operators sacrificing themselves. Generally speaking, a utilities employee has the mentality of dedication to work for the betterment of society. Other virtues of Japanese culture include compassion, politeness, and diligence.Footnote 8

5.4 Future Directions

Possible cultural attitude issues have been discussed [65, 66], which may have existed behind the weakness of each layer of defense-in-depth. Discussions below are on the areas where transformation of cultural attitudes would be required for Japan to achieve nuclear safety:

  • Change in priority of risk management by management of utility companies.

  • Avoid complacency prevailing among those working in nuclear energy.

  • Avoidance of “prisoner’s dilemma” situation prevented continuous safety improvement.

  • Avoid parochialism in decision-making; encourage multi-disciplinary and critical review.

  • Enhance professionalism.

  • Encourage questioning attitude, critical/reflective thinking.

  • Recognize the value of independent checks to avoid falling into the pit of group thinking.

  • Recognize the importance of being an intelligent user including being Design Authority.

  • Need to learn global good practices. Need to learn from precursors, incidents, and accidents (The JCO accident in 1999 [68, 69], for instance, illustrates an example of production culture, lack of knowledge of design on the part of workers, complacency.).

    Further, improvements can be made in the application of defense in depth by;

  • Assuring independence of each layer of defense in depth to avoid common cause failure.

  • Setting Design Extension Condition to cover severe conditions not covered by design basis so that significant release is practically eliminated by strengthening containment function.

  • Scrutiny of the quality of defense in depth by use of objective tree (IAEA Safety Report Series 46 Annex).

  • Critical review and regulatory requirement.

6 Conclusions

The Fukushima accident was a gray swan in the context that such an accident was very low in probability but can happen, rather than can never happen (black swan). Can this gray swan be found only in Japan?

Probably not, if the nuclear utility industry is not well prepared and if problems exist in safety culture because: (a) insufficient preparedness of nuclear power plants, particularly to extended SBO coupled with Isolation from Heat Sink and to possible damages to SAM provisions, is more or less common, and (b) even though an attack by a giant earthquake and tsunami might be rare in other countries, other natural disasters beyond design basis may trigger similar accidents.

This disaster of some 20,000 casualties by the tsunami and subsequent nuclear accident in Japan, one of the most industrialized countries, may have been a surprise to many in the world. Germany, in its Ethics Commission’s report [70] that led to the phase = out of nuclear power in Germany immediately after the Fukushima accident, noted a change in the perception of the risk of nuclear accidents because it had “occurred in a high-tech country like Japan” and “this has caused people to lose faith that such an event could not happen in Germany.”

Why was such an industrialized country not well prepared? Most probably, whether a country is industrialized or not does not matter, since human and organizational factors, as discussed above, played a critical role. Presented here are five simplified plausible reasons:

  • Complacency and consequential poor training for emergency situations, especially evident when we see confusion in implementing EPR (level 5 defense-in-depth), but, in general, there seems to have been the prevailing notion of “accident will not happen here,” and “nothing much to learn from outside of Japan”.

  • Delayed decision-making to prepare for unexpected.

  • Over-confidence in technology: focus on component reliability and technology is probably linked to the optimistic attitude of not assuming failure of components or technological measures, such as the case of SBO or SPEEDI.

  • Lack of critical/reflective thinking, insufficient listening to alternative or even opposing views, and group thinking.

  • Insufficient continuous improvements, partly due to “prisoner’s dilemma” situation with society.

The root cause could be said to lie in history, since this cultural attitude was developed during the course of development and utilization of nuclear power for more than half a century. Investigation of organizational causes (not only TEPCO, but including Industry, Government, and local government as well) would need historical insight as was done in the CAIB report [71]. Also needing to be taken into account are national factors influencing the culture for safety.