Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Many problems were posed in the accident happened at Fukushima Dai-ichi nuclear power station, including recognizing the situation in the plant, information sharing in/out of the power station, decision making, emergency response, education and training on daily basis, instrumentation/control facilities and work environment of the plant, etc. A voluntaly group in the division of Human-Machine System of Atomic Society of Japan reviewed the problems suggested in various reports from the viewpoint of human factors (HF: human factors to ensure safety).

By referring the documents, reports and data published, the following 6 items that are important from the viewpoint of HF are reviewed:

  1. (1)

    assessment of the plant’s conditions by operators at Units 1 and 2, and a review on accident response from the viewpoint of CRM (Crew Resource Management) (until the hydrogen explosion of Unit 1 occurred);

  2. (2)

    actions taken by the power station staff (recognition of operating status of the isolation condenser (IC), alternative water injection into Unit 3);

  3. (3)

    challenges in terms of education and training;

  4. (4)

    problems and actions to address the problems in the field of communication and information sharing;

  5. (5)

    emergency response ability of the organization; and

  6. (6)

    factors that inhibited from responding smoothly to the accident and plausible solutions on how to improve from the aspects of the operation of these reactors as well as from the field operation on the site.

This paper describes the outline of review results in relation to the items (1), (4) and (5).

2 Assessment of the Plant’s Conditions by Operators at Units 1 and 2

2.1 How to Conduct Investigation and Examination

It is important to understand the work condition of operators in the main control room (MCR) for the assessment of grasping plant’s condition by operators from the viewpoints of human factors. First, the work condition is visualized based on earthquake information and reported condition of MCR in the accident reports [1, 2]. Then, based upon the accident reports [1, 2] and information [3] published by the defunct Nuclear and Industrial Safety Agency, we examined (assumed) what picture of the plant’s condition the operators grasped after the big shock by the earthquake.

There are several factors to influence the works by operators in MCR. First, there happened frequent after-shocks after the big shock resulting in disturbing the countermeasures and field inspection of the damages of facilities by the big shock. The operators inspecting the damage should postpone their works and go back to MCR under the continuous announcement of the alarm of big Tsunami. Second, because MCR is a closed space, the illumination is inevitable for human works. Flashlights are necessary for the operators in a dark MCR. Third, high radioactivity level will restrict human activities due to the necessity to wear anti-radioactivity suits and the time limitation of radiation exposure. Fourth, it is difficult for a human worker to move and make an observation outside a building in the night.

The work condition of operators is visualized for the four factors. Figure 1 shows the work condition and major events related with Unit 1 and 2 from 14:30 to 18:30 on March 11, 2015 as an example of the visualization. The figure is drawn under the following assumptions as to the influences by after-shocks, illumination condition and the light outside the building. The level of earthquake is indicated by Japan Meteorological Agency seismic intensity scale because it expresses the level of ground motion and there are many monitoring posts all over Japan. The measured level at the nearest monitoring post to Fukushima-Daiichi nuclear power station is used. The Japan Meteorological Agency explains the relations of level number in the scale and severity of ground motion as shown in Table A1 [4] of Appendix. The operators are assumed to be able to do nothing for six minutes if the intensity level by the after-shock exceeds 6. The time span is shown by black color in the figure. The operators should postpone their works for four and two minutes by the after-shocks of intensity levels 5 and 4, respectively. The operators can be supposed to continue to do their works that they are doing at a small shock below the intensity level 4. For the reference, the happening time of an after-shock of the intensity level 3 is indicated as a fine black bar. As to the illumination in the MCR, some small light sources of instrumentation indicators are assumed to exist for ten minutes after the station blackout. The time span is indicated by gray color. After the period, the MCR is assumed to be in the darkness. After putting on temporary illumination, the MCR was no longer in the darkness, but it is reported that the MCR is in the condition with insufficient illumination. Therefore, the period with temporary illumination is indicated in gray color. It is also assumed that it was not in the darkness for 30 min after the sunset and before sunrise.

Fig. 1.
figure 1

Work environment of MCR operators from 14:30 to 18:30 in March 11, 2011

Full size image

As seen from Fig. 1, after-shocks frequently happened. This means that the working condition of operators was not good and they often had to postpone their works in some minutes. After the station blackout, the working condition became greatly worse. They needed flashlights to continue their works. By the station blackout, operators lost their methods to know plant condition. The sun set after two hours later. It became dark outside the building resulting in making difficulty in observing the condition of facilities from the distance. Considering the bad work condition, the operators are supposed to recognize plant condition as summarized in the next subsection.

2.2 Assessment of Units 1 and 2 Conditions Until Unit 1 was Damaged by the Hydrogen Explosion

Assessments from the occurrence of the earthquake to the onslaught of the second wave of tsunami.

In the MCR, operators precisely monitor the automatic operation and plant status through the control panel and take operation steps to shutdown the reactor in accordance with the operation manual. However, they are supposed to have had a sense of uneasiness by the frequent big after-shocks. Although the major tsunami warning was issued at 14:58, they might have not assumed such a major tsunami enough to flood the reactor building. The operators supposed that they would be able to achieve a cold shutdown in accordance with procedures specified in the operation manual if no plant component was damaged by the ground motion. They might also think that the field confirmation of the damage of plant components would continue for a long time due to frequent aftershock jolts with the major tsunami warning, However, judging from the plant parameter data over time, the operators seemed to have concluded that the main equipment and apparatus functioned well.

Assessments from the onslaught of the second wave of tsunami to temporary lighting-up of the Main Control Room.

The AC power supply was totally lost (SBO) due to the damage by the second tsunami wave at 15:32 resulting in the turning off the lighting of the MCR and main control panel. At 15:50, power supply for instruments was lost, which made the water level of the Units 1 and 2 undetectable. In the darkness, a review was made on the cause of SBO, how to restore the power source (especially, lighting of the MCR, as well as power supply of the monitoring instruments), and how to confirm the operating condition of IC (Unit 1) and Reactor Core Isolation Cooling System (RCIC) (Unit 2). Later, operators seemed to have begun studying how to inject alternative water to prepare for unexpected problems.

Judging from the happening of frequent after-shock jolts, the Emergency Preparedness Headquarters (EPH) seemed to have concluded that it would take time to restore the power source, where General Manager (GM) directed to study the alternative water injection at 17:12. Also, in the evening, the reactor water level of Unit 2 was found to be stable. This fact indirectly indicates the RCIC operation. By the identification of the extent of tsunami damage, the discussion begun on how to restore the power source by using part of Unit 2 power center with a power source car. Taking the above into account, the focus of operators’ attention seemed to have shifted to how to secure water injection line for the alternative water injection and to check IC operation.

They tried to identify the IC operation in vain. Then, a review was made of procedures for the containment venting because they recognized that it would be needed depending on the future situation. Also, they worked to secure the water injection lines in the darkness in the order of Units 1 and 2. In parallel they inspected the location, etc. of field instruments based upon the drawings and entered the reactor building (R/B) to see the reactor pressure and functioning status of the main equipment.

Situations from the temporary lighting-up of the Main Control Room to the access prohibition to Unit 1 reactor building due to the increase of radiation dose.

A small generator was installed at 20:49 and temporary lighting was turned on in the MCR of Units 1 and 2. Although the temporary lighting did not serve enough illumination for smooth actions of operators, the MCR was no longer in the darkness. Temporary batteries were also connected to the monitoring instruments. They must have been relieved by obtaining the data that showed that the reactor water levels of Units 1 and 2 were above the fuel rod level meaning that the fuel rods were not exposed. As for the unknown status of IC valves, the operators were dubious if IC did function based upon the result of “opening” operation of MO-3A valve at 21:30. At 21:51, GM directed not to enter the R/B of Unit 1 due to the increase of radiation dose.

Situations from the access prohibition to Unit 1 reactor building to hydrogen explosion of Unit 1.

Probably, the cause of why the radiation levels rapidly rose was discussed. According to the data indicating the reactor water level of Unit 1 on 22 o’clock, operators may have concluded that fuel melting, if any, was only partial. Power source for control operation was expected to be restored in MCR. However, laying temporary power source lines took long time due to the evacuation by frequent after-shock jolts under the major tsunami warning. The operators focused on the confirmation of the operation status of RCIC in Unit 2. Before dawn of March 12, they obtained a proof of its functioning, and might shift their attention to how to restore the Unit 1’s power source while wondering the water source.

Meanwhile, the diesel driven fire pump for water injection at Unit 1 was found to be shutdown at 1:48, and it was unable to be restarted. Facing difficulties, they seemed to have recognized that they made a step forward in the operation when they successfully started fresh water injection from fire cisterns at 5:46. They repeatedly studied venting operation procedures for pressure containment vessel (PCV), trying to collect the equipment necessary for the venting. Around 5 o’clock, they were ordered to equip themselves with the full mask, charcoal filter, and B apparatus. And the operators took shelter of the Unit 2 side due to an increase in radiation dose from the Unit 1 side. Thus, efficiency in the operations at MCR aggravated further. With the situation worsening, the operators must have believed that some of the fuel rods had exposed. The group on duty from the morning of March 11 had worked for 24 h.

In an attempt of PCV venting at a high radiation level, operators manually opened motor operated valves in the field. They also handled the air operated small valve from the MCR and tried opening operation of air operated large valves by setting up a temporary air compressor. With a decrease in the pressure of drywell, the EPH concluded that they succeeded in PCV venting. Because the operation of fresh water injection had continued during this time, emergency core cooling system, if not sufficient, may have worked to some extent. Because fresh water from the fire cistern dried up, GM directed to start seawater injection to the Unit 1 reactor at 14:54.

They managed to complete preparation for restoring the power source at around 15:30. But, a hydrogen explosion occurred in the reactor building at 15:36. This damaged cables, etc., and made all of the on-site staffs to take shelter in the important anti-seismic building.

3 Problems and Measures in Communication and Information Sharing

3.1 Objective and Method of the Study

This section aims at analyzing problems and proposing measures to cope with communication and information sharing in the case of the accident at Fukushima Dai-ichi Nuclear Power Station with the following conditions: (a) the subjects of this study are set to the MCR and EPH, because the ‘sites’ had a significant influence on the accident situation and the operations were restricted by time, (b) the main data used is the detailed descriptions included in the TEPCO’s reports [2, 7] and the Investigation Committee on the Accidents at the Fukushima Nuclear Power Station Report [1, 6], (c) if any measures were proposed in the reports, then the validity will be evaluated in this study. If it is necessary, additional measures will be proposed as the part of this study. The following paragraphs show the analysis results in three situations: information sharing between the MCR and the EPH; within the MCR; and in the EPH.

3.2 Information Sharing Between the Main Control Room and the Emergency Preparedness Headquarters - Information Sharing Between Two Groups

Information on Unit 1 operation status and situations was not fully shared with the EPH. Figure 2 shows the process of the communication from the MCR to the EPH. Using hotlines, information of the MCR was transmitted verbally to the Power Generation Team of the EPH. The information which the team received was given orally to the Chief of Power Generation Team. Finally, the information is given to entire Headquarters using a microphone from the Chief. The information about detailed operations (e.g., valve controls) and sound they heard (e.g., generation of steam) was communicated to the entire Headquarters. The information might prove IC was functioning. However, the information opposed to it was not transmitted from the MCR to the Headquarters for some reason. The reason has not been revealed. As the result, there was a period of time that the operators in the MCR understood “IC’s not functioning,” while the members of the Headquarters recognized the situation as “IC’s functioning” [2] (p. 323 and Appendix 8–10).

Fig. 2.
figure 2

Flow of information from the main control room of units 1&2 to the emergency preparedness headquarters (Source: Reference [2], Appendix 8–10, p. 2).

Full size image

TEPCO proposed four measures in the report: (a) to understand the situation visually, communication form (e.g., simple diagram) should be used for communicating plant and system status, (b) the common template, e.g., dedicated sheets on white boards, should be set both in the EPH and the MCR, (c) communications should be exchanged whenever information is updated, (d) the use of these methods should be trained through disaster drills [2] (pp. 344–345 and Appendix 16–3).

In situations where old information was recorded on the template at the Headquarters, it is difficult for the members of the Headquarters to find out the operators forgot to convey new information. To address this problem, they need to compare records on the both templates. A feasible measure is using a hardware that the Headquarters can visually confirm the template in the MCR with. A software measure is stationing of staffs in charge who perform a periodical report about the information in the MCR.

It might not be feasible for them to measure and communicate everything of many items at the time of emergency. These items should be selected based upon the importance assessment. More flexible strategy may be appropriate, which ask to handle only essential information according to the situation.

3.3 Information Sharing in the Main Control Room - Information Sharing in a Working Group

The problem was that the operators in the MCR of Unit 1 failed to share the information on the operation status just before SBO. One operator testified, “Valve 3A was closed before power source was lost. I told the information to another operators” [2] (Appendix 8–10). But no similar testimony was obtained from other operators. When the control panel does not work as external memory, information that they should store in the memory rapidly increases. This easily causes a memory failure.

The measures with the block diagram and template mentioned in 3.2 can be also applicable to information sharing in a group. This may help address the problem.

3.4 Instructions and Directions at the Emergency Preparedness Headquarters - Information Sharing Between Commanders and Subordinates

At 17:12 on March 11th, the GM ordered the members of the Headquarters to make preparation of water injection by fire engines. In the reference [6] (pp. 403–404), it was reported that the instruction was not promptly accepted by the members of each function teams or groups at the Headquarters. It also pointed out that because the roles of the teams and groups are fractionated, they lack a way of thinking which is recognizing the situation in a comprehensive manner, designing their roles, and providing necessary support service.

No measure was proposed in the reports. To address this problem, it may be good to visualize the details and allocation of the tasks, and ongoing status on a white board. This allows the commanders and subordinates to clearly share the information about the task. Furthermore, if the display of the MCR can be seen from the Headquarters, it may be effectively used to develop necessary support and advice to the MCR.

3.5 Notes for Considering the Measures

For a practical use of the measures, each license holder should evaluate the effectiveness and feasibility at sites in details. One of the requirements should be satisfied is “avoiding interruption of the operator’s task on the site.” The first priority should be assign to achieving the control tasks in the MCR, where resources are limited. The information sharing task should be allotted to the EPH to inhibit the interruption to the task process of the operators of the MCR.

Actually it is reported that workers in charge were allocated in the Fukushima Dai-Ni and Tokai Dai-Ni Nuclear Power Plants. On the other hand, there is no such report about the case of the Fukushima Dai-ichi Nuclear Power Plant.

4 Analysis on the Emergency Response Capability by Organizations

4.1 Analysis Method

Based upon analysis methods used for various accident reports [810], and new methods advocated in recent years such as Resilience Engineering (RE) [11] and High Reliability Organization [12], we extracted successful and failure cases in regards to how they responded to the Accident in Fukushima Dai-ichi Nuclear Power Station, from individual via. organizational, and to the external response levels. At the analysis, based upon the report from TEPCO [6], we discuss the timeline on water injection at Unit 1, especially on the judgment to continue seawater injection.

4.2 Methods Used for the Analysis

According to the definition of RE [11], it is a strategy to control the state steady by adopting human situational awareness when the change of a system status is severe, in contrast with the concept to design a robust system against disturbance to avoid a conventional human error. Resilience (flexible and robust) refers to a capability to adjust the function, which an organization inherently has, in responding to the environment and disturbance before, amid and after it, which includes (i) studying ability, (ii) predicting ability, (iii) monitoring ability, and (iv) responding ability.

HRO [12] studied organizational capability, and refers to “honesty” (report any small indication), “prudency” (to be very careful), and “sharpness” (sharp sense about operation), at ordinary time, and then “agility” (to fully respond to problem-solving) and “flexibility” (to entrust authority to the most suitable person), at the time of emergency. High Reliability Organization is a concept to review a successful case from the standpoint of an organization, which has a common objective to alleviate accident trouble, in line with the present direction of RE.

Risk literacy (RL) is a capability to examine the background of a risk, and to understand and deal with the influence of the risk. To ensure an effective risk management of an organization, it is important for the organization or risk manager to have a risk literacy [13]. This capability includes analysis capability (collection, understanding and predictive ability), communication capability (networking and communication ability), and practice capability (response and applied ability).

4.3 Analysis Results of Organization Factors

We analyzed water injection timeline of Unit 1 from the viewpoints of RE, HRO, and RL. The analysis result is shown in the paper titled “Accident Analysis by using Methodology of Resilience Engineering, High Reliability Organization, and Risk Literacy” written by H. Ujita for HCI 2015.

4.4 Discussion on the Accident Response Capability

A difference in accident response capability is found between individual & organizational levels, and national & industrial levels. Many successful examples of resilience were found on individual and organizational basis. The operators on the site seem to have a sense of duty, a critical mind for usual work, and an experience of accident training programs, which seemed to have worked effectively at the situation of emergency. This is what we call the significance of safety culture development. In this context, we advise that it is important to “establish study (feedback) system as an organization” on daily basis.

On the other hand, there are many flaws in crisis response of managerial and country levels. In the management division, trainings is dispensable that focus on emergency responsibility allotment, evaluation of severe situation assessment, and mode shift from normal time to emergency. Failure cases are concentrated on rare event recognition and challenges in organization culture, in the national level and industrial base. According to bounded rationality [13], they used the limited information to make a rational decision in the limited environment, which may have been a failure in the site of God. Our suggestion is that it is important to destroy bounded rationality, or to “establish the system which prioritize judgment on the site (allows violation of order). The typical example was seen in the judgment to continue seawater injection despite the order from the official residence and the headquarters. A higher priority was placed on the conclusion on the site. Also, rebuilding of the safety concept integrating unexpected responses is designed in order to eliminate errors in risk recognition.

Analyzing documents including lessons learned from the Fukushima Dai-Ni Plant accident as shown in Reference [14], the causes of such difference were due to the severity in damage and the availability of power source. In the Fukushima Dai-ni, the damage of the whole system was less than the Fukushima Dai-ichi, and the total power source was not lost. Considering the four capabilities of Resilience Engineering, the response was not greatly different between Fukushima Dai-ichi and Dai-ni Plants.

TEPCO proposed, in the accident summary newly submitted [15], in addition to the hardware measures by the Investigation Committee on the Accidents at the Fukushima Nuclear Power Station of TEPCO (Investigation Committee) [2], such means to avoid a negative chain of organization as “to improve safety awareness by the top management” and “to introduce incident-command system” for addressing the challenges of the organization suggested in this paragraph.

5 Concluding Remarks

This paper reviews some topics of the accident in Fukushima Dai-ichi Nuclear Power Station from the viewpoint of HF. First, this paper reviews how the operators had recognized the plant conditions until the hydrogen explosion of Unit 1. The operating condition of components was hard to be recognized because of the loss of functions such as control panels of the MCR, Safety Parameter Display System (SPDS), etc., which were indispensable of monitoring the situation. Also, the operation manual was no longer applicable. These severe situations resulted in unsuccessful operation. However, the staffs on the site seem to have taken flexible approaches based on their knowledge and experience. As for the fields of communication and information sharing, there found some problems among two groups, operation groups, or order-givers and takers. It is important not to prevent site/task operations in applying plausible measures for the problems. In the analysis of emergency response capability to the accident, many good cases were found in individual and organizational levels, but there were bad crisis responses found in managerial or national levels.

Based upon the review results, it will be effective to have measures to keep the power source and system function for a long duration. A system design that enables manual operation without an excessive dependence on remote control is also important.