Reviewing the Safety of Nuclear Power Plants – Part 4: Resuming nuclear power generation is a highly dangerous choice that may cause another Fukushima-scale disaster

By Goto Masashi, Doctor of Engineering, Former Nuclear Plant Engineer, Member of Citizens’ Commission on Nuclear Energy


4. The theory of highly complex technology systems indicates that nuclear power plants cannot be free from large-scale accidents

Nuclear power accidents are studied from many points of view; here I discuss what normal accident theory, developed in the study of organizational accidents, means for nuclear accidents. A "normal accident" in this sense can be rephrased as "an accident whose occurrence stands to reason" or "an accident waiting to happen."

The arguments concerning this theory closely correspond to the fundamental arguments about the safety of nuclear power plants: nuclear operators argue that "a safe nuclear power plant is possible if safety is pursued without limit," while local residents and citizens critically argue that "nuclear plants cannot be free from the possibility of accidents and should no longer be used."


4-1 “Highly complex technology systems” are the most critical issue in modern society

Technology today is rapidly expanding and becoming more complex. Horse-drawn carriages and bicycles were once the common means of transportation, but technological advancement has made transport systems increasingly complex: aircraft and ships are equipped with navigation systems supported by complicated radar and electronic devices, and rail transport is supported by complex signalling systems. Power generation was once dominated by thermal systems, which burn oil or coal to generate steam that drives a turbine; nuclear power, which uses nuclear reactions as its heat source, has since appeared. The subsystems that compose a complicated technology as a whole are in many cases tightly linked ("tight coupling"). For example, nuclear power generation drives a turbine in the same manner as thermal power does, but its heat source is a very complicated control system involving nuclear reactions. In nuclear power generation, technologies that are very different in nature are tightly coupled.

Normal accident theory states that when such complicated technologies are used and many of them are tightly coupled, composing an entire system in which a malfunction or failure in a single technology can instantaneously influence other subsystems, accidents are waiting to happen. A typical example was seen when three major Japanese banks merged into Mizuho Bank: the banks attempted to unify complicated accounting systems built on different programs, resulting in a devastating system failure. When technologies are complicated and tightly coupled, the influence of an accident may spread instantaneously to the entire system, possibly producing results far more severe than the designers expected.


4-2 Complex interaction and tight coupling

Concerning complex systems using advanced technologies, such as nuclear plants, Fujikawa Natsuko, in her paper “Review of the Fukushima Nuclear Station Disaster from the Viewpoint of Organizational Studies,”*1 discusses the normal accident theory (NAT), propounded in 1984 by U.S. sociologist Charles Perrow,*2 and high reliability theory (HRT),*3 which focuses on the reliability of organizations that achieve high safety records under highly unsafe circumstances.

The basis of NAT is the characteristics of a system that consists of complex interactions and tight coupling, as shown in Figure 1.

Figure 1: Interaction–Coupling Chart (*1, p. 122)

Systems are classified along one dimension according to whether their interactions are linear (proportionally linked and predictable) or complex (with nonlinear relationships not perceived by humans), and along a second dimension according to whether the coupling between the elements of the system (their mutual relationships) is tight or loose. This positions systems into four types in the Interaction–Coupling Chart.

The difference between NAT and HRT is that NAT considers an organizational accident to be an unavoidable, inherent characteristic of a complex system using advanced technologies, while HRT analyzes the organizations that retain high reliability in circumstances where the risk of an accident is high, and considers organizational accidents to be preventable. I consider that the background to the emergence of such a theory is a sense of crisis among those who fear that, if the optimistic idea ("even for advanced technology systems, a safe system that can prevent accidents will be available as a result of pursuing the reliability of the organization and by thoroughly conducting training and culture development") were negated, this would become a significant obstacle to the social application of advanced technologies developed in the future.


4-3 Normal accident theory (NAT) and high reliability theory (HRT)

In her paper, Fujikawa reviews NAT and HRT, and introduces the following as the view of Sagan (1993)*1 (p. 128): “HRT does not contradict Perrow’s fundamental logic, where the complexity of interactions and the constructional condition of tight coupling theoretically make organizations susceptible to accidents. However, HRT has the vision that human activities (agency), namely, culture, design, management and selection, invalidate, or compensate for, the pressure of a dangerous organizational structure. Therefore, Perrow’s safety glasses find a 1% blank, while HRT finds the perfectness of 99% when the glasses of the same safety performance are used.” The paper also quotes Perrow (1999) as saying: “The fundamental difference between NAT and HRT is that HRT believes that a system of complex interaction and tight coupling can produce a system substantially free from accidents if efforts are made, while NAT believes that, whatever efforts are made, a system of complex interaction and tight coupling is susceptible to accidents due to its inherent characteristics” (underline added by the author).

However, Fujikawa's paper was written three years after the Fukushima disaster, and aims to "review the Fukushima disaster from the viewpoint of high reliability organization, which is one field of organizational studies" (Fujikawa*1, "Preface," p. 120). Therefore, she analyzes the normal accident with the main emphasis on organizational studies, human factors, and human relations. Needless to say, the paper is noteworthy in these respects. However, while it refers to the National Diet of Japan Fukushima Nuclear Accident Independent Investigation Commission Report and to What Happened in the Fukushima Accident—Collapse of the Safety Myth (Kuroda, Ino and Yamaguchi ed., 2012, Iwanami Shoten), the paper does not review the accident from the viewpoint of technology or engineering. More than ten years after the disaster, new damage and radioactive contamination due to the disaster are still being discovered, and I therefore decided in this paper to discuss NAT from the technological and engineering points of view in order to assess the safety of nuclear plants.


4-4 Characteristics of a normal accident

Fujikawa combines the classification by interaction and coupling with the centralization or decentralization of authority. As Figures 1 and 2 show, in Cell 1, where the relationship is linear (predictable and visible interactions) and elements are tightly coupled, a centralized organization is suitable. In Cell 2, where the system is complex and elements are tightly coupled, as with nuclear plants, tight coupling demands a centralized organization on the one hand, while on the other hand the complexity of interaction demands a decentralized organization, so that contradictory demands exist within a single organization. Most manufacturing is in Cell 3, where the relationship is linear and elements are loosely coupled, and can thus be either centralized or decentralized. For complex, loosely coupled organizations such as universities, a decentralized organization is suitable.

Figure 2: Centralization and Decentralization Associated with Crises (*1, p. 124)


4-5 Fukushima disaster and normal accidents

Such a system accident has three characteristics. First, the individually minor failures (incidents) discussed in the organizational-studies review of the Fukushima Daiichi Nuclear Power Station disaster are tightly coupled, so that the system suffers the consequence (the accident) of the interaction of multidimensional failures. Second, the accident is caused by the interaction of failures among six components, known as DEPOSE: design, equipment, procedures, operators, supplies and materials, and environment. Third, such interactions are not only unpredictable but also incomprehensible under crisis conditions (Fujikawa*1, pp. 121–122). The important question here is whether the Fukushima disaster is explainable from these system characteristics.


4-6 Review of the Fukushima disaster from papers written before the disaster — Discussing the disaster from the accident theory

From spring 1989 until two years before the March 2011 Fukushima disaster, the author was engaged in research on reactor design, especially on serious (severe) accidents of the nuclear reactor containment vessel, which is the basis of the safety of nuclear plants. I am humbly proud to have been one of the engineers who closely observed, and are familiar with, the relationship between accidents and safety in the real field of technology. In October 2010, the author contributed papers to the publication Thorough Review of All the Technologies in the 21st Century.*4 The Introduction to the book states: "We thought that we must begin by grasping the entire sphere of modern technology. We have seen with our own eyes modern technology becoming gigantic, complex, and segmentalized, and thought that we must closely analyze the contradictions and problems of individual technologies, and elucidate comprehensively and systematically the various facets of problems that occur in association with the relationship between humans and society, while reviewing technology again from the roots." I contributed Chapter 9, "Future of high-speed and mass transport"*4 (pp. 263–277), in which I explained the basic mechanisms of such means of transportation as railways, ships and aircraft, and the relationship between those mechanisms and safety. In Chapter 8, "How will energy change?," I described the mechanism of nuclear power generation and its essential flaws: "A nuclear power generation plant is equipped with more safety systems than the systems and devices that perform its essential operational functions. Most of the safety systems are completely unnecessary if these operational systems and devices do not malfunction, or as long as they operate without failure. It is an assembly of safety systems.
However, the essential problem in the safety of nuclear power plants is that, however carefully the plant is designed, built and operated, the plant cannot completely avoid the possibility of a disaster. From the theory of accidents, nuclear power generation is a socially unacceptable technology."*4 (p. 233) (written under the author's penname, Shibata Hiroyuki). Further, in Chapter 15, "Fear of accidents becoming frequent and gigantic," I discussed the causes of accidents and the relationship between those causes and the social and natural environment (Figure 3).

Figure 3: Relationship between Accident Causes and Social and Natural Environment (*4, p. 359)

In this section, I discussed the differences between the range controllable by humans (the technological range) and what lies outside that range (natural environmental conditions). The author then discussed the direct causes of accidents, such as failures of and damage to machines and mechanisms, and human errors. As an example, I referred to an accident in which a Japan Railway West train overturned and analyzed the overall picture of the accident*4 (pp. 364–366) (under another penname, Ikeda Satoshi). In the section named "Fear of nuclear power plant accidents," I discussed the requirements to be satisfied to ensure that "the nuclear reactor is stopped, the nuclear fuel in the reactor is cooled, and radioactive substances are contained in the plant," referred to accidents that had been covered up, such as a control rod drive mechanism accident, and wrote: "From the scale and complexity of the system of nuclear power plants and the processes by which these accidents were revealed, it is natural to consider that there have been unknown potential failures" (underlined by the author).


4-7 Multifaceted and/or multilayer protection measures cannot prevent containment vessel destruction — The renewed regulatory requirements will in no way prevent a “normal accident”

Reviewing what I wrote above, I found that it coincides with the idea of accident unavoidability in NAT. I also indicated that a common cause failure would simultaneously break down the multi-layer safety systems, whereas the Nuclear Safety Commission (at that time) wrote that the possibility of an accident sequence leading to a severe accident would be so small as to be probabilistically negligible. I indicated that we would be confronted with an ultimate choice in the face of a severe accident, namely, whether or not to supply cooling water in the case of a core meltdown. When the core melts down, a "China Syndrome" may take place (if the debris cannot be cooled, it continues to erode downwards endlessly; in the Fukushima Daiichi disaster, the large base of the nuclear reactor vessel was seriously damaged); if water is supplied to cool the reactor, a huge steam explosion may occur. Another consideration is that, while the containment vessel is a structure for containing radioactive substances at the time of an accident, when the core melts down, the pressure and temperature in the vessel rise as the accident develops, and if no measures are taken, the vessel may explode. Venting the vessel is therefore unavoidable. The containment vessel's essential function is to prevent the release of radioactive substances, and I regarded venting the vessel as relinquishing that essential function, or "self-destruction of the vessel." I emphasized that it would be an ultimate measure, releasing radioactive substances, although such a vent would be unavoidable to prevent the explosion of the vessel. Before the Fukushima disaster, I wrote that an accident at one plant would produce contamination over a wide area, and that a single nuclear plant is a very dangerous presence that could ruin a country, as in the case of the Chernobyl accident*4 (pp. 366–369) (Ikeda Satoshi).
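The "probabilistically negligible" figure for a multi-layer safety system, which the passage above contrasts with a common cause failure, only holds if the layers are assumed to fail independently. The following is an added illustration, not from the article or from any of the cited works: it uses the beta-factor common-cause model from reliability engineering (a fraction beta of each layer's failure probability is attributed to a shared cause that defeats every layer at once) with constructed values of p, n and beta, to show how a shared cause puts a floor under the system failure probability that extra redundant layers cannot remove.

```python
"""Added example: independent vs. common-cause failure of redundant safety layers.

Model (constructed for illustration):
  n      redundant safety layers, all of which must fail for the system to fail
  p      per-demand failure probability of one layer
  beta   fraction of each layer's failures that stem from a shared cause
         (beta-factor model, a standard common-cause failure model)

Under independence, P(system fails) = p**n.
Under the beta-factor model, each layer's failure probability splits into an
independent part (1-beta)*p and a common-cause part beta*p that removes all
layers together, so P(system fails) ~= ((1-beta)*p)**n + beta*p.
"""
from typing import Optional


def independent_failure(p: float, n: int) -> float:
    """Probability that all n layers fail when their failures are independent."""
    return p ** n


def beta_factor_failure(p: float, n: int, beta: float) -> float:
    """Beta-factor approximation of the system failure probability.

    The second term, beta*p, does not depend on n: it is the common-cause
    floor that no amount of additional identical redundancy can lower.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    return ((1.0 - beta) * p) ** n + beta * p


def underestimate_ratio(p: float, n: int, beta: float) -> float:
    """How many times too optimistic the independence assumption is."""
    return beta_factor_failure(p, n, beta) / independent_failure(p, n)


def layers_needed(p: float, beta: float, target: float,
                  max_n: int = 20) -> Optional[int]:
    """Smallest n (up to max_n) whose beta-factor failure probability is
    below `target`, or None if the common-cause floor makes it unreachable."""
    for n in range(1, max_n + 1):
        if beta_factor_failure(p, n, beta) < target:
            return n
    return None


if __name__ == "__main__":
    # Constructed scenario: three layers, each failing on 1 demand in 1000.
    p, n = 1e-3, 3
    print(f"independence assumption: P = {independent_failure(p, n):.3e}")
    for beta in (0.01, 0.1):
        print(f"beta = {beta:<4}: P = {beta_factor_failure(p, n, beta):.3e}"
              f"  ({underestimate_ratio(p, n, beta):.0f}x the independent figure)")
    # With beta = 0.1 the floor is beta*p = 1e-4, so a 1e-6 target is unreachable
    # by adding layers; without common cause, three layers already reach 1e-8.
    print("layers for 1e-6 with beta=0.1:", layers_needed(p, 0.1, 1e-6))
    print("layers for 1e-8 with beta=0.0:", layers_needed(p, 0.0, 1e-8))
```

The point of the computation is not the particular numbers, which are constructed, but the shape of the result: with three independent layers the system figure is one in a billion, while a shared cause affecting a tenth of each layer's failures raises it to roughly one in ten thousand, and adding further identical layers cannot push it below that floor. A flood, loss of off-site power, or a shared design error is exactly such a cause.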


4-8 Theory of nuclear power generation safety

In a complex system, failures or losses of function cannot be avoided. When such failures or similar events occur, most of the systems of a nuclear plant are not fail-safe; that is, deterministic safety (see Figure 1, Section 2-3, Part 2 of this series)*5 is not realized. Because a plant consists of many parts, the possibility of a failure with unknown causes cannot be denied. This means not only that a nuclear plant accident is unavoidable, but also that the renewed nuclear regulation requirements prepared in a hurry after the Fukushima disaster cannot prevent a severe accident or large-scale destruction of a nuclear power plant (containment vessel destruction, spent fuel destruction, etc.).

Table 1: Comparison between Normal Accident Theory and High Reliability Theory

As can be seen from the above, what has been learned about the Fukushima disaster, including from technological viewpoints, and the fact that the truth has remained unknown and will remain unknown in the future, indicate that the disaster was an accident of a complex system. Further, this accident was not special. As an example, consider the containment vessel isolation valve, which is designed to activate, or at least to be available, at the time of an accident. Whether this valve, which closes automatically so as not to release radioactive substances, is open or closed significantly influences the development of the accident, and a condition in which it cannot be decided whether to open or close the valve is truly a normal accident. This occurred in the Fukushima disaster and in the Three Mile Island accident; for the Chernobyl disaster, whether it occurred is unknown. As we review these events, the occurrence of an accident that is totally unforeseen, no matter how carefully its probability is studied, seems realistic. Whatever measures are taken against an accident, a failure in a single valve may develop into a huge accident because of the tightly coupled complex system. Currently, discussion is taking place about whether the Kashiwazaki-Kariwa NPS should be restarted, including the feasibility of evacuation, but if we dig into the nature of an accident, the author believes that the only theoretically derived way to prevent a second Fukushima disaster is to give up nuclear power. Lastly, I would like to add that Scott Sagan's The Limits of Safety: Organizations, Accidents, and Nuclear Weapons*6 motivated me to write this series of articles; I did not mention this earlier because the subject of the book is nuclear weapons.


Cited literature and references

*1: Fujikawa Natsuko. "Review of the Fukushima Nuclear Station Disaster from the Viewpoint of Organizational Studies." The Journal of Yokkaichi University, Vol. 26, No. 2, 2014 (in Japanese).

*2: Charles Perrow. Normal Accidents: Living with High-Risk Technologies. Princeton University Press, 1999. (Referred to as NAT in this paper.)

*3: High Reliability Theory (referred to as HRT in this paper); Karlene H. Roberts and Karl E. Weick are its major advocates.

*4: Ino Hiromitsu and Saeki Yasuharu (eds.), Modern Technology History Study Group (ed.). Thorough Review of All the Technologies in the 21st Century. Fujiwara Shoten, Tokyo, October 2010 (in Japanese).

Shibata Hiroyuki and Ikeda Satoshi are Goto Masashi's pennames.

*5: Nuke Info Tokyo No. 226 (May/June 2025), cnic.jp/english/?p=8392.

*6: Scott D. Sagan. The Limits of Safety: Organizations, Accidents, and Nuclear Weapons. Translated by. Fujiwara Shoten, Tokyo, July 2024.
