Advertisement

Simulation, Epistemic Opacity, and ‘Envirotechnical Ignorance’ in Nuclear Crisis

  • Tudor B. IonescuEmail author
Open Access
Article
  • 237 Downloads

Abstract

The Fukushima nuclear accident from 2011 provided an occasion for the public display of radiation maps (or dose projections) generated using decision-support systems for nuclear emergency management. Such systems rely on computer models for simulating the atmospheric dispersion of radioactive materials and estimating potential doses in the event of a radioactive release from a nuclear reactor. In Germany, as in Japan, such systems are part of the national emergency response apparatus and, in case of accidents, they can be used by emergency task forces for planning radioprotection countermeasures. In this context, the paper addresses the epistemology of dose projections by critically analyzing some of the sources of epistemic opacity and non-knowledge (or ignorance) affecting them, and the different methods and practices used by German radioprotection experts to improve their trustworthiness and reliability. It will be argued that dose projections are part of an entire radioprotection regime or assemblage built around the belief that the effects of nuclear accidents can be effectively mitigated thanks to the simulation technologies underlying different protocols and practices of nuclear preparedness. And, as the Fukushima experience showed, some of these expectations will not be met in real emergencies due to the inherent uncertainties entailed by the use of dose projections when planning protective countermeasures.

Keywords

Simulation Decision support Nuclear accident Fukushima Epistemic opacity Non-knowledge Ignorance 

1 Introduction

The latest severe nuclear accident at Fukushima-Daiichi provided an occasion for the public display of radiation maps (or dose projections) in official communiqués, ex-post reports on the accident, and the mass media. Vividly colored visualizations of radiological risk, spreading from the damaged reactors at Fukushima into the world, became public elements of fascination and fear. The scale and uniqueness of this ‘envirotechnical disaster’ (Pritchard 2012) put the operators of the simulation-based Japanese System for Prediction of Environment Emergency Dose Information (SPEEDI) and the Emergency Response Support System (ERSS) under tremendous pressure. Not only were the available radiation measurement data sparse, but could the dose projections produced by these systems be trusted in such a critical situation? Minimizing the severity of the radiological situation might have endangered the population in the radiologically affected areas; whereas an overly conservative recommendation to evacuate a large area might have paralyzed the capacities of emergency task forces.

The Japanese SPEEDI and ERSS systems fall into the category of decision-support systems for nuclear emergency management (henceforth referred to as DSNE systems). They rely on computer models for simulating the atmospheric dispersion of radioactive trace species and estimating (or projecting) potential doses in the event of a radioactive release from a nuclear site. In Germany (Wilbois et al. 2013), as in Japan (Chino et al. 1993), such systems are part of the national emergency response apparatus, supporting experts and other members of emergency task forces in managing the radiological effects of nuclear accidents. In the wake of the accident, different official reports provided sometimes contrasting assessments of the way in which the SPEEDI and ERSS systems have been used during the Fukushima-Daiichi crisis. For example, the extensive report by an Independent Commission appointed by the National Diet of Japan criticized the way in which the Japanese authorities conducted their regular drills and exercises as well as the fact that the results of the SPEEDI system were not drawn upon in the decision making process early enough (The National Diet of Japan 2012). In contrast to this assessment, the International Atomic Energy Agency’s (IAEA) report on the accident (IAEA 2015) pointed out that, according to its own standards, dose projections should not be used as the basis for determining the most appropriate protective countermeasures in a real emergency because of the inherent uncertainty of such simulations. The lack of consensus regarding the role of computer-generated radiation dose projections during the Fukushima nuclear crisis prompts us to address some issues concerning the epistemology of dose projections.

Against this background, this paper critically addresses some of the sources of epistemic opacity (Humphreys 2009), non-knowledge or ignorance (Gross 2007; Böschen et al. 2010; Friedrich et al. 2017), and ‘the limits of representation’ (Kinsella 2012) affecting DSNE systems by looking into the simulation technologies and practices used by the members of the epistemic community of radioprotection experts supporting German nuclear regulators and emergency task forces. In this country, regular drills and exercises aimed at preparing for real accidents are conceived with DSNE systems in mind. In a real event, they are expected to provide first dose projections within two hours from the onset of a serious incident or accident. In this context, latent software faults (i.e., software defects which may remain undetected for a long time) lingering in simulation code are one source of epistemic opacity affecting DSNE systems, which has received relatively little attention by the atmospheric dispersion modeling community. The discovery of such faults often surprises experts, who usually focus their efforts on the science of dispersion modeling rather than on the reliability of the computer code implementing them. The lessons from Fukushima prompted the German epistemic community of radioprotection experts to engage in a model inter-comparison exercise with the different dose projection models used by the state and federal authorities in that country. The result of this exercise showed that these models can yield widely differing results, both quantitatively and qualitatively, which may contribute to wrong decisions concerning the most appropriate countermeasures in emergencies. The paper then turns to an account of and commentary on the impromptu adaptations brought to a German DSNE system used in Baden-Württemberg during the Japanese nuclear crisis from 2011 in order to allow for a dose projection with several emission phases and sources for the Fukushima accident site. This experience showed that the effective use of this system was impeded by what we shall regard as envirotechnical ignorance. Finally, we provide commentary on a series of questions that emerged in the wake of the Fukushima crisis concerning the role of DSNE systems in emergency response planning, on the basis of two official reports on the accident.

The analysis draws mainly on four empirical sources: Scientific papers, regulatory guidelines, and official reports on the Fukushima accident; the author’s retrospective ethnographic account as a member of the scientific staff at the Institute of Nuclear Technology and Energy Systems (IKE) in Stuttgart between 2007 and 2012; participant observation of IKE’s public activities during the Fukushima accident; and interviews with IKE experts (both formal and informal). Founded in 1963, the IKE is one of the oldest and was at its peak in the 1980s the largest German nuclear science and engineering institute, employing over 200 people. Following the Chernobyl accident, the institute was tasked with the development and maintenance of an atmospheric dispersion forecasting and dose projection system, called ABR-KFUE,1 used by the state government of Baden-Württemberg for decision support in nuclear emergency management. On the theoretical side, the paper contributes to a more nuanced, situated understanding of three sensitizing concepts—epistemic opacity, non-knowledge (or ignorance), and the limits of representation—on the basis of a concrete case study focused on German radioprotection policies, experts, practices, and simulation software. On the practical side, the case study arguably contributes to a better understanding of how radioprotection regimes or—in a Foucauldian–Deleuzian sense—assemblages, are socially constructed within specific political traditions and technological cultures. Bringing the theoretical question of knowledge production together with the practical and political question of how radioprotection is constructed ultimately helps to trace a series of sociotechnical issues related to protecting people and ecosystems against radioactivity back to the epistemology of dose projections.

2 Background and Framework of Analysis

As a consequence of the radiological effects of the Chernobyl accident in Germany, a federal law for radiological protection, known as the German Precautionary Radiation Protection (PRP) Act,2 was passed in November 1986 by the then governing conservative-liberal coalition with the aim of facilitating an effective, coordinated emergency response to nuclear accidents. While being criticized for aligning the allowable radiation levels with the more permissive international standards of that time (Günther and Dietz 1987), the law also laid the legal groundwork for the establishment of the German Integrated Radioactivity Information and Decision Support System (IMIS). IMIS is composed of a dense network of radioactivity measurement stations and represents an essential component of the national nuclear emergency response and radioprotection system (Weiss and Leeb 1993). An important extension to this system consisted of computer-based atmospheric dispersion simulation and dose projection models for immediate decision support in nuclear emergencies. These models employ emission data from the IMIS network and meteorological data from the German Weather Service in order to produce comprehensive small-to-mid range atmospheric dispersion forecasts and dose projections.

As stipulated by the PRP Act from 1986, in the event of an emergency, the individual state governments are in charge of taking immediate countermeasures for a limited area (currently 100 km in radius) around the accident site. Outside that area, the federal government takes over responsibility. In Baden-Württemberg, for example, a nuclear emergency task force composed of employees of the environment ministry supported by expert advisors assembles within an hour after the onset of an accident to decide upon the most appropriate radioprotection countermeasures. Task force members communicate with nuclear power plant (NPP) operators and make recommendations to the branch of the government in charge of managing the crisis. By the end of the 1980s, DSNE systems were introduced to automate atmospheric dispersion forecasts and dose projections and to support experts and decision makers during emergencies. In such an event, dose projections are either triggered automatically when measured emission values exceed a certain threshold or when an NPP operator signals a dangerous technical incident. Within 1–2 hours from the alarm trigger, the first dose projections are delivered to the members of the emergency task force, who can use them in the decision making process. In principle, there are four possible recommendations: Take shelter or stay in house; take iodine tablets; and temporary/permanent evacuation in a specified area. A 2–5 km zone around the emission point is evacuated regardless of the amount of released substances if an event qualifies as an accident. In addition, for an area of up to 100 km from the emission source, divided into 12 equal sectors, dose projections are used to decide if, when, and which sectors to evacuate.

The PRP Act also stimulated the formation of an epistemic community of experts supporting authorities and policy makers in their efforts to facilitate an effective response to nuclear accidents. Haas (1992) defines an epistemic community as “a network of professionals with recognized expertise and competence in a particular domain and an authoritative claim to policy relevant knowledge within that domain or issue-area” (p. 3). The members of such a community share beliefs, norms, practices, values, and notions of validity as well as a set of common practices and problem domains they jointly address. The German epistemic community of radiological protection professionals is composed of several research groups working closely with the state and federal environment ministries, and other relevant government agencies. Until 2017, the IKE in Stuttgart hosted one of these research groups in charge of the development of the simulation components of the ABR-KFUE system.

In the wake of the Chernobyl accident, the promise and expectation that dose projections, a vast network of monitoring stations, and an epistemic community of radioprotection experts would be able to effectively protect the population and the environment in the event of another nuclear “mishap” facilitated a compromise between the nuclear industry, regulators, and society. This compromise allowed for the continued operation of NPPs despite the risks entailed by nuclear power production, proven real by the Chernobyl accident. The accident in Ukraine, however, did not provide an objective basis for challenging the safety of German reactors for the simple reason that it occurred elsewhere. Within the discourse of compromise, nuclear power was considered a bridging technology until nuclear fusion or some other new technology would be able to replace it. An important argument in favor of extending the regulatory focus from accident prevention to radioprotection was the fact that, although Chernobyl occurred in another country, its radiological effects were also felt in Germany. This meant that something needed to be done regardless of the perceived safety of German reactors, in order to protect the population.

By stalemating the nuclear issue, the compromise from 1986, focusing on risk mitigation rather than prevention, ensured the continued operation of German reactors until 2011, when the Fukushima accident prompted a nuclear phase-out decision by the governing conservative-liberal coalition of the time.3 The critics of this decision considered that the federal government ignored the results of the reactor safety review (BfS 2011) commissioned by the Bundestag shortly after the onset of the accident, endorsing the safety of German nuclear plants. The government chose instead to follow the recommendation of an ‘Ethics Commission’ appointed by the German chancellor to phase out nuclear power by 2022 on the basis that the severity and uncontrollability of an eventual accident on German soil must be taken into account in the assessment of residual risks (Jahn and Korolczuk 2012).

Setting the stage for a case study focused on Germany, the next three subsections will introduce the theoretical framework used to analyze the epistemology of dose projections. In doing so, we leave the discussion of the broader political implications of such systems aside for now, as it would exceed the aims and scope of this paper.

2.1 The German Radioprotection Assemblage

Computer models have been identified as elements of Foucauldian–Deleuzian assemblages, perhaps most notoriously by Edwards (1997), who conceptualized discourse as a “self-elaborating ‘heterogeneous ensemble’ that combines technique and technologies, metaphors, language, practices, and fragments of other discourses around a support or supports” (p. 40). On the example of computerized military technologies and serious games used during the Vietnam War, Edwards argues that the discursive world of the Cold War was a closed one, in which the objectivist mindset of technology experts and army strategists—dominated by the idea of absolute control of the battlefield through computer technologies—managed to exclude open or “green” worlds (as Edwards puts it), in spite of their obvious failure in Vietnam. Owing to the ‘closed world’ mindset, which justified enormous investments in computer and software technology, computer modeling and simulation have become commonplace in research and development, co-determining the ways in which science is being conducted and disasters are being managed today. These technologies carry with them a political and military heritage, which makes itself evident in the ways in which computers of all sorts are increasingly being used as instruments of personal data collection and social control.

Drawing on Edward’s conceptual framework, the German radioprotection regime may be regarded as a socially constructed assemblage developed around the knowledge claim that the residual risks4 of civil nuclear facilities can be successfully mitigated with the help of computer simulation, an extensive supporting network of radioactivity measurement stations, and a series of regularly rehearsed emergency response practices and protocols, governed through policies and guidelines. Upheld by the collectively shared belief that major nuclear accidents on German soil are highly unlikely and moderate ones controllable, this knowledge claim built upon the visual metaphor of radiation maps. Prompted by nuclear accidents, these maps facilitate a panoptic visualization of the imminent risk of radiation exposure, while conveying the impression that the affected areas can be evacuated in the attempt to mitigate that risk. In this sense, they fulfill a double purpose of warning and assurance through knowledge produced by computer models and radioactivity monitoring technologies. To gain public legitimacy and acceptance as mitigation technologies, radiation maps needed to prove themselves effective ante factum by fostering practices, protocols, and policies of nuclear emergency preparedness anchored in local cultures of political responsibility and accountability. Using an entire arrangement of technologies, practices, and experts, the radioprotection assemblage provided the broader public with assurances that everything is being done to protect the civil population against radioactivity regardless of its source, while promising to deliver the necessary support in case of a real emergency. In a way, this promise, which by the time of the Fukushima accident had turned into an expectation, also helped to mitigate the German resentments against nuclear power during the 25 years between the Chernobyl and Fukushima accidents. The system for the remote monitoring of nuclear reactors furthered the emergence of an epistemic community of radioprotection experts, in which radioprotection is envisioned as an exercise of moving people out of the way of radioactivity or otherwise protectig them according to information provided by dose projections.

Framing radioprotection as an assemblage can help to better understand how dose projections became an obligatory passage point during the Fukushima crisis, only to be challenged in this role in the aftermath of the accident by some institutional members of this assemblage, such as the IAEA (2015), which normally assert the usefulness of such technologies for nuclear emergency preparedness (IAEA 2002). According to Callon, an obligatory passage point is a specified course of action (“action program”) constructed around a rationale commonly agreed upon by the actors involved in the issue at stake. In the aftermath of the Chernobyl accident, the availability of computer models able to process vast amounts of data in a way that, in a mechanical objectivist logic, humans would never be able to do, rendered it difficult for anyone to argue against the use of dose projections for decision support in emergencies, regardless of the epistemic issues they might entail. Yet, whereas DSNE systems seem to have stabilized within the radioprotection assemblage after the Chernobyl accident, the controversies surrounding the Fukushima emergency response suggest that the assumptions and beliefs supporting this assemblage ignored the possibility of accidents within accidents; or, in other words, that the technologies, practices, and institutions designed to mitigate residual risk could fail themselves due to the inherent uncertainties affecting them. In the wake of Fukushima, the radioprotection assemblage thus appeared to reflect what Beck (1992) identified as “organized irresponsibility”—a division of responsibilities and competencies oriented towards functionally different subsystems, which may fail to act in a consistent and concerted way when called upon to do so. This realization prompted a reordering of radioprotection regimes around the world, which culminated in the German nuclear phase-out decision from June 2011. Section 6 further discusses the contrasting assessments of the Fukushima emergency response on the basis of two official reports.

2.2 The Epistemic Opacity of Dose Projections

Simulation codes represent the core of DSNE systems. They implement physical and computational models of different meteorological, fluid-mechanical, and radiological phenomena contributing to the atmospheric dispersion and ground deposition of radioactive substances. On that basis, effective doses can be computed for different age groups (i.e., adults, children, and newborns) and regions in the monitored area. The link between models and codes is subsumed in the numerical scheme (i.e., the algorithmic strategy, discretization scheme, and data structures) used to solve the underlying differential equations. For the purpose of visualization, dose projections are overlain on topographic maps of the area surrounding the source of emission, whereby location-specific concentrations of the emitted radioactive material or projected doses in that area are color-coded to facilitate human interpretability. The resulting radiation maps may be regarded as visual representations of radiological risk. In the algorithmic process of transforming meteorological and emission data into radiation maps, numerical effects5 inherent to the models and computational schemes used can articulate themselves in the visualization in ways that may artificially amplify or attenuate the perceived risk in the eye of the viewer—or cognitive agent, to use Humphreys’ (2009) term. Drawing a parallel to the social amplification of risk framework (Kasperson et al. 1988), which sets forth that risk perception may be amplified or attenuated by different ‘social stations’ in a manner reminiscent of electromagnetic signal processing, dispersion model biases—be they numerical, statistical, or visual—might also be conceived in terms of perceived amplifications (or attenuations) of risk affecting the trustworthiness of dose projections. This reflects the limits of visual representations of radiological risk.

The ABR-KFUE system comprises relatively large simulation programs, of several thousand lines of code each, implementing complex algorithms. In some application contexts, these simulation programs (or codes) can be regarded as safety relevant (Ionescu and Scheuermann 2016). Owing to their complexity, large codes contain latent software faults that may remain undetected for a time. Silent faults—that is, faults which do not trigger visible errors yet influence the results of the programs in ways unknown to the users and developers of the system—can hardly be distinguished from inherent model features and biases. Therefore, the members of the atmospheric dispersion modeling community are generally reluctant to tackle latent software faults in a systematic way because it would mean to search for possibly invisible needles in haystacks. Lundestad and Hommels (2007) note that the vulnerability of software is rooted in social and organizational factors. Using Snook’s (2002) theory of practical drift, defined as “the slow, steady uncoupling of practice from written procedure” (p. 194), they argue that even if software developers believe in rules, processes, and practices designed to increase the reliability of software, many of them end up circumventing these accepted norms of the profession for practical reasons, such as to overcome a perceived lack of understanding between developers on the one hand, and managers or users of the software on the other. The chance for latent faults in simulation codes to remain undiscovered also increases with practical drift from sound software engineering methods and practices.

The visualization and implementation issues just mentioned can be related to a problem known as the epistemic opacity of simulation (Humphreys 2009). While the effectiveness of models is usually evaluated in consideration of their capacity or quality to “represent” objects or knowledge accurately (Ionescu and Merz 2018), their operational implementation in code adds a layer of abstraction and opacity to the problem of knowledge representation through models. The necessary translation of knowledge into models and models into code required by the discipline and activity of computer simulation constitutes one of the sources of what Humphreys (2009) calls epistemic opacity—the inability of a cognitive agent to know all the epistemically relevant elements of a computational process at a given moment because “[t]he computations involved in most simulations are so fast and so complex that no human or group of humans can in practice reproduce or understand the processes” (p. 619). As Chen (2005) observes, referring to what he regards the top ten unresolved problems of information visualization, “the complexity of the underlying analytic process involved in most information visualization systems is a major obstacle; end users cannot see how their raw data is magically turned into colorful images” (p. 12). Merz (1999) also notes that simulation codes submit themselves to the “black box” paradigm which means that users can only control the inputs while assuming that the outputs are trustworthy and reliable. As Humphreys (2009) further remarks, the cognitive agent faced with the epistemic opacity of simulation can be an individual or a group. The constantly negotiated, slowly drifting practices and protocols of the community of radioprotection experts determine the ways in which different actors interpret and apply regulatory guidelines, combine different types of expertise in simulation models and practices, and assess the reliability of data and dose projections. The epistemic opacity of dose projections thus seems rooted in the social construction of the radioprotection assemblage just as much as it is a problem of sheer computational complexity. Sections 3 and 4 provide an analysis of these issues in more detail, on the example of the German epistemic community of radioprotection experts.

2.3 Envirotechnical Ignorance

Writing about the Three Mile Island nuclear accident, Perrow (1984) argued that, in large tightly coupled and highly complex technical systems, accidents are “normal” and will continue to occur with a certain regularity. For the evacuees, cleanup workers, and crisis managers of the latest nuclear accident at Fukushima, however, the experience was arguably anything but normal. Whereas experts considered that the accident was triggered by a series of “beyond design basis” causes and failures (Hirano et al. 2012), for other scholars Fukushima was a techno-natural disaster (Felt 2014), a compound disaster (Chhem 2014), the triple disaster from “3/11” (Kinsella 2015), an ‘envirotechnical’ disaster (Pritchard 2012), or one of the most important events of the twentyfirst century (Hindmarsh 2013). Drawing on Perrow’s concept of “eco-system accidents,” which reflects the tight coupling of human-made and natural systems between which “there are few or no deliberate buffers because the designers never expected them to be connected” (p. 222), Pritchard (2012) regards Fukushima as an “envirotechnical disaster” in which the air, the water, and the bodies of cleanup workers became part of an envirotechnical system—the reactor—requiring constant attention because it can never be completely off. As Pritchard further explains with reference to Thomas Hughes’ notion of “open” technological systems, “the concept of envirotechnical system encapsulates and specifically foregrounds this dynamic imbrication of natural and technological systems” (p. 223). Thinking of “the reactor” as of an envirotechnical system also draws attention to the political dimensions of nuclear technology, dominated by the probabilistic thinking that downplays the possibility of concomitant natural disasters, as Pritchard notes. In effect, the probability for a 14-m tsunami to occur was considered ‘beyond imaginable’ by some Japanese plant operators (Pritchard 2012). Yet—as Kinsella puts it—“[i]f Fukushima was beyond its engineering design basis, it was also beyond the ‘limits of representation’ for a sociotechnical system that has exceeded its creators’ vision of control” (Kinsella 2012, p. 252).

These various characterizations of the Fukushima experience point towards the accident’s edifying consequences, from which much can be learned in terms of prevention, control, and mitigation (or the limits thereof). Downer (2011) proposes the term “epistemic accident” to denote “those accidents that occur because a scientific or technological assumption proves to be erroneous, even though there were reasonable and logical reasons to hold that assumption before (although not after) the event” (p. 752). Downer argues that this distinct category of disasters, revealed, for example, by the crash of the Aloha Airlines 243 flight from 1988, contributes to a constructivist understanding of failure with important implications for engineering and technological risk. More specifically, Downer shows how the realization that a corrosive saltwater environment, which—over time—damaged the fuselage of the aircraft servicing the Aloha 243 flight, stunned the community of aeronautical engineers because it revealed a root cause of failure due to metal fatigue previously unknown to experts at that time. Downer identifies as one of the primary reasons for this epistemic blind spot the fact that, metal fatigue tests in the aeronautical engineering domain are deeply theory-laden. In this context, the uncertainties, which—in a constructivist view—pervade scientific knowledge, were exacerbated by the corrosive atmosphere in which the Aloha aircraft regularly operated—a very specific condition that was never replicated in laboratory tests.

Böschen et al. (2010) note that when dealing with unknown factors in their research and applications, different scientific communities develop domain-specific scientific cultures of non-knowledge (or ignorance), which are conceptually related to epistemic cultures (Knorr Cetina 1999). Scientific cultures of ignorance acknowledge that “there can be knowledge about what is not known,” as Gross (2007, p. 742) puts it, and develop ways of dealing with the unknown, including “strategies to react to unexpected results and events” (Böschen et al. 2010, p. 788). As Böschen et al. (2010) note, “such events … may be taken as a hint that the initial assumptions about the object in question were fundamentally wrong” (p. 789). In this sense, the German and Japanese responses to the accident revealed a kind of envirotechnical ignorance6 consequential to the social construction of the radioprotection assemblage, notably the collectively held belief that severe accidents are unconceivable in highly technologized countries and moderate ones manageable. Envirotechnical ignorance refers to a lack of knowledge and awareness of the tightly coupled processes and potentially hazardous interactions between technology, humans, and nature—inherent to any envirotechnical system—revealed by epistemic accidents. At Fukushima-Daiichi, the hypothethicality of nuclear incidents and accidents—to use Vehlken’s (2016) term—as conceived by nuclear safety and radioprotection experts, reached out of the reactor building into the environment in a way that was previously unaccounted for by the members of this epistemic community. Beck (1996) distinguishes between non-knowledge (or ignorance) that (1) one does not wish or need to know and (2) cannot be known. The envirotechnical ignorance revealed by the Fukushima accident arguably finds itself between these two categories. For one thing, an accident of this scale had not been considered possible by the better part of the epistemic community of radiological protection experts. Therefore a series of potential “envirotechnical complications,” such as those resulting from the abysmal combination of an earthquake, tsunami, and failures beyond the engineering design basis of the nuclear plant, have been ignored in the constitution of DSNE systems—perhaps in an attempt to control the overall complexity of the system. For another, some of these unforeseen complications, such as the flooding of the diesel generators, which led to a multi-source release of radioactive materials in several phases, have proven easy to represent as a new accident scenario in DSNE systems, requiring only a few modifications. Section 5 provides a more detailed analysis of these issues on the example of the German response to the Fukushima accident.

3 Latent Coding Faults in the Context of the Verification-Validation Dialectic

While the members of the epistemic community of radioprotection experts are generally committed to supporting regulators and emergency managers, the degree of their commitment to a predefined set of beliefs, norms, values, and practices may vary from one country or group to another. These variations reflect the social construction of different radioprotection regimes and modeling cultures. As Haas (1992) notes, the members of an epistemic community have “intersubjective, internally defined criteria for weighting and validating knowledge in the domain of their expertise” (p. 3). For example, the Initiative on” Harmonisation within Atmospheric Dispersion Modelling for Regulatory Purposes” (short, Harmo)7 endorses two model validation kits, following seemingly contradictory methodologies. Referring to the main validation kit, the description of the alternative validation kit states that “[t]he results from the Model Validation Kit should be interpreted with care, because it does not explicitly address the question of stochastic nature of observed concentrations” (Harmo.org 2018). A few sentences later, however, it acknowledges that “[t]here are some issues with the [alternative] ASTM procedure that are not fully resolved and deserve further attention.” The problems and practices associated with the verification, validation, and testing of simulation models and codes seem dialectical within the dispersion modeling community. Furthermore, the absence of a clear distinction between simulation codes as software; and models as representations of reality within this community can be traced back to the question of whether validation and verification should be viewed as qualitatively different activities. Winsberg (2010), for example, argues that the conceptual division between validation and verification can be misleading if the focus is put on the methods used to achieve either of the two. Oreskes et al. (1994) note that, as opposed to verification, validation does not necessarily denote an establishment of truth but of legitimacy, whereas the verification of numerical solutions is usually performed by comparison with analytical solutions considered to reflect a theoretical truth. As these authors further note, the two terms are used erroneously, either as synonyms or with “validation” entailing the assertion that the model accurately represents some physical reality. However, as other authors observe (Hook and Kelly 2009; Merali 2010), such debates do not consider the social dimension of coding as an error-prone human activity. In this sense, Neumann (1994) provides dozens of examples of disasters caused by pure coding faults in computer models. The distinction between simulation codes as software and simulation models as constructs of reality requires the existence of a distinction between testing software and a philosophical argument around the notions of validation and verification in the mindset of modelers.

One of the paradoxes entailed by the principle that verification and validation must always imply comparisons with measured data is that testing is reduced to a limited number of input cases reflecting only instances in an entire history of realizations of the phenomena being modelled. As Oreskes et al. (1994, p. 642) put it, “[w]hat we call data are inference-laden signifiers of natural phenomena to which we have incomplete access.” While measurement data from experiments and accidents, such as the ones from Chernobyl and Fukushima, represent invaluable epistemic resources for modelers, these datasets are limited in number and will hopefully remain so. As Vehlken (2016) notes, some aspects of nuclear technology cannot be tested at all by means of experiments because of insurmountable physical and social difficulties. In this context, the practice of relating the outputs of one’s model to a limited set of measured data contrasts with the principles of code and input space coverage by test cases. Test coverage criteria aim at stressing the limits of the software being tested to the end of finding more faults rather than making the software behave as expected for a limited set of input cases. In this sens, latent software faults in simulation codes pose a particular challenge, the tackling of which may require an additional toolbox of methods from the software reliability domain. Testing can be a costly, repetitive, and unattractive task especially for scientists (Merali, 2010), for whom it becomes more attractive and “publishable” if real data are used. At the same time, scientists often seem reluctant to publish their code (Barnes, 2010), thus preventing interested peers and members of the public from participating to the search for software faults in simulation codes. Currently, more effective testing methods exist, such as random testing, which, however, are not easy to use even by software engineers. Testing requires an intense preoccupation with the problem of revealing the maximum number of faults before releasing the software, regardless of the nature of those faults. Observing that there are very few published methods and studies aimed at finding and removing pure coding faults (or mistakes) from scientific software, Hook and Kelly (2009) propose a new testing activity, called code scrutinization, which is to be carried out before verification and validation; and show that random and mutation testing can successfully be used for code scrutinization. In spite of these promising results, there are reasons to believe that code scrutinization will not be picked up by all members of the scientific community because it is likely beyond their research interests. Addressing a new source of uncertainty in dispersion models owing to software faults is met with reluctance by some members of the Harmo community as well, whose strategic purpose is to obtain funding for atmospheric release experiments. Also, code scrutinization does not guarantee the elimination of all existing software faults. This suggests that, with the current testing, validation, and verification methods and practices, the trustworthiness of simulation codes cannot be fully guaranteed.

The validation-verification dialectic as well as the distinction between models and codes (or lack thereof) also reverberates upon the ability of experts to distinguish between inherent model features and flaws, numerical effects, and coding faults. This may lead to situations in which latent faults remain undetected for years in simulation codes. In the course of the development of the ABR-KFUE system, it became evident on a number of occasions that latent faults existed in the codes. Whenever such a fault was discovered, the experts from the ABR-KFUE group analyzed its root causes, removed it, and released a new version of the system. In the remainder of this section we discuss two examples that we consider relevant with respect to the epistemic opacity of simulation codes, as perceived by the members of the ABR-KFUE group.

The first example deals with a scaling error in the gamma submersion code,8 which remained undetected for about 5 years. The scaling error was introduced when the developers of the system were required by a new regulatory guideline to extend the radius of the monitored area from 50 to 100 km. In order to avoid increasing the computation time given the new problem size, the developers chose to increase the size of the grid cells used to discretize the three-dimensional space surrounding the monitored sites while keeping the number of cells unchanged. In the old code, the optimization of the gamma submersion dose computation was based on a set of precomputed parameters generated using a legacy program, which was no longer available. Because the developers did not fully understand the role and meaning of those parameters, provided in form of a static file, they ignored them. The resulting bug remained unnoticed for several years, although the new version of the code computed in some cases doses 5 times higher than what would be normally expected. This was partly due to the fact that the maximum concentration is determined by dispersion models as a function of the overall distribution of concentrations within a given area and time frame. The maximum concentration needs to be calibrated using experimental data for any given combination of topography, weather, and emission data. With the maximum concentration being a model variable without meaning in the absence of a reference to measured data, to which—however—all other concentration values in the model area are mathematically linked through the mass conservation law, this example also illustrates how verification and validation of dispersion models are intrinsically coupled.

The opaque dependency on precomputed parameters represents a good example of what Wimsatt (2007) calls generative entrenchment: “A deeply generatively entrenched feature of a structure is one that has many other things depending on it because it has played a role in generating them” (p. 133).9 Owing to missing documentation, this dependency appears to be a symptom of practical drift (Snook 2002, p. 194). As Lundestad and Hommels (2007) note with regard to software development, practical drift can be understood as an unwanted yet unavoidable progressive derogation from software engineering processes and best practices rooted in social and organizational factors. Considering that DSNE systems have only come under serious scrutiny in the wake of nuclear accidents, there was sufficient time for practical drift to occur as well as for fluctuations in policies, funding, and personnel to affect the practices of the ABR-KFUE group. To better understand how trust in simulation software can emerge and be upheld in these circumstances, the ABR-KFUE group should be regarded as a multidisciplinary thought collective.10

Fleck (1979) defined a thought collective as a community of persons mutually exchanging ideas or maintaining intellectual interaction. The members of a thought collective both adopt a certain way of perceiving and thinking; and transform it continuously, whereby this transformation happens both in their minds and in the interpersonal space between them. A thought collective is likely to develop a certain thought style reflecting the members’ way of perceiving and thinking as well as interpersonal relationships. While the members of the ABR-KFUE group had different backgrounds, ranging from meteorology, physics, and engineering to computer science, over the years, the frequent meetings (at least 4 per year) brought them closer together from an epistemic point of view, thus creating the premises for the emergence and cultivation of a specific thought style. Members shared the common purpose of developing and improving the ABR-KFUE system through regular exchanges of ideas, concerns, and joint drills and exercises with representatives of the environment ministry and NPP operators. Being at the core of all these activities, over the years the ABR-KFUE system not only gained a degree of autonomy, as Winsberg (2010) observes about simulation models in general, but also a certain epistemic authority within the group, reaching the status of what might be called a non-human expert. Members trusted the results of the system just as much as they would trust the opinion of another colleague on a certain matter—until a more critical spirit finally questioned the authority of the system while conducting a routine calculation, which led to the discovery of the scaling error. Since there was no a priori sense within the group for what a gamma submersion dose projection would look like for the extended monitored area, most members did not question the epistemic authority of the system—a black box to them, which obscured the practices of its authors. As for the actual developers of the code—a minority within the group—the generative entrenchment caused by the natural churn of scientific personnel at the IKE induced a certain reluctance to grapple with the poorly documented legacy codes, unless really required to do so.

Another example of a long lived latent fault in the ABR-KFUE system is that of an erroneous parameterization of one of the six atmospheric stability classes, depicted in Fig. 1, used by the atmospheric dispersion code. Depending on wind speed and solar radiation intensity, these empirically determined stability classes have a direct influence on the radiation dose because, in more unstable conditions, represented by the classes A-C, the diffusion process caused by turbulence helps to spread the radioactive trace species over a larger area of the atmosphere. The table in Fig. 1 shows that the most commonly encountered stability classes are C and D. Influenced by the scenarios of the drills conducted yearly at one or two NPPs and by the weather conditions during those drills, the users of the system usually carried out their routine simulations using the most commonly encountered atmospheric stability classes. One user of the system eventually observed that for the stability class E, the horizontal spread of the plume was excessive. The fault, caused by an erroneous parameterization of the E class, was discovered in the course of the German model calibration study carried out after the Fukushima accident, discussed in more detail in the next section. A rule of thumb from reliability engineering states that, the less common an input case is, the more likely it is for it to activate a latent fault. Under the influence of their habits and practices, the users and testers of the systems usually limited their scope to the most common input cases. In this context, if one regards the entire ABR-KFUE expert group as a collective cognitive agent, then epistemic opacity is due also to the habits, practices, and thought style cultivated by its individual members. In other words, it is socially constructed.
Fig. 1

Pasquill–Gifford stability classes.

Source: Burton (2018)

4 Visual Inspection and Model Inter-Comparisons

The most common way of testing DSNE systems is to visually inspect the dose and concentration projections they produce. Experts visually check radiation and concentration maps for plausibility, confronting them with their expert knowledge about the phenomena being simulated. This practice, although less systematic than validating against real data or the verification methods proposed, for example, in the guideline 3945 issued by The Association of German Engineers (VDI 2000), is worth cultivating because, given its popularity, it is probably the one that facilitated the discovery of most anomalies and coding faults so far. However, to avoid confirmation bias, visual inspection should be accompanied by some curiosity and randomness in choosing the input cases. This is how, for example, the systematic scaling error from the ABR-KFUE system was eventually discovered.

Through visual inspection, experienced users are able to judge with a reasonable level of confidence whether the following input parameters have been correctly accounted for in atmospheric dispersion simulations: Wind direction, wind speed, and atmospheric stability class (or diffusion category) by inspecting the orientation of the plume; the length and shape of the plume by correlating them with the wind speed and the atmospheric stability class; and, to some extent, the concentration and dose levels indicated by the color-coding scheme. What even experienced users may not be able to check for plausibility by mere visual inspection include the following characteristics of dose projections less evident to the eye: The maximum dose level, since this is one of the very unknowns the system is called upon to forecast; the extent to which the spatial distribution of dose values in the monitored area obeys a Gaussian distribution, as it is supposed to do in theory (Etling 2008); and the relation of a particular simulation result (which is yet to be verified) to already verified reference results. In addition, one of the pitfalls of common visualizations of concentrations and doses is induced by the default logarithmic scale used by DSNE systems. Logarithmic scales can obscure model flaws and numerical effects, which may contribute to a perceived amplification or attenuation of risks, respectively, in different regions of the monitored area, by making small concentration and dose values appear greater, and vice versa. As shown in Fig. 2, the logarithmic scale used in the plot on the right-hand side obscures the dotting effect of the RIMPUFF model, which becomes more evident when using a linear scale (left hand side plot). The logarithmic scale may also induce a perceived amplification of risk, whereas the inverse effect might be expected when using a linear visualization scale. This pitfall arguably exposes the limits of radiological risk representation through radiation maps.
Fig. 2

Visualization of a simulation result produced by the RIMPUFF code (Thykier-Nielsen et al. 1999) using a linear scale (left) and a logarithmic scale (right).

Source: Ionescu (2013)

Staying within the epistemic boundaries of a single model when conducting verification and validation entails a series of disadvantages, some of which could be related to the inability of modelers to escape the thought style of one’s work group. Comparing different models based on their results promises more rewarding outcomes in terms of identifying and elucidating anomalies and faults. Model inter-comparisons require different institutions to provide access to their systems or to decide upon a set of input cases and to share the results produced by their models for those cases. Like in the case of single-version verification and validation, within the epistemic community of radioprotection experts, visual inspection appears to be one of the preferred method for inter-model comparisons. Depending on the results of such exercises, experts may dig into their own code base to elucidate any anomalies revealed by the comparison with the results of other models. Since visual comparisons do not distinguish between inherent model features, biases, and software faults, the purpose of model inter-comparisons is to also facilitate focused discussions between experts from different institutions based on specific input cases. Here another source of socially motivated epistemic opacity arises from secrecy; since, usually, experts and members of the public do not have access to the source code and thought styles of other groups.

While occasional inter-institutional model comparisons have been carried out before 2011 as well, the Fukushima accident provided reasons to conduct more systematic comparative studies of the atmospheric dispersion models used in Germany and Switzerland. One of these reasons was that the various dose projections for the Fukushima Daiichi accident site, published in different official reports on the accident, scientific journals, and the media were so different, both qualitatively and quantitatively, that reasonable doubt arose concerning their usefulness in real emergencies. Consequently, in 2012 the German Federal Office for Radiation Protection (BfS—Bundesamt für Strahlenschutz) commissioned a comparative study of the atmospheric dispersion and dose projection models used in Germany and Switzerland (BfS 2016), which confirmed these concerns.

The study showed that, given the same inputs, different models produced qualitatively different results in many of the tested input cases (Fig. 3 shows an example). The authors of the BfS study (themselves members of the groups developing the systems being compared) concluded that different models using identical input and calibration parameters may lead to different recommendations of countermeasures in a real emergency. Therefore, they called for the harmonization of dose projection models on an international level, especially in cooperation with Germany’s neighboring countries (BfS 2016). The authors of the study also pointed out that existing experimental data are insufficient for validating the models and requested that “dispersion experiments” with non-radioactive tracers and emission phases of several hours should be conducted, especially for emission source distances ranging from 10 to 100 km.
Fig. 3

Effective doses projected by four models used in Germany (from left to right: ABR-KFUE, ATSTEP, DIPCOT, and RIMPUFF) for an area of 100 × 100 km (top) and 25 × 25 km (bottom).

Source: BfS (2016)

The BfS comparative study provides insights into how an entire epistemic community went about the problem of epistemic opacity in the aftermath of the Fukushima-Daiichi accident. Much like the ABR-KFUE group, the epistemic community of radioprotection experts may be regarded as a collective cognitive agent tasked, among other things, with facilitating the collaboration in an eventual joint emergency response effort at the federal and international levels. In this sense, the BfS report suggests that, to avoid confusion and to facilitate collaboration, members and groups from different countries and federal states should take steps towards “harmonizing” their guidelines and regulations concerning civil protection measures in order to allow for each state and country to use their own DSNE system(s) in a real emergency. This is to say that, given the inherent differences between their models, the different groups participating in the study agreed to disagree concerning their own modeling cultures but promised to make efforts towards improving collaboration in spite of these differences. This interpretation suggests that the chosen way of tackling the epistemic opacity of dose projection models was to defer to responsibility and accountability for the tools and methods used in one’s own backyard. This mindset allows for the coexistence of parallel modeling cultures and simulated realities embedded in the local regulatory cultures of different federal states and countries. Also, considering the large number of back-to-back radiation maps presented in the study, the method of visual inspection seems to be indeed the de facto community standard for learning about models and codes. This is understandable considering that, in a real emergency, decision makers will also use visual dose projections to plan protective countermeasures.

5 Epistemic Consequences of Fukushima for DSNE Systems

Shortly after the onset of the accident, the ABR-KFUE group received a request from the environment ministry of Baden-Württemberg to perform an atmospheric dispersion forecast using the source term (i.e., the quantity and nature of radioactive materials and the duration of the release) and meteorological data from the Fukushima-Daiichi site. The goal was to test the ABR-KFUE system in a real situation in which data are sparse and the crisis communication is performed under tremendous pressure. This was part of an effort by nuclear experts all around the country to rehearse civil protection protocols in a global crisis situation. In response to the ministry’s request, IKE experts used data provided by the German Society for Facility and Reactor Safety (GRS), which were insufficient to evaluate the possible consequences of the accident without a high level of uncertainty. For this reason, they were given license to make assumptions as necessary based on their experience and expertise. As the accident unfolded, the release of radioactive materials continued over days and weeks, with four main emission phases from different sources, which were clearly visible in the source term compiled by the GRS. However, the ABR-KFUE system only supported single-source releases since an accident with several emission phases and sources had not been explicitly foreseen in the accident scenarios, the regular drills, and guidelines for nuclear emergency response. In these circumstances, the experts decided to adapt the ABR-KFUE system impromptu in order to provide the requested simulation results as rapidly as possible. They prepared a special accident category with several emission phases and four sources of emission, which was added to the existing list of accident categories supported by the system for bootstrapping the emission codes. Although the required adaptations were relatively uncomplicated, they took several days to implement. In addition, the model area had to be increased, the meteorological data had to be prepared manually, and the topography of the Fukushima site, reaching as far as Tokyo, had to be added to the database of the system. Eventually the ABR-KFUE system was able to produce a result (Scheuermann et al. 2011), which looked similar to the ones published by the Japanese authorities.

Prior to the accident, predefined inputs for the source term based on so-called release categories, determined as part of two German risk studies from 1979 and 1990 (Schmid and Schnadt 2004), were used by the ABR-KFUE system. These release categories foresaw a maximum release time of 6 h, whereby the most severe of them was based on a core meltdown scenario with a single emission phase and source. The limitation of the system to one emission phase per simulation may thus be attributed to a kind of envirotechnical ignorance concerning the tightly coupled physical interactions between normal and extreme natural processes, nuclear reactors, and their active safety systems. At Fukushima, the tsunami wave, the plant protection wall, the water affecting the diesel generators, and the rising temperature caused by the ongoing radioactive decay process interacted in unprecedented ways. This abysmal combination of factors ultimately led to a scenario beyond that of the maximum credible accident—the term used by nuclear experts for worst case scenarios on the basis of which the safety systems of nuclear reactors are designed. Since Fukushima had exceeded the maximum credible accident scenario in scale and severity, it also produced knowledge which was not represented in the ABR-KFUE system before. The epistemic accident at Fukushima thus revealed a scenario previously unforeseen by experts. In response, the system was upgraded to allow for several emission phases and sources. The failure to account for an accident with several emission phases of long durations can also be attributed to the “limits of representation” (Kinsella 2012) with respect to the maximum credible accident scenario. This epistemic blind-spot was arguably the product of a collectively held belief that in Germany such an accident would not be possible, reinforced by the risk studies from 1979 to 1990. In this light, the experts’ decision to adapt the ABR-KFUE system impromptu so as to be able to produce a dose projection for the Fukushima site may be interpreted as a reflex reaction aimed at restoring the “closed world” imagination of controllable accidents underpinning the German post-Chernobyl radioprotection assemblage. While experts argued that a similar combination of factors and events that led to the Fukushima disaster would not be possible in Germany, a different scenario leading to an accident of comparable scale (including multiple radioactive emissions from different reactors) cannot be reasonably excluded.

6 Expectations and Assessments of the Fukushima Accident Response

The nuclear emergency response of the Japanese authorities was criticized in the media (Von Hippel 2011; Ionescu 2012; Jones et al. 2013), by members of the public (Plantin 2015; Riedlinger and Rea 2015; Kera et al. 2013), and in different official reports on the Fukushima accident. Some of these reports reflect contradictory expectations of the role of DSNE systems during the Fukushima crisis, notably the one issued by an independent commission appointed by the Japanese Diet (The National Diet of Japan 2012) and that of the International Atomic Energy Agency (IAEA 2015). In the section about nuclear emergency response, the independent commission’s report notes that the “chaotic evacuation orders” were revised several times in one day and that some evacuees were sent to areas which later turned out having high levels of radioactivity (p. 38). The report further criticizes the Japanese practices of preparedness, including the use (or misuse) of the radiation measurement and dose projection systems:

[The] government also failed to assume a severe accident or a complex disaster in its comprehensive nuclear disaster drills. As the scope of the drills expanded, they lost substance, and were performed for cosmetic purposes, rather than to develop preparedness. The irrelevant drills were lacking instruction in the necessity of using tools such as the radiation monitored information from SPEEDI [System for Prediction of Environment Emergency Dose Information]. Though it was applied in the annual drills, participants found the drills useless at the time of the accident” (p. 38).

To sustain this assessment, the authors reiterate some of the regulatory guidelines and expectations concerning the role of DSNE systems in Japan, which seem analogous to the German ones:
The Emergency Response Support System (ERSS) and SPEEDI are in place to protect public safety. The environment monitoring guideline assumption is that ERSS predicts and forecasts the release of radioactive substances and release data, and SPEEDI predicts and forecasts the spread of radioactive materials based on ERSS. Public safety measures, including those for evacuation, should be planned based on the use of these systems. […]

The system failed. The emission data could not be retrieved from ERSS, and the government was unable to use the SPEEDI results in planning protection measures and fixing evacuation zones. (p. 38).

As the report suggests, the Japanese regulatory expectations of preparedness for a nuclear accident assumed a working DSNE system in place at the time of the accident. Without taking into consideration the circumstance of the situation, notably the lack of measurement data and the inherent limitations of the simulation-based SPEEDI system, the report finds that these expectations were not met in practice. This point of view is shared by several commentators of the Fukushima evacuation controversy (Schäfer 2016; Funabashi and Kitazawa 2012; Yamawaki 2017). In contrast to the Three Mile Island and Chernobyl accidents, human error on the part of plant operators played a relatively minor role in the root cause analysis of the “beyond design basis” accident at Fukushima Daiichi. The Independent Commission found, however, evidence of it in the authorities’ response to the accident, thus putting the burden of accountability on emergency managers. This may also be interpreted as a shift from prevention to preparedness in the Japanese regulatory culture, as Schmid (2016) observes.
In contrast to the Independent Commission’s report, the IAEA guideline for nuclear emergency preparedness and response recommends that initial decisions upon countermeasures be taken on the basis of simple criteria that rely on observable data and not on dose projection models, which may entail “great uncertainties” before and during a release (IAEA 2002, p. 286). In this sense, the IAEA report on the Fukushima accident (IAEA 2015) notes that, although

“[t]he [Japanese] emergency response plans envisaged that decisions on protective actions would be based on dose projections [using SPEEDI] performed at the time when a decision was necessary… [t]his approach was not in line with IAEA safety standards, which stipulate that the initial decisions on urgent protective actions for the public need to be based on plant conditions” (IAEA 2015, p. 44).

These contradictory expectations of the role of DSNE systems in real emergencies may have induced a state of indecision with the Japanese nuclear emergency managers. Yamawaki (2017), for example, notes that one of the main reasons for doubting the utility of dose projections was the concern that the wind direction might suddenly change. Therefore, experts were reluctant to release the forecasts of the SPEEDI system in the first place. While both reports acknowledge that dose projection models can facilitate a more comprehensive diagnosis of the radiological situation based on measured meteorological and emission data, there appears to be a lack of consensus concerning the trustworthiness of dose projections based on weather forecasts and inconsistent emission data. This lack of consensus may be explained by the different contexts in which the IAEA and national regulatory agencies operate. Whereas the latter context entails a dimension of political accountability rooted in a mitigation principle which holds that even unreliable dose projections are better than no projections at all, the international and professional perspective advocated by the IAEA seems rooted in a deterministic paradigm of precaution, which considers that a sound national regulatory culture can warrant reactor safety. In the wake of Fukushima, the constructivist, mitigation-oriented view of the Independent Commission and the deterministic, precautionary principles advocated for by the IAEA in its role as an expert advisory body thus appeared to challenge each other, with the latter reflecting the dominant view within the nuclear community.

7 Conclusion

The apparent disagreement between the dose projections published during the Fukushima accident prompted a series of questions and controversies about the exact role and usefulness of such simulations in planning emergency response measures. As I have argued, the epistemic opacity affecting atmospheric dispersion simulations and dose projections produced by DSNE systems challenges the trustworthiness of such tools when used in real emergencies. The ‘envirotechnical ignorance’ of radioprotection experts—that is, a lack of knowledge and awareness of the tightly coupled processes and potentially hazardous interactions between technology, humans, and nature revealed by the epistemic accident at Fukushima—raised additional concerns regarding the overall usefulness of these systems. In this sense, the German response to the accident showed that DSNE systems were unable to account for the complex envirotechnical failures that caused the Fukushima accident without impromptu adaptations. This experience revealed the limits of representation concerning the maximum credible accident scenario in the context of the German radioprotection assemblage.

One of the lessons learned from Fukushima is that dose projection models and DSNE systems are out there and they will be used, one way or another, regardless of the issues addressed in this paper. In a way, the accident pushed the problems associated with using these systems in real emergencies into public debate, thus drawing upon them the scrutiny of various publics and political actors. In Japan as in Germany, DSNE systems seem to have become an ‘obligatory passage point’ (Callon 1984) in nuclear emergency management and indispensable components of the radioprotection assemblage. In spite of the Fukushima experience, in Germany there still appears to be a general consensus among experts about the positive role of these systems in planning evacuations and countermeasures in nuclear emergencies. This is understandable considering that, over the past three decades, the routines and practices of nuclear emergency task forces were developed and rehearsed with DSNE systems in mind and at hand. Consequently, these systems gained epistemic authority in the interdisciplinary thought collectives that create and operate them. Today, regular drills and exercises with radioprotection experts, emergency managers, and NPP operators would be inconceivable without the use of DSNE systems.

The Fukushima experience thus points to an unresolved tension related to the question of whether or not to use DSNE systems in crisis situations, considering the diverse sources of uncertainty affecting them. In the logic of national regulatory systems, not using such systems can be interpreted as an institutional breakdown caused by the rejection of uncertainty at the expense of ignoring incomplete yet valuable knowledge; whereas, in the deterministic-precautionary logic of the IAEA, using dose projections for emergency response planning is conditioned by their provable reliability and trustworthiness. This tension is further deepened by the social construction of the radioprotection assemblage within which various individual and collective cognitive agents—ranging from experts, thought collectives, and epistemic communities to political actors and publics—are confronted with the epistemology of dose projections in critical situations. A possible way out of this impasse could be to accept dose projections for what they are—a source of incomplete, uncertain, yet potentially valuable knowledge, which needs to be confronted with the tacit knowledge and experience of radioprotection experts as well as with the input of other relevant cognitive agents, including members of the public and lay experts, in order to gain trustworthiness and acceptance in any given situation. And, as Schmid (2012) suggests, at least some room for improvisation should be left in emergency response plans and protocols so as to be able to tolerate uncertainty and mistakes.

Finally, it should be noted that the current paper merely scratches the surface of the issue of radioprotection regimes in Germany, Japan, and worldwide. A more detailed analysis is needed with regard to questions of responsibility and accountability for decisions and countermeasures, such as evacuations, on the basis of the ongoing Fukushima experience. Jobin (2012), for example, opened the way in this regard by arguing that radioprotection regimes are not able to provide all the help needed by the people directly affected by the Fukushima accident. Also, a broader discussion of the German nuclear phase-out decision with reference to the German radioprotection assemblage and its implications for the discourse of nuclear power in that country is still missing in the literature.

Footnotes

  1. 1.

    The Name ABR-KFUE is an abbreviation of the German Ausbreitungsrechnung für die Reaktorkernüberwachung, which literally translates to atmospheric dispersion calculation for the remote monitoring of nuclear reactors.

  2. 2.

    The original German name of the law is “Strahlenschutzvorsorgegesetz (StrVG), 19.12.1986, BGBI. I S. 2610.”

  3. 3.

    In Germany, a preliminary nuclear phase-out decision was first taken in 2000 by the then governing Ecologist-Socialist coalition. In 2010, the conservative-ciberal government led by Angela Merkel extended the lifetime of several reactors, an act regarded by the members of the nuclear community as a first important step towards the rescindment of the phase-out decision from 2000. Less than 1 year later, prompted by the Fukushima accident, the same government returned to the phase-out plans from 2000.

  4. 4.

    Residual risks are hazards that are unknown or have a very low likelihood of becoming a threat and therefore are not accounted for in the design of reactor safety systems (Ionescu 2013). The term is routinely used by nuclear experts to bundle all potentially hazardous factors that cannot be represented using numerical risk assessment methods. Borrowed from the fields of economics and medicine, the term seems to minimize the significance and inherent nature of the risks it aims to describe, while revealing the “limits of representation” (Kinsella 2012) of nuclear risk assessment as a discipline.

  5. 5.

    In computational science, numerical effects represent known systematic biases induced by the specific scheme used to discretize the model and implement it in machine-interpretable code (also called numerical scheme). These effects are usually observable in simulation results but cannot be removed due to the inherent semantics of the model and numerical scheme used.

  6. 6.

    English dictionaries define ignorance as a lack of knowledge, education, or awareness. Here, it is by no means meant in a pejorative sense but merely used as a less clumsy synonym for “non-knowledge.”

  7. 7.

    Harmo stands for the Initiative on “Harmonisation within Atmospheric Dispersion Modelling for Regulatory Purposes”. According to its official website, Harmo organizes workshops and conferences aimed at promoting new-generation atmospheric dispersion models and improving modelling culture (Harmo.org 2018).

  8. 8.

    The term gamma submersion denotes the exposure through gamma radiation from radioactive aerosols and gases in the atmosphere.

  9. 9.

    Lenhard and Winsberg (2010) discuss this property of systems in relation to computer simulation.

  10. 10.

    Here we use the notion of a thought collective to refer to a group of members from the epistemic community of radiation protection professionals which are close to each other in purpose, thought, and mood due to their affiliation with a specific institution. However, as Haas (1992) notes, an entire epistemic community may also be regarded as a thought collective.

Notes

Acknowledgements

Open access funding provided by TU Wien (TUW). I would like to thank the two anonymous reviewers for their insightful and detailed suggestions, which helped me to improve this manuscript to a considerable extent.

References

  1. Barnes, N. (2010). Publish your computer code: It is good enough. Nature News, 7317(467), 753.Google Scholar
  2. Beck, U. (1992). Risk society: Towards a new modernity. London: SAGE.Google Scholar
  3. Beck, U. (1996). Wissen oder Nicht-Wissen? Zwei Perspektiven reflexiver Modernisierung. In: U. Beck, A. Giddens, & S. Lash (Eds.), Reflexive Modernisierung (pp. 289–315). Frankfurt am Main: Suhrkamp.Google Scholar
  4. BfS. (2011). Anlagenspezifische Sicherheitsüberprüfung (RSK-SÜ) deutscher Kernkraftwerke unter Berücksichtigung der Ereignisse in Fukushima-I (Japan). Salzgitter: Bundesamt für Strahlenschutz.Google Scholar
  5. BfS. (2016). Vergleich aktuell eingesetzter Modelle zur Beschreibung der atmosphärischen Ausbreitung radioaktiver Stoffe. Salzgitter: Bundesamt für Strahlenschutz.Google Scholar
  6. Böschen, S., et al. (2010). Scientific nonknowledge and its political dynamics: The cases of agri-biotechnology and mobile phoning. Science, Technology and Human Values, 35(6), 783–811.Google Scholar
  7. Burton, R. R. (2018). Atmospheric dispersion. [Online]. http://homepages.see.leeds.ac.uk/~lecrrb/dispersion/index5.html. Accessed May 08, 2018.
  8. Callon, M. (1984). Some elements of a sociology of translation: Domestication of the scallops and the fishermen of St Brieuc Bay. The Sociological Review, 32(1_suppl), 196–233.Google Scholar
  9. Chen, C. (2005). Top 10 unsolved information visualization problems. IEEE Computer Graphics and Applications, 25(4), 12–16.MathSciNetGoogle Scholar
  10. Chhem, R. K. (2014). Radiation medical science center, Fukushima Medical University. Fukushima, Radiation Medical Science Center, Fukushima Medical University.Google Scholar
  11. Chino, M., Ishikawa, H., & Yamazawa, H. (1993). SPEEDI and WSPEEDI: Japanese emergency response systems to predict radiological impacts in local and workplace areas due to a nuclear accident. Radiation Protection Dosimetry, 2–4(50), 145–152.Google Scholar
  12. Downer, J. (2011). “737-Cabriolet”: The limits of knowledge and the sociology of inevitable failure. American Journal of Sociology, 117(3), 725–762.Google Scholar
  13. Edwards, P. N. (1997). The closed world: Computers and the politics of discourse in Cold War America. Cambridge, MA: MIT Press.Google Scholar
  14. Etling, D. (2008). Theoretische Meteorologie: Eine Einführung. Heidelberg: Springer.Google Scholar
  15. Felt, U. (2014). Knowledge claims and forms of expertise in the context of a techno-natural disaster. Fukushima, Radiation Medical Science Center, Fukushima Medical University.Google Scholar
  16. Fleck, L. (1979). Genesis and development of a scientific fact. Chicago, IL: University of Chicago Press.Google Scholar
  17. Friedrich, A., et al. (2017). Technisches Nichtwissen. Jahrbuch Technikphilosophie. Baden-Baden: Nomos Verlagsgesellschaft mbH & Co. KG.Google Scholar
  18. Funabashi, Y., & Kitazawa, K. (2012). Fukushima in review: A complex disaster, a disastrous response. Bulletin of the Atomic Scientists, 68(2), 9–21.Google Scholar
  19. Gross, M. (2007). The unknown in process: Dynamic connections of ignorance, non-knowledge and related concepts. Current Sociology, 5(55), 742–759.Google Scholar
  20. Günther, U., & Dietz, T. (1987). Vom Strahlenschutz zur Informationsherrschaft über Strahlen-Das Strahlenschutzvorsorgegesetz 1986. Kritische Justiz, 20(1), 53–59.Google Scholar
  21. Haas, P. M. (1992). Introduction: Epistemic communities and international policy coordination. International Organization, 46(1), 1–35.MathSciNetGoogle Scholar
  22. Harmo.org. (2018). Harmo.org. [Online]. http://www.harmo.org/kit/ASTM_reference.asp. Accessed May 08, 2018.
  23. Hindmarsh, R. (2013). Nuclear Disaster at Fukushima Daiichi: Introducing the Terrain. In R. Hindmarsh (Ed.), Nuclear Disaster at Fukushima Daiichi: Social, Political and Environmental Issues (pp. 1–21). London & New York: Routledge.Google Scholar
  24. Hirano, M., et al. (2012). Insights from review and analysis of the Fukushima Dai-ichi accident: Fukushima NPP accident related. Journal of Nuclear Science and Technology, 49(1), 1–17.Google Scholar
  25. Hook, D., & Kelly, D. (2009). Testing for trustworthiness in scientific software. In Proceedings of the ICSE workshop on software engineering for computational science and engineering (pp. 59–64). IEEE Computer Society.Google Scholar
  26. Humphreys, P. (2009). The philosophical novelty of computer simulation methods. Synthese, 169(3), 615–626.MathSciNetGoogle Scholar
  27. IAEA. (2002). Regulatory control of nuclear power plants part A (Textbook). In Training course series (no. 15). Vienna: IAEA.Google Scholar
  28. IAEA. (2015). The Fukushima Daiichi accident: Technical volume 3/5—Emergency preparedness and response. Vienna: IAEA.Google Scholar
  29. Ionescu, T. B. (2012). Communicating in Germany about the Fukushima accident: How direct encounter beat media representations. Environmental Communication: A Journal of Nature and Culture, 6(2), 260–267.Google Scholar
  30. Ionescu, T. (2013). Reliability of decision-support systems for nuclear emergency management. Stuttgart: IKE—Universität Stuttgart.Google Scholar
  31. Ionescu, T., & Merz, M. (2018). Cyber-physical production: Models and enactment of the smart factory. Arbeits- und Industriesoziologische Studien, 11(2), 247–261.Google Scholar
  32. Ionescu, T. B., & Scheuermann, W. (2016). Architecting safety-critical decision-support systems for nuclear emergency management. it-Information Technology, 58(1), 49–60.Google Scholar
  33. Jahn, D., & Korolczuk, S. (2012). German exceptionalism: The end of nuclear energy in Germany! Environmental Politics, 21(1), 159–164.Google Scholar
  34. Jobin, P. (2012). Qui est protégé par la radioprotection? Ebisu. Études Japonaises, 47, 121–131.Google Scholar
  35. Jones, C. F., Loh, S.-L., & Satō, K. (2013). Narrating Fukushima: Scales of a nuclear meltdown. East Asian Science, Technology and Society, 7(4), 601–623.Google Scholar
  36. Kasperson, R. E., et al. (1988). The social amplification of risk: A conceptual framework. Risk Analysis, 8(2), 177–187.Google Scholar
  37. Kera, D., Rod, J., & Peterova, R. (2013). Post-apocalyptic citizenship and humanitarian hardware. In R. Hindmarsh (Ed.), Nuclear disaster at Fukushima Daiichi: Social, political and environmental issues (pp. 1–27). London & New York: Routledge.Google Scholar
  38. Kinsella, W. J. (2012). Environments, risks, and the limits of representation: Examples from nuclear energy and some implications of Fukushima. Environmental Communication: A Journal of Nature and Culture, 6(2), 251–259.Google Scholar
  39. Kinsella, W. J. (2015). Being “Post-Fukushima”: Divergent understandings of sociotechnical risk. Tokyo, United Nations University Institute for the Advanced Study of Sustainability.Google Scholar
  40. Knorr Cetina, K. (1999). Epistemic cultures: How the sciences make knowledge. Cambridge, MA: Harvard University Press.Google Scholar
  41. Lenhard, J., & Winsberg, E. (2010). Holism, entrenchment, and the future of climate model pluralism. Studies in History and Philosophy of Science Part B: Studies in History and Philosophy of Modern Physics, 41(3), 253–262.Google Scholar
  42. Lundestad, C. V., & Hommels, A. (2007). Software vulnerability due to practical drift. Ethics and Information Technology, 9(2), 89–100.Google Scholar
  43. Merali, Z. (2010). Computational science: Error, why scientific programming does not compute. Nature, 7317(467), 775–777.Google Scholar
  44. Merz, M. (1999). Multiplex and unfolding: Computer simulation in particle physics. Science in Context, 12(2), 293–316.Google Scholar
  45. Neumann, P. (1994). Computer-related risks. Hoboken, NJ: Addison-Wesley Professional.Google Scholar
  46. Oreskes, N., Shrader-Frechette, K., & Belitz, K. (1994). Verification, validation, and confirmation of numerical models in the earth sciences. Science, 263(5147), 641–646.Google Scholar
  47. Perrow, C. (1984). Normal accidents: Living with high risk technologies. New York: Basic Books.Google Scholar
  48. Plantin, J. C. (2015). The politics of mapping platforms: Participatory radiation mapping after the Fukushima Daiichi disaster. Media, Culture and Society, 37(6), 904–921.Google Scholar
  49. Pritchard, S. B. (2012). An envirotechnical disaster: Nature, technology, and politics at Fukushima. Environmental History, 17(2), 219–243.Google Scholar
  50. Riedlinger, M., & Rea, A. J. (2015). Discourse ecology and knowledge niches: Negotiating the risks of radiation in online Canadian forums, post-Fukushima. Science, Technology and Human Values, 40(4), 588–614.Google Scholar
  51. Schäfer, F. (2016). 3/11“: Medienkatastrophe „Fukushima“und „latente (senzai-teki) Öffentlichkeit. In F. Schäfer (Ed.), Medium als Vermittlung (pp. 211–241). Wiesbaden: Springer VS.Google Scholar
  52. Scheuermann, W., et al. (2011). Modeling consequences of the accident at Fukushima. International Journal for Nuclear Power, 56(6), 325–331.Google Scholar
  53. Schmid, S. (2012). Nuclear emergency response: Atomic Priests or an International SWAT Team? In R. Hindmarsh (Ed.), Nuclear disaster at Fukushima Daiichi: Social, political and environmental issues (pp. 194–213). London & New York: Routledge.Google Scholar
  54. Schmid, S. (2016). Chernobyl, Fukushima, and preparedness for a “next one”. [Online]. http://thebulletin.org/chernobyl-fukushima-and-preparedness-next-one. Accessed June 1, 2016.
  55. Schmid, S., & Schnadt, H. (2004). Leitfaden für den Fachberater Strahlenschutz der Katastrophenschutzleitung bei kerntechnischen Notfällen. München-Jena: Elsevier Urban & Fischer.Google Scholar
  56. Snook, S. A. (2002). Friendly fire: The accidental shootdown of US Black Hawks over northern Iraq. Princeton: Princeton University Press.Google Scholar
  57. The National Diet of Japan. (2012). The official report of the Fukushima nuclear accident independent investigation commission. Tokyo: The National Diet of Japan.Google Scholar
  58. Thykier-Nielsen, S., Deme, S., & Mikkelsen, T. (1999). Description of the atmospheric dispersion module RIMPUFF. Karlsruhe: Forschungszentrum Karlsruhe GMBH.Google Scholar
  59. VDI. (2000). Environmental meteorology; atmospheric dispersion models; particle model. Beuth/Berlin: Verein deutscher Ingenieure.Google Scholar
  60. Vehlken, S. (2016). Super-GAU und Computersimulation Technisches Nichtwissen in der zivilen Nuklearforschung. In A. Friedrich, P. Gehring, C. Hubig, A. Kaminski, & A. Nordmann (Eds.), Technisches Nichtwissen (pp. 85–122). Baden-Baden: Nomos Verlagsgesellschaft mbH & Co. KG.Google Scholar
  61. Von Hippel, F. N. (2011). The radiological and psychological consequences of the Fukushima Daiichi accident. Bulletin of the Atomic Scientists, 67(5), 27–36.Google Scholar
  62. Weiss, W., & Leeb, H. (1993). IMIS-the German integrated radioactivity information and decision support system. Radiation Protection Dosimetry, 50(2), 163–170.Google Scholar
  63. Wilbois, T., et al. (2013). Remote monitoring of nuclear power plants in Baden-Wuerttemberg—From measurement to emergency protection. Radioprotection, 48(5), S95–S102.Google Scholar
  64. Wimsatt, W. C. (2007). Re-engineering philosophy for limited beings: Piecewise approximations to reality. Cambridge, MA: Harvard University Press.Google Scholar
  65. Winsberg, E. (2010). Science in the age of computer simulation. Chicaco, IL: University of Chicago Press.Google Scholar
  66. Yamawaki, N. (2017). Von STS zu STSE angesichts des Atomunfalls in Japan. In W. Pietsch, J. Wernecke, & M. Ott (Eds.), Berechenbarkeit der Welt? (pp. 563–574). Wiesbaden: Springer VS.Google Scholar

Copyright information

© The Author(s) 2018

Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors and Affiliations

  1. 1.Institute of Management SciencesTechnical University of ViennaViennaAustria

Personalised recommendations