1 Introduction

Continuous improvement is considered vital for maintaining a high safety standard. Very few people dispute this view. Continuous improvement is believed to be needed for many reasons.

When the Japanese bullet train opened for business in 1964, operating between Tokyo and Shin-Osaka, the maximum operating speed was 210 km/hr. It has since been increased to 285 km/hr. The interval between trains has been reduced from 15–30 min to 3–10 min. It used to take 4 h to travel from Tokyo to Shin-Osaka. Now, it takes 2 h and 35 min. The number of cars has been increased from 12 to 16. The maximum operating speed depends on various factors, not on the mechanical performance alone. In fact, the maximum operating speed is set at 300 km/hr for a different bullet line. The highest speed of the Japanese bullet train recorded in a technical test is reported to be 443 km/hr. What this story implies is that it is the fate of almost any joint system that people try to maximize its efficiency in a balanced way under given conditions. There are various driving forces, such as the corporate responsibility for fulfilling economic demands and the desire to develop new and better technologies.

Continuous change is also an important driving force for maintaining the high spirit of people from the viewpoint of human resource management. Even employees sometimes want to improve efficiency for their own benefit, where better efficiency does not compete against better well-being. People are always motivated to change the system under the name of ‘improvement.’

However, continuous improvement may have a downside. This paper intends to argue that continuous improvement can cause fatal accidents. A nuclear criticality accident that happened at a nuclear fuel processing factory in Japan is used as an example.

2 The Accident

JCO Co. Ltd. was involved in the manufacturing of materials used for nuclear fuel. JCO still exists, even though it has closed its manufacturing operations. It usually manufactured low-enriched products of 3 to 5% U235 concentration. A few times a year, it was asked to manufacture a high-enriched product of 18.8% U235 concentration, which was used for an experimental fast-breeder reactor. The same facility and process were used to manufacture both the low-enriched and high-enriched products. The accident happened on September 30, 1999, when the high-enriched product was being manufactured. It was a nuclear accident called a ‘criticality accident’, in which uncontrolled nuclear reactions occurred successively (a chain reaction). Two workers lost their lives as a result of exposure to the strong neutron flux emitted by the reaction.

2.1 The Original Process

Chemical Process.

The nuclear fuel is made by sintering enriched uranium dioxide (UO2). The enriched uranium dioxide is typically produced from a uranium concentrate called ‘yellow cake’ through two major chemical processes – (i) the conversion process to produce uranium hexafluoride (UF6) from yellow cake and (ii) the re-conversion process to produce uranium dioxide. JCO was a unique company that specialized in the re-conversion process.

The re-conversion process is divided into several stages. On the day of the accident, JCO was involved in the stage of harmonizing the uranium concentration. For the purpose of harmonization, nitric acid (HNO3) was added to enriched uranium powder – triuranium octoxide (U3O8) – which yielded uranyl nitrate solution (UO2(NO3)2). Several batches of solution obtained from enriched uranium powder of slightly different concentrations were mixed to harmonize the uranium concentration. The criticality accident happened during the mixing process.

Production Process.

The basic production process is simple. Nitric acid is added to enriched uranium powder in the dissolution tower to obtain uranyl nitrate solution. Then, the solution is filled in a small container for delivery. Figure 1 presents the authorized production process [1].

Fig. 1. The authorized iterative production process for producing triuranium octoxide (U3O8) and uranyl nitrate solution (UO2(NO3)2) [1]

For a larger amount of production, this process has to be iterated because the dissolution tower is designed to be small in order to avoid criticality. The volume of the container for delivery was only 4 L. The uranium concentration of uranyl nitrate solution obtained from different processing is not uniform. The uranium concentration has to be harmonized by a method called ‘cross-blending’: several batches of uranyl nitrate solution are mixed (blended) bit by bit using small containers. Then, the harmonized uranyl nitrate solution is filled into small containers for delivery. This was the authorized production process, which was supposed to be followed strictly by the workers of JCO.

2.2 Changes

The authorized production process was successively changed three times [2].

  1. For the dissolution of enriched uranium material, the dissolution tower was replaced by a stainless bucket around 1993. The volume of the bucket was 10 L, which was larger than that of the dissolution tower. The use of the bucket was authorized by JCO and was considered to be part of the standard production process. Authorized in-house operating procedures were specified and implemented. This change, which was intended to increase the volume of each batch for efficiency, was not submitted to the regulatory agency for permission. Therefore, it was an illegal change. The rest of the process was not changed.

  2. For the harmonization of the uranium concentration of uranyl nitrate solution, cross-blending was replaced by the storage tank around 1995. This additional change, which was intended to remove the tedious and technically difficult cross-blending for efficiency and easier production, was not submitted to the regulatory agency for permission. Therefore, it was an illegal change. Together with the use of the stainless bucket, this change was specified as part of the in-house standard production procedures authorized by JCO.

  3. For the harmonization, the storage tank was further replaced by the settling tank. This change, which was intended to increase the efficiency of harmonization, was improvisational and shared only among workers. This change is reported to have been made a day before the accident and implemented successfully [3]. Fig. 2 presents the illegal process that caused the criticality accident [1].

    Fig. 2. The illegal process that caused the criticality accident [1]

2.3 The Fatal Operation

On the day of the accident, the workers were involved in the harmonization of high-enriched (18.8% U235) uranyl nitrate solution. The workers took the risk of using the settling tank rather than the storage tank for harmonization – the third and last change mentioned earlier.

It was unfortunate that the settling tank was totally unsuitable for harmonization (see the discussion in Clause 3.1). The criticality was triggered when the workers poured a large amount of highly enriched uranyl nitrate solution into the settling tank. The amount exceeded the safety limit.

Table 1 summarizes the development of the changes, including the one that caused the accident – Change 3.

Table 1. Changes of equipment / method made at the JCO enrichment process

3 Discussions

3.1 Technical Aspect

The accident occurred when the workers attempted to harmonize the concentration of uranyl nitrate solution using the settling tank. The use of the settling tank for the harmonization was totally unsuitable in terms of nuclear safety, and it was a violation of the authorized procedures [4, 5]. The authorized procedures specify the use of the cross-blending technique for the harmonization.

It is not known whether the procedures explicitly prohibit the use of the settling tank for the harmonization, though it was probably beyond the imagination of the system designers and regulators that the settling tank could be used that way.

The settling tank was designed for its own purpose. It has a rounded shape. Because of the rounded shape, more neutrons stay longer inside the tank, increasing the chance of neutrons reacting with uranium. The dissolution tower, on the other hand, was thin and tall, which does not allow neutrons to stay long inside the tower, decreasing the chance of neutrons reacting with uranium. In addition, the settling tank was surrounded by a cooling jacket, which was not the case with the dissolution tower. This also causes more neutrons to stay longer inside the tank, increasing the chance of neutrons reacting with uranium. Neither of these design features is suitable for handling radioactive materials. They only increase the chance of criticality. Technically speaking, it was totally prohibitive to use the settling tank for the harmonization.

3.2 Administrative Aspect

Operating procedures are an essential human-system interface. They convey what engineers want users to do. They often include remarks for the purpose of maintaining user safety and system integrity. But they seldom mention the underlying engineering considerations.

How to train workers so that they acquire sufficient knowledge about the underlying engineering considerations and related principles is generally considered to be an administrative issue. How to keep the workers complying with the operating procedures, which are assumed to reflect engineering demands and regulatory requirements correctly, is also considered to be an administrative issue. Obviously, these administrative measures were not strictly implemented at all at the JCO fuel processing plant. One of the three workers, who survived, is reported to have told Japanese media [6]:

  1. The company did not caution workers about the danger of criticality.

  2. Workers were aware of the illegality of the actual operating procedures and they were not proud of it.

  3. Workers never thought that accidents could happen with the liquefied uranium.

  4. The interviewee concluded that ignorance was the cause of the accident.

These comments clearly indicate that effective administrative control was virtually non-existent at JCO. Answer #2 is interesting. Answer #3 must sound totally irrational to those who have elementary knowledge of nuclear physics. Both answers vividly illustrate that people can do anything when they are not appropriately trained through administrative control and education.

The authors, however, believe that it was not the lack of appropriate administrative control and education alone; the ‘successful experiences’ also played a major role. Nothing went wrong even though illegal procedures were implemented. Nothing went wrong even though the understanding of the underlying physics was wrong.

3.3 Legal Aspect

The accident investigation reports, as well as the media, identified the accident as an organizational accident and accused JCO of negligent administrative control. JCO and its six employees were sentenced to an order of compensation and suspended prison terms three and a half years after the accident.

3.4 Human Factors View

Human Factors/Ergonomics (HFE).

HFE is an interdisciplinary engineering field whose foundation is the scientific study of human characteristics [7]. The scope of HFE has expanded considerably as joint human-machine systems have become much larger and more complicated. Consequently, systemic views prevail in recent HFE research and practice. Contemporary HFE tries to look at as many related elements as possible (e.g., machine systems, users, customers, employees, administrative and regulatory systems, the general public and society) from various viewpoints, including cognitive, organizational and sociological viewpoints, and tries to find issues and balanced solutions through the eyes of people. One of the critical problems of large-scale, safety-critical systems is that various mismatches existing among the above-mentioned elements tend to cause catastrophic accidents.

Relevant Human Characteristics.

One of the authors identified several human characteristics that challenge safety-critical systems [8]. The two characteristics cited below look particularly relevant to the JCO accident.

The nature of changes in systems: Humans in systems (e.g., operators, maintenance people) are essentially alike and are, in general, adaptive and proactive. These are admirable qualities, but of limited scope. Adaptive and proactive behaviors can change the system continuously, but humans at the front end alone may or may not be able to recognize the potential impact that the changes can have on the system, especially the impact when several changes are put into effect simultaneously. Humans at the back end (e.g., administrators, regulators) tend to have sanguine ideas such as that the system is always operated as planned, and the rules and procedures can fix the system at an optimal state. Mismatches caused by these two tendencies constitute latent hazards, which may cause the system to drift to failures.

Rules and Procedures: Work rules and operating procedures are much less effective than they are normally believed to be. Trying to fix the system at an optimal point for extended time with work rules and procedures may be a feeble idea. “Situated Cognition,” a school of sociology, argues that the idea of controlling work with rules and procedures is only an administrative view…

In fact, major changes were made to the operating procedures at least three times at JCO (Table 1). Obviously, the reason for the changes was a desire to improve the tedious work. There is no evidence that the workers were under pressure for higher productivity in the normal sense. The formal procedures were just tedious and technically not easy. The use of informal equipment such as the stainless bucket and the settling tank made the operation so much easier and quicker.

Both the front-end workers and the back-end administrators at JCO were ignorant of the fatal risk associated with the changes. The regulator, who usually assumes that authorized procedures are implemented, was typical of back-end people who do not see what is really taking place. There was a huge mismatch between those two groups of people.

It was unfortunate that the sense of violating rules, which was recognized among the workers and perhaps among the administrators of JCO as well, was suppressed by successful experiences. The changes did not cause anything to go wrong when the low-enriched products were manufactured.

A Human Factors Argument.

Taking all the earlier discussions into consideration, the authors find it fair to argue that some important discussions are missing.

Obviously, the formal conclusions made publicly are based on a belief that the system should operate safely when formal procedures and any other rules are observed. However, there have been accidents which vividly exemplified that this belief rests on weak ground.

It has been a recent trend to attribute the final responsibility to the organizations involved in accidents. This is probably because organizations have been becoming larger and more complicated over the past decades, and many of them are susceptible to administrative deficiencies. But administrative deficiency is too vague a title for digging into the details that underlie critical accidents. In the case of the JCO accident, there were some important questions that were not asked.

Firstly, it was totally prohibitive to use the settling tank for the harmonization. However, the discussion in Clause 3.1 is hindsight that can only be argued by integrating knowledge of nuclear safety engineering after the accident happened. How could workers develop such professional reasoning? How can we be sure that such professional reasoning is taught to workers before the accident occurs? It is not fair to criticize the workers and the organization based on technical hindsight without evaluating how well the underlying engineering considerations are in effect in reality.

Secondly, how can we be sure that the information provided by engineers (and regulators) is good enough for the end users to learn and operate the given system? There is a strong sense on the side of engineers and regulators that rules are based on the best engineering knowledge and regulatory judgement, and therefore they must be observed. But how can we be sure that rules do not make the jobs very difficult to implement? There is no evidence that the JCO workers and administrators were supported by safety engineers and regulators to make their jobs easier to conduct.

Thirdly, people make changes for many reasons, as discussed in Chapter 1. In JCO’s case, procedures were changed three times. The worker who survived mentioned that JCO workers were aware of the illegality, but it did not stop them from making changes because they were not accused of committing minor violations such as not maintaining a specified spatial separation between small containers filled with uranyl nitrate solution. He further explained that he never thought that the use of the settling tank for harmonization of liquefied uranium solution could cause an accident, because it worked successfully for the production of the low-enriched product [5]. A common underlying characteristic is that the tendency to make changes can be reinforced significantly by experience if nothing went wrong as a result of doing something. How can we be sure that administrative and regulatory controls can stop this characteristic? Aren’t many past accidents suggesting that we cannot be?

4 Concluding Remarks

It appeared from the post-accident investigation that the workers of JCO were using illegal procedures. It further appeared that a major change was made three times. The last change, which replaced the storage tank with the settling tank for harmonization, was potentially fatal because of the technical features of the settling tank. But it worked for manufacturing the low-enriched products. On the day of the accident, the workers were involved in the production of high-enriched uranyl nitrate solution. It is hindsight that the combination of these caused the process to go beyond the safety limit. It was a typical organizational failure, as is widely acknowledged.

But it is also seen as a typical example of accidents caused by changes that were invented to satisfy a required quality standard more efficiently. The changes were also believed to have benefitted the workers by making the job easier in an adverse work condition imposed by the formal but tedious operating procedures. Hazards associated with the changes that happened over time at JCO became difficult to recognize because of successful experiences. Many other accidents in which similar mechanisms contributed significantly can easily be found.

All these accidents clearly show the need to recognize that people are expending the safety margin from day to day under the name of ‘improvement.’ It is therefore crucially important to focus on everyday changes that are not causing any problems under normal conditions but may be undermining resilience soundlessly. It is not appropriate to overestimate administrative control. It is too late to enforce administrative control after experiencing accidents.

One of the authors points out [8]:

Knowing the existence of mismatches between reality and formality is the first step for better remedy. Enforcing rules without understanding the mismatches is not an effective remedy. Appropriate monitoring mechanisms are a prerequisite for knowing the existence of mismatches. So are appropriate evaluation mechanisms for understanding mismatches. These mechanisms should maintain independence from and authority over administrative mechanisms.

HFE provides various methods for detecting the mismatches. The methods are based largely on systematic observations that take the knowledge of human characteristics into account. Any significant mismatches detected need to be examined by safety engineers to judge whether significant hazards are associated with them. It is better to let HFE specialists and safety engineers work together than to blindly believe that the work will just follow what the operating procedures specify.