Defense in Depth and Safety Culture from an IAEA Conference

A 2013 IAEA conference focused on the concept of Defense in Depth (DID) and its implementation at nuclear facilities.  It was a large-scale event with almost 50 presentations and papers.  The published proceedings* run over 350 pages.  This post focuses on the treatment of safety culture (SC) by the authors and presenters.  The proceedings started off well: SC was explicitly mentioned as a cross-cutting issue in the implementation of DID. (p. 1)  In addition, the conference itself was predicated on Fukushima lessons learned which, as everyone now knows, included SC shortcomings in both licensee and government organizations.

But on the whole the treatment of SC was something of a disappointment.  The presentations from Argentina, Pakistan and Vietnam mentioned SC in passing.  The presentation from Egypt discussed the regulator’s role in SC oversight at length. (pp. 302-304)  Only the following three presentations gave SC a featured role.

SC in WANO

The World Association of Nuclear Operators (WANO) presenter said this about SC: “Safety supposes that no operator feels isolated, or refuses openness and permanent self-questioning; it requests as well for WANO to ensure that cultural and sometimes political barriers do not hinder safety culture . . . . In WANO, we believe that management system and practices are at the centre of safety culture, and a full involvement of top management (CEOs) of our members is absolutely requested.”**

SC in Indonesia

Two papers discussed SC at different nuclear facilities in Indonesia.  Desirable SC characteristics at both facilities were based on INSAG-4.

The Experimental Fuel Element Installation (EFEI)

The abstract of this paper*** highlighted SC’s role at this facility.  “The application of safety culture in a nuclear facility is one way of DID implementation.  Safety culture aims at the performance of safe works, the prevention of deviation, and the accomplishment of quality operation.  It is in accordance with the first level of DID concept which is the prevention of abnormal operation and failures that is done through conservative design and high quality in construction and operation. . . The objective of safety culture implementation in the EFEI is to encourage workers to have a stronger sense of responsibility on safety and to contribute actively for its development”  The paper presented a laundry list of strategies used to strengthen SC including briefings, workshops, training, senior management visits, integration of safety into work processes, self-assessments, open reporting on safety incidents, open and timely reporting to the regulator, evaluation of safety performance indicators and an annual SC questionnaire.

The authors displayed a bit of realism when they said “Leaders cannot completely control safety culture, but they may influence it.” (p. 179)  They also said their questionnaire results indicated that EFEI SC is at Stage 2 (from IAEA-TECDOC-1329) where “Safety becomes an organizational goal.”  They want SC to evolve to Stage 3 where the organization believes “Safety can always be improved.” (pp. 187-188)

Kartini Research Reactor

This paper**** reported the findings of a SC self-assessment.  The method consisted of questionnaire responses reviewed by experts.  The assessment identified several good current practices in maintaining the safety status of Kartini reactor.  As supporting evidence, the authors noted the number of inspection/audit findings from the regulator went down while reactor utilization and operating hours increased over the past several years.  One opportunity for improvement was the need for more frequent dialogues between employees and managers.

Our Perspective

There is not much SC substance here.  The recitations on SC repeated familiar stuff you’ve seen in lots of places.  In other words, zero new information or insight.  The single page WANO presentation indicates their lowest common denominator audience is even lower than IAEA’s.  Perhaps there were technical issues discussed at the conference that are of interest to you.  Otherwise, don’t invest your coffee break in going through this lengthy document.

*  IAEA, International Conference on TopicalIssues in Nuclear Installation Safety: Defence in Depth — Advances andChallenges for Nuclear Installation Safety, Oct. 21-24, 2013 ConferenceProceedings, IAEA-TECDOC-CD-1749 (Vienna, 2014).  We are grateful to Madalina Tronea for publicizing this material.  Dr. Tronea is the founder and moderator of the LinkedIn Nuclear Safety Culture forum.

**  J. Regaldo, “WANO Actions to Reinforce the Operators’ Safety Culture Worldwide,” p. 147.

***  H. Hardiyanti, B. Herutomo and G. K. Suryaman, “Safety Culture as a Pillar of Defense-in-Depth Implementation at the Experimental Fuel Element Installation, Batan, Indonesia,” pp. 173-188.

****  S. Syarip, “Safety Management and Safety Culture Self Assessment of Kartini Research Reactor,” pp. 321-326.

Back to the Past at Millstone?

Millstone

A recent article* in the Hartford Courant newspaper reported on a turbine-driven auxiliary feedwater (TDAFW) pump problem at Millstone 3 that took so long to resolve that the NRC issued a White finding to plant owner Dominion Resources.

The article included a quote from the Connecticut Nuclear Energy Advisory Council (NEAC) describing their unease over the pump problem.  We dug a little deeper on the NEAC, a state government entity that works with public agencies and plant operators to ensure public health and safety.  Their 2014 annual report** highlights the TDAFW pump problem and another significant event at Millstone, a loss of site power that caused a dual reactor trip.  NRC inspections following these two events resulted in one Severity Level III finding, the White finding previously mentioned and two Green findings.  The events and NRC findings led the NEAC to express “great concern regarding the downward performance trend” to Dominion and request a formal response from Millstone management on any root cause that linked the performance problems.

In his response to the NEAC, the Millstone site VP said there was no root cause linking events.  He also said two safety culture (SC) improvement areas had been identified, viz., problem identification and evaluation and establishing clarity around decision making, and that the site has implemented improvement actions to address those areas.  In the Courant article, a plant spokesman is quoted as saying "If it's not immediately obvious why it's not working, we put a team to work on it."

The article also referred to related behind-the-scenes NRC staff emails*** in which the time it took for Dominion to identify and address the TDAFW pump issue raised eyebrows at the NRC.

So what does the TDAFW pump event tell us about SC at Millstone?

Our Perspective

Is Millstone on the road to the bad old days, when SC was AWOL from the site?  We hope not.  And there is some evidence that suggests the TDAFW pump issue was an isolated problem exacerbated by a bit of bad luck (a vendor supplying the wrong part with the same part number as the correct part).

Positive data includes the following: Millstone 2 and 3 both had all green performance indicators on the 3QTR2014 NRC ROP and, more importantly, a mid-2014 baseline inspection of the Millstone CAP “concluded that Dominion was generally effective in identifying, evaluating, and resolving problems.”****  In addition, plant “staff expressed a willingness to use the corrective action program to identify plant issues and deficiencies and stated that they were willing to raise safety issues.” (p. 10)

Currently, M2 is subject to baseline inspection and M3 to baseline and a supplemental inspection because of the White finding.

To us, this doesn’t look like a plant on the road to SC hell although we agree with the NRC that the TDAFW pump problem took too long to evaluate and resolve.

We hope the Millstone organization learned more from the TDAFW pump problem than they displayed in their reply to the NRC.*****  In dealing with the regulator, Millstone naturally tried to bound the problem and their response: they pointed at the vendor for sending them the wrong part, implemented a TDAFW pump troubleshooting guide, revised a troubleshooting procedure, and produced and presented two case studies to applicable plant personnel. 

The site VP’s letter to NEAC suggests a broader application of the lessons learned.  We suggest the “trust but verify” principle for dealing with vendors be strengthened and that someone be assigned to read Constance Perin’s Shouldering Risk (see our Sept. 12, 2011 review) and report back on the ways factors such as accepted logics, organizational power relations and production pressure can prevent organizations from correctly perceiving problems that are right in front of them.

*  S. Singer, “Emails Show NRC's Concern Over How Millstone Nuclear Plant Reacted To Malfunction,” Hartford Courant (Jan. 12, 2015).

**  2014 Nuclear Energy Advisory Council (NEAC) Report (Dec. 11, 2014).  The Nov. 10, 2014 letter from Millstone site VP S.E. Scace to J.W. Sheehan (NEAC) is appended to NEAC’s 2014 annual report.

***  The Associated Press obtained the emails under a Freedom of Information Act request.  Most of the content relates to the evolution of technical issues but, as cited in the Courant article, there are mentions of Millstone’s slowness in dealing with the pump issue.  The emails are available at ADAMS ML14358A318 and ML14358A320.

****  “Millstone Power Station – NRC Problem Identification and Resolution Inspection Report 05000336/2014009 and 05000423/2014009” (Sept. 12, 2014), cover letter.  ADAMS ML14255A229.

*****  Dominion Nuclear Connecticut, Inc. Millstone Power Station Unit 3, Reply to a Notice of Violation (Nov. 19, 2014).  ADAMS ML14325A060.

Human Performance at a Nuclear Power Plant

2015 is off to a slow start in the safety culture (SC) space but we recently saw two mid-2014 articles worth a few words: “Putting People in the Mix” Parts I and II by Ken Ellis, both originally published in Nuclear Engineering International.*  The basic premise is that an incident investigation finding of human error is only “the tip of the iceberg” in understanding human performance issues.

Part I

Part I describes how people add a probabilistic aspect to nuclear plant performance.  Ellis begins by reviewing the nuclear industry’s defense-in-depth: physical barriers, safety systems and contingency plans.  If an incident occurs, then linear root cause analysis starts with the outcome and works back to identify what happened.  Lessons learned are used to update the defense-in-depth system.

But people don’t always behave according to the laws of physics.  People “can circumvent both equipment and process, either unwittingly or wittingly” because of their personal history, perceptions, stress and other factors.  Adding people makes a complicated system (a nuclear plant) a complex one.  One consequence is that a complete and accurate reconstruction of the events preceding an incident may not be possible.  Incident analysis should include investigating the dynamic context in which any relevant human behavior occurred. 

Part II

Part II describes risk management.  It begins with a list of factors that can increase risks at nuclear plants, including lack of leadership, time pressures, complacency and normalization of deviance.  The organization’s primary goal in risk space “is to narrow the band of what constitutes acceptable risk.” The strategy should be to control human behavior by making the boundaries of the work space “explicit and known, and giving workers opportunities to develop coping skills at boundaries.”

Ellis on goes to list  practices that can help improve safety including communication protocols, conservative decision-making and a questioning attitude.  He concludes with some suggestions for managing human performance risk including explicit discussion of complexity and risk boundaries, seeking divergent opinions and understanding how workers interpret messages from corporate. 

Our Perspective 

There is really nothing wrong with these articles.  Ellis covers the ground fairly well in 2400 words intended for a general nuclear industry audience.  But there is nothing new here.  More importantly, this is a brisk treatment of some important concepts about human behavior, the nature of human and system errors, competing mental models of nuclear operations, and desirable management attributes.  The author’s lack of references means a curious reader is left to his own devices.  One really needs direction to key sources, e.g., Dekker, Hollnagel, Reason, Taleb, Vaughan, Woods and the HRO people to gain a meaningful understanding of such concepts.  If you’ve been following Safetymatters for awhile, you know we’ve covered these folks and their ideas at length.

*  K. Ellis, “Putting People in the Mix: Part I,” Nuclear Engineering International (July 18, 2014) and “Putting People in the Mix:Part II,” Nuclear Engineering International (July 21, 2014).  Mr. Ellis is the Managing Director of the World Association of Nuclear Operators (WANO).  Thanks to Dr. W.R. Corcoran for publicizing Part I in the LinkedIn Nuclear Safety Culture group.

Financial Incentives to Promote Safety Culture at the Vit Plant

The Vit Plant

We have reported on safety culture (SC) issues at the Hanford Waste Treatment Plant (WTP, or “vit plant”) for years.  Some of these issues arose in the Department of Energy (DOE) organization at Hanford; other issues became evident at Bechtel, DOE’s prime contractor at Hanford.  But this post focuses on a bit of good news: recent Bechtel contracts have included financial incentives for good performance related to establishing and maintaining a strong SC.*

The incentives are very small potatoes in the overall scheme of things.  The WTP is an $11 billion plus project (so far); the semi-annual SC incentives have been in the $1-5 million range.  But it is the correct signal for the government to be sending to a contractor.  It’s also interesting how the incentives have been fiddled with during their brief existence, as shown in the following table.  To keep things simple, the table excludes incentive program components that are not related to SC, e.g., cost performance incentives.  Note that the dollar amounts shown are the maximum Bechtel can earn; published payouts to date have been less than the maximums.

From July 1, 2012 to June 30, 2013 the contract included a project management incentive (PMI) component.  Nuclear Safety and Quality Culture items (the Corrective Action Program, Employee Concerns Program, Differing Professional Opinion process, Safety Conscious Work Environment (SCWE) and Integrated Safety Management Systems) were 20-30% of the PMI.

Starting July 1, 2013 and continuing to the present a section was added to the incentive plan covering Self-Analysis/Assessment/Discovery/Action.  This basically means Bechtel will be rewarded for identifying and fixing its problems before outsiders tell them to.  The contract does not characterize this activity as part of SC but we do; fixing problems is an essential artifact of a strong SC.  In addition, the attributes under this section, including transparency and organizational learning, are also attributes of a strong SC.  Another new section on Environmental, Safety and Health is mostly about industrial safety but includes promoting a robust NSQC embracing INPO principles, including a SCWE.  The section on the Quality Assurance program includes supporting an effective CAP and, starting July 1, 2014, maintaining a robust quality culture.

Start	End	Project Management Incentive (PMI)	Nuclear Safety and Quality Culture (NSQC)
7/1/2012	12/31/2012	$3,150,000	$945,000	30% of PMI: NSQC inc. CAP, ECP, DPO, SCWE (25%), Integrated Safety Management Systems (5%)
1/1/2013	6/30/2013	$3,780,000	$756,000	20% of PMI: NSQC inc. CAP, ECP, DPO, SCWE (15%), Integrated Safety Management Systems (5%)
		Self-Analysis/ Assessment/ Discovery/Action	Environmental, Safety & Health	QA Program
7/1/2013	12/31/2013	$3,500,000	$1,000,000	$800,000
1/1/2014	6/30/2014	$3,500,000	$1,000,000	$800,000
7/1/2014	12/31/2014	$1,260,000	$1,260,000	$1,260,000

Our Perspective

For starters, let’s give credit where credit is due: Huzzah to DOE and Bechtel.  For a long time, we have been saying that organizational reward systems should include SC components.  Safety slogans and empty mantras are just that—empty.  If a government agency, or a nuclear plant owner, or a board of directors, or any other overseer truly values SC then they should put some money where their mouths are.

Enough cheering, let’s put our reality hat back on.  Could Bechtel (or any other contractor) game the incentive system to get rewarded without actually creating a strong SC?  Possibly.  Who would you bet on: government bureaucrats or a clever, financially motivated contractor?  But an official incentive plan like the one described above is a good start.

Now that DOE has figured out how to design a contract that aims to motivate a contractor to strengthen its SC, let’s turn the spotlight back on DOE itself.  How does DOE do on transparency, extent of condition and other SC attributes?  Not so good.  Over the last few years we have been reporting on the DOE effort to evaluate SC at other (i.e., non-WTP) sites to determine if WTP SC issues exist elsewhere.  We saw foot-dragging, an unorganized SC assessment program and deliberate opacity in the resultant reports.  DOE can and should do better.

*  The WTP Performance Evaluation and Measurement Plans used in this post are available here.  For prior related posts click on the Vit Plant label below.