We recently read a paper* that echoes some of the themes we emphasize on Safetymatters, viz., leadership, decisions and a systems view. Following is an excerpt from the abstract:
“Leadership is progressively being recognized as a key** factor in supporting successful performance across a range of domains. . . . the decisions and actions that characterize safety leadership thus become important emergent properties in the prevention of incidents, which should be considered within the context of the broader organizational system and not merely constrained to understanding events or conditions that shape performance at the ‘sharp end’.” [emphasis added]
The authors go on to analyze decisions and actions after a mining incident (landslide) using a combination of three different schemes: Rasmussen’s Risk Management Framework (RMF) and corresponding AcciMap, and the Critical Decision Method (CDM).
The RMF describes work systems as composed of various levels and argues that safety performance is affected by decisions and actions at all levels from politicians in the external environment down through company executives and managers and finally to individual workers. Rasmussen’s AcciMap is an expansive causal diagram for an accident or incident that displays the contributions (or omissions) at each level in the RMF and their connections.
CDM uses semi-structured interviews to obtain information about how individuals formulate their decisions, including context such as background knowledge and immediate influencing factors. Consistent with the RMF, case study interviews were conducted with individuals at different organizational levels. CDM data were used to construct the AcciMap.
We won’t go into the details of the analysis but it identified over a dozen key decisions made at different organizational levels before and during the incident; most were connected to at least one other key decision. The AcciMap illustrates decisions and communications across multiple levels and thus provides a useful picture of how an organization anticipates and responds to an unusual situation.
Our Perspective
The authors argue, and we agree, that this type of analysis provides greater detail and insight into the performance of an organization’s safety management system than traditional accident investigations (especially those focused on finding someone to blame).
This article does not specifically discuss culture. But the body of decisions an organization produces is the strongest evidence and most visible artifact of its culture. Organizational decisions are far more important than responses to surveys or interviews where people can report what they believe (or hope) the culture is, or what they think their audience wants to hear.
We like that RMF and AcciMap are agnostic: they can be used to analyze either “what went wrong” or “what went right” scenarios. (The case study was in the latter category because no one was hurt in the incident.) If an assessor is looking at a sample of decisions to infer a nuclear organization’s culture, most of those decisions will have had positive (or at least no negative) consequences.
The authors are Australian academics but this short (8 pages total) paper is quite readable and a good introduction to CDM and Rasmussen’s constructs. The references include people whose work we have positively reviewed on Safetymatters, including Dekker, Hollnagel, Leveson and Reason.
Bottom line: There is nothing about culture or nuclear here, but the overall message reinforces our beliefs about how to think about Nuclear Safety Culture.
In the last few years, nuclear plant owners have shut down or scheduled for shutdown 17 units totaling over 14,000 MW. Over half of these units had (or have) nuclear safety culture (NSC) issues sufficiently noteworthy to warrant mention here on Safetymatters. We are not saying that NSC issues alone have led to the permanent shutdown of any plant, but such issues often accompany poor decision-making that can hasten a plant’s demise. Following is a roll call of the deceased or endangered plants.
Plants with NSC issues
NSC issues provide windows into organizational behavior; the sizes of issues range from isolated problems to systemic weaknesses.
FitzPatrick
This one doesn’t exactly belong on the list. Entergy scheduled it for shutdown in Jan. 2017 but instead it will likely be purchased by a white knight, Exelon, in a transaction brokered by the governor of New York. With respect to NSC, in 2012 FitzPatrick received a Confirmatory Order (CO) after the NRC discovered violations, the majority of which were willful, related to adherence to site radiation protection procedures.
Fort Calhoun
This plant shut down on Oct. 24, 2016. According to the owner, the reason was “market conditions.” It’s hard for a plant to be economically viable when it was shut down for over two years because of scheduled maintenance, flooding, a fire and various safety violations. The plant kept moving down the NRC Action Matrix which meant more inspections and a third-party NSC assessment. A serious cultural issue was how the plant staff’s perception of the Corrective Action Program (CAP) had evolved to view the CAP as a work management system rather than the principal way for the plant to identify and fix its problems. Click on the Fort Calhoun label to pull up our related posts.
Indian Point 2 and 3
Units 2 and 3 are scheduled to shut down in 2020 and 2021, respectively. As the surrounding population grew, the political pressure to shut them down also increased. A long history of technical and regulatory issues did not inspire confidence. In NSC space, they had problems with making incomplete or false statements to the NRC, a cardinal sin for a regulated entity. The plant received a Notice of Violation (NOV) in 2015 for providing information about a licensed operator's medical condition that was not complete and accurate; they received a NOV in 2014 because a chemistry manager falsified test results. Our May 12, 2014 post on the latter event is a reader favorite.
Palisades
This plant had a long history of technical and NSC issues. It is scheduled for shutdown on Oct. 1, 2018. In 2015 Palisades received a NOV because it provided information to the NRC that was not complete and accurate; in 2014 it received a CO because a security manager assigned a person to a role for which he was not qualified; in 2012 it received a CO after an operator left the control room without permission and without performing a turnover to another operator. Click on the Palisades label to pull up our related posts.
Pilgrim
This plant is scheduled for shutdown on May 31, 2019. It worked its way to column 4 of the Action Matrix in Sept. 2015 and is currently undergoing an IP 95003 inspection, including an in-depth evaluation of the plant’s CAP and an independent assessment of the plant’s NSC. In 2013, Pilgrim received a NOV because it provided information to the NRC that was not complete and accurate; in 2005 it received a NOV after an on-duty supervisor was observed sleeping in the control room.
San Onofre 2 and 3
These units ceased operations on Jan. 1, 2012. The proximate cause of death was management incompetence: management opted to replace the old steam generators (S/Gs) with a large, complex design that the vendor had never fabricated before. The new S/Gs were unacceptable in operation when tube leakage occurred due to excessive vibrations. NSC was never anything to write home about either: the plant was plagued for years by incidents, including willful violations, and employees claiming they feared retaliation if they reported or discussed such incidents.
Vermont Yankee
This plant shut down on Dec. 29, 2014 ostensibly for “economic reasons” but it had a vociferous group of critics calling for it to go. The plant evidenced a significant NSC issue in 2009 when plant staff parsed an information request to the point where they made statements that were “incomplete and misleading” to state regulators about tritium leakage from plant piping. Eleven employees, including the VP for operations, were subsequently put on leave or reprimanded. Click on the Vermont Yankee label to pull up our related posts.
Plants with no serious or interesting NSC issues
The following plants have not appeared on our NSC radar in the eight years we’ve been publishing Safetymatters. We have singled out a couple of them for extremely poor management decisions.
Crystal River basically committed suicide when they tried to create a major containment penetration on their own and ended up with a delaminating containment. It ceased operations on Sept. 26, 2009.
Kewaunee shut down on May 7, 2013 for economic reasons, viz., the plant owner apparently believed their initial 8-year PPA would be followed by equal or even higher prices in the electricity market. The owner was wrong.
Rounding out the list, Clinton is scheduled to shut down June 1, 2017; Diablo Canyon 1 and 2 will shut down in 2024 and 2025, respectively; Oyster Creek is scheduled to shut down on June 1, 2019; and Quad Cities 1 and 2 are scheduled to shut down on June 1, 2018 — all for business reasons.
Our Perspective
Bad economics (low natural gas prices, no economies of scale for small units) were the key drivers of these shutdown decisions but NSC issues and management incompetence played important supporting roles. NSC problems provide ammunition to zealous plant critics but, more importantly, also create questions about plant safety and viability in the minds of the larger public.
The start of a new year is an opportunity to take stock of the current situation in the U.S. nuclear industry and reiterate what we believe with respect to nuclear safety culture (NSC).
For us, the big news at the end of 2016 was Entergy’s announcement that Palisades will be shutting down on Oct. 1, 2018.* Palisades has been our poster child for a couple of things: (1) Entergy’s unwillingness or inability to keep its nose clean on NSC issues and (2) the NRC’s inscrutable decision making on when the plant’s NSC was either unsatisfactory or apparently “good enough.”
We will have to find someone else to pick on but don’t worry, there’s always some new issue popping up in NSC space. Perhaps we will go to France and focus on the current AREVA and Électricité de France imbroglio which was cogently summarized in a Power magazine editorial: “At the heart of France’s nuclear crisis are two problems. One concerns the carbon content of critical steel parts . . . manufactured or supplied by AREVA . . . The second problem concerns forged, falsified, or incomplete quality control reports about the critical components themselves.”** Anytime the adjectives “forged” or “falsified” appear alongside nuclear records, the NSC police will soon be on the scene.
Why do NSC issues keep arising in the nuclear industry? If NSC is so important, why do organizations still fail to fix known problems or create new problems for themselves? One possible answer is that such issues are the occasional result of the natural functioning of a low-tolerance, complex socio-technical system. In other words, performance may drift out of bounds in the normal course of events. We may not be able to predict where such issues will arise (although the missed warning signals will be obvious in retrospect) but we cannot reasonably expect they can be permanently eliminated from the system. In this view, an NSC can be acceptably strong but not 100% effective.
If they are intellectually honest, this is the implicit mental model that most NSC practitioners and “experts” utilize even though they continue to espouse the dogma that more engineering, management, leadership, oversight, training and sanctions can and will create an actual NSC that matches some ideal NSC. But we’ve known for years what an ideal NSC should look like, i.e., its attributes, and how responsibilities for creating and maintaining such a culture should be spread across a nuclear organization.*** And we’re still playing Whac-A-Mole.
At Safetymatters, we have promoted a systems view of NSC, a view that we believe provides a more nuanced and realistic view of how NSC actually works. Where does NSC live in our nuclear socio-technical system? Well, it doesn’t “live” anywhere. NSC is, to some degree, an emergent property of the system, i.e., it is visible because of the ongoing functioning of other system components. But that does not mean that NSC is only an effect or consequence. NSC is both a consequence and a cause of system behavior. NSC is a cause through the way it affects the processes that create hard artifacts, such as management decisions or the corrective action program (CAP), softer artifacts like the leadership exhibited throughout an organization, and squishy organizational attributes like the quality of hierarchical and interpersonal trust that permeates the organization like an ether or miasma.
Interrelationships and feedback loops tie NSC to other organizational variables. For example, if an organization fixes its problems, its NSC will appear stronger and the perception of a strong NSC will influence other organizational dynamics. This particular feedback loop is generally reinforcing but it’s not some superpower, as can be seen in a couple of problems nuclear organizations may face:
Why is a CAP ineffective? The NSC establishes the boundaries between the desirable, acceptable, tolerable and unacceptable in terms of problem recognition, analysis and resolution. But the strongest SC cannot compensate for inadequate resources from a plant owner, a systemic bias in favor of continued production****, a myopic focus on programmatic aspects (following the rules instead of searching for a true answer) or incompetence in plant staff.
Why are plant records falsified? An organization’s party line usually pledges that the staff will always be truthful with customers, regulators and each other. The local culture, including its NSC, should reinforce that view. But fear is always trying to slip in through the cracks—fear of angering the boss, fear of missing performance targets, fear of appearing weak or incompetent, or fear of endangering a plant’s future in an environment that includes the plant’s perceived enemies. Fear can overcome even a strong NSC.
Our Perspective
NSC is real and complicated but it is not mysterious. Most importantly, NSC is not some red herring that keeps us from seeing the true causes of underlying organizational performance problems. Safetymatters will continue to offer you the information and insights you need to be more successful in your efforts to understand NSC and use it as a force for better performance in your organization.
Your organization will not increase its performance in the safety dimension if it continues to apply and reprocess the same thinking that the nuclear industry has been promoting for years. NSC is not something that can be directly managed or even influenced independent of other organizational variables. “Leadership” alone will not fix your organization’s problems. You may protect your career by parroting the industry’s adages but you will not move the ball down the field without exercising some critical and independent thought.