Boeing’s Safety Culture Under the FAA’s Microscope

The Federal Aviation Administration (FAA) recently released its report* on the safety culture (SC) at Boeing.  The FAA Expert Panel was tasked with reviewing SC after two crashes involving the latest models of Boeing’s 737 MAX airplanes.  The January 2024 door plug blowout happened as the report was nearing completion and reinforces the report’s findings.

737 MAXX door plug

The report has been summarized and widely reported in mainstream media and we will not review all its findings and recommendations here.  We want to focus on two parts of the report that address topics we have long promoted as being keys to understanding how strong (or weak) an organization’s SC is, viz., an organization’s decision-making processes and executive compensation.  In addition, we will discuss a topic that’s new to us, how to ensure the independence of employees whose work includes assessing company work products from the regulator’s perspective.

Decision-making

An organization’s decision-making processes create some of the most visible artifacts of the organization’s culture: a string of decisions (guided by policies, procedures, and priorities) and their consequences.

The report begins with a clear FAA description of decision-making’s important role in a Safety Management System (SMS) and an organization’s overall management.  In part, an “SMS is all about decision-making. Thus it has to be a decision-maker's tool, not a traditional safety program separate and distinct from business and operational decision making.” (p. 10)

However, the panel’s finding on Boeing’s SMS is a mixed bag.  “Boeing provided evidence that it is using its SMS to evaluate product safety decisions and some business decisions. The Expert Panel’s review of Boeing’s SMS documentation revealed detailed procedures on how to use SMS to evaluate product safety decisions, but there are no detailed procedures on how to determine which business decisions affect safety or how they should be evaluated under SMS.” (emphasis added) (p. 35)

The associated recommendation is “Develop detailed procedures to determine which business activities should be evaluated under SMS and how to evaluate those decisions.” (ibid.)  We think the recommendation addresses the specific problem identified in the finding.

One of the major inputs to a decision-making system is an organization’s priorities.  The FAA says safety should always be the top priority but Boeing’s commitment to safety has arguably weakened over time.

“Boeing provided the Expert Panel with a copy of the Boeing Safety Management System Policy, dated April 2022, which states, in part, “… we make safety our top priority.” Boeing revised this policy in August 2023 with . . .  a change to the message “we make safety our top priority” to “safety is our foundation.”” (p. 29)

Lowering the bar did not help.  “The [Expert] panel observed documentation, survey responses, and employee interviews that did not provide objective evidence of a foundational commitment to safety that matched Boeing’s descriptions of that objective.” (p. 22)

Boeing also created seeds of confusion for its safety decision makers.  Boeing implemented its SMS to operate alongside (and not replace or integrate with) its existing safety program.

“During interviews, Boeing employees highlighted that SMS implementation was not to disrupt existing safety program or systems.  SMS operating procedure documents spoke of SMS as the overarching safety program but then also provided segregation of SMS-focused activities from legacy safety activities . . .” (p. 24)

Executive compensation

We have long said that if safety performance is important to an organization then their senior managers’ compensation should have a safety performance-related component. 

Boeing has included safety in its executive financial incentive program.  Safety is one of five factors comprising operational performance which, in turn, is combined with financial performance to determine company-level performance.  Because of the weights used in the incentive model, “The Product Safety measure comprised approximately 4% of the overall 2022 Annual Incentive Award.” (p. 28)

Is 4% enough to influence executive behavior?  You be the judge.

Employee independence from undue management influence   

Boeing’s relationship with the FAA has an aspect that we don’t see in other industries. 

Boeing holds an Organization Designation Authorization (ODA) from the FAA. This allows Boeing to “make findings and issue certificates, i.e., perform discretionary functions in engineering, manufacturing, operations, airworthiness, or maintenance on behalf of the [FAA] Administrator.” (p. 12)

Basically, the FAA delegates some of its authority to Boeing employees, the ODA Unit Members (UMs), who then perform certain assessment and certification tasks.  “When acting as a representative of the Administrator, an individual is required to perform in a manner consistent with the policies, guidelines, and directives of the FAA. When performing a delegated function, an individual is legally distinct from, and must act independent of, the ODA holder.” (ibid.)  These employees are supposed to take the FAA’s view of situations and apply the FAA’s rules even if the FAA’s interests are in conflict with Boeing’s business interests. 

This might work in a perfect world but in Boeing’s world, it’s had and has problems, primarily “Boeing’s restructuring of the management of the ODA unit decreased opportunities for interference and retaliation against UMs, and provides effective organizational messaging regarding independence of UMs. However, the restructuring, while better, still allows opportunities for retaliation to occur, particularly with regards to salary and furlough ranking.” (emphasis added) (p. 5)  In addition, “The ability to comply with the ODA’s approved procedures is present; however, the integration of the SMS processes, procedures, and data collection requirements has not been accomplished.” (p. 26)

To an outsider, this looks like bad organizational design and practices. 

The U.S. commercial nuclear industry offers a useful contrast.  The regulator (Nuclear Regulatory Commission) expects its licensees to follow established procedures, perform required tests and inspections, and report any problems to the NRC.  Self-reporting is key to an effective relationship built on a base of trust.  However, it’s “trust but verify.”  The NRC has their own full-time employees in all the power plants, performing inspections, monitoring licensee operations, and interacting with licensee personnel.  The inspectors’ findings can lead, and have led, to increased oversight of licensee activities by the NRC.

Our perspective

It’s obvious that Boeing has emphasized production over safety.  The problems described above are evidence of broad systemic issues which are not amenable to quick fixes.  Integrating SC into everyday decision-making is hard work of the “continuous improvement” variety; it will not happen by management fiat.  Adjusting the compensation plan will require the Board to take safety more seriously.  Reworking the ODA program to eliminate all pressures and goal conflicts may not be possible; this is a big problem because the FAA has effectively deputized 1,000 people to perform FAA functions at Boeing. (p. 25)

The report only covers the most visible SC issues.  Complacency, normalization of deviation, the multitude of biases that can affect decision-making, and other corrosive factors are perennial threats to a strong SC and can affect “the natural drift in organizations.” (p. 40)  Such drift may lead to everything from process inefficiencies to tragic safety failures.

Boeing has taken one step: they fired the head of the 737 MAX program.**  Organizations often toss a high-level executive into a volcano to appease the regulatory gods and buy some time.  Boeing’s next challenge is that the FAA has given Boeing 90 days to fix its quality problems highlighted by the door plug blowout.***

Bottom line: Grab your popcorn, the show is just starting.  Boeing is probably too big to fail but it is definitely going to be pulled through the wringer. 

*  “Section 103Organization Designation Authorizations (ODA) for Transport Airplanes Expert Panel Review Report,” Federal Aviation Administration (Feb. 26, 2024). 

**  N. Robertson, “Boeing fires head of 737 Max program,” The Hill (Feb. 21, 2024).

***  D. Shepardson and V. Insinna, “FAA gives Boeing 90 days to develop plan to address quality issues,” Reuters (Feb. 28, 2024).

IAEA Working Paper on Safety Culture Traits and Attributes

Working paper cover

The International Atomic Energy Agency (IAEA) has released a working paper* that attempts to integrate (“harmonize”) the efforts by several different entities** to identify and describe desirable safety culture (SC) traits and attributes.  The authors have also tried to make the language of SC less nuclear power specific, i.e., more general and thus helpful to other fields that deal with ionizing radiation, such as healthcare.  Below we list the 10 traits and highlight the associated attributes that we believe are most vital for a strong SC.  We also offer our suggestions for enhancing the attributes to broaden and strengthen the associated trait’s presence in the organization.

Individual Responsibility 

All individuals associated with an organization know and adhere to its standards and expectations.  Individuals promote safe behaviors in all situations, collaborate with other individuals and groups to ensure safety, and “accept the value of diverse thinking in optimizing safety.”

We applaud the positive mention of “diverse thinking.”  We also believe each individual should have the duty to report unsafe situations or behavior to the appropriate authority and this duty should be specified in the attributes.

Questioning Attitude 

Individuals watch for anomalies, conditions, behaviors or activities that can adversely impact safety.  They stop when they are uncertain and get advice or help.  They try to avoid complacency.  “They understand that the technologies are complex and may fail in unforeseen ways . . .” and speak up when they believe something is incorrect.

Acknowledging that technology may “fail in unforeseen ways” is important.  Probabilistic Risk Assessments and similar analyses do not identify all the possible ways bad things can happen. 

Communication

Individuals communicate openly and candidly throughout the organization.  Communication with external organizations and the public is accurate.  The reasons for decisions are communicated.  The expectation that safety is emphasized over competing goals is regularly reinforced.

Leader Responsibility

Leaders place safety above competing goals, model desired safety behaviors, frequently visit work areas, involve individuals at all levels in identifying and resolving issues, and ensure that resources are available and adequate.

“Leaders ensure rewards and sanctions encourage attitudes and behaviors that promote safety.”  An organization’s reward system is a hot button issue for us.  Previous SC framework documents have never addressed management compensation and this one doesn’t either.  If SC and safety performance are important then people from top executives to individual workers should be rewarded (by which we mean paid money) for doing it well.

Leaders should also address work backlogs.  Backlogs send a signal to the organization that sub-optimal conditions are tolerated and, if such conditions continue long enough,  are implicitly acceptable.  Backlogs encourage workarounds and lack of attention to detail, which will eventually create challenges to the safety management system.  

Decision-Making

“Individuals use a consistent, systematic approach to evaluate relevant factors, including risk, when making decisions.”  Organizations develop the ability to adapt in anticipation of unforeseen situations where no procedure or plan applies.

We believe the decision making process should be robust, i.e., different individuals or groups facing the same issue should come up with the same or an equally effective solution.  The organization’s approach to decision making (goals, priorities, steps, etc.) should be documented to the extent practical.  Robustness and transparency support efficient, effective communication of the reasons for decisions.

Work Environment 

“Trust and respect permeate the organization. . . . Differing opinions are encouraged, discussed, and thoughtfully considered.”

In addition, senior managers need to be trusted to tell the truth, do the right things, and not sacrifice subordinates to evade the managers’ own responsibilities.

Continuous Learning 

The organization uses multiple approaches to learn including independent and self-assessments, lessons learned from their own experience, and benchmarking other organizations.

Problem Identification and Resolution

“Issues are thoroughly evaluated to determine underlying causes and whether the issue exists in other areas. . . . The effectiveness of the actions is assessed to ensure issues are adequately addressed. . . . Issues are analysed to identify possible patterns and trends. A broad range of information is evaluated to obtain a holistic view of causes and results.”

This is good but could be stronger.  Leaders should ensure the most knowledgeable individuals, regardless of their role or rank, are involved in addressing an issue. Problem solvers should think about the systemic relationships of issues, e.g., is an issue caused by activity in or feedback from some other sub-system, the result of a built-in time delay, or performance drift that exceeded the system’s capacities?  Will the proposed fix permanently address the issue or is it just a band-aid?

Raising Concerns

The organization encourages personnel to raise safety concerns and does not tolerate harassment, intimidation, retaliation or discrimination for raising safety concerns. 

This is the essence of a Safety Conscious Work Environment and is sine qua non for any high hazard undertaking.

Work Planning 

“Work is planned and conducted such that safety margins are preserved.”

Our Perspective

We have never been shy about criticizing IAEA for some of its feckless efforts to get out in front of the SC parade and pretend to be the drum major.***  However, in this case the agency has been content, so far, to build on the work of others.  It’s difficult for any organization to develop, implement, and maintain a strong, robust SC and the existence of many different SC guidebooks has never been helpful.  This is one step in the right direction.  We’d like to see other high hazard industries, in particular healthcare organizations such as hospitals, take to heart SC lessons learned from the nuclear industry.

Bottom line: This concise paper is worth checking out.


*  IAEA Working Document, “A Harmonized Safety Culture Model” (May 5, 2020).  This document is not an official IAEA publication.

**  Including IAEA, WANO, INPO, and government institutions from the United States, Japan, and Finland.

***  See, for example, our August 1, 2016 post on IAEA’s document describing how to perform safety culture self-assessments.  Click on the IAEA label to see all posts related to IAEA.

Any Lessons for Nuclear Safety Culture from VW’s Initiative to Improve Its Compliance Culture?

VW Logo (Source: Wikipedia)

The Wall Street Journal (WSJ) recently published an interview* with the head of the new compliance department in Volkswagen’s U.S. subsidiary.  The new executive outlined the department’s goals and immediate actions related to improving VW’s compliance culture.  They will all look familiar to you, including a new organization (headed by a former consultant) reporting directly to the CEO and with independent access to the board; mandatory compliance training; a new code of conduct; and developing a questioning attitude among employees.  One additional attribute deserves a brief expansion.  VW aims to improve employees’ decision making skills.  We’re not exactly sure what that means but if it includes providing more information about corporate policies and legal, social and regulatory expectations (in other words, the context of decisions) then we approve.

Our Perspective 

These interventions could be from a first generation nuclear safety culture (NSC) handbook on efforts to demonstrate management interest and action when a weak culture is recognized.  Such activities are necessary but definitely not sufficient to strengthen culture.  Some specific shortcomings follow.

First, the lack of reflection.  When asked about the causes of VW’s compliance failures, the executive said “I can’t speculate on the failures . . .”  Well, she should have had something to say on the matter, even party line bromides.  We’re left with the impression she doesn’t know, or care, about the specific and systemic causes of VW’s “Dieselgate” problems that are costing the company tens of billions of dollars.  After all, this interview was in the WSJ, available to millions of critical readers, not some trade rag.

Second, the trust issue.  VW wants employees who can be trusted by the organization, presumably to do “the right thing” as they go about their business.  That’s OK but it’s even more important to have senior managers who can be trusted to do the right thing.  This is especially relevant for VW because it’s pretty clear the cheating problems were tolerated, if not explicitly promoted, by senior management; in other words, there was a top-down issue in addition to lower-level employee malfeasance.

Next, the local nature of the announced interventions.  The new compliance department is for VW-USA only.  The Volkswagen Group of America includes one assembly plant, sales and maintenance support functions, test centers and VW’s consumer finance entity.  It’s probably safe to say that VW’s most important decisions regarding corporate practices and product engineering are made in Wolfsburg, Lower Saxony and not Herndon, Virginia.

Finally, the elephant in the room.  There is no mention of VW’s employee reward and recognition system or the senior management compensation program.  We have long argued that employees focus on actions that will secure their jobs (and perhaps lead to promotions) while senior managers focus on what they’re being paid to accomplish.  For the latter group in the nuclear industry, that’s usually production with safety as a should-do but with little, if any, money attached.  We don’t believe VW is significantly different.

Bottom line: If this WSJ interview is representative of the auto industry’s understanding of culture, then once again nuclear industry thought leaders have a more sophisticated and complete grasp of cultural dynamics and nuances.

We have commented before on the VW imbroglio.  See our Dec. 20, 2015 and May 31, 2016 posts or click on the VW label.


*B. DiPietro, “Working to Change Compliance Culture at Volkswagen,” Wall Street Journal (Nov. 16, 2017).

Nuclear Safety Culture (and Other) Problems in the U.S. Nuclear Weapons Complex

Los Alamos  Source: LANL

The Center for Public Integrity (CPI) has published a five-part report on safety lapses in the U.S. nuclear weapons complex—an array of facilities overseen by the Department of Energy (DOE).*  Overall, the report paints a picture of a challenged and arguably weak safety culture (SC).  Following is a summary of the report and our perspective on it.

Part I traces the history of radioactive criticality incidents (which have resulted in human fatalities) and near-misses at Los Alamos National Laboratory (LANL).  Analysis and production of plutonium pits, essential for maintaining the U.S. nuclear weapons inventory, has been halted for years because of concerns over safety issues.  In addition, almost all members of the site’s criticality analysis team quit over inadequate management support for the team’s efforts.

Part II discusses in more detail the impacts of the LANL shutdown.  Most significant, from our perspective, is a 2013 report that said “Management has not yet fully embraced its commitment to criticality safety.”  The 2013 report “also listed nine weaknesses in the lab’s safety culture that were rooted in a “production focus” to meet work deadlines. Workers say these deadlines are typically linked to financial bonuses.”

Speaking of bonuses, although the plant was not working, the contractors were judged to have exceeded expectations in getting ready to restart.  Accordingly, the contractors “received 74 percent or $10.7 million of the $14.4 million in profits available to them from the NNSA in the category that includes pit production and surveillance”

Part III covers incidents at other facilities and cultural shortcomings in the weapons complex.  It is the meatiest section of the report.  Most of the unfortunate events were industrial accidents (electric shocks, explosions, burns) but the nuclear hazard is always nearby because of the nature of the work.  Occasionally the nuclear factor is key, e.g., when LANL improperly packed a drum of waste they shipped to the Waste Isolation Pilot Plant where it exploded or when Nevada National Security Site personnel inhaled radioactive particles

This section captures the key point of the entire report: the DOE contractors make a lot of money ($2B in profit over the last 10 years), the financial rewards for safety are minimal and the financial penalties for accidents and such are minimal (1-3% of profits) and often waived.

Part IV details a 2014 incident in Nevada where over 30 personnel inhaled potentially cancer-causing uranium particles during laboratory experiments over a two-month period.  The researchers were annoyed by radiation alarms so they switched them off (which also turned off a safety ventilation system).  This was a self-inflicted wound that suggests a weak SC.

Part V focuses on a radiation exposure accident at the Idaho National Laboratory.  The accident occurred even though years before, the head of the safety committee had warned DOE managers about the hazards of handling the specific material involved in the accident.  The lab contractor made 92% of its contractually available profit that year.  The contractor has petitioned DOE to reimburse the contractor’s litigation expenses (including payouts to affected employees) associated with the accident.

NNSA’s Response

The National Nuclear Security Administration (NNSA) is a semi-autonomous agency within DOE that oversees U.S. nuclear weapons work.  In a statement** responding to the CPI report, the NNSA Administrator basically says the CPI report is incomplete and misleading with respect to LANL.  Unsurprisingly, he starts with “Safety is paramount . . . . [CPI] attacks the safety culture at . . .  (LANL) without offering all of the facts and the full context.”  However, he does not directly refute the CPI report, instead he provides the NNSA’s version of history: LANL paused operations because of concerns with the criticality safety program. Since then, “LANL has increased criticality safety staffing and demonstrated improvements in its performance of operational tasks.”  NNSA has withheld $82 million in fee payments to LANL.  Finally, LANL maintained its ability to fulfill its mission during the pause in operations.  Alternative facts?  You be the judge. 

Our Perspective 

The DOE says it wants safe production but is not willing to wield the hammer (higher financial incentives for safety and more penalties for unsafety) to drive that outcome.  In addition, DOE, constrained by Congress (which is bowing to their defense industry contributors), appears to deliberately understaff their own auditors and other procurement officials so they are unable to surface too many embarrassing problems. 

The contractors are rational.  They understand that production is the primary goal and they accept that bad things will occasionally happen in a hazardous environment.  They know they will make their profits no matter what happens, including facility shutdowns, because they can get paid for fixing problems they helped to create.

The CPI report is not shocking to us and it shouldn’t be to you.  (Click on the DOE label to see our many posts on DOE SC.)  It merely documents what has been, and continues to be, business as usual at nuclear weapons facilities.  If you can tolerate the overwrought writing, Part III is worth a look.           


*  The Center for Public Integrity, “Nuclear Negligence” (June 28, 2017).  Retrieved July 5, 2017.  According to Wikipedia, CPI “is an American nonprofit investigative journalism organization . . .”

The report describes problems at the Idaho National Laboratory and some NNSA facilities.  Overall, NNSA oversees eight sites that are involved with nuclear weapons: Kansas City National Security Campus (non-nuclear component manufacture), Lawrence Livermore National Laboratory (weapon design), Los Alamos National Laboratory (design and testing), Nevada National Security Site (testing), Pantex Plant (weapon assembly and disassembly), Sandia National Laboratories (non-nuclear component design), Savannah River Site (nuclear materials) and Y-12 National Security Complex (uranium components).

**  “Klotz Responds To Center For Public Integrity's Series On Safety Culture At NNSA Sites,” Los Alamos Daily Post (June 20, 2017).  Retrieved July 10, 2017

Canadian Draft Regulation on Nuclear Safety Culture

Draft REGDOC cover

The Canadian Nuclear Safety Commission (CNSC) has published a draft regulatory document REGDOC-2.1.2, “Safety Culture” for comment*  The REGDOC will be a requirement for nuclear power plants and provide guidance for other nuclear entities and activities.  

The REGDOC establishes “requirements and guidance for fostering and assessing safety culture.” (p. 1)  The CNSC’s purpose is to promote a healthy safety culture (SC) which they say “is a key factor in reducing the likelihood of safety-related events and mitigating their potential impact, and in continually improving safety performance.” (ibid.)

Section 2 specifies five characteristics of a healthy SC: Safety is a clearly recognized value, accountability for safety is clear, a learning organization is built around safety, safety is integrated into all activities in the organization, and a safety leadership process exists in the organization.  For each characteristic, the document lists observable indicators. 

Sections 3 and 4 describe how licensees should perform SC assessments.  Specifically, assessments should be empirical, valid, practical and functional.  Each of these three characteristics is fleshed out with relevant criteria.  The document goes on to discuss the mechanics of performing assessments: developing a communications strategy, defining the assessment framework, selecting team members, planning and conducting assessments, developing findings and recommendations, writing reports, etc.

Our Perspective

The REGDOC is clear and relatively brief.  None of the content is controversial or even new; the document is based on multiple International Atomic Energy Agency (IAEA) publications.  (14 of 15 references in the document are from IAEA.  The “Additional Information” page includes items from INPO, NEI and WANO.)

Here’s how the REGDOC addresses SC topics that are important to us:

Decision making - Satisfactory

The introduction to the SC characteristics says “The highest level of governing documentation should make safety the utmost priority – overriding the demands of production and project schedules . . .” (p. 4)  The specific SC indicators include “Timely decisions are made that reflect the value and relative priority placed on safety.” (ibid.)  “Workers are involved in risk assessment and decision-making processes.” (p. 5)  “A proactive and long-term approach to safety is demonstrated in decision making.” (p. 6)  We would have liked a more explicit treatment of safety-production-cost goal conflict but what the CNSC has included is OK.

Taking a systems view of SC - Unacceptable

This topic is only mentioned in a table of SC maturity model indicators that is in an appendix to the REGDOC.  The links between SC and other important organizational attributes must be inferred from the observable indicators.  There is no discussion of the interrelationship between SC and other important organizational attributes, e.g., the safety conscious work environment, management’s commitment to safety, or workers’ trust in management to do the right thing.

Rewards and compensation - Unacceptable 

The discussion is limited to workers.  What about senior management compensation and incentives?  How much are senior managers paid, if anything, for establishing and maintaining a healthy SC?

The discussion on performing assessments refers several times to a SC maturity model that is appended to the REGDOC.  The model has three stages of organizational maturity—requirement driven, goal driven and continually improving, along with specific observable behaviors associated with each stage.  The model can be used to “describe and interpret the organization’s safety culture, . . .” (p. 10)  Nowhere does the REGDOC explicitly state that stage 3 (a continually improving organization) is the desired configuration.  This is a glaring omission in the REGDOC.

Bottom line: If you keep up with IAEA’s SC-related publications, you don’t need to look at this draft REGDOC which adds zero value to our appreciation or understanding of SC.


*  Canadian Nuclear Safety Commission, draft regulatory document REGDOC-2.1.2, “Safety Culture” (Sept. 2016).  The CNSC is accepting public comments on the document until Jan. 31, 2017.

Korean Perspective on Nuclear Safety Culture

Republic of Korea flag

We recently read two journal articles that present the Korean perspective on nuclear safety culture (NSC), one from a nuclear research institute and the other from the Korean nuclear regulator.  Selected highlights from each article are presented below, followed by our perspective on the articles’ value.

Warning:  Although the articles are in English, they were obviously translated from Korean, probably by a computer, and the translation is uneven.  However, the topics and references (including IAEA, NRC, J. Reason and Schein) will be familiar to you so with a little effort you can usually figure out what the authors are saying.

Korean NSC Situation and Issues*

The author is with the Korea Atomic Energy Research Institute.  He begins by describing a challenge facing the nuclear industry: avoiding complacency (because plant performance has been good) when the actual diffusion of NSC attributes among management and workers is unknown and major incidents, e.g., Fukushima, point to deficient NSC has a major contributor.  One consequence of this situation is that increased regulatory intervention in licensee NSC is a clear trend. (pp. 249, 254)

However, different countries have differing positions on how to intervene in or support NSC because (1) the objectification of an essentially qualitative factor is necessarily limited and (2) they fear diluting the licensee’s NSC responsibilities and/or causing unintended consequences. 

The U.S. NRC’s NSC history is summarized, including how NSC is addressed in the Reactor Oversight Process and relevant supplemental inspection procedures.  The author’s perception is “If safety culture vulnerability is judged to seriously affect the safety of a nuclear power plant, NRC orders the suspension of its operation, based on the judgment.” (p. 254)  In addition, the NRC has “developed and has been applying a licensee safety culture oversight program, based on site-stationed inspector's observation and assessment . . .” (ibid.)

The perception that the NRC would shut down a plant over NSC issues is a bit of a stretch.  While the agency is happy to pile on over NSC shortcomings when a plant has technical problems (see our June 16, 2016 post on ANO) it has also wrapped itself in knots to rationalize the acceptability of plant NSC in other cases (see our Jan. 30, 2013 post on Palisades).   

There is a passable discussion of the methods available for assessing NSC, ranging from observing top management leadership behavior to taking advantage of “Big data” approaches.  However, the author cautions against reliance on numeric indicators; they can have undesirable consequences.  He observes that Europe has a minimal number of NSC regulations while the U.S. has none.  He closes with recommendations for the Korean nuclear industry.

Regulatory Oversight of NSC**

The authors are with the Korea Institute of Nuclear Safety, the nuclear regulatory agency.  The article covers their philosophy and methods for regulating NSC.  It begins with a list of challenges associated with NSC regulatory oversight and a brief review of international efforts to date.  Regulatory approaches include monitoring onsite vulnerabilities (U.S.), performing standard reviews of licensee NSC evaluations (Canada, Korea) and using NSC indicators (Germany, Finland) although the authors note such indicators do not directly measure NSC. (pp. 267-68)

In the Korean view, the regulator should perform independent oversight but not directly intervene in licensee activities.  NSC assessment is separate and different from compliance-based inspection, requires effective two-way communications (i.e., a common language) and aims at creating long-term continuous improvement. (pp. 266-67)  Their NSC model uses a value-neutral definition of NSC (as opposed to strong vs. weak); incorporates Schein’s three levels; includes individuals, the organization and leaders; and emphasizes the characteristics shared by organization members.  It includes elements from IAEA GSR Part 2, the NRC, J. Reason's reporting culture, DOE, INPO, just culture and Korea-specific concerns about economics trumping safety. (pp. 268-69)***

In the detailed description of the model, we were pleased to see “Incentives, sanctions, and rewards correspond to safety competency of individuals.”  (p. 270)  An organization’s reward system has always been a hot-button issue for us; all nuclear organizations claim to value NSC, few are willing to pay for achieving or maintaining it.  Click the “Compensation” label to see all our posts on this topic.

The article presents a summary of an exercise to validate the model, i.e., link model components to actual plant safety performance.  The usual high-level mumbo-jumbo is not helped by the rough spots in the translation.  Inspection results, outage rates, scrams, incidents, unplanned shutdowns and radiation doses were claimed to be appropriately correlated with NSC model components.

There should be no surprise that the model was validated.  Getting a “right” answer is obviously good for the regulator.  We routinely express some skepticism over studies that validate models when we can’t see the actual data and we don’t know if the analysis was independently reviewed by anyone who actually understands or cares about the subject matter.

During the pilot study, several improvement areas in Korean NPP's safety culture were identified.  The approach has not been permanently installed.

Our Perspective

These articles are worth reading just to get a different, i.e., non-U.S., perspective on regulatory evaluation of (and possible intervention in) licensee SC.  It’s also worthwhile to get a non-U.S. perspective on what they think is going on in U.S. nuclear regulatory space.  Their information sources probably include a June 2015 NRC presentation to Korean regulators referenced in our Aug. 24, 2015 post.  

It’s interesting that Europe has some regulations that focus on ongoing communications with the licensees.  In contrast, the U.S. has no regulations but an approach that can stretch like a cheap blanket to cover all possible licensee situations.

Afterword

We haven’t posted for awhile.  It’s not because we’ve lost interest but there hasn’t been much worth reporting.  The big nuclear news in the U.S. is not about NSC, rather it’s about plants being scheduled for shutdown because of their economics.  International information sources have not been offering up much either.  For example, the LinkedIn NSC forum has pretty much dried up except for recycled observations and consultants’ self-serving white papers.


*  Y-H Lee, “Current Status and Issues of Nuclear Safety Culture,” Journal of the Ergonomics Society of Korea vol. 35 no. 4 (Aug 2016) 247-261.

**  YS Choi, SJ Jung and YH Chung, “Regulatory Oversight of Nuclear Safety Culture and the Validation Study on the Oversight Model Components,” Journal of the Ergonomics Society of Korea vol. 35 no. 4 (Aug 2016) 263-275.

***  Korea has had problems, mentioned in both articles, caused by deficient NSC.  Also see our Aug. 7, 2013 post for related information.

The Criminalization of Safety (Part 3)

Our Perspective

The facts and circumstances of the events described in Table 1 in Part 1 point to a common driver - the collision of business and safety priorities, with safety being compromised.  Culture is inferred as the “cause” in several of the events but with little amplification or specifics.^[1]  The compromises in some cases were intentional, others a product of a more complex rationalization.  The events have been accompanied by increased criminal prosecutions with varied success. 

We think it is fair to say that so far, criminalization of safety performance does not appear to be an effective remedy.  Statutory limitations and proof issues are significant limitations with no easy solution. The reality is that criminalization is at its core a “disincentive”.  To be effective it would have to deter actions or decisions that are not consistent with safety but not create a minefield of culpability.  It is also a blunt instrument requiring rather egregious behavior to rise to the level of criminality.  Its best use is probably as an ultimate boundary, to deter intentional misconduct but not be an unintended trap for bad judgment or inadequate performance.  In another vein, criminalization would also seem incompatible with the concept of a “just culture” other than for situations involving intentional misconduct or gross negligence.

Whether effective or not, criminalization reflects the urgency felt by government authorities to constrain excessive risk taking, intentional or not, and enhance oversight.  It is increasingly clear that current regulatory approaches are missing the mark.  All of the events catalogued in Table 1 occurred in industries that are subject to detailed safety and environmental regulation.  After the fact assessments highlight missed opportunities for more assertive regulatory intervention, and in the Flint cases there are actual criminal charges being applied to regulators.  The Fukushima event precipitated a complete overhaul of the nuclear regulatory structure in Japan, still a work in progress.  Post hoc punishments, no matter how severe, are not a substitute.

Nuclear Regulation Initiatives

Looking specifically at nuclear regulation in the U.S. we believe several specific reforms should be considered. It is always difficult to reform without the impetus of a major safety event, but we could see these actions as ones that could appear obvious in a post-event assessment if there was ever an “O-ring” moment in the nuclear industry.^[2]

1. The NRC should include the safety management system in its regulatory activities.

The NRC has effectively constructed a cordon sanitaire around safety management by decreeing that “management” is beyond the scope of regulation.  The NRC relies on the fact that licensees bear the primary responsibility for safety and the NRC should not intrude into that role.  If one contemplates the trend of recent events scrutinizing the performance of regulators following safety events, this legalistic “defense” may not fare well in a situation where more intrusive regulation could have made the difference.

The NRC does monitor “safety culture” and often requires licensees to address weaknesses in culture following performance issues.  In essence safety culture has become an anodyne for avoiding direct confrontation of safety management issues.  Cynically one could say it is the ultimate conspiracy - where regulators and “stakeholders” come together to accept something that is non-contentious and conveniently abstract to prevent a necessary but unwanted (apparently by both sides) intrusion into safety management.

As readers of this blog know, our unyielding focus has been on the role of the complex socio-technical system that functions within a nuclear organization to operate nuclear plants effectively and safely.  This management system includes many drivers, variables, feedbacks, culture, and time delays in its processes, not all of which are explicit or linear.  The outputs of the system are the actions and decisions that ultimately produce tangible outcomes for production and safety.  Thus it is a safety system and a legitimate and necessary area for regulation.

NRC review of safety management need not focus on traditional management issues which would remain the province of the licensee.  So organizational structure, personnel decisions, etc. need not be considered.^[3]  But here we should heed the view of Daniel Kahneman where he suggests we think of organizations as “factories for producing decisions” and therefore, think of decisions as a product.  (See our Nov. 4,2011 post, A Factory for Producing Decisions.)  Decisions are in fact the key product of the safety management system.  Regulatory focus on how the management system functions and the decisions it produces could be an effective and proactive approach.

We suggest two areas of the management system that could be addressed as a first priority: (1) Increased transparency of how the management system produces specific safety decisions including the capture of objective data on each such decision, and (2) review of management compensation plans to minimize the potential for incentives to promote excessive risk taking in operations.

2. The NRC should require greater transparency in licensee management decisions with potential safety impacts.

Managing nuclear operations involves a continuum of decisions balancing a variety of factors including production and safety.  These decisions may occur with individuals or with larger groups in meetings or other forums.  Some may involve multiple reviews and concurrences.  But in general the details of decision making, i.e., how the sausage is made, are rarely captured in detail during the process or preserved for later assessment.^[4]  Typically only decisions that happen to yield a bad outcome (e.g., prompt the issuance of an LER or similar) become subject to more intensive review and post mortem.  Or actions that require specific, advance regulatory approval and require an SER or equivalent.^[5]  

Transparency is key.  Some say the true test of ethics is what people do when no one is looking.  Well the converse of that may also be true - do people behave better when they know oversight is or could be occurring?  We think a lot of the NRC’s regulatory scheme is already built on this premise, relying as it does on auditing licensee activities and work products.

Thinking back to the Davis Besse example, the criminal prosecutions of both the corporate entity and individuals were limited to providing false or incomplete information to the NRC.  There was no attempt to charge on the basis of the actual decisions to propose, advocate for, and attempt to justify, that the plant could continue to operate beyond the NRC’s specified date for corrective actions.  The case made by First Energy was questionable as presented to the NRC and simply unjustified when accounting for the real facts behind their vessel head inspections.

Transparency would be served by documenting and preserving the decision process on safety significant issues.  These data might include the safety significance and applicable criteria, the potential impact on business performance (plant output, cost, schedule, etc), alternatives considered, and the participants and their inputs to the decision making process, and how a final decision was reached.   These are the specifics that are so hard or impossible to reproduce after the fact.^[6]  The not unexpected result: blaming someone or something but not gaining insight into how the management system failed.

This approach would provide an opportunity for the NRC to audit decisions on a routine basis.  Licensee self assessment would also be served through safety committee review and other oversight including INPO.  Knowing that decisions will be subject to such scrutiny also can promote careful balancing of factors in safety decisions and serve to articulate how those balances are achieved and safety is served.  Having such tangible information shared throughout the organization could be the strongest way to reinforce the desired safety culture.

3. As part of its regulation of the safety management system, the NRC should restrict incentive compensation for nuclear management that is based on meeting business goals.

We started this series of posts focusing on criminalization of safety.  One of the arguments for more aggressive criminalization is essentially to offset the powerful pull of business-based incentives with the fear of criminal sanctions.  This has proved to elusive.  Similarly attempting to balance business incentives with safety incentives also is problematic.  The Transocean experience illustrates that quite vividly.^[7]

Our survey several years ago of nuclear executive compensation indicated (1) the amounts of compensation are very significant for the top nuclear executives, (2) the compensation is heavily dependent on each year’s performance, and (3) business performance measured by EPS is the key to compensation, safety performance is a minor contributor.  A corollary to the third point might be that in no cases that we could identify was safety performance a condition precedent or qualification for earning the business-based incentives. (See our July 9, 2010 post, Nuclear Management Compensation (Part 2)).  With 60-70% of total compensation at risk, executives can see their compensation, and that of the entire management team, impacted by as much as several million dollars in a year.  Can this type of compensation structure impact safety?  Intuition says it creates both risk and a perception problems.  Virtually every significant safety event in Table 1 has reference to the undue influence of production priorities on safety.  The issue was directly raised in at least one nuclear organization^[8] which revised its compensation system to avoid undermining safety culture. 

We believe a more effective approach is to minimize the business pressures in the first place.  We believe there is a need for a regulatory policy that discourages or prohibits licensee organizations from utilizing significant incentives based on financial performance.  Such incentives invariably target production and budget goals as they are fundamental to business success.  To the extent safety goals are included they are a small factor or based on metrics that do not reflect fundamental safety.  Assuring safety is the highest priority is not subject to easily quantifiable and measurable metrics - it is judgmental and implicit in many actions and decisions taken on a day-to-day basis at all levels of the organization.  Organizations should pay nuclear management competitively and generously and make informed judgments about their overall performance.

Others have recognized the problem and taken similar steps to address it.  For example, in the aftermath of the financial crisis of 2008 the Federal Reserve Board has been doing some arm twisting with U.S. financial services companies to adjust their executive compensation plans - and those plans are in fact being modified to cap bonuses associated with achieving performance goals. (See our April 25, 2013 post, Inhibiting Excessive Risk Taking by Executives.)

Nick Taleb (of Black Swan fame) believes that bonuses provide an incentive to take risks.  He states, “The asymmetric nature of the bonus (an incentive for success without a corresponding disincentive for failure) causes hidden risks to accumulate in the financial system and become a catalyst for disaster.”  Now just substitute “nuclear operations” for “the financial system”.

Central to Taleb’s thesis is his belief that management has a large informational advantage over outside regulators and will always know more about risks being taken within their operation. (See our Nov. 9, 2011 post, Ultimate Bonuses.)  Eliminating the force of incentives and providing greater transparency to safety management decisions could reduce risk and improve everybody’s insight into those risks deemed acceptable.

Conclusion

In industries outside the commercial nuclear space, criminal charges have been brought for bad outcomes that resulted, at least in part, from decisions that did not appropriately consider overall system safety (or, in the worst cases, simply ignored it.)  Our suggestions are intended to reduce the probability of such events occurring in the nuclear industry.

---

^[1] It raises the question whether anytime business priorities trump safety it is a case of deficient culture.  We have argued in other blog posts that sufficiently high business or political pressure can compromise even a very strong safety culture.  So reflexive resort to safety culture may be easy but not be very helpful.

^[2] Credit to Adam Steltzner author of The Right Kind of Crazy recounting his and other engineers’ roles in the design of the Mars rovers.  His reference is to the failure of O-ring seals on the space shuttle Challenger.

^[3] We do recognize that there are regulatory criteria for general organizational matters such as for the training and qualification of personnel. 

^[4] In essence this creates a “safe harbor” for most safety judgments and to which the NRC is effectively blind.

^[5] In Davis Besse much of the “proof” that was relied on in the prosecutions of individuals was based on concurrence chains for key documents and NRC staff recollections of what was said in meetings.  There was no contemporaneous documentation of how First Energy made its threshold decision that postponing the outage was acceptable, who participated, and who made the ultimate decision.  Much was made of the fact that management was putting great pressure on maintaining schedule but there was no way to establish how that might have directly affected decision making.

^[6] Kahneman believes there is “hindsight bias”.  Hindsight is 20/20 and it supposedly shows what decision makers could (and should) have known and done instead of their actual decisions that led to an unfavorable outcome, incident, accident or worse.  We now know that when the past was the present, things may not have been so clear-cut.  See our Dec.18, 2013 post, Thinking, Fast and Slow by Daniel Kahneman.

^[7] Transocean, owner of the Deepwater Horizon oil rig, awarded millions of dollars in bonuses to its executives after “the best year in safety performance in our company’s history,” according to an annual report…’Notwithstanding the tragic loss of life in the Gulf of Mexico, we achieved an exemplary statistical safety record as measured by our total recordable incident rate and total potential severity rate.’”  See our April 7, 2011 post for the original citation in Transocean's annual report and further discussion.

^[8] “The reward and recognition system is perceived to be heavily weighted toward production over safety”.  The reward system was revised "to ensure consistent health of NSC”.  See our July 29, 2010 post, NRC Decision on FPL (Part 2).