
Friday, January 6, 2017

Reflections on Nuclear Safety Culture for the New Year

The start of a new year is an opportunity to take stock of the current situation in the U.S. nuclear industry and reiterate what we believe with respect to nuclear safety culture (NSC).

For us, the big news at the end of 2016 was Entergy’s announcement that Palisades will be shutting down on Oct. 1, 2018.*  Palisades has been our poster child for a couple of things: (1) Entergy’s unwillingness or inability to keep its nose clean on NSC issues and (2) the NRC’s inscrutable decision making on when the plant’s NSC was either unsatisfactory or apparently “good enough.”

We will have to find someone else to pick on but don’t worry, there’s always some new issue popping up in NSC space.  Perhaps we will go to France and focus on the current AREVA and Électricité de France imbroglio which was cogently summarized in a Power magazine editorial: “At the heart of France’s nuclear crisis are two problems.  One concerns the carbon content of critical steel parts . . . manufactured or supplied by AREVA . . . The second problem concerns forged, falsified, or incomplete quality control reports about the critical components themselves.”**  Anytime the adjectives “forged” or “falsified” appear alongside nuclear records, the NSC police will soon be on the scene.  

Why do NSC issues keep arising in the nuclear industry?  If NSC is so important, why do organizations still fail to fix known problems or create new problems for themselves?  One possible answer is that such issues are the occasional result of the natural functioning of a low-tolerance, complex socio-technical system.  In other words, performance may drift out of bounds in the normal course of events.  We may not be able to predict where such issues will arise (although the missed warning signals will be obvious in retrospect) but we cannot reasonably expect they can be permanently eliminated from the system.  In this view, an NSC can be acceptably strong but not 100% effective.

If they are intellectually honest, this is the implicit mental model that most NSC practitioners and “experts” utilize even though they continue to espouse the dogma that more engineering, management, leadership, oversight, training and sanctions can and will create an actual NSC that matches some ideal NSC.  But we’ve known for years what an ideal NSC should look like, i.e., its attributes, and how responsibilities for creating and maintaining such a culture should be spread across a nuclear organization.***  And we’re still playing Whac-A-Mole.

At Safetymatters, we have promoted a systems view of NSC, a view that we believe provides a more nuanced and realistic view of how NSC actually works.  Where does NSC live in our nuclear socio-technical system?  Well, it doesn’t “live” anywhere.  NSC is, to some degree, an emergent property of the system, i.e., it is visible because of the ongoing functioning of other system components.  But that does not mean that NSC is only an effect or consequence.  NSC is both a consequence and a cause of system behavior.  NSC is a cause through the way it affects the processes that create hard artifacts, such as management decisions or the corrective action program (CAP), softer artifacts like the leadership exhibited throughout an organization, and squishy organizational attributes like the quality of hierarchical and interpersonal trust that permeates the organization like an ether or miasma. 

Interrelationships and feedback loops tie NSC to other organizational variables.  For example, if an organization fixes its problems, its NSC will appear stronger and the perception of a strong NSC will influence other organizational dynamics.  This particular feedback loop is generally reinforcing but it’s not some superpower, as can be seen in a couple of problems nuclear organizations may face: 

Why is a CAP ineffective?  The NSC establishes the boundaries between the desirable, acceptable, tolerable and unacceptable in terms of problem recognition, analysis and resolution.  But the strongest SC cannot compensate for inadequate resources from a plant owner, a systemic bias in favor of continued production****, a myopic focus on programmatic aspects (following the rules instead of searching for a true answer) or incompetence in plant staff. 

Why are plant records falsified?  An organization’s party line usually pledges that the staff will always be truthful with customers, regulators and each other.  The local culture, including its NSC, should reinforce that view.  But fear is always trying to slip in through the cracks—fear of angering the boss, fear of missing performance targets, fear of appearing weak or incompetent, or fear of endangering a plant’s future in an environment that includes the plant’s perceived enemies.  Fear can overcome even a strong NSC.

Our Perspective

NSC is real and complicated but it is not mysterious.  Most importantly, NSC is not some red herring that keeps us from seeing the true causes of underlying organizational performance problems.  Safetymatters will continue to offer you the information and insights you need to be more successful in your efforts to understand NSC and use it as a force for better performance in your organization.

Your organization will not increase its performance in the safety dimension if it continues to apply and reprocess the same thinking that the nuclear industry has been promoting for years.  NSC is not something that can be directly managed or even influenced independent of other organizational variables.  “Leadership” alone will not fix your organization’s problems.  You may protect your career by parroting the industry’s adages but you will not move the ball down the field without exercising some critical and independent thought.

We wish you a safe and prosperous 2017.


*  “Palisades Power Purchase Agreement to End Early,” Entergy press release (Dec. 8, 2016).

**  L. Buchsbaum, “France’s Nuclear Storm: Many Power Plants Down Due to Quality Concerns,” Power (Dec. 1, 2016).  Retrieved Jan. 4, 2017.

***  For example, take a look back at INSAG-4 and NUREG-1756 (which we reviewed on May 26, 2015).

****  We can call that the Nuclear Production Culture (NPC).

Monday, December 12, 2016

Canadian Draft Regulation on Nuclear Safety Culture

The Canadian Nuclear Safety Commission (CNSC) has published a draft regulatory document REGDOC-2.1.2, “Safety Culture” for comment.*  The REGDOC will be a requirement for nuclear power plants and provide guidance for other nuclear entities and activities.

The REGDOC establishes “requirements and guidance for fostering and assessing safety culture.” (p. 1)  The CNSC’s purpose is to promote a healthy safety culture (SC) which they say “is a key factor in reducing the likelihood of safety-related events and mitigating their potential impact, and in continually improving safety performance.” (ibid.)

Section 2 specifies five characteristics of a healthy SC: Safety is a clearly recognized value, accountability for safety is clear, a learning organization is built around safety, safety is integrated into all activities in the organization, and a safety leadership process exists in the organization.  For each characteristic, the document lists observable indicators. 

Sections 3 and 4 describe how licensees should perform SC assessments.  Specifically, assessments should be empirical, valid, practical and functional.  Each of these three characteristics is fleshed out with relevant criteria.  The document goes on to discuss the mechanics of performing assessments: developing a communications strategy, defining the assessment framework, selecting team members, planning and conducting assessments, developing findings and recommendations, writing reports, etc.

Our Perspective

The REGDOC is clear and relatively brief.  None of the content is controversial or even new; the document is based on multiple International Atomic Energy Agency (IAEA) publications.  (14 of 15 references in the document are from IAEA.  The “Additional Information” page includes items from INPO, NEI and WANO.)

Here’s how the REGDOC addresses SC topics that are important to us:

Decision making - Satisfactory

The introduction to the SC characteristics says “The highest level of governing documentation should make safety the utmost priority – overriding the demands of production and project schedules . . .” (p. 4)  The specific SC indicators include “Timely decisions are made that reflect the value and relative priority placed on safety.” (ibid.)  “Workers are involved in risk assessment and decision-making processes.” (p. 5)  “A proactive and long-term approach to safety is demonstrated in decision making.” (p. 6)  We would have liked a more explicit treatment of safety-production-cost goal conflict but what the CNSC has included is OK.

Taking a systems view of SC - Unacceptable

This topic is only mentioned in a table of SC maturity model indicators that is in an appendix to the REGDOC.  The links between SC and other important organizational attributes must be inferred from the observable indicators.  There is no discussion of the interrelationship between SC and other important organizational attributes, e.g., the safety conscious work environment, management’s commitment to safety, or workers’ trust in management to do the right thing.

Rewards and compensation - Unacceptable 


The discussion is limited to workers.  What about senior management compensation and incentives?  How much are senior managers paid, if anything, for establishing and maintaining a healthy SC?

The discussion on performing assessments refers several times to a SC maturity model that is appended to the REGDOC.  The model has three stages of organizational maturity—requirement driven, goal driven and continually improving, along with specific observable behaviors associated with each stage.  The model can be used to “describe and interpret the organization’s safety culture, . . .” (p. 10)  Nowhere does the REGDOC explicitly state that stage 3 (a continually improving organization) is the desired configuration.  This is a glaring omission in the REGDOC.

Bottom line: If you keep up with IAEA’s SC-related publications, you don’t need to look at this draft REGDOC which adds zero value to our appreciation or understanding of SC.


*  Canadian Nuclear Safety Commission, draft regulatory document REGDOC-2.1.2, “Safety Culture” (Sept. 2016).  The CNSC is accepting public comments on the document until Jan. 31, 2017.

Thursday, March 17, 2016

IAEA Nuclear Safety Culture Conference

The International Atomic Energy Agency (IAEA) recently sponsored a week-long conference* to celebrate 30 years of interest and work in safety culture (SC).  By our reckoning, there were about 75 individual presentations in plenary sessions and smaller groups; dialog sessions with presenters and subject matter experts; speeches and panels; and over 30 posters.  It must have been quite a circus.

We cannot justly summarize the entire conference in this space but we can highlight material related to SC factors we’ve emphasized or people we’ve discussed on Safetymatters, or interesting items that merit your consideration.

Topics We Care About

A Systems Viewpoint

Given that the IAEA has promoted a systemic approach to safety and it was a major conference topic, it’s no surprise that many participants addressed it.  But we were still pleased to see over 30 presentations, posters and dialogues that included mention of systems, system dynamics, and systemic and/or holistic viewpoints or analyses.  Specific topics covered a broad range including complexity, coupling, Fukushima, the Interaction between Human, Technical and Organizational Factors (HTOF), error/incident analysis, regulator-licensee relationships, SC assessment, situational adaptability and system dynamics.

Role of Leadership

Leadership and Management for Safety was another major conference topic.  Leadership in a substantive context was mentioned in about 20 presentations and posters, usually as one of multiple success factors in creating and maintaining a strong SC.  Topics included leader/leadership commitment, skills, specific competences, attributes, obligations and responsibilities; leadership’s general importance, relationship to performance and role in accidents; and the importance of leadership in nuclear regulatory agencies. 

Decision Making

This was mentioned about 10 times, with multiple discussions of decisions made during the early stages of the Fukushima disaster.  Other presenters described how specific techniques, such as Probabilistic Risk Assessment and Human Reliability Analysis, or general approaches, such as risk control and risk informed, can contribute to decision making, which was seen as an important component of SC.

Compensation and Rewards

We’ve always been clear: If SC and safety performance are important then people from top executives to individual workers should be rewarded (by which we mean paid money) for doing it well.  But, as usual, there was zero mention of compensation in the conference materials.  Rewards were mentioned a few times, mostly by regulators, but with no hint they were referring to monetary rewards.  Overall, a continuing disappointment.   

Participants Who Have Been Featured in Safetymatters

Over the years we have presented the work of many conference participants to Safetymatters readers.  Following are some familiar names that caught our eye.  Page numbers refer to the conference “Programme and Abstracts” document.
 
We have to begin with Edgar Schein, the architect of the cultural construct used by almost everyone in the SC space.  His discussion paper (p. 47) argued that the SC components in a nuclear plant depend on whether the executives actually create the climate of trust and openness that the other attributes hinge on.  We’ve referred to Schein so often he has his own label on Safetymatters.

Mats Alvesson’s presentation (p. 46) discussed “hyper culture,” the vague and idealistic terms executives often promote that look good in policy documents but seldom work well in practice.  This presentation is consistent with his article on Functional Stupidity which we reviewed on Feb. 23, 2016.

Sonja Haber’s paper (p. 55) outlined a road map for the nuclear community to move forward in the way it thinks about SC.  Dr. Haber has conducted many SC assessments for the Department of Energy that we have reviewed on Safetymatters. 

Ken Koves of INPO led or participated in three dialogue sessions.  He was a principal researcher in a project that correlated SC survey data with safety performance measures which we reviewed on Oct. 22, 2010 and Oct. 5, 2014.

Najmedin Meshkati discussed (p. 60) how organizations react when their control systems start to run behind environmental demands using Fukushima as an illustrative case.  His presentation draws on an article he coauthored comparing the cultures at TEPCO’s Fukushima Daiichi plant and Tohoku Electric’s Onagawa plant which we reviewed on Mar. 19, 2014.

Jean-Marie Rousseau co-authored a paper (p. 139) on the transfer of lessons learned from accidents in one industry to another industry.  We reviewed his paper on the effects of competitive pressures on nuclear safety management issues on May 8, 2013.

Carlo Rusconi discussed (p. 167) how the over-specialization of knowledge required by decision makers can result in pools of knowledge rather than a stream accessible to all members of an organization.  A systemic approach to training can address this issue.  We reviewed Rusconi’s earlier papers on training on June 26, 2013 and Jan. 9, 2014.

Richard Taylor’s presentation (p. 68) covered major event precursors and organizations’ failure to learn from previous events.  We reviewed his keynote address at a previous IAEA conference where he discussed using system dynamics to model organizational archetypes on July 31, 2012.

Madalina Tronea talked about (p. 114) the active oversight of nuclear plant SC by the National Commission for Nuclear Activities Control (CNCAN), the Romanian regulatory authority.  CNCAN has developed its own model of organizational culture and uses multiple methods to collect information for SC assessment.  We reviewed her initial evaluation guidelines on Mar. 23, 2012.

Our Perspective

Many of the presentations were program descriptions or status reports related to the presenter’s employer, usually a utility or regulatory agency.  Fukushima was analyzed or mentioned in 40 different papers or posters.  Overall, there were relatively few efforts to promote new ideas, insights or information.  Having said that, following are some materials you should consider reviewing.

From the conference participants mentioned above, Haber’s abstract (p. 55) and Rusconi’s abstract (p. 167) are worth reading.  Taylor’s abstract (p. 68) and slides are also worth reviewing.  He advocates using system dynamics to analyze complicated issues like the effectiveness of organizational learning and how events can percolate through a supply chain.

Benoît Bernard described the Belgian regulator’s five years of experience assessing nuclear plant SC.  Note that lessons learned are described in his abstract (p. 113) but are somewhat buried in his presentation slides.

If you’re interested in a systems view of SC, check out Francisco de Lemos’ presentation (p. 63) which gives a concise depiction of a complex system plus a Systems Theoretic Accident Models and Processes (STAMP) analysis.  His paper is based on Nancy Leveson’s work which we reviewed on Nov. 11, 2013.

Diana Engström argued that nuclear personnel can put more faith in reported numbers than justified by the underlying information, e.g., CAP trending data, and thus actually add risk to the overall system.  We’d call this practice an example of functional stupidity although she doesn’t use that term in her provocative paper.  Both her abstract (p. 126) and slides are worth reviewing.

Jean Paries gave a talk on the need for resilience in the management of nuclear operations.  The abstract (p. 228) is clear and concise; there is additional information in his slides but they are a bit messy.

And that’s it for this installment.  Be safe.  Please don’t drink and text.



*  International Atomic Energy Agency, International Conference on Human and Organizational Aspects of Assuring Nuclear Safety: Exploring 30 years of Safety Culture (Feb. 22–26, 2016).  This page shows the published conference materials.  Thanks to Madalina Tronea for publicizing them.  Dr. Tronea is the founder/moderator of the LinkedIn Nuclear Safety Culture discussion group. 

Wednesday, February 10, 2016

NEA’s Safety Culture Guidance for Nuclear Regulators

A recent Nuclear Energy Agency (NEA) publication* describes desirable safety culture (SC) characteristics for a nuclear regulator.  Its purpose is to provide a benchmark for both established and nascent regulatory bodies.

The document’s goal is to describe a “healthy” SC.  It starts with the SC definition in INSAG-4** then posits five principles for an effective nuclear regulator: Safety leadership is demonstrated at all levels; regulatory staff set the standard for safety; and the regulatory body facilitates co-operation and open communication, implements a holistic approach to safety, and encourages continuous improvement, learning and self-assessment.

The principle that caught our attention is the holistic (or systemic) approach to safety.  This approach is discussed multiple times in the document.  In the Introduction, the authors say the regulator “should actively scrutinise how its own safety culture impacts the licensees’ safety culture.  It should also reflect on its role within the wider system and on how its own culture is the result of its interactions with the licensees and all other stakeholders.” (p. 12)

A subsequent chapter contains a more expansive discussion of each principle and identifies relevant attributes.  The following excerpts illustrate the value of a holistic approach.  “A healthy safety culture is dependent on the regulatory body using a robust, holistic, multi-disciplinary approach to safety.  Regulators oversee and regulate complex socio-technical systems that, together with the regulatory body itself, form part of a larger system made up of many stakeholders, with competing as well as common interests.  All the participants in this system influence and react to each other, and there is a need for awareness and understanding of this mutual influence.” (p. 19)

“[T]he larger socio-technical system [is] influenced by technical, human and organisational, environmental, economic, political and societal factors [including national culture].  Regulators should strive to do more than simply establish standards; they should consider the performance of the entire system that ensures safety.” (p. 20)

And “Safety issues are complex and involve a number of inter-related factors, activities and groups, whose importance and effect on each other and on safety might not be immediately recognisable.” (ibid.)

The Conclusions include the following: “Regulatory decisions need to consider the performance and response of the entire system delivering safety, how the different parts of the system are coupled and the direction the system is taking.” (p. 28)

Our Perspective

Much of the material in this publication will be familiar to Safetymatters readers*** but the discussion of a holistic approach to regulation is more extensive than we’ve seen elsewhere.  For that reason alone, we think this document is worth your quick review.  We have been promoting a systems view of the nuclear industry, from individual power plants to the overall socio-technical-legal-political construct, for years.

The committee that developed the guidance consisted of almost thirty members from over a dozen countries, the International Atomic Energy Agency and NEA itself.  It’s interesting that China was not represented on the committee although it has the world's largest nuclear power plant construction program**** and, one would hope, substantial interest in effective safety regulation and safety culture.  (Ooops!  China is not a member of the NEA.  Does that say something about China's perception of the NEA's value proposition?)


*  Nuclear Energy Agency, “The Safety Culture of an Effective Nuclear Regulatory Body” (2016).  Thanks to Madalina Tronea for publicizing this document.  Dr. Tronea is the founder/moderator of the LinkedIn Nuclear Safety Culture discussion group.  The NEA is an arm of the Organisation for Economic Co-operation and Development (OECD).

**  International Nuclear Safety Advisory Group, “Safety Culture,” Safety Series No. 75-INSAG-4, (Vienna: IAEA, 1991), p. 4.

***  For example, the list of challenges a regulator faces includes the usual suspects: maintain the focus on safety, avoid complacency, resist external pressures, avoid regulatory capture and maintain technical competence. (pp. 23-25)

****  “China has world's largest nuclear power capacity under construction,” China Daily (Dec. 30, 2015).

Tuesday, November 17, 2015

Foolproof by Greg Ip: Insights for the Nuclear Industry

This book* is primarily about systemic lessons learned from the 2008 U.S. financial crisis and, to a lesser extent, various European euro crises. Some of the author’s observations also apply to the nuclear industry.

Ip’s overarching thesis is that steps intended to protect a system, e.g., a national or global financial system, may over time lead to over-confidence, increased risk-taking and eventual instability.  Stability breeds complacency.**  As we know, a well-functioning system creates a series of successful outcomes, a line of dynamic non-events.  But that dynamic includes gradual changes to the system, e.g., innovation or adaptation to the environment, that may increase systemic risk and result in a new crisis or unintended consequences.

He sees examples that evidence his thesis in other fields.  For automobiles, the implementation of anti-lock braking systems leads some operators to drive more recklessly.  In football, better helmets mean increased use of the head as a weapon and more concussions and spinal injuries.  For forest fires, a century of fire suppression has led to massive fuel build-ups and more people moving into forested areas.  For flood control, building more and higher levees has led to increased economic development in historically flood-prone areas.  As a result, both fires and floods can have huge financial losses when they eventually occur.  In all cases, well-intentioned system “improvements” lead to increased confidence (aka loss of fear) and risk-taking, both obvious and implicit.  In short, “If the surroundings seem safer, the systems tolerate more risk.” (p. 18)

Ip uses the nuclear industry to illustrate how society can create larger issues elsewhere in a system when it effects local responses to a perceived problem.  Closing down nuclear plants after an accident (e.g., Fukushima) or because of green politics does not remove the demand for electric energy.  To the extent the demand shortfall is made up with hydrocarbons, additional people will suffer from doing the mining, drilling, processing, etc. and the climate will be made worse.

He cites the aviation industry as an example of a system where near-misses are documented and widely shared in an effort to improve overall system safety.  He notes that the few fatal accidents that occur in commercial aviation serve both as lessons learned and keep those responsible for operating the system (pilots and controllers) on their toes.

He also makes an observation about aviation that could be applied to the nuclear industry: “It is almost impossible to improve a system that never has an accident. . . . regulators are unlikely to know whether anything they propose now will have provable benefits; it also means that accidents will increasingly be of the truly mysterious, unimaginable variety . . .” (p. 252)

Speaking of finance, Ip says “A huge part of what the financial system does is try to create the fact—and at times the illusion—of safety.  Usually, it succeeds; . . . On those rare occasions when it fails, the result is panic.” (p. 86)  Could this description also apply to the nuclear industry? 

Our Perspective

Ip’s search for systemic, dynamic factors to explain the financial crisis echoes the type of analysis we’ve been promoting for years.  Like us, he recognizes that people hold different world views of the same system.  Ip contrasts the engineers and the ecologists:  “Engineers satisfy our desire for control, . . . civilization’s needs to act, to do something, . . .” (p. 278)  Ecologists believe “it’s the nature of risk to find the vulnerabilities we missed, to hit when least expected, to exploit the very trust in safety we so assiduously cultivate with all our protection . . .” (p. 279)

Ip’s treatment of the nuclear industry, while positive, is incomplete and somewhat simplistic.  It’s really just an example, not an industry analysis.  His argument that shutting down nuclear plants exacerbates climate harm could have come from the NEI playbook.  He ignores the impact of renewables, efficiency and conservation.

He doesn’t discuss the nuclear industry’s penchant for secrecy, but we have and believe it feeds the public’s uncertainty about the industry's safety.  As Ip notes, “People who crave certainty cannot tolerate even a slight increase in uncertainty, and so they flee not just the bad banks, the bad paper, and the bad country, but everything that resembles them, . . .” (p. 261)  If a system that is assumed [or promoted] to be safe has a crisis, even a local one, the result is often panic. (p. 62)

He mentions high reliability organizations (HROs) focusing on their avoiding catastrophe and “being a little bit scared all of the time.” (p. 242)  He does not mention that some of the same systemic factors of the financial system are at work in the world of HROs, including exposure to the corrosive effects of complacency and system drift. (p. 242)

Bottom line: Read Foolproof if you have an interest in an intelligible assessment of the financial crisis.  And remember: “Fear serves a purpose: it keeps us out of trouble.” (p. 19)  “. . . but it can keep us from taking risks that could make us better off.” (p. 159)


*  G. Ip, Foolproof (New York: Little, Brown, 2015).  Ip is a finance and economics journalist, currently with the Wall Street Journal and previously with The Economist.

**  He quotes a great quip from Larry Summers: “Complacency is a self-denying prophecy.”  Ip adds, “If everyone worried about complacency, no one would succumb to it.” (p. 263)

Monday, October 13, 2014

Systems Thinking in Air Traffic Management


A recent white paper* presents ten principles to consider when thinking about a complex socio-technical system, specifically European Air Traffic Management (ATM).  We review the principles below, highlighting aspects that might provide some insights for nuclear power plant operations and safety culture (SC).

Before we start, we should note that ATM is truly a complex** system.  Decisions involving safety and efficiency occur on a continuous basis.  There is always some difference between work-as-imagined and work-as-done.

In contrast, we have argued that a nuclear plant is a complicated system but it has some elements of complexity.  To the extent complexity exists, treating nuclear like a complicated machine via “analysing components using reductionist methods; identifying ‘root causes’ of problems or events; thinking in a linear and short-term way; . . . [or] making changes at the component level” is inadequate. (p. 5)  In other words, systemic factors may contribute to observed performance variability and frustrate efforts to achieve the goal in nuclear of eliminating all differences between work-as-planned and work-as-done.

Principles 1-3 relate to the view of people within systems – our view from the outside and their view from the inside.

1. Field Expert Involvement
“To understand work-as-done and improve how things really work, involve those who do the work.” (p. 8)
2. Local Rationality
“People do things that make sense to them given their goals, understanding of the situation and focus of attention at that time.” (p. 10)
3. Just Culture
“Adopt a mindset of openness, trust and fairness. Understand actions in context, and adopt systems language that is non-judgmental and non-blaming.” (p. 12)

Nuclear is pretty good at getting line personnel involved.  Adages such as “Operations owns the plant” are useful to the extent they are true.  Cross-functional teams can include operators or maintenance personnel.  An effective CAP that allows workers to identify and report problems with equipment, procedures, etc. is good; an evaluation and resolution process that involves members from the same class of workers is even better.  Having someone involved in an incident or near-miss go around to the tailgates and classes to share the lessons learned can be convincing.

But when something unexpected or bad happens, nuclear tends to spend too much time looking for the malfunctioning component (usually human).   “The assumption is that if the person would try harder, pay closer attention, do exactly what was prescribed, then things would go well. . . . [But a] focus on components becomes less effective with increasing system complexity and interactivity.” (p. 4)  An outside-in approach ignores the context in which the human performed, the information and time available, the competition for focus of attention, the physical conditions of the work, fatigue, etc.  Instead of insight into system nuances, the result is often limited to more training, supervision or discipline.

The notion of a “just culture” comes from James Reason.  It’s a culture where employees are not punished for their actions, omissions or decisions that are commensurate with their experience and training, but where gross negligence, willful violations and destructive acts are not tolerated.

Principles 4 and 5 relate to the system conditions and context that affect work.

4. Demand and Pressure
“Demands and pressures relating to efficiency and capacity have a fundamental effect on performance.” (p. 14)
5. Resources & Constraints
“Success depends on adequate resources and appropriate constraints.” (p. 16)

Fluctuating demand creates far more varied and unpredictable problems for ATM than it does in nuclear.  However, in nuclear the potential for goal conflicts between production, cost and safety is always present.  The problem arises from acting as if these conflicts don’t exist.

ATM has to “cope with variable demand and variable resources,” a situation that is also different from nuclear with its base load plants and established resource budgets.  The authors opine that for ATM, “a rigid regulatory environment destroys the capacity to adapt constantly to the environment.” (p. 2)  Most of us think of nuclear as quite constrained by procedures, rules, policies, regulations, etc., but an important lesson from Fukushima was that under unforeseen conditions, the organization must be able to adapt according to local, knowledge-based decisions.  Even the NRC recognizes that “flexibility may be necessary when responding to off-normal conditions.”***

Principles 6 through 10 concern the nature of system behavior, with 9 and 10 more concerned with system outcomes.  These do not have specific implications for SC other than keeping an open mind and being alert to systemic issues, e.g., complacency, drift or emergent behavior.

6. Interactions and Flows
“Understand system performance in the context of the flows of activities and functions, as well as the interactions that comprise these flows.” (p. 18)
7. Trade-Offs
“People have to apply trade-offs in order to resolve goal conflicts and to cope with the complexity of the system and the uncertainty of the environment.” (p. 20)
8. Performance variability
“Understand the variability of system conditions and behaviour.  Identify wanted and unwanted variability in light of the system’s need and tolerance for variability.” (p. 22)
9. Emergence
“System behaviour in complex systems is often emergent; it cannot be reduced to the behaviour of components and is often not as expected.” (p. 24)
10. Equivalence
“Success and failure come from the same source – ordinary work.” (p. 26)

Work flow certainly varies in ATM but is relatively well-understood in nuclear.  There’s really not much more to say on that topic.

Trade-offs occur in decision making in any context where more than one goal exists.  One useful mental model for conceptualizing trade-offs is Hollnagel’s efficiency-thoroughness construct, basically doing things quickly (to meet the production and cost goals) vs. doing things well (to meet the quality and possibly safety goals).  We reviewed his work on Jan. 3, 2013.

Performance variability occurs in all systems, including nuclear, but the outcomes are usually successful because a system has a certain range of tolerance and a certain capacity for resilience.  Performance drift happens slowly, and can be difficult to identify from the inside.  Dekker’s work speaks to this and we reviewed it on Dec. 5, 2012.

Nuclear is not fully complex but surprises do happen, some of them not caused by component failure.  Emergence (problems that arise from new or unforeseen system interactions) is more likely to occur following the implementation of new technical systems.  We discussed this possibility in a July 6, 2013 post on a book by Woods, Dekker et al.

Equivalence means that work that results in both good and bad outcomes starts out the same way, with people (saboteurs excepted) trying to be successful.  When bad things happen, we should cast a wide net in looking for different factors, including systemic ones, that aligned (like Swiss cheese slices) in the subject case.

The white paper also includes several real and hypothetical case studies illustrating the application of the principles to understanding safety performance challenges.

Our Perspective 

The authors draw on a familiar cast of characters, including Dekker, Hollnagel, Leveson and Reason.  We have posted about all these folks; just click on their label in the right-hand column.

The principles are intended to help us form a more insightful mental model of a system under consideration, one that includes non-linear cause and effect relationships, and the possibility of emergent behavior.  The white paper is not a “must read” but may stimulate useful thinking about the nature of the nuclear operating organization.


*  European Organisation for the Safety of Air Navigation (EUROCONTROL), “Systems Thinking for Safety: Ten Principles” (Aug. 2014).  Thanks to Bill Mullins for bringing this white paper to our attention.

**  “[C]omplex systems involve large numbers of interacting elements and are typically highly dynamic and constantly changing with changes in conditions. Their cause-effect relations are non-linear; small changes can produce disproportionately large effects. Effects usually have multiple causes, though causes may not be traceable and are socially constructed.” (pp. 4-5)

Also see our Oct. 14, 2013 discussion of the California Independent System Operator for another example of a complex system.

***  “Work Processes,” NRC Safety Culture Trait Talk, no. 2 (July 2014), p. 1.  ADAMS ML14203A391.  Retrieved Oct. 8, 2014.

Thursday, August 7, 2014

1995 ANS Safety Culture Conference: A Portal to the Past

In April 1995 the American Nuclear Society (ANS) sponsored a nuclear safety culture (SC) conference in Vienna.  This was a large undertaking, with over 80 presentations; the proceedings are almost 900 pages in length.*  Presenters included industry participants, regulators, academics and consultants.  1995 was early in the post-Soviet era and the new openness (and concerns about Soviet reactors) led to a large number of presenters from Russia, Ukraine and Eastern Europe.  This post presents some conference highlights on topics we emphasize on Safetymatters.

Decision Making

For us, decision making should be systemic, i.e., consider all relevant inputs and the myriad ways a decision can affect consequences.  The same rigor should be applied to all kinds of decisions—finance, design, operations, resource allocation, personnel, etc.  Safety should always have the highest priority and decisions should accord safety its appropriate consideration.  Some presenters echoed this view.

“Safety was (and still is) seen as being vital to the success of the industry and hence the analysis and assessment of safety became an integral part of management decision making” (p. 41); “. . . in daily practice: overriding priority to safety is the principle, to be taken into account before making any decision” (p. 66); and “The complexity of operations implies a systemic decision process.” (p. 227)

The relationship between leadership and decisions was mentioned.  “The line management are a very important area, as they must . . . realise how their own actions and decisions affect Safety Culture.  The wrong actions, or perceived messages could undermine the work of the team leaders” (p. 186); “. . . statements alone do not constitute support; in the intermediate and long-term, true support is demonstrated by behavior and decision and not by what is said.” (p. 732)

Risk was recognized as a factor in decision making.  “Risk culture yields insights that permit balanced safety vs. cost decisions to be made” (p. 325); “Rational decision making is based on facts, experience, cognitive (mental) models and expected outcomes giving due consideration to uncertainties in the foregoing and the generally probabilistic nature of technical and human matters.  Conservative decision making is rational decision making that is risk-averse.  A conservative decision is weighted in favor of risk control at the expense of cost.” (p. 435)

In sum, nuclear thought leaders knew what good decision making should look like—but we still see cases that do not live up to that standard.

Rewards

Rewards or compensation were mentioned by people from nuclear operating organizations.  Incentive-based compensation was included as a key aspect of the TEPCO management approach (p. 551) and a nuclear lab manager recommended using monetary compensation to encourage cooperation between organizational departments. (p. 643)  A presenter from a power plant said “A recognition scheme is in place . . . to recognise and reward individuals and teams for their contribution towards quality improvement and nuclear safety enhancement.” (p. 805)

Rewards were also mentioned by several presenters who did not come from power plants.  For example, the reward system should stress safety (p. 322); rewards should be given for exhibiting a “caring attitude” about SC (p. 348) and to people who call attention to safety problems. (p. 527)  On the flip side, a regulator complained about plants that rewarded behavior that might cause safety to erode. (pp. 651, 656) 

Even in 1995 the presentations could have been stronger since INSAG-4** is so clear on the topic: “Importantly, at operating plants, systems of reward do not encourage high plant output levels if this prejudices safety.  Incentives are therefore not based on production levels alone but are also related to safety performance.” (INSAG-4, p. 11)  Today, our own research has shown that nuclear executives’ compensation often favors production.   

Systems Approach

We have always favored nuclear organizational mental models that consider feedback loops, time delays, adaptation, evolution and learning—a systems approach.  Presenters’ references to a system include “commercial, public, and military operators of complex high reliability socio-technical systems” (p. 260); “. . . assess the organisational, managerial and socio-technical influences on the Safety Culture of socio-technical systems such as nuclear power plants” (p. 308); “Within the complex system such as . . . [a] nuclear power plant there is a vast number of opportunities for failures to stay hidden in the system” (p. 541); and “It is proposed that the plant should be viewed as an integrated sociotechnical system . . .” (p. 541)

There are three system-related presentations that we suggest you read in their entirety; they have too many good points to summarize here.  One is by Electricité de France (EdF) personnel (pp. 193-201), another by Constance Perin (pp. 330-336) and a third by John Carroll (pp. 338-345). 

Here’s a sample, from Perin: “Through self-analysis, nuclear organizations can understand how they currently respond socially, culturally, and technically to such system characteristics of complexity, density, obscured signals, and delayed feedback in order to assure their capacities for anticipating, preventing, and recovering from threats to safety.” (p. 330)  It could have been written yesterday.

The Role of the Regulator

By 1995 INSAG-4 had been published and generally accepted by the nuclear community but countries were still trying to define the appropriate role for the regulator; the topic merited a half-dozen presentations.  Key points included the regulator (1) requiring that an effective SC be established, (2) establishing safety as a top-level goal and (3) performing some assessment of a licensee’s safety management system (either directly or as part of ordinary inspection duties).  There was some uncertainty about how to proceed with compliance focus vs. qualitative assessment.

Today, at least two European countries are looking at detailed SC assessment, in effect, regulating SC.  In the U.S., the NRC issued a SC policy statement and performs back-door, de facto SC regulation through the “bring me another rock” approach.

So conditions have changed in regulatory space, arguably for the better when the regulator limits its focus to truly safety-significant activities.

Our Perspective

In 1995, some (but not all) people held what we’d call a contemporary view of SC.  For example, “Safety culture constitutes a state of mind with regard to safety: the value we attribute to it, the priority we give it, the interest we show in it.  This state of mind determines attitudes and behavior.” (p. 495)

But some things have changed.  For example, several presentations mentioned SC surveys—their design, administration, analysis and implications.  We now (correctly) understand that SC surveys are a snapshot of safety climate and only one input into a competent SC assessment.

And some things did not turn out well.  For example, a TEPCO presentation said “the decision making process is governed by the philosophy of valuing harmony highly so that a conclusion preferred by all the members is chosen as far as possible when there are divided opinions.” (p. 583)  Apparently harmony was so valued that no one complained that Fukushima site protection was clearly inadequate and essential emergency equipment was exposed to grave hazards. 


*  A. Carnino and G. Weimann, ed., “Proceedings of the International Topical Meeting on Safety Culture in Nuclear Installations,” April 24-28, 1995 (Vienna: ANS Austria Local Section, 1995).  Thanks to Bill Mullins for unearthing this document.

**  International Nuclear Safety Advisory Group, “Safety Culture,” Safety Series No. 75-INSAG-4, (Vienna: IAEA, 1991). INSAG-4 included a definition of SC, a description of SC components, and illustrative evidence that the components exist in a specific organization.

Thursday, May 29, 2014

A Systems View of Two Industries: Nuclear and Air Transport

We have long promoted a systems view of nuclear facilities and the overall industry.  One consequence of that view is an openness to possible systemic problems as the root causes of incidents in addition to searching for malfunctioning components, both physical and human.

One system where we see this openness is the air transport industry—the air carriers and the Federal Aviation Administration (FAA).  The FAA has two programs for self-reporting of incidents and problems: the Voluntary Disclosure Reporting Program (VDRP) and the Aviation Safety Action Program (ASAP).  These programs are discussed in a recent report* by the FAA’s Office of Inspector General (OIG) and are at least superficially similar to the NRC’s Licensee Event Reporting and Employee Concerns Program.

What’s interesting is that VDRP is receptive to the reporting of both individual and systemic issues.  The OIG report says the difference between individual and systemic is “important because if the issue is systemic, the carrier will have to develop a detailed fix to address the system as a whole—whereas if the issue is more isolated or individual, the fix will be focused more at the employee level, such as providing counseling or training.” (p. 7)  In addition, it appears both FAA programs  are imbued with the concept of a “just culture,” another topic we have posted about on several occasions and which is often associated with a systems view.  A just culture is one where people are encouraged to provide essential safety-related information, the blame game is aggressively avoided, and a clear line exists between acceptable and unacceptable behavior.

Now the implementation of the FAA programs is far from perfect.  As the OIG points out, the FAA doesn't ensure root causes are identified or corrective actions are sufficient and long-lived, and safety data is not analyzed to identify trends that represent risks.  Systemic issues may not always be reported by the carriers or recognized by the FAA.  But overall, there appears to be an effort at open, comprehensive communication between the regulator and the regulated.

So why does the FAA encourage a just culture while the nuclear industry seems fixated on a culture of blame?  One factor might be the NRC’s focus on hardware-centric performance measures.  If these are improving over time, one might infer that any incidents are more likely caused by non-hardware, i.e., humans. 

But perhaps we can gain greater insight into why one industry is more accepting of systemic issues by looking at system-level factors, specifically the operational (or actual) coupling among industry participants versus their coupling as perceived by external observers.**

As a practical matter, the nuclear industry is loosely coupled, i.e., each plant operates more or less independently of the others (even though plants with a common owner are subject to the same policies as other members of the fleet).  There is seldom any direct competition between plants.  However, the industry is viewed by many external observers, especially anti-nukes, as a singular whole, i.e., tightly coupled.  Insiders reinforce this view when they say things like “an accident at one plant is an accident for all.”  And, in fact, one incident (e.g., Davis-Besse) can have industry-wide implications although the physical risk may be entirely local.  In such a socio-political environment, there is implicit pressure to limit or encapsulate the causes of any incidents or irregularities to purely local sources and avoid the mention of possible systemic issues.  This leads to a search for the faulty component, the bad employee, a failure to update a specific procedure or some other local problem that can be fixed by improved leadership and oversight, clearer expectations, more attention to detail, training, etc.  The result of this approach (plus other industry-wide factors, e.g., the lack of transparency in certain oversight practices*** and the “special and unique” mantra) is basically a closed system whose client, i.e., the beneficiary of system efforts, is itself.

In contrast, the FAA’s world has two parts, the set of air carriers whose relationship with one another is loosely coupled, similar to the nuclear industry, and the air traffic control (ATC) sub-system, which is more tightly coupled because all the carriers share the same airspace and ATC.  Because of loose coupling, a systemic problem at a single carrier affects only that carrier and does not infect the rest of the industry.  What is most interesting is that a single airline accident (in the tightly coupled portion of the system) does not lead to calls to shut down the industry.  Air transport has no organized opposition to its existence.  Air travel is such an integral part of so many people’s lives that pressure exists to keep the system running even in the face of possible hazards.  As a consequence, the FAA has to occasionally reassert its interest in keeping safety risks from creeping into the system.  Overall, we can say the air transport industry is relatively open, able to admit the existence of problems, even systemic ones, without taking an inadvertent existential risk.

The foregoing is not intended to be a comprehensive comparison of the two industries.  Rather it is meant to illustrate how one can apply a simple systems concept to gain some insights into why participants in different industries behave differently.  While both the FAA and NRC are responsible for identifying systemic issues in their respective industries, it appears FAA has an easier time of it.  This is not likely to change given the top-level factors described above. 


*  FAA Office of Inspector General, “Further Actions are Needed to Improve FAA’s Oversight of the Voluntary Disclosure Reporting Program” Report No. AV-2014-036 (April 10, 2014).  Thanks to Bill Mullins for pointing out this report to us.

“VDRP provides air carriers the opportunity to voluntarily report and correct areas of non-compliance without civil penalty. The program also provides FAA important safety information that might not otherwise come to its attention.” (p. 1)  ASAP “allows individual aviation employees to disclose possible safety violations to air carriers and FAA without fear that the information will be used to take enforcement or disciplinary action against them.” (p. 2)

**  “Coupling” refers to the amount of slack, buffer or give between two items in a system.

***  For example, INPO’s board of directors is comprised of nuclear industry CEOs, INPO evaluation reports are delivered in confidence to its members and INPO has basically unfettered access to the NRC.  This is not exactly a recipe for gaining public trust.  See J.O. Ellis Jr. (INPO CEO), Testimony before the National Commission on the BP Deepwater Horizon Oil Spill and Offshore Drilling (Aug. 25, 2010).  Retrieved from NEI website May 27, 2014.