Wednesday, May 15, 2013

IAEA on Instituting Regulation of Licensee Safety Culture

The International Atomic Energy Agency (IAEA) has published a how-to report* for regulators who want to regulate their licensees' safety culture (SC).  This publication follows a series of meetings and workshops, some of which we have discussed (here and here).  The report is related to IAEA projects conducted “under the scope of the Regional Excellence Programme on Safe Nuclear Energy–Norwegian Cooperation Programme with Bulgaria and Romania. These projects have been implemented at the Bulgarian and Romanian regulatory bodies” (p. 1).

The report covers SC fundamentals, regulatory oversight features, SC assessment approaches, data collection and analysis.  We'll review the contents, highlighting IAEA's important points, then provide our perspective.

SC fundamentals

The report begins with the fundamentals of SC, starting with Schein's definition of SC and his tri-level model of artifacts, espoused values and basic assumptions.  Detail is added with a SC framework based on IAEA's five SC characteristics:

  • Safety is a clearly recognized value
  • Leadership for safety is clear
  • Accountability for safety is clear
  • Safety is integrated into all activities
  • Safety is learning driven.

The SC characteristics can be described using specific attributes.

Features of regulatory oversight of SC 


This covers what the regulator should be trying to achieve.  It's the most important part of the report so we excerpt the IAEA's words.

“The objective of the regulatory oversight of safety culture, focused on a dynamic process, is to consider and address latent conditions that could lead to potential safety performance degradation at the licensees’ nuclear installations. . . . Regulatory oversight of safety culture complements compliance-based control [which is limited to looking at artifacts] with proactive control activities. . . . ” (p. 6, emphasis added)

“[R]egulatory oversight of safety culture is based on three pillars:

Common understanding of safety culture. The nature of safety culture is distinct from, and needs to be dealt with in a different manner than a compliance-based control. . . .

Dialogue. . . . dialogue is necessary to share information, ideas and knowledge that is often qualitative. . . .

Continuousness. Safety culture improvement needs continuous engagement of the licensee. Regulatory oversight of safety culture therefore ideally relies on a process during which the regulator continuously influences the engagement of the licensee.” (p. 7)

“With regards to safety culture, the regulatory body should develop general requirements and enforce them in order to ensure the authorized parties have properly considered these requirements. On the other hand, the regulatory body should avoid prescribing detailed level requirements.” (p. 8)  The licensee always has the primary responsibility for safety.

Approaches for assessing SC

Various assessment approaches are currently being used or reviewed by regulatory bodies around the world. These approaches include: self-assessments, independent assessments, interaction with the licensee at a senior level, focused safety culture on-site reviews, oversight of management systems and integration into regulatory activities.  Most of these activities are familiar to our readers but a couple merit further definition.  The “management system” is the practices, procedures and people.**  “Integration into regulatory activities” means SC-related information is also collected during other regulatory actions, e.g., routine or special inspections.

The report includes a table (recreated below) summarizing, for each assessment approach, the accuracy of results and resources required.  Accuracy is judged as realistic, medium or limited and resource requirements as high, medium and low.  The table thus shows the relative strengths and weaknesses of each approach.





| Approaches \ Criteria | Accuracy of SC picture | Effort | Management involvement | Human and Organizational Factors & SC skills |
|---|---|---|---|---|
| Self-assessment Review | Medium | Low (depending on who initiates the self-assessment, regulator or licensee) | Low (to understand deliverables) | Medium (high experience and skills of the reviewers are assumed) |
| Independent assessment Review | Medium | Low | Low (to understand deliverables) | Medium (high experience and skills of the reviewers are assumed) |
| Interaction with the Licensee at Senior Level | Limited (however can support a shared understanding) | Medium | High | Medium |
| Focused Safety Culture On-Site Review | Realistic (gives depth in a moment of time) | High | Medium | High |
| Oversight of Management System Implementation | Medium (Reduced if only formal aspects are considered) | Low | Low | Medium |
| Integration into Regulatory Activities | Medium (when properly trended and analyzed) | Medium (after an intensive initial introduction) | Medium (with an intensive initial support) | Medium (specific training requirement and experience sharing) |




Data collection, analysis and presenting findings to the licensee

The report encourages regulators to use multiple assessment approaches and multiple data collection methods and data sources.  Data collection methods include observations; interviews; reviews of events, licensee documents and regulator documents; discussions with management; and other sources such as questionnaires, surveys, third-party documents and focus groups.  The goal is to approach the target from multiple angles.  “The aim of data analysis is to build a safety culture picture based on the inputs collected. . . . It is a set of interpreted data regarding the organizational practices and the priority of safety within these practices.” (p. 17)

Robust data analysis “requires iterations [and] multi-disciplinary teams. A variety of expertise (technical, human and organizational factors, regulations) are necessary to build a reliable safety culture picture. . . . [and] protect against bias inherent to the multiple sources of data.” (p. 17)

The regulator's picture of SC is discussed with the licensee during periodic or ad hoc meetings.  The objective is to reach agreement on next steps, including the implementation of possible meeting actions and licensee commitments.

Our perspective

The SC content is pretty basic stuff, with zero new insight.  From our viewpoint, the far more interesting issue is the extension of regulatory authority into an admittedly soft, qualitative area.  This issue highlights the fact that the scope of regulatory authority is established by decisions that have socio-political, as well as technical, components.  SC is important, and certainly regulatable.  If a country wants to regulate nuclear SC, then have at it, but there is no hard science that says it is a necessary or even desirable thing to do.

Our big gripe is with the hypocrisy displayed by the NRC which has a SC policy, not a regulation, but in some cases implements all the steps associated with regulatory oversight discussed in this IAEA report (except evaluation of management personnel).  For evidence, look at how they have been pulling Fort Calhoun and Palisades through the wringer.


*  G. Rolina (IAEA), “Regulatory oversight of safety culture in nuclear installations” IAEA TECDOC 1707 (Vienna: International Atomic Energy Agency, 2013).

**  A management system is a “set of interrelated or interacting elements (system) for establishing policies and objectives and enabling the objectives to be achieved in an efficient and effective way. . . . These elements include the structure, resources and processes. Personnel, equipment and organizational culture as well as the documented policies and processes are parts of the management system.” (p. 30)

Wednesday, May 8, 2013

Safety Management and Competitiveness

We recently came across a paper that should be of significant interest to nuclear safety decision makers.  “Safety Management in a Competitiveness Context” was presented in March 2008 by Jean-Marie Rousseau of the Institut de Radioprotection et de Surete Nucleaire (IRSN).  As the title suggests the paper examines the effects of competitive pressures on a variety of nuclear safety management issues including decision making and the priority accorded safety.  Not surprisingly:

“The trend to ignore or to deny this phenomenon is frequently observed in modern companies.” (p. 7)

The results presented in the paper came about from a safety assessment performed by IRSN to examine safety management of EDF [Electricite de France] reactors including:

“How real is the ‘priority given to safety’ in the daily arbitrations made at all nuclear power plants, particularly with respect to the other operating requirements such as costs, production, and radiation protection or environmental constraints?” (p. 2)

The pertinence is clear as “priority given to safety” is the linchpin of safety culture policy and expected behaviors.  In addition the assessment focused on decision-making processes at both the strategic and operational levels.  As we have argued, decisions can provide significant insights into how safety culture is operationalized by nuclear plant management. 

Rousseau views nuclear operations as a “highly complex socio-technical system” and his paper provides a brief review of historical data where accidents or near misses displayed indications of the impact of competing priorities on safety.  The author notes that competitiveness is necessary just as is safety and as such it represents another risk that must be managed at organizational and managerial levels.  This characterization is intriguing and merits further reflection particularly by regulators in their pursuit of “risk informed regulation”.  Nominally regulators apply a conceptualization of risk that is hardware and natural phenomena centric.  But safety culture and competitive pressures also could be justified as risks to assuring safety - in fact much more dynamic risks - and thus be part of the framework of risk informed regulation.*  Often, as is the case with this paper, there is some tendency to assert that achievement of safety is coincident with overall performance excellence - which in a broad sense it is - but notwithstanding there are many instances where there is considerable tension - and potential risk.

Perhaps most intriguing in the assessment is the evaluation of EDF’s a posteriori analyses of its decision making processes as another dimension of experience feedback.**   We quote the paper at length:

“The study has pointed out that the OSD***, as a feedback experience tool, provides a priori a strong pedagogic framework for the licensee. It offers a context to organize debates about safety and to share safety representations between actors, illustrated by a real problematic situation. It has to be noticed that it is the only tool dedicated to “monitor” the safety/competitiveness relationship.

"But the fundamental position of this tool (“not to make judgment about the decision-maker”) is too restrictive and often becomes “not to analyze the decision”, in terms of results and effects on the given situation.

"As the existence of such a tool is judged positively, it is necessary to improve it towards two main directions:
- To understand the factors favouring the quality of a decision-making process. To this end, it is necessary to take into account the decision context elements such as time pressure, fatigue of actors, availability of supports, difficulties in identifying safety requirements, etc.
- To understand why a “qualitative decision-making process” does not always produce a “right decision”. To this end, it is necessary to analyze the decision itself with the results it produces and the effects it has on the situation.” (p. 8)

We feel this is a very important aspect that currently receives insufficient attention.  Decisions can provide a laboratory of safety management performance and safety culture actualization.  But how often are decisions adequately documented, preserved, critiqued and shared within the organization?  Decisions that yield a bad (reportable) result may receive scrutiny internally and by regulators but our studies indicate there is rarely sufficient forensic analysis - cause analyses are almost always one dimensional and hardware and process oriented.  Decisions with benign outcomes - whether the result of “good” decision making or not - are rarely preserved or assessed.  The potential benefits of detailed consideration of decisions have been demonstrated in many of the independent assessments of accidents (Challenger, Columbia, BP Texas Oil Refinery, etc.) and in research by Perin and others. 

We would go a step further than proposed enhancements to the OSD.  As Rousseau notes there are downsides to the routine post-hoc scrutiny of actual decisions - for one it will likely identify management errors even in the absence of a bad decision outcome.  This would be one more pressure on managers already challenged by a highly complex decision environment.  An alternative is to provide managers the opportunity to “practice” making decisions in an environment that supports learning and dialogue on achieving the proper balances in decisions - in other words in a safety management simulator.  The industry requires licensed operators to practice operations decisions on a simulator for similar reasons - why not nuclear managers charged with making safety decisions?



*  As the IAEA has noted, “A danger of concentrating too much on a quantitative risk value that has been generated by a PSA [probabilistic safety analysis] is that...a well-designed plant can be operated in a less safe manner due to poor safety management by the operator.”  IAEA-TECDOC-1436, Risk Informed Regulation of Nuclear Facilities: Overview of the Current Status, February 2005.

**  EDF implemented safety-availability-Radiation-Protection-environment observatories (SAREOs) to increase awareness of the arbitration between safety and other performance factors. SAREOs analyze in each station the quality of the decision-making process and propose actions to improve it and to guarantee compliance with rules in any circumstances [“Nuclear Safety: our overriding priority” EDF Group's file responding to FTSE4Good nuclear criteria].


***  Per Rousseau, “The OSD (Observatory for Safety/Availability) is one of the “safety management levers” implemented by EDF in 1997. Its objective is to perform retrospective analyses of high-stake decisions, in order to improve decision-making processes.” (p. 7)

Friday, May 3, 2013

High Reliability Organizations and Safety Culture

On February 10th, we posted about a report covering lessons for safety culture (SC) that can be gleaned from the social science literature. The report's authors judged that high reliability organization (HRO) literature provided a solid basis for linking individual and organizational assumptions with traits and practices that can affect safety performance. This post explores HRO characteristics and how they can influence SC.

Our source is Managing the Unexpected: Resilient Performance in an Age of Uncertainty* by Karl Weick and Kathleen Sutcliffe. Weick is a leading contemporary HRO scholar. This book is clearly written, with many pithy comments, so lots of quotations are included below to present the authors' views in their own words.

What makes an HRO different?

Many organizations work with risky technologies where the consequences of problems or errors can be catastrophic, use complex management systems and exist in demanding environments. But successful HROs approach their work with a different attitude and practices, an “ongoing mindfulness embedded in practices that enact alertness, broaden attention, reduce distractions, and forestall misleading simplifications.” (p. 3)

Mindfulness

An underlying assumption of HROs is “that gradual . . . development of unexpected events sends weak signals . . . along the way” (p. 63) so constant attention is required. Mindfulness means that “when people act, they are aware of context, of ways in which details differ . . . and of deviations from their expectations.” (p. 32) HROs “maintain continuing alertness to the unexpected in the face of pressure to take cognitive shortcuts.” (p. 19) Mindful organizations “notice the unexpected in the making, halt it or contain it, and restore system functioning.” (p. 21)

It takes a lot of energy to maintain mindfulness. As the authors warn us, “mindful processes unravel pretty fast.” (p. 106) Complacency and hubris are two omnipresent dangers. “Success narrows perceptions, . . . breeds overconfidence . . . and reduces acceptance of opposing points of view. . . . [If] people assume that success demonstrates competence, they are more likely to drift into complacency, . . .” (p. 52) Pressure in the task environment is another potential problem. “As pressure increases, people are more likely to search for confirming information and to ignore information that is inconsistent with their expectations.” (p. 26) The opposite of mindfulness is mindlessness. “Instances of mindlessness occur when people confront weak stimuli, powerful expectations, and strong desires to see what they expect to see.” (p. 88)

Mindfulness can lead to insight and knowledge. “In that brief interval between surprise and successful normalizing lies one of your few opportunities to discover what you don't know.” (p. 31)**

Five principles

HROs follow five principles. The first three cover anticipation of problems and the remaining two cover containment of problems that do arise.

Preoccupation with failure

HROs “treat any lapse as a symptom that something may be wrong with the system, something that could have severe consequences if several separate small errors happened to coincide. . . . they are wary of the potential liabilities of success, including complacency, the temptation to reduce margins of safety, and the drift into automatic processing.” (p. 9)

Managers usually think surprises are bad, evidence of bad planning. However, “Feelings of surprise are diagnostic because they are a solid cue that one's model of the world is flawed.” (p. 104) HROs “Interpret a near miss as danger in the guise of safety rather than safety in the guise of danger. . . . No news is bad news. All news is good news, because it means that the system is responding.” (p. 152)

People in HROs “have a good sense of what needs to go right and a clearer understanding of the factors that might signal that things are unraveling.” (p. 86)

Reluctance to simplify

HROs “welcome diverse experience, skepticism toward received wisdom, and negotiating tactics that reconcile differences of opinion without destroying the nuances that diverse people detect. . . . [They worry that] superficial similarities between the present and the past mask deeper differences that could prove fatal.” (p. 10) “Skepticism thus counteracts complacency . . . .” (p. 155) “Unfortunately, diverse views tend to be disproportionately distributed toward the bottom of the organization, . . .” (p. 95)

The language people use at work can be a catalyst for simplification. A person may initially perceive something different in the environment but using familiar or standard terms to communicate the experience can raise the risk of losing the early warnings the person perceived.

Sensitivity to operations

HROs “are attentive to the front line, . . . Anomalies are noticed while they are still tractable and can still be isolated . . . . People who refuse to speak up out of fear undermine the system, which knows less than it needs to know to work effectively.” (pp. 12-13) “Being sensitive to operations is a unique way to correct failures of foresight.” (p. 97)

In our experience, nuclear plants are generally good in this regard; most include a focus on operations among their critical success factors.

Commitment to resilience

“HROs develop capabilities to detect, contain, and bounce back from those inevitable errors that are part of an indeterminate world.” (p. 14) “. . . environments that HROs face are typically more complex than the HRO systems themselves. Reliability and resilience lie in practices that reduce . . . environmental complexity or increase system complexity.” (p. 113) Because it's difficult or impossible to reduce environmental complexity, the organization needs to make its systems more complex.*** This requires clear thinking and insightful analysis. Unfortunately, actual organizational response to disturbances can fall short. “. . . systems often respond to a disturbance with new rules and new prohibitions designed to prevent the same disruption from happening in the future. This response reduces flexibility to deal with subsequent unpredictable changes.” (p. 72)

Deference to expertise

“Decisions are made on the front line, and authority migrates to the people with the most expertise, regardless of their rank.” (p. 15) Application of expertise “emerges from a collective, cultural belief that the necessary capabilities lie somewhere in the system and that migrating problems [down or up] will find them.” (p. 80) “When tasks are highly interdependent and time is compressed, decisions migrate down . . . Decisions migrate up when events are unique, have potential for very serious consequences, or have political or career ramifications . . .” (p. 100)

This is another ideal that can fail in practice. We've all seen decisions made by the highest ranking person rather than the most qualified one. In other words, “who is right” can trump “what is right.”

Relationship to safety culture

Much of the chapter on culture is based on the ideas of Schein and Reason so we'll focus on key points emphasized by Weick and Sutcliffe. In their view, “culture is something an organization has [practices and controls] that eventually becomes something an organization is [beliefs, attitudes, values].” (p. 114, emphasis added)

“Culture consists of characteristic ways of knowing and sensemaking. . . . Culture is about practices—practices of expecting, managing disconfirmations, sensemaking, learning, and recovering.” (pp. 119-120) A single organization can have different types of culture: an integrative culture that everyone shares, differentiated cultures that are particular to sub-groups and fragmented cultures that describe individuals who don't fit into the first two types. Multiple cultures support the development of more varied responses to nascent problems.

A complete culture strives to be mindful, safe and informed with an emphasis on wariness. As HRO principles are ingrained in an organization, they become part of the culture. The goal is a strong SC that reinforces concern about the unexpected, is open to questions and reporting of failures, views close calls as a failure, is fearful of complacency, resists simplifications, values diversity of opinions and focuses on imperfections in operations.

What else is in the book?

One chapter contains a series of audits (presented as survey questions) to assess an organization's mindfulness and appreciation of the five principles. The audits can show an organization's attitudes and capabilities relative to HROs and relative to its own self-image and goals.

The final chapter describes possible “small wins” a change agent (often an individual) can attempt to achieve in an effort to move his organization more in line with HRO practices, viz., mindfulness and the five principles. For example, “take your team to the actual site where an unexpected event was handled either well or poorly, walk everyone through the decision making that was involved, and reflect on how to handle that event more mindfully.” (p. 144)

The book's case studies include an aircraft carrier, a nuclear power plant,**** a pediatric surgery center and wildland firefighting.

Our perspective

Weick and Sutcliffe draw on the work of many other scholars, including Constance Perin, Charles Perrow, James Reason and Diane Vaughan, all of whom we have discussed in this blog. The book makes many good points. For example, the prescription for mindfulness and the five principles can contribute to an effective context for decision making although it does not comprise a complete management system. The authors recognize that reliability does not mean a complete lack of performance variation; instead, reliability follows from practices that recognize and contain emerging problems. Finally, there is evidence of a systems view, which we espouse, when the authors say “It is this network of relationships taken together—not necessarily any one individual or organization in the group—that can also maintain the big picture of operations . . .” (p. 142)

The authors would have us focus on nascent problems in operations, which is obviously necessary. But another important question is what are the faint signals that the SC is developing problems? What are the precursors to the obvious signs, like increasing backlogs of safety-related work? Could that “human error” that recently occurred be a sign of a SC that is more forgiving of growing organizational mindlessness?

Bottom line: Safetymatters says check out Managing the Unexpected and consider adding it to your library.


* K.E. Weick and K.M. Sutcliffe, Managing the Unexpected: Resilient Performance in an Age of Uncertainty, 2d ed. (San Francisco, CA: Jossey-Bass, 2007). Also, Wikipedia has a very readable summary of HRO history and characteristics.

** More on normalization and rationalization: “On the actual day of battle naked truths may be picked up for the asking. But by the following morning they have already begun to get into their uniforms.” E.A. Cohen and J. Gooch, Military Misfortunes: The Anatomy of Failure in War (New York: Vintage Books, 1990), p. 44, quoted in Managing the Unexpected, p. 31.

*** The prescription to increase system complexity to match the environment is based on the system design principle of requisite variety which means “if you want to cope successfully with a wide variety of inputs, you need a wide variety of responses.” (p. 113)

**** I don't think the authors performed any original research on nuclear plants. But the studies they reviewed led them to conclude that “The primary threat to operations in nuclear plants is the engineering culture, which places a higher value on knowledge that is quantitative, measurable, hard, objective, and formal . . . HROs refuse to draw a hard line between knowledge that is quantitative and knowledge that is qualitative.” (p. 60)

Thursday, April 25, 2013

Inhibiting Excessive Risk Taking by Executives

The Federal Reserve Board has been doing some arm twisting with U.S. financial services companies to adjust their executive compensation plans - and those plans are in fact being modified to cap bonuses associated with achieving performance goals.  These actions have their genesis in the financial crisis where it appeared that incentives could encourage excessive risk taking by management.  A Wall Street Journal article* notes “regulators are still looking at ways to lower risk in the banking system, even if it means interfering with private pay practices.”  This follows a similar trend in Europe, where some firms are considering increasing salaries to make up for less bonus potential.

These actions merit some thoughtful consideration within the U.S. nuclear industry.  While the Fed’s concern is excessive business risk, the analog in nuclear operations is safety risk.  Both go to ensuring that the “system” (banking or nuclear production) remain within controlled limits.  As we have noted in prior blog posts (July 6 and July 9, 2010), there have been trends for nuclear executive compensation to both escalate and include significant performance based components.  The increased salaries probably reflect competition for the best qualified executives and are indicative of the great responsibilities of nuclear management.  However the trend to include large short-term bonuses (comprising up to 60-70% of total compensation) may be indicative of the evolution of “nuclear generation as a business” and the large profit potential available at high capacity factors.  Whatever the nominal amount of pressure on nuclear executives to achieve operating goals, the presence of very large monetary incentives can only increase that pressure.  In a strong safety culture environment where perception of management’s priorities is central, incentive based compensation plans can easily create presumptions regarding the motivation for management decisions.  At least one nuclear utility has concluded that incentives were not appropriate and taken action to adjust their compensation plans.  We have advocated dialing back incentives in favor of more direct compensation.

It is also rather interesting that the Fed decided to step into the province of private compensation practices.  A similar initiative by the NRC seems unlikely given its reluctance to impinge on management performance in any manner.  As noted in our February 28, 2013 post the NRC has included some nominal but poorly focused language on incentives in its Safety Culture Common Language Path Forward.  This seems to indicate that the NRC believes incentives are or could be relevant.  The best approach may be for the NRC to become more intrusive - to determine if compensation plans have the potential to lead to excessive risk taking.  This would require the NRC to obtain compensation plan information from its licensees, characterize the extent and magnitude of performance based incentives, and consider the effect of such incentives in assessing specific operational issues that arise in its normal regulatory oversight activities.  Only if some relationship appeared would the NRC need to consider whether to take action similar to the Fed or other means to ameliorate risk taking.



 

*  A. Lucchetti and J. Steinberg, "Regulators Get Banks to Rein In Bonus Pay," Wall Street Journal (April 23, 2013).

Monday, April 22, 2013

IAEA on Safety Culture in New Plant Design and Construction

The International Atomic Energy Agency (IAEA) has a 2012 publication* that provides guidance on establishing a strong safety culture (SC) during the design and construction of new nuclear power plants.  The report's premise, with which we agree, is that a weak SC during plant design and construction can lead to later problems during plant operations.

Major issues can arise during plant design and construction.  For example, the numerous organizations involved may have limited direct experience and/or insufficient knowledge of nuclear safety requirements, or projects may be located in countries with no existing nuclear industry or countries may have a nuclear industry but no recent construction experience.

The report attempts to cover the different needs, challenges and circumstances that may face project participants (governments, regulators, owners, designers, builders, manufacturers, etc.) anywhere in the world.  Most of the content addresses generic issues, e.g., understanding SC, the role of leadership, appropriate management systems, or communication and organizational learning.  Each issue is discussed in terms of specific challenges, goals, and recommended approaches and methods.  However, in their effort to attain maximum coverage (scope) IAEA sacrifices depth.  For example, the discussion of leadership covers five pages of the report but scarcely mentions the two most important activities of leaders: decision making and modeling safety-focused behavior.

If we look at the report's specific advice and recommendations, we see uneven coverage of the observable artifacts we consider essential for a strong SC: a decision making process that appropriately values safety, an effective corrective action program and financial incentives that reward safety performance. 

Decision making process

 
One overall challenge facing new projects is “Conflicts between schedule, cost and safety objectives can adversely affect conservative decision making and the maintenance of a questioning attitude, or impair the ability to perceive links between short term actions and their long term consequences.” (p. 2)

That's a good starting point but what are the characteristics of an appropriate decision making process?  It seems that decision making should be “conservative” (pp. 32, 34, 39), “broad” (p. 43) and “risk informed” (pp. 50, 51) but the terms are not defined.  More specificity on how the decision making process should handle competing goals, set priorities and assign resources would be useful.
 
What about the decision makers?  Leaders should be able to “Explain the relationships between time periods/horizons and decision making to help resolve competing priorities.” (p. 41)  That's OK but the need goes beyond time periods.  The manager must be able to explain the rationale for significant decisions related to safety.  What were the considerations, assumptions, priorities, alternatives, decision factors and their relative weights, and the applicable laws, rules and regulations?  How should leaders treat devil’s advocates who raise concerns about possible unfavorable outcomes?  Do leaders get the most qualified people involved in key decisions?
 
In addition, leaders should “Simulate decision making in a fast paced, complex environment to help leaders identify risks in their own approaches.”  (p. 41)  This is an excellent approach and we wholeheartedly support it. 

Corrective action

“Ineffective problem identification, inadequate reporting and inadequate corrective actions” (p. 9) were identified in a 2006 investigation as causal factors of construction problems at a nuclear plant site.  But there is no follow-up to describe the characteristics of an effective corrective action program.  There should be more about the CAP's ability to recognize and diagnose problems, formulate and implement solutions that consistently and appropriately consider safety, and monitor the effects of corrective actions. The importance of robust cause analysis, i.e., analysis that finds the real causes of problems so they do not recur, should be mentioned.  This would not be an unreasonable level of detail for this general report.

Financial incentives

The report correctly notes that “In construction environments, cultural attributes such as schedule awareness, cost focus and urgency of problem resolution are reinforced because they are rewarded by immediate measures of success.” (p. 8)  This becomes a specific challenge when “Contractor incentives are often driven by cost and schedule rather than by safety culture performance.” (p. 26).  A recommended fix is to “Establish a reward and incentive programme [sic] for the overall project, with objectives for safety performance and rewards that are either monetary or in the form of future contracts as a long term partner.” (p. 27).  This will probably result in a focus on industrial safety performance rather than the overall SC but it may be the best practical solution.  Periodic assessment of key contractors' SC should be used to identify any general SC issues. 

Our perspective

In prior posts, we have taken the IAEA to task for their overly bureaucratic approach.  So we're pleased to report this document actually provides some useful, sensible guidance (albeit often in an unprioritized, laundry list style) applicable to both countries initially embarking on the nuclear road and more experienced countries experiencing a nuclear renaissance.

The report makes a few important points.  For example, IAEA proposes a systems approach to thinking about all the project participants and the varied work they must accomplish.  “In the case of NPP projects, the ‘system’ involves human–social systems, work processes, complex technologies and multiple organizations in a global economic, energy, environmental and regulatory context.” (p. 11)  This is a viewpoint we have repeatedly advocated in this blog.
 

Overall this report is satisfactory and it does refer the reader to other IAEA publications for additional information on specific subjects.  But in trying to provide relevant material to a plethora of stakeholders, the report gives shorter shrift to factors we consider vital to establishing and maintaining a strong SC. 


*  M. Haage (IAEA), “Safety culture in pre-operational phases of nuclear power plant projects” (Vienna: International Atomic Energy Agency, 2012).

Tuesday, April 16, 2013

Warning Shot for Chevron

White vapor and black smoke.  From CSB report.
On August 6, 2012 a leaking pipe at the Chevron refinery in Richmond, CA led to a fire that shut down a crude oil distillation unit and caused over 15,000 people to report to local hospitals seeking treatment for respiratory and other health issues.  This was not a Texas City.  About 20 of the 15,000 people were admitted to local hospitals and there were some minor injuries to employees in the area of the fire but no fatalities.  However, it should be a wake-up call for Chevron. 

The proximate cause of the leak was a pipe ("4-sidecut") that had corroded because of the fluids that flowed through it.  But the Chevron and Chemical Safety Board (CSB) investigations showed there was a ten-year trail of missed possibilities to identify and correct the problem, including the following: In 2002, an employee inspector had expressed concern about sulfidation corrosion in the 4-sidecut and recommended upgrading it but his recommendation was never implemented.  In the same year, an incident at another Chevron refinery led the company to recommend 100% inspection of pipes for corrosion but this was not implemented at Richmond.  In 2009 and 2010 Chevron promulgated new warnings about sulfur corrosion and reiterated the recommendation for 100% inspection but Richmond did not implement any remedial actions on the 4-sidecut.*  In 2011, after a fire in another pipe, Richmond employees complained to Cal/OSHA about the company ignoring corrosion dangers but Chevron rationalized their way out of the issue.**

Chevron's incident investigation, including a root cause analysis, resulted in multiple corrective actions that will ring familiar to our readers.  Summarized, they are: look harder for corrosion; upgrade the hardware reliability program and supporting procedures; increase oversight and training; implement new rules for evaluating leaks; and emphasize the importance of process safety in decision making.  In even fewer words, tweak the system and retrain.

There is no mention of safety culture (SC) but the odor of a weak or compromised SC wafts from the report.  In a strong SC, the 2002 inspector would have identified the potential problem, documented it in the corrective action program and monitored progress until the issue was resolved.  The corrective action program would have evaluated, prioritized and resourced the problem's resolution consistent with its safety significance.  Outside experience and directives (from other Chevron entities or elsewhere) would have been regularly integrated into local operating practices, including inspection, maintenance and process procedures.

We are not alone in recognizing the importance of SC.  The local county supervisor, who also chairs the Bay Area Air Quality Management District, said “We need to do a thorough review of the safety culture at the refinery.”***  The CSB's managing director said the company had a “tolerance for allowing piping to run toward failure” and “I think it points to a certain cultural issue.”****  The CSB's interim report says “After reviewing evidence and decisions . . . the CSB has determined that issues relating to safety culture are relevant to this incident. The CSB will examine the Chevron Richmond Refinery’s approach to safety, its safety culture and any organizational deficiencies, to determine how to best prevent future incidents.” (p. 61)

We'll see if Chevron gets the hint.


*  CUSA Richmond Investigation Team, “Richmond Refinery 4 Crude Unit Incident August 6, 2012” (April 12, 2013).  Attachment to letter from S. Wildman (Chevron) to R.L. Sawyer (Contra Costa County Health Services), “Seventh Update to the 30-Day Report for the CWS Level 3 Event of August 6, 2012” (April 12, 2013).  


U.S. Chemical Safety and Hazard Investigation Board, “Interim Investigation Report Chevron Richmond Refinery Fire” (April 15, 2013).  In addition to Chevron, the CSB also criticizes regulatory and other government agencies, particularly Cal/OSHA, for shortcomings in their oversight of refinery activities.

**  J. Van Derbeken, “Chevron ignored risk in '11, workers say” sfgate.com (Oct. 13, 2012).

***  J. Van Derbeken, “Chevron fire report shows troubled history” sfgate.com (April 13, 2013).

****  J. Van Derbeken, “Chevron fire sign of weak oversight” sfgate.com (April 15, 2013).