Friday, June 5, 2015

NRC Staff Review of National Research Council Safety Culture Recommendations Arising from Fukushima

On July 30, 2014 we reviewed the safety culture (SC) aspects of the National Research Council report on lessons learned from the Fukushima nuclear accident.  We said the report’s SC recommendations were pretty limited: the NRC and industry must maintain and monitor a strong SC in all safety-related activities, the NRC must maintain its independence from outside influences, and the NRC and industry should increase their transparency about their SC-related efforts.

The NRC staff reviewed the report’s recommendations, assessed whether the agency was addressing them and documented their results.*  Given the low bar, it’s no surprise the staff concluded “that all NAS’s recommendations are being adequately addressed.” (p.1)  Following is the evidence the staff assembled to show the NRC is addressing the SC recommendations.

Emphasis on Safety Culture (pp. 25-26) 


In 1989, after Peach Bottom plant operators were caught sleeping on the job, the NRC issued a “Policy Statement on the Conduct of Nuclear Power Plant Operations.”   The policy statement focused on personal dedication and accountability but also underscored management’s responsibility for fostering a healthy SC.

In 1996, after Millstone whistleblowers faced retaliation, the NRC issued another policy statement, “Freedom of Employees in the Nuclear Industry to Raise Safety Concerns without Fear of Retaliation.”  This policy statement focused on the NRC’s expectation that all licensees will establish and maintain a safety-conscious work environment (SCWE).

In 2002, after discovery of the Davis-Besse reactor pressure vessel’s degradation, the Reactor Oversight Process (ROP) was strengthened to detect potential SC weaknesses during inspections and performance assessments.  ROP changes were described in Regulatory Issue
Summary 2006-13, “Information on the Changes Made to the Reactor Oversight Process to More Fully Address Safety Culture.”

In 2004, INPO published “Principles for a Strong Nuclear Safety Culture.”  In 2009, an industry/NEI/INPO effort produced a process for monitoring and improving SC, documented in NEI 09-07 “Fostering a Strong Nuclear Safety Culture.”  We reviewed NEI 09-07 on Jan. 6, 2011.

In 2008, the NRC initiated an effort to define and expand SC policy.  The final Safety Culture Policy Statement (SCPS) was published on June 14, 2011.  We posted eight times on the SCPS effort before the policy was issued.  Click on the SC Policy Statement label to see both those posts and subsequent ones that refer to the SCPS. 

An Independent Regulator (pp. 26-27)

The Energy Reorganization Act of 1974 established the NRC.  Principal Congressional oversight of the agency is performed by the Senate Subcommittee on Clean Air and Nuclear Safety, and the House Subcommittee on Energy and the Environment.  It’s not clear how the NRC performing obeisance before these committees contributes to the agency’s independence.

The NRC receives independent oversight from the NRC’s Office of the Inspector General and the U.S. Government Accountability Office.

Perhaps most relevant, the U.S. is a contracting party to the international Convention on Nuclear Safety.  The NRC prepares a periodic report describing how the U.S. fulfills its obligations under the CNS, including maintaining the independence of the regulatory body.  On March 26, 2014 we posted on the NRC’s most recent report.

Industry Transparency (pp. 27-28)

For starters, the NRC touts its SC website which includes the SCPS and SC-related educational and outreach materials.

In March 2014, the NRC published NUREG-2165, “Safety Culture Common Language,” which
documents a common language to describe SC in the nuclear industry.  We reviewed the NUREG on April 6, 2014.

That’s all.

Our Perspective 


We’ll give the NRC a passing grade on its emphasis on SC.  The “evidence” on agency independence is slim.  Some folks believe that regulatory capture has occurred, to a greater or lesser degree.  For what it’s worth, we think the agency is fairly independent.

The support for industry transparency is a joke.  As we said in our July 30, 2014 post, “the nuclear industry’s penchant for secrecy is a major contributor to the industry being its own worst enemy in the court of public opinion.”     


NRC Staff Review of National Academy of Sciences Report, “Lessons Learned from theFukushima Dai-ichi Nuclear Accident for Improving Safety of U.S. Nuclear Plants” (Apr. 9, 2015).  ADAMS ML15069A600.  The National Research Council is part of the National Academy of Sciences.

Tuesday, May 26, 2015

Safety Culture “State of the Art” in 2002 per NUREG-1756

Here’s a trip down memory lane.  Back in 2002 a report* on the “state of the art” in safety culture (SC) thinking, research and regulation was prepared for the NRC Advisory Committee on Reactor Safeguards.  This post looks at some of the major observations of the 2002 report and compares them with what we believe is important today.

The report’s Abstract provides a clear summary of the report’s perspective:  “There is a widespread belief that safety culture is an important contributor to the safety of operations. . . . The commonly accepted attributes of safety culture include good organizational communication, good organizational learning, and senior management commitment to safety. . . . The role of regulatory bodies in fostering strong safety cultures remains unclear, and additional work is required to define the essential attributes of safety culture and to identify reliable performance indicators.” (p. iii) 

General Observations on Safety Performance 


A couple of quotes included in the report reflect views on how safety performance is managed or influenced.

 “"The traditional approach to safety . . . has been retrospective, built on precedents. Because it is necessary, it is easy to think it is sufficient.  It involves, first, a search for the primary (or "root") cause of a specific accident, a decision on whether the cause was an unsafe act or an unsafe condition, and finally the supposed prevention of a recurrence by devising a regulation if an unsafe act,** or a technical solution if an unsafe condition." . . . [This approach] has serious shortcomings.  Specifically, ". . . resources are diverted to prevent the accident that has happened rather than the one most likely to happen."” (p. 24)

“"There has been little direct research on the organizational factors that make for a good safety culture. However, there is an extensive literature if we make the indirect assumption that a relatively low accident plant must have a relatively good safety culture." The proponents of safety culture as a determinant of operational safety in the nuclear power industry rely, at least to some degree, on that indirect assumption.” (p. 37) 

Plenty of people today behave in accordance with the first observation and believe (or act as if they believe) the second one.  Both contribute to the nuclear industry’s unwillingness to consider new ways of thinking about how safe performance actually occurs.

Decision Making, Goal Conflict and the Reward System

Decision making processes, recognition of goal conflicts and an organization’s reward system are important aspects of SC and the report addressed them to varying degrees.

One author referenced had a contemporary view of decision making, noting that “in complex and ill-structured risk situations, decisionmakers are faced not only with the matter of risk, but also with fundamental uncertainty characterized by incompleteness of knowledge.” (p. 43)  That’s true in great tragedies like Fukushima and lesser unfortunate outcomes like the San Onofre steam generators.

Goal conflict was mentioned: “Managers should take opportunities to show that they will put safety concerns ahead of power production if circumstances warrant.” (p.7)

Rewards should promote good safety practices (p. 6) and be provided for identifying safety issues. (p. 37)  However, there is no mention of the executive compensation system.  As we have argued ad nauseam these systems often pay more for production than for safety.

The Role of the Regulator


“The regulatory dilemma is that the elements that are important to safety culture are difficult, if not impossible, to separate from the management of the organization.  [However,] historically, the NRC has been reluctant to regulate management functions in any direct way.” (pp. 37-38)  “Rather, the NRC " . . . infers licensee organization management performance based on a comprehensive review of inspection findings, licensee amendments, event reports, enforcement history, and performance indicators."” (p. 41)  From this starting point, we now have the current situation where the NRC has promulgated its SC Policy Statement and practices de facto SC regulation using the highly reliable “bring me another rock” method.

The Importance of Context when Errors Occur 


There are hints of modern thinking in the report.  It contains an extended summary of Reason’s work in Human Error.  The role of latent conditions, human error as consequence instead of cause, the obvious interaction between producers and production, and the “non-event” of safe operations are all mentioned. (p. 15)  However, a “just culture” or other more nuanced views of the context in which safety performance occurs had yet to be developed.

One author cited described “the paradox that culture can act simultaneously as a precondition for safe operations and an incubator for hazards.” (p. 43)  We see that in Reason and also in Hollnagel and Dekker: people going about business as usual with usually successful results but, on some occasions, with unfortunate outcomes.

Our Perspective

The report’s author provided a good logic model for getting from SC attributes to identifying useful risk metrics, i.e., from SC to one or more probabilistic risk assessment (PRA) parameters.  (pp. 18-20)  But none of the research reviewed completed all the steps in the model. (p. 36)  He concludes “What is not clear is the mechanism by which attitudes, or safety culture, affect the safety of operations.” (p. 43)  We are still talking about that mechanism today.   

But some things have changed.  For example, probabilistic thinking has achieved greater penetration and is no longer the sole province of the PRA types.  It’s accepted that Black Swans can occur (but not at our plant).

Bottom line: Every student of SC should take a look at this.  It includes a good survey of 20th century SC-related research in the nuclear industry and it’s part of our basic history.

“Those who cannot remember the past are condemned to repeat it.” — George Santayana (1863-1952)


*  J.N. Sorensen, “Safety Culture: A Survey of the State-of-the-Art,” NUREG-1756 (Jan. 2002).  ADAMS ML020520006.  (Disclosure: I worked alongside the author on a major nuclear power plant litigation project in the 1980s.  He was thoughtful and thorough, qualities that are apparent in this report.)

**  We would add “or reinforcing an existing regulation through stronger procedures, training or oversight.”

Monday, April 27, 2015

INPO’s View on Fukushima Safety Culture Lessons Learned

In November 2011 the Institute of Nuclear Power Operations (INPO) published a special report* on the March 2011 Fukushima accident.  The report provided an overview and timeline for the accident, focusing on the evolution of the situation during the first several days after the earthquake and tsunami.  Safety culture (SC) was not mentioned in the report.

In August 2012 INPO issued an addendum** to the report covering Fukushima lessons learned in eight areas, including SC.  Each area contains a lengthy discussion of relevant plant activities and experiences, followed by specific lessons learned.  According to INPO, some lessons learned may be new or different from those published elsewhere.  Several caught our attention as we paged through the addendum: Invest resources to assess low-probability, high-consequence events (Black Swans).  Beef up available plant staffing to support regular staff in case a severe, long duration event inconveniently occurs on a weekend.  Evaluate the robustness of off-site event management facilities (TEPCO’s was inaccessible, lost power and did not have filtered ventilation).  Be aware that assigning most decision making authority to the control room crew (as TEPCO did) meant other plant groups could not challenge or check ops’ decisions—efficiency at the cost of thoroughness.  Conduct additional training for a high-dose environment when normal dosage limits are replaced with emergency ones.  Ensure that key personnel have in-depth reactor and power plant knowledge to respond effectively if situations evolve beyond established procedures and flexibility is required.

Focusing on SC, the introduction to this section is clear and unexpectedly strong: “History has shown that accidents and their precursors at commercial nuclear electric generating stations result from a series of decisions and actions that reflect flaws in the shared assumptions, values, and beliefs of the operating organization.” (p. 33)

The SC lessons learned are helpful.  INPO observed that while TEPCO had taken several steps over the years to strengthen its SC, it missed big picture issues including cultivating a questioning attitude, challenging assumptions, practicing safety-first decision making and promoting organizational learning.  In each of these areas, the report covers specific deficiencies or challenges faced at Fukushima followed by questions aimed at readers asking them to consider if similar conditions exist or could exist at their own facilities.

Our Perspective

The addendum has a significant scope limitation: it does not address public policy (e.g., regulatory or governmental) factors that contributed to the Fukushima accident and yielded their own lessons learned.***  However, given the specified scope, a quick read of the entire addendum suggests it’s reasonably thorough, the SC section certainly is.  The questions aimed at report readers are the kind we ask all the time on Safetymatters but we award INPO full marks for addressing these general, qualitative, open-ended subjects.  One question INPO raised that we have not specifically asked is “To what extent are the safety implications considered during enterprise business planning and budgeting?” (italics added)  Another, inferred from the report text, is “How do operators create complex, realistic scenarios (e.g., with insufficient information and/or personnel under stress) during emergency training?”  These are legitimate additions to the repertoire.  

The addendum is not perfect.  For example, INPO trots out the “special and unique” mantra when discussing the essential requirements to maintain core cooling capability and containment integrity (esp. with respect to venting at Fukushima).  This mantra, coupled with INPO’s usual penchant for secrecy, undermines public support for commercial nuclear power.  INPO can be a force for good when its work products, like this report and addendum, are publicly available.  It would be better for the industry if INPO were more transparent and if commercial nuclear power were characterized as a safety-intense industrial process run by ordinary, albeit highly trained, people.

Bottom line, you should read the addendum looking for bits that apply to your own situation.


*  INPO, “Special Report on the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station,” INPO 11-005 Rev. 0 (Nov. 2011).

**  INPO, “Lessons Learned from the Nuclear Accident at the Fukushima Daiichi Nuclear Power Station,” INPO 11-005 Rev. 0 Addendum (Aug. 2012).  Thanks to Madalina Tronea for publicizing this document.  Dr. Tronea is the founder/moderator of the LinkedIn Nuclear Safety discussion group.

***  Regulatory, government and corporate governance lessons learned have been publicized by other Fukushima reviewers and the findings widely distributed, including on Safetymatters.  Click on the Fukushima label to see our related posts. 

Wednesday, April 22, 2015

More Evidence of Weak Safety Culture in DOE

DNFSB Headquarters
We have posted many times about safety culture (SC) issues in the Department of Energy (DOE) empire.  Many of those issues have been raised by the Defense Nuclear Facilities Safety Board (DNFSB), an overseer of DOE activities.  Following is a recent example based on a DNFSB staff report.*

The Radcalc Imbroglio

Radcalc is a computer program used across the DOE complex (and beyond) to determine the transportation package classification for radioactive materials, including radioactive waste, based on the isotopic content.  Radcalc errors could lead to serious consequences, e.g., exposure to radiation or explosions, in the event of a transportation accident.  DOE classified Radcalc as safety software and assigned it the second highest level of rigor in DOE’s software quality assurance (SQA) procedures.

A DNFSB audit found multiple deficiencies with respect to Radcalc, most prominently DOE’s inability to provide any evidence of federal oversight of Radcalc during the software's lifetime (which dates back to the mid-1990s).  In addition, there was no evidence DOE contractors had any Radcalc-related QA plans or programs, or maintained software configuration management.  Neither DOE nor the contractors effectively used their corrective action program to identify and correct software problems.  DNFSB identified other problems but you get the idea.

DNFSB Analysis

As part of its analysis of problems and causes, the DNFSB identified multiple contributing factors including the following related to organization.  “There is an apparent lack of a systematic, structured, and documented approach to determine which organization within DOE is responsible to perform QA audits of contractor organizations.  During the review, different organizations within DOE stated that they thought another organization was responsible for performing Radcalc contractor QA audits.  DOE procedures do not clearly delineate which organization is responsible for QA/SQA audits and assessments.” (Report, p. 4)

Later, the report says “In addition, this review identified potentially significant systemic [emphasis added] concerns that could affect other safety software. These are: inadequate QA/SQA requirement specification in DOE contracts and the lack of policy identifying the DOE organizations in charge of performing QA assessments to ensure compliance; unqualified and/or inadequate numbers of qualified federal personnel to oversee contract work; . . . and additional instances of inadequate oversight of computer work within DOE (e.g., Radtran).” (Report, p. 5)

Our Perspective

Even without the DNFSB pointing out “systemic” concerns, this report practically shouts the question “What kind of SC would let this happen?”  We are talking about a large group of organizations where a significant, safety-related activity failed to take place and the primary reason (excuse) is “Not my group’s job.”  And no one took on the task to determine whose job it was.  This underlying cultural attitude could be as significant as the highly publicized SC problems at individual DOE facilities, e.g., the Hanford Waste Treatment Plant or the Waste Isolation Pilot Plant.

The DNFSB asked DOE to respond to the report within 90 days.  What will such a report say?  Let’s go out on a limb here and predict the report will call for “improved procedures, training and oversight.”  The probability of anyone facing discipline over this lapse: zero.  The probability of DOE investigating its own and/or contractor cultures for a possible systemic weakness: also zero.  Why?  Because there’s no money in it for DOE or the contractors and the DNFSB doesn’t have the organizational or moral authority to force it to happen.

We’ve always championed the DNFSB as the good guys, trying to do the right thing with few resources.  But the sad reality is they are a largely invisible backroom bureaucracy.  When a refinery catches fire, the Chemical Safety Board is front and center explaining what happened and what they’ll recommend to keep it from happening again.  When was the last time you saw the DNFSB on the news or testifying before Congress?  Their former chairman retired suddenly late last year, with zero fanfare; we think it’s highly likely the SC initiative he championed and attempted to promulgate throughout DOE went out the door with him.


*  J.H. Roberson (DNFSB) to D.M. Klaus (DOE), letter (Mar. 16, 2015) with enclosed Staff Issue Report “Review of Federal Oversight of Software Quality Assurance for Radcalc” (Dec. 17, 2014).  Thanks to Bill Mullins for bringing this document to our attention.

Monday, April 13, 2015

Safety-I and Safety-II: The Past and Future of Safety Management by Erik Hollnagel

This book* discusses two different ways of conceptualizing safety performance problems (e.g., near-misses, incidents and accidents) and safety management in socio-technical systems.  This post describes each approach and provides our perspective on Hollnagel’s efforts.  As usual, our interest lies in the potential value new ways of thinking can offer to the nuclear industry.

Safety-I

This is the common way of looking at safety performance problems.  It is reactive, i.e., it waits for problems to arise** and analytic, e.g., it uses specific methods to work back from the problem to its root causes.  The key assumption is that something in the system has failed or malfunctioned and the purpose of an investigation is to identify the causes and correct them so the problem will not recur.  A second assumption is that chains of causes and effects are linear, i.e., it is actually feasible to start with a problem and work back to its causes.  A third assumption is that a single solution (the “first story”) can be found. (pp. 86, 175-76)***  Underlying biases include the hindsight bias (p. 176) and the belief that the human is usually the weak link. (pp. 78-79)  The focus of safety management is minimizing the number of things that go wrong.

Our treatment of Safety-I is brief because we have reported on criticism of linear thinking/models elsewhere, primarily in the work of Dekker, Woods et al, and Leveson.  See our posts of Dec. 5, 2012; July 6, 2013; and Nov. 11, 2013 for details.

Safety-II

Safety-II is proposed as a different way to look at safety performance.  It is proactive, i.e., it looks at the ways work is actually performed on a day-to-day basis and tries to identify causes of performance variability and then manage them.  A key cause of variability is the regular adjustments people make in performing their jobs in order to keep the system running.  In Hollnagel’s view, “Finding out what these [performance] adjustments are and trying to learn from them can be more important than finding the causes of infrequent adverse outcomes!” (p. 149)  The focus of safety management is on increasing the likelihood that things will go right and developing “the ability to succeed under varying conditions, . . .” (p. 137).

Performance is variable because, among other reasons, people are always making trade-offs between thoroughness and efficiency.  They may use heuristics or have to compensate for something that is missing or take some steps today to avoid future problems.  The underlying assumption of Safety-II is that the same behaviors that almost always lead to successful outcomes can occasionally lead to problems because of performance variability that goes beyond the boundary of the control space.  A second assumption is that chains of causes and effects may be non-linear, i.e., a small variance may lead to a large problem, and may have an emergent aspect where a specific performance variability may occur then disappear or the Swiss cheese holes may momentarily line up exposing the system to latent hazards. (pp. 66, 131-32)  There may be multiple explanations (“second stories”) for why a particular problem occurred.  Finally, Safety-II accepts that there are often differences between Work-as-Imagined (esp. as imagined by folks at the blunt end) and Work-as-Done (by people at the sharp end). (pp. 40-41)***

The Two Approaches

Safety-I and Safety-II are not in some winner-take-all competitive struggle.  Hollnagel notes there are plenty of problems for which a Safety-I investigation is appropriate and adequate. (pp. 141, 146)

Safety-I expenditures are viewed as a cost (to reduce errors). (p. 57)  In contrast, Safety-II expenditures are viewed as bona fide investments to create more correct outcomes. (p. 166)

In all cases, organizational factors, such as safety culture, can impact safety performance and organizational learning. (p. 31)

Our Perspective

The more complex a socio-technical entity is, the more it exhibits emergent properties and the more appropriate Safety-II thinking is.  And nuclear has some elements of complexity.****  In addition, Hollnagel notes that a common explanation for failures that occur in a System-I world is “it was never imagined something like that could happen.” (p. 172)  To avoid being the one in front of the cameras saying that, it might be helpful for you to spend a little time reflecting on how System-II thinking might apply in your world.

Why do most things go right?  Is it due to strict compliance with procedures?  Does personal creativity or insight contribute to successful plant performance?  Do you talk with your colleagues about possible efficiency-thoroughness trade-offs (short cuts) that you or others make?  Can thinking about why things go right make one more alert to situations where things are heading south?  Does more automation (intended to reduce reliance on fallible humans) actually move performance closer to the control boundary because it removes the human’s ability to make useful adjustments?  Has any of your root cause evaluations appeared to miss other plausible explanations for why a problem occurred?

Some of the Safety-II material is not new.  Performance variability in Safety-II builds on Hollnagel’s earlier work on the efficiency-thoroughness trade-off (ETTO) principle.  (See our Jan. 3, 2013 post.)   His call for mindfulness and constant alertness to problems is straight out of the High Reliability Organization playbook. (pp. 36, 163-64)  (See our May 3, 2013 post.)

A definite shortcoming is the lack of concrete examples in the Safety-II discussion.  If someone has tried to do this, it would be nice to hear about it.

Bottom line, Hollnagel has some interesting observations although his Safety-II model is probably not the Next Big Thing for nuclear safety management.

 

*  E. Hollnagel, Safety-I and Safety-II: The Past and Future of Safety Management  (Burlington, VT: Ashgate , 2014)

**  In the author’s view, forward-looking risk analysis is not proactive because it is infrequently performed. (p. 57) 

***  There are other assumptions in the Safety-I approach (see pp. 97-104) but for the sake of efficiency, they are omitted from this post.

****  Nuclear power plants have some aspects of a complex socio-technical system but other aspects are merely complicated.   On the operations side, activities are tightly coupled (one attribute of complexity) but most of the internal organizational workings are complicated.  The lack of sudden environmental disrupters (excepting natural disasters) means they have time to adapt to changes in their financial or regulatory environment, reducing complexity.

Sunday, March 29, 2015

Nuclear Safety Assessment Principles in the United Kingdom

A reader sent us a copy of “Safety Assessment Principles for Nuclear Facilities” (SAPs) published by the United Kingdom’s Office for Nuclear Regulation (ONR).*  For documents like this, we usually jump right to the treatment of safety culture (SC).  However, in this case we were impressed with the document’s accessibility, organization and integrated (or holistic) approach so we want to provide a more general review.

ONR uses the SAPs during technical assessments of nuclear licensees’ safety submissions.  The total documentation package developed by a licensee to demonstrate high standards of nuclear safety is called the “safety case.”

Accessibility

The language is clear and intended for newbies as well as those already inside the nuclear tent.  For example, “The SAPs contain principles and guidance.  The principles form the underlying basis for regulatory judgements made by inspectors, and the guidance associated with the principles provides either further explanation of a principle, or their interpretation in actual applications and the measures against which judgements can be made.” (p. 11) 

Also furthering ease of use, the document is not strewn with acronyms.  As a consequence, one doesn’t have to sit with glossary in hand just to read the text.

Organization

ONR presents eight fundamental principles including responsibility for safety, limitation of risks to individuals and emergency planning.  We’ll focus on another fundamental principle, Leadership and Management (L&M) because (a) L&M activities create the context and momentum for a positive SC and (b) it illustrates holistic thinking.

L&M is comprised of four subordinate (but still high-level) inter-related principles: leadership, capable organization, decision making and learning.  “Because of their inter-connected nature there is some overlap between the principles. They should therefore be considered as a whole and an integrated approach will be necessary for their delivery.” (p. 18)

Drilling down further, the guidance for leadership includes many familiar attributes.  We want to acknowledge attributes we have been emphasizing on Safetymatters or reflect new thoughts.  Specifically, leaders must recognize and resolve conflict between safety and other goals, ensure that the reward systems promote the identification and management of risk, encourage safe behavior and discourage unsafe behavior or complacency; and establish a common purpose and collective social responsibility for safety. (p.19) 

Decision making (another Safetymatters hot button issue) receives a good treatment.  Topics covered include explicit recognition of goal conflict; appreciating the potential for error, uncertainty and the unexpected; and the essential functions of active challenges and a questioning attitude.

We do have one bone to pick under L&M: we would like to see words to the effect that safety performance and SC should be significant components of the senior management reward system.

Useful Points

Helpful nuggets pop up throughout the text.  A few examples follow.

“The process of analysing safety requires creativity, where people can envisage the variety of routes by which radiological risks can arise from the technology. . . . Safety is achieved when the people and physical systems together reliably control the radiological hazards inherent in the technology. Therefore the organizational systems (ie interactions between people) are just as important as the physical systems, . . . “ (pp. 25-26)

“[D]esigners and/or dutyholders may wish to put forward safety cases that differ from [SAP] expectations.   As in the past, ONR inspectors should consider such submissions on their individual merits. . . . ONR will need to be assured that such cases demonstrate equivalence to the outcomes associated with the use of the principles here,. . .” (p. 14)  The unstated principle here is equifinality; in more colorful words, there is more than one way to skin a cat.

There are echoes of other lessons we’ve been preaching on Safetymatters.  For example “The principle of continuous improvement is central to achieving sustained high standards of nuclear safety. . . . Seeking and applying lessons learned from events, new knowledge and experience, both nationally and internationally, must be a fundamental feature of the safety culture of the nuclear industry.” (p. 13)

And, in a nod to Nicholas Taleb, if a “hazard is particularly high, or knowledge of the risk is very uncertain, ONR may choose to concentrate primarily on the hazard.” (p. 8)

Our Perspective

Most of the content of the SAPs will be familiar to Safetymatters readers.  We suggest you skim the first 23 pages of the document covering introductory material and Leadership & Management.  SAPs is an excellent example of a regulator actually trying to provide useful information and guidance to current and would-be licensees and is far better than the simple-minded laundry lists promulgated by IAEA.


*  Office for Nuclear Regulation, “Safety Assessment Principles for Nuclear Facilities” Rev. 0 (2014).  We are grateful to Bill Mullins for forwarding this document to us.

Wednesday, March 18, 2015

Safety Culture at the 2015 NRC Regulatory Information Conference

NRC Public Meeting
The Nuclear Regulatory Commission (NRC) held its annual Regulatory Information Conference (RIC) on March 10-12, 2015.  As usual, safety culture (SC) played a minor supporting role: it was the topic of one technical session out of 37 total.  The SC session focused on assessing and/or measuring SC.  It featured a range of presentations—from NRC, Duke Energy, DOE and a SC consultant—which are summarized below.*

NRC

This presentation consisted of one (sic) slide recounting the NRC’s SC outreach program during the past year including the Trait Talk brochures, SC case studies and meetings with other nuclear regulatory bodies.

Duke Energy

The presenter provided a list of internal (CAP, Employee Concerns Program )and external (INPO, NRC) information, and management activities (Nuclear SC Monitoring Panel, Site Leadership team, Corporate Nuclear SC Monitoring Panel, Fleet Nuclear SC Monitoring Panel, Executive Nuclear Safety Council) that are used to assess equipment, processes and people across the Duke fleet.  There was no information on how these activities are integrated to describe plant or fleet SC, or if any SC issues have been identified or corrective actions taken; the slides were basically a laundry list.

Department of Energy (DOE)

The speaker was from DOE’s Office of Environment, Health, Safety and Security.  He reviewed the safety mission and goals related to DOE’s Integrated Safety Management program, DOE’s SC focus areas (leadership, employee/worker engagement and organizational learning) and SC-related activities (extent of condition reviews, self‐assessments, sustainment plans, independent assessments and the SC Improvement Panel.) 

The presentation covered the challenges in relating SC to safety management performance (mostly industrial safety metrics) and in implementing cultural changes.  Factors that make SC improvement difficult include production vs. safety goal conflict, fiscal pressures, leadership changes and internal inertia (resistance to change).

This presentation covered the basics of SC, as customized for DOE, but had no supporting details or any mention of the SC issues that have arisen at various DOE facilities, e.g., Hanford, Pantex and the Waste Isolation Pilot Plant.  We have posted many times on DOE SC; please click on the DOE label to retrieve these posts.

SC Consultant

The presenter was Sonja Haber.  She reviewed the fundamentals of the linkage between culture, behavior and ultimate performance, and the Schein three-level model of culture.

She also covered the major considerations for conducting SC assessments including having a diversity of expertise in assessing culture, using multiple methods of data collection, understanding how cultural complexity impacts performance and considering the interaction of human, organizational and technological factors.

Our Perspective

This was thin gruel compared to the 2014 RIC SC session (which we reviewed April 25, 2014).  Based on the slides, there was not much “there” there at this session.  The speaker who offered the most was Dr. Haber, not a surprise given that she has been involved in SC evaluations at various DOE facilities and testified at a Defense Nuclear Facilities Safety Board hearing on SC (which we reviewed June 9, 2014).

If a webcast of the SC technical session becomes available, we will review it to see if any useful additional information was presented or arose during the discussion.


*  The SC technical session presentations are available on the NRC website.

Friday, March 6, 2015

More Safety Culture “Trait Talk” from the NRC

Typical NRC Trait Talk brochure
The NRC introduced a series of educational brochures, the Safety Culture Trait Talk, at the March 2014 Regulatory Information Conference.  Each brochure covers one of the nine safety culture (SC) traits in the NRC SC Policy Statement (SCPS), describing why the trait is important and providing examples of related attributes and an illustrative scenario.

At that time, only one Trait Talk was available, viz., Leadership Safety Values and Actions.  We thought the content was pretty good.  The “Why is this trait important?” portion was derived from an extensive review of SC-related social science literature, which we liked a lot and posted about Feb. 10, 2013.  The “What does this trait look like?” section (aka attributes) comes from the SC Common Language initiative, which we have reviewed multiple times, most recently on April 6, 2014.  The illustrative scenario is new content developed for each brochure.

During 2014 and early 2015, NRC published additional Trait Talk brochures and now has one for each trait in the SCPS.*  We reviewed them all and still believe they provide a useful introduction and overview for each trait.  Following is our take on each trait’s essence (based on the brochure contents), and each brochure’s strengths and weaknesses.  

Leadership Safety Values and Actions

This trait focuses on the responsibilities of leaders to set the tone for SC through their own visible actions.  There is a good discussion of how employees at all levels can face goal conflicts, e.g., safety vs. production.  The focus of the reward system is on the staff; unfortunately, there is no mention of management’s financial incentives.  Although leaders’ decisions set the priority for safety, there is no mention of the decision making process, arguably management’s most fundamental and important function.**

Work Processes

This trait focuses on controlling work.  It emphasizes limiting temporary modifications, minimizing backlogs and adhering to procedures, which is all good.  It also says “organizations may require strict adherence to normal and emergency operating procedures.   However, flexibility may be necessary when responding to off-normal conditions.”  This may give the purists heartburn but it reflects reality and is a major observation of the Fukushima disaster.

Questioning Attitude

This trait is about avoiding complacency, watching for abnormalities while going about one’s duties and stopping work if unexpected conditions or results are encountered.  The key is ensuring safety has its appropriate priority at all times, which is not easy if a plant is under significant financial or political pressure.

Problem Identification and Resolution

This trait is about identifying and permanently resolving current problems, and anticipating potential future challenges and dealing with them before they manifest.  In our view, this is one of the two most important areas (the other being decision making) where everyone sees what a plant’s real priorities are.  This Trait Talk covers the topic well.

Environment for Raising Concerns

The trait is about establishing and maintaining a safety conscious work environment (SCWE).  The Trait Talk lays out the theory but the truth is whistle-blowers in many industries, including nuclear, become pariahs.

Effective Safety Communication

This trait is about transparency (although the term does not appear in the brochure.)  All business communication should be clear, complete, understandable and respectful.  The Trait Talk’s discussion on the importance of first-level supervisors being a primary source of information for their employees is very good.

Respectful Work Environment

The title says it all about this trait which overlaps with others, including questioning attitude, SCWE and transparent communications.  The Trait Talk has a good discussion of trust, at both the individual and organizational level.  One aspect we would add to the trust “equation” is the perception of self-interest vs. concern for others.

Continuous Learning

This trait is about identifying, obtaining, sharing, applying and retaining new knowledge that can lead to improved individual or organizational performance.  This trait overlaps with others, including questioning attitude and a respectful work environment.

Personal Accountability

This trait is mostly about everyone’s willingness to accept responsibility for safety but it also encompasses assigned individuals’ obligation for specific safety responsibilities.  For the latter case, the brochure’s statement that “Personal accountability is not finger pointing, blame, or punishment” is simply not true. 

Our Perspective 


The brochures provide a useful introduction and overview for each trait in the SCPS.  The content is generally good, with some weak spots and missing items.  These are, after all, four-page brochures and roughly 45 percent of the content is the same in every brochure.


*  All the Trait Talk brochures can be downloaded from the SC education materials page on the NRC website.

**  Interestingly, Decision Making is included as a tenth trait in NRC NUREG-2165, “Safety Culture Common Language” (Mar. 2014).  ADAMS ML14083A200.