Monday, October 30, 2017

Nuclear Safety Culture Under Assault: DNFSB Chairman Proposes Eliminating the Board


The Center for Public Integrity (CPI) recently published a report* that disclosed a private letter** from Sean Sullivan, the Chairman of the Defense Nuclear Facilities Safety Board (DNFSB) to the Director of the Office of Management and Budget in which the chairman proposed abolishing or downsizing the DNFSB.  The CPI is highly critical of the chairman’s proposals; support for their position includes a list of the safety improvements in the Department of Energy (DOE) complex that have resulted from DNFSB recommendations and the safety challenges that DOE facilities continue to face.

The CPI also cites a 2014 National Nuclear Security Administration (NNSA, the DOE sub-organization that oversees the nuclear weapons facilities) internal report that describes NNSA’s own safety culture weaknesses, e.g., lack of a questioning attitude toward contractor management’s performance claims, with respect to its oversight of the Los Alamos National Laboratory.

The CPI believes the chairman is responding to pressure from the private contractors who actually manage DOE facilities to reduce outside interference in, and oversight of, contractor activities.  That’s certainly plausible.  The contractors get paid regardless of their level of performance, and very little of that pay is tied to safety performance.  DNFSB recommendations and reports can be thorns in the sides of contractor management.

The Sullivan Letter

The primary proposal in the Sullivan letter is to abolish the DNFSB because the DOE has developed its own “robust regulatory structure” and oversight capabilities via the Office of Enterprise Assessments.  That’s a hollow rationale; the CPI report discusses the insufficiency of DOE’s own assessments.  If outright elimination is not politically doable, then DNFSB personnel could be transferred to DOE, sustaining the appearance of independent oversight, and then be slowly absorbed into the larger DOE organization.  That is not a path to increased public confidence and looks like being assimilated by the Borg.***  The savings that could be realized from abolishing the DNFSB are estimated at $31 million, a number lost in the decimal dust of DOE’s $30+ billion budget.

Sullivan mentions but opposes transferring the DNFSB’s oversight responsibilities to the Nuclear Regulatory Commission.  Why?  Because the NRC is not only independent, it has enforcement powers which would be inappropriate for defense nuclear facilities and might compromise national security.  That’s a red herring but we’ll let it go; we don’t think oversight of defense facilities really meshes with the NRC’s mission.

His secondary proposal is to downsize the DNFSB workforce, especially its management structure, and transfer most of the survivors to specific defense facilities.  While we think DNFSB needs more resources, not fewer, it would be better if more DNFSB personnel were located in the field, keeping track of and reporting on DOE and contractor activities.

Our Perspective

Safetymatters first became interested in the DNFSB when we saw the growing mess at the Waste Treatment Plant (WTP, aka the Vit Plant) in Hanford, WA.  It was the DNFSB who forced the DOE and its WTP contractors to confront and remediate serious nuclear safety culture (NSC) problems.  We have published multiple reports on the resultant foot-dragging by DOE in its responses to DNFSB Recommendation 2011-1 which addressed safety conscious work environment (SCWE) problems at Hanford and other DOE facilities.  Click on the DOE label to see our offerings on WTP, other DOE facilities and the overall DOE complex.
 
We have reported on the NSC problems at the Waste Isolation Pilot Plant (WIPP) in New Mexico.  The DNFSB has played an important role in attempting to get DOE and the WIPP contractor to strengthen their safety practices.  Click the WIPP label to see our WIPP-related posts. 

We have also covered a report on the DNFSB’s own organizational issues, including board members’ meddling in day-to-day activities, weak leadership and too-frequent organizational changes.  See our Feb. 6, 2015 post for details.

DNFSB’s internal issues notwithstanding, the board plays an indispensable role in strengthening NSC and safety practices throughout the DOE complex.  They should be given greater authority (which won’t happen), stronger leadership and additional resources.

Bottom line: Sullivan’s proposal is just plain nuts.  He’s a Republican appointee so maybe he’s simply offering homage to his ultimate overlord.
  

*  P. Malone and R.J. Smith, “GOP chair of nuclear safety agency secretly urges Trump to abolish it,” The Center for Public Integrity (Oct. 19, 2017).  Retrieved Oct. 26, 2017.

**  S. Sullivan (DNFSB) to J.M. Mulvaney (Management and Budget), no subject specified but described as an “initial high-level draft of [an] Agency Reform Plan” (June 29, 2019).  Available from the CPI in html and pdf format.  Retrieved Oct. 26, 2017.

***  The Borg is an alien group entity in Star Trek that forcibly assimilates other beings.  See Wikipedia for more information.

Monday, October 16, 2017

Nuclear Safety Culture: A Suggestion for Integrating “Just Culture” Concepts

All of you have heard of “Just Culture” (JC).  At heart, it is an attitude toward investigating and explaining errors that occur in organizations in terms of “why” an error occurred, including systemic reasons, rather than focusing on identifying someone to blame.  How might JC be applied in practice?  A paper* by Shem Malmquist describes how JC concepts could be used in the early phases of an investigation to mitigate cognitive bias on the part of the investigators.

The author asserts that “cognitive bias has a high probability of occurring, and becoming integrated into the investigators subconscious during the early stages of an accident investigation.” 

He recommends that, from the get-go, investigators categorize all pertinent actions that preceded the error as an error (unintentional act), at-risk behavior (intentional but for a good reason) or reckless (conscious disregard of a substantial risk or intentional rule violation). (p. 5)  For errors or at-risk actions, the investigator should analyze the system, e.g., policies, procedures, training or equipment, for deficiencies; for reckless behavior, the investigator should determine what system components, if any, broke down and allowed the behavior to occur. (p. 12).  Individuals should still be held responsible for deliberate actions that resulted in negative consequences.

Adding this step to a traditional event chain model will enrich the investigation and help keep investigators from going down the rabbit hole of following chains suggested by their own initial biases.

Because JC is added to traditional investigation techniques, Malmquist believes it might be more readily accepted than other approaches for conducting more systemic investigations, e.g., Leveson’s System Theoretic Accident Model and Processes (STAMP).  Such approaches are complex, require lots of data and implementing them can be daunting for even experienced investigators.  In our opinion, these models usually necessitate hiring model experts who may be the only ones who can interpret the ultimate findings—sort of like an ancient priest reading the entrails of a sacrificial animal.  Snide comment aside, we admire Leveson’s work and reviewed it in our Nov. 11, 2013 post.

Our Perspective

This paper is not some great new insight into accident investigation but it does describe an incremental step that could make traditional investigation methods more expansive in outlook and robust in their findings.

The paper also provides a simple introduction to the works of authors who cover JC or decision-making biases.  The former category includes Reason and Dekker and the latter one Kahneman, all of whom we have reviewed here at Safetymatters.  For Reason, see our Nov. 3, 2014 post; for Dekker, see our Aug. 3, 2009 and Dec. 5, 2012 posts; for Kahneman, see our Nov. 4, 2011 and Dec. 18, 2013 posts.

Bottom line: The parts describing and justifying the author’s proposed approach are worth reading.  You are already familiar with much of the contextual material he includes.  


*  S. Malmquist, “Just Culture Accident Model – JCAM” (June 2017).

Friday, October 6, 2017

WANO and NEA to Cooperate on Nuclear Safety Culture

According to an item* in World Nuclear News, the World Association of Nuclear Operators (WANO) and the Organisation for Economic Co-operation and Development’s Nuclear Energy Agency (NEA) signed a memorandum of understanding to cooperate on "the further development of approaches, practices and methods in order to proactively strengthen global nuclear safety."

One objective is to “enhance the common understanding of nuclear safety culture challenges . . .”  In addition, the parties have identified safety culture (SC) as a "fundamental subject of common interest" and plan to launch a series of "country-specific discussions to explore the influence of national culture on the safety culture".

Our Perspective

As usual, the press release touts all the benefits that are going to flow from the new relationship.  We predict the flow will be at best a trickle based on what we’ve seen from the principals over the years.  Following is our take on the two entities.

WANO is an association of the world's nuclear power operators.  Its objective is to exchange safety knowledge and operating experience among its members.  We have mentioned WANO in several Safetymatters posts, including Jan. 23, 2015, Jan. 7, 2015, Jan. 21, 2014 and May 1, 2010.  Its public contributions are generally shallow and insipid.  WANO may be effective at facilitating information sharing but it has no real authority over operators.  It is, however, an overhead cost for the economically uncompetitive commercial nuclear industry.

NEA is an intergovernmental agency that facilitates cooperation among countries with nuclear technology infrastructures.  In our March 3, 2016 post we characterized NEA as an “empty suit” that produces cheerleading and blather.  We stand by that assessment.  In Safetymatters’ history, we have come across only one example of NEA adding value—when they published a document that encouraged regulators to take a systems view of SC.  See our Feb. 10, 2016 post for details.

No one should expect this new arrangement to lead to any breakthroughs in SC theory or insights into SC practice.  It will lead to meetings, conferences, workshops and boondoggles.  One hopes it doesn’t indirectly raise the industry’s costs or, more importantly, distract WANO from its core mission of sharing safety information and operating experience across the international nuclear industry. 


*  “WANO, NEA enhance cooperation in nuclear safety,” World Nuclear News (Oct. 4, 2017).

Tuesday, September 26, 2017

“New” IAEA Nuclear Safety Culture Self-Assessment Methodology

The International Atomic Energy Agency (IAEA) touted its safety culture (SC) self-assessment methodology at the Regulatory Cooperation Forum held during the recent IAEA 61st General Conference.  Their press release* refers to the methodology as “new” but it’s not exactly fresh from the factory.  We assume the IAEA presentation was based on a publication titled “Performing Safety Culture Self-assessments”** which was published in June 2016 and we reviewed on Aug. 1, 2016.  We encourage you to read our full review; it is too lengthy to reasonably summarize in this post.  Suffice to say the publication includes some worthwhile SC information and descriptions of relevant SC assessment practices but it also exhibits some execrable shortcomings.


*  IAEA, “New IAEA Self-Assessment Methodology and Enhancing SMR Licensing Discussed at Regulatory Cooperation Forum” (Sept. 22, 2017).

**  IAEA, “Performing Safety Culture Self-assessments,” Safety Reports Series no. 83 (Vienna: IAEA, 2016).

Thursday, August 10, 2017

Nuclear Safety Culture: The Threat of Bureaucratization

We recently read Sidney Dekker’s 2014 paper* on the bureaucratization of safety in organizations.  It’s interesting because it describes a very common evolution of organizational practices, including those that affect safety, as an organization or industry becomes more complicated and formal over time.  Such evolution can affect many types of organizations, including nuclear ones.  Dekker’s paper is summarized below, followed by our perspective on it. 

The process of bureaucratization is straightforward; it involves hierarchy (creating additional layers of organizational structure), specialized roles focusing on “safety related” activities, and the application of rules for defining safety requirements and the programs to meet them.  In the safety space, the process has been driven by multiple factors, including legislation and regulation, contracting and the need for a uniform approach to managing large groups of organizations, and increased technological capabilities for collection and analysis of data.

In a nutshell, bureaucracy means greater control over the context and content of work by people who don’t actually have to perform it.  The risk is that as bureaucracy grows, technical expertise and operational experience may be held in less value.

This doesn’t mean bureaucracy is a bad thing.  In many environments, bureaucratization has led to visible benefits, primarily a reduction in harmful incidents.  But it can lead to unintended, negative consequences including:

  • Myopic focus on formal performance measures (often quantitative) and “numbers games” to achieve the metrics and, in some cases, earn financial bonuses,
  • An increasing inability to imagine, much less plan for, truly novel events because of the assumption that everything bad that might happen has already been considered in the PRA or the emergency plan.  (Of course, these analyses/documents are created by siloed specialists who may lack a complete understanding of how the socio-technical system works or what might actually be required in an emergency.  Fukushima anyone?),
  • Constraints on organizational members’ creativity and innovation, and a lack of freedom that can erode problem ownership, and
  • Interest, effort and investment in sustaining, growing and protecting the bureaucracy itself.

Our Perspective

We realize reading about bureaucracy is about as exciting as watching a frog get boiled.  However, Dekker does a good job of explaining how the process of bureaucratization takes root and grows and the benefits that can result.  He also spells out the shortcomings and unintended consequences that can accompany it.

The commercial nuclear world is not immune to this process.  Consider all the actors who have their fingers in the safety pot and realize how few of them are actually responsible for designing, maintaining or operating a plant.  Think about the NRC’s Reactor Oversight Process (ROP) and the licensees’ myopic focus on keeping a green scorecard.  Importantly, the Safety Culture Policy Statement (SCPS) being an “expectation” resists the bureaucratic imperative to over-specify.  Instead, the SCPS is an adjustable cudgel the NRC uses to tap or bludgeon wayward licensees into compliance.  Foreign interest in regulating nuclear safety culture will almost certainly lead to its increased bureaucratization.  

Bureaucratization is clearly evident in the public nuclear sector (looking at you, Department of Energy) where contractors perform the work and government overseers attempt to steer the contractors toward meeting production goals and safety standards.  As Dekker points out, managing, monitoring and controlling operations across an organizational network of contractors and sub-contractors tends to be so difficult that bureaucratized accountability becomes the accepted means to do so.

We have presented Dekker’s work before, primarily his discussion of a “just culture” (reviewed Aug. 3, 2009) that tries to learn from mishaps rather than simply isolating and perhaps punishing the human actor(s) and “drift into failure” (reviewed Dec. 5, 2012) where a socio-technical system can experience unacceptable performance caused by systemic interactions while functioning normally.  Stakeholders can mistakenly believe the system is completely safe because no errors have occurred while in reality the system can be slipping toward an incident.  Both of these attributes should be considered in your mental model of how your organization operates.

Bottom line: This is an academic paper in a somewhat scholarly journal, in other words, not a quick and easy read.  But it’s worth a look to get a sense of how the tentacles of formality can wrap themselves around an organization.  In the worst case, they can stifle the capabilities the organization needs to successfully react to unexpected events and environmental changes.


*  S.W.A. Dekker, “The bureaucratization of safety,” Safety Science 70 (2014), pp. 348–357.  We saw this paper on Safety Differently, a website that publishes essays on safety.  Most of the site’s content appears related to industries with major industrial safety challenges, e.g., mining.

Thursday, July 27, 2017

Nuclear Safety Culture: Another Incident at Pilgrim: Tailgate Party

The Cape Cod Times recently reported* on a security violation at the Pilgrim nuclear plant: one employee entering a secure area facilitated “tailgating” by a second employee who had forgotten his badge.  He didn’t want to go to Security to obtain clearance for entry because that would make him late for work.

The NRC determined the pair were deliberately taking a shortcut but were not attempting to do something malicious.  The NRC investigation also revealed that other personnel, including security, had utilized the same shortcut in the past to allow workers to exit the plant.  The result of the investigation was a Level IV violation for the plant.

Of course, the plant’s enemies are on this like a duck on a June bug, calling the incident alarming and further evidence for immediate shutdown of the plant.  Entergy, the plant’s owner, is characterized as indifferent to such activities. 

The article’s high point was reporting that the employee who buzzed in his fellow worker told investigators “he did not know he was not allowed to do that”.

Our Perspective 


The incident itself was a smallish deal, not a big one.  But it does score a twofer because it reflects on both safety culture and security culture.  Whichever category it goes in, the incident is a symptom of a poorly managed plant and a culture that has long tolerated shortcuts.  It is one more drop in the bucket as Pilgrim shuffles** toward the exit.

This case raises many questions: What kind of training, including refresher training, does staff receive about security procedures?  What kind of oversight, reminders, reinforcement and role modeling do they get from their supervisors and higher-level managers?  Why was the second employee reluctant to take the time to follow the correct procedure?  Would he have been disciplined, or even fired, for being late?  We would hope Pilgrim management doesn’t put everyone who forgets his badge in the stocks, or worse.

Bottom line: Feel bad for the people who have to work in the Pilgrim environment, be glad it’s not you or your workplace.


*  C. Legere, “NRC: Pilgrim workers ‘deliberately’ broke rules,” Cape Cod Times (July 24, 2017).  Retrieved July 26, 2017

**  In this instance, “shuffle” has both its familiar meaning of “dragging one's feet” and a less-used definition of “avoid a responsibility or obligation.”  Google dictionary retrieved July 27, 2017.

Wednesday, July 12, 2017

Nuclear Safety Culture (and Other) Problems in the U.S. Nuclear Weapons Complex

The Center for Public Integrity (CPI) has published a five-part report on safety lapses in the U.S. nuclear weapons complex—an array of facilities overseen by the Department of Energy (DOE).*  Overall, the report paints a picture of a challenged and arguably weak safety culture (SC).  Following is a summary of the report and our perspective on it.

Part I traces the history of radioactive criticality incidents (which have resulted in human fatalities) and near-misses at Los Alamos National Laboratory (LANL).  Analysis and production of plutonium pits, essential for maintaining the U.S. nuclear weapons inventory, has been halted for years because of concerns over safety issues.  In addition, almost all members of the site’s criticality analysis team quit over inadequate management support for the team’s efforts.

Part II discusses in more detail the impacts of the LANL shutdown.  Most significant, from our perspective, is a 2013 report that said “Management has not yet fully embraced its commitment to criticality safety.”  The 2013 report “also listed nine weaknesses in the lab’s safety culture that were rooted in a “production focus” to meet work deadlines. Workers say these deadlines are typically linked to financial bonuses.”

Speaking of bonuses, although the plant was not working, the contractors were judged to have exceeded expectations in getting ready to restart.  Accordingly, the contractors “received 74 percent or $10.7 million of the $14.4 million in profits available to them from the NNSA in the category that includes pit production and surveillance.”

Part III covers incidents at other facilities and cultural shortcomings in the weapons complex.  It is the meatiest section of the report.  Most of the unfortunate events were industrial accidents (electric shocks, explosions, burns) but the nuclear hazard is always nearby because of the nature of the work.  Occasionally the nuclear factor is key, e.g., when LANL improperly packed a drum of waste they shipped to the Waste Isolation Pilot Plant where it exploded or when Nevada National Security Site personnel inhaled radioactive particles.

This section captures the key point of the entire report: the DOE contractors make a lot of money ($2B in profit over the last 10 years), the financial rewards for safety are minimal and the financial penalties for accidents and such are minimal (1-3% of profits) and often waived.

Part IV details a 2014 incident in Nevada where over 30 personnel inhaled potentially cancer-causing uranium particles during laboratory experiments over a two-month period.  The researchers were annoyed by radiation alarms so they switched them off (which also turned off a safety ventilation system).  This was a self-inflicted wound that suggests a weak SC.

Part V focuses on a radiation exposure accident at the Idaho National Laboratory.  The accident occurred even though years before, the head of the safety committee had warned DOE managers about the hazards of handling the specific material involved in the accident.  The lab contractor made 92% of its contractually available profit that year.  The contractor has petitioned DOE to reimburse the contractor’s litigation expenses (including payouts to affected employees) associated with the accident.

NNSA’s Response

The National Nuclear Security Administration (NNSA) is a semi-autonomous agency within DOE that oversees U.S. nuclear weapons work.  In a statement** responding to the CPI report, the NNSA Administrator basically says the CPI report is incomplete and misleading with respect to LANL.  Unsurprisingly, he starts with “Safety is paramount . . . . [CPI] attacks the safety culture at . . .  (LANL) without offering all of the facts and the full context.”  However, he does not directly refute the CPI report; instead he provides the NNSA’s version of history: LANL paused operations because of concerns with the criticality safety program.  Since then, “LANL has increased criticality safety staffing and demonstrated improvements in its performance of operational tasks.”  NNSA has withheld $82 million in fee payments to LANL.  Finally, LANL maintained its ability to fulfill its mission during the pause in operations.  Alternative facts?  You be the judge.

Our Perspective 


The DOE says it wants safe production but is not willing to wield the hammer (higher financial incentives for safety and more penalties for unsafety) to drive that outcome.  In addition, DOE, constrained by Congress (which is bowing to their defense industry contributors), appears to deliberately understaff their own auditors and other procurement officials so they are unable to surface too many embarrassing problems. 

The contractors are rational.  They understand that production is the primary goal and they accept that bad things will occasionally happen in a hazardous environment.  They know they will make their profits no matter what happens, including facility shutdowns, because they can get paid for fixing problems they helped to create.

The CPI report is not shocking to us and it shouldn’t be to you.  (Click on the DOE label to see our many posts on DOE SC.)  It merely documents what has been, and continues to be, business as usual at nuclear weapons facilities.  If you can tolerate the overwrought writing, Part III is worth a look.           


*  The Center for Public Integrity, “Nuclear Negligence” (June 28, 2017).  Retrieved July 5, 2017.  According to Wikipedia, CPI “is an American nonprofit investigative journalism organization . . .”

The report describes problems at the Idaho National Laboratory and some NNSA facilities.  Overall, NNSA oversees eight sites that are involved with nuclear weapons: Kansas City National Security Campus (non-nuclear component manufacture), Lawrence Livermore National Laboratory (weapon design), Los Alamos National Laboratory (design and testing), Nevada National Security Site (testing), Pantex Plant (weapon assembly and disassembly), Sandia National Laboratories (non-nuclear component design), Savannah River Site (nuclear materials) and Y-12 National Security Complex (uranium components).

**  “Klotz Responds To Center For Public Integrity's Series On Safety Culture At NNSA Sites,” Los Alamos Daily Post (June 20, 2017).  Retrieved July 10, 2017