A culture of safety3 May 2002
A recent book, "Safety Culture in Nuclear Power Operations", is a collaboration between the Institute of Social Research within the Institute of Nuclear Safety Systems, and the Berlin University of Technology. The book is the result of the third international conference on human factors research in nuclear power operations. By Bernhard Wilpert and Naosuke Itoigawa
Civil nuclear operations have, to date, demonstrated a remarkable level of safety. Despite the near disaster of Three Mile Island and the catastrophe of Chernobyl, civil nuclear installations can be categorised as belonging to the class of high-hazard, low-risk organisations, or High Reliability Organisations. This high level of safety can only be understood as the result of the nuclear industry's high safety standards from the very beginning of its development.
Safety science has been evolving over time. It has shown four phases of safety concerns. First was the technical phase, in which the design and material of technical components is optimised. Second was the human error phase, when it was evident that erroneous human action could result in accidents in spite of technically robust machines. Third was the socio-technical phase, when it was recognised that the complex and often poorly understood interaction of human and technical factors had to be taken as the roots of large-scale systems failures. A fourth phase has recently emerged, the interorganisational phase. In this, dysfunctional relationships between different organisations must be corrected in order to ensure sustained system safety.
Presently, nuclear power is in focus of the public safety concern, and several governments are being forced to reconsider its role in their national power policy. In this situation, it is mandatory for the utilities and the industry to present credible risk management strategies.
The term, as it relates to the nuclear industry, was brought up in the aftermath of Chernobyl, and is still quite new and in need of further clarification. Safety culture is a complex and difficult term. Its various facets need to be unfolded on several levels, which the book attempts to do in four parts.
Part one looks at the conceptual bases of safety culture. Part two looks at societal dynamics and trends in nuclear safety issues. Part three looks at safety management in the nuclear industry. Part four looks at managing personnel and workplace issues in nuclear power operations.
The concept of safety culture comprises at least three analytical levels: the deep layer of often unconscious basic assumptions and orientations; shared values and norms; and directly observable artifacts and behaviour patterns of organisation members.
Conceptual bases of safety culture
This deals with fundamental issues of safety culture, and illustrates the multiple perspectives that must be applied to promote a better understanding of this issue.
In the first chapter, Wilpert reviews science's understanding of the term "culture". Safety culture, as a distinct and holistic concept, first entered scientific discourse in the aftermath of the Chernobyl catastrophe, and is now adopted by virtually all high-hazard industries.
The chapter outlines open issues for further clarification and the ensuing implications for methodological approaches and safety practice.
The chapter explores the practical relevance of safety culture in terms of its use as an educational vehicle, its limits and possibilities of change, and its contributions to the safety and reliability of nuclear installations.
The second chapter looks at the socio-economic embeddedness of safety in all large-scale and complex high-hazard systems. It outlines the required multilevel considerations to analyse the efforts of high-hazard organisations to cope with the emerging challenges of their rapidly changing societal environment: technological change, changing regulatory requirements, increasing competition, and changing public opinion towards nuclear power. Rather than analysing safety in the traditional mode of single-level decomposition of relevant factors, a multilevel functional analysis approach couched as a systems control task is proposed. Some critical research problems are identified and illustrated by examples of accidents within shipping, aviation, etc, and parallels drawn with the conditions of nuclear power.
Chapter three analyses basic ergonomics such as population stereotypes, culturally or nationally preferred patterns of hierarchical work arrangements and of human resource management, automation philosophy, and communication patterns. Further, it is possible to interpret specific culturally determined personality types and basic orientations as possibly having significant implications for safety practices. It is shown that at each level, ergonomics, control room organisation and national characteristics of the workforce, there seem to be substantial differences that have potential impacts on nuclear safety and productivity. The implications of such differences are discussed in the context of recent work on high reliability organisations.
Chapter four looks at human reliability issues in terms of basic human endowment. The study is based on a review of six human reliability analysis problems in UK nuclear power plants and reprocessing industries. The issues were: low probability events and human error probabilities; modelling recovery; cognitive errors and errors of commission; dependence modelling; the appropriate level of decomposition to use in the human reliability assessment; and advanced/dynamic human reliability assessment. The study identified issues of recovery in low-probability events and cognitive errors and errors of commission as areas that should be further studied.
Societal dynamics and trends in nuclear safety issues
This looks at specific studies of nuclear industry responses to socio-economic change. The first chapter analyses the human event database of the Japanese nuclear industry, and describes the attempt by the industry to increase popular credibility by identifying major research themes for further human factors research. Such major themes include: human reliability analysis, the improvement of databases, human-machine system environments, organisational factors and safety, and accident management approaches. Human behaviour is highly dependent on the situational context. The development of a method for systematically examining this context is aimed at proactively challenging the incident, including human cognition in a broad sense. The participants in a discussion on organisational factors, which was based on a report on organisational factors related to nuclear power plant safety, have proposed the application of experimental methodology that uses a simulator for the assessment of safety culture significance.
The second chapter uses data from the USA that is also relevant to other countries. It studies the potential safety consequences of the deregulation of electricity markets. Such consequences are seen to flow mainly from attempts by the nuclear industry to reduce variable costs in the three optional domains of fuel expenses, operating and maintenance costs, and capital additions.
The third chapter looks at Japan's use of public opinion polls for continuous analysis of public response to the nuclear industry, particularly in reaction to major incidents or accidents. Each nuclear event that receives publicity can be shown to diminish favourable popular evaluation of the industry's trustworthiness. The surveys conducted by the Institute of Nuclear Safety Systems have clearly shown that the public's perceptions of organisations operating nuclear power stations are closely related to their opinions on the use of nuclear power generation.
Safety management in the nuclear industry
This offers a variety of general nuclear safety management perspectives and techniques as they relate to the role of organisational and managerial factors in assessing safety.
The first chapter starts from the premise that organisational factors and management cut across different functional domains by creating work environments. Hence they exert a pervasive influence on safety practices. The chapter describes the incident analysis method work process analysis model (WPAM) and, by way of a case study, applies it to an unusual event, thus demonstrating the method as an efficient means to identify safety-relevant organisational and managerial factors. In applying the methodology to significant incidents, several conclusions were reached. These were that significant incidents are not the result of single failures. Rather, they are a combination of both hardware and human failures to which organisational factors are significant factors.
Organisational factors, although pervasive throughout the organisation, do not exert significant influence everywhere in the organisation. They have a pronounced influence on the successful outcome of particular tasks within work processes. Goal prioritisation, for example, has been identified as an important factor due to its importance in the prioritisation task of various work processes. Many work processes have certain tasks, such as prioritisation, in common. As a result of this sharing of tasks, the potential for common-cause failures between dissimilar components exists. Due to the scarcity of information on the contributions of organisational factors to incidents, common-cause failures involving organisational factors could not be demonstrated conclusively.
The second chapter looks at the safety record of different Japanese industrial domains, and specifically at the accident at Tokai-Mura uranium processing plant in terms of consequences of a deteriorating safety culture.
The third and fourth chapters highlight the need for better self-assessment methods for the analysis of the impact of organisational factors on safety. The third chapter reports on the results from a recent EU-funded study on organisational factors and nuclear safety and similar Finnish studies by VTT Automation, which is one of the nine research institutes at the Technical Research Centre of Finland (VTT). It presents a preliminary framework which describes how various organisational aspects may influence nuclear safety. The framework should support the definition of safety indicators, the construction of organisational surveys, the implementation of self-assessment methods, and so on.
The fourth chapter shows the interrelationship of organisational factors and safety performance using data on occupational accidents in the Japanese construction and petrochemical industries. This preliminary study may be considered a demonstration of an appropriate method as well for analysing the relationships of organisational factors and systems failures. Several important organisational factors that influence the indicator in both the nuclear and the petrochemical industries were identified.
The fifth chapter examines the case study of Millstone. In March 1996, TIME magazine presented a story about harassment and intimidation of employees who brought safety concerns to management at Millstone. The US NRC then issued an unprecedented Order that directed the operator of Millstone to devise and implement a plan for handling safety concerns raised by employees and ensuring a safety conscious work environment free from discrimination. Over the next three years, there were major changes in management personnel, training, communication patterns, programme structures and human relationships. There were also personal transformations. Most of these changes were not planned from the start, but emerged from a wide range of leaders and contributors inside and outside the station. Millstone is operating again, the work environment is healthy, and there are many challenges ahead as deregulation and downsizing play out in the industry. The story of Millstone's development of a safety conscious work environment has many lessons for the nuclear industry.
This theme is continued in the sixth chapter, which describes the efforts of EdF to introduce a coherent national safety management strategy. External approaches in risk sectors, some basic studies and works, provide a basis for guiding both reflection and the action programmes.
The seventh chapter describes a novel incident analysis methodology, Safety through Organisational Learning, which, different from received checklist approaches, uses a distinct problem-solving approach to overcome analytic biases in incident analysis, thus offering a well-tested management tool for corrective action. An important aspect of safety culture is its holistic approach comprising all levels of an organisation as well as the relevant extra-organisational environment.
How an organisation learns from its experience is a safety-critical feature and an expression of its culture. An event analysis methodology should investigate all levels of the organisation and the extra-organisational environment rather than restrict its focus to operating personnel. Furthermore, the methodology should improve systemic thinking and critical reflection on the performance of the total system.
Managing personnel and workplace issues
This section addresses the role of people in the nuclear industry, and provides a set of concrete studies and interventions which focus on human resource management, operator action, and human error.
There is a good deal of evidence that shows that even in extremely regulated environments, the explicit rules are not always followed. The first chapter is a report on a research study of the role of implicit safety-related norms in their impact on safety behaviour. The study was carried out in an East European nuclear power plant, uses an innovative scenario methodology, and shows that, contrary to expectations, it is less safety-related attitudes that influence behaviour than safety-related, implicit, often unconscious norms. The first step of the study encompassed discussions and open-ended interviews with control room operators and unit managers. The aim of this initial effort was to produce real-life scenarios with subjective norms. The consequent iterative research process included collection and analysis of data, the planning of procedures, and facilitation of the exchange of information in group feedback sessions. The findings have important implications for leadership and training in nuclear power plants.
The next three chapters all focus on the problem of how to reduce human error in the nuclear industry. They report on different Japanese approaches to the use of near misses as consciousness-raising units, to systematic interventions through basic and advanced training measures, to the development of a model-based human error prevention approach, and to consensus-building strategies through intranet knowledge-sharing and the anonymous reporting of incidents. The chapters also describe why certain measures failed, and how a redress was found. The Human Factors Group investigated High Reliability Organisations in order to acquire some tips about their essential characteristics and apply these tips to the promotion of safety activities. The Human Factors Group is currently developing a near-miss database. It is necessary to investigate thoroughly the cause of human error, and to take action to prevent its recurrence. This requires activities to counter the events experienced, that is, event analysis. It is also necessary to educate personnel to enhance human factor awareness of the personnel working in the field. In order to make these activities effective, joint activity between the operator and the subcontractors is important. Furthermore, to prevent human errors during operations on the work site, it is important that workers have sufficient knowledge of "the most suitable error prevention methods for different situations". For this reason, it is necessary that all workers develop and share a common knowledge and understanding of the causes and remedies of specific problems, through analysis of past records of problems. Moreover, because of natural limitations in human concentration abilities, it is also important that at critical times, workers call attention‚ not only to themselves, but also to others. They need to choose effective means of calling attention, taking into account the intended effect of the method and the appropriate situations for using the method. It is desirable that workers develop a consensus on fundamental safety concepts by means of effective communication.
The fifth chapter describes a comprehensive approach to designing a coherent visual communication system to help nuclear power plant staff orient themselves and understand complex work environments. The study revealed that effective designs and locations for sign presentations based on the viewer's needs, among them layout signboards, direction indication displays, and room name signs, were effective in enhancing understanding of the workplace environment. Conformability, redundancy and consistency were found to be important principles for developing a sign system that contributes to safety in nuclear power plants.
Strategies to improve safety systems have to address the joint optimisation of the social and technical subsystems. The three foci of safety concerns - technology, individuals and socio-technical features - are confined in their analysis to individual organisations. However, as any full analysis of major industrial catastrophes shows (Tokai-Mura being a case in point), we have to take into account interorganisational dysfunctions as well. As a consequence, dysfunctional relationships among different organisations must be corrected to ensure sustained system safety.
Safety culture must be shared. The concept covers the central concerns of the four phases of thinking about safety: technology, individuals, the interactions of the social and technical subsystems, and interorganisational relationships in their impacts on systems safety.