Enhancing Human and Organizational
Factors in Defence in Depth
Jozef Misak, UJV Rez a.s., Czech Republic,
e-mail: [email protected], phone number: +420 602 293 882
Germaine Watts, Intelligent Organizational Systems, Canada,
e-mail: [email protected], phone number: 1-506-333-7093
Contents of the presentation
• Practical method of objective trees for assessment of comprehensiveness of DiD
• Consideration of links between technological systems and human factors for identification of weaknesses in DiD
• Applying the objective trees for assessment of internal/external HOF in DiD and identification of improvements
• Ways for strengthening HOF in nuclear safety
• Examples of post-Fukushima enhancements of objective trees
• How a systemic perspective supports the realization of DiD provisions
Background
• Defence in depth (INSAG-10) – hierarchical deployment of different levels of equipment and procedures to maintain the effectiveness of physical barriers placed between radioactive material and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant
• Defence in depth – ensures that the safety functions are reliably achieved with sufficient margins to compensate for equipment failure and human errors
Defence in depth is generally recognized as an effective way for preventing and mitigating consequences of accidents in nuclear power plants
Provisions for compliance with defence in depth include both technological items as well as human controlled or influenced items
Defence in depth is often oversimplified focusing on engineering aspects (barriers and their integrity) while “soft” aspects are much weaker
Human and organizational issues including safety culture are associated with large uncertainties, while they can affect several levels of defence at the same time (similarly as external hazards)
IAEA Fundamental Safety Principle No.8
3.31. The primary means of preventing and mitigating the consequences of accidents is ‘defence in depth’. Defence in depth is implemented primarily through the combination of a number of consecutive and independent levels of protection that would have to fail before harmful effects could be caused to people or to the environment. If one level of protection or barrier were to fail, the subsequent level or barrier would be available. When properly implemented, defence in depth ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability. The independent effectiveness of the different levels of defence is a necessary element of defence in depth.
3.32. Defence in depth is provided by an appropriate combination of:
• An effective management system with a strong management commitment to safety and a strong safety culture.
• Adequate site selection and the incorporation of good design and engineering features providing safety margins, diversity and redundancy, mainly by the use of:
  o Design, technology and materials of high quality and reliability;
  o Control, limiting and protection systems and surveillance features;
  o An appropriate combination of inherent and engineered safety features.
• Comprehensive operational procedures and practices as well as accident management procedures.
DiD approach: Elaboration on the original table form
INSAG-10 – HOF means to be specifically added?
Level 1
  Objective: Prevention of abnormal operation and failures
  Essential design means: Conservative design and high quality in construction of normal operation systems, including monitoring and control systems
  Essential operational means: Operational rules and normal operating procedures
Level 2
  Objective: Control of abnormal operation and detection of failures
  Essential design means: Limiting and protection systems and other surveillance features
  Essential operational means: Abnormal operating procedures / emergency operating procedures
Level 3
  Objective: Control of design basis accidents (postulated single initiating events)
  Essential design means: Engineered safety features (safety systems)
  Essential operational means: Emergency operating procedures
Level 4
  Objective: Control of design extension conditions (postulated multiple failure events), including prevention of accident progression and mitigation of the consequences of severe accidents
  Essential design means: Safety features for design extension conditions; Technical Support Centre
  Essential operational means: Complementary emergency operating procedures / severe accident management guidelines
Level 5
  Objective: Mitigation of radiological consequences of significant releases of radioactive materials
  Essential design means: On-site and off-site emergency response facilities
  Essential operational means: On-site and off-site emergency plans
Correlation of levels of defence and success criteria
(Figure: frequency decreases and consequences increase from Level 1 to Level 5; the provisions of each level either succeed or fail into the next level.)
Level 1: Challenges to Level 1 are dealt with by the provisions of Level 1. Success: normal operation. Failure of Level 1: an event sequence is initiated.
Level 2: Success: return to normal operation, prevention of DBA. Failure of Level 2: an accident sequence is initiated.
Level 3: Success: consequences within design basis. Failure of Level 3: acceptance criteria for DBAs exceeded.
Level 4: Success: containment integrity. Failure of Level 4: prompt off-site measures needed (Level 5).
Defence in depth addressed in a number of
background IAEA documents
Method of objective trees: Screening of
comprehensiveness of defence in depth
• Possible interpretation of the term “defence in depth” is too broad: all NPPs
have physical barriers and means to protect the barriers, while their level of defence
can be very different
• A practical tool for detailed assessment of the comprehensiveness of the
provisions for ensuring defence in depth was needed
• A screening method using so called “objective trees” was developed by the
IAEA several years ago to respond to this need
• The reference approach for checking the completeness and quality of
implementation of the concept of defence in depth, which includes a comprehensive
overview of challenges /mechanisms/provisions for all levels of defence
• Graphical form of objective trees helps to understand the links between safety
provisions and challenges to safety objectives at different levels of defence
• At the same time the objective trees also illustrate that the means for protection of
the physical barriers against releases of radioactive substances include much
more than just NPP technological systems and procedures
Selected definitions
• Safety Function: A specific purpose that must be accomplished for
safety in operational states, during and following DBA and, to the
extent practicable, in, during and following the considered NPP
conditions beyond the DBA
Fundamental Safety Functions: 1) controlling the reactivity, 2)
cooling the fuel, 3) confining the radioactive material and control of
operational discharges, as well as limitation of accidental releases
• Safety Principles: Commonly shared safety concepts stating how to
achieve safety objectives at different levels of defence in depth
(INSAG definition)
• Mechanisms: Elementary physical processes or situations whose
consequences might create challenges to the performance of safety
functions
Selected definitions
• Challenges: Generic processes or circumstances (conditions) that
may impact the intended performance of safety functions; a set of
mechanisms having consequences which are similar in nature
• Provisions: Inherent plant characteristics, safety margins, system
design features and operational measures contributing to the
performance of the safety functions; aimed at preventing the
mechanisms from occurring
• Objective Tree: Graphical presentation, for each of the five levels
of defence, of the following elements, from top to bottom: 1) the
objective of the level, 2) the relevant safety functions, 3) the
identified challenges, 4) the constitutive mechanisms for each of the
challenges, 5) the list of provisions preventing the mechanisms from
occurring
Description of the objective trees (next figure)
• Safety must be ensured by provisions at all 5 levels at the same time
• Each level has its relevant safety objectives ensured by maintaining integrity of
the barriers
• For maintaining integrity of the barriers, the fundamental (and derived) safety
functions should be performed
• Performance of safety functions can be affected by a number of mechanisms;
combination of similar mechanisms represents a challenge to safety functions
• To prevent mechanisms and challenges affecting the safety functions, safety
provisions of different kinds should be implemented
• Links between different components of defence in depth can be graphically
depicted in objective trees
General structure of the objective tree at each
level of defence (IAEA SR No. 46)
Comprehensiveness of safety provisions
(measures) to ensure effectiveness of barriers
Variety of safety provisions: organizational, behavioural and design
measures, namely
inherent safety characteristics
safety margins
active and passive systems
operating procedures and operator actions
human factors and other organizational measures
safety culture aspects
Although plant systems are very important, they are not the only important
component of defence in depth
How to ensure that a set of provisions is comprehensive enough? –
Basic Safety Principles (INSAG-12)
Safety principles form a fundamental set of rules on how to achieve nuclear
safety objectives and ensure the comprehensiveness of provisions
INSAG-12: The safety principles do not guarantee that NPPs will be absolutely free of risk, but, when the principles are adequately
implemented, the plants should be very safe
Overview of INSAG-12 basic safety principles
Fundamental principles: Management (3); Strategy of defence in depth
(3); General technical principles (10)
Specific principles: Siting (4); Design (25); Manufacturing and construction
(2); Commissioning (4); Operation (12); Accident management (3); Emergency
preparedness (3); Decommissioning (1)
Examples of safety principles (INSAG-12)
30. Safety culture. An established safety culture governs the actions and interactions of all individuals and organizations engaged in activities related to nuclear power.
Explanatory text in 4 articles, more than 2 pages of text
89. Human factor. Personnel engaged in activities bearing on nuclear plant safety are trained and qualified to perform their duties. The possibility of human error in nuclear power plant operation is taken into account by facilitating correct decisions by operators and inhibiting wrong decisions, and by providing means for detecting and correcting or compensating for error.
Explanatory text in 6 articles, about 2 pages of text
192. Protection against power transient accidents. The reactor is designed so that reactivity induced accidents are protected against, with a conservative margin of safety.
Explanatory text in 2 articles, approx. 1 page of text
249. Achievement of quality. The plant manufacturers and constructors discharge their responsibilities for the provisions of equipment and construction of high quality by using well proven and established techniques and procedures supported by quality assurance techniques.
Explanatory text in 4 articles, approx. 1 page of text
INSAG Basic Safety Principles
(Figure: the INSAG basic safety principles mapped onto Levels 1 to 5 of defence in depth.)
Examples of challenges / mechanisms / provisions
• Safety principle (192), Levels 1-3: Protection against power transient accidents
• Challenge: Insertion of reactivity with potential fuel damage
• Mechanisms: 1. Control rod (CR) withdrawal; 2. CR ejection; 3. CR malfunction; 4. Erroneous start-up of a loop; 5. Release of absorber deposits; 6. Incorrect refuelling operations; 7. Inadvertent boron dilution
• Provisions (only for the 1st mechanism):
  For Level 1: Design margins minimizing the need for automatic control; Operational strategy with most rods out
  For Level 2: Monitoring of control rod position; Limited speed of control rod withdrawal; Limited worth of control rod groups
  For Level 3: Negative reactivity feedback coefficient; Conservative set-points of the reactor protection system; Reliable and fast shutdown system
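The screening the objective-tree method performs can be made concrete as a small data structure: challenge, mechanisms, provisions, each provision tagged with the level of defence at which it acts. The following is an added example written for this page, not tooling from the IAEA or from Safety Report No. 46. It transcribes the reactivity-insertion example above as far as the slides give it (all three levels for control rod withdrawal, Level 2 only for inadvertent boron dilution, taken from the Level 2 tree), and it screens the tree for (mechanism, level) pairs with no provision at all, for levels covered by one kind of provision only, and for what remains when every human-controlled provision is removed at once, which is the point made about HOF weaknesses affecting several levels simultaneously. The `kind` tags ("design" or "operational"), the function names and the missing Level 1 and 3 provisions for boron dilution are assumptions of the example.

```python
"""Screening an objective tree for comprehensiveness of defence in depth.

Constructed example: data transcribed from the reactivity-insertion example
(safety principle 192); `kind` tags and helper names are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Provision:
    text: str
    level: int   # level of defence (1-5) at which the provision acts
    kind: str    # assumed tag: "design" (technological) or "operational" (human controlled)


@dataclass(frozen=True)
class Mechanism:
    text: str
    provisions: tuple = ()


@dataclass(frozen=True)
class Challenge:
    text: str
    safety_function: str
    mechanisms: tuple = ()


def coverage(tree, levels):
    """Number of provisions per (mechanism, level); 0 means that level is unprotected."""
    cov = {}
    for ch in tree:
        for m in ch.mechanisms:
            for lv in levels:
                cov[(m.text, lv)] = sum(1 for p in m.provisions if p.level == lv)
    return cov


def gaps(tree, levels):
    """The screening result: (mechanism, level) pairs with no provision at all."""
    return sorted(key for key, n in coverage(tree, levels).items() if n == 0)


def single_kind(tree, levels):
    """(mechanism, level, kind) where a level is covered by one kind of provision only,
    i.e. without any mix of technological and human controlled means."""
    out = []
    for ch in tree:
        for m in ch.mechanisms:
            for lv in levels:
                kinds = {p.kind for p in m.provisions if p.level == lv}
                if len(kinds) == 1:
                    out.append((m.text, lv, next(iter(kinds))))
    return out


def statistics(tree):
    """Distinct challenges, mechanisms and provisions, as SR No. 46 reports them."""
    challenges = {ch.text for ch in tree}
    mechanisms = {m.text for ch in tree for m in ch.mechanisms}
    provisions = {p.text for ch in tree for m in ch.mechanisms for p in m.provisions}
    return len(challenges), len(mechanisms), len(provisions)


def without_kind(tree, kind):
    """Copy of the tree with every provision of `kind` removed: what is left if all
    provisions of that kind fail together (e.g. an HOF weakness acting on all levels)."""
    return [
        Challenge(ch.text, ch.safety_function, tuple(
            Mechanism(m.text, tuple(p for p in m.provisions if p.kind != kind))
            for m in ch.mechanisms))
        for ch in tree
    ]


# Constructed tree: Levels 1-3 for control rod withdrawal, Level 2 only for boron
# dilution (the slides show no Level 1/3 provisions for it, so those stay empty).
REACTIVITY_TREE = [Challenge(
    "Insertion of reactivity with potential for fuel damage",
    "SF(1): to prevent unacceptable reactivity transients",
    (
        Mechanism("Control rod withdrawal", (
            Provision("Design margins minimizing need for automatic control", 1, "design"),
            Provision("Operational strategy with most rods out", 1, "operational"),
            Provision("Monitoring of control rod position", 2, "design"),
            Provision("Limited speed of control rod withdrawal", 2, "design"),
            Provision("Limited worth of control rod groups", 2, "design"),
            Provision("Negative reactivity feedback coefficient", 3, "design"),
            Provision("Conservative set-points of reactor protection system", 3, "design"),
            Provision("Reliable and fast shutdown system", 3, "design"),
        )),
        Mechanism("Inadvertent boron dilution", (
            Provision("Adequate operating procedures", 2, "operational"),
            Provision("Monitoring system for makeup water", 2, "design"),
            Provision("Long time for operator response", 2, "design"),  # inherent margin, tagged design
        )),
    ),
)]


if __name__ == "__main__":
    print("challenges/mechanisms/provisions:", statistics(REACTIVITY_TREE))
    print("gaps:", gaps(REACTIVITY_TREE, (1, 2, 3)))
    print("single-kind coverage:", single_kind(REACTIVITY_TREE, (1, 2, 3)))
    print("gaps without operational provisions:",
          gaps(without_kind(REACTIVITY_TREE, "operational"), (1, 2, 3)))
```

Run as a script the screen reports boron dilution as unprotected at Levels 1 and 3 (the data simply stops there), Levels 2 and 3 of control rod withdrawal as protected by design provisions only, and, after removing every operational provision, Level 1 of control rod withdrawal left with a single provision. The same structure scales to the full SR No. 46 trees; the value of the screen is the list of zero and single-kind cells, which is exactly where the “soft” provisions or their absence become visible.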
Examples of objective
trees
Statistics of the objective trees included in IAEA
Safety Report No. 46
• 95 different challenges identified (some of them applicable for several levels)
• 254 different mechanisms identified
• 941 different provisions indicated
Example: Objective tree for Level 2
SAFETY PRINCIPLE: Protection against power transient accidents
safety functions: SF(1) affected: to prevent unacceptable reactivity transients
challenges: Insertion of reactivity with potential for fuel damage
mechanisms and Level 2 provisions:
  Control rod withdrawal: monitoring of rod position; limited speed of rod withdrawal; limited worth of control rod groups
  Control rod malfunction (drop, alignment): in-core instrumentation; monitoring of rod position
  Erroneous startup of loop: limitations on inactive loop parameters; limited speed for a loop connection
  Release of absorber deposits: adequate coolant chemistry; in-core instrumentation
  Incorrect refuelling operations: in-core instrumentation; sufficient shutdown margin; negative reactivity feedback coefficient
  Inadvertent boron dilution: adequate operating procedures; monitoring system for makeup water; long time for operator response
Objective tree for Levels 1, 2, 3, 4 of defence in depth
SAFETY PRINCIPLE: Ultimate heat sink provisions (142)
safety functions affected:
  SF(7): to remove residual heat in operational states and accidents with RPB intact
  SF(6): to remove heat from the core after a failure of the RPB, to limit fuel damage
  SF(8): to transfer heat from other safety systems to the ultimate heat sink
challenge: Long term ultimate heat sink (UHS) not adequate
  mechanisms: body of water (sea, river, lake, etc.) lost due to external hazards (natural phenomena, human induced events); atmospheric UHS not designed to withstand extreme events (natural phenomena, human induced events); evaporation of water process in UHS impacted; raising of the temperature process of UHS impacted; support systems for UHS not properly designed
  provisions: analysis of all site relevant extreme events (natural phenomena, human induced events) for design; diversity of UHS; diversity of supply systems (power, fluid); external hazards properly addressed in UHS design; rates within limits; pressure limits; interconnection and isolation capabilities; leak detection; power and fluid supply (LOOP)
challenge: Heat transport systems (HTS) vulnerable
  mechanisms: heat transport systems (HTS) not reliable; proper design of the HTS (not ensured); extended capabilities for heat transfer in case of severe accidents (lacking)
  provisions: proven components; redundancy; diversity; interconnection; isolation; physical separation; HTSs designed according to the importance of their contribution to heat transport; independence; safety margins; design precautions for external hazards; venting; additional water for spray system
Objective tree for Level 3 of defence in depth
SAFETY PRINCIPLE: Dependent failures
safety functions: all FSFs affected (controlling reactivity, cooling fuel, confining radioactive material)
challenge: Safety systems fail when performing their functions due to common-cause failure vulnerabilities
mechanisms and provisions:
  CCF due to internal events (loss of power, lack of fuel for DGs, etc.): independence of safety systems from other plant systems; fail-safe design of safety systems to the extent possible; sufficient redundancy and diversity in power sources; redundancy, diversity, independence of auxiliary services for safety systems; interaction of simultaneously operated safety systems
  CCF due to system errors in design, construction, operation, maintenance, tests: independent, redundant systems linked with diversity; QA programme implemented in all phases of plant lifetime; independent verification/assessment of design; margins incorporated in design to cope with ageing and wear-out; coordination of different operational, maintenance, support groups
  CCF due to events originated in other units on the same site: avoid sharing of important systems between units; demonstration of safety for all operational states and DBA on any of the units; safe shutdown and cooling of one reactor with a severe accident on the other
  CCF due to internal hazards (flooding, missiles, pipe whip, jet impact): risk analysis of internal hazards and implementation of countermeasures; physical separation by barriers, distance or orientation; redundant systems located in different compartments; crucial equipment qualified for environmental conditions; external events considered as initiators for internal hazards (fires, floods, ...); overpressurization of one system from another interconnected system avoided
  CCF due to fires and internal explosions: fire hazard analysis performed to specify barriers, detection, fighting systems; preference for fail-safe operation of systems; use of non-combustible, fire retardant and heat resistant materials; separation of redundant systems by fire resistant walls/doors; preferable use of non-flammable lubricants; control of combustibles and ignition sources; sufficient fire fighting capability available; automatic initiation of fire fighting system; inspection, maintenance, testing of fire fighting system; fire resistant systems for shutdown, RHR, monitoring, confinement of radioactivity; avoid impairment of safety systems by function of fire fighting systems; external fire fighting services considered; organization of relevant training of plant personnel
  CCF due to earthquakes: consideration of seismicity in site selection; sufficient margins in anti-seismic design; safety equipment qualified for seismic events by tests and analysis; events possibly induced by earthquakes (e.g. floods) considered; failure of non-safety equipment affecting performance of safety equipment avoided
  CCF due to human made hazards (aircraft crash, gas clouds, explosives): assessment of risk from man-induced hazards; subset of man-induced events included in design; transport routes diverted from the vicinity of the plant
  CCF due to external events (high winds, floods, extreme meteorological conditions): most extreme conditions considered in special design features
Human and organizational
factors as an integral part of
defence in depth
Consideration of human and
organizational factors in objective trees
INSAG-12 safety principles indicate a clear role of human and organizational
factors in achieving safety objectives at all levels of defence
Defence in depth is often oversimplified by focusing on engineering aspects
(barriers and their integrity) while “soft” aspects are neglected
Human and organizational issues are associated with large uncertainties,
and can affect several levels of defence at the same time
Objective trees illustrate clear links between weaknesses in human and
organizational factors and challenges to safety objectives, and help to identify and
eliminate them
There is always room for improvement, and a comprehensive
assessment of Fukushima offers broad opportunities for improvement
Example: Objective tree for Levels 1-4: HOF SAFETY PRINCIPLE
Organization, responsibility and staffing
safety functions: all FSFs affected (controlling reactivity, cooling fuel, confining radioactive material)
challenge: Degraded responsibility of operating organization for safe operation
  mechanisms and provisions:
  Important elements for achieving safety not established: responsible plant manager in place; organizational structure under plant manager in place; executive management supports plant manager
  Operation not governed by safety: implementation and enforcement of safety culture principles
  Resources not provided by executive management: executive management provides financial, technical support, material, chemistry, radiological protection and other staff resources to operation
  Missing or incomplete job descriptions: job descriptions to state responsibilities
  Loss of corporate memory: long term internal training programme for crucial staff; sharing of experience of senior experts with new staff; competitive conditions for necessary expertise; maintaining motivation of staff during shutdown periods; maintaining documentation important for corporate memory; support of good students in relevant areas
challenge: Degraded staff actions in normal operations
  mechanisms and provisions:
  Insufficient number of qualified staff: enough qualified staff is employed
  Undue stress or delay in activities (e.g. maintenance): appropriate schedule for normal activities
  Weak supervision during periods of exceptional workload: appropriate schedule for supervision by external experts
  Insufficient staffing specifications: backup for key positions; taking account of attrition; time reservation for retraining
challenge: Degraded staff actions in accident situations and beyond
  mechanisms and provisions:
  Staff not qualified for special tasks; emergency service not available: qualified staff for damage assessment and control; qualified staff for AMP; qualified staff for fire fighting; qualified staff for first aid treatment; qualified staff for on- and off-site monitoring; emergency service in the locality
Example: Objective tree for Levels 1-3: HOF SAFETY PRINCIPLE
Training
safety functions: all FSFs affected (controlling reactivity, cooling fuel, confining radioactive material)
challenge: Routine staff activities potentially compromising safety due to overall lack of qualified personnel
  mechanisms and provisions:
  Insufficient development of safety awareness: comprehensive training programme for all staff; supporting training organization with sufficient resources and facilities; inclusion of safety culture principles in training; avoidance of conflict between production needs and training of personnel; assessment and improvement of training programme; training of external personnel and cooperation with plant personnel; approval of training programme by regulatory body; inclusion of tests of all personnel in training programme
  Non-effective staff training: systematic approach to training; inclusion of a variety of aspects (neutronics, TH, radiological, technological) in training; importance of maintaining fundamental safety functions in training; importance of maintaining plant limits and conditions in training; inclusion of plant layout, role and location of important components and systems in training; inclusion of location of radioactive materials and measures to prevent their dispersal in training; covering plant normal, abnormal and accident conditions in training; inclusion of relevant plant walk-through in staff training; specified intervals for refresher training
challenge: Degraded plant safety performance due to inappropriate safety management
  mechanisms and provisions:
  Specialized management training insufficient: priority of safety over production in training; covering role of managers in ensuring plant safety; inclusion of PSA results in training; familiarization with results of accident analysis within DBA; analysis of operational experience feedback from same or similar plants
challenge: Unqualified conduct of control room operations with limited or degraded knowledge
  mechanisms and provisions:
  Degraded or out-of-date knowledge: covering detailed training of normal operating procedures; plant familiarization and on the job training; simulator training for plant operating regimes; inclusion of analysis of operating events in training; arrangement for formal approval (licensing) of operators
  Limited theoretical and practical knowledge of the plant: inclusion of PSA results in training; familiarization of staff with results of accident analysis within DBA; covering details of accidents within DBA including diagnostic skills; detailed EOP training, retraining and testing of operating personnel; emphasizing team work and coordination of activities; use of plant full scope simulator in training for accidents within DBA; analysis of transients and accidents that occurred in similar plants
challenge: Failures of plant systems initiated by or resulting from unqualified maintenance
  mechanisms and provisions:
  Specialized maintenance staff training insufficient: on the job training; use of special equipment and mockups in training; potential safety consequences of technical or procedural errors; covering records of reliability and faults of plant systems during maintenance; analyzing spurious initiation of events and activation of plant systems during maintenance
Example: Objective tree for Level 4: HOF SAFETY PRINCIPLE
Training and procedures for accident management
safety functions: all FSFs affected (controlling reactivity, cooling fuel, confining radioactive material)
challenge: Lack of personnel for accident management
  mechanisms and provisions:
  Personnel assignment not effective for BDBA: review of emergency organization and qualification of personnel; development of a list of required qualifications; sufficient human resources for accident management; definition of lines of responsibility and authority for all personnel; establishment of a specialist team to advise operators in emergency; call-on system for personnel
challenge: Inadequate response of AM personnel due to lack of AM procedures
  mechanisms and provisions:
  Emergency operating procedures not developed adequately for BDBA: specification of scenarios representative of or contributing significantly to risk; definition of plant states to be covered by EOPs and their symptoms; proposal and verification of recovery actions for BDBA; availability of information to detect level and trend of severity; verification of performance of required equipment under BDBA conditions; definition of conditions for operator involvement incl. exit from EOP; verification and validation of EOPs for selected BDBA; availability of EOPs in all operating locations
  Severe accident guidelines inadequate: procedures for all strategies and checks of their effectiveness; user-friendly format of SAMG; completeness of guidelines vs strategies for accident management; availability of information needed to detect level/trend of severity; verification of performance and access of equipment required for each strategy; definition of expected positive and negative effects for each strategy incl. uncertainties; definition of entry and exit conditions for each strategy and further steps; verification and, to the extent possible, validation of SAGs; availability of SAGs in all operating locations
challenge: Inadequate response of AM personnel due to lack of AM training
  mechanisms and provisions:
  Training programme for AM inadequate: definition of training needs for different personnel; inclusion of simulators to a reasonable extent in the training programme; covering details of phenomenology of severe accidents in the programme; familiarization of staff with results of severe accident analysis for the NPP; inclusion of relevant plant walk-through in the training programme; making AMP development material available for training; availability of software tools for validation and training; consistency of procedures and guidelines with simulation; making training programme available to regulator
  Performance of training for AM inadequate: arrangement for regular retraining and testing of personnel; involvement of emergency staff in functional tests of equipment; inclusion of relevant operating events in training; inclusion of other site and external personnel in training
Example: Objective tree for Levels 1-4: HOF SAFETY PRINCIPLE
Engineering and technical support of operations
safety functions: all FSFs affected (controlling reactivity, cooling fuel, confining radioactive material)
challenge: Engineering and technical support inadequate to maintain required capability of disciplines important to safety
  mechanisms and provisions:
  Overall lack of expertise in the country: education and training for the country (links with universities, etc.); contact with foreign partners or international organizations; establishment of links with the plant suppliers; support of relevant research programmes
  Insufficient coordination of technical support for NPP: definition of necessary expertise needed to ensure plant safety throughout lifetime; internal group for support of operation, independent assessment and control of external support; strategy for assistance in evaluation of events, plant modifications, repair, tests and analytical support; links and clear interfaces with external technical support organizations; inclusion of results of research programmes in technical support
  Lack of resources for comprehensive engineering and technical support: use of more efficient expertise of plant personnel; sharing resources with other organizations having similar needs; use of resources from international sponsorship programmes; availability of sufficient resources to contract external organizations
  Insufficient expertise in technical support organizations: evaluation of expertise available and support for development of lacking expertise; involvement of several engineering and technical support organizations; adequate quality assurance programmes in technical support organizations; support for competitive working conditions in technical support organizations compared to other industries; support of relevant research programmes; links with foreign technical support organizations
Ways for strengthening HOF in nuclear
safety (IAEA IEM on HOF, 21-24 May 2013)
Enhancing effectiveness of the regulatory body
Organizational changes, including recognition of the need for the independence of the regulatory body
The development of additional regulatory requirements, expectations and guidance on human and organizational factors
The regulatory body providing licensees the authority at the preparedness stage to perform activities in emergency situations that may be outside the existing operating procedures and regulatory requirements but that are necessary in order to mitigate consequences
The regulatory body and the licensee holding joint dialogues about safety culture
The development of an integrated approach to safety by the regulatory body to enable dialogue on topics beyond compliance and regulation
Enhanced efforts by the regulatory body to go out in the field and engage the licensee in conversations at the working level about safety practices and policies
Efforts supporting safety culture self-assessment by the regulatory body and the sharing of that information with licensees
Ways for strengthening HOF in nuclear
safety (IAEA IEM on HOF, 21-24 May 2013)
Internal enhancement of safety performance of the operating organization
Implementation of more practical ways for managers to strengthen safety culture supporting prioritization of nuclear safety (in particular, if a NPP is part of non-nuclear utility)
Strengthening leadership and management for safety, mainly for top-level managers
Identifying ways to ensure that safety is a top priority
Objectively assessing efforts to strengthen safety and informing staff about safety initiatives
Proactively introducing resources to ensure safety
Questioning whether safety culture is a high enough priority
Recognizing the efforts of personnel to protect and ensure the safety of the public, the workers and the plant
Improvements with regard to decision making and consideration of the use of tools to support decision making in emergency response
Identification of additional training, including understanding resilience, for operating personnel
Ways for strengthening HOF in nuclear
safety (IAEA IEM on HOF, 21-24 May 2013)
Adequate consideration of external factors
Implementation of a systemic approach to safety, taking into account the interaction between individual, technical and organizational factors
Strengthening mutual interactions and cooperation among all stakeholders (operators, vendors, regulators, contractors, TSOs, corporate organizations, international organizations)
Strengthening interdisciplinary expertise by involvement of social and behavioural sciences
Continuously improving maintenance management to ensure safety and establishing closer cooperation with manufacturers and contractors
Establishing and maintaining the trust of local communities
Use of new communication interfaces and arrangements with all stakeholder organizations
Consideration of human and organizational factors in the planning, conduct and evaluation of emergency drills and exercises
Examples of post-Fukushima
enhancements of objective trees
Example: Objective tree for Levels 1-4, HOF safety principle "Organization, responsibility and staffing" – External factors (tree diagram)
Example: Objective tree for Levels 1-4, HOF safety principle "Organization, responsibility and staffing" – Lack of safety culture (tree diagram)
Reinforcing Defence in Depth –
A Practical Systemic Approach
IAEA IEM on HOF (21-24 May 2013): importance of adopting a systemic approach to safety that considers the interaction between individual, technical and organizational factors
Investigate the non-linear interactions between the 'hard' and 'soft' logic trees, and look beyond traditional organizational boundaries
WHY?
'Complicated' systems: the relationship between cause and effect requires analysis or some other form of investigation and/or the application of expert knowledge (sense-analyse-respond); management model: expert and rational leaders, top-down planning, smooth implementation of policies, and a clock-like organization can ensure flawless operation
'Complex' systems: the relationship between cause and effect can only be fully perceived in retrospect (probe-sense-respond); hundreds of moving parts, potentially thousands of actors with varied expertise and independence, and no central point that orchestrates all these different parts within an ever-changing context
Complex Systems
Reality: behaviour is contextualized; the system continuously adapts to and evolves with a changing environment; conflict and unplanned changes occur all the time; perceptions and projections have impact
Result: very high degrees of uncertainty that represent a different risk-management challenge than in technical systems; emergent, fractal properties; normal tools for predictability are insufficient
Requirement: use a screening process that looks at how the entire 'complex' system is adapting to changes, dealing with conflicts, and learning as a whole
Maintain and strengthen 'virtuous' cycles to support the ultimate goal of safety-conscious decisions and actions
Intervene in 'vicious' cycles that undermine information flows, cooperation, and conservative decision-making
Systemic Perspective
A systemic perspective enhances application of the defence in depth concept by screening interactions multi-directionally, and across many organizational boundaries
Example: DiD Resilience - Changing HOF Reality (diagram: novel practice, emergent practice, good practice, best practice)
IAEA Systemic Training Workshop
Purpose
Deepen understanding of human and organizational factors
Demonstrate application of the systemic mapping methodology to real-life scenarios
Provide an opportunity for participants to explore safety challenges in their own organizations with a multi-disciplinary team of facilitators
Target Audience
Middle managers in operating, regulatory and technical support organizations, including non-technical leaders such as performance improvement, training, and leadership or organization development managers
Timing
March 29 – April 1, 2016
Conclusions
Defence in depth is an essential strategy to ensure nuclear safety for both existing and new NPPs
The use of objective trees for screening the comprehensiveness of defence in depth provides a powerful tool for understanding links between technological and organizational provisions for ensuring safety of NPPs
Defence in depth should not be oversimplified by reducing it to the capacity of barriers to protect against releases of radioactive substances
The large uncertainties associated with predicting human behaviour, alongside its sensitivity to organizational factors and societal influences, require special attention to be given to 'soft' logic trees within the defence in depth framework and screening process
Defence in depth can be further strengthened by understanding nuclear power programmes as 'complex' systems, and by taking into account all the components of the system, from operators, through middle-level managers and NPP managers, up to corporate, governmental and even international levels when assessing risk
Cross-correlation and mutual interdependence between all components of this complex system's defence in depth need to be given considerable attention in the future
The use of system mapping for exploring the non-linear interactions between individual, technical and organizational factors can enhance defence in depth by providing a method for screening the multiplicity of dynamics within and between organizations that drive the overall culture for safety within a national nuclear programme