(Editor’s Intro) I’m pleased to introduce an article by Bill Nelson who led the Safety Culture track at the recent PSAM. As with our DOE approach to High Reliability, Bill takes the approach that safety and performance are necessarily complementary goals. Thanks to Bill for permitting me to post his paper. Bill is a Principal Consultant with Det Norske Veritas (DNV) in Houston, Texas. His responsibility is to develop and manage projects for the power generation industry in North America, with a focus on safety culture and safety management. Prior to joining DNV, Bill worked for 24 years at the Idaho National Laboratory and 3 years at the Halden Reactor Project in Norway. In those positions he managed programs in human factors and risk management for the Nuclear Regulatory Commission, Department of Energy, US Army, US Air Force, and NASA. However, his most interesting and challenging assignment was 3 years as the Executive Pastor of a church in Northwest Houston. Bill holds an M.S. Degree in Nuclear Engineering from the University of Washington.
Building and Assessing an Effective Safety and Performance Culture
William R. Nelson
Det Norske Veritas (USA) Inc., Houston, TX USA
Abstract: In order to reach maximum levels of performance and safety for complex installations such as nuclear power plants and oil refineries, technical and organizational risk factors should be integrated so that the full spectrum of risk information can be utilized and communicated. Current approaches typically separate technical and organizational perspectives due to the diverse engineering and social sciences perspectives of the two disciplines. Both safety and performance issues require balanced treatment to enable maximum business performance. DNV has developed an approach combining bow tie diagrams (from the oil and gas and process industries) and defense in depth objective trees (from the nuclear power industry) to address these needs. The approach has been applied to the study of supply chain risk for Lockheed Martin, focusing on three complex risk issues: environmental compliance, information systems for supporting organizational situation awareness, and incentives and motivation across a community of suppliers. The results of this application show promise for designing safety management systems and a “safety and performance culture” to enable operations excellence for high risk installations such as nuclear power plants, oil refineries, and offshore oil platforms. The approach is now being applied to the assessment of risk informed safety culture for a nuclear power station in Canada.
It is widely recognized that a healthy safety culture is a critical component of effective safety and risk management for nuclear power stations. Unfortunately, there is substantial disagreement about what constitutes an effective safety culture, and accidents and near misses continue to occur even when substantial efforts are exerted to institute safety management and safety culture programs. It is therefore apparent that something is missing in standard safety management and safety culture programs. There is an urgent need for a safety culture assessment approach that effectively combines technical and organizational risk factors together, and which can be tied directly to objective measures of safety and risk. This is essential to ensure that safety culture assessment has a real and positive effect on safety and risk, and to ensure that risk mitigation investments are focused where they will have the maximum benefit. In addition, both safety and performance issues should receive balanced attention to enable a healthy organizational culture and to achieve optimum business results. To help achieve these goals, DNV is developing an approach for risk informed safety culture assessment, to support the development of an effective safety and performance culture. The overall objectives for the risk informed safety culture assessment process are the following:
- Develop a measure of safety culture that is grounded in objective measures of safety and risk
- Prevent individual events from progressing to serious accidents by slipping through the holes in the barriers that are intended to prevent them from occurring
- Support the assessment of operational experience to identify lessons learned that will prevent not only “identical” accidents but broader categories of similar events
- Support achievement of organizational objectives for safety and performance
- Develop a common awareness of safety and performance across disciplines and at all levels of the organization
- Integrate the full spectrum of management systems on a common foundation of safety and performance objectives
- Redefine the utility – regulator engagement to enable an effective partnership for achieving safety objectives
The main steps of the DNV approach for risk informed safety and performance management include:
- Define organizational performance and safety objectives and the critical functions required to achieve them
- Identify major risk events: i.e. challenges to the critical functions
- Develop bow tie diagrams for the major risk events to show potential pathways for event progression from causes to consequences, barriers for preventing the events, and controls for reducing the consequences
- Develop defense in depth objective trees to integrate mitigation strategies for multiple risk events and identify the links to the performance and safety objectives
- Evaluate, select, and implement integrated mitigation strategies
- Monitor process performance to assess the effectiveness of the mitigation strategies
Both technical and organizational risk factors are represented in the bow tie diagrams and the defense in depth objective trees, describing how they must be integrated to achieve the safety and performance objectives. The two complementary perspectives for safety and performance management, and the tools for representing them are described in the following sections.
2.1 Combining two complementary dimensions for safety and performance management
Classical methods for safety management are often based on a loss prevention paradigm – that is, intervening in the progression of events to prevent the occurrence of serious accidents that would result in financial loss due to equipment damage, loss of production, injury to personnel or the public, or loss of reputation. A complementary critical function paradigm focuses on the achievement of organizational goals including production and safety. By combining these two perspectives it becomes possible to create a robust management system and resulting culture that will help the organization achieve both safety and performance goals.
2.1.1 Loss prevention paradigm
Figure 1 shows a common graphic that illustrates the loss prevention approach – the “Swiss cheese” model developed by James Reason [1]. The diagram illustrates a number of “pathways” that are followed (e.g. by people, equipment, or processes) as an event progresses from “hazards” (i.e. potentially dangerous conditions) to an accident – where significant losses to the organization may occur. The diagram also shows that the primary strategy to prevent events from progressing to accidents is to establish and maintain barriers that intervene in event progression, either physically or procedurally. Safety management then becomes an exercise to ensure that the proper barriers are in place and maintained. The primary goal for safety culture in the loss prevention paradigm is to maintain awareness of the barriers and to actively intervene in accident progression when the situation requires it.
Figure 1: Loss prevention paradigm
2.1.2 Critical function paradigm
The concept of critical safety functions was developed in the nuclear industry following the accident at Three Mile Island [2]. Critical safety functions can be extended to the more generic term, “critical functions”, to cover broader objectives, for example production goals for a nuclear power station. Critical functions are used to ensure that the proper equipment, systems, and procedures are in place to enable organizations to achieve their goals. Figure 2 shows how the addition of the critical function perspective can be used to supplement the loss prevention perspective. In this case the goal is to move towards the top of the diagram, i.e. to achieve the organization’s performance and safety goals. Resources are made available to help the organization achieve these goals, and information systems are used to help personnel understand the critical functions and the current situation relative to the achievement of the goals. In some cases it may be possible that focused attention on the organization’s performance and safety goals can divert personnel from potential accident pathways even before the barriers are encountered. In this paradigm the safety and performance culture is concerned with awareness of the health of the critical safety functions, and effective decision making to support the achievement of the organization’s safety and performance goals.
2.1.3 Benefits of combining the loss prevention and critical function paradigms
By combining the loss prevention and critical function paradigms, a very robust system for safety and performance management becomes possible, and supports the development of a “safety and performance culture.” This helps highlight the important concept that organizations are not solely concerned with preventing accidents, but on achieving production and financial goals while operating safely. By integrating the treatment of the performance and safety goals a more robust system is created that allows the organization to make more effective decisions in both the performance and safety domains.
Figure 2: Combining the loss prevention and critical function paradigms
2.1.4 Attributes of the safety and performance culture
We believe that organizational culture has the most meaning in the context of organizational purpose and mission, and that safety culture programs are most effective in the same context. Essential elements of the safety and performance culture are: Awareness of the safety and performance goals and the current situation relative to achieving them, Commitment to achieve the goals, and Tools that enable achievement of the goals. We differentiate “commitment” from “motivation” (which can be purely financial or fear of punishment) by adding the very critical consideration that “it’s the right thing to do.” Two types of tools must be available to enable the safety and performance culture: tools that enable awareness of safety and performance goals and the current situation relative to achieving them, and tools that enable decision making – i.e. to convert commitment into reality.
2.2 Healthy regulatory engagement – “going the second mile”
Regulatory relations are sometimes viewed primarily as a necessary cost of doing business. However, nuclear utilities should recognize that healthy relations with regulatory organizations play a vital role in maintaining safety and achieving performance goals. By providing a complementary perspective and an independent set of eyes for monitoring processes for safety and risk management, effective partnership between the regulator and utility can help both organizations achieve their respective responsibilities towards shareholders and citizens. Effective utility – regulator engagement is analogous to the statement “If someone forces you to go one mile, go with him two miles.” Going the first mile under duress is a hallmark of standards-based compliance. Compliance is only the starting point for excellence in safety and plant performance. Effective collaboration between regulatory and industry groups is needed to ensure that effective measures for safety management and safety culture are implemented. The key to “going the second mile” is to agree on the destination.
2.3 Tools for representing the loss prevention and critical function paradigms
The DNV approach uses two basic analytic tools to organize safety and risk management information: objective trees and bow tie diagrams.
2.3.1 Bow tie diagrams
Bow tie diagrams are a very effective tool for representing information regarding the loss prevention paradigm for safety management. Bow tie diagrams were developed in the offshore oil and gas industry, and were originally applied primarily to identify physical barriers for preventing and mitigating catastrophic events such as fires and explosions. More recently however, they have been applied to a broader spectrum of potential events, and to cover organizational barriers as well as physical barriers. Figure 3 shows the basic structure of a bow tie diagram. The circle at the center of the diagram shows the “top event” – i.e. the occurrence of a serious accident resulting from a specific type of hazard. At the left side of the diagram are the potential causes of the top event and the barriers (either technical or organizational) that could prevent it from occurring. On the right hand side of the diagram are the potential consequences of the top event, barriers that can be used to mitigate or control the consequences, and the overall effects that could result from the occurrence of the accident.
Figure 3: Example bow tie diagram
2.3.2 Objective trees
Various forms of objective trees for critical function management have been developed and applied since the accident at Three Mile Island (TMI). Even prior to TMI, the Idaho National Engineering Laboratory (INEL) developed a form of objective trees called response trees that were used to organize the emergency procedures for the Loss of Fluid Test (LOFT) facility, a test reactor that was used to test the performance of emergency core cooling systems during a loss of coolant accident (LOCA) [3]. Following TMI the Combustion Engineering (CE) Owner’s Group created a variation of response trees called Resource Assessment Trees to organize information in the Emergency Procedure Guidelines for CE nuclear power plants. The INEL developed a more generic version called safety objective trees to study information requirements for Severe Accident Management in a study for the US Nuclear Regulatory Commission [4]. Finally, the International Atomic Energy Agency (IAEA) developed another variation called defense in depth objective trees to illustrate strategies for maintaining defense in depth for nuclear power plants [5]. The defense in depth objective trees showed that organizational factors could be treated together with technical risk factors in the same objective tree structure.
Figure 4 is an example of the basic defense in depth objective tree structure that we are using in our approach for risk informed safety culture assessment. It includes levels that describe the critical safety functions; the challenges that could endanger the critical safety functions; specific mechanisms that could lead to the critical function challenges; and risk management strategies that can be used to prevent or mitigate the challenges and thus protect the critical safety functions. The example is a simplified version of an IAEA defense in depth objective tree showing how technical and organizational risk factors can be combined in a common representation.
Figure 4: Example defense in depth objective tree
2.3.3 Combining objective trees and bow tie diagrams for safety and performance management
Figure 5 shows how bow tie diagrams and objective trees can be linked together to provide integrated treatment of both the critical function and loss prevention paradigms for safety and performance management. Strategies are divided into prevention strategies aimed at prevention of the critical function challenge and mitigation strategies that are aimed at mitigating the effects of the occurrence of the critical function challenge. Events at the Challenge and Mechanism levels of the objective trees can be linked directly to bow tie diagrams that illustrate how these events can be prevented and/or mitigated through the application of technical or organizational barriers. These events can also be directly linked to quantified risk assessment methods such as Probabilistic Safety Assessment (PSA).
Figure 5: Combining objective trees and bow tie diagrams for risk informed safety and performance management
The overall approach has been applied to the study of supply chain risk for the Lockheed Martin Joint Strike Fighter program, focusing on three complex risk issues: environmental compliance, information systems for supporting organizational situation awareness, and incentives and motivation across a community of suppliers. High-level bow tie diagrams were developed for each of the risk issues, and suppliers were interviewed to gain their perspectives on the issues and potential risk management strategies. Then, detailed bow tie diagrams were developed in a workshop setting with Lockheed Martin personnel to identify integrated risk management strategies that could be implemented to address the spectrum of risk issues that were identified. The results of the application were very positive. Building upon Lockheed Martin’s extensive risk management program, the approach helped show how individual risks are related and how integrated mitigation strategies could be applied to address multiple risks. Also, the graphical representation of the bow tie diagrams resulted in an excellent tool for communicating major risk issues across disciplines and at multiple levels of the organization.
DNV is currently working with a nuclear utility in Canada to develop and assess a safety and performance culture, as part of their overall management systems assessment process. We are focusing on the use of bow tie diagrams to identify the important technical and organizational barriers that can be used to prevent or mitigate accidents. Once the barriers are identified we will develop measures of barrier health. Then we will perform a baseline assessment to determine the current health of the barriers and the awareness of plant personnel of the barriers and the implications of their actions on the performance of the barriers. This process will form the foundation for risk informed safety culture assessment at this nuclear power station.
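To make the structures in sections 2.3.1 through 2.3.3 concrete, the following is an added illustration (not DNV’s tool, data or metric) of a defense in depth objective tree whose Mechanism nodes are linked to bow tie diagrams, with the barrier-health measures mentioned above attached to each barrier. Every name, barrier and health score is constructed, and the three checks it performs are assumptions chosen for the example: listing mechanisms whose prevention barriers are all below a health threshold (the lined-up holes of Figure 1), finding barriers shared by several bow ties (candidates for integrated mitigation strategies), and rolling barrier health up to the critical function (best barrier on each pathway, weakest pathway overall).

```python
"""Constructed model linking bow tie diagrams to an objective tree.

Added example only: the entities, barriers, health scores and roll-up rules
are assumptions for illustration, not DNV's method or any plant's data.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Barrier:
    name: str
    kind: str      # "technical" or "organizational" (page's two barrier types)
    health: float  # constructed measure: 0.0 = failed, 1.0 = fully effective


@dataclass
class BowTie:
    top_event: str
    causes: list[str]
    prevention: list[Barrier]    # left side: keep causes from reaching the top event
    consequences: list[str]
    mitigation: list[Barrier]    # right side: limit consequences once it occurs


@dataclass
class Mechanism:
    name: str
    bow_tie: BowTie | None = None  # link from objective tree node to its bow tie


@dataclass
class Challenge:
    name: str
    mechanisms: list[Mechanism] = field(default_factory=list)


@dataclass
class CriticalFunction:
    name: str
    challenges: list[Challenge] = field(default_factory=list)


def unprotected_mechanisms(cf: CriticalFunction, threshold: float = 0.5) -> list[str]:
    """Mechanisms with no prevention barrier at or above the health threshold."""
    gaps = []
    for ch in cf.challenges:
        for m in ch.mechanisms:
            bt = m.bow_tie
            if bt is None or not any(b.health >= threshold for b in bt.prevention):
                gaps.append(f"{cf.name} / {ch.name} / {m.name}")
    return gaps


def shared_barriers(bow_ties: list[BowTie]) -> dict[str, list[str]]:
    """Barriers appearing in more than one bow tie, keyed by barrier name."""
    seen: dict[str, set[str]] = {}
    for bt in bow_ties:
        for b in bt.prevention + bt.mitigation:
            seen.setdefault(b.name, set()).add(bt.top_event)
    return {n: sorted(evts) for n, evts in seen.items() if len(evts) > 1}


def critical_function_health(cf: CriticalFunction) -> float:
    """Assumed roll-up: barriers on one pathway act in parallel (take the best),
    pathways compete to defeat the function (take the weakest pathway)."""
    pathway_scores = []
    for ch in cf.challenges:
        for m in ch.mechanisms:
            bt = m.bow_tie
            best = max((b.health for b in bt.prevention), default=0.0) if bt else 0.0
            pathway_scores.append(best)
    return min(pathway_scores) if pathway_scores else 1.0


def build_model() -> tuple[CriticalFunction, list[BowTie]]:
    """Constructed sample: one critical function, one challenge, two mechanisms."""
    response = Barrier("Operator response procedure", "organizational", 0.7)  # shared
    valve_bt = BowTie(
        top_event="Valve misalignment",
        causes=["Procedure step skipped during maintenance"],
        prevention=[Barrier("Independent verification", "organizational", 0.8),
                    Barrier("Valve position interlock", "technical", 0.9)],
        consequences=["Cooling flow diverted"],
        mitigation=[response],
    )
    pump_bt = BowTie(
        top_event="Pump trip",
        causes=["Bearing wear not detected"],
        prevention=[Barrier("Preventive maintenance program", "organizational", 0.4)],
        consequences=["Loss of cooling flow"],
        mitigation=[Barrier("Backup pump auto-start", "technical", 0.9), response],
    )
    challenge = Challenge("Loss of cooling flow",
                          [Mechanism("Pump trip", pump_bt),
                           Mechanism("Valve misalignment", valve_bt)])
    cf = CriticalFunction("Maintain heat removal", [challenge])
    return cf, [valve_bt, pump_bt]


if __name__ == "__main__":
    cf, bow_ties = build_model()
    print("Unprotected:", unprotected_mechanisms(cf))
    print("Shared barriers:", shared_barriers(bow_ties))
    print("Critical function health:", critical_function_health(cf))
```

Run as a script it reports the “Pump trip” mechanism as unprotected (its only prevention barrier scores 0.4), the operator response procedure as a barrier shared by both bow ties, and a critical function health of 0.4, which is how the weakest pathway in the objective tree shows up at the level of the safety and performance objective.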
The bow tie – objective tree approach has many benefits for development and assessment of the performance and safety culture. Bow tie diagrams and objective trees combine to provide complementary perspectives for risk management: event progression and intervention, and maintenance of the critical functions for achieving performance and safety goals. The approach provides a graphical illustration of risk management, making an excellent tool for communicating and understanding risk issues across disciplines and at all levels of the organization. The diagrams clearly show how risk events and risk mitigation strategies are linked to organizational objectives including safety as well as operational and financial performance. Lessons learned can be generalized across events so that “similar” events can be prevented rather than just identical events. Owners can be assigned to maintain the barriers and critical functions to ensure that they are continuously monitored and maintained. Finally, the bow tie diagrams and defense in depth objective trees provide direct links to quantitative risk assessment methods such as Probabilistic Safety Assessment (PSA), and support decision processes for selecting optimal risk mitigation strategies.
DNV has developed an approach to risk informed safety and performance culture assessment that combines two complementary perspectives for safety and performance management: the loss prevention paradigm and the critical function paradigm. By combining these two paradigms it is possible to provide effective processes and tools that enable a healthy safety and performance culture, and to provide objective means for safety culture assessment. We are currently working in partnership with a Canadian nuclear utility to apply risk informed safety culture assessment as part of their overall management systems assessment. We are also working to organize a Joint Industry Project to fully explore the potential of the approach.
[1] James T. Reason, “Managing the Risk of Organizational Accidents,” Ashgate Publishing, Aldershot, 1997.
[2] W. R. Corcoran et al., “Nuclear Power-Plant Safety Functions,” Nuclear Safety, Vol. 22-2, pp. 179-191 (1981).
[3] W. R. Nelson, “Response Trees for Emergency Operator Action at the LOFT Facility,” ANS/ENS Topical Meeting on Thermal Reactor Safety, Knoxville, TN, April 7-11, 1980.
[4] W. R. Nelson, D. J. Hanson, and D. E. Solberg, “Identification of the Operating Crew’s Information Needs for Accident Management,” American Nuclear Society Meeting, Washington, D.C., Oct. 31 – Nov. 4, 1988.
[5] International Atomic Energy Agency, “Assessment of Defense in Depth for Nuclear Power Plants,” IAEA Safety Reports Series No. 46, 2005.