Slide 1

All rights reserved B&W Pantex 2008 4 Hour Professional Development Seminar HPRCT Workshop, Baltimore Maryland June 21, 2010 Richard S. Hartley, Ph.D., P.E. Janice N. Tolk, Ph.D., P.E. This presentation was produced under contract number DE-AC04-00AL66620 with

Slide 2

All rights reserved B&W Pantex 2008 An organization that repeatedly accomplishes its mission while avoiding catastrophic events, despite significant hazards, dynamic tasks, time constraints, and complex technologies A key attribute of being an HRO is to learn from the organizations mistakes A.K.A. a learning organization 2

Slide 3

All rights reserved B&W Pantex 2008 Nuclear Navy Commercial nuclear power Aircraft carrier operations Hospital patient care Military nuclear deterrent Forest service Aviation Nuclear weapons assembly and disassembly 3

Slide 4

All rights reserved B&W Pantex 2008 Is it right for you? 4

Slide 5

All rights reserved B&W Pantex 2008 Data as of 7/7/2009 Contractor ISM deployed DOE injury rates have come down significantly since Integrated Safety Management (ISM) was adopted 5

Slide 6

All rights reserved B&W Pantex 2008 Rx Trips/ Scrams Cost ( /kwh) Significant Events/Unit Capacity Factor (% up) Nuclear Energy Institute (NEI) Data 6

Slide 7

All rights reserved B&W Pantex 2008 7

Slide 8

8 The Normal Accident Organization

Slide 9

All rights reserved B&W Pantex 2008 As Columbia and Davis-Besse have demonstrated, great safety stats dont equal real, tangible organizational safety. The tendency for normal people when confronted with a continuous series of positive stats is to become comfortable with good news and not be sensitive to the possibility of failure. Normal people routinely experience failure by believing their own press (or statistics). 9

Slide 10

All rights reserved B&W Pantex 2008 CAIB: The unexpected became the expected, which became the accepted. 10 When NASA lost 7 astronauts, the organization's TRC rate was 600% better than the DOE complex. And yet, on launch day 3,233 Criticality 1/1R* hazards had been waived. * Criticality 1/1R component failures result in loss of the orbiter and crew.

Slide 11

All rights reserved B&W Pantex 2008 Had some performance hard spots in the 80's Had become a world-class performer in the next 15 years Preceding initiating events of mid 90's Frequently benchmarked by other organizations While a serious corrosion event was taking place Complete core melt near miss in 2002 11

Slide 12

All rights reserved B&W Pantex 2008 SYSTEM ACCIDENT TIMELINE 1979 - Three Mile Island 1984 Bhopal India 1986 NASA Challenger 1986 Chernobyl 1989 Exxon Valdez 1996 Millstone 2001 World Trade Center 2005 BP Texas City 2007 Air Force B-52 2008 Stock Market Crash What is Next? Who is Next?

Slide 13

All rights reserved B&W Pantex 2008 Attempts to Understand & Prevent System Accidents 13

Slide 14

All rights reserved B&W Pantex 2008 Attempts to Understand & Prevent System Accidents (High Reliability vs. Normal Accident Theory)

Slide 15

All rights reserved B&W Pantex 2008 "Most ailing organizations have developed a functional blindness to their own defects. They are not suffering because they cannot resolve their problems, but because they cannot see their problems. John Gardner 15

Slide 16

All rights reserved B&W Pantex 2008 Individual Accidents OR Systems Accidents? 16

Slide 17

All rights reserved B&W Pantex 2008 An accident occurs wherein the worker is not protected from the plant and is injured (e.g. radiation exposure, trips, slips, falls, industrial accident, etc.) Plant (hazard) Human Errors (receptor) 17 Focus: Protect the worker from the plant

Slide 18

All rights reserved B&W Pantex 2008 An accident wherein the system fails allowing a threat (human errors) to release hazard and as a result many people are adversely affected Workers, Enterprise, Surrounding Community, Country 18 Human Errors (threat) Plant (hazard) Focus: Protect the plant from the worker The emphasis on the system accident in no way degrades the importance of individual safety, it is a pre-requisite of an HRO

Slide 19

All rights reserved B&W Pantex 2008 System accident - an occurrence that is unplanned and unforeseen that results in serious consequences and causes total system disruption (i.e. death, dose, dollars, delays etc.). System event - any unplanned, unforeseen occurrence that results in the failure of the system that does not result in catastrophic consequences -- indicates a breakdown in the system vital to the well-being of many people and the survivability of the organization! 19 System accident - an occurrence that is unplanned and unforeseen that results in serious consequences and causes total system disruption (i.e. death, dose, dollars, delays etc.). System event - any unplanned, unforeseen occurrence that results in the failure of the system that does not result in catastrophic consequences -- indicates a breakdown in the system vital to the well-being of many people and the survivability of the organization!

Slide 20

All rights reserved B&W Pantex 2008 20 Some types of system failures are so punishing that they must be avoided at almost any cost. These classes of events are seen as so harmful that they disable the organization, radically limiting its capacity to pursue its goal, and could lead to its own destruction. Laporte and Consolini, 1991 Some types of system failures are so punishing that they must be avoided at almost any cost. These classes of events are seen as so harmful that they disable the organization, radically limiting its capacity to pursue its goal, and could lead to its own destruction. Laporte and Consolini, 1991 Some types of system failures are so punishing that they must be avoided at almost any cost. These classes of events are seen as so harmful that they disable the organization, radically limiting its capacity to pursue its goal, and could lead to its own destruction. Laporte and Consolini, 1991

Slide 21

All rights reserved B&W Pantex 2008 HROs vs. NAT Organizations 21

Slide 22

All rights reserved B&W Pantex 2008 22 R = C x P If we are truly working with high-risk operations, ethically and morally we should not be in business! Risk = Consequence x Probability

Slide 23

All rights reserved B&W Pantex 2008 Belief of HRO Accidents can be avoided by organizational design and management i.e. Risk = C x P is manageable 23 Dr. Karlene Roberts Dr. Charles Perrow Belief of NAT Accidents are inevitable in complex and tightly coupled operations i.e. Risk = C x P is too high

Slide 24

All rights reserved B&W Pantex 2008 Belief of HRO Accidents can be avoided by organizational design and management i.e. Risk = C x P is manageable Belief of NAT Accidents are inevitable in complex and tightly coupled operations i.e. Risk = C x P is too high 24 Control of Risk DOE reduces C by: minimizing the hazard and/or mitigating the consequence DOE reduces P - human performance improvement human performance error precursors barriers

Slide 25

All rights reserved B&W Pantex 2008 Linear interactions Expected & familiar production or maintenance sequences Visible, even if unplanned Simple -- readily comprehensible Complex interactions One component can react with others outside normal production sequence Nonlinear Unfamiliar sequences, or unplanned and unexpected sequences not visible nor immediately comprehensible 25

Slide 26

All rights reserved B&W Pantex 2008 Linear interactions Expected & familiar production or maintenance sequences Visible, even if unplanned Simple -- readily comprehensible Complex interactions One component can react with others outside normal production sequence Nonlinear Unfamiliar sequences, or unplanned and unexpected sequences not visible nor immediately comprehensible 26

Slide 27

All rights reserved B&W Pantex 2008 27 Complex Interactions 1 2 3 Linear Interactions 123 4 For linear interactions 4 events lead to 4 interactions. 1 2 3 4 5 6 1 2 3 4 5 6 7 89 Complex Interactions 1 2 3 4 5 6 7 89 10 11 12 For complex interactions, 4 events lead to 12 possible interactions. Greatly amplifies difficulty in determining and responding to the problem.

Slide 28

All rights reserved B&W Pantex 2008 28 Complex interactions not necessarily high-risk systems with catastrophic potential, examples: Universities R&D Federal Government Also takes another key ingredient Tight coupling

Slide 29

All rights reserved B&W Pantex 2008 Loosely coupled systems: Delays possible; processes can remain in standby mode Spur-of-the-moment redundancies and substitutions can be found Fortuitous recovery aids possible Failures can be patched more easily, temporary rig can be set up Tightly coupled systems: Time-dependent processes: they cant wait or standby Reactions in chemical plants instantaneous, cant be delayed or extended Sequences invariant Only one way to reach production goal Little slack; quantities must be precise, resources cant be substituted Buffers and redundancies must be designed in, thought of in advance 29 Ever done this? Super Glue

Slide 30

All rights reserved B&W Pantex 2008 30 Loose Coupling Tight Coupling

Slide 31

All rights reserved B&W Pantex 2008 31 Normal Accidents Living with High-Risk Technologies, Perrow Loose