International Journal of Atomic and Nuclear Physics
Volume 2, Issue 1
Review Article DOI: 10.35840/2631-5017/2507
Importance of Safety Culture at Pre-Operational Phase to Prevent Nuclear Plant Accidents
Fahad Khubrani1*, Nader Bagherzadeh2 and Najmedin Meshkati3
Table of Content
Major subsystems of a large-scale, complex technological system .
Schein's three level culture model, adapted from IAEA .
Nuclear pre-operational project phases, adapted from IAEA .
Figure 4: Nuclear plant safety culture barrier model.
Nuclear plant safety culture barrier model.
Defense in depth barriers and levels of protection, source: IAEA .
USNRC decision-making process, adapted from NUREG-2150 .
Risk-informed deliberation, NUREG-2150 .
Integrated framework segment for management systems, adapted from IAEA .
Damage to the reactor buildings of units 3 & 4 shot on march 14-15, .
- (2002) Safety culture in nuclear installations: Guidance for use in the enhancement of safety culture. IAEA.
- Najmedin Meshkat, Maryam Tabibzadeh (2016) An integrated system-oriented model for the interoperability of multiple emergency response agencies in large-scale disasters: Implications for the persian gulf. Int J Disaster Risk Sci 7: 227-244.
- Safety Reports Series No.74 (2012) Safety culture in pre-operational phases of nuclear power plant projects. IAEA.
- Terrell MS (2000) The project manager's role as a safety champion. Paper presented at Project Management Institute Annual Seminars & Symposium, Houston, TX.
- USNRC (2004) Good practices for implementing Human Reliability Analysis (HRA).
- INSAGA (1996) The defense in depth concept: Purposes, methods and means.
- USNRC (2016) Probabilistic Risk Assessment (PRA).
- Robert Budniz (2016) Nuclear plant safety, Seismic assessment. Short Program, Presentation, MIT.
- USNRC (2014) Design-basis accident.
- (2012) USNRC implementation guide: Nuclear energy institute, Criticality. NRC: Glossary.
- (2009) The management system for nuclear installation. IAEA, Safety Standards, GS-G-3.5.
- USNRC (2013) Backgrounder on the three mile island accident. Plant Image.
- Högberg L (2013) Root causes and impacts of severe accidents at large nuclear power plants. Ambio 42: 267-284.
- INSAG (1993) The chernobyl accident: Updating of INSAG-1. Environment International 19.5.
- IAEA (1996) One decade after Chernobyl. In Proceedings of an International Conference in Vienna, Vienna.
- Kiyoshi Kurokawa (2012) Report to the national diet of Japan: Fukushima Nuclear Accident Independent Investigation Commission (NAIIC).
- Airi Ryu, Najmedin Meshkati (2014) Why you haven't heard about onagawa nuclear power station after the earthquake and tsunami of march 11, 2011.
- Najmedin Meshkati, Yalda Khashe (2016) Operators' improvisation in complex technological systems: Successfully tackling ambiguity, enhancing resiliency and the last resort to averting disaster.
- Madalina Tronea, Cantemir Ciurea (2014) Nuclear safety culture attributes and lessons to be learned from past accidents. INSJ 3.
- James F Gleason, Joe Hale, Claude Thibault, Edward L Quinn (2017) Post-Fukushima safety enhancements to nuclear power plants.
Fahad Khubrani1*, Nader Bagherzadeh2 and Najmedin Meshkati3
2University of California, USA
3University of Southern California, USA
Fahad Khubrani, University of California, Irvine, USA, E-mail: firstname.lastname@example.org
Accepted: November 27, 2017 | Published Online: November 29, 2017
Citation: Khubrani F, Bagherzadeh N, Meshkati N (2017) Importance of Safety Culture at Pre-Operational Phase to Prevent Nuclear Plant Accidents. Int J At Nucl Phys 2:007.
Copyright: © 2017 Khubrani F, et al. This is an open-access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
The authors of this paper shed light on the concept of safety culture at preoperational and operational phases, demonstrate a safety culture module to illustrate the roles of various safety culture barriers to prevent nuclear disasters. Also, they review and analyze the past major nuclear power plant accidents; Three Mile Island in 1979, Chernobyl in 1986 and Fukushima in 2011 with a focus on the lack of strong safety culture at the pre-operational phase that led to the tragedies. Furthermore, they exhibit a good example of a strong organizational safety culture case in Onagawa nuclear power station that survived a destructive tsunami.
Nuclear power plant, Safety culture, Tragedy, Onagawa nuclear power plant, Tsunami
A safety culture in an organization entails the influence of safety on the workforce attitudes, behavior, and practices. Safety is always the first priority in an organizational safety culture. In additional to that, there are no conflicts between safety, production, and/or cost. The Institute of Nuclear Power Operations (INOP) defines safety culture as "The core values and behaviors resulting from a collective commitment by leaders and individuals to emphasize safety over competing goals to ensure the protection of people and the environment" .
Human, organization, and technology are the main components of safety culture. The metaphor, shown in Figure 1, can be used to better understand the effects of human, organization, and technology factors in large scale complex technological systems such as nuclear power plants.
As you see in Figure 1, human, organization, and technology represents subsystems (links), which can break down the system (chain) if they are not strong enough to withstand the extra load (unpredictable safety risks). Accidents in NPPs occur as a result of a deficiency of one or more subsystems, which are most of the time related to human and organizational factors .
The focus of this paper will be on the human and organizational factors at pre-operational phase, which are dominant in the safety culture of NPPs.
Safety Culture Overview
Culture is a set of shared beliefs, values, and behavior of individuals in a certain society, organization, or nation. It is shaped by many factors, such as the climate, geography, education, government, and religions. Therefore, there is no a good or bad culture. The importance of highlighting the culture here is to understand the pros and cons that an organizational culture feature when it comes to safety. In other words, we need to understand the safety culture of an organization. The concept of safety culture has been first introduced by the International Nuclear Safety Advisory Group (INSAG) post the Chernobyl nuclear accident in 1986. Figure 2 illustrates the safety culture model, which was developed by Edgar Schein. The model consists of three levels: Artifacts, espoused values, and basic assumption.
The above model is used to assess an organizational safety culture. The artifacts level is very obvious, tangible, and visible to a person who is visiting an organization. Artifacts are what you see, hear, or feel. They include objects, language, rituals, and behavior. The examples of the artifact level are: Safety policy statement, zero lost time accidents, safety award presentations, and use of safety equipment. Although this level is very apparent, it is not easy to be fully understood unless you move to the next level.
The next level is the espoused values, such as goals and philosophies. This level is not noticeable, but it can be elicited. Examples of espoused values are: Teamwork, safety's priority, zero tolerance toward safety deficiencies, no-blame work environment, and mistakes consideration as excellent learning opportunities. It requires some analytical thinking to understand the links between an observed behavior and a contradicting espoused value. For instance, the absence of teamwork as an adopted value in an organization could result from a reward program that is highly competitive and individualistic. Sometimes, it is not that easy to relate an espoused value to a behavior. For instance, an operator may take risks to meet production targets while ignoring the safety priority espoused value. This problem requires deeper thinking and analysis that takes you to the third level.
The third level is the basic assumption, which entails the human nature. Examples of the basic assumption in a nuclear organization are: Risks have to be taken to achieve targets, carelessness causes accidents, some people are accident-prone, and accidents are always preventable. Unlike the previous two levels, this level is invisible and implicit. Most of the times, the basic assumptions are influenced by the deeper national culture. The basic assumptions at the management level translate their views of employees. Leaders who inhabit positive assumptions drive their employees to be self-directed. On the other hand, leaders who inhabit negative assumptions influence their employees to be self-controlled. The culture model presents evidence that the organizational culture is deep and broad. Culture is unchangeable, but it can be transformable if it is properly handled and given the adequate time. Experts in organizational sociology and psychology are the best people who can professionally assess a corporate culture. Though, they should use a systematic scientific methodology to attain accurate and precise data.
Safety Culture at Pre-Operational Phase
Safety culture in Nuclear Power Plants (NPP) starts right at the beginning of a project proposal. The existence of a strong safety culture throughout the project helps in discovering vulnerabilities at an early stage and thereby avoids future deficiencies by having the proper solutions in timely and cost effective manners. Experts allege that "concentration during project phases is dedicated to technicalities and project schedules and budgets, whereas human and organizational facts are not given the proper attention. The application of safety culture principles and practices in new NPP projects may prevent subsequent operational issues" .
The nuclear pre-operational project is divided into three phases as illustrated in Figure 3.
Phase I is the pre-project, which takes place prior to deciding on launching a nuclear power program. The first milestone in Phase I is a feasibility study. Phase II is the project decision-making process, which involves the preliminary work following the decision making to proceed in the nuclear power program such as the development of the conceptual design packages and prepare for the bidding process. Phase III is the construction, concerning all activities associated with an NPP completion and commissioning. The timeframe for a nuclear power project from the nuclear program consideration until the commissioning is between 10 to 15 years. Many factors contribute to that such as the maturity of technology type, funding process, contractor proficiency, experience, and other related issues. The pre-optional phase mandates intensive cross and internal communications and coordination between multiple concerned agencies, which may present a challenge. The following are examples of short-comings associated with the construction of NPPs identified by the Finnish Radiation and Nuclear Safety Authority (STUK):
• Poor communication and coordination between different concerned parties participating in the construction of the nuclear plant.
• Incompetent regulatory inspectors, insufficient oversight, and lack or ineffective training for the regulatory personnel.
• Improper problem identification, inadequate reporting, and ineffective corrective actions.
• Conflict between project schedule and safety compliance.
• Inadequate contractors experience in the nuclear field.
• Lack of nuclear safety training for subcontractors.
• Owners over reliance on subcontractors to perform all tasks .
The below safety culture barrier model is created by the authors to better understand and analyze the pre-operational challenges. Figure 4 model demonstrates two stages; the preoperational phase and operational phase. The pre-operational phase consists of multiple barriers to prevent poor NPP design. Therefore, regulatory bodies, plant management, site Subject Matter Experts (SMEs), project management, design office, vendors, and contactors are all countable for the design and construction of a nuclear plant. Each of them has its own defensive role, but merely works toward the same objective to assure a safe and good design of a NPP.
It is worth noting that regulatory bodies, site management and SMEs continue to support the plant's operation after commissioning. Those parties with the integration of Human Resource (HR) system, Safety Management Systems, and organization structure forms the basis for the organizational safety culture as presented in Figure 2. Thus, regulators, site managements, and SMEs are the dominant forces behind the existence and spread of safety culture during the project and the operational stages. The strong safety culture among those three parties and the strong safety culture of the entire organization are crucial for any NPP project. Next, we will describe the roles of the dominant safety culture barriers.
It is critical for a regulatory body to be independent of nuclear plant proponents and government interference. It should be empowered with the legislative authority to oversight all nuclear power activities during and after the pre-operational nuclear project phase. Regulators shall be technically competent, knowledgeable of human and organizational contributions to safety culture, and independent from governmental and operation organization influences when taking decisions. The relationship between the regulatory body and all stakeholders shall be maintained healthy. Despite the attained authority to access all the data related to the nuclear safety and give directions, they need to respect and hear from other parties when a safety concern arises.
The role of regulatory bodies in nuclear plant project depends on the preset strategies, which have huge impacts on the safety culture of the nuclear organization. The regulator policy outlines the responsibilities and boundaries of the regulatory body and other agencies.
For example, perspective strategy holds regulatory inspectors accountable for the safety performance and quality assurance of a nuclear plant and hence licensees may become entirely dependent on the regulator to perform critical assessments.
Self-assessment based strategy, on the other hand, features that the proponents are solely accountable for their safety performance with minimal interference of regulators. It boosts the learning and adoption of best practices of the licensees by conducting safety self-assessments.
The process-based strategy requires regulators to identify the critical processes and holds proponents accountable for the development and implementation. Process-based strategy for the long run promotes continuous improvement of the safety culture. It requires a system thinking talent, which might not be easily gained through training, though.
The best approach is the combination of all the above strategies so that both the regulator body and licensees are all accountable for the safety performance by collectively identifying and implementing the critical processes and regularly performing safety culture self-assessments to enhance the plant design and safety performance.
Site management role
The role of site managements in nuclear plant projects is significant. It impacts individuals and the whole organization culture. They are the ones who are responsible for procurement, budget control, and supporting SMEs to assure quality and safety of the plant design. A successful leader is trustworthy, fair, a team player who creates an adoption culture, encouraging, and motivating others. A successful leader commits him to the organizational goals, helps support and coaches other talents to promote the culture to the highest tier. The Pre-operational phase requires dynamic leadership skills that can adopt a rapidly changing environment. Besides project management skills, pre-operation leaders shall demonstrate nuclear safety awareness and commitment, be aware of human and organization factors, envisioned and open to new ideas. They shall create a healthy and open learning work environment engaging all individuals to achieve the set goals and have the ability to identify and resolve conflicts, ambiguity, and issues. Also, they shall be capable of working under pressure, have good decision-making skills, and maintain good relations with all participating parties. The site management after commissioning should continue assisting workers to understand their roles, coaches other talents, and positively challenge employees to show their innovation to solve problems.
Subject Matter Experts (SMEs) role
The role of the SMEs in pre-optional phase is very important. Their responsibilities include but not limited to:
• Review and approve the plant design.
• Be aware of all potential risks and hazards.
• Conduct critical Probability Risk Assessments (PRA) and human reliability analysis.
• Negotiate with the design office and vendors.
• Monitor the performance of the contractors during the construction.
• Test and approve the functionality of the safety systems and equipment.
The shortage of competent professionals to meet the growing demand in the nuclear field is a global challenge. It is even more challenging for newcomer countries to compete for the limit resource for those professionals to meet their demand. The local university programs in the developed countries may not be aligned with the industry need and can't provide the hands-on experience and in-depth competencies of the nuclear various aspects. Thus, in the early phases of the nuclear project, the countries may consider nuclear professional consulting companies who are experienced in NPP development to provide the required competencies to perform the essential tasks and simultaneously support licensees' learning.
In summary, the roles of regulatory, site management and SMEs are crucial to the safety culture at and post the pre-operational phase. Their roles are complementing and supporting each other. So, all of them should get the blame when there is a design deficiency or safety culture weakness.
The nuclear corporate staff will inherit their culture, which is, in fact, going to be the organizational culture for many years. The attempts to changing it are impossible. Nevertheless, transforming it to a better situation is possible, but it takes a long time and exerts considerable efforts and resources.
The best approach to maintain the highest plant's safety state throughout its lifecycle and thereby prevent accidents is to focus on the safety culture of the three parties at the beginning of the nuclear project.
The following section analyzes the past major nuclear plant accidents and proves the linkage between the lack of the safety at the pre-operational phase and the tragedies.
Project management role
The underline role of a project manager is assuring that a project completes on time, within the allocated budget, and quality. The project cannot be considered successful if there is any injury, fatality, or safety violations. A successful project manager in a NPP project shall adapt and expose the belief that safety and quality equate to cost and schedule performance productivity relates . He should play as safety officer and constantly reinforce the message to contractors and subcontractors that safety will never be compromised under any circumstances even if it impacts the project schedule and budget.
Design office role
The design office has an important role in determining the safest and most reliable technologies that suit the NPP project. Design engineers must work hand in hand with the plant SMEs to develop a qualitative design on paper. Also, they shall carry out a comprehensive analysis and studies related to the plant design safety systems such as probabilistic risk assessments, design basis accidents, seismic analysis, to identify all potential risks to be deliberated with all stakeholders ahead of implementation. Design office staff shall be driven by safety and their design deliverables should reflect their safety commitment.
Preoperational Safety Systems and Perspectives
The following safety systems and perspectives help identify the NPP risks right at the beginning of the NPP project to determine the required safe guards to eliminate or mitigate NPP accidents.
Human reliability analysis
The human contribution to nuclear accidents has always been present. The new view of human error according to Sidney Dekker is that "human error is a symptom of trouble deeper inside a system. To explain the failure, don't try to find where people went wrong. Instead, investigate how people's assessments and actions would have made sense at the time, given the circumstances that surrounded them" .
Human Reliability Analysis (HRA) is integrated with a PRA to provide risk data about human performance. The objective of the HRA is to support risk-informed decision-making on nuclear industries. Several HRA techniques are available in the market. All HRA techniques share the same objective. One of the well-defined HRA processes is the Technique for Human Event Analysis (ATHEANA), which has been developed by the USNRC. The USNRC in collaboration with the Electrical Power Research Institute (EPRI) has embarked on a new HRA hybrid method called IDHEAS, standing for Integrate D Human Event Analysis System. The purpose of IDHEAS is to reduce unnecessary and inappropriate variability in HRA results and improve the reliability of human error probability estimates. The IDHEAS method has a strong foundation in human performance and cognitive psychology theories and employs a cause-based quantification model. It carries out qualitative and quantitative analysis. The qualitative analysis involves:
• Narrative: Including crew response diagram and identifying their failure modes.
• Context: Considering possible complicating physical conditions and complicating human conditions.
The quantitative analysis, on the other hand, uses cause-based-decision tree.
Defense in Depth (DID)
Defense in Depth (DID) is a fundamental design and operational concept in NPPs. The basic questions DID can address are:
1. What if it goes wrong?
2. Can we protect ourselves from an unknown "unknown"?
DID integrates all safety activities, technologies, and human behavior in multiple layers. Hence, the DID components complement each other and prevent an accident or mitigate its consequences.
The primary objective of DID in NPPs is to control and manage power generation, cooling the reactor, and contain the radioactive materials inside the reactor building. Figure 5 illustrates the concept of defense in depth protection layers.
It is noted in Figure 5 that there are multiple barriers and control levels to prevent a nuclear accident or at least mitigate its consequences. The radioactive fuel is secured by three different barriers: A fuel matrix, cladding, and the primary circuit boundary. In addition, there are three segregated control levels to manage the normal operation process, abnormal operation, and emergencies within the design basis. Let's assume none of the previous systems work: The fourth barrier, confinement, exists to prevent radioactive release to the environment. Next, the fourth control level takes place to manage the accident on-site. The fifth level is the off-site emergency response, which is activated if the site officials could not handle the accident.
Failure Modes and Effects Analysis (FMEA) is a powerful technique used in DID philosophy. FMEA is conducted on a component, system, or at a global functional level to determine the effects of failures on a particular item, or on overall plant safety. Hence, it identifies other systems and functions necessary for promoting plant safety.
Probabilistic Risk Assessment (PRA)
The PRA is an engineering approach for establishing the risk profiles of NPPs. It identifies unrecognized deficiencies in a plant design or operation. The PRA is analogous to FMEAs but it is more quantitative. It is often used to relate the expected failure probabilities of the plant to specific regulatory goals. The PRA can simply answer the following questions:
1. What can go wrong?
2. How likely are these scenarios?
3. What are their consequences?
The PRA involves the identification and analysis of: initiating events, safety functions, and accidents' sequences. Figure 6 illustrates a PRA model, which consists of three levels.
The above PRA model is constructed to model the as-built and as-operated plant. The PRA model uses multiple sources of information, including:
• Plant design data.
• Thermal hydraulic analyses of plant response.
• System drawings and performance criteria.
• Operating experience data.
• Abnormal and emergency operating procedures.
• Maintenance practices and procedures.
The technical basis for the PRA model is based on the knowledge of the plant perturbation, the initiating event, such as the transient conditions. An example of transient conditions is: Loss of off-site power, loss of feedwater, and Loss of Coolant Accidents (LOCAs). This model also is based on the understanding of the plant response to that perturbation, such as the physical response, automatic responses, and operator responses. The results of this technical basis analysis are the definition of the end state, CDF and the determination of the system success measures for a given scenario, such as the time required to prevent the core damage. The building blocks of the PRA model are:
• Event trees to model the sequences of the events from an initiating event to the end state.
• Fault trees to model the failure of mitigating functions.
• Frequency and probability calculations for the initiating events.
The outcome of the PRA model could be one of the following:
• Core damage frequency (Level 1).
• Radioactive release frequency (Level 2) or
• Radiological consequences to the public (Level 3).
It is important to notice that the uncertainties of the PRA model accumulate as the PRA dives into Level II and Level III. Thus, most nuclear utilities do not bother themselves about Level II and Level III PRAs and conduct only Level I PRA .
NPPs' resistance to earthquakes is analyzed by using a combination of engineering analysis and seismic PRA methods. The Seismic Probabilistic Risk Assessment (SPRA) consists of the following:
• Seismic Hazards analysis.
• Fragilities analysis.
• Systems analysis.
The Probabilistic Seismic Hazard Analysis (PSHA) identifies seismic near and far sources at a given site. Also, it identifies the sizes of earthquakes for each source and their frequencies of occurrence. On the other hand, the fragility testing of a nuclear plant component is performed using shake-tables methodology. A plant component is placed on a table, which is shaking at incremental acceleration. The acceleration point at which the component flies away off the table determines the fragility of that component. The system analysis uses the event-tree and fault-tree methodology, which is fed from the component fragility analysis. Next, the intersection of the mean core damage fragility curve with the mean hazard curve indicates the mean frequency of the core damage due to seismic hazard. Figure 7 illustrates the SPRA methodology.
This SPRA methodology has limitations such as:
• Correlation among failures.
• Post-Earthquake human error probabilities, especially in non-seismic regions.
• Uncertainties in the hazards.
• Uncertainties in the fragility analysis.
Design basis accident
Design Basis Accident (DBA) is a postulated accident that a nuclear facility must be designed and built to withstand without loss to the systems, structures, and components necessary to assure public health and safety .
DBAs are affected by:
• Plant Initial conditions such as LOCA.
• Equipment failure and
• Loss of off-site power.
The plant response to Postulated Initiating Events (PIEs) has to be evaluated to acknowledge the accident sequences and determine the critical safety parameters. The safety parameters must be continuously monitored by console operators. The PIE acknowledgment helps the NPP task force in:
• Mitigating design basis events.
• Monitoring the accomplishment of plant safety functions.
• Assessing the integrity of protection barriers.
• Ensuring that the critical safety parameters have not exceeded the design basis values.
After Fukushima's accidents, regulators have incorporated severe accidents mitigation requirements in their standards. The severe accident can be defined as a beyond design accident at which a fuel meltdown is most likely to occur. In other words, it is the point when operators switch from emergency operating procedures to severe accident management guidelines. When the core outlet temperature reaches 1200 °F or (650 ℃) it is considered the critical point that determines a severe accident condition.
Regulators have also recommended adding qualification standards for natural hazards such as hurricane, tornado, heavy rain, flood, earthquake, and volcano. These hazards present a high challenge to NPPs and regulators due to the high uncertainties and shortage of expert sources.
Integrated risk-informed decision making process
Integrated Risk-Informed Decision Making (IRIDM) is a systematic process that balances between the nuclear plant's safety requirement and the plant's operation optimization. The objective of IRIDM process is to ensure that any decision affecting nuclear safety is optimized without excessively limiting the plant's production. Figure 8 illustrates the Risk-Informed approaches framework.
The risk-informed approach combines the traditional deterministic approach and risk-based approach through a deliberative process. The deterministic approach is a very conservative process, which focuses on unquantified probabilities, DBAs, DID, and safety margins. On the other hand, the risk-based approach is a very realistic approach that includes quantified probabilities and considers thousands of accident sequences. Both approaches are incomplete and have advantages and disadvantages. Figure 9 describes the IRIDM process, which is adopted by the USNRC.
The process starts with identifying the issue and then identifying the possible options to solve that issue. The options then are analyzed and deliberated with the concerned parties. The conscious decision afterword is made and implemented. The regulatory body keeps monitoring the implementation of that decision and takes corrective actions as needed by going through the same process over and over again. Figure 10 shows the complexity of the deliberation in the IRIDM process. The biggest advantage of deliberation is the consideration of all concerned parties concerns and inputs to obtain a consensus decision and assure commitments to implement the decision.
The beauty of the risk-informed approach is not only that it optimizes the unnecessary NPP inspection frequencies but also discovers overlooked systems.
Management system process to support safety culture
The integrated framework model is a systematic thinking process that incorporates the organizational systems, human systems, work processes, and sophisticated technologies. The purpose of this model is to help understand the relationship between those systems and their effects on each other to be parts of an integrated system. Figure 11 illustrates an integrated framework segment for management systems.
The integrated management system shown in Figure 11 comprises three essential elements:
• Human system, including leadership, taskforce competencies, organization structure, and safety culture. The human system is complex, dynamic, and dominant in determining the quality integrated management system.
• Management systems, involving work processes, regulations, policies, and standards and
• Physical and financial resources, including budget and complex technologies.
The systematic thinking approach also considers the external influences, impacting the interactions between the systems. The following are the external factors that influence the organizational safety culture:
• Cultures including national, organization, and multicultural extents.
• Environment, including business climate and resources and commercial availability.
• International obligations and expectations and
• Government, regional and corporate governance .
NPP projects can benefit from the application of the scheme thinking since they involve dynamic interactions between various systems and human. It also encompasses the contributory organizational factors. Nuclear Safety is only a segment of the entire system. The system's thinking approach in a nuclear project can be clearly explained by having an example of the consideration of the capability and competency of a regulatory body to perform oversight tasks on the given resource. Nuclear power projects consist of various management systems, such as design, construction, vendors, regulations, and commissioning.
Safety observation system
Safety is the responsibility of everyone working in a strong safety culture. Thus, it is necessary to have a systematic mechanism to raise and correct safety concerns with no fear. It is highly recommended adopting a safety observation system and makes it accessible to everybody involved in the NPP project including contractors. The Safety Observation System (SOS) can be also used to recognize individuals or groups for complying with safety regulations and roles. The SOS shall be monitored by the site management, regulatory body, and higher management. Root-cause Analysis and investigation should take place to address all safety violation reported in the SOS. In addition, feedback, corrective actions, and lessons learned shall be incorporated in the SOS and shared with everybody .
Major Nuclear Plant Accidents
Three sever nuclear plant accidents occurred in the history of nuclear power generation; Three Mile Island in 1979, Chernobyl in 1986, and Fukushima in 2011.
Three mile island
Three Mile Island Nuclear Power Plant consists of two Pressurized Water Reactors (PWR). The second reactor has an electrical power capacity of 906 MWe. It was put online a year before the accident happened on March 28, 1979. The event started when a high pressure started to increase inside the reactor, causing a pressure relief valve to open. The valve stuck open causing loss of steam and water from the reactor primary system. The operator unaware of the stuck valve was misled by the high water level in the pressurizer shown in Figure 12 and shut down the cooling water system. Consequently, the water in the reactor boiled away and reactor core overheated and partially melted. Hydrogen was produced as a result and exploded, but luckily was within the withstand design of the reactor building.
The radioactive materials release was limited and hence was the dose to the population surrounding TMI. It took 14 years to remove and clean up the damaged fuel rods with an estimated cost of 1 billion dollars. The other TMI reactor (TMI I) was modified and restarted in 1985. There were trust and communication issues between the public of the US and authority which led to confusion. As a result, a short-term precautionary evacuation of communities within 8 km radius of the plant was recommended .
The roots cause revealed to the TMI accident as identified in Kemeny report, (the Reactor Safety Commission in 1979) are:
• Instrumentation malfunction stuck open valve with no indication in the control room.
• Inaccurate probabilistic risk assessment for the relief valves.
• Neglect of lessons learned from other similar nuclear power plant incidents.
It is apparent that the malfunction of the relief valve and lack of the accurate probabilistic Risk Assessments (PRA) is an indication of a poor design and underestimation of the risks, which occurred during the pre-operational phase. In addition to that, the lack of safety culture among the regulators, site management, and technical experts by the neglecting lesson learned from other nuclear plant incidents to be incorporated into the plant design led to that accident. The operator reaction to the faulty instrument was another indication of absence of the human reliability assessment during the pre-operational stage. "The human reliability assessment identifies and provides probabilities for the human induced failure events that can negatively impact normal or Emergency operations" .
TMI accident resulted from the extension of the deficient safety culture of the parties participating in the nuclear project.
The Chernobyl nuclear power plant consists of four RBMK reactors. Unit 4 was a graphite-moderated channel-type Boiling Water Reactor (BWR) put online in 1984. A test program on Unit 4 was scheduled on the night of April 25th, 1986. The test failed, and hence the control room operators drove the reactor to an unstable state violating the safety operation limits at low power. Not only this but also they irrationally disabled the reactor protection systems. While the operators in the control room attempted to shut down the reactor, a very high power surge was initiated leading to an explosion in the core of the reactor. Consequently, the heavy lid of the reactor core lifted up and the control rods moved away from the fuel rods. With no radiation control, a second explosion occurred, destroying the entire reactor building as shown in Figure 13. In addition to that tragedy, a fire started in the remaining graphite lasting for ten days .
The Unit 4 reactor's explosion caused plenty of radioactive materials to release into the atmosphere, contaminate the soil of the plant, and travel by the wind to all over the Europe continent. Around 4000 TBq of Cs-137 were deposited on Swedish soil . The estimation of the total cost of the Chernobyl accident over 30 years since the tragedy is between 250 to 500 Billion US Dollar. The cost includes removal and safeguarding the damaged cores and clean-up activities. It is worth mentioning that the cleaning up, safeguarding, and recovery activities are still on going until now. More than 300,000 people had to evacuate the contaminated areas and people who are exposed to the contamination near the plant had serious psychological and health problems for many years .
According to INSAG 1986, the root causes of the accident and related deficiencies in safety work revealed to:
• Poor safety system design, unreliable reaction control system, and insufficient core containment capacity to cope with multiple fuel rods melting.
• Lack of thorough safety analysis.
• Poor communication of important safety information between RBMK plants and the designer.
• Weakness of the regulatory authorities to oppose unsafe act.
• Unclear safe operational guidelines for performing test procedures and
• Operators' ignorance to obey safety rules by disabling the safety system during the test performance.
"Taken together, these deficiencies showed that there was a general lack of safety culture in the political and organizational system, at the national level as well as locally" . The listed root causes are an evidence of strong bonds between the poor design and the deficient safety culture among regulatory bodies, technical experts, and the plant management who participated during the preoperational phase. The weakness of the safety culture, the neglect of getting lessons learned from what happened to TMI seven years back to improve the plant design, and failure to analyze the human reliability continued after the preoperational stage until the disaster occurred.
Fukushima Daiichi Nuclear power plant lies in Tohoku, Japan. It has six (BWR) nuclear reactors. At 14:46 on March 11, 2011, a high magnitude earthquake of a 9.0 followed by a 9.0 magnitude tsunami hit Japan soil. Units one, two, and three were running during the earthquake whereas units, four, five, and six were down for refueling.
Unit one, two and three did successfully shut down when the earthquake was early detected. Yet, the external power went off and hence the emergency diesel engines took effect to provide power to the cooling systems and essential instrumentation. Everything appeared fine until the moment when a 14-meter-high tsunami hit the plant at 15:41. Sea water flooded the lower floors of the nuclear reactors and thereby damaging the emergency diesel generators. The reactor cooling systems at Unit 1 through 3 stopped working causing the core overheating. Consequently, the fuel rods started melting and Hydrogen (H2) came out. After that, an explosion occurred, destroying the roof of unit one, three, and four as shown in Figure 14 and substantial amounts of radioactive materials released to the environment .
The released radioactive materials with the aid of rain caused substantial ground contamination. It is estimated that as much as 1800 km2 of land had contamination levels, resulting in a potentially cumulative radiation dose of 5 millisieverts or higher per year . The completion of the clean-up of the site is estimated to take 30 to 50 years due to the severe damage to the reactors. The total cost of the accident is estimated to be in the range of 100 to 500 billion dollars. About 150,000 people living within a 20 km radius from the plant have evacuated .
The root causes revealed form Fukushima accidents are as follows:
• Inadequate safety systems to protect the plant against tsunamis; the seawall was constructed at only 6 meters, whereas the tsunami hitting the plant was 14 meter high.
• Inadequate safety systems to protect the plant against tsunamis; the seawall was constructed at only 6 meters, whereas the tsunami hitting the plant was 14 meter high.
• Ignorance of Teppco's management, the owner of Fukushima Nuclear Power Plant, to the warnings of possible high tsunami.
• Lack of the safety culture among Teppco organization.
Fukushima tragedy was not different from TMI's or Chernobyl's. The poor design, negligence of learning from other accidents, management not commitment to safety, ineffective regulatory inspection, and weak technical staff are all signs of a deficiency of safety culture during the project. Although the disaster occurred 30 years later, the organization sustained the poor safety culture during the constructing of the plant, which proves the strong relationship between the safety culture at the pre-operational phase and after.
It is worth mentioning that all the three severe nuclear accidents were preventable if the regulators, plant management, and the technical experts were empowered with a strong safety culture at the pre-operational phase. The following section provides a proof of how the safety culture at Onagawa nuclear power plant saved it from the destructive tsunami.
Onagawa Nuclear Power Plant
Onagawa Nuclear Power Plant (NPP) experienced the same tsunami's strength as the one that hit Fukushima NPP. However, it survived the tsunami without any major safety issues. The reason behind that was the management and SMEs of Tohoku (Utility's owner) were driven by safety, since the construction of the first reactor in 1984. The construction time span between Fukushima NPP first reactor and Onagawa is only 5 years. Figure 15 demonstrates the locations of Fukushima and Onagawa NPPs on the Google map. It is interesting to note that Onagawa NPP's location is closer to the epicenter when the natural disaster occurred.
Both reactors, Fukushima's Unit one, and Onagawa first unit, have the same reactor technology, Boiling Water Reactor (BWR) by GE. Onagawa reactors were put online in 1984 while Fukushima's first reactor was online in 1981. However, Tohoku Electric Power Company, whose regulatory agency is also NISA, did not have similar risk management issues as TEPCO did . Onagawa NPP was constructed at 14.7 meters' elevation, which is about five times higher than the historical tsunami data available at that time. The plant's management and technical experts considered the risk of high tsunami and hence built the plant at a high elevation. In addition to that, Tohoku showed an impressive, effective emergency response to the severe natural disaster which reflects the strong safety culture in the organization by analyzing the human reliability thoroughly during the construction of the plant.
Despite the deficiency of the regulatory body effectiveness in Japan, Tohoku took the extra mile and considered safety as a first priority objective. Onagawa NPP is a role model for a strong safety culture organization that should be learned from by others. Unfortunately, it is not getting enough attention and few people in the nuclear field have heard about it.
Safety Cultural Comparison between TMI, Chernobyl, Fukushima, and Onagawa NPPs
Table 1 illustrates the safety culture traits comparison between: TMI, Chernobyl, Fukushima, and Onagawa NPPs based on surveys and root causes analysis investigations conducted post the accidents.
The common safety culture theme that can be concluded from the three most prominent NPP accidents, TMI, Chernobyl, and Fukushima, can be summarized as follows:
• A mindset of the management that ignore severe accidents possibility.
• A failure to make effective design making base on use of operational experience lessons learned.
• Ineffective safety and risk assessments.
• Poor systematical response to severe accident.
• Ineffective training.
• Failure to predict and manage plant behavior under abnormal conditions.
• Lack of a questioning attitude, and
• Defeceint work processes .
Unlike those three deficient safety culture organizations, Onagawa NNP had better safety traits that were realized after the real test the plant underwent in 2011.
Safety culture is proven to be the only resort to enhance the safety performance in any complex technological systems such as NPPs. The safety culture starts right at the beginning of the project proposal. All the severe nuclear power plant accidents resulted from deficiencies of their safety culture. On the other hand, Onagawa proved its strong safety culture as it survived the severe high tsunami level without major impact. Onagawa had taken in their consideration, the natural hazard which can be revealed from the high sea wall level they built back in 1984. Fukushima nuclear power disaster has a considerable impact on the global nuclear policies as some countries decided to accelerate their phase-out plans, some postponed their nuclear projects, and others to pursue their ambition to join the nuclear club as newcomers . It is merely important for the newcomers to give the safety culture and namely the human and organizational factors enough attention during the planning phase to avoid future accidents. The authors of this paper demonstrated a safety culture module to clarify the roles of various safety culture barriers to prevent nuclear disasters.