All rights reserved B&W Pantex 2008 4 Hour Professional
Development Seminar HPRCT Workshop, Baltimore Maryland June 21,
2010 Richard S. Hartley, Ph.D., P.E. Janice N. Tolk, Ph.D., P.E.
This presentation was produced under contract number
DE-AC04-00AL66620 with
Slide 2
All rights reserved B&W Pantex 2008 An organization that
repeatedly accomplishes its mission while avoiding catastrophic
events, despite significant hazards, dynamic tasks, time
constraints, and complex technologies A key attribute of being an
HRO is to learn from the organizations mistakes A.K.A. a learning
organization 2
Slide 3
All rights reserved B&W Pantex 2008 Nuclear Navy Commercial
nuclear power Aircraft carrier operations Hospital patient care
Military nuclear deterrent Forest service Aviation Nuclear weapons
assembly and disassembly 3
Slide 4
All rights reserved B&W Pantex 2008 Is it right for you?
4
Slide 5
All rights reserved B&W Pantex 2008 Data as of 7/7/2009
Contractor ISM deployed DOE injury rates have come down
significantly since Integrated Safety Management (ISM) was adopted
5
Slide 6
All rights reserved B&W Pantex 2008 Rx Trips/ Scrams Cost (
/kwh) Significant Events/Unit Capacity Factor (% up) Nuclear Energy
Institute (NEI) Data 6
Slide 7
All rights reserved B&W Pantex 2008 7
Slide 8
8 The Normal Accident Organization
Slide 9
All rights reserved B&W Pantex 2008 As Columbia and
Davis-Besse have demonstrated, great safety stats dont equal real,
tangible organizational safety. The tendency for normal people when
confronted with a continuous series of positive stats is to become
comfortable with good news and not be sensitive to the possibility
of failure. Normal people routinely experience failure by believing
their own press (or statistics). 9
Slide 10
All rights reserved B&W Pantex 2008 CAIB: The unexpected
became the expected, which became the accepted. 10 When NASA lost 7
astronauts, the organization's TRC rate was 600% better than the
DOE complex. And yet, on launch day 3,233 Criticality 1/1R* hazards
had been waived. * Criticality 1/1R component failures result in
loss of the orbiter and crew.
Slide 11
All rights reserved B&W Pantex 2008 Had some performance
hard spots in the 80's Had become a world-class performer in the
next 15 years Preceding initiating events of mid 90's Frequently
benchmarked by other organizations While a serious corrosion event
was taking place Complete core melt near miss in 2002 11
Slide 12
All rights reserved B&W Pantex 2008 SYSTEM ACCIDENT
TIMELINE 1979 - Three Mile Island 1984 Bhopal India 1986 NASA
Challenger 1986 Chernobyl 1989 Exxon Valdez 1996 Millstone 2001
World Trade Center 2005 BP Texas City 2007 Air Force B-52 2008
Stock Market Crash What is Next? Who is Next?
Slide 13
All rights reserved B&W Pantex 2008 Attempts to Understand
& Prevent System Accidents 13
Slide 14
All rights reserved B&W Pantex 2008 Attempts to Understand
& Prevent System Accidents (High Reliability vs. Normal
Accident Theory)
Slide 15
All rights reserved B&W Pantex 2008 "Most ailing
organizations have developed a functional blindness to their own
defects. They are not suffering because they cannot resolve their
problems, but because they cannot see their problems. John Gardner
15
Slide 16
All rights reserved B&W Pantex 2008 Individual Accidents OR
Systems Accidents? 16
Slide 17
All rights reserved B&W Pantex 2008 An accident occurs
wherein the worker is not protected from the plant and is injured
(e.g. radiation exposure, trips, slips, falls, industrial accident,
etc.) Plant (hazard) Human Errors (receptor) 17 Focus: Protect the
worker from the plant
Slide 18
All rights reserved B&W Pantex 2008 An accident wherein the
system fails allowing a threat (human errors) to release hazard and
as a result many people are adversely affected Workers, Enterprise,
Surrounding Community, Country 18 Human Errors (threat) Plant
(hazard) Focus: Protect the plant from the worker The emphasis on
the system accident in no way degrades the importance of individual
safety, it is a pre-requisite of an HRO
Slide 19
All rights reserved B&W Pantex 2008 System accident - an
occurrence that is unplanned and unforeseen that results in serious
consequences and causes total system disruption (i.e. death, dose,
dollars, delays etc.). System event - any unplanned, unforeseen
occurrence that results in the failure of the system that does not
result in catastrophic consequences -- indicates a breakdown in the
system vital to the well-being of many people and the survivability
of the organization! 19 System accident - an occurrence that is
unplanned and unforeseen that results in serious consequences and
causes total system disruption (i.e. death, dose, dollars, delays
etc.). System event - any unplanned, unforeseen occurrence that
results in the failure of the system that does not result in
catastrophic consequences -- indicates a breakdown in the system
vital to the well-being of many people and the survivability of the
organization!
Slide 20
All rights reserved B&W Pantex 2008 20 Some types of system
failures are so punishing that they must be avoided at almost any
cost. These classes of events are seen as so harmful that they
disable the organization, radically limiting its capacity to pursue
its goal, and could lead to its own destruction. Laporte and
Consolini, 1991 Some types of system failures are so punishing that
they must be avoided at almost any cost. These classes of events
are seen as so harmful that they disable the organization,
radically limiting its capacity to pursue its goal, and could lead
to its own destruction. Laporte and Consolini, 1991 Some types of
system failures are so punishing that they must be avoided at
almost any cost. These classes of events are seen as so harmful
that they disable the organization, radically limiting its capacity
to pursue its goal, and could lead to its own destruction. Laporte
and Consolini, 1991
Slide 21
All rights reserved B&W Pantex 2008 HROs vs. NAT
Organizations 21
Slide 22
All rights reserved B&W Pantex 2008 22 R = C x P If we are
truly working with high-risk operations, ethically and morally we
should not be in business! Risk = Consequence x Probability
Slide 23
All rights reserved B&W Pantex 2008 Belief of HRO Accidents
can be avoided by organizational design and management i.e. Risk =
C x P is manageable 23 Dr. Karlene Roberts Dr. Charles Perrow
Belief of NAT Accidents are inevitable in complex and tightly
coupled operations i.e. Risk = C x P is too high
Slide 24
All rights reserved B&W Pantex 2008 Belief of HRO Accidents
can be avoided by organizational design and management i.e. Risk =
C x P is manageable Belief of NAT Accidents are inevitable in
complex and tightly coupled operations i.e. Risk = C x P is too
high 24 Control of Risk DOE reduces C by: minimizing the hazard
and/or mitigating the consequence DOE reduces P - human performance
improvement human performance error precursors barriers
Slide 25
All rights reserved B&W Pantex 2008 Linear interactions
Expected & familiar production or maintenance sequences
Visible, even if unplanned Simple -- readily comprehensible Complex
interactions One component can react with others outside normal
production sequence Nonlinear Unfamiliar sequences, or unplanned
and unexpected sequences not visible nor immediately comprehensible
25
Slide 26
All rights reserved B&W Pantex 2008 Linear interactions
Expected & familiar production or maintenance sequences
Visible, even if unplanned Simple -- readily comprehensible Complex
interactions One component can react with others outside normal
production sequence Nonlinear Unfamiliar sequences, or unplanned
and unexpected sequences not visible nor immediately comprehensible
26
Slide 27
All rights reserved B&W Pantex 2008 27 Complex Interactions
1 2 3 Linear Interactions 123 4 For linear interactions 4 events
lead to 4 interactions. 1 2 3 4 5 6 1 2 3 4 5 6 7 89 Complex
Interactions 1 2 3 4 5 6 7 89 10 11 12 For complex interactions, 4
events lead to 12 possible interactions. Greatly amplifies
difficulty in determining and responding to the problem.
Slide 28
All rights reserved B&W Pantex 2008 28 Complex interactions
not necessarily high-risk systems with catastrophic potential,
examples: Universities R&D Federal Government Also takes
another key ingredient Tight coupling
Slide 29
All rights reserved B&W Pantex 2008 Loosely coupled
systems: Delays possible; processes can remain in standby mode
Spur-of-the-moment redundancies and substitutions can be found
Fortuitous recovery aids possible Failures can be patched more
easily, temporary rig can be set up Tightly coupled systems:
Time-dependent processes: they cant wait or standby Reactions in
chemical plants instantaneous, cant be delayed or extended
Sequences invariant Only one way to reach production goal Little
slack; quantities must be precise, resources cant be substituted
Buffers and redundancies must be designed in, thought of in advance
29 Ever done this? Super Glue
Slide 30
All rights reserved B&W Pantex 2008 30 Loose Coupling Tight
Coupling
Slide 31
All rights reserved B&W Pantex 2008 31 Normal Accidents
Living with High-Risk Technologies, Perrow Loose