Enhancing Human and Organizational Factors in Defence in Depth

Transcription

1 Enhancing Human and Organizational Factors in Defence in Depth Jozef Misak, UJV Rez a.s., Czech Republic, phone number: Germaine Watts, Intelligent Organizational Systems, Canada, phone number:

2 Contents of the presentation Practical method of objective trees for assessment of comprehensiveness of DiD Consideration of links between technological systems and human factors for identification of weaknesses in DiD Applying the Objective Trees for Assessment of Internal/External HOF in DiD and identification of improvements Ways for strengthening HOF in nuclear safety Examples of post-fukushima enhancements of objective trees How a Systemic perspective supports the realization of DiD provisions

3 Background Defence in depth (INSAG-10) hierarchical deployment of different levels of equipment and procedures to maintain the effectiveness of physical barriers placed between radioactive material and workers, the public or the environment, in normal operation, anticipated operational occurrences and, for some barriers, in accidents at the plant Defence in depth ensures that the safety functions are reliably achieved with sufficient margins to compensate for equipment failure and human errors Defence in depth is generally recognized as an effective way for preventing and mitigating consequences of accidents in nuclear power plants Provisions for compliance with defence in depth include both technological items as well as human controlled or influenced items Defence in depth is often oversimplified focusing on engineering aspects (barriers and their integrity) while soft aspects are much weaker Human and organizational issues including safety culture are associated with large uncertainties, while they can affect several levels of defence at the same time (similarly as external hazards)

4 IAEA Fundamental Safety Principle No The primary means of preventing and mitigating the consequences of accidents is defence in depth. Defence in depth is implemented primarily through the combination of a number of consecutive and independent levels of protection that would have to fail before harmful effects could be caused to people or to the environment. If one level of protection or barrier were to fail, the subsequent level or barrier would be available. When properly implemented, defence in depth ensures that no single technical, human or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability. The independent effectiveness of the different levels of defence is a necessary element of defence in depth Defence in depth is provided by an appropriate combination of: An effective management system with a strong management commitment to safety and a strong safety culture. Adequate site selection and the incorporation of good design and engineering features providing safety margins, diversity and redundancy, mainly by the use of: o Design, technology and materials of high quality and reliability; o Control, limiting and protection systems and surveillance features; o An appropriate combination of inherent and engineered safety features. Comprehensive operational procedures and practices as well as accident management 3 procedures.

5 DiD approach: Elaboration on the original table form INSAG-10 HOF means to be specifically added? Level of defence Objective Essential design means Essential operational means Level 1 Prevention of abnormal operation and failures Conservative design and high quality in construction of normal operation systems, including monitoring and control systems Operational rules and normal operating procedures Level 2 Control of abnormal operation and detection of failures Limiting and protection systems and other surveillance features Abnormal operating procedures/emergency operating procedures Level 3 Control of design basis accidents (postulated single initiating events) Engineered safety features (safety systems) Emergency operating procedures Level 4 Level 5 Control of design extension conditions (postulated multiple failures events) including prevention of accident progression and mitigation of the consequences of severe accidents Mitigation of radiological consequences of significant releases of radioactive materials Safety features for design extension conditions. Technical Support Centre On-site and off-site emergency response facilities Complementary emergency operating procedures/ severe accident management guidelines On-site and off-site emergency plans

6 Correlation of levels of defence and success criteria FREQUENCY Challenges to Level 1 dealt with by provisions of Level 1 Provisions Success: Normal operation Failure of Level 1 an event sequence is initiated Success: Return to normal operation, prevention of DBA Failure of Level 2 an accident sequence is initiated Success: Consequences within design basis Failure of Level 3 Acceptance criteria for DBAs exceeded Success: Containment integrity Failure of Level 4 prompt off-site measures needed 5 LEVEL 1 LEVEL 2 LEVEL 3 LEVEL 4 LEVEL 5 CONSEQUENCES

7 Defence in depth addressed in a number of background IAEA documents

8 Method of objective trees: Screening of comprehensiveness of defence in depth Possible interpretation of the term defence in depth is too broad: all NPPs have physical barriers and means to protect the barriers, while their level of defence can be very different A practical tool for detailed assessment of the comprehensiveness of the provisions for ensuring defence in depth was needed A screening method using so called objective trees has been developed by the IAEA several years ago to respond to the need The reference approach for checking the completeness and quality of implementation of the concept of defence in depth, which includes a comprehensive overview of challenges /mechanisms/provisions for all levels of defence Graphical form of objective trees helps to understand the links between safety provisions and challenges to safety objectives at different levels of defence At the same time the objective trees also illustrate that the means for protection of the physical barriers against releases of radioactive substances include much more than just NPP technological systems and procedures

9 Selected definitions Safety Function: A specific purpose that must be accomplished for safety in operational states, during and following DBA and, to the extent practicable, in, during and following the considered NPP conditions beyond the DBA Fundamental Safety Functions: 1) controlling the reactivity, 2) cooling the fuel, 3) confining the radioactive material and control of operational discharges, as well as limitation of accidental releases Safety Principles: Commonly shared safety concepts stating how to achieve safety objectives at different levels of defence in depth (INSAG definition) Mechanisms: Elementary physical processes or situations whose consequences might create challenges to the performance of safety functions

10 Selected definitions Challenges: Generic processes or circumstances (conditions) that may impact the intended performance of safety functions; a set of mechanisms having consequences which are similar in nature Provisions: Inherent plant characteristics, safety margins, system design features and operational measures contributing to the performance of the safety functions; aimed at prevention of the mechanisms to occur Objective Tree: Graphical presentation, for each of the five levels of defence, of the following elements, from top to bottom: 1) the objective of the level, 2) the relevant safety functions, 3) the identified challenges, 4) constitutive mechanisms for each of the challenges, 5) the list of provisions preventing the mechanism to occur

11 Description of the objective trees (next figure) Safety must be ensured by provisions at all 5 levels at the same time Each level has its relevant safety objectives ensured by maintaining integrity of the barriers For maintaining integrity of the barriers, the fundamental (and derived) safety functions should be performed Performance of safety functions can be affected by a number of mechanisms; combination of similar mechanisms represents a challenge to safety functions To prevent mechanisms and challenges affecting the safety functions, safety provisions of different kinds should be implemented Links between different components of defence in depth can be graphically depicted in objective trees

12 General structure of the objective tree at each level of defence (IAEA SR No. 46)

13 Comprehensiveness of safety provisions (measures) to ensure effectiveness of barriers Variety of safety provisions: organizational, behavioural and design measures, namely inherent safety characteristics safety margins active and passive systems operating procedures and operator actions human factors and other organizational measures safety culture aspects Although plant systems are very important, they are not the only important component of defence in depth How to ensure that a set of provisions is comprehensive enough? Basic Safety Principles (INSAG-12) Safety principles form a fundamental set of rules how to achieve nuclear safety objectives and ensure comprehensiveness of provisions INSAG-12: The safety principles do not guarantee that NPPs will be absolutely free of risk, but, when the principles are adequately implemented, the plants should be very safe

14 Overview of INSAG-12 basic safety principles Fundamental principles: Management (3); Strategy of defence in depth (3); General technical principles (10) Specific principles: Siting (4); Design (25); Manufacturing and construction (2); Commissioning (4); Operation (12); Accident management (3); Emergency preparedness (3); Decommissioning (1)

15 Examples of safety principles (INSAG-12) 30. Safety culture. An established safety culture governs the actions and interactions of all individuals and organizations engaged in activities related to nuclear power. Explanatory text in 4 articles, more than 2 pages of text 89. Human factor. Personnel engaged in activities bearing on nuclear plant safety are trained and qualified to perform their duties. The possibility of human error in nuclear power plant operation is taken into account by facilitating correct decisions by operators and inhibiting wrong decisions, and by providing means for detecting and correcting or compensating for error. Explanatory text in 6 articles, about 2 pages of text 192. Protection against power transient accidents. The reactor is designed so that reactivity induced accidents are protected against, with a conservative margin of safety. Explanatory text in 2 articles, approx. 1 page of text 249. Achievement of quality. The plant manufacturers and constructors discharge their responsibilities for the provisions of equipment and construction of high quality by using well proven and established techniques and procedures supported by quality assurance techniques. Explanatory text in 4 articles, approx. 1 page of text

16 INSAG Basic Safety Principles LEVEL 1 LEVEL 1 LEVEL 2 LEVEL 2 LEVEL 3 LEVEL 3 LEVEL 4 LEVEL 4 15 LEVEL LEVEL 5

17 Examples of challenges /mechanisms/ provisions Safety principle (192) Levels 1-3: Protection against power transient accident Challenge: Insertion of reactivity with potential fuel damage Mechanisms: 1. Control rod (CR) withdrawal; 2. CR ejection; 3. CR malfunction; 4. Erroneous start-up of a loop; 5. Release of absorber deposits; 6. Incorrect refueling operations; 7. Inadvertent boron dilution Provisions (only for 1 st mechanism): For Level 1: Design margins minimizing need for automatic control Operational strategy with most rods out For Level 2: Monitoring of control rod position Limited speed of control rod withdrawal Limited worth of control rod groups For Level 3: Negative reactivity feedback coefficient Conservative set-points of reactor protection system Reliable and fast shutdown system

18 Examples of objective trees 17

19 Statistics of the objective trees included in IAEA Safety Report No different challenges identified (some of them applicable for several levels) 254 different mechanisms identified 941 different provisions indicated

20 Safety functions SF(1) affected: to prevent unacceptable reactivity transients Example: Objective tree for Level 2 Mechanisms Challenges Insertion of reactivity w ith potential for fuel damage SAFETY PRINCIPLE: Protection against power transient accidents Control rod w ithdraw al Control rod malfunction (drop, alignment) Erroneous startup of loop Release of absorber deposits Incorrect refuelling operations Inadvertent boron dilution M onitoring of rod position In-core instrumentation Limitations on inactive loop parameters Adequate coolant chemistry In-core instrumentation Adequate operating procedures Limited speed of rod w ithdraw al M onitoring of rod position Limited speed for a loop connection In-core instrumentation Sufficient shutdow n margin M onitoring system for makeup w ater 19 Limited w orth of control rod groups Provisions Negative reactivity coefficient feedback Long time for operator response

21 safety functions: SF(7) affected: to remove residual heat in operational states and accidents with RPB intact SF(6) affected: to remove heat from the core after a failure of the RPB to limit fuel damage SF(8) affected: to transfer heat from other safety systems to the ultimate heat sink challenges: Long term ultimate heat sink (UHS) not adequate Heat transport systems(hts) vulnerable mechanisms: Body of water (sea, river, lake,etc.) lost due to external hazards Atmospheric UHS not designed to withstand extreme events Heat transport systems(hts) not reliable Evaporation of water process in UHS impacted Raising of the temperature process of UHS impacted Support systems for UHS not proper designed provisions: Analysis of all site relevant extreme events for design External hazards properly addressed in in UHS design HTSs designed according to the importance of their contribution to HT Proper design of the HTS Extended capabilities for heat transfer in case of severe accidents natural phenomena human induced events natural phenomena human induced events diversity of UHS diversity of supply systems (power, fluid) proven components redundancy diversity interconnection isolation physical separation Objective tree for Levels 1,2,3,4 of defence in depth. 20 SAFETY PRINCIPLE: Ultimate heat sink provisions(142) rates within limits pressure limits interconnection and isolation capabilities leak detection power and fluid supply LOOP redundancy diversity independence safety margins design precautions for external hazards venting additional water for spray system

22 : Objective tree for Level 3 of defence in depth SAFETY PRINCIPLE: Dependent failures) All FSFs affected: controlling reactivity cooling fuel confining rad. mat. Safety systems fail when performing their functions due to common-cause failure vulnerabilities CCF due to internal events (loss of power, lack of fuel for DGs, etc.) CCF due to system errors in design, construction, operation, maintenance, tests CCF due to events originated in other units on the same site CCF due to internal hazards (flooding, missiles, pipe whip, jet impact) CCF due to fires and internal explosions CCF due to earthquakes CCF due to human made hazards (aircraft crash, gas clouds, explosives) CCF due to external events (high winds, floods, extreme meteorol. cond.) Independence of safety systems from other plant systems Independent, redundant systems linked with diversity Avoid sharing of important systems between units Risk analysis of internal hazards and implementation of countermeasures Fire hazard analysis performed to specify barriers, detection, fighting systems Preference to fail-safe operation of systems Consideration of seismicity in site selection Assessment of risk from man-induced hazards Most extreme conconditions considered in special design features Fail-safe design of safety systems to the extent possible QA programme implemented in all phases of plant lifetime Demonstration of safety for all operational states and DBA on any of units Physical separation by barriers, distance or orientation Use of noncombustible, fire retardant and heat resistant materials Separation of redundant systems by fire resistant walls/doors Sufficient margins in anti- seismic design Subset of maninduced events included into design Sufficient redundancy and diversity in power sources Independent verification/ assessment of design Safe shutdown and cooling of one reactor with severe accident on other Redundant systems located in different compartments Preferable use of non-flammable lubricants Control of combustibles and ignition sources Safety equipment qualified for seismic events by tests and analysis Transport routs declined from vicinity of the plant Redundancy, diversity, independence of auxiliary services for safety systems Margins incorporated in design to cope with ageing and wear-out Crucial equipment qualified for environmental conditions Sufficient fire fighting capability available Automatic initiation of fire fighting system Events possibly induced by earthquakes e.g. floods considered Interaction of simultaneously operated safety systems Coordination of different operational maintenance, support groups External events considered as initiators for internal hazards (fires, floods,...) Inspection, maintenance, testing of fire fighting system Fire resistant systems for shutdown, RHR, monitoring, conf. of radioactivity Failure of non-safety equipment to affect performance of safety equip. avoided Overpressurization of one system from other interconnected system avoided Avoid impairment of safety systems by function of fire fighting systems External fire fighting services considered 21 Organization of relevant training of plant personnel

23 Human and organizational factors as an integral part of defence in depth 22

24 Consideration of human and organizational factors in objective trees INSAG 12 safety principles indicated clear role of human and organizational factors for achieving safety objectives at all levels of defence Defence in depth is often oversimplified focusing on engineering aspects (barriers and their integrity) while soft aspects are neglected Human and organizational issues are associated with large uncertainties, and can affect several levels of defence at the same time Objective trees illustrate clear links between weaknesses in human and organizational factors and challenges to safety objectives and help to identify and eliminate them It is obvious that there is always a room for improvements, and comprehensive assessment of Fukushima offers broad opportunity for improvements

25 Example: Objective tree for Level 1-4 : HOF SAFETY PRINCIPLE Organization, responsibility and staffing All FSFs affected: controlling reactivity cooling fuel confining rad. mat. Degraded responsibility of operating organization for safe operation Challenges Degraded staff actions in normal operations Degraded staff actions in accident situation and beyond Important elements for achieving safety not established Responsible plant manager in place Operation not governed by safety Implementation and enforcement of safety culture principles Resources not provided by executive management Executive management provides resources Missing or incomplete job descriptions Job descriptions to state responsibilities Loss of corporate memory Mechanisms Long term int. training programme for crucial staff Insufficient number of qualified staff Enough qualified staff is employed Undue stress or delay in activities Appropriate schedule for normal activities Weak supervision during periods of exceptional workload Appropriate schedule for supervision by exter. experts Insufficient staffing specifications Backup for key positions Staff not qualified for special tasks; emergency service not available Qualified staff for damage assessment and control Organizational structure under plant manager in place Executive management supports plant manager financial technical support material chemistry radiological protection other staff resources to operation Sharing of experience of senior experts with new staff Competitive conditions for necessary expertise Maintaining motivation of staff during shut down periods Provisions e.g. maintenance, etc. Taking account of attrition Time reservation for retraining Qualified staff for AMP Qualified staff for fire fighting Qualified staff for first aid treatment Maintaining documentation important for corporate memory Qualified staff for onand off-site monitoring Support of good students in relevant areas Emergency service in the locality

26 Provisions Mechanisms Example: Objective tree for Levels 1-3: HOF SAFETY PRINCIPLE Training Challenges Routine staff activities potentially compromising safety due to overall lack of qualified personnel Degraded plant safety performance due to inappropriate safety management All FSFs affected: controlling reactivity cooling fuel confining rad. mat. Safety functions Unqualified conduct of control room operations with limited or degraded knowledge Failures of plant systems initiated or resulting from unqualified maintenance Insufficient development of safety awareness Non-effective staff training Specialized management training insufficient Degraded or out-of-date knowledge Limited theoretical and practical knowledge of the plant Specialized maintenance staff training insufficient Comprehensive training programme for all staff Supporting training organization with sufficient resources and facilities Inclusion of safety culture principles into training Avoidance of conflict of production needs and training of personnel Assessment and improvement of training programme Training of external personnel and cooperation with plant personnel Approval of training programme by regulatory body Inclusion of tests of all personnel into training programme Systematic approach to training Inclusion of variety of aspects:neutronics, TH, radiological, technological into training Importance of maintaining fundamental safety functions into training Importance of maintaining plant limits and conditions into training Inclusion of plant lay-out, role and location of important components and systems into training Inclusion of location of ramaterials and measures to prevent their dispersal into training Covering plant normal, abnormal and accident conditions in training Inclusion of relevant plant walk-through into staff training Priority of safety over production in training Covering role of managers in ensuring plant safety Inclusion of PSA results into training Familiarization with results of accident analysis within DBA Analysis of operational experience feedback from same or similar plants Covering detailed training of normal operating procedures Plant familiarization and on the job training Simulator training for plant operating regimes Inclusion of analysis of operating events into training Arrangement for formal approval (licensing) of operators Includsion of PSA results into training Familiarization of staff with results of accident analysis within DBA Covering details of accidents within DBA including diagnostic skills Detailed EOP training, retraining and testing of operating personnel Emphasizing team work and coordination of activities Use of plant full scope simulator in training for accidents within DBA Analysis of transients and accidents occured in similar plants On the job training Use of special equipment and mockups in training Potential safety consequences of technical or procedural errors Covering records of reliability and faults of plant systems during maintenance Analyzing spurious initiation of events and activation of plant systems during maintenance Specify intervals for refreshment training

27 Provisions Mechanisms Safety functions All FSFs affected: controlling reactivity cooling fuel confining rad. mat. Lack of personnel for accident management Inadequate response of AM personnel due to lack of AM procedures Challenges Inadequate response of AM personnel due to lack of AM training Personnel assignement not effective for BDBA Emergency operating procedures not developed adequately for BDBA Severe accident guidelines inadequate Training programme for AM inadequate Performance of training for AM inadequate Review of emergency organization and qualification of personnel Specification of scenarios representative or contributing significantly to risk Procedures for all strategies and check their effectiveness Definition of training needs for different personnel Arrangemment for regular retraining and testing of personnel Development of a list of required qualifications Definition of plant states to be covered by EOPs and their symptoms User friendly format of SAMG Inclusion of simulators to reasonable extent to training programme Involvement of emergency staff into functional tests of equipment Sufficient human resources for accident management Proposal and verification of recovery actions for BDBA Completness of guidelines vs strategies for accident managem. Covering details of phenomenology of severe accidents into programme Inclusion of relevant operating events into training Definition of lines of responsibility and authority for all personnel Availability of information to detect level and trend of severity Availability of information needed to detect level/trend of severity Familiarization of staff with results of severe accident analysis for the NPP Inclusion of other site and external personnel into training Establishment of a specialist team to advice operators in emergency Call-on system for personnel Verification of performance of required equipment under BDBA conditions Definition of conditions for operator involvement incl. exit from EOP Verification and validation of EOPS for selected BDBA Availability of EOPs in all operating locations Verification of performance and access of equipment required for each strategy Definition of expected positive and negative effects for each strategy incl. uncertainties Definition of entry and exit conditions for each strategy and further steps Verification and to the extent possible validation of SAGs Availability of SAGs in all operating locations Inclusion of relevant plant walk-through into training programme Making available AMP development material for training Availability of software tools for validation and training Consistency of procedures and guidelines with simulation Making training programme available to regulator Example: Objective tree for Level 4: HOF SAFETY PRINCIPLE Training and procedures for accident management

28 Mechanisms Overall lack of expertise in the country Safety functions Challenges Insufficient coordination of technical support for NPP All FSFs affected: controlling reactivity cooling fuel confining rad. mat. Engineering and technical support inadequate to maintain required capability of disciplines important to safety Lack of resources for comprehensive engineering and technical support Example: Objective tree for Levels 1-4: HOF SAFETY PRINCIPLE Engineering and technical support of operations Insufficient expertise in technical support organizations Education and training for the country (links with universities, etc) Definition of necessary expertise needed to ensure plant safety throughout lifetime Use of more efficient expertise of plant personnel Evaluation of expertise available and support development of lacking expertise Contact to foreign partners or international organizations Internal group for support of operation, independent assessment and control of external support Sharing resources with other organizations having similar needs Involvement of several engineering and technical support organizations Establishment of links with the plant suppliers Strategy for assistance in evaluation of events plant modifications, repair, tests and analytical support Use of resources from international sponsorships programmes Adequate quality assurance programmes in technical support organizations Support of relevant research programmes Links and clear interfaces with external technical support organizations Availability of sufficient resources to contract external organizations Support competitive working conditions in technical support organizations compared to other industries Provisions Inclusion of results of research programmes into technical support Support of relevant research programmes Links with foreign technical support organizations

29 Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, May 2013) Enhancing effectiveness of the regulatory body Organizational changes, including recognition of the need for the independence of the regulatory body The development of additional regulatory requirements, expectations and guidance on human and organizational factors The regulatory body providing licensees the authority at the preparedness stage to perform activities in emergency situations that may be outside the existing operating procedures and regulatory requirements but that are necessary in order to mitigate consequences The regulatory body and the licensee holding joint dialogues about safety culture The development of an integrated approach to safety by the regulatory body to enable dialogue on topics beyond compliance and regulation Enhanced efforts by the regulatory body to go out in the field and engage the licensee in conversations at the working level about safety practices and policies Efforts supporting safety culture self-assessment by the regulatory body and the sharing of that information with licensees

30 Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, May 2013) Internal enhancement of safety performance of the operating organization Implementation of more practical ways for managers to strengthen safety culture supporting prioritization of nuclear safety (in particular, if a NPP is part of non-nuclear utility) Strengthening leadership and management for safety, mainly for top-level managers Identifying ways to ensure that safety is a top priority Objectively assessing efforts to strengthen safety and informing staff about safety initiatives Proactively introducing resources to ensure safety Questioning whether safety culture is a high enough priority Recognizing the efforts of personnel to protect and ensure the safety of the public, the workers and the plant Improvements with regard to decision making and consideration of the use of tools to support decision making in emergency response Identification of additional training, including understanding resilience, for operating personnel

31 Ways for strengthening HOF in nuclear safety (IAEA IEM on HOF, May 2013) Adequate consideration of external factors Implementation of systemic approach to safety, taking into account interaction between individual, technical and organizational factors Strengthening mutual interactions and cooperation among all stakeholders (operators, vendors, regulators, contractors, TSOs, corporate organizations, international organizations) Strengthening interdisciplinary expertise by involvement of social and behavioural sciences Continuously improving maintenance management to ensure safety and establishing closer cooperation with manufacturers and contractors Establishing and maintaining the trust of local communities Use of new communication interfaces and arrangements with all stakeholder organizations Consideration of human and organizational factors in the planning, conduct and evaluation of emergency drills and exercises

32 Examples of post-fukushima enhancements of objective trees 31

33 Example: Objective tree for Level 1-4: HOF SAFETY PRINCIPLE Organization, responsibility and staffing External factors

34 Lack of safety culture Example: Objective tree for Level 1-4: HOF SAFETY PRINCIPLE Organization, responsibility and staffing

35 Reinforcing Defence in Depth A Practical Systemic Approach IAEA IEM on HOF (21-24 May 2013) - importance of adopting a systemic approach to safety that considers the interaction between individual, technical and organizational factors. WHY? investigate the non-linear interactions between the hard and soft logic trees, and to look beyond traditional organizational boundaries Complicated systems the relationship between cause and effect requires analysis or some other form of investigation and/or the application of expert knowledge (sense-analyse-respond) expert and rational leaders, top-down planning, smooth implementation of policies, and a clock-like organization can ensure flawless operation Complex systems the relationship between cause and effect can only be fully perceived in retrospect (probe-sense-respond) filled with hundreds of moving parts, potentially thousands of actors with varied expertise and independence, and no central point that orchestrates all these different parts within an ever-changing context

36 Complex Systems Reality: Behaviour is contextualized: continuously adapt in and evolve with a changing environment; conflict and unplanned changes occur all the time, perceptions and projections have impact Result: Very high degrees of uncertainty that represent a different riskmanagement challenge than in technical systems; emergent, fractal property; normal tools for predictability are insufficient Requirement: Use a screening process that looks at how the entire complex system is adapting to changes, dealing with conflicts, and learning as a whole (next slide) Maintain and strengthen virtuous cycles to support the ultimate goal of safety conscious decisions and actions, Intervene in vicious cycles that undermine the information flows, cooperation, and conservative decision-making 35

37 Systemic Perspective A systemic perspective enhances application of the defence in depth concept by screening interactions multi-directionally, and across many organizational boundaries

38 Example: DiD Resilience - Changing HOF Reality Novel practice Emergent practice Good practice Best practice

39 IAEA Systemic Training Workshop Purpose deepen understanding of human and organizational factors demonstrate application of the systemic mapping methodology to real life scenarios provide opportunity for participants to explore safety challenges in their own organizations with multi-disciplinary team of facilitators Target Audience middle managers in operating, regulatory and technical support organizations, including non-technical leaders such as performance improvement, training, and leadership or organization development managers Timing March 29 April 1, 2016

40 Conclusions Defence in depth is an essential strategy to ensure nuclear safety for both existing and new NPPs The use of objective trees for screening the comprehensiveness of defence in depth provides a powerful tool for understanding links between technological and organizational provisions for ensuring safety of NPPs Defence in depth should not be oversimplified by reducing it to the capacity of barriers to protect against releases of radioactive substances. The large uncertainties associated with predicting human behaviour, alongside their sensitivity to organizational factors and societal influences, requires special attention to be given to soft logic trees within the defence in depth framework and screening process.

41 Conclusions Defence in depth can be further strengthened by understanding nuclear power programmes as complex systems, and by taking into account all the components of the system, from operators, through middle level managers, NPP managers, up to corporate, governmental and even international levels when assessing risk. Cross-correlation and mutual interdependence between all components of this complex system s defence in depth needs to be given considerable attention in the future. The use of system mapping for exploring the non-linear interactions between individual, technical and organizational factors can enhance defence in depth by providing a method for screening the multiplicity of dynamics within and between organizations that drive the overall culture for safety within a national nuclear programme.