Human Factors Subcommittee - March 15, 2000
UNITED STATES OF AMERICA
NUCLEAR REGULATORY COMMISSION
ADVISORY COMMITTEE ON REACTOR SAFEGUARDS
MEETING: HUMAN FACTORS
U.S. Nuclear Regulatory Commission
Two White Flint North, Room T-2B1
11545 Rockville Pike
Wednesday, March 15, 2000
The subcommittee met, pursuant to notice, at 1:05
GEORGE APOSTOLAKIS, ACRS, Chairman
JOHN J. BARTON, ACRS
JOHN D. SIEBER, ACRS
NOEL F. DUDLEY, ACRS
MARIO V. BONACA
DANA A. POWERS. PARTICIPANTS:
JACK ROSENTHAL, RES, Chief of the Regulatory
and Human Factors Branch
BRUCE HALLBERT, INEEL
DAVID GERTMAN, INEEL
JOHN O'HARA, BNL
VICKI BIER, University of Wisconsin
ISABELLE SCHOENFELD, RES
J. PERSENSKY, RES
DAVID TRIMBLE, NRR. P R O C E E D I N G S
MR. APOSTOLAKIS: The meeting will now come to
order. This is a meeting of the ACRS Subcommittee on Human
Factors. I am George Apostolakis, chairman of the
subcommittee. ACRS members in attendance are John Barton
and John Sieber.
The purpose of this meeting is for the
subcommittee to review the NRC program on human performance
at nuclear power plants, the status of international
activities, the quantitative analysis of risk associated
with human performance, the safety issues report on economic
deregulation, status of control station review guidance, and
planned activities by the Office of Nuclear Regulatory
Research and the Office of Nuclear Reactor Regulation.
The subcommittee will gather information, analyze
relevant issues and facts, and formulate proposed positions
and action, as appropriate, for deliberation by the full
committee. Mr. Noel Dudley is the cognizant ACRS top
engineer for this meeting.
The rules for participation in today's meeting
have been announced as part of the notice of this meeting,
previously published in the Federal Register of June 1,
1999. A transcript of this meeting is being kept and will
be made available, as stated in the Federal Register notice.
It is requested that speakers first identify themselves and
speak with sufficient clarity and volume so they can be
We have received written comments from Mr. Barry
Quigley, a licensed senior reactor operator. I will read
his statement into the record.
Mr. Quigley writes, "The ACRS is currently
reviewing the impact of human error on reactor safety. To
date, the role of fatigue has gone largely undetected. It
stretches the limits of credibility to believe that only one
percent of the errors listed in the human factors
information system are due to fatigue.
"Contrast this with National Transportation Board
data that shows about 30 percent of consequential errors are
due to fatigue. A comparison between NTSB data and nuclear
plants is not inconsistent. Control room crews have similar
dynamics as airline crews and personnel working alone in the
field compared to truck drivers.
"My experience as a root cause analyst allows me
to review LERs and determine that fatigue or other causes
are not found to be the causes of events simply because the
reports don't look deep enough. The reports stop at
personnel error or slightly deeper at inattention to detail.
True root causes for the human errors, such as mind set,
task too complex, or fatigue, are rarely reached.
"Utilities also rely on supervisory operation to
detect fatigue and impairment. Given the reductions in
numbers of supervisors and dramatic increases in their
workload brought on by deregulation, observation is a poor
barrier to fatigue. Attempts to take credit for observation
at the briefings at the beginning of a shift are deceptive.
Personnel are being observed when they have had the most
rest. They are also being observed outside of their normal
work environment. Even when observation occurs, detection
of fatigue is not easy. Recently, one large utility
admitted that it had not trained personnel on detecting
"I ask that when the ACRS discuss the causes of
human error, fatigue be considered as a potentially
significant contributor. I am uncertain of the protocol for
dealing with the ACRS, so I hesitate to provide large
amounts of information that might otherwise distract from
the planned discussions today. Further information can be
found in a proposed rule making to 10 CFR 26, fitness for
duty programs (PRM 26-2), and the Union of Concerned
Scientists report, overtime and staffing problems in the
commercial nuclear power industry.
"I can also be contacted directly. Sincerely,
Barry Quigley, senior reactor operator."
This is the end of the statement.
The ACRS last reviewed and commented on the human
performance plan on February 19, 1999. Today the staff will
update the subcommittee on its revision to the plan and on
the status of ongoing activities.
We will now proceed with the meeting. And I call
upon Mr. Rosenthal, Chief of the Regulatory Effectiveness
Assessment and Human Factors Branch to begin.
MR. ROSENTHAL: Thank you. I am Jack Rosenthal,
chief of the Regulatory Effectiveness Assessment and Human
Factors Branch. That is a mouthful.
J. Persensky is the team leader of the human
performance. And he will be assisting in the presentation.
And David Trimble from NRR is responsible for human
performance at NRR. And he will have comments to make
later. This is a joint plan of RES. RES is lead. And NRR,
NMSS would ideally be another participant. They are
reorganizing their own risk efforts right now and so did not
participate in this version of the plan.
I am going to give some introductory remarks and
talk mostly from a paper that we wrote to the Commission and
was provided, which actually presents the plan to the
Commission, and make some comments myself about risk work
that we did at Brookhaven with the in-house staff.
Then Hallbert from INEEL is going to talk about
their quantitative accident sequence precursor work. And
then John O'Hara will talk about control stations, Vicki
Bier about economic deregulation, Isabelle Schoenfeld of the
staff about international work, Dave about NRR activities,
and then Jay for where we are going from here.
Last time there was a meeting on the plan itself,
Steve Arnt (phonetic) was the presenter, and I got to sit in
the audience. We paid a lot of attention to the comments
that were made. Not all the things that we are talking
about today span all of your concerns.
You wanted us to have close ties with NPO, and we
have had contact with NPO and EPRI to ensure that we don't
duplicate efforts. We have done that.
You asked about what other federal agencies were
doing, and we compiled the list of those activities. And we
provided that information to you last week in writing. So
we will not be discussing them today. But I think that we
were faithful to your concerns. And the agenda is based on
your current concerns.
We have been working on the human performance plan
since 1995. I was in AEOD at the time. And it was just
originally an attempt for the three branch chiefs to get
together to ensure that activities were coordinated and we
were not duplicating efforts. And it grew into a formal
In 1998, we described what work we were doing to
attempt to risk inform the plan. We had a meeting in
February of 1999 that I just referred to. And we just
roughly on an annual basis came out with rough versions of
We want to stop doing this, because it is a very
small effort. And if we could do our planning biannually
instead of annually, or something else, we could actually
put more resources into work.
I will be getting to the substance in a minute.
The section that we presented to you talks about the status
of prior meetings, gives a mission statement. I don't want
to dwell on it. And the program.
Ideally, if we were to truly risk inform, we could
take all the program elements and do some sort of risk
achievement worth and calculate just what each thing is
worth and truly risk base all our activities. But the
reality is that we can't risk base our activities. We can
risk inform our activities.
In research, user needs from the program offices
are very, very important. And some of the work that we do
is based on user needs.
MR. POWERS: Can you give us a feeling for about
MR. ROSENTHAL: About 80 percent. It varies from
year to year in terms of the money that is being spent. And
I will get into that.
In the SECY that we provided you, there is a table
of each of the activities. And you will see one, two or
three asterisks next to each item, which explains which are
formal user needs or anticipated user needs or RES-sponsored
work. So what I will say is that the plan is risk inform,
but it is not risk base in the sense that we just cannot go
to every bubble and come up with a formal risk achievement
We are also mindful of what industry is doing. We
know the European effort. And we know what other agencies
are doing. And last, we have to fit what we are doing into
overall agency programs. And I will get back to that. Let
me just dwell on the risk side.
What we did, one of the things was that we --
actually, we asked Brookhaven to look at what PRAs have to
say about is the human contribution to risk. And that is
one of the documents that we provided you last week. And it
is not that there is a table of risk worth of various
actions, but there is a table in that document of reports
that include risk worth.
In other words, we have been over this issue time
and time again. And depending on which PRA you look at,
what are the dominant sequences and what people choose to
call human performance or not, you are going to end up with
numbers of the order of 10 to 50 percent of the risk is due
to human performance. And I will get back to that in a
What we also --
MR. POWERS: One of the questions that come back
is, is 10 to 50 percent too much, too little, about what you
MR. ROSENTHAL: I don't know. But I will get to
that in a moment.
What we also decided to do is to look at the
accident sequence precursor data in some detail. And there
were roughly 50 events in the last five years in which the
conditional core damage probability exceeds 10 to the minus
5. And that was our focus for events.
Like your earlier comment with respect to PRA, is
that too much or too little, the agency really doesn't have
a position now. And it is one thing we ought to figure out.
Is 50 events over a 5-year period and a declining trend
acceptable or not? Because we know that events will
continue to occur. And yet plants still meet the safety
goals, et cetera.
We do have a performance element that says that we
will not have an event in the 10 to the minus 3, that
exceeds 10 to the minus 3, as a formally set goal. But this
is a rich source of information to look at.
The staff compiled the events and qualitatively
examined those events. In parallel with that effort, INEEL
also looked at the events -- the timing was different. And
you will hear from them at length -- and tried to do some
quantitative work to quantify the human contribution.
Now we will get into some of why I don't know. If
I look at the risk in such reports, NUREG-1560, things like
manual depressurization, containment venting, standby liquid
control, UCCS switchover to recirc, feed-and-bleed are
dominant human actions. And you see them time and time
again in IPEs.
If you accept this as true, that this is where the
risk is, then it would tell you to go look at their training
for severe accidents, go look at their EOPs, go look at
simulators, but don't look at the operating experience,
because you won't see these kinds of events in operating
So it would lead you, it would push you in the
direction of the simulator and the EOPs, et cetera. Much of
that work we have already done. And NPO has an active
accreditation program, et cetera. So if this is the
reality, we should be backing off from human performance,
because we have all these things that we have done in the
past, all the work that NPO is doing.
MR. POWERS: In following that logic, you would
say, okay, we have done everything we can think of doing
here. This is just the base that you are going to have to
live with. Humans are fallible creatures, but we still have
not found a better thing to run a nuclear power plant.
MR. ROSENTHAL: Well, we have chosen in the U.S.
to have automatic actuate manual run plants. I had a
briefly with RSK, the German equivalent of the ACRS -- I am
not quite sure what RSK stands for -- in which the
discussion was the Germans chose to have their plants far
more automated than we do. So these are choices that we
made. This is one viewer reality. Okay?
And this says don't bother looking at a day-to-day
operation. And don't bother trying to develop a performance
indicator for human performance in the plant assessment
process, because that would not be --
MR. POWERS: It would never get to trigger.
MR. ROSENTHAL: It would never get triggered. And
it doesn't tell you that which is risk important by looking
Another view of reality is to look at the dominant
accident sequence precursors. And depending on how you
count, two-thirds, three-quarters, 80 percent, depending on
who is doing the sorting, all involve human performance.
And these are important aspects. Sometimes positive and
For example, the event at the top, Wolf Creek was
caused by human actions and ameliorated by the operator. So
you are looking for good and bad. So if you accept this as
a view of reality, then this says that yes, you can look at
the plant assessment process to extract human behavior, or
your plant assessment process can do that.
It is conceivable that you could develop a PI,
some sort of numerical performance indicator, if these are
the kinds of things you are worried about.
Well, the reality is that right now we are, I
won't say schizophrenic, we are just of a dual mind. We
have not yet sorted out how much we should rely on the ASP,
how much we should rely on the PRA. As I say, they lead you
in two different directions. What is an acceptable
contribution to the PRA rests on maybe deciding how many of
these kinds of events I am willing to tolerate.
Now in these events, it is not -- okay. In the
PRA, what I showed you was actions by the operators, ECCS
switchover. Will they do slick? Will they go to
feed-and-bleed before the steam generators dry out? Here in
operating experience space, I have a much more complex
Let's take the Wolf Creek event. The plant
management decided to do the quickest refueling outage they
had ever done in their history. That was their decision.
They decided to do maintenance in mode four, when there is
still both latent heat, as well as the K heat.
They decided to do multiple maintenance operations
at the same time in order to speed their processes. And the
maintenance organization, rather than the operators,
actually opened valves, and the operators saved the day.
Catawba chose to be doing maintenance of an EDG
with the plant on line. This Oconee event is a very
interesting event, in which they do burn -- they are again
in mode four or, I'm sorry, a high mode. And they end up
burning up two of three high pressure injection pumps. And
they would have burnt up the third one. They actually
damaged the two pumps, not a maybe, because the operators
were smart not to allow the third one to automatically come
And what underlies it is that even though you do
quarterly testing of the ECCS pumps in accordance with your
in-service testing program and your text specs and all of
this other stuff, they were not -- they were testing the
pumps. And what was wrong was the level indicators on the
refueling storage tank, which caused the common mode.
So if you take this as a reality, then you are
going to get into not only the operators, but the operating
organization. You are going to get into maintenance. You
are going to get into latent failures in the Jim Reason
(phonetic) sense of the latent failures.
And it is going to drive you to look at how the
place is organized, et cetera. That is another view of
MR. POWERS: Well, maybe you can come up with the
answer, that both are correct, that on the first slide you
say operators are trained, tested, folded, spindled,
mutilated, and they do pretty well. The rest of the
organization maintenance doesn't have that kind of intensity
associated with it. And that is where we see problems
arising. And safety culture is something we don't how to
enforce or police or do anything with.
MR. BONACA: And I don't think you get two
different stories. I mean, simply in PRA you model what you
know happens and then assigns some likelihood of success or
failure. And, of course, the point Dr. Powers is making is
true, whether there has been intensive training and so on
and so forth, that probably -- or whether there was not.
Here, however, you have actual events taking
place. And, you know, I would like to hear about the
characterization in the report of 90 percent, of average
contribution human performance to the event importance was
90 percent in these latents events. That is very
MR. ROSENTHAL: We are going to -- I am going to
go fast, so we can put Dave up for more time.
MR. APOSTOLAKIS: Yes. I want to -- well, the
statement that you have two views of reality and that they
lead into different directions is not quite accurate, I
think, because there is a third message from this that
perhaps the PRA models are not reflecting operating
I think you would be hard pressed to find a PRA
that would have something similar to the Wolf Creek
incident, where the operators created a situation, and then
they managed it well. But they created it.
In fact, in our letter on Athena we recommended
that that become a major part of the Athena effort. So I
would say there is a third message here. In fact, I would
call this really the reality. The PRA, I would say, is a
model. And if there are any lessons in this kind of
evaluation or assessment of real incidents, then PRA should
benefit from those.
MR. BONACA: What I thought was the most
challenging thing is the PRA assumptions that you make and
failures of operators are understandable. And you can deal
with them quite -- much more challenging, because these are
random occurrence out of tens of thousands or more. This is
MR. ROSENTHAL: Some of my management will
repeatedly ask: You have been working on human performance
since Three Mile Island, so many millions of dollars have
been put into this, when is enough enough? When do you
declare success? When do you stop?
Now I had an opportunity to at least brief at the
DEDO level, the Deputy Executive Director of Operation
level, to say that the activities that we are doing now are
different than the ones that we did post-TMI. We are not
advocating more work on EOPs. We are not advocating more
what I call paper taping label. We are reliant today on
imposing accreditation. And we are looking at other things.
MR. APOSTOLAKIS: Now you also gave the
impression, Jack, if you look at the PRA results that you
showed earlier, that perhaps we have done the best we could
there, maybe this is a situation we have to live with, these
kinds of errors during recovery and so.
Well, it seems to me that we are doing more than
just accepting the situation as being, you know, that's
life. Athena has followed the change in paradigm. And now
that we are talking about the context and all that, so if we
understand the context, maybe those numbers will go down, if
we understand it better than we used to.
So there is still hope, I think, that these
numbers will improve. And we are not there yet. We have
not settled on any of these numbers.
The last question I have -- actually the first
question; the others were statements -- of these 11 events
that you list up there, I think we have all agreed that the
first one is not the type of thing a PRA analyzes. Are
there any others from 2 through 11 that a typical PRA would
not include? I mean, that would be an interesting lesson
MR. ROSENTHAL: I think that the PRA analyst would
say, look, I have considered single failures, I have
considered multiple failures, I have considered common mode.
And in that sense, I picked up the Oconee event, because it
involved two pumps. I would argue that no, because you
didn't -- especially if you had a super component, you
didn't model this level transmitter. When the tank goes to
zero, it mechanistically causes both pumps to fail, because
you are pumping steam.
MR. APOSTOLAKIS: I would agree with you.
MR. ROSENTHAL: The St. Lucie, the research set
point, I think that that depends on the detail of the PRA.
Let me just make the point. And in fact, I briefed the ACRS
on this Fort Calhoun event. There are very few examples to
say how well we did post-Three Mile Island. At Fort Calhoun
they had a stuck open safety valve on the pressurizer from
power. Okay? And they used their EOPs.
They used their sub-cooling mod to monitor. They
used their thermocouples. They went by the book. They
followed the procedures. And they very successfully coped
with the event. And there are very few examples like that,
to say that the stuff that we put in place actually work.
But that is the best integral test they could possibly think
And there are 50 events there. I am just going
over the top.
MR. BONACA: But there are things there that were
pretty interesting. Take event number nine, Oconee, where
you had the loss of offset power because the Kiwi facility
was not under the control of the control room. Now when we
were looking at license renewal, we learned that the Kiwi
facility was not under Appendix B and, in fact, had a total
different -- and the question is, you know, is there a link
there? Of course there is a link.
This facility was being run separately from the
control room. So if the control room had an expectation
that they could remotely actuate that facility, the facility
was doing something else at the time.
Now the point I am trying to make is that you may
not be able to get the information that goes into a PRS
report. But certainly, this is critical information.
Certainly, when you look at events and then learn about PIs,
for example, or cross-cutting issues. This is critical
And when I read that, I said, oh, no wonder it
happened, because we were looking at that plant and being
surprised that in fact the emergency power source was not
controlled in the same program with the control room.
The point I am trying to make here is that if you
don't focus only on trying to model these events, there are
so many different uses and insights we are getting from
MR. ROSENTHAL: We write a very -- in my AE of
D-Day, we wrote a very big report on Oconee and their
electrical distribution, which I would be glad to share with
you. But that is not the subject of this meeting.
MR. APOSTOLAKIS: Jack, the report that contains
this information, which I assume has much more than just
MR. ROSENTHAL: Right.
MR. APOSTOLAKIS: Is it going to address the
question of how many of these events or similar events are
treated in a PRA? That would be a very useful insight.
MR. ROSENTHAL: We provided documentation last
week. It does not include that. That would be a
very -- I think that we have to go that way in order to
start answering Dana's question about how much is
acceptable. And we really haven't answered that.
Let me just stop there a second. Of course with
my colleagues, I end up with a deal of wait a second, you
wanted 95 percent diesels. You have 96 exclusive of
maintenance out of service. You are meeting your goal,
depending on how you decide to define it. Why do you care
if the other 4 percent would be all due to human
performance, if you are meeting your equipment goals? And I
think that they are right.
However, if the problem that is giving me the four
percent unreliability, which is an acceptable number, if the
problem is due to underlying programs and processes and
procedures, then I worry about common cause across multiple
trains within a system, as well as across the plant. And I
think that that is the rationale for worrying about these
things and not stopping only at the equipment failure level.
MR. POWERS: And I think a general issue of
problematic failure is something that we still have to
wrestle with in this new plant assessment process.
MR. ROSENTHAL: I will get to that in about a
minute and a half.
So you can dissect those events and look for
commonalities. And you can do it in terms of knowledge,
procedures, training, you know, which is the maintenance
department, which is the operators. I think if you put six
people together, you would end up with eight ways of cutting
it. And you are going to hear more from INEEL on how they
formally cut it. So I just want to make --
MR. APOSTOLAKIS: So we should not ask you.
MR. ROSENTHAL: I know. Pass the buck. Some
people are more interested in programs. Some people are
more interested in processes. But my only point is that we
need to take it apart and bend it and see where to go. And
I would assert that that effort would be risk informing the
human performance plan.
I want to get into the plan itself, just two more
slides. We broke up -- we have four major elements. One is
the oversight process. And we should talk about the
relationship of the ASP to the oversight process. Normal
NRR-type licensing monitoring activities at NRR is one of
the questions. We do want to risk inform the plan.
Nathan Sue (phonetic) now has the lead for --
well, not only for fire, but now he is taking over the human
reliability work, of which Athena is only a part. And we
need to be plug compatible with Nathan's work. And we have
had some discussions.
And I want to talk about emerging technologies,
for which I have a difficult time putting a risk number on
MR. APOSTOLAKIS: How closely are you working with
the Athena folks? Is anybody from Athena here?
MR. ROSENTHAL: Nobody from Athena is here.
PARTICIPANT: We have one here.
MR. ROSENTHAL: I'm sorry.
MR. GERTMAN: I have been working with them of
late on --
MR. APOSTOLAKIS: What you say doesn't matter
unless you come to the microphone.
This is David Gertman. He said that he is working
MR. GERTMAN: I am David Gertman from INEEL. The
Idaho National Engineering Laboratory is working with the
Athena team on pressurized thermal shock in two ways.
First, Bill Galion (phonetic), one of our PRA analysts, is
reviewing sequences and working with the team for the events
and the modeling.
And myself and a licensed examiner have been
working on a review of over-cooling events going through the
LERs and trying to determine human performance influences
and shaping factors that contributed to those events. That
work is ongoing. And so far we have reviewed about 50
events, and we have about 15 that have a human performance
involvement. I don't know if that ratio will hold as we go
through the 140 that are identified as the total sample.
MR. APOSTOLAKIS: So your participation is
primarily in applying Athena to issues of interest. Are you
participating also in the development, in model development?
MR. PERSENSKY: I will take that question, if I
MR. APOSTOLAKIS: Sure.
MR. PERSENSKY: I am Jay Persensky from Jack's
branch. I won't try to repeat the name of it. I actually
invited Nathan to come to this meeting. But at this point,
except for Dave, I think the entire Athena team is down at
Oconee working on an Athena-related effort.
I was given a copy of the forward of the upcoming
Athena report. And I was told I could tell you a little bit
about it. Generally the direction that they are taking at
Athena now is not further development directly, but they are
going to try to apply it along with other techniques. The
program is more an HRA-related program rather than
Athena-related program. But the focus is going to be on the
Two major areas of application will be PTS and
fire. During that process, learning from the use of it,
there may be further development. But the focus is now on
application as opposed to development. And as I said, we
have been working with Nathan in terms of how we might
better support them. And that is what is reflected in the
plan document. He would be glad to be here, except he is
enjoying downtown Oconee instead.
MR. APOSTOLAKIS: Okay. Thank you.
MR. ROSENTHAL: So there are four aspects of the
plan. And I want to work across. The darkened and the
flags are work that the agency has ongoing. And the rounded
rectangles is work that is explicitly in the plan. And we
are showing it this way to see how it fits together. Of
course, if you are going to do inspections, RES develops
tools to do inspections. And so you see the supplemental
inspection on human performance and an evaluation protocol
that is classic-type tool building that we do.
But I want to emphasize this characterizes the
effects of human performance in the oversight process. This
is an anticipated user need from NRR, where it is somewhere
in the management approval process. It is almost delivered.
And this answers the -- this is an attempt to
answer the question that we just spoke about. Can you -- we
recognize the human performance and the plan assessment
processes as a cross-cutting issue. It is a hypothesis that
you can look at equipment reliability and know all that you
need to know. And if the diesels are nine-six and you
wanted nine-five, that is good enough.
And that hypothesis is that you could look at the
outcome of the equipment performance, and you don't need to
look at the underlying reasons, as long as things are okay.
When things would be degrading, then you would look deeper.
An alternate hypothesis that comes out of the work
that we have done on the accident sequence precursor is that
there are aspects of safety which are not revealed in simple
equipment reliability and outcome numbers and that get into
programs and processes that you should be looking at.
And let's just say that they are both hypotheses.
In a fiscal 2000/2001 activity is with some discipline is to
match up the 50 ASP events against the now proposed April
plant assessment process and systematically say, what would
be covered within the current process of those events, what
And then we would propose how we might go forward.
And that, of course, we would have to work with NRR on that.
And you might go forward in the form of potentially
developing a PI. I doubt it, but at least we should have
that as an option. You might propose to have some sort of
supplemental inspection or be part of the baseline
But rather than leaving these two things as a
hypothesis, that you could do everything by knowing the
outcome and the reliability of the equipment and the PIs or
that you must have a separate module on human performance,
let's go take the data and match it up and see where we
stand. And I am sure we will end up at some middle ground.
Ideally, I would have done that work for this
meeting, but we have not done it yet. Although I think that
the work that we have done so far on the 50 ASP events and
looking at what is in the PRAs, that puts a real leg up
compared to where we were a year ago. We have --
MR. APOSTOLAKIS: So the preliminary work tends to
support which hypothesis, the first or the second?
MR. ROSENTHAL: In my mind, the second.
MR. APOSTOLAKIS: In your mind, the second. Now
why is the team that is developing the reactor, the revised
reactor oversight process, why is that team acting as if
hypothesis one were true? I mean, they state it very
clearly in the report, 007, SECY-007, that safety conscious
work environment, human performance and -- what is the third
MR. ROSENTHAL: Corrective action program.
MR. APOSTOLAKIS: Corrective action program. That
they don't need special attention because there is a flaw
there. We will see it in the performance of the equipment.
MR. ROSENTHAL: I consider it great success that I
can stand up here and characterize the statement as a
hypothesis to be tested rather than a truth.
MR. APOSTOLAKIS: And some of us are grateful,
MR. ROSENTHAL: Okay. So that is actually the
bulk of the work that we would do with respect to risk
informing the oversight process, with respect to human
The next branch down is really NRR activities.
And it does get back to saying what is reality, because if I
only look at the results from contemporaneous PRAs and then
go look at things like what is their training program, what
is the condition of their simulator, what is NPO doing, et
cetera, then those are activities that NRR does all the
You will see a bubble called policy review here.
That policy review bubble includes the issue of fatigue.
NRR has the lead for the fatigue issue. We did have a
meeting, a public meeting, with interested parties, Quigley,
the NEI, the PROS, NPO, UCS. It was an NRR -- Jay and I
were at that meeting. So that issue is being taken on. And
you read his statement. He is not being ignored. But that
is part of the plan.
Let me just go on to the third led, risk
informing. We have an activity to go risk inform part 50.
And we ultimately get down to say, what is needed in PRA?
The current thought now is that this human performance
effort would provide data on requests to the HRA analysts to
improve their -- so they could do their work.
I think that there is an element where the
operating experience can be used to, in fact, drive the HRA
and the PRA. So --
MR. APOSTOLAKIS: Sure. I don't know what data
you are going to give them, Jack. I really don't. And I
read in the document here that you will use Halden among
other things to do that.
But maybe we can pursue that some other time
because I remember Dennis Weiss (phonetic) saying clearly,
when he presented the Athena work, that they will not
develop tables with numbers. They will not -- I mean,
everything is past specific and event specific. And you
have to use the Athena to analyze it.
Maybe I am not doing justice to what he said. But
basically, I don't know what kind of data you can develop.
Maybe information rather than data --
MR. ROSENTHAL: Okay. Then let me --
MR. APOSTOLAKIS: -- regarding shaping factors,
you know, that kind of stuff.
MR. ROSENTHAL: Let me make two points. The one
that Jay made is that clearly today, we see Athena as only
one of an overall HRA activity. Two, my -- and now I am
going to get vaguer.
In my old AEOD days, we had done a study of
events, human factors and events. A lot of them were shot
down. And we had maybe like a dozen events. That work
ended up being used in the shut down risk studies that were
done by Brookhaven and CNDO. And it was only a dozen
events. And I was sort of modest. And they said it is only
a dozen, but that is the best data they had. So it got
Just as a vision, I think that if we could take
apart the most important events, the 50 events, in some
manner, that we can provide some numerical information to
the HRA process and --
MR. APOSTOLAKIS: In terms of what has happened,
MR. ROSENTHAL: -- for modest money in comparison,
I think that that would be --
MR. APOSTOLAKIS: Now you said something very
interesting earlier. You said that you view Athena only as
one HRA effort. HRA stands for human reliability analysis.
MR. ROSENTHAL: Yes, sir.
MR. APOSTOLAKIS: And Athena is one? What is
MR. ROSENTHAL: Well, of course -- I mean, you
know, there is a whole array of tools.
MR. APOSTOLAKIS: Yes. But I mean in terms of
recovery actions and so on, the name of the game is Athena,
MR. ROSENTHAL: We did Wolf Creek with a time
dependent recovery model, HCR.
MR. APOSTOLAKIS: Yes. But I think --
MR. ROSENTHAL: We did. I mean, that is what we
did the numerical --
MR. APOSTOLAKIS: Right. The human cognitive
MR. ROSENTHAL: Yes. Yes. We looked at the
integral over how much time he had to react before he tried
MR. APOSTOLAKIS: When did you do this?
MR. ROSENTHAL: That is how we quantified the Wolf
Emerging technologies: I want to say -- okay.
This is an area in which we can risk inform again, but I
cannot put a risk achievement word on it. You are going to
hear about the contribution hauled into that effort, because
we know that you are interested in it. And you are going to
hear a whole presentation from Brookhaven. So I am going to
stop very shortly on it.
And you are going to hear -- you will not hear
today about a digital INC plan, but we keep talking about
the back of the panel and the front of the panel, where the
electronic guys have the back of the panel and inside the
But to the extent that there are information
systems, the performance guys have the front of the panel.
So there will be some work that we pick up there.
We had a meeting where Halden made a presentation
to EPRI and U.S. Utilities in Rockville a few months ago.
And I got to sit next to one of the guys from Calvert
Cliffs. And what became very apparent was that Calvert
Cliffs will go into live extension with a hybrid control
room and with old-fashioned pistol grips to run equipment.
And up above are going to be flat panel displays
of new information. And it will not simply be the
information we have now displayed in a fancier form. But it
will be more and better information, more hierarchy, more
structure, more levels of abstraction.
We had an event maybe six months ago at Beaver
Valley, where they lost an electrical box. And 130 alarms
go off. That is not fair to the operators. That event was
important because they did not trip the reactor cooling
pumps, and they lost cooling at the pumps. Well, okay. It
is a setup.
So alarm prioritization is happening or will
happen at plants. You will have these displays. These are
information systems. And you can argue that that is the
Alternately, one could argue that if we review it
-- that we are going to review it. And so it is our
business, and we are prepared to review it. Or if we choose
not to review it because they make the changes under 1559,
then we are tacitly giving approval. It is either explicit
or tacit. But we know that it is going on.
And I would assert that we have to be in a -- if
we find something that is not safe, we should not approve
it. But if we are not prepared to review it because we have
not anticipated the needs and done things in a timely
fashion, then shame on us. And so that this emerging
technology block is trying to prepare for the future.
Okay. The last thing I want to pick up is, we are
interested in economic deregulation, the changing of what
this grid will look like. We will hear a presentation from
Dr. Bier in just a little while on work that has been done
to date. Clearly we know that we -- well, we believe that
we are going to have six to eight merchant producers that
the organization will be different. There will be economies
of scale. There will be financial pressures on them.
The paradigm of being a base-loaded plant may well
change. If you had an extra megawatt last July or August,
when it was $2,000 per million BTU in the Midwest for a few
days, that might be the time that you make the profit on
your plant for the year. And all the time that you are base
loaded at a penny a kilowatt hour doesn't matter. So even
the paradigms may change.
We know that the legal situation is changing,
because everything is being bought up and sold. And we
believe that we should be out in front at least to
understand what these pressures are and how it might change
the regulatory arena. That is an RES sponsored, not -- it
is a very modest effort, but it is an RES sponsored effort
rather than a user need.
The digital INC work will be concurring with NRR.
I mean, it is being developed jointly by both staffs. And
that will be user need. The control station design is all
Okay. In the presentation are tables that -- it
is just tabular form of the bubbles. And I would propose
that I not discuss them, that you hear from the experts that
we brought in today. And then after that, Jay will pick up
and talk about where we go in the future.
MR. APOSTOLAKIS: This is nitpicking, but is the
top box accurate reading nuclear power plant safety? And
you have reactor oversight. Are you maintaining nuclear
power plant safety or something like that?
MR. ROSENTHAL: Maintain safety. In fact, we have
four cornerstones. And for the RES prioritization about
work, which is a different activity that I have
responsibility for, we rank our programs in terms of
maintain safety, burden reduction, public confidence and
efficiency and effectiveness.
When we were thinking about this, we said -- at
least in my mind, we are doing very little for public --
directly in the public confidence arena on this chart.
I have a different activity that is not on this
chart to develop tools for risk communication, because I
think the NRC very much needs to be able to do risk
communication. So it is a branch activity that is not part
of this plan.
Okay. So that is a confidence. And then we were
thinking many of our activities are burden reduction, I mean
in RES. And when we thought about it, in fact very little
of the things I am showing you are burden reduction. I
don't think that they are.
I think that really all fall within the maintain
safety vector. And after a fair amount of discussion, that
is why we decided to label it, I should have labeled it
maintain. But we think, in fact, that is what we are doing.
MR. APOSTOLAKIS: What else do you want to do?
MR. ROSENTHAL: Okay. The next --
MR. APOSTOLAKIS: Do you have the future
activities? You are skipping that?
MR. ROSENTHAL: We are going to get back to that
at the end.
MR. APOSTOLAKIS: Okay. Now I have a series of
comments, minor comments, on the SECY itself. When should I
tell you about them?
MR. ROSENTHAL: End.
MR. POWERS: He is liable to break. I mean,
holding that pressure in to make those comments.
MR. APOSTOLAKIS: So we will take a different kind
of break, then. I promise that we will take a break every
Who is next? Maybe we can take the 10-minute
break now. Okay.
MR. APOSTOLAKIS: The meeting is back in session.
We will hear from -- tell us who you are. There
are two ways of stating this. One is, please give us some
of your background. The other is, what is it that qualifies
you to stand up there and talk to us?
MR. HALLBERT: I think I am going to talk about my
I am Bruce Hallbert. With me today is David
Gertman. We are here from the Idaho National Engineering
and Environmental Laboratory. We are here to talk about a
program that we are carrying out for the U.S. NRC on the
quantitative analysis of risk association with human
performance. A program manager back here at the NRC is Gene
The objectives of this work is to study how human
performance influences risk at commercial nuclear power
plants. In addition, as part of our work, we have been
working to identify and characterize how human performance
influences significant operating events.
We are doing these things to support and provide a
technical basis for the human performance program plan as
part of other efforts that are also being conducted for that
This afternoon David and I are going to change
back and forth in the presentation. I am going to talk a
bit about the method and the approach of our work. He is
going to talk then about the finding or the analysis and
some of our findings. And then I will conclude with the
For this program, we use significant operating
events from the accident sequence precursor program being
conducted at the Oak Ridge National Laboratory. The
criterion for significant operating events means that from
the ASP program the conditional core damage probability was
identified as 1E minus 5 or greater. That was our criterion
for selecting events for analysis.
We selected events from the time period 1992 to
1997, 1997 being the most recent period for which our
reports were produced in that program. The analyses
focused -- two kinds of analyses were performed. One what a
quantitative type of analysis. And this analysis involved
human factors, people working with people from our PRA
departments at the laboratory. We used existing PRA methods
and models, specifically --
MR. POWERS: What do you mean? Existing PRA
methods and models could be the things that are ancient and
horrific back to the farmer curves and times like that, or
they could be the most modern and up-to-date things.
MR. HALLBERT: This is -- I will tell you right
now what we are using. We used the ASP SPAR models.
MR. POWERS: I don't think my question has
MR. HALLBERT: Okay.
MR. POWERS: It could be the most ancient thing in
the world or it could be the most modern and up-to-date
MR. HALLBERT: My understanding is that the SPAR
models, which are the standardized plant analysis and risk
models, are very modern standardized plant risk models.
Beyond that, I am not in a position to talk about the PRA
and the SPAR models specifically.
MR. POWERS: So you just used whatever somebody
MR. HALLBERT: No. We used -- David, would you
like to address -- you have to come up here.
David Gertman will speak to that question.
MR. GERTMAN: I am David Gertman. We went to our
PRA analysis group. And the SPAR models are
state-of-the-art, the most recent version with significant
detail. They are the Rev 2QA models that contain the super
And they have been a development effort with NRC
and Oak Ridge National Lab and the Idaho National
Engineering Laboratory. These were the most recent and
available with software libraries PRA models for the plants.
MR. POWERS: If you were doing thermal hydraulics
and told me you used a RELAC (phonetic) code, I would know
where to go and read a review, peer review of those. Where
would I go to read a peer review of these SPAR models?
MR. GERTMAN: Peer review, I am not sure. If you
went to referred international proceedings, you could go to
PSA, I guess, 99 or the last PSAM conference. A lot of the
development work has been out of RES under Ed Roderick
(phonetic). And that has been an NRC effort ongoing for
It is fairly well-known and internationally
documented. Beyond that, I cannot respond more than that
technically to it.
MR. HALLBERT: It is our understand -- and we are
not PRA practitioners, PRA experts, we work with the PRA
analysts -- it is our understanding from them that these
SPAR models are very current, very up to date advance models
for conducting risk analysis.
MR. POWERS: you a licensee making this
presentation, and you came in and told me "I used a model,
and I haven't got a clue whether it was peer reviewed or has
any pedigree to it or not," you probably would not even get
a chance to give a talk.
And I can -- I remain -- I know exactly what the
SPAR models are. And I remain distressed that they are not
-- do not have the kind of peer review that has been
accorded to the phenomenological models, including those
We demand that the licensees' probabilistic risk
assessments have some sort of certification or comply with
some standard, but our own work doesn't have that.
MR. HALLBERT: These were the models that we did
use, notwithstanding those issues. We used these models to
calculate importance measures. And the importance measures
that we used were basically the CCDP-CDP values, which is
the risk increase from the events. We used these to
determine the contribution of human performance to event
Specifically, we would run the models. We would
look at each of the individual human actions in there, look
at the increase and look at the associated amount of risk
increase that was represented by those human actions. That
comprised the quantitative portion of the analysis and its
There was also a qualitative analysis performed.
We worked with licensed operator examiners and those kinds
of people, plant operations specialists, to review events,
the same events that we analyzed quantitatively to try to
determine how specific human actions and processes -- and we
will talk about what those are -- in the plan influenced the
And I guess in the simplest terms, we were trying
to identify the causes, what caused the events to occur.
I would like to now hand over the presentation to
David, who will talk about the analysis and some of our
findings to date. I also want to stress that this is work
in progress, and we have not completed the program. SO what
you are getting is where we are right now.
MR. GERTMAN: Thank you, Bruce.
As Bruce was saying, we have reviewed 35 operating
events to date. Our primary source of information for these
events has been LERs and, where available, augmented
inspection team reports, AITs. And we might have one IIT in
there as well.
We went ahead and we determined that 24 of these
events has significant human performance involvement. And
the criterion we used for significant human performance
involvement included the following: Did human performance
contribute to an unavailability, to a demand failure, to an
initiating event, or were operator actions taken that were
improper or failed to be taken post-initiator? So that was
our definition of having a human performance involvement.
Eleven of these events indicated no such
involvement to that extent. Looking at those, we did not
see any other types of differences within the events. If
you took those out and said, what is unique about these,
there wasn't any discernible pattern. We did do that with
Then the importance for the 20 events, which was
the conditional core damage probability minus the core
damage probability, that was importance measure that we took
from the red guide, 1.174, range from 1E-6 for one of the
millstone events to 5.2E-3 Wolf Creek. This was not the
Wolf Creek event that was mentioned earlier. This the Wolf
Creek frazzle icing event that I am sure you are familiar with.
Three of the events were in the E-3 range, the
significant events. And the way we assessed the
contribution, in general, if you look at this equation, it
really boils down to the ration of the conditional core
damage probability due to human error when compared with
conditional core damage probability for the event.
And we went ahead and we looked at those
components that were not available or failed on demand, and
we saw what proportion of the variance did they account for.
And that is how we were able to determine that range of the
In some cases, it was more than one or two
components that were not available because of that human
MR. APOSTOLAKIS: So, David, CCDP sub HE, what
exactly is that?
MR. GERTMAN: That refers to those components that
were not available or that failed due to a human factors
involvement. For example, if the breaker was unavailable
because of the way it was maintained, either the
verification process failed or the procedure used was not up
to industry standard. So it was really going back to the
We had very few errors that came from following
emergency operating procedures, which is a lot of what the
post-initiator research in HRA looks at. In fact, what we
found is, if you went to operator actions that were in
error, they tended to be operators following either normal
or abnormal procedures. And this is where the errors came
from. So that was an interesting detail from the data.
And the contribution ranged from 10 percent for
just one event up to 100 percent for 16 events, which means
that the components that were unavailable or if you have the
initiating event that the components afterwards, they were
unavailable due to human error, due to problems with
procedures and maintenance, that sort of thing, failure to
follow trends in industry, pay attention to internal
engineering notices, that sort of thing.
MR. APOSTOLAKIS: Now when you say human error, it
is not necessarily one error, right?
MR. GERTMAN: No. That is --
MR. APOSTOLAKIS: It is a number of little things.
MR. GERTMAN: Yes. That is precisely the point.
If we look at multiple smaller failures in the events
analyzed, they tended to range from 6 to 12 per event. For
example, if we took a look at Wolf Creek in the frazzle
icing incident that occurred, that one that was 5.2E-3 that
we mentioned previously, there were a number of things.
There was a latent failure.
The design error was latent, where they thought
the warning lines were undersized, but they thought they
were adequate. It was an engineering decision that the pump
house could not be subject to frazzle icing that was in
There was a latent failure, also, in terms of
ignoring the Army Corps of Engineers notice that said
frazzle icing conditions were possible to affect the moving
trash screens under the water.
In addition to that, you have had some active
failures. You have operators who are trying to do a
procedure that sort of decoupled the ESW, emergency service
water, from service water. And they did it without a
procedure. Now at that utility at that time, you could it
without a procedure. But what you had to do is you had to
have verification behind you, if you went by skill of the
craft. And they didn't do that.
So see what happens is, it really quickly
escalates to between 6 and 12 smaller failures. And that
was a fairly large finding for this dataset. And that was
consistent. There is only maybe two or three that only had
four small errors, as opposed to seven or above.
MR. APOSTOLAKIS: Coming back to the equation,
that will be different from 100 percent only if there were
some other things that happened, like a pump was unavailable
due to maintenance or something. It has nothing to do with
MR. GERTMAN: That's right. It had nothing to do
MR. APOSTOLAKIS: Otherwise this is 100 percent.
MR. GERTMAN: Yes. If it was the insulation
failure on a transformer, and it would not have been easily
observed, it would be close to random hardware failure, yes.
MR. ROSENTHAL: Note that, you know, on my list
earlier of things like the pressure locking of gate valves,
we did not -- that is a design problem. We just did not
want to exaggerate. Now, of course, you could always say,
well, the design is a human -- but we just didn't want to
put it on -- I want to make another point. And that is, I
know that the ACRS is another activity on measures. And I
know that you are doing some work on that.
MR. APOSTOLAKIS: Measures for what?
MR. ROSENTHAL: Measures. Okay. We did not want
to use terms like fossil-vesly (phonetic) or risk
achievement worth, et cetera, which are traditionally
associated with core damage frequencies, when here we are
talking about incremental changes in conditional core damage
probabilities. So we are still using still another term,
because we thought it would be -- you know, it just wouldn't
be proper to use those terms.
And if you want to pursue that, I would recommend
that you do it within the context of the points measures
work, if you are interested in it.
MR. POWERS: I got the impression from the speaker
that this is a simplistic idea that we talk about, that we
just do a rollout or a fossil-vesly (phonetic) analysis on
the human. It just would not cover 90 percent of the things
that he found in here. I mean, he just doesn't address it.
MR. ROSENTHAL: Oh, you mean going back in a PRN.
MR. POWERS: Yes.
MR. ROSENTHAL: Right. But even to use the
concept of RAW when looking at decrements in CCDP, I think
would not be true. So we didn't want to use the -- so that
is why we are phrasing it this way. But I would assert that
if you want to explore that more, you have that other forum
to talk about how do you measure on events rather than on
MR. APOSTOLAKIS: Well, there is a similar
measure. This is very good, by the way. You avoided the
debate here by not going to the other two. Not the way you
have structured it here, but if you want to look at the CCDP
of the event, due to the event, then this is very similar to
the incremental core damage probability that is used in
Regulatory Guide 1.177, which deals with temporary outages
or equipment out of service. And this is on solid ground.
This is good.
MR. GERTMAN: Most of the errors that we
identified were latent. And we agree with Jim Reason's
definition. He had first called attention to this in -- I
guess back in 1990 in his text on human error, where we say
that latent errors have no immediate observable impact.
Their impact occurs in the future, when you give it the
And again, the ratio we found of these multiple
small errors was a ratio of four to one. So latent errors
were predominant. I think the exact numbers were 82 percent
and 18 percent. But every time you add an event, it changes
slightly, obviously, with such a small sample size.
The large actors within latent errors, there were
three problem areas. The first had to do with failure to
correct problems. This is known deficiencies, failure to
perform trending, failure to perform to internal, as well as
industry notices, figured in events, engineering problems
with design and design change and design acceptance tests,
These are maintenance practices, post maintenance
testing, work package preparation following QA, work
practice sort of issues. These are what were prominent in
MR. APOSTOLAKIS: David, in the first one, when
you say failure to trend, were they expected to trend and
they did not, or they just didn't bother to establish an
MR. GERTMAN: I think it is a combination. In
some cases they would find similar problems with feed
regulating valves or MSSVs over a period of years or a
period of months. And there didn't seem to be any
acknowledgment of this. The failures kept occurring. There
seemed to be no trending program. And the language for that
really came out of the AITs and LERs. It was beta driven.
MR. APOSTOLAKIS: So this is then, I suspect, that
the insight group would call this failure to -- to do what,
have a questioning attitude? This is a safety culture
issue, is it not?
MR. POWERS: it is. It is also an effectiveness
of a corrective action program, because good corrective
action programs will trend. And they will look for repeat
failures. And they will really chase those down to get to
the root cause, so you don't end up six years later with the
thing showing up again in an event.
MR. APOSTOLAKIS: But it is a matter of culture, is
MR. POWERS: Yes.
MR. GERTMAN: Active errors. For the most part,
these were post-initiator errors. The interesting one, the
dominating problem area there, was failures in command and
control. We think of the incorrect operator actions in
following EOPs and maybe even abnormal procedures.
But the command and control kind of issues, if we
go back to the Wolf Creek frazzle icing incident -- well,
no. If we take the sale and river grass intrusion, excuse
me, you go to the situation where the NSSS is going ahead
and giving vague instructions how to control reactivity to
one of the board's operators.
Then you have somebody leaving the boards when the
reactivity is unstable. You have communication coming in
from the field where the river grass is.
You have two supervisors plus a cadre of six other
people in constant communication back and forth with the
control room, which adds a disruption that takes away from
the situation awareness. So there are some aspects of
command and control that came up in these events as well.
And we find that to be fairly important.
And these others --
MR. BARTON: The interesting thing about that is,
when you look at utilities training programs and practicing
in simulators with crew teamwork and interaction, command
and control is always a big issue.
And you are always looking for some senior, the
shift supervisor or shift foreman, to take over that role to
assure that things are done right, and there is command and
control, and it doesn't get like this Salem event.
So there is no mystery here, Joe. I mean, this
stuff is already supposed to be in place. And people are
trained in it and practice it. So you ask yourself, why on
certain days doesn't this all come together? And you end up
with a Salem event. It is all there.
MR. APOSTOLAKIS: Well, on the other hand, you
know, we do have random occurrences of things. Maybe we
have to live with the fact that some of these violations
MR. BONACA: And then you have unevenness in the
crews. At times you find that if you have all things coming
together and you have a crew that is not the best, and you
have some people in the crew that in fact are the weaker
elements, that may combine to give you this kind of
situation. So you have also the randomness.
MR. GERTMAN: That is a good point about you
expect it to be there. If we look at the Oconee and Kiwi
hydro event, we had problems. They had a loss of phone
communication during the event.
We had operators in the hydro station taking
actions unaware it was going to impact the staff at the
power plant. You had a lot -- and you had supervisors out
in the switch yard performing actions instead of being back
in the control room.
All of these things are aspects of command and
control which figure rather prominently in the event, which
are not typically the kind of things that we model in the
HRA community. In fact, for a comparison here -- and this
is not about second generation models. But just going back
to the IPE PRAs and some of the level ones, if we look at
pre-event and human errors, pre-initiator, very few are
explicitly modeled. There is some consideration of
mis-calibrations and restoration after maintenance that come
up. But it has always been assumed that when you
determine a hardware failure rate, that somehow you have
implicitly captured many of the latent human errors. It
doesn't help you reduce the risk, though, because unless you
specify the distribution of these errors, the percent
contribution, or know where it is hurting you, you cannot do
much about it.
So we think this is open. Empirically we don't
know what the contribution to a particular component is from
the human performance work process latent error area is, and
we think that is an important area.
Post to that, if you look at a lot of the IPE
generation, it is limited to active areas of omission. And
again, they seem to be EOP based. What we found was
abnormal and normal operating procedures. And we found
commissions in both the latent case, as well as the active
case. That is just a very quick comparison.
I return you to Bruce to summarize some of these
MR. HALLBERT: Thanks, Dave.
For some time, people have talked about what the
contribution of human performance is to accidents and
safety. In this study, we were asked to look specifically
at the human contribution to risk. One of the points that
Dave made earlier, looking over all those different events,
averaging over them, what we see is that the average
contribution of human performance to these events, to event
importance, was about 90 percent of the event importance.
Another observation from the study is that most of
the incorrect operator actions that cause these events to
occur, occur during normal and abnormal operations, not
during emergency operations, where we see people using EOPs.
It was different in many respects than most of where HRA has
focused in the past.
Latent errors figured very prominently in these
significant events, a ratio on the average of four to one
latent active errors. And some of the kinds here are just
reiterated again. And these are the insidious kinds of
These are the ones where they occur at one point
in time. They may sit there dormant like a trap for months,
many months at a time, before a system or component is
demanded and simply is unavailable or fails.
MR. APOSTOLAKIS: Your third paragraph there,
MR. HALLBERT: Yes.
MR. APOSTOLAKIS: -- put in different words is
saying that the problems are really organizational and
cultural related, safety culture related. Inadequate
attention to owners group and industry notices, I mean, you
can put a fancy term there and say this is organizational
learning, and it has failed. You know, they don't have good
learning. So organizations and culture. And it is
interesting that the agency is not really investigating
those things at this time.
Are you going to inform the Commissioners about
these things? I guess you will.
MR. ROSENTHAL: What? You want to send a letter
that says I told you so?
MR. APOSTOLAKIS: I want Jack to send a letter
MR. ROSENTHAL: You will more about it as the
afternoon goes on.
MR. APOSTOLAKIS: That was a very good response.
MR. ROSENTHAL: What we need to is take the facts
and display out the facts from the real events, and then you
have made a factual case for how you should proceed.
MR. APOSTOLAKIS: Yes. But --
MR. ROSENTHAL: But what we have not done in the
past is lay down all the bricks, put in the rebar in that
MR. APOSTOLAKIS: And I think that is a good
point. Maybe the case was not made to the Commission that
these are important issues. And maybe what you are doing
now is you are beginning to build a case.
MR. POWERS: I think, George, it falls under the
category of leadership and organizational behaviors. And it
is an area that -- you know, we thought the Commission would
need to look at also, we were told. And we went up and
looked at that.
But that is -- you look at the human performance
program, that is the two categories that this whole stuff
falls into. Leadership and organizational behavior
characteristics are failing when you get into these issues.
MR. BONACA: Now, of course, the Commission never
said that these are not important. The commission said it
is none of our business. It is the industry's business to
take care of these. So we have to be careful that we
interpret correctly what they said. I mean, they never said
that these are not important issues for the safe operation,
I guess, of the plant.
The unique value of this presentation somehow is
the fact that there is a quantitative assessment of the
contribution of these issues. And this is based on events
which have occurred. And so it has more bite than things I
have seen before because of that.
MR. APOSTOLAKIS: There is nothing like data,
MR. BONACA: Absolutely.
MR. APOSTOLAKIS: When you talk to engineers, you
better have your data.
MR. HALLBERT: So it is true, these things we are
saying. Of the operating events that we were able to
analyze that had human performance involvement,
approximately 90 percent of the increase in risk was due to
Now, the current means by which human performance,
or the means by which human performance influence hard run
available and other failures in these events was somewhat
different than how it has been explicitly modeled in the IPE
generation of PRAs and level one PRAs of that generation.
And by that, I mean that we don't see a preponderance of
latent errors and pre-initiating events in identified
models. Rather, as David said, these things have been
typically addressed by saying that we assume that these
latent contributions are in the unavailabilities.
BY APOSTOLAKIS: By the way, this has been the
argument ever since I remember years ago, that the first
argument of people who do not want to see research on
organizational issues is exactly that. The failure rates
Why do you want to worry about it? And I think
the answer is what Jack said earlier today, that if it was
only one piece of equipment, we would not really care. The
concern is that you may have an underlying cause that may
affect a number of equipment or actions. And that is really
very different from saying that the failure rate is
MR. HALLBERT: And it is a number of events. And
it is common patterns across events and events that are all
MR. APOSTOLAKIS: Yes. And the last one is saying
something nice about PRA, Bruce?
MR. HALLBERT: Well, no. I think that the next
point I want to make, and this is just to underscore what
David was saying earlier, which is that these events all
involve between 6 and 12 smaller failures, none of which
were sufficient in and by themselves to cause these larger
events. That was somehow also a little bit in contrast to
how we have, being the HRA community, looked at human errors
in the past but fits very well with what Jim Reason has
talked about earlier when he discussed organizational
MR. APOSTOLAKIS: Swiss cheese, right?
MR. HALLBERT: The Swiss cheese model.
MR. APOSTOLAKIS: That all these holes
were -- and we are in trouble.
MR. POWERS: Well, it seems to me that this has
interesting ramifications on the inspection process. And if
I go through and I find a lot of green findings, the sum of
all green findings is still green. But in reality, it may
be red. I think it is programmatic failures that are being
missed in the inspection program.
MR. HALLBERT: The last point is getting back to
the issue of how this work relates to PRAs. Now, for all
the failures that we were able to model in SPAR, we were
able to identify those human actions. So we did not
identify any new initiators or event sequences in the
process of doing this.
Rather, what we found were different ways of
conceptualizing how these initiators and accidents could
occur. But in effect, we didn't identify new initiators or
So one of the issues, that relating to the
completeness issue of PRA, was not really effective.
MR. APOSTOLAKIS: Well, I don't know about the no
new initiators. I mean, the Wolf Creek event, the
organization itself took care of it. So in a sense it was a
MR. HALLBERT: Yes. And part of this is also that
we are working with the PRA groups and the licensed operator
examiner groups in our company right now, reviewing this
work that we are presenting now to try to determine some of
the issues and impacts.
MR. APOSTOLAKIS: If you are talking about the
PRA, I don't think anyone ever will come up with new
initiators, because the PRA has been structured now in a way
that the list that you have is complete. One way or
another, you have either a local or a transient, right?
MR. HALLBERT: Yes.
MR. APOSTOLAKIS: Now there was an interesting
table on page nine of Jack's presentation, which I think
comes from your work. And I would like to talk about it a
MR. HALLBERT: Okay.
MR. APOSTOLAKIS: Jack, do you have the
MR. ROSENTHAL: Yes. Let me say that Gene Trager
and Paul Lewis, who are here, quickly went
through -- well, they identified the 50 events. And they
went through them qualitatively. And that work was just
provided to you. It was done earlier on. And this table is
from their part.
MR. APOSTOLAKIS: This is not from INEEL?
MR. ROSENTHAL: This is from the staff. Then
INEEL has --
MR. APOSTOLAKIS: Can I make a suggestion here? I
would like to make a suggestion to this, to help improve it,
to improve something that is already very good. How about
that? Jack, you are not listening.
Now, I read in the report that work processes are
a prominent part of the work. And what I would suggest in
the future is, instead of saying, for example, that
knowledge -- this is the fourth from the top -- is
Since you are now in the work process space,
perhaps you can tell us which task of the work process
suffered because of the lack of knowledge. Because if I
take maintenance, for example, there is a prioritization
task. And then later on, there is the actual carrying out
of the maintenance.
It seems to me that when you say knowledge, you
mean different things when you talk about prioritization and
when you talk about actually doing maintenance on a valve.
Different kinds of knowledge. In the prioritization, you
have to have a global view of the plant. And you look at
the other requests, and you make a decision.
This is the ranking because this is more important
than that for such and such reason. Right? It requires a
certain body of knowledge.
The journeyman who actually implements the thing
requires a different kind of knowledge. So that has always
been my concern about not only this, but in other places
where you see things like communications, knowledge. Well,
that doesn't mean anything. If you have the plant manager,
he doesn't tell you anything.
But if you say, look, we have observed that in the
prioritization process there were issues with the knowledge
of the people whoa re doing it, then you are specific now.
You are telling people that, look, maybe there is a room for
Same thing with communication. Communications
between whom and whom, between departments, between the
members of the same team, between the organization and
outside identities? See, all these organizational factors
really don't mean much unless you place them in context.
And the context is the work processes.
MR. HALLBERT: Some of these are described in more
detail in the report, George. The taped one is kind of
MR. APOSTOLAKIS: Okay. Yes. I think that is a
positive step forward. But I would still go to specific
tasks within the process and say, this is what was important
for that reason in that task.
MR. HALLBERT: Yes.
MR. APOSTOLAKIS: Because then management, risk
management, can be more effective that way.
MR. ROSENTHAL: Let me respond. Gas and fiscal
MR. APOSTOLAKIS: Well, let me respond. Thank
MR. APOSTOLAKIS: I think it is an important point
to be made, because we have seen a lot of this. And I don't
want to criticize this, because I like what you guys are
doing. But this is an opportunity for me to put it on the
record. You know, you look at papers in the literature,
people give papers and say, oh, knowledge. Well, what
knowledge? What do you mean, knowledge? Everybody at the
plant? Are you talking about vice presidents' knowledge or
So I think that is an important -- I'm sorry.
MR. LEWIS: May I comment?
MR. APOSTOLAKIS: Of course you may, Paul.
MR. LEWIS: No place on the list do we see the
MR. HALLBERT: That is mainly --
MR. LEWIS: It is not important? Oh, okay.
MR. HALLBERT: These were in the report that we
gave you. You don't see -- we worked with the information
directly from the AITs. If it was not called out in the
AITs, then --
MR. APOSTOLAKIS: It seemed to me that it is not
really critiquing the organizational factor that is of
relevance here. It is resource allocation.
MR. LEWIS: I am Paul Lewis. I was the one who
worked on --
MR. APOSTOLAKIS: Because that is what they say.
I mean, that is what Mr. Quigley said, that with
deregulation, you know, there is a reduction in staff. And
people work longer hours. That is what he says, I think.
This is a statement of fact, Mario. That is what he says.
PARTICIPANT: It is in the eyes of the beholder.
MR. APOSTOLAKIS: It is never in the eyes of
Paul, you want to say something.
PARTICIPANT: Paul did the work. Then John
O'Hara, and then we will be back almost on schedule.
MR. LEWIS: My name is Paul Lewis. I was the one
who created these tables, so maybe I can answer part of your
question. You are referring to Table 3?
MR. APOSTOLAKIS: It is the table that is on page
9 of Mr. Rosenthal's presentation. No, that is not the
table I am talking about. I did not ask any questions,
Paul. I just made a statement. So you are adding to my
MR. LEWIS: We provided this to you last week.
There is a different table.
MR. APOSTOLAKIS: There is a different table.
MR. LEWIS: Yes, which you can correlate the
events where a PSF was knowledge with the actual task that
was failed. So if you look at the -- on Table 3 it says
Wolf Creek task P was -- a negative PSF was knowledge. Then
if you go to Table 2, you can see exactly what Wolf Creek
task 2 was.
MR. APOSTOLAKIS: Okay. That's good.
MR. LEWIS: So you can determine exactly which
task was failed because of lack of knowledge.
MR. APOSTOLAKIS: That is exactly what --
MR. PERSENSKY: Paul is referring to Table 3 in
the Attachment 2 to the memo to Larkins (phonetic) from
Jack, dated March 6.
MR. APOSTOLAKIS: Table 3?
MR. PERSENSKY: Table 3.
MR. APOSTOLAKIS: Oh, this is the attachment. I
see. I see. Anyway, I believe you. I didn't mean that you
didn't know how to do it.
MR. APOSTOLAKIS: But all I am saying is that this
is exactly the kind of information that should be
emphasized. That is all I am saying.
Who are you? And why are you there? You notice
that Dr. Hallbert ignored me completely when I asked him to
give some background.
MR. O'HARA: My name is John O'Hara. I am from
Brookhaven National Laboratory from the systems engineering
and safety analysis group. I have been working for a long
time with the NRC on control station technology. And I am
the principal investigator for the projects that you had
asked to hear about today and which I will tell you about
MR. APOSTOLAKIS: And you are a psychologist or an
MR. O'HARA: I am a Ph.D. cognitive psychologist.
I have been working in the engineering fields for about 20
years now. I've been working at Brookhaven Lab for 11
years, a little over 11 years.
Prior to that, I was head of workstation
development at Grumman Space Systems and worked on NASA
projects for the space station.
Prior to that, I was the head of research for the
Department of Transportation's simulated -- transportation
simulated, you know. Prior to that, I was a college
PARTICIPANT: Do you need --
MR. APOSTOLAKIS: Thank you very much. But this
is -- is usually very comfortable.
MR. APOSTOLAKIS: It's very comfortable.
MR. O'HARA: Okay. Today, I am going to report to
you on several projects that have been ongoing, related to
what Jack introduced as emerging technologies.
I have been working -- my NRC colleagues on this
project have been Jerry Wachtel (phonetic) -- on these
projects -- Jerry Wachtel and Joel Kramer, both who -- who
work for Jack.
And my Brookhaven colleagues are Bill Brown, Bill
Stubler (phonetic), and Jim Higgins. And together, we have
pretty much done this work.
Okay. What I would like to do -- you had asked
about three particular programs, but I would like to put
them in the context of -- of the larger picture in which
So I would like to give a little bit of background
to this area of work -- and I will give background to each
one of the individual projects -- a background to the area;
and then how we have gone about guidance development, you
know, what process and method that we followed, to give you
essentially a status report on the three project areas you
had mentioned, the alarm system research, hybrid human
system interface work, and interface management, which is
our more recent one.
And then, I will conclude by giving you the
current status of each one of these and the bigger, you
know, effort in which they are -- they are feeding.
Okay. By way of background, as you very well
know, plants are in a continuous process of modernizing. It
is modernizing in the I&C area that has -- it's -- the
biggest impact on the control room, development control room
design and the human-system interfaces that are in the
But plants do not only change the human-system
interfaces. These are the displays, controls, things like
that, that are in the control room. On the basis of I&C
modifications, sometimes there are modifications that are
made to that equipment itself.
So, for instance, it is -- you may have trouble
replacing components or maintaining the equipment, so it
gets replaced. And typically, when it gets replaced, it is
replaced with a digital system.
A lot of -- for instance, the older alarm systems,
it is very hard to maintain them with the old equipment, so
there are replacements that take on a digital flavor.
So new -- new human-system interfaces are
introduced into -- into the plant. And they bring along
with them, you know, characteristics, functions, features
that are different than the old equipment.
In addition to that, the complexity or the
complexion, I should say, of the control room changes. It
becomes one of a more hybrid control room where there is a
mixture of both the old equipment and -- and the new
And as we know, the extent of the modifications
can -- can range quite widely. It can be a, you know,
relatively small scale replacement of a particular
component; or in many plants, it is the introduction of
numerous new systems, and numerous new computer systems that
work their way into the plant over -- over time.
And then in the case of some plants, like Calvert
Cliffs, the control room modifications can be much more
Okay. The -- the overall focus for our work has
been, first and foremost, since it is largely our areas of
the emerging technology, to try to understand what those
technologies are, you know. How is the technology changing?
You know, how is -- how are display systems any different
today than they might have been, you know, 30 years ago?
Also what -- when these newer types of systems are
introduced, what kinds of problems might they create,
particularly those problems that might be different from the
problems that we were familiar with with the older
Okay. Since there are many, many areas in which
the plants are changing, to try to look at which ones we
ought to be focusing on and which ones might have greater
safety importance, and then since the research project could
not address everything, to try to prioritize them and look
at those which were more important; for those areas that
guidance development was identified for, to develop that
guidance; and then ultimately these individual efforts
result in -- in design review guidance.
The NRC already has design review guidance for
control rooms and -- and general human-system interfaces in
NUREG-0700. That document was revised a number of years ago
to address very general changes in human computer
interfaces, but not many of these trends that we will talk
So the repository of -- of the guidance that is
developed will be ultimately to be factored into NUREG-0700,
so it is all in one place. Okay.
PARTICIPANT: It's one of your favorite documents.
I mean --
MR. APOSTOLAKIS: Mr. O'Hara, do you expect the
introduction of digital to change the requirement on the
length of the cord of the telephone?
MR. O'HARA: Well, if you could show me that
requirement in NUREG-0700, I would like to see it.
MR. APOSTOLAKIS: Twenty-seven inches, I think it
MR. O'HARA: I don't think there is.
MR. APOSTOLAKIS: The emerging technology emerging
issues box is really intended --
MR. PERSENSKY: Excuse me, George.
MR. APOSTOLAKIS: J.
MR. PERSENSKY: You brought that up several times.
And I would like to get this on the record.
MR. APOSTOLAKIS: Okay.
MR. PERSENSKY: There is no requirement for the
length of the telephone cord in 0700, Rev 0 or in Rev 1.
MR. APOSTOLAKIS: So where did that number come
MR. PERSENSKY: I have no idea. But there has
never been such a requirement.
MR. APOSTOLAKIS: Okay. Maybe it was a goal. Was
it a goal perhaps?
MR. PERSENSKY: It may have been some --
MR. O'HARA: The goal is to go wireless.
MR. PERSENSKY: But -- but to have it on the
record, because it has been brought up several times in the
ACRS, and it is not true. So --
PARTICIPANT: Don't try to dispel our favorite
MR. APOSTOLAKIS: The -- the box on this big
picture that Mr. Rosenthal presented, you are working -- you
are contributing to the last one on the right that says
emerging technology, emerging issues, correct?
Now, it seems to me we have a box like that
because we really want to -- to support the other three,
don't we? Like reactor oversight process, plant licensing
and monitoring and risk informed -- so this should be then
one of the objectives of this -- of this work, to see what
new insights we are going to gain from this evaluation, so
that the other three boxes will benefit.
And you are addressing -- you will be addressing
that, or is too soon in the -- in the --
MR. ROSENTHAL: I -- I think it's implicit, you
know, I mean, the second from the left is the NRR
MR. APOSTOLAKIS: Right.
MR. ROSENTHAL: This is a direct user need to
provide review guidance to NRR so that they can do that
MR. APOSTOLAKIS: Okay.
MR. ROSENTHAL: And the reason, we broke it out as
emergent technology, we look at the RES's vision statement
that was prepared for the Commission, we said that we would
prepare the -- preparing the agency for the future, and that
MR. APOSTOLAKIS: Yes. But I mean, preparing the
agency in the other three areas; that is really what
preparing the agency means, right?
MR. ROSENTHAL: Well -- well, I'm not --
primarily, it is --
MR. APOSTOLAKIS: I mean, you don't care about
emerging issues unless they affect --
MR. ROSENTHAL: Safety --
MR. APOSTOLAKIS: -- the risk informed
regulations, NRR activities and so on.
MR. ROSENTHAL: Yes, sir.
MR. APOSTOLAKIS: Okay. Thank you.
MR. O'HARA: Okay. Just to give you a sort of a
high-level summary of the kinds of things we observed:
The trends -- the trends offer changes in -- in almost every
aspect of human-system interface technology. And many are
the very key -- very key interfaces that the crew uses, both
operations and maintenance crews.
It is -- it is -- it is the displays, the plant
information system, the way information is organized, the
way procedures are presented. It is the way controls can be
So the changes, the -- the digital changes and
upgrades that are occurring really impact on the very key
resources that personnel use to monitor and control the
We also observed, based on lessons learned from
both the nuclear industry and -- and other industries, these
technologies certainly have a great potential to positively
impact performance. You can do a lot with these
technologies. They are very flexible, that you can do much
However, they also have potential to severely
degrade human performance, to confuse operators, to make it
very difficult to complete tasks. So what we see is that
this technology, you know, has benefits, and it also has
MR. POWERS: Now, your -- your -- your words and
the words on the view graph are different. You --
you -- you were careful to say that it had a potential to
enhance, and it had a potential to degrade. And up on the
view graph, it says it can --
MR. O'HARA: Yes. Well --
MR. POWERS: -- as though there were some real
data that supported that.
MR. O'HARA: Yes. There is data that supports the
"can," and -- and if a new system is implemented in a power
plant, it has the potential to, depending on how it is
So this is a finding, but I am sort of saying
that as these technologies become, you know, implemented in
control rooms, we certainly want to be sure about the --
that they do not degrade human performance in any way.
MR. APOSTOLAKIS: Has this been observed in other
MR. O'HARA: Yes. Yes. As a matter of fact, it
was just -- I think it was last year, there was several
issues of Aviation Week and Space Technology that went into
the class cockpit problems, the problems with, for instance,
navigation errors with flight management systems that are
Digital systems, because of the way they operate,
typically create different ways you could make mistakes.
And oftentimes, they are not realized until they actually
get implemented in the systems.
So, yes, they -- this has been, you know, observed
in -- in many industries, and we drew a lot from -- from
MR. POWERS: I think there is a psychological
effect, which probably has somebody's name associated with
it, where something new comes in, things improve, and then
they degrade afterwards, familiarity breeding contempt or
something like that.
Is that -- is that something when you are saying
they improved -- you know, are we just looking at that
effect or --
MR. O'HARA: Yes, we did look at -- we did look at
the way technology is introduced in terms of temporary
changes, because as you can imagine, there is lots of
different ways you can do this.
You can develop a new system. You can put it into
a plant. You can run it in parallel with an old system.
You could put it in a training simulator first, have
operators, you know, get -- get thoroughly familiar with it,
and then at some point have a change-out.
We were looking at these things. In fact, we
continue to look at them, because there are many nuclear
plants right now, which are doing this. But, yes, there
is -- there is definitely, more often than not, the opposite
effect of what you have just described.
It is that there is an initial lack of
familiarity, even if you introduce them into a training
simulator first. You know, operators can get familiar with
it, but it is the day-to-day use that they do not have. And
it is a day-to-day use.
So you might see some errors in initial
implementation, not only by the human operators, but by the
implemented systems, you know, not being, you know -- bugs
creep up as things become actually used.
So I think the -- the greater concern is not so
much an improvement in performance initially and then a
tapering off, but rather an initial when it is introduced a
potential to degrade that performance for some period of
time until the familiarity and -- and bugs work out of the
Okay. With that as a backdrop, we had developed a
-- a methodology or, probably maybe better put is a process,
to develop guidance in -- in the various areas that -- that
I will tell you about.
And really key to trying to -- to establish this
process is to establish or to develop guidance which has --
has some validity. Now, I define validity in the context of
this work in two ways.
We talk about internal validity. Internal
validity refers to the -- the -- literally, the technical
basis on which guidance is developed. So if we are
developing guidance for, for instance, soft controls, you
know, what is -- what are the research studies? What is the
operational experience that we are using to formulate that
design review guidance?
So that is internal to the guidance itself, its
technical basis. So for the lack of a better term, I will
call that internal validity.
External validity has to do with getting some kind
of sanity check on the guidance. And that can be done in
several ways, tests and evaluations of that guidance through
field testing in actual power plants, by designing a system
using that guidance and then testing it, you know, in a --
in a facility, and peer review.
We extensively use peer review, and I will
elaborate on that in a second.
But what that does is, if you can imagine
especially in areas of emerging technology -- I mean there
may be a lot of research talking about, you know, the
different design characteristics of a soft control, for
And, you know, we analyze that and we go out and
we look at these systems and implementation, and we extract
out of that general principles. Well, those general
principles reflect our interpretation of that information,
so that is the internal side of it.
What we are trying to do then is we try to get the
external validation, to have this field-tested, reviewed, so
that to -- you know, basically to bounce it
off -- off real world systems, to try to assure that the
guidance is pretty much as good as we can -- we can get it.
MR. POWERS: If I --
MR. O'HARA: Yes.
MR. POWERS: -- come up with a -- with an approach
on guidance and I'm convinced of its internal validity and I
happen to be on Long Island and so I get a bunch of Long
Island people to peer review it, and what
MR. O'HARA: Yes.
MR. POWERS: -- and I take it down and apply it in
Georgia, am I going to run into a problem?
MR. O'HARA: If that is the way you did it, you
might very well run into a problem. But that is not the way
we do it. We try to get a more broad peer review than just
people from Long Island. As a matter of fact, it is not
people from Long Island.
MR. O'HARA: It is -- I will talk a little bit
more about that. I have a slide on the test and evaluation
MR. POWERS: Well, I mean, it comes into a
question that: Why is this -- in thinking about how we do
our research programs.
MR. O'HARA: Sure is.
MR. POWERS: I mean, these things get very
expensive to do. And some get very interested in doing
international efforts, especially in this area. You've got
the possibility of testing things at Halden --
MR. O'HARA: Yes.
MR. POWERS: -- where you can get a bunch of
Finnish operators come in -- or Swedish operators working on
a Finnish control room or something, some permutation of
that, with perhaps Italians doing the observation and -- and
British guys writing up the report.
The -- the question is: Is the information
transferrable, or is it just -- just hopeless?
MR. O'HARA: I do not think it is hopeless. And I
think what you have to do is you really have to look at what
your questions are.
I mean, there are certain aspects to control room
operations which -- which do not really change a whole lot,
whether you are dealing with the Halden type of control room
or -- or a control room here.
For instance, monitoring detection, you know, you
have resources that you use as an operator to monitor the
plant. You've got an interface that supports you with that.
You have an alarm system. The alarm system that is in a
plant in Lavisa (phonetic) is a lot like an alarm system in
a plant here.
Now, there may be significant differences between
them. But if -- if you can establish on the basis of the
problem that you are trying to look at, and for instance, we
did that. We did a study in Halden on alarm systems.
Alarm systems -- the use of alarm systems is very
similar in the two places. The types of technologies that
are available for power plants, both for what exists in the
plant today, as well as for upgrading, are very similar.
So for that, I would say, yes, you know, that kind
of generalization if you do it thinking about the different
ways in which the results could be -- could differ, you
know, you can put it on the table. You know, you can, you
know, evaluate it and see if you feel that it's a -- it's a
worthwhile piece of data to factor into a -- into a
MR. O'HARA: I guess I don't understand how I go
-- how I make that step. I mean, I -- I got a result from
Halden. And then you say, I don't know whether this
is -- is so overwhelming affected by culture, you know,
the -- just the fact that the educational systems and the
social interaction styles within the Scandinavian countries
are very, very different than they are in the Western part
of the United States.
MR. O'HARA: Yes. Yes.
MR. POWERS: I want -- but I want to apply to the
Western part of the United States. How do I decide what to
MR. O'HARA: Well, as a matter of fact you have
that problem for every single study you look at. I mean,
any given study constrains the real world parameters in
You -- you draw, you know, participants in a
project from a certain population. You are going to put
them, let's say, if it's a simulated state, you're going to
put them in a simulator. Well, that simulator has a certain
You're going to constrain other aspects of the
design, the interface itself. You know, you may be
interested in the alarm systems, like we were. But you
maybe try to hold everything else constant.
Well, that's going to be different than if I went
to -- to a simulator at TTC, or if I went to a simulator in
I mean, I -- I think -- I think what you try to do
is you try to interpret information research results in the
context of all the other research results you're looking at,
what the field is -- is evolving, you know, the field
You know, alarm system research as a -- to use the
Halden example for us, we did do a study of Halden.
And there is work going on elsewhere. So I mean you got to
look at the meaningfulness of that work in -- in the context
of the other findings that are out there. And then I think
you look at the operations.
If that -- if the part of the operations you're
looking at and the technologies that they're using, let's
say, for monitoring fault detection are similar, then I
think generalization is supported.
If they do something -- if you're trying to do a
study on symptom-based procedures, and you grab operators
that have never seen a symptom-based procedure, and now
you're going to do a study and draw conclusions, then I say,
"No. You can't."
That -- you know, you're now dealing with a
fundamental way that they operate that is different than the
population to which you want to generalize.
But I think you have to -- you know, in any given
study, you have to look at the parameters that can affect
the results and those include the operators, you know, what
their modes of operation are, where they come from, the
types of interfaces that they're working with; and you have
to consider all of those things, underlying process models
and their complexity.
I would rather do an alarm system study with
Finnish operators at Halden then I would with university
students at a light box simulator, you know, with just
lights going on and off, for a process that they learned in
two weeks, you know, on a simple simulation.
And I would rather do that, because it -- because
I know the problems with alarm systems involve alarm
avalanche, you know, a -- they're mounted alarms. I mean,
the key problems are alarm avalanche, numbers of alarms, and
linking that alarms to process information. That is what
the alarm system problem is all about.
So to understand that, you've got to look at how
operators receive this high-volume information and -- and --
and make fault detection -- take fault detection actions on
the basis of that.
So I think when you think of doing a study like we
did -- how are we going to do this study? I mean, those are
the kinds of considerations that we went into. And for our
work, Halden did seem like a -- a reasonably good place to
MR. PERSENSKY: In fact, for that experiment, we
went through a very formal process, that takes months to
select the location for the study.
MR. O'HARA: I mean, one of the driving factors is
we wanted to manipulate the alarm system in real time. I
mean, we wanted to be able to change out, so I mean Halden
provided a good facility to do that kind of work.
MR. WACHTEL: Let me just add a comment. I'm
Jerry Wachtel, the principal investigator, project manager
for the work that John is doing for us.
We are talking now about the research that was
conducted and the alarm system and -- and John and Jay have
talked specifically about the reasons we went to Halden.
The other side of this is the independent peer
review, the alpha testing, the beta testing that was done
for the development of Rev 12-0700 and will be done again
for the development of Rev 2.
I would argue that we have brought together
international experts, not just from Halden, but from EDF in
France, from Japan, from Korea, from many folks here in the
U.S., from Canada, and that the -- the robustness of the
guidance that we've developed is greater as a result of the
We're not limited to one nationality or one
culture. We've brought our own culture as well as that of
several other nations and operating systems to bear on this.
And I think our results are stronger as a result.
And I also think that the international -- I mean,
the standards world, in general, is going that way. I mean
the standards have more and more contributions from, you
MR. APOSTOLAKIS: Yes, I suspect that we've
exhausted this issue for today.
MR. APOSTOLAKIS: And now you have to rush a
MR. O'HARA: Okay. Okay. This is the overall
process. As I said, I want to say a little bit more on the
guidance development itself. Okay. I'll just step through
this very quickly.
We tried to use lots of sources of information,
many different sources of information. The reason they're
arranged in a sort of flowchart here is because we really
made a great effort to do it as cost-effectively as
As you go down the steps here, the guidance
development process becomes more and more effortful. You
know, if -- if you could adapt and modify, you know,
existing standards, they're already in -- in guidance form
and -- and the process of -- of converting it to review
guidance for our application is relatively easy, than if
we've got to analyze, you know, individual research papers
and things like that.
So that -- so basically, we're trying to establish
validity. And we're trying to do it as cost effectively as
MR. APOSTOLAKIS: HFE is Human Failure Event?
MR. O'HARA: No, I'm sorry. Human Factors
MR. APOSTOLAKIS: Oh.
MR. O'HARA: I apologize for that.
Okay. The test and evaluation phase, which
addresses the external validity part of it has multiple
layers to it. First of all, we have gotten feedback from
users internationally of NUREG-0700 and tried to collect
information from them about guidance use.
Each of the individual guidance development
efforts such as for alarm systems, for soft controls, each
one of them gets peer-reviewed itself. So as part of our
process, we send the original technical reports out for peer
When the guidance eventually gets integrated into
NUREG-0700, there will be a field tested evaluation, similar
as I've described before.
It will then go to a subject-matter expert panel,
which will include representatives of a cross-section of the
nuclear industry, utilities, vendors, et cetera; and then
ultimately, as you know, for public comment.
Okay. Okay. Now, I'm going to try to touch
briefly on each one of the projects that you had asked
about. Each one of them interestingly had a slightly
different origin, you know, a slightly different beginning,
although I believe every one of them, if I'm correct, were
tied specifically to user needs.
Alarm system work: We had an alarm -- a project
to look at computer-based alarm systems and we published
some preliminary review guidance from that in this document,
which is listed here, NUREG-CR-6105.
However, there were certain -- several areas that
we felt were very significant and were not being addressed
-- or were not addressed adequately. And those -- those
areas dealt with the key issues that I've described before.
You know, the -- the really key human problems
with alarm systems are the numbers of them, how quickly they
come to you, and relating them to what's going on in the
So the focus of the work that we're currently
doing is on alarm processing methods. These are the -- the
algorithms and processing that is done on the alarm
information before it gets presented to the operators. And
most of those processes are done in an effort to reduce the
number of alarms.
How the alarm information is displayed: If you go
and look at any new alarm system, you'll see it is displayed
a lot differently than the old ones were in terms of the
light -- you know, the lighted tiles sweeping across the
Alarms now are presented as combinations of
message lists. They may be integrated into process
And the other is alarm availability. If you're
using alarm processing routines -- I mean, if you're
analyzing that alarm information to reduce the number of
alarms, you've got to decide what you're going to do with
those alarms that are lower priority. Do you take them out
completely? Do you present them? And that deals with the
issue of availability.
Okay. To do this phase of the project, we relied
largely on two sources of information. One is a source we
always use, which is to look at all of the technical
literature available to us.
But in this case, we also did the simulator
experiment that I described before at Halden, where we
systematically manipulated these alarm system
characteristics and measured their effect on -- on operator
And we tried to interpret those results in the
report we wrote in the context of the other literature
that's available; again, not looking at it in isolation of
The results of that were basically that we
developed a characterization of alarm systems. The
characterization is an important step in the process. Let
me just mention quickly what that means.
When we say alarm system characterization, as you
know the staff is -- has to review many different types of
alarm systems. So what we try to develop for each
technology area is a description of the generic
characteristics and functions of that system that the staff
would want to -- to look at. So we developed that for alarm
systems. It includes processing and things like that.
We also used the opportunity to do some
confirmatory research on the existing guidance, as we
actually used some of the guidance that we have developed
in -- in the 6105 document, and used it to help design alarm
features for the -- the Halden tests.
We were able to use the results to clarify and
revise some of that guidance that we used as part of the
confirmatory aspect. And we were able to, using the
results, develop some new guidance in the area of -- of
alarm prioritization display and processing.
Okay. In the area of the hybrids -- okay, the
hybrid project grew out of a number of the technology gaps
that we identified for the first revision of NUREG-0700.
There are a number of technology areas that we
looked at that we didn't feel at the time there was a
sufficient technical basis for us to develop guidance.
It included topics like the ones listed below.
However, it included a lot -- several additional
topics as well. So what we did is we went through a process
of trying to look at how we, you know -- to prioritize these
in terms of what potential impacts they could have on plant
To do that part of the analysis, what we did is we
took all the original topics and we tried to evaluate them
using an approach very similar to what EPRI recommended for
the licensing of digital upgrades, which was a 5059 type of
And what we constructed was a baseline plant
condition, which was the plant, you know, unmodified. And
then we assumed that we made certain modifications to the
plant, such as the introduction of a new computer-based
information system, a new display system.
And then we -- we provided descriptions of those
systems. And we also described -- identified the typical
types of human performance problems that one can have, if
those systems are implemented, you know, poorly, you know,
"What kinds of human factors issues are there?"
We then had those questions, you know, from the
5059 process looked at using PRA analysts, system analysts
and operations analysts.
Then we used that process to try to identify which
of these topical areas that we might consider developing
guidance, but which were most significant. And these were
the ones that emerged as being the most important. And
these are the ones that we eventually undertook guidance
development efforts for.
Information systems has to do with the ways in --
the new ways in which information is portrayed to operators.
It was Jack, I think, who mentioned before higher optical,
higher level displays.
There is also a lot of use of graphics to try to
portray information in graphical terms so operators can more
readily understand it; computerization of procedures
including emergency operating procedures; soft controls,
operation of equipment using, you know, display type of
controls, going through your computer; maintenance of
digital systems; and then the whole modernization process,
how the -- how operators input factors into the development
of a modernization program, and how those systems are
integrated into the existing equipment, which is now very
different than it is, and how it's introduced into
Okay. The most recent one for us and, I guess,
the last one is the interface management area. Let me just
explain what this is for a second.
You know, operators are in the control room to
monitor and control the plant. That is what they are there
for. They monitor. They detect disturbances. They do
situation assessment if things aren't quite right. You
know, they plan responses and they take actions if actions
Okay. We would just for the sake of argument call
those primary tasks. Okay. To do that, operators have to
do other things. They have to do what we call secondary
With these new types of systems, computer-based
systems, those involve things like navigating to
information. They involve things like specifying what
parameters you might want on a trend graph; configuring a
work station; manipulating windows.
It's doing a lot of tasks at the interface, which
aren't really involved in -- in monitoring and controlling
Now, these -- these types of activities, which
increase in number with -- with new digital systems became a
specific concern to NRR.
Through tests and evaluations that were done with
some of the advanced reactors that employed a lot of these
systems, results were showing that operators were spending
lots of time, 40, 50 percent of their time just doing these
tasks, not concentrating on -- on the plant.
So we set out to look at whether or not this had a
-- an effect, and what those effects were. Okay. We used a
variety of lessons learned from -- from other work we had
done, plus we conducted a number of site visits, walk
throughs, interviews with operators of systems, you know,
these computerized systems.
And one thing we tried to do was model human
performance. We tried to see, "Well, what would the effects
be if -- if this were to negatively impact human
performance?" and then to identify "What are the key design
features in these new digital systems that create these
Okay. Okay. In terms of modeling the effects, if
you think of yourself as having a certain amount of
attention, which you do -- it is not infinite; it is finite
-- you need to allocate that attention to the various tasks
you have to do. Okay.
So the way I divided up the operator's tasks into
primary and secondary, operators have to think to some
degree about what's happening in the plant, and they also
have to think about what they need to do at the work station
and at their interface to get the information that they
need. Those are -- the -- the secondary or the interface
Okay. Given that people only have a certain
amount of attention -- it's not infinite -- you can look at
the trade-off that occurs when I allocate my attention one
way or the other.
The NRC's original concern -- and I think the
original concern of many researchers in this area, is that
because we have designed, or we're beginning to introduce
systems that provide vast amounts of plant data, you know,
maybe thousands of display pages, and they get to look at
them through maybe three, four, five CRT's, it's a lot of
time that they spend going and getting out that information
and -- and bringing it up.
Okay. So what we're trying to look at is what --
what are the effects of the allocation, the trade-off the
operators have to make between, you know, getting that
information and -- and monitoring and controlling the plant.
Well, the original concern was this end here.
Now, if you just look at this, it's -- you have so much
cognitive resource, you can supply them to the primary task
where you're not going to do interface management at all.
Okay? So it's low here, high here. (Indicating)
Or you can allocate all your resources to fishing
around for information and not really a lot towards
monitoring and controlling the plant.
And so what we hypothesized is that there were a
number of different effects that could occur. This is
Operators could allocate no -- very little
resource to manipulating the work station, go with what they
have on the screens. Even if they know it's not the best
information, they just may go with it, because they're
trying to diagnose or do something like that.
On the other hand, operators may feel, "Well, gee,
I don't really have the information I need." And now, they
go off on a hunt to get it and to set it up and to configure
their work station to do their tasks where they're way up
Now, performance can suffer at either of those
ends. Performance can suffer down here, because you're
working with a limited set of data. You don't have the
right information you need. And I -- we call that the data
Okay. They could also allocate all their
resources to interface management or an exorbitant amount
where plant performance suffers because they're no longer
aware of what is going on in the plant.
To real operators, there is a happy medium between
where the plant performance is probably optimal, where they
have to share some of their time getting -- you know, doing
these interface management tasks and some not.
Now, the original concern in most of the
literature was this area here. (Indicating) To have all of
the flexibility and presenting the information in these
things is going to drive operators to spend so much time on
that, they can't pay attention to the plant.
Interestingly enough, when we looked at the
literature, we found evidence in both areas. In fact, we
observed in our own studies and then there was a big study
done in Europe by Herzlinger (phonetic) and Herbert where
they looked at digital upgrades to many kinds of plants, not
just nuclear, but fossil plants.
And one of the findings that comes out of that is
that operators very much realize this trade-off that they
have to make. And very often, when things get busy, they
cease doing the interface management tasks. They just don't
do them anymore.
They -- they know there is additional
alarm -- alarm information they could get, but they don't
get it. They stick with what they have, because they're
trying to concentrate on their tasks at hand; or they may
know, "There is a better display I can get, one that is more
appropriate, but I don't want to take the time to go and get
So operators sort of work their way, you know,
back and forth this curve based upon, you know, their
judgment of how good a fit the information is.
Now, what's also interesting is this has a lot of
design implications, because you ask almost any designer of
a power plant, "How did you decide how many displays to put
Well, that's usually something they decide right
up front. "You know, I'm going to -- I'm going to provide
If you ask the question, "Is six CRTs enough,"
there is really -- they don't -- haven't really thought that
But if operators do and -- and by the way, the
reason they don't worry about how many CRTs is because
they've provided the pictures in the information system.
All the operators have to do is go and get them. So they
don't need a lot of display area. But, in fact, what we're
finding is that operators won't always go and get it. And
they know it.
Now, we -- in two of the studies we did, our alarm
system study and our -- and -- and our -- well, I didn't
mention it, but we did a study of control and modernization
program that is going on now.
Operators don't get this additional information,
even when they know it's there. So -- and it turns out the
key design characteristics that drive these interface
management effects are the volume of information. You know,
how much is really in there that you can go and access, how
This is a very interesting thing, too.
Information has tended to be organized in these computer
systems like they were organized in the old plants. You
know, when the designers went to computerize them, they took
the boards and they stuck them in the computer.
But, in fact, if all you have is three of four
CRTs to look at, and your task required you to go across
systems, there is a tremendous amount of fetching displays
and -- and stuff that you have to do.
So we in some ways have made jobs a lot harder.
And this was a -- a prominent result of the upgrade study I
mentioned before by Herzlinger and Herbert, that operators
found these information systems often very difficult to work
Okay. The feature display area, I mentioned;
navigation design, like the features that are in the system
for the operators to get additional information.
And this last one is interesting, too. And you
all probably work with PCS that have tremendous flexibility.
You can do tons of things with them. How much of the
flexibility do you use? Operators are no different.
They don't use -- a lot of designers say, "Well,
I'm not going to make this design decision, because I'll let
the operators do it. The operators know what they'll need
at a certain time. We'll let them construct the display."
So that's like allowing the operators or wanting
the operators to finish off the design process. Well,
that's overhead and workload that a lot of times they don't
want. I mean, they may want it, for not time critical
things, but the amount of HSI flexibility that is built into
the system can often be a real problem for the operators.
So -- so their -- some of the effects are very, very
interesting in this area.
Okay. Just to give you an update as to where we
are, the hybrid studies I mentioned before, they are all
done. Those reports will be out, I think, in March, this
The alarm system reports, they're in final NRC
review and should be -- and they've already been
peer-reviewed. They're now just in the final NRC review.
They should be published in a couple of months, I think.
The interface management work, we're still working
on the -- the guidance development part of it. What I
showed you was some of the technical basis information.
We're still in the last few efforts of -- of trying to
develop guidance from that.
And then in terms of the bigger picture, when all
of the guidance comes out of these documents and into the
NUREG-0700 document, that's a process that actually has
started to happen already. And we expect a draft of that
document to be available this summer for field testing and
then the workshop and things to follow after that.
MR. APOSTOLAKIS: Thank you.
Any comments from the members?
MR. POWERS: I just wondered a -- a study was
mentioned by the speaker just right at the end. I can't
reproduce the names --
MR. O'HARA: Oh, Herzlinger.
MR. POWERS: Herzlinger. Do we have a copy of
MR. APOSTOLAKIS: Let's make sure that Mr. Dudley
MR. O'HARA: I can send you a copy, sure.
MR. POWERS: I think it will be useful to examine
that one. It sounds like --
MR. APOSTOLAKIS: Yes.
MR. O'HARA: Yes. It's a very fascinating study,
because it's a case study.
MR. POWERS: There was some interesting --
interesting events in the Dewie (phonetic) Complex when we
were still running reactors that illustrates both extremes
that you -- you talked about there --
MR. O'HARA: Yes.
MR. POWERS: -- both getting so absorbed
into -- into the paging process on the computer screen that
you don't notice that they had a reactivity incident going
MR. O'HARA: Oh, it -- it really is
MR. POWERS: -- though it's hard to miss.
MR. O'HARA: It really is very interesting. The
Herzlinger study, they didn't even set out to look at this.
I mean, it -- this was a by-product of -- of just looking at
lessons learned from these things.
And -- and we kind of saw it at the right time,
because we were just thinking of these. So it's -- it's a
-- it's a good study, because it's -- it's a field type
MR. APOSTOLAKIS: Okay. We'll take a short break.
(Thereupon, a short break was taken, after
which the following proceedings were had:)
MR. APOSTOLAKIS: So would you tell us a few
things about yourself first?
MS. BIER: Sure. I'm -- I'm a faculty member at
the University of Wisconsin with a joint appointment in
industrial engineering and engineering physics, which is
where the nuclear power -- nuclear engineering program is
housed. I have an extensive background in risk analysis.
I also would like to introduce the -- and
acknowledge the members of my project team. James Joosten,
who is here back in the corner, is a consultant with
extensive experience in the nuclear power industry who
helped us with the United Kingdom case study that you'll
The other three individuals here are with
Christensen Associates, which is a leading economics
PARTICIPANT: And your team won the Rose Bowl.
You forgot to tell us that.
MS. BIER: That's true. And my team won the Rose
MR. APOSTOLAKIS: Do we have a copy of
MS. BIER: You should. There were copies around.
I don't know whether they still need to be distributed.
But, yes, you do have copies.
Also, I want to acknowledge the NRC folks who have
supported this effort, Paul Lewis, Jerry Wachtel and, back a
couple of years, J. Persensky was also involved in getting
the initial idea for this study underway.
To lay a framework of what we actually did and
what the purpose was, when the study first got started, we
decided that it made sense to take a historical case study
approach to looking at deregulation in order to maximize the
reliance on empirical information about what actually
happened in other deregulated industries.
So we based our studies on a combination of
literature reviews and interviews, depending on the
availability of the information in each industry.
We chose three case studies, basically for their
relevance to the U.S. nuclear power industry and the safety
significant issues involved in those industries.
Those were deregulation of the U.S. air and rail
industries, back about 20 years ago, which were extensively
studied; and restructuring of the U.K. electricity industry,
which involved both deregulation and also privatization.
The purpose in our scope of work was essentially
to develop a complete list, or as complete as possible, of
the changes that were observed in these case study
industries that were relevant to safety -- so we weren't
limited to human factors or human performance issues, but
also organizational and equipment reliability issues -- but
with a charge to emphasize those changes that had possible
negative impacts on safety, recognizing that some changes
could also be beneficial to safety.
First with regard to the time scale, I wanted to
point out that adjusting to deregulation is a lengthy
process. Even though the air and rail industries were
deregulated by now more than 20 years ago, by many views,
they are still evolving in response to deregulation today.
And there is a lengthy learning curve associated
with deregulation. Companies do not emerge immediately
after deregulation knowing how to compete effectively and
safely in a deregulated competitive market.
One example, although it's not safety critical
from the airline industry, one of the -- our interviewees
told us that in the air industry, the major airlines used to
turn over their aircraft after six or eight years, sell them
at bargain basement prices, typically into secondary
markets, either cargo operations, third-world passenger
service, that type of thing.
After deregulation, for several years, they
continued selling their aircraft after six or eight years at
bargain basement prices, but now were selling them to their
direct competitors who were using them to pound them into
the ground economically.
And there was apparently a luncheon speaker
talking to an airline executive's group at that time who
commented that the airlines would have actually been better
off taking their planes out into the desert and blowing them
up than selling them to their competitors. But it took
awhile for established ways of doing business to change in
response to deregulation.
With regard to overall safety performance,
economic deregulation does not necessarily lead to a decline
in safety overall. In fact, both the air and rail
industries in the U.S. had, by many standards, better safety
records after deregulation than before.
In the U.K., it's a little harder to judge,
because fortunately we don't have nuclear accidents that we
can count up in our estimators, but there is evidence that
plant managers in the U.K. did focus more intently on issues
such as regulatory compliance and equipment reliability
However, the magnitude and speed of the changes
associated with deregulation pose substantial challenges to
safety management; and as a result of those challenges,
there were safety problems identified in all three of the
case studies that we looked at.
One thing that one can expect in response to
deregulation is major reprioritization of expenditure and
investment from the traditional patterns within the
Several examples of that, in the airline industry,
the airlines substantially lengthened the intervals between
engine maintenance after deregulation. In that particular
instance, they did not experience a higher rate of engine
failures, so that suggests that they appropriately
reoptimized their maintenance policies.
There were dramatic changes in investment in the
rail industry. They cut staffing by about a factor of two
after deregulation, and used both the savings from staff
reductions and other profit improvements to plow more money
into track maintenance, increased their track maintenance by
a factor of five.
And it's generally accepted that the better track
quality resulted in significant reductions in major
collisions, derailments and that type of thing.
The nuclear power industry in the U.K. also
downsized dramatically after deregulation, I believe, an
order of magnitude of factor of two again. Coupled with
increase use of contractors, there the safety picture is
maybe a little more complex.
So one can expect to see major changes in patterns
of expenditure. Not all of those changes will necessarily
be adverse to safety.
But there is certainly the potential for adverse
consequences if companies go too far in cutbacks in safety
critical areas, especially where they may not get immediate
feedback that they've gone too far or may have a hard time
correcting the changes after they've been instituted.
We also found in all three case studies that
deregulation creates major challenges to the maintenance of
an effective safety culture within the industry.
In both the aviation and rail industries, there
were a number of safety problems associated with corporate
culture in the aftermath of major mergers and acquisitions.
And we certainly seem to be seeing a lot of those in the
nuclear power industry today.
The most dramatic of those was the merger of Union
Pacific and Southern Pacific Rail a few years ago. It
resulted in several fatal accidents in the few months after
Also, a lot of freight -- if people were reading
the Wall Street Journal around that time, a lot of freight
was sitting around idle on railroad tracks not being
delivered on a timely basis.
And Peter Passell, the -- a New York Times
economics writer, specifically attributed that to clashes in
the safety cultures and philosophies of the two
organizations involved in the merger.
In the airline industry, new entrant airlines,
Sukipeeco (phonetic) Express and Valuejet type also had
significantly worse safety records, roughly in order of
magnitude worse than the established airlines. Many of
those problems appear to be corporate culture problems.
For example, a new airline might know that it
needs to have a training department, because that's an FAA
requirement. But it may not have a full understanding of
what characteristics an effective training program really
needs to have. So it may have a training department that
exists largely on paper.
There is also some evidence, although
obviously, it's very hard to document, but in the rail
industry interviews, several individuals suggested that
there is greater pressure to under-report minor accidents
and injuries after deregulation than before, things like
And there, again, I think we can see some possible
analogues in the nuclear power industry today.
For example, the incident-free clocks that are being
established at some power plants, while they provide a
positive incentive to achieve safe performance, they also
provide a disincentive to report minor problems.
If I caused -- if I made a mistake that didn't
have any severe safety consequences, nobody saw me do it,
I'm not going to want to report on myself if that's going to
set back the incident-free clock after nine months of
incident-free operation, for example. So there are some
possible issues involved in reporting.
In the U.K. nuclear power industry, the major
corporate culture concerns raised by the regulators there
had to do with the use of contractors, things like loss of
institutional memory, also the fact that contractors did not
necessarily have the same safety culture as the licensee's
And as a result of these kinds of problems, safety
regulators in both the U.S. rail industry and the U.K.
nuclear power industry have found it advisable to begin
requiring prior regulatory review of major organizational
In fact, that's already official in the U.K. in
their license condition number 36. And I'm not sure whether
it's official or -- or still just proposed in the Federal
In both the aviation and rail industries, there
were significant statistical studies on the association
between safety problems and financial difficulties, which
generally suggested that, yes, there was a correlation, that
companies in financial difficulty tended to have worse
The link appears to be strongest for small
companies and companies that were actually unprofitable, as
opposed to only marginally profitable.
Nancy Rose, who did probably the best work in that
area in the aviation industry, actually concluded that more
intense regulatory scrutiny of financially marginal air
carriers would, therefore, be advantageous from the point of
view of safety.
And because companies in financial distress may
have an incentive to cut corners, it's possible that
financial distress would be a leading indicator of safety
problems in the nuclear power industry as well.
Significant concerns were raised regarding
downsizing and fatigue in both the rail industry here and
the nuclear power industry in the U.K.
In the rail industry, many of the problems
surfaced as a result of major accident investigations in
recent years that attributed causes of those accidents to
inadequate staffing, inadequate supervision and fatigue.
Again, many of these problems surfaced in the aftermath of
major mergers and merger related downsizing.
In the U.K., regulators raised concerns that
downsizing led to loss of institutional memory and excessive
reliance on contractors. In some areas, the utilities may
no longer have had any in-house expertise in a particular
area and be entirely reliant on contractors, which raised
questions about whether they could really be intelligent
customers and adequately supervise the work of those
It's interesting how that came about. According
to the interviews that Jim did with British Energy, it
appears that they were anticipating work load reductions due
to efficiencies, economy of scale, integration of safety
functions; announced various severance packages and
agreements; and then found out that the efficiencies, even
if they may be realized eventually, did not come about quite
as fast as they anticipated. In the meantime, they had key
personnel finding other jobs and got themselves into a bind
MR. POWERS: May I ask you a question about this?
MS. BIER: Yes, absolutely.
MR. POWERS: When you say federal investigations
have identified inadequate staffing and fatigue as
contributing factors, how do you know that fatigue is a
MS. BIER: I would have to go back and look at the
details of what's done. In the rail industry, the fatigue
problems are actually really dramatic relative to what they
are in most other industries.
Rail freight operations have no fixed schedules
whatsoever. People work entirely on call and around the
clock. So they may work, you know, from 2:00 a.m. to 10:00
a.m. on Tuesday, then from 8:00 in the morning till 4:00 in
the afternoon on Thursday, and, you know,
with -- with only two hours advance notice. So the fatigue
problems are much more dramatic probably in the rail
industry than in some others.
But I would have to go back and look at the
details of the investigations to know how they determined
that fatigue was a contributor.
MR. POWERS: Well, may I ask the same question?
MS. BIER: Yes.
MR. POWERS: You have "excessive reliance on
contractors," how do I know that reliance is excessive?
MS. BIER: Jim, do you want to take a stab at
that? How did the NII determine that reliance was
MR. JOOSTEN: Well, I'll tell you roughly how they
MR. APOSTOLAKIS: Excuse me.
MS. BIER: I'm sorry.
MR. JOOSTEN: I'm sorry.
MR. APOSTOLAKIS: Come up here.
MR. JOOSTEN: Okay.
Jim Joosten. I'll tell you roughly how they sort
of got tuned into it was through a series of interactions
with the licensee, in which case the regulators would sit on
one -- on one side of the table, and the licensees were on
And they asked a series of questions and almost
every question that they asked the licensee, he had to turn
around and ask his consultant what the answer was.
And at that point, NII started to get suspicious that --
that the licensee was no longer an intelligent customer for
And so they've gone through a process of trying to
evaluate just what constitutes an intelligent customer.
"What -- what does the licensee need to know in order to
uphold his responsibilities as a licensee?"
because ultimately he holds the -- the responsibility for an
accident. It can't be waived off to a third party.
MR. POWERS: What I'm interested in is what
"excessive reliance" is, not what constitutes a good or bad
MR. JOOSTEN: A -- just to give you some examples,
one of their concerns was -- was that you would have a
safety function critical upon a -- and you had no staff that
was cognizant of how to perform that safety function.
For example, they had some graphite experts, who
the company had lost, and now were relying upon contractors
for this expertise. But the -- the problem is that the
company lost control -- the licensee lost control over the
availability of that contractor, because that contractor
could say, "A, you're not paying me enough money," or "B,
I'm committed to somebody else this week."
And so that -- that's a situation where the
expertise was outside of the licensee's direct control when
he needed it.
Another case is -- is, for example, even with
their own staff, if -- if they downsize and now you've got
one fellow trying to -- to work the job for two units, he
might no longer be available when he was needed on one
particular unit. So it -- it -- those are two --
MR. POWERS: That's an availability issue, isn't
MR. JOOSTEN: Yes. But -- but, you know they're
-- they're still -- I would say they've gone through four or
five different drafts of what constitutes an intelligent
customer and even within NII, one department may say
something different than another department at this point.
They -- they're still trying to define it. But --
MR. POWERS: That doesn't occur in the NRC.
MR. APOSTOLAKIS: Well, this is really
interesting, though, because --
MR. JOOSTEN: It's real interesting, yes.
MR. APOSTOLAKIS: Do you mean the NII is going to
check to see what the licensee knows?
MR. JOOSTEN: What they --
MR. APOSTOLAKIS: I can't see us doing that here.
MR. JOOSTEN: Let me just -- let me just -- yes,
let me just say that it's actually pretty similar to what we
do, but the NRC takes what I would call pretty much a
If you look at our FSAR, for example, it's
voluminous; 99 percent of it is hardware. There is just a
few pages dealing with the management organization.
But in the -- in the U.K., they realize that the
safety management was just as critical as the hardware. And
so they've now gone back and required them to define what
constitutes the -- the safety basis, the -- the human side
of the equation. So -- so, you know, how many engineers do
you need, and what functions are -- are safety-critical
So they -- they -- like we do with -- with safety
injection pumps, they've asked them to do the same sort of
an analysis in terms of the human input into safety.
And now they've checked the deltas against that.
If the licensee proposes a change to downgrade the staff or
to reorganize the safety functions, they now check the
before and the after, and try to -- and -- and require the
licensee, like we would in a 5059, to -- to look at the
impact of this change in -- in -- in human -- in human
safety and in the organization before they make the change
and not afterwards.
We sort of operate here sort of retrospectively
waiting for millstones to happen and then go in and try to
clean it up.
So that is really revolutionary, I think, what --
what NII has -- has done here in terms of putting a whole
new focus on the human factor as opposed to just hardware.
PARTICIPANT: You're making him hard to live with.
He's going to quote that back to us.
MR. APOSTOLAKIS: I want a copy of the transcript
as soon as it's available.
MS. BIER: There -- in both the rail and the U.K.
nuclear power industry, safety regulators have also raised
concerns about increased use of overtime after deregulation
and, in some cases, also under-reporting of overtime, which
leaves the regulated party in a situation where it may not
know how much work is really required in order to perform
certain tasks if it's not reported accurately.
With respect to the experiences of safety
regulators, there is some evidence that deregulation does
result in increased workload for regulators.
In the airline industry, the FAA underwent
significant staff and budget cuts right around the time of
deregulation -- very reminiscent of what we're seeing now at
the NRC -- and later found out, somewhat unexpectedly, that
its workload had increased quite dramatically, and that it
really no longer had the staff to cope with the increased
A number of observers of deregulation, some of
whom were very strong proponents of deregulation made
comments around that time, 1988-1990 time frame, that if the
industry had experienced overall increases in accident
rates, Congress would have borne a significant share of the
responsibility for not allocating sufficient staffing and
resources to the FAA to ensure a safe transition to
deregulation. In the --
MR. APOSTOLAKIS: But since these accident rates
MS. BIER: Yes.
MR. APOSTOLAKIS: -- have not gone up, does
Congress and the Department of Transportation -- do they
deserve praise for doing -- maintaining safety, and at the
same time reducing expenses? Why don't they say that?
PARTICIPANT: Good question.
MR. APOSTOLAKIS: In fact, that's an observation.
It's a statement of fact.
MS. BIER: Well, they did reduce cost, but it did
come at a cost in lives, in fact. There are specific
examples that you can find, primarily in the new entrant
airlines, of accidents that happened because of inadequate
oversight or where inadequate FAA oversight may have been a
And I think that it is in -- in the aviation
industry, they were able to withstand that impact because
the new entrant airlines never carried a significant
fraction -- a large fraction of the passenger miles, and the
improvements in other parts of the industry sort of balanced
out the overall safety record.
I'm not sure that we in the nuclear power industry
can afford to have a segment of the industry that is
operating in an unsafe manner.
But, yes, their -- they managed -- one example of
the kinds of management techniques the FAA had to rely on in
order to manage its workload, they need to give check rides
to pilots in order to qualify them for new aircraft and when
they change airlines.
And there was such great turnover in the industry
that the demand for check rides grew beyond what the FAA
could do. They licensed pilots within the individual
airlines to deliver check rides for their own airlines.
And as you might expect, there were occasional
instances of abuse, of pilots signing off on check rides
that had never been given. So, you know, they managed their
workload, but it did come at some price in terms of safety.
In the U.K., the situation was a little different.
There, I think the nuclear installations inspector
recognized in advance that they would require additional
resources to deal with the transition to privatization.
They staffed up rather modestly, but they
recognized that they had to free up some senior people from
routine inspection duties in order to think about more
In addition, as I mentioned earlier, because of
the importance of organizational factors and safety culture
types of issues in deregulation, safety regulators in both
the rail and the U.K. nuclear power industries have begun
requiring prior regulatory approval of major changes.
In the rail industry, that has focused on prior approval of
major mergers of which a number are currently being
In the U.K., the effort has focused mainly on
downsizing, outsourcing and staffing changes, but I think
would be considered to apply to things like mergers and
consolidation of safety functions and so forth.
In both industries, the approach being take is not
prescriptive. The agencies are not prescribing how
regulated parties shall achieve management of safety, but
are basically requiring regulated parties to demonstrate
that they have an adequate plan for managing safety after --
through the transition to these organizational changes.
As is true in any case study, the case studies
that we looked at, deregulation is not a perfect, natural
experiment. In each case, it was confounded with other
factors, some of which were favorable to safety, which might
have compensated for adverse effects of deregulation.
MR. POWERS: I guess I don't understand that. Like
the first one, it says "decades-long trend of improving
MS. BIER: Yes. Yes.
MR. POWERS: -- "may have masked adverse safety
consequences of deregulation." What may not have, too? I
MS. BIER: Right. We don't know --
MR. POWERS: -- what is the --
MS. BIER: Well, the -- we don't -- it's -- it's a
hypothetical question whether safety would have improved
faster or slower in the airline industry in the absence of
deregulation. But they were riding -- this -- this slide, I
think, is actually not in your packet. (Indicating) This is
But they were riding a very significant trend of
improving safety at around the time of deregulation, around
1980. And it's quite possible that that trend would have
been, you know, even more rapid in the absence of
MR. APOSTOLAKIS: So put that back up there again.
MS. BIER: Sure.
MR. APOSTOLAKIS: The rest of the -- where does --
where does the curve go?
MS. BIER: Well, they're -- they're trying to
drive it as close to zero as they can.
MR. APOSTOLAKIS: No, I know. But on the left, in
the 61, 59 to 61 -- my goodness, look at that.
MS. BIER: That -- the heavy line is U.S. and
Canadian. And, in fact, there are some specific examples of
the kinds of technology changes that came in around the time
of deregulation in the airline industry.
That's when you saw the advent of crew resource
management techniques and training. It's when you saw more
widespread use of high-fidelity flight simulators in
training, improved engine reliability, also improved
preventive maintenance practices, and knowledge base for
So there were a number of major technological
changes, some of which may have been accelerated by
deregulation, but some of which may have been just
technological inevitabilities that helped mask adverse
effects of deregulation.
MR. POWERS: Well, I mean, even if they did mask
MS. BIER: Yes.
MR. POWERS: -- the effects -- the effects could
not have been very big.
MS. BIER: Right. That is certainly true.
MR. APOSTOLAKIS: I guess it's just a caution.
MS. BIER: Yes. It's a caution.
MR. APOSTOLAKIS: It's a caution.
MS. BIER: In the rail industry, deregulation led
to significantly improved profitability of the rail
industry. That's due to the specific nature of the economic
regime that the -- that the railroads were operated under
prior to deregulation, which prevented them, for example,
from abandoning unprofitable routes.
And so a lot of the improvement in safety is
attributed to improved financial profitability that made it
possible for them to increase their maintenance
In the U.S. nuclear power industry, some plants
may be financially better off after deregulation than
before, but some are probably going to find deregulation
financially very stressful.
Rail safety -- rail deregulation also took place
at a time when the Federal Railroad Administration was for
other reasons becoming much more activist with respect to
In the U.K., there are a couple of factors. One,
which I mentioned earlier, is the fact that the nuclear
installations inspectorate was very actively involved in
planning for and overseeing the transition to privatization,
which presumably would have had some beneficial effects.
In addition to that, the years immediately
following nuclear power privatization in the U.K. were
accompanied by extensive financial subsidies for nuclear
power, and so the cost-cutting pressures might well have
been much more dramatic in the absence of those subsidies.
So, yes, I think George phrased it appropriately,
that these are some cautions in interpreting the results.
And as a result of these kinds of factors, we
cannot necessarily conclude that safety improvements similar
to those observed in the aviation and rail industry will
necessarily be observed in the nuclear power industry after
MR. POWERS: When Tony Pratangellia (phonetic)
comes and talks to me --
MS. BIER: Yes.
MR. POWERS: -- he puts up slides that say,
"Everything is much greater. It's -- it's terrific." They
look a lot like your airline slide.
MS. BIER: Yes.
MR. POWERS: They come screaming down and they're
down in the noise, and I mean, it's hard --
MS. BIER: Yes.
MR. POWERS: You don't believe they can change
those numbers very much.
MS. BIER: Yes.
MR. POWERS: So why do you -- why are -- why do
you say that the safety improvements couldn't occur? I
mean, it sounds like they are occurring. Certainly, we see
people doing outages now in much better fashion than they
did before, driven by the economic cost of doing an outage.
MS. BIER: Yes.
MR. APOSTOLAKIS: It might not be safer.
MS. BIER: It might not be safer. Some of the
case studies that were just discussed earlier --
MR. POWERS: I think they'll make an argument that
they are. And I think you -- they claim that they can show
me plots that will prove to me that it's safer. I haven't
seen the plots, but I -- they claim that it can be; and
assuredly they seem to be going out of their way to avoid
MS. BIER: Yes. I think that there is an
incentive for the utilities to -- to avoid risk and
regulatory shutdowns in the aftermath of deregulation. And
that incentive is probably greater than it was previously.
There are also some pressures to cut costs and
possibly some learning curves along the way to learning how
to do that appropriately.
And I certainly cannot stand here and argue that
the industry will not maintain the trend that we've observed
over the past ten or twenty years of improving safety in
particular areas. But I wouldn't want to give a guarantee
that they will, either.
MR. POWERS: Well, I see the industry -- industry
leaders on -- on a relatively regular basis announcing that
a safe plant is a profitable plant --
MS. BIER: Yes.
MR. POWERS: -- that an economially run plant is a
well-run plant, things like that. I mean, they seem to say
MS. BIER: Yes.
MR. POWERS: There seems to be a -- a -- a
lot of attention to this.
MS. BIER: Jim, do you want to comment?
MR. JOOSTEN: Yes. Can I just make a quick
MS. BIER: Sure.
MR. JOOSTEN: When I -- when I looked at the U.K.
study, I -- I had -- approached it with the same sort of
skepticism, thinking that I would find a lot of hardware,
you know, cost-cutting, turning back maintenance intervals,
you know, skipping some frequencies, trying to -- just
plain -- you know.
What I actually found was just the opposite. And,
in fact, the -- the financial risks associated with shutting
down a reactor in the U.K. under the new competitive market
were much more intensified than they have been in the past,
because of the power contracts that they get into, which --
which put extreme penalties on a reactor that comes offline
unexpectedly. So their whole philosophy had shifted pretty
much toward reliability, with an emphasis on reliability.
So now in the U.K., the plant manager at Sizewell
(phonetic), for example, instructed his staff that they were
to take their time getting the plant back online -- this is
totally contrary to the way I was brought up at Zion --
MR. POWERS: At where?
MR. JOOSTEN: At Zion.
MR. JOOSTEN: You take your time to get the plant
back online to make sure the maintenance is done right,
because what's more important is once we enter into a
contract, that we are reliable on that contract. So that --
that was one emphasis. But coming back to Vicki's point --
MS. BIER: Yes.
MR. JOOSTEN: -- the -- the reason why it could be
more dramatic here in the United States is not because of
the hardware issue.
The utilities, I expect here, will also put the
money into reliability. You'll also see a reduction in
SCRAM rights. You'll see some improvement in -- in
hardware, which could bring the plant offline or -- or
Where you see the problem, as we saw in the U.K.,
is on the -- the human factors, the organizational aspects
of -- of safety. Now, there, you know, there was just a
general disorganization that took place on a -- on a massive
And what would happen here in the United States
in, you know, my rough estimation is is that you -- the
situation could be dramatically more complex, because there
is 3,200 electricity suppliers here. There was just the
CEGB over -- over there initially. You've got just a -- a
few power stations there. We've got, you know, 100 nuclear
So the -- the size of our system and the -- the
pace of change, which would happen here, would be far more
dramatic than what happened in the U.K. And I would expect
-- and the coordination amongst the regulators is -- is also
less. I think the attention to human factors issues is
So we're not proactively involved yet like the
British regulators were. So I -- I think that the chances
for a -- a -- an accident here, or not -- not necessarily an
accident, but -- for a safety impact here would be much
greater than, say, in the U.K.
MR. BONACA: Yes. One thing that -- if I may?
MS. BIER: Yes. Sure.
MR. BONACA: However, these parallels are being
made -- but there is a fundamental difference in nuclear, it
seems to me, with the dealing with standard costs.
I mean, if you were working for a power plant
until recently, the people really carry the burden in the
nuclear program of -- of invested costs, literally. They
felt a guilt of it, if nothing else. So I mean -- and
therefore, you had a squeeze coming in in trying to compete
with something that was given to you, that you had no
Now, with the dealing with standard cost, truly
the focus is operation and maintenance and -- and power
plants are more capable of -- of dealing with those specific
issues, you know.
I mean, so there are some things that I'm not sure
that parallels in Britain. I don't know if there are. If
there are parallels in the airline industry, I don't think
I think that, in general, however -- I think that
deregulation is bringing a more favorable economic
environment for the operators. I'm talking about the
utilities themselves alone --
MS. BIER: Yes.
MR. BONACA: -- just the operators at the nuclear
MS. BIER: Yes. I think I will jump ahead to my
conclusions and maybe come back to hit some other points, if
we have time. But I think if I were to say what I see as
the single biggest safety challenge associated with
deregulation, it is the change and the transition.
If you look at the number of management changes,
mergers, acquisitions, new management philosophies, even at
a plant that is not necessarily being sold, all of those
things create change and turbulence in the short term.
They may turn out to be good for safety in the
long run, if the plant gets bought by a company that has
greater nuclear expertise, or if economies of scale enable
them to have higher levels of safety expertise within the
company, for example.
But that in the short term, it creates a high
level of confusion where people at the plant may not for a
period of time know what process they need to go through to
get support from engineering, or what process they need to
go through to bring safety issues to senior management's
attention and get resources devoted to resolving them, if
they're suddenly dealing with a brand-new management team
that they haven't worked with before.
That management team is likely to be distracted
and focusing on coming up to speed with, you know, overall
plant operations and an unfamiliar plant.
And I think those kinds of transitional issues are
what I would consider to be probably the most serious safety
problems, not necessarily that deregulation will be bad for
safety in the long term.
MR. APOSTOLAKIS: Vicki?
MS. BIER: Yes.
MR. APOSTOLAKIS: This -- the -- the way you have
stated the lessons learned --
MS. BIER: Yes.
MR. APOSTOLAKIS: -- these are sort of general, a
general kind of way.
MS. BIER: Yes.
MR. APOSTOLAKIS: Now, do you plan to also give
some recommendations or suggestions as to what the NRC, in
fact, can do to contribute? It does -- you know, to say it
takes total commitment --
MS. BIER: Yes. Yes.
MR. APOSTOLAKIS: -- you know, this can be -- I
don't know what to do if you tell me that.
MS. BIER: Yes.
MR. APOSTOLAKIS: But what can a regulatory
agency, in fact, this regulatory agency, do to make sure
that the problems that you --
MR. POWERS: Or even more --
MR. APOSTOLAKIS: What?
MR. POWERS: Even -- even very specifically, can
we understand the problems that may exist within the
workforce, within the safety culture by looking at
performance indicators based on the hardware?
MS. BIER: Well, first of all, I want to preface
this by saying that I've been instructed that the NUREG that
I'm producing shall not include recommendations; but, yes, I
do plan to deliver some to the agency in any case. And so
I'm speaking for myself, not for the -- the official product
of this work.
But, yes, we do have some recommendations. I
think one of the most important ones, getting at your
question, is to revisit the performance oversight process
and ensure whether it is capturing organizational safety
culture kinds of impacts.
Given how important those have turned out to be,
that if we have a process that is predicated on assuming
it's going to capture those, we have to at the very minimum
demonstrate whether it is doing that or not.
And I think that there are other things that the
agency may want to do in the area of organizational culture.
One is just to collect greater baseline data on what kinds
of staffing levels, expertise, organizational structures the
licensees have now, so that it would be in a better position
to assess the safety significance of any changes.
MR. BARTON: That's pretty hard to do when you
take a -- a merger like Unicom (phonetic) and Peeco
MS. BIER: Oh, yes. Yes.
MS. BIER: Absolutely.
MR. APOSTOLAKIS: You're saying --
MS. BIER: Yes.
MR. APOSTOLAKIS: -- we should look at the
organizational culture and so on. I remember there was a
hearing in the Senate and the Commission was testifying.
MS. BIER: Yes.
MR. APOSTOLAKIS: And the chairman of the Senate
subcommittee thought that it was unheard of that a
regulatory agency would tell the licensees how to monitor
their facilities. And he asked, "Does the FAA tell Boeing
what to do?"
MS. BIER: Well, I think the answer to that is the
case that I'm the most familiar with at the Federal Railroad
Administration, no, they are not telling the regulated
parties how to manage. They are requiring that the
regulated parties demonstrate that they have a plan for how
they will manage safety.
And so it is not prescriptive, but it's proactive
in the sense of attempting to demonstrate safety before
changes are made instead of afterwards.
MR. APOSTOLAKIS: Comments?
MR. LEWIS: May I make a brief comment?
MR. APOSTOLAKIS: Yes.
MS. BIER: Yes.
MR. LEWIS: The reason why --
MR. APOSTOLAKIS: Your name?
MR. LEWIS: -- Vicki is not making recommendations
is because --
MR. APOSTOLAKIS: Paul, your name, Paul?
MR. LEWIS: Paul Lewis.
MR. LEWIS: This -- the contract is a grant. And
according to the contract rules, people with grants cannot
make recommendations. If we want a recommendation, then we
have a contract.
MR. LEWIS: If I can -- another comment. Maybe --
MR. APOSTOLAKIS: I -- it should be the other way
MR. APOSTOLAKIS: With grants, you're not supposed
MS. BIER: Speaking as a grantee -- yes.
MR. APOSTOLAKIS: -- to ask for anything specific,
right? You give them the -- the money, and they do the
MS. BIER: Yes.
MR. LEWIS: Would these two slides answer his
question about specific --
MR. APOSTOLAKIS: Is Vicki also not allowed to go
to conferences and present papers with recommendations?
MS. BIER: Oh, I am --
MR. LEWIS: With recommendations, I don't know.
MR. LEWIS: Is she -- I suppose if she states they
are her --
MS. BIER: Yes. I've -- yes, I've been told that
I can provide recommendations to the agency as long as they
are not in the NUREG --
PARTICIPANT: Personal -- if they're personal
MS. BIER: -- as long as they -- right. I can
write a personal letter to the agency with my
recommendations, but -- yes.
Another area that I think is very important to
look at as a recommendation is further study on the effects
of financial pressures; that, yes, deregulation is likely to
be financially beneficial for some plants, but it may not be
financially beneficially for all plants.
And if financial pressure is a leading indicator
of safety problems, which we've seen at least some
indication that it is or might be, that would seem like an
important thing to know and something that maybe the NRC
could devote more research budget to studying.
MR. APOSTOLAKIS: It seems to me the message is
clear that we really have to do something about this safety
culture business, and --
MS. BIER: Thank you.
MR. POWERS: My goodness, that's a shocking
conclusion for you to come to, George. I would never have
expected that of you.
MR. APOSTOLAKIS: I try to surprise you, Dana.
MR. POWERS: Gosh. It was just the power of this
-- these presentations that drove you to that decision
reluctantly, as it may have been.
MR. APOSTOLAKIS: I -- I was -- I was very
skeptical, when I came at 12:00 o'clock. I must say now,
you guys convinced me.
MS. BIER: Well, that's very flattering.
MR. APOSTOLAKIS: Anything else, Vicki?
MS. BIER: I think those are the major issues.
There are some other points, but --
MR. APOSTOLAKIS: Well, thank you very much for an
MS. BIER: Thank you.
MR. APOSTOLAKIS: And the next person is Isabelle
MR. PERSENSKY: I'm actually just here for the
MR. APOSTOLAKIS: What are --
MR. PERSENSKY: I'm here to put up the charts.
MR. APOSTOLAKIS: Do you feel now better, J.?
MR. PERSENSKY: Pardon?
MR. APOSTOLAKIS: Do you feel better that the 27
inches were put to rest?
MR. PERSENSKY: I would like to -- yes, I do feel
MR. APOSTOLAKIS: Good.
MS. SCHOENFELD: I'm Isabelle Schoenfeld. I work
in the Regulatory Effectiveness and Human Factors Branch.
I have worked at NRC in human factors for 15
years. The first four years I was in the NRR in -- in human
factors, doing reviews in human factors and participating in
inspections on training procedures, management organization,
safety culture issues.
And for the last eight years, I've been in
research, working in areas of training, human performance
evaluation, protocol, risk communication. I also serve on
the OECD Committee, CSNI Committee, extended task force on
MR. APOSTOLAKIS: And your training is in what
area? Did you say that?
MS. SCHOENFELD: I have a -- my masters is in
public administration with a specialty in management
MR. APOSTOLAKIS: Thank you.
MS. SCHOENFELD: I'm not going into -- talk about
the characteristics of safety culture. I see that Jack
Sorenson (phonetic) did a very good job of that in the
But I will remind people that the definition
that's generally used for safety culture comes from INSAG-4,
which is: Safety culture is that assembly of
characteristics and attitudes in organizations and
individuals which establishes that, as an overriding
priority, nuclear power plant safety issues receive the
attention warranted by their significance.
And in talking about activities in the
international arena, safety culture activities, I'm going to
briefly describe activities for the NEA, the Nuclear Energy
Agency's Committees on Safety of Nuclear Installations,
Committee on Nuclear Regulatory Activities, the NRA, the
International Atomic Energy Agency, IAEA, and some examples
from individual countries.
Regarding CNRA activities, the NEA established a
task force to advance discussion of how a regulatory
organization recognizes and addresses safety performance
problems that may stem from safety culture weaknesses.
And this resulted in a report entitled, "The Role
of the Nuclear Regulator in Promoting and Evaluating Safety
Culture," which was prepared by Dr. Tom Murley in June of
The report is meant to be the first in a series of
reports, which focuses on early signs of declining safety
performance and the role of the regulator in promoting and
evaluating safety culture.
It addresses the importance of safety culture to
nuclear safety, the role and attitude of the regulator in
promoting safety culture, the role of the regulator in
evaluating safety culture and regulatory response
strategies. A follow-up paper is currently in preparation.
Regarding the CSNI activities, there is a document
titled, "Research Strategies for Human Performance." And in
the area of organization safety culture, this document
called for a workshop on organizational performance, and
also calls for work that would be directed towards the
development of positive indicators for safe organizations.
If -- if and when that work is done, it should be
coordinated with the IAEA, since they have priority in the
safety culture area.
The workshop was held in Switzerland in June of
1998 -- here it says May, but it was June -- sponsored by
the Expanded Task Force on Human Factors. There were 28
participants from 12 countries, and they were from
regulatory bodies, utilities and research institutes.
They produced a state-of-the-art report titled,
"Identification, Assessment of Organizational Factors," in
One of the factors they addressed was
organizational culture, and it was defined as "the shared
assumptions, norms, values attitudes and perceptions of the
members of an organization."
Further, it states that "safety culture is an
aspect of the organizational culture where safety is a
critical factor in the norms, values, attitudes of every
employee throughout the organization."
In addition, CSNI has just recently undergone a
reorganization and the ETF on human factors has now become a
special expert group on human and organizational factors.
And it will report directly to the CSNI, instead of
reporting to a working group.
It will collaborate and respond to requests from
CNRA, the working groups on operating experience, and
working group on risk assessment in particular, and other
working groups of the CSNI. And it will be guided by the
Research, Strategies for Human Performance Document and the
CSNI's strategic plan.
The first meeting of this group will be held in
PARTICIPANT: And Isabelle will be our
MS. SCHOENFELD: The IAEA activities -- IAEA, of
course, does the bulk of the international work in this
area. They have an office devoted to safety culture. They
provide a variety of safety culture services to member
These services are either being given on continued
support during a long-term enhancement process, or they come
in for parts of the enhancement process as -- as needed.
They develop safety culture guidelines. There are
about half-a-dozen-plus reports just addressing -- just
addressing safety culture.
They provide peer review of an organization's
safety culture by an external group. They hold meetings on
safety culture self-assessment. And there is a draft
document based on a meeting that was held in June 1998.
There will be another meeting in 2000, and then a final
They've held workshops in the Eastern European
countries on the management of safety and safety culture.
And they've convened an IAEA working group, which was
comprised of senior representatives of utilities and -- and
-- and senior representatives from -- regulators from
Canada, the United States, Sweden, and IAEA agency staff.
They produced a paper on shortcomings in safety management
symptoms, causes and recovery in 1998.
The senior representatives of the utilities and
regulators from Canada, the United States, Sweden and the
IAEA discussed common factors from recent cases involving
safety management problems, and subsequent recovery
processes, with a view to determining the need for further
work to help prevent such difficulties in the future.
An item of commonality that they've identified in
their report was a need to carefully monitor the change in
safety culture as changes were taking place.
This was deemed necessary in order to ensure the safety
management changes were driving the culture in the right
direction; that is, towards a learning organization and away
from a command/control type.
The working group had six action items for IAEA.
The first was to develop guidelines describing the processes
that could be used by senior corporate management of nuclear
facilities, for early recognition of shortcomings and
degradation of -- in safety management.
Two, develop qualitative and quantitative
performance indicators for senior utility management to
enable them to discern and react to shortcomings and early
deterioration in the performance of safety management;
three, develop guidance for regulatory bodies on how to
detect shortcomings and early signs of degradation; augment
the existing operational safety services, or develop a new
service, which will assess the effectiveness of management
processes used by senior management; prepare documentations
on lessons learned through case studies and the early
recognition of and recovery from degraded performance; and
organize workshops for senior utility management and senior
regulators on that.
Several IAEA activities related to these six
actions are listed on this next couple of slides. I wanted
to go through it. I hope to bring the schedule back on
MR. APOSTOLAKIS: So these -- these are tools that
are available now or --
MS. SCHOENFELD: Some of them are. Some of them
are in -- being developed.
MR. APOSTOLAKIS: OSCART and SCART?
MS. SCHOENFELD: Regarding other countries' safety
culture programs --
MR. APOSTOLAKIS: Excuse me. Who -- who -- I
understand that you are our representative on the CSNI
MS. SCHOENFELD: Yes.
MR. APOSTOLAKIS: The IAEA, do we have anybody, or
they do --
MS. SCHOENFELD: Well, they bring in experts as
MR. APOSTOLAKIS: As needed.
MS. SCHOENFELD: They're not a continuant.
And the working group of senior regulators, Bill Travers
served on that working group.
MR. APOSTOLAKIS: Okay. Now, then, I assume that
INSAG has the overall responsibility, or is it out of their
MS. SCHOENFELD: I'm sorry. Who?
MR. APOSTOLAKIS: The International Nuclear Safety
Advisory Group that came up with the idea of safety culture
MS. SCHOENFELD: Yes.
MR. APOSTOLAKIS: -- are they still in charge, or
MS. SCHOENFELD: Yes. They are -- those are the
people who have these -- the responsibility to develop these
MR. APOSTOLAKIS: Do you remember who they are
MS. SCHOENFELD: Shurston Dahlgren (phonetic)
heads the group in safety culture.
MR. APOSTOLAKIS: Oh, okay. Well, she's not a
member of INSAG.
PARTICIPANT: She's not a member of INSAG.
MS. SCHOENFELD: She -- no. The IAEA safety
culture group. I don't know the member of the INSAG.
MR. APOSTOLAKIS: Okay.
MS. SCHOENFELD: Regarding other countries' safety
culture activities, they fall into several areas, including
regularly scheduled safety culture audits; developing models
of organizational performance, which will include safety
culture; developing and investigating safety culture aspects
of deteriorating performance and events; safety culture
The next four slides provide some examples of
these activities. This information was primarily derived
from an informal survey that I conducted with my colleagues
on the expanded task force. So --
MR. APOSTOLAKIS: I see on page nine, you stop at
the U.K. There is no page ten with the U.S.A.
MS. SCHOENFELD: No.
PARTICIPANT: No. I don't think it's important.
MS. SCHOENFELD: And that concludes my
presentation. If there are any questions --
MR. APOSTOLAKIS: Very good. Thank you very much.
We still have presentations, don't we?
PARTICIPANT: Right. Dave -- Dave Trimble,
MR. APOSTOLAKIS: Yes.
PARTICIPANT: He has promised to be first. And
then J. has just two slides. And then you wanted
time to --
MR. APOSTOLAKIS: Yes. I would like to go around
the table here and get views and -- you will be around?
PARTICIPANT: I can stay as long as you'd like,
but tell me when you can let some of our guests run to the
MR. APOSTOLAKIS: Oh, I -- I think for our
deliberations here, we really need you, but your contractors
can leave, unless they -- they're anxious to find out what
the members think.
PARTICIPANT: I'll be here.
MR. APOSTOLAKIS: I -- I suggest that we finish
everything, with all the presentations by 5:00. So we'll
start going around the table -- okay.
So those who have to catch planes, you are free to
MR. TRIMBLE: Yes. I'm -- I'm Dave Trimble, the
chief of the operator licensing and human performance
section over in NRR. And I have no trouble keeping this
presentation very short.
We -- my background is more of an operational
background, Navy nuclear training supervisor in utility, NRC
resident -- senior resident inspector, and commissioner's
assistant in -- in -- here in this job.
I just wanted to make a couple introductory
comments. We talked about the fatigue issue. I just want
to give a -- a characterization of that, that we -- we
are -- we have two things before us. One, we have a
proposed rulemaking that was submitted by Mr. Quigley that
we're evaluating between now and the December time frame.
And we're also looking at a -- a task that the
Commission gave us which was to reevaluate the -- the
fatigue which, as you well know, went to overtime hours.
MR. BARTON: This rule-making is different than
the one that exists out there now with respect to limiting
the hours that you can work?
MR. TRIMBLE: The proposed rule-making that you
are talking about?
MR. BARTON: Yes.
MR. TRIMBLE: The control -- I guess I would
characterize that, and Dr. DeSaulniers is here today to give
more detail, but, Mr. Quigley's proposal, in large measure,
it does take the current policy guideline values and puts it
into rule format. It makes it mandatory for --
MR. BARTON: It takes the guidelines and makes
MR. TRIMBLE: Yes. It goes beyond it in a couple
of areas, too, like additional training for people, but that
is principally where it is from. The second area I wanted
to touch upon is -- Jack, I think, characterized the user
need that NRR anticipates sending over, and has been
But my understanding of that is it is up to the
last step in there of the office rector, and that should be
taking place here shortly. Our goal here is to talk about
the asterisked items here.
The other items on the slide are pretty much items
that you are familiar with that are ongoing activities. We
thought you would be more interested in the four asterisked
items. And I would like to have Dick Eckenrode, senior
human factors engineer, present those to you.
MR. ECKENRODE: Hi. I am Dick Eckenrode from the
Operative Licensing Human Factors and Plant Support Branch.
That is even bigger than yours. It has been named many
things over the years.
My background is: Actually, I am an aeronautical
engineer. How I got here is a long story, but I have been
40 years in the Human Factors Applications business. I
primarily try and stay out of research, but I've applied
Human Factors principles for over 40 years now. The first
one we want to talk about -- first of all, these activities
here, the one, Fatigue Policy, we will give you a few more
things on that, but the other three are really connected.
So, we are going to do it in a slightly different
order. We will put the fatigue one up first. In February
of 1999, we received a letter from Congressmen Markey,
Dingell, and Klink requesting information on staffing and
the use of overtime. That is the first item on there.
The second one, of course, is the request for
proposed rule-making that you just heard about. And that
has been -- they basically asked for a clear and enforceable
policy on working hours.
MR. BARTON: If I take that new regulation which
is going to basically take the guideline and make it a
regulation, and Inspector finds a utility violates that in
that one of the licensed operators worked more than he was
supposed to by the regulation, and he applies the
significant determination process to that, and it is a "No,
never mind," it is a 10 to the minus 12, CDF, what the hell
have we done?
MR. ECKENRODE: Nothing.
MR. BARTON: That is progress.
MR. ECKENRODE: That is if it was to become a
regulation. We know that the Commission's policy has
weaknesses. First of all, it is designed for an eight-hour
working period. And many of the plants are now in 12 hours.
So it is really not being considered here.
It is not responsive to risk insights. And a lot
of the key terms in it are undefined, such as routine, heavy
use of overtime, unusual circumstances. There is a lot of
-- several other ones in there. Temporary basis, I think is
used. So, that is the other area. There are weaknesses we
You heard that we had a stakeholders meeting a
couple of weeks ago to get issues out. Basically, that was
all of the support to air the issues, get them out in the
open. It was -- I think you heard, NEI and NPO, PROS, UCS,
and the rule-making petitioner were all there.
Based on that, we have about four options. Other
than doing nothing, that is, we have four options. One is
to revise the policy. Second one is to provide guidance to
Part 26, which is the fitness for duty rule. Third one is
to develop an industry standard, and the fourth one is the
We have not, at this point in time, decided on any
of these. It is basically much too early in the process to
do any of this.
MR. BARTON: What would you do in the fitness for
duty rule? It now, I believe, requires, you know,
You know, people work in a continuous observation
program and you look for alcohol, fatigue, drugs, and all
these kinds of things, attention to duty. So that is
already in the rule, is it not?
MR. ECKENRODE: That is correct.
MR. BARTON: Well, what would be different in Part
MR. ECKENRODE: Well, that is the Part 26 rule.
MR. BARTON: Yes, I know. Well, the option is to
provide more guidance in Part 26.
MR. ECKENRODE: Probably primarily a regulation
guide. Words in Part 26 I have here, as a matter of fact,
it says, "Must provide reasonable assurance that nuclear
power plant personnel are not under the influence of any
substance, legal or illegal, or mentally, or physically
impaired for any cause."
And the second part of it is, "Licensee policy
should also address other factors that could affect fitness
for duty such as mental stress, fatigue, and illness."
Those are the words that are in Part 26 now.
MR. BARTON: Right. Sounds like it is all there.
MR. ECKENRODE: Dale, would you like to discuss
MR. TRIMBLE: We are going to have Dr. DeSaulniers
come up and --
MR. DESAULNIERS: I am David DeSaulniers, also a
member of the Operator Licensing Human Performance and Plant
Support Branch and technically on the fatigue policy, and
contact for the petition for the rule-making.
I believe your question was, "What will we do in
the area of providing additional guidance with respect to
Part 26?" Again, as Dick Eckenrode indicated, we are very
early on in the process. So, there is no actual proposal in
place for us.
Specifically, what we could consider doing is
providing a guidance document that would describe guidelines
for a fatigue management program. We could conceive that
program having basic elements of activities that would
prevent fatigue which may be in line with working out
guidelines, activities that would detect fatigue
accordingly, so that we would have a behavioral observation
Whether or not that is adequate to address
fatigue, would have to be addressed. And activities that
licensee could engage in to address mitigation of the
effects of an impaired -- fatigue-impaired personnel on
plant safety by perhaps adding independent review of work
that is being performed by individuals that would be
suspected of being at high risk.
If you have individuals working a significant
amount of overtime, you could perhaps put in other factors
to ensure that either they do not work on safety related
equipment, or that they have additional management controls
to ensure that the work is done properly.
Again, that is just initial thoughts. Nothing has
been -- there is no developed proposal on a particular
regulation guide at this point.
MR. BARTON: Thank you.
MR. ECKENRODE: The other three areas on the
former slide are -- are kind of connected together here in a
Human performance in reactor oversight process:
First of all, there is an assumption that was alluded to by
Jack here that effects of human performance on plant safety
will largely be reflected in the performance indicator and
the inspection findings.
As you are aware, there is concern that that
assumption may or may not be true, that we want to look at
the possibility of other things. So we decided to take a
two-pronged effort here.
One is to provide research for the user need that
would look into operating experience, and past human
performance analyses, and risk analyses that have all been
done. They ask for work that has been done and see if they
cannot come up with an answer to the question.
The second part is that we would like to use our
HFIS, our Human Factors Information System, go in and look
at, first of all, look for about 18 months or so a new
program, the new inspection program. You understand, of
course -- I think you are familiar with HFIS.
It looks at inspection reports, and LERs, and gets
the human performance data out of them. We hope to use this
in the new process with the new inspection procedures, and
do it again.
If there is enough data still left in the
inspection findings, we hope to compare it then to the last
four or five years of historical data to see if we cannot
determine whether these inspection findings and performance
indicators do reflect the human performance problems.
We have -- first of all, the inspection process
now has a series of -- there are baseline procedures. There
are supplemental procedures. And when I say supplemental,
basically, the supplemental ones are based on one or two
white inputs, if you know what the colors are.
The second one is based on one degraded
cornerstone, two white inputs, or a yellow input. And that
is where this human performance inspection procedure would
fit as a supplemental to that.
If they find that the area -- if they find human
performance problems in one of these supplemental
procedures, inspections, they might want to go into this
detail of human performance one that we have been
I cannot really tell you too much about it right
now because it is out for comment at the moment in the
regions. I will give you -- the next slide gives you a
little bit of indication of what is included in it, and it
is just about everything you can think about in human
It does ask questions in all these areas which is
the standard human factors type areas to look at.
Basically, it looks at the corrective action programs. It
goes in and says, "Where is the problem? What is the
problem? And, how did the utility go about correcting it?"
It is looking at their process for correcting all these
MR. BARTON: Correcting human performance
MR. ECKENRODE: Yes. The last part of the thing,
we have been asked to attempt to put together a significance
determination process for human performance. This is in
case the research and so forth does try to tell us that the
performance indicators do not do the job, or the current SDP
does not do the job.
And, frankly, the current SDP does not look at
human performance areas. So we have looked at the -- for a
-- try to develop now a significance determination process
in these six functional areas which cover just about
everything that we think we need to do.
It also looks at it in all the usual human factors
areas, right there. It is based on several premises. The
one that we are trying to develop now, the first premise --
and I will read it to you because I think it is important --
is every human action requires information to initiate the
action and control capability to accomplish the action.
We believe that this will cover all the human
performance activities that are going to come up in the
The second premise is that no information or
control capability is better than incorrect information or
control capability. This is beginning to give us a little
bit of information on significance.
And the third premise, anything less than a
complete failure to perform an action may not be as
risk-significant as a complete failure. And this is going
to require a little work that we have not gotten into yet.
And finally, we are trying to use the accepted
risk guidance that is out there. We are using the approach
of -- in Regulatory Guide 1.174, using probabilistic
risk-informed decisions based on plant-specific changes in
the licensing basis.
And finally, we are going to be using the
information from the Brookhaven preliminary report right now
on the guidance for review of changes in risk-important
human actions. And of that, what we are really doing is
using the generic tasks they have defined, or that they have
They have them identified in two categories. One
is what is considered high risk area, and the other is
potential risk area. I think you are familiar with those
two. I believe you have the reports there. We are using
that information to help define a level of significance.
And it is going to depend an awful lot on
plant-specific IPEs, I think, and PRAs to give us any
further definition beyond that. And that is the things that
we are doing in the NRR right now that are new.
Are there any questions?
MR. APOSTOLAKIS: Thank you. Oh, I am sorry.
MR. SIEBER: Your third premise, is there analysis
that backs up that statement?
MR. ECKENRODE: Well, no. It basically says it
may be less risk significant. All we are doing is
identifying the fact that there may be a different kind of
Time considerations, for instance. You know, the
task may be done, completed, but it may be untimely. And
that may or may not be risk significant. We do not know
yet. But all we are trying to do is indicate the fact that
there could be that condition.
MR. APOSTOLAKIS: Anything else?
Thank you very much. I understand there is one
more short presentation.
MR. PERSENSKY: I am going to use one slide. If
you go back to your original package of slides, page 16,
Jack's slide. Really, when you look at the program as it is
described -- by the way, I am J. Persensky. I work at the
office of Research.
MR. APOSTOLAKIS: We know you. You have done this
MR. PERSENSKY: I have done this several times
If you look at the table that is in the back of
the program, at the very end of the program document, the
SECY, you will note that except for those things that are
called "Continuing," everything ends in 2001.
If you look at the resources section of the SECY,
you will also see that the budget is pretty thin after this
year. Part of the reason for that is because we do not have
the user need yet. Once we have the user need, things may
open up in that area.
But, what is going on right now is one of the
things we said in the future activity is that we are going
to meet with you and continue to interface with the ACRS.
The other is the budget prioritization process.
There is not a prioritization process in this
program because each of the offices has their own
prioritization process for the budget, and that determines
the way things are going to work. That is an ongoing
process right now.
In fact, while we were sitting here, one of the
people came in and ask questions of Jack on some priority
issues within this. The other is we are going to finish up
the work at INEEL for the ASP work.
But probably the biggest thing that I would like
to talk about is the fact that we have a lot of information.
You have been dumped -- a lot of it has been dumped on you
today. We have more, in fact, risk information, what is
going on in other places, what is going on internationally,
user needs, changes in the process.
We are proposing that we have a peer review
workshop where we bring together people from the human
factors community, from the reliability community, from the
industry, from various other agencies that are working on
problems such as this, and say, "Okay. Let us go through
this," and as really a working group of trying to assimilate
data and the information that we have.
From that, take issues such as the question of
Lake Nair (phonetic). Okay. We have identified Lake Nair,
but we have not identified what to do about it. What can we
do? Is it a research issue? Is it a regulatory issue? Is
it really an issue from a PRA perspective?
So, those are the kinds of things we want to
address and we want to bring together. For instance, we
bring Jim Reason in on that part to discuss the Lake Nair
issues. So, that is the next big step.
We do have funding for that in this fiscal year.
And out of that, we would expect to come a further version
of this that has more detail for future work.
In addition to that, of course, the continued work
in international cooperation as Isabelle talked about, the
CSNI, our continued work with IAEA. Halden is -- we have
renewed the contract with them for the next three years
which really means a lot of interaction with 21 other
countries. It is not just the Halden project itself.
And a number of us are involved with standard
groups like IEEE, ANS, ASME, and so we bring together --
bring in information from these groups, as well. And we
hope that eventually we can hold together a longer term
program based on these interactions.
The only other slide was just the slide from the
table that had the schedule information on it.
So, with that, the presentation is done. We are,
in fact, seeking a letter of support for the program.
MR. ROSENTHAL: Yes, while the transcript is
going, I have to make it very clear. We do -- there was a
lot of discussion on safety culture, in one manner or shape
The staff does work for the Commission, and we are
not doing research in safety culture. And, in fact, in the
paper, the attachment page four, we very clearly say that
there was Commission direction --
MR. ECKENRODE: Yes.
MR. ROSENTHAL: -- in 1998, that we not do
research, And we are following the Commission.
MR. BARTON: So you are doing work on safety
culture without research.
MR. ROSENTHAL: We are not spending money doing
research. We're following what's going on overseas. And if
we believe that we have to pursue it, we will not -- we're
not going to go around it. We would go back to the
MR. BARTON: Sure.
MR. ROSENTHAL: I just needed that on the
MR. APOSTOLAKIS: I guess the questions in front
of us are three questions which I will pose to the members.
First question is: What is your overall
assessment of what we heard today? The second is: What
should we present to the full Committee at the April
meeting, or have the staff present, because clearly we
cannot have all the four hours of presentation?
And the last one is whether we should write the
So, who wants to go first? Dana, are you ready?
MR. POWERS: Yes, I guess I will comment a little
bit. His first question addresses what should be presented,
and the only thing that I am not sure about is: What are we
going to write a letter on? I have a feeling that the only
thing that is useful to present to the full committee is the
material that Jack and, at the end, J. Persensky --
MR. BARTON: Initial package of slides?
MR. POWERS: Yes, the initial package of slides.
Most of the other material, I think, was educational for the
subcommittee, but I am not sure that I want to belabor the
entire committee with that.
MR. BONACA: How much time do we have, by the way?
PARTICIPANT: One hour.
MR. BONACA: One hour, okay.
PARTICIPANT: That might not be enough for all of
MR. POWERS: Yes, they may need some pruning and
what not, but I think we are going to have to
understand -- the Committee as a whole is going to have to
understand what to write a letter about.
The disappointments that I have in what was
presented here is it boils down to what I didn't see. I see
the Commission launching a new effort for planned assessment
and inspection in which they have stated, "Yes, there are
these cross-cutting issues, some of which involve human
And they have assumed that the set of PIs and
baseline inspections that they have will reveal any
degradation of human performance fast enough that
corrections can be made before that degradation becomes
catastrophic. And that is fine. I mean, you have to make
assumptions on something here.
But when you make an assumption that profound, I
think that there should be launched an immediate effort to
go out and see if you validate that assumption. And I just
did not see anything in here that was directed into that
MR. APOSTOLAKIS: Except the last presentation of
MR. BARTON: David Tremble's presentation.
MR. APOSTOLAKIS: One or the other.
MR. POWERS: Look, this is a profound assumption
that they are making. They have got kind of a pilot program
going on that goes on way too short of a time to validate
that assumption. I think you have got to get on that. And
if that is wrong, it has some real ramifications on the new
The other thing that I think you have asked for a
lot, is we did not see someone standing up here and saying,
"What this agency needs is the capability to do PRAs with
this accuracy. And to do that, we have to be able to do the
human reliability and human error analysis to this
What I think I learned today was that that was too
simplistic of a question for us to pose. It is more
complicated than that. And I appreciate that information,
but I think that core need is not only what the Committee is
missing, but what the Commission is missing.
Somebody is saying, "I have got to be able to do
my human error analysis this accurately, or this well, or
cover these kinds of topics. And I cannot do that now. And
I can do that if I do this kind of research."
And I just do not see that kind of clear
indication of what it is that the Commission should be
supporting to carry out its mission as it is stated in its
strategic plan, and intimated in a lot of its actions. I
guess those are my two comments.
MR. APOSTOLAKIS: Are you in favor of writing a
MR. POWERS: I am not wild about writing a letter
that is negative. And if I can re-examine the material and
come back supportive, then yes, I want to write a letter.
But, if I have to write a letter that says, "Gee, I think
there is something that is really missing here," I do not
want to write that.
MR. APOSTOLAKIS: Okay.
MR. BONACA: I am in favor of writing a letter
mostly because there is a program. I share your
perspective, but I think that the program has the right
elements and the right applications. I think we have to say
One thing that strikes me, however, is we have a
report from INEEL, and I hope that some of the information
is provided in the early presentation that tells us -- what
we really probably knew from reading LERs and things like
this -- how dominant is human performance on vulnerability
and initiators, too.
And yet, we are still focusing entirely on
equipment in our program now. Let me go just a step
further. Let me give you an example of what I mean by that.
When we look at the oversight process, we are
going to count the number of initiating events, or
initiators. We are going to look at the mitigating system
failures. Now the licensees go a step beyond that. They
have root causes, and they identify where there is human
failure that is causing, in fact, the mitigating system
Why could we not ask the licensees to provide this
information and to be the beginning of a human reliability
assessment? Again, if you do not count necessarily, and you
do not assign a number in the PI, there is information out
there that could be derived even through the assessment
process right now, rather than stopping simply at a
headcount, you know, three trips, X number of mitigating
This information is right there. The licensees
evaluate them through the system. And we could have
immediately some feedback to the human reliability. And let
us not call it, you know, culture because culture is
something a little more vast and vague, and so let us --
MR. APOSTOLAKIS: Well, what is it the licensees
should provide, the --
MR. BARTON: HPES Data, I think that is what they
PARTICIPANT: HPES, Human Performance Evaluation
MR. BONACA: For the number of failures that they
provide. I mean, just as an example, George, that I would
like to maybe give in the letter, is there is information
here that is at our fingertips.
We can get it, and better ways exist, but it still
is not reflected in the regulation, in the processes. And I
think that, you know, there are ways in which it can become
available and used even in the short term.
On the significant examination process, I need to
ask a question of whether or not that is going to be risk
informed. And if it is, still the issue we will have to
address is: Are we going to look only the individual
events, or are we going to look at processes and how they
are affected by repeats of the same? Again, it is an
indication of human performance.
Again, going back, I would recommend that -- I
would lean towards having a letter and trying to bring in
some thoughts about how to use the information that is at
our fingertips and has not been sufficiently utilized.
I will add just one more thing. We have now a
presentation also, coming to us on a different subject which
has to do with the risk based analysis on reactor
performance. It is another area where we made the same
comments in December that it is a wealth of information.
Okay? Data, actual data, that has not been sufficiently
utilized, advertised, and distributed.
MR. APOSTOLAKIS: I thought the last letter, also,
on the oversight process made a good point.
MR. BONACA: I wonder if we should -- we could
MR. BARTON: Tie it together?
MR. BONACA: Tie them together.
MR. APOSTOLAKIS: Okay. You agree, I assume, with
Dana's suggestion that you guys, Jack and J., presented
here, with some pruning, should be okay.
MR. DUDLEY: I thought I also heard a
recommendation that there be at least the results of the
MR. BARTON: Yes, but I thought there were.
MR. APOSTOLAKIS: To what, present them?
MR. DUDLEY: Yes.
MR. APOSTOLAKIS: INEEL has not finished -- has
not finished. It's not finished. Maybe we could insert a
couple of --
PARTICIPANT: Have two summary slides and just --
PARTICIPANT: A summary --
MR. APOSTOLAKIS: And I do not know whether you
want these guys here. It is up to you. We do not interfere
in management decisions.
MR. DUDLEY: Well stated, George.
MR. APOSTOLAKIS: Mr. Sieber.
MR. SIEBER: Right off the bat, I agree with Dr.
Powers and Dr. Bonaca that we ought to have a presentation.
It ought to concentrate on Jack's information.
The thought that comes to mind is that none of
this is new. This Human Performance Evaluation System was
around at least 15 years or maybe more, and it came about
because people when they looked at LERs, saw the trend away
from design deficiencies, and equipment failures causing
events at plants to the point where at least half of them
were caused by human performance failures.
And that is why the number 50 percent feels
comfortable to me because I have seen that number different
places. Now to me, that is risk significant, and to do very
little in the way of evaluating the risk of human
performance problems for doing something to regulate human
performance and behavior, I think ignores some
responsibility that the NRC has toward protecting the public
health and safety.
And perhaps there is a way to weave that kind of a
thought into the introduction to a letter. But to me, I
think that is an impressive number, and I think something
needs to be done, but you cannot do anything until you
quantify it. You cannot quantify it until you have the
analysis technique, and the PRA to do it. And you have to
build that on some kind of a base.
And Dr. Bonaca's idea, I think, is a pretty good
one, provided the licensees will give it to you. And if you
cannot get it, it will be very difficult for the staff to
get that on their own. And so, when I would write a letter,
I would write it to bring that thought forward, that there
is a significant risk.
And the Human Performance Research and tool
development ought to continue because it is probably almost
as significant as the other causes of events in the power
MR. BONACA: Also, the 50 percent which is human
performance regulation, are most insidious because they come
from true random events that may happen out there.
I mean, the others which are equipment related,
you really have an understanding coming from experience and
sort of -- those kind of career performance are totally
insidious because you do not know what happened. Did
somebody do something absolutely unexpected? And here you
have a failure.
MR. SIEBER: Okay. So my letter really would be
positive and supportive of continuing efforts. In fact,
expanding those in light of the risk contribution that this
MR. APOSTOLAKIS: Mr. Barton.
MR. BARTON: Yes, Dr. Apostolakis.
MR. APOSTOLAKIS: I am ready to take notes.
MR. BARTON: Well, I think we got -- we've dumped
a lot of data today. I thought that the overall
presentations were very well done, and well thought out, and
a lot of data, having to sort all of that out just to -- you
know, what I think we would like to hear.
Dana's made it clear of what we want to hear in
the April meeting. I would add one thing to it. I think
some of the criticism we have had on the oversight process
and the SDP, I think what I would like to hear in addition
to Jack and J.'s slides is some more on the planned
activities, the NRR's activities in human performance and
getting the inspection procedure out, and tested, and when
all that might happen. I think that is key to getting that
up and working in the new oversight process.
What I would like to see in the letter: I have
not made up my mind whether it is a negative or a positive.
So I am kind of neutral on the letter, but I think we need
-- I would say write a letter based on -- you
have got input from three people on what might be included.
And I would add to that the need to stress the
work that is going on in safety culture, even though nobody
likes to hear it, and does not want to spend research on it,
I think we have to keep prodding that and saying we think it
is important, and why it is important.
MR. POWER: I wonder if we would be wasting our
powder on that rather than waiting until our senior fellow
comes back with his report on safety and culture.
MR. APOSTOLAKIS: I wanted to raise that issue. I
will raise it in the morning.
Anything else, John?
MR. BARTON: Yes, I guess the other uneasiness I
have is I heard so much, but I do not know what kind of
product I get when --
MR. APOSTOLAKIS: Closure.
MR. BARTON: Closure, yes.
MR. SIEBER: I think there is something new
happening in this area all the time. It is almost like
MR. POWERS: Yes, but you can still use
MR. SIEBER: The regulations are refined enough.
We do not need to --
PARTICIPANT: But human performance --
PARTICIPANT: That's right.
PARTICIPANT: It's --
MR. POWERS: When is something going to come out
that the licensees can use or agency can use?
MR. SIEBER: Well, we ought to define what closure
MR. POWERS: I think what I really learned today
is, and why it was useful to sit in here, I conceived of
having a nice crisp package that says, okay, "Here is a tool
you can use. It is up to date."
And I guess I have learned that it's really a lot
more complicated than that. And it requires more thought on
But on the other hand, I did not see that thought
coming through that said, "Okay. Here is the package. We
are going to give them to you," that takes into account all
of this --
MR. APOSTOLAKIS: Maybe Jack can address that when
MR. POWERS: Now maybe the situation is what J.
said at the last, is they have got this tidal wave coming in
at them, and maybe they have not sorted it out. And if that
is the case, then I am reluctant to write a letter until
they have had a chance to sort it out.
MR. APOSTOLAKIS: Okay. John.
MR. BARTON: That is it.
MR. APOSTOLAKIS: Well, I wanted to raise the
issue of sorts of work that Dana started talking about. It
seems to me that what we have here is two issues that
perhaps we should keep separate.
I think we need to really send a strong message to
the Commission that neglecting this safety culture issue,
with all that it entails, is really a major oversight, a
little bit like -- I think Jack Sieber used that word.
And I am not sure that this is the right forum --
the right opportunity for us to do this because this will
overwhelm the program that the staff has entered today.
Now I understand that, Jack, you are scheduled to
make a presentation to the Committee sometime in the next
two or three months.
MR. SORENSEN: I am not aware of the schedule.
MR. APOSTOLAKIS: Well, maybe we as a subcommittee
can recommend that we move up --
MR. POWERS: You as the person in charge of
activities, the fellow, can make all the recommendations you
MR. APOSTOLAKIS: A recommendation will be
MR. APOSTOLAKIS: But I would really keep the two
separate. I would propose that we write the letter now,
that touches a little bit on the safety culture issue that
says we will address it in the next two months or something,
in a more detailed fashion, and focus on the program that
the staff presented today.
And given our previous letters, I would be
positive with some recommendations for improvements, because
I am positive. I do think that the staff now is on top of
You can always ask, "When am I going to get the
product?" Well, fine. That is a suggestion to them to work
on and improve the thing. This is a monumental effort here.
Surely, we did not expect them to come with a perfect
product today, but I do want to be positive and encouraging.
I think they need it.
And I leave the ground attack on safety culture
and so on for a separate letter so that this will not be
Now, in a series of suggestions I say would be
very reasonable to make and you already gave me several, and
I am sure that others will come up as we discuss the letter.
But I think the overall approach -- let us not
lose sight of the fact that I think today I did not see
anyone getting upset in four hours. I did not see anyone
dismissing what was being presented, unlike other times.
So it seems to me that the staff finally has
gotten a plan that -- with some improvements, will lead
somewhere. And I agree with Jack, I mean, we should stop
doing this every six months. I mean, they can use the
resources doing something else.
MR. BONACA: The other thing I would like to point
out: We can say something about human reliability without
saying something about safety culture.
Safety culture is pretty more undefined right now,
and complex issue that invokes -- involves all kinds of
other things, and that is why probably the Commission is
reluctant to tackle it, because it really has not been
defined. It involves all kinds of management
considerations, cost consideration.
Human reliability, per se, is purely one of the
root causes of failures out there. And so we can address it
in the context, recognizing it brings a lot of other
information coming, it is very valuable. It is a great
effort, and should be continued, and it may lead to
improvements in the oversight system.
MR. APOSTOLAKIS: I would not be completely silent
on the safety culture because it seems to me you --
MR. BONACA: No, I am not saying to be silent.
All I am saying is that you do not have to make such a leap
from what we heard today about --
MR. POWERS: What I think we will be able to do
that the Commission probably has never seen is when a fellow
comes back and reports, we are going to be able to see a
couple of things, I think.
I do not want to prejudge his report, though I
have read the draft version of it. It looks like we are
going to be able to see that it is possible to quantify the
effects of safety culture, and that the data exists out
there. And I think that is something that I do not think
that the Commission really has been apprized of well, that
it is not in a more feel-good type of field in its entirety.
There is a strong element of that, but there are
some guys that have actually tried to quantify things and
The other thing is I think we are going to be able
to tell them there is an optimum in the regulation of safety
culture, that there is clear-cut evidence that if you
over-regulate, safety cultures decay. As you drop back in
the regulation, safety cultures improve. I think that is a
concept that was certainly new to me.
And I guess I share with Jack, that it is a
suggestion right now, maybe not definitively provable, but
it looks very plausible. And it would be one that would be
interesting to pursue.
MR. APOSTOLAKIS: But you are not suggesting that
they do that.
MR. POWERS: No, no. I think we have to wait.
That is why I do not want to cue our shot. I would like to
go in there full force on this thing because I share with
you this uneasiness when I see the whole world looking at
safety culture, and this stands at the poll for reasons that
I think are largely nomenclature.
MR. APOSTOLAKIS: And misunderstanding of what we
are talking about.
MR. APOSTOLAKIS: I think that one of the speakers
-- and I do not remember who it was -- the issue of safety
management is not attractive in our business in this
country, the attention it deserves as it has in another
countries. We are still too much hardware oriented.
And I see it again with DOE announcements, with
NERI, the Nuclear Energy Research Initiative, and so on,
where there were some hints by some workers that maybe we
should look at management of safety and so on. No; the
answer was a resounding no.
Develop new designs, that is how you are going to
convince the public that nuclear power is safe. So there is
an intrinsic mind-set there which I think we should start
attacking because I think it is not right.
So we can wait on that one until our senior fellow
stands up there in defense of this.
I think I got all the information I need and the
input from you. We will have a presentation by Jack and
whoever else he wants, and J., with some maybe cutting out a
few of the views you have now, but adding others as you see
fit, especially from INEEL, and then maybe summarize our
discussions today to the full Committee. And I will then
draft a letter and come with a draft in April. Okay.
MR. PERSENSKY: George, I asked you to put off
your specific comments on the Commission paper earlier
MR. APOSTOLAKIS: On the Commission paper.
MR. PERSENSKY: Yes, you said that you --
MR. APOSTOLAKIS: Yes, I am so tired now.
MR. PERSENSKY: Okay. Well, it worked --
MR. APOSTOLAKIS: I am really -- I will tell you,
on page two -- on -- which page two is this, because there
are two page twos? Page two of the Human Performance
Program. If I had to prioritize my concerns, the second
full paragraph that says, "Sensitivity studies also
MR. PERSENSKY: Yes.
MR. APOSTOLAKIS: I do not like the sensitivity
studies. I mean to say that, you know, small changes in the
human error probability, factors of three to ten times, that
small? And on what basis?
I mean, we are trying to get away from these other
various sensitivity studies. And then it says, "Changes in
AGPs, 29 times up or down." Now why would anyone change the
AGP 29 times up or down to see what the input is on the CDF?
And I want to know how many in the room think that
there would not be a significant impact on the CDF if you
change the human error probability 29 times? I think this
product does not do justice to the rest of the program. It
And maybe you can rephrase it a little bit to say
the sensitivity studies -- but my goodness, 29 times without
And then another one I had was on page four, just
the short paragraph above the new heading, "Based on
permission and direction, there is currently no research
being done." If evidence is starting to suggest that the
agency should more specifically address safety culture, the
staff should bring the issue to the Commission for action.
When I read that, I stopped. I mean the previous two pages
So I do not know. I mean, this "if evidence is
found," it seems to me that you have just found it.
Now -- and you may want to state it that way for your own
reasons. Other than that --
PARTICIPANT: Notwithstanding the evidence found.
MR. APOSTOLAKIS: Okay. Thank you all for coming,
presenters; members, of course. We are adjourned.
[Whereupon, at 5:40 o'clock, p.m., the
subcommittee meeting was concluded.]
Page Last Reviewed/Updated Tuesday, July 12, 2016