HPRCT Workshop, June 21-25, 2010
Richard S. Hartley, Ph.D., P.E.
This presentation was produced under contract number DE-AC04-00AL66620 with

What is a High Reliability Organization (HRO)?
An organization that repeatedly accomplishes its high-hazard mission while avoiding catastrophic events, despite significant hazards, dynamic tasks, time constraints, and complex technologies.
A key attribute of being an HRO is to learn from the organization's mistakes (aka a learning organization).

SYSTEM ACCIDENT TIMELINE
1979 – Three Mile Island
1984 – Bhopal, India
1986 – NASA Challenger
1986 – Chernobyl
1989 – Exxon Valdez
1996 – Millstone
2001 – World Trade Center
2005 – BP Texas City
2007 – Air Force B-52
2008 – Stock Market Crash
What is next? Who is next?

"Some types of system failures are so punishing that they must be avoided at almost any cost. These classes of events are seen as so harmful that they disable the organization, radically limiting its capacity to pursue its goal, and could lead to its own destruction." (Laporte and Consolini, 1991)

Is it right for you?

DOE TRC and DART Case Rates
[Chart: All-DOE Total Recordable Case (TRC) rate and Days Away, Restricted or Transferred (DART) case rate, in cases per 200,000 work-hours, by year 1993 through 2008, with the point at which contractor ISM was deployed marked. Data as of 7/7/2009.]
DOE injury rates have come down significantly since Integrated Safety Management (ISM) was adopted.

Nuclear Energy Institute (NEI) Data
[Chart panels: Cost (¢/kWh); Reactor Trips/Scrams; Capacity Factor (% up); Significant Events per Unit.]

Individual Accidents OR System Accidents?

Individual accident
An accident wherein the worker is not protected from the plant and is injured (e.g. radiation exposure, trips, slips, falls, industrial accident, etc.).
Plant (hazard) → Human (receptor)
Focus: Protect the worker from the plant.

System accident
An accident wherein the system fails, allowing a threat (human errors) to release the hazard, and as a result many people are adversely affected: workers, the enterprise, the surrounding community, the country.
Plant (hazard) ← Human errors (threat)
Focus: Protect the plant from the worker.
The emphasis on the system accident in no way degrades the importance of individual safety; individual safety is a prerequisite of an HRO.

Goal of a High Reliability Organization
Strive daily for High Reliability Operations: a systems approach.
Every individual is not going to have a perfect day every day.
To avoid the catastrophic accident, a systems approach is required.

Reality Engineering
Understanding socio-technical systems to improve the bottom line.

Not a New Initiative
• A way to think
• Logical, defensible
• Based on logic and science
• Logic and science are time invariant
"The most important thing is to keep the most important thing the most important thing." (Steven Covey, The 8th Habit)
• Focus on what is important
• Measure what is important

• Take a physics-based system approach
• Measure gaps relative to the physics-based system
• Explicitly account for people
  – People are not the problem, they are the solution
  – People are not robots; pounding won't improve performance
  – People provide safety, quality, security, science, etc.
• Sustain behavior: account for culture
• Improve long-term safety, security, quality

Spectrum of Safety
Hard-Core Safety Physics ("as engineers write")
• Physics invariant
• Prevent flow of unwanted energy
• Delta function
Squishy People Part of Safety ("as people do")
• Average IQ of the organization
• It is a systems approach
• Gaussian curve

Spectrum of Safety (continued)
Old mind-set: compliance-based safety sits at the hard-core physics end of the spectrum.
High Reliability Organization: covers the squishy people end as well.
• Explicitly consider human error
• Take into account organizational culture
• Maximize delivery of procedures
• Improve system safety

Four steps
Step #1: Ensure the operation has a defined and justified safety basis.
Step #2: Develop and deploy an HRO framework to use the strengths of the organization to maintain safety.
Step #3: Measure performance of the organization against the safety basis.
Step #4: Leverage organizational learning to reduce variability in following the safety basis.

Step #1: Ensure the operation has a defined and justified safety basis
• Understand the physics and chemistry of processes
  – Unsafe Zone
  – Do-not-Operate Zone (DOZ)

Unsafe Zone (red): violates the physics of safety; high-consequence event.
In the red part of the unsafe zone, as delineated by the deterministic line, there are some levels of physics beyond which the outcomes (consequences) are certain.

DOZ (don't-operate zone, signified by the orange cloud): the orange cloud extends to the unsafe zone (red circle) and signifies the area which, because of uncertainty, we try to stay out of by establishing conservative margins of safety.
Step #1: Ensure the operation has a defined and justified safety basis (continued)
• Understand the physics and chemistry of processes
  – Unsafe Zone
  – Do-not-Operate Zone (DOZ)
• Define and justify the safety basis relative to the Unsafe Zone and DOZ
• Ensure individual processes are within the safety basis
• Ensure collective processes are within the safety basis
• Determine the margin of safety

Safe Zone / Safety Basis (green oval): a physics-based zone bounded by hazard analyses and defined using operating procedures. Assured safety based on physics: processes, if followed (i.e. stay within the safety basis), assure safety.

Margin of Safety (i.e. safety factors): the gap between the established safety basis and the unsafe zone.

Step #2: Develop and deploy an HRO framework to use the strengths of the organization to maintain safety
Compliance-based safety: work-as-imagined equals work-as-done, except for bad apples.

Compliance-based safety
• Based on the assumption that most people will follow established safety rules.
• Regulation and oversight ensure compliance with the established safety basis.
• Engineer's Field of Dreams: build it and they will come.
• Management assumes work-as-imagined equals work-as-done.

Those that don't follow established safety systems are just those few bad apples that need to be removed.
Why do we remove "bad apples"? They represent the $M lesson learned!

Step #2 (continued): HRO approach to safety
• The reality between work-as-imagined and work-as-done
• Socio-technical systems
• Explicit consideration of the effect of organizations on technical safety

The green cloud signifies the organization's struggles to stay within the safety basis: work-as-imagined versus work-as-done.

Holes in the safety basis because of poor analysis potentially drop you into the DOZ.

Every excursion into the DOZ decreases the margin of safety (reduced margin of safety).

HROs explicitly consider how organizational behavior affects the ability to buy in to the established safety basis, and attempt to leverage this to improve the margin of safety.

Building a High Reliability Organization

Four HRO practices
HRO Practice #1: Manage the System, Not the Parts
HRO Practice #2: Reduce Variability in the HRO System
HRO Practice #3: Foster a Strong Culture of Reliability
HRO Practice #4: Learn and Adapt as an Organization
Supporting elements shown on the diagram:
• Ensure the system provides safety
• Manage the system, evaluate variability
• Foster a culture of reliability
• Model organizational learning
• Deploy the system
• Evaluate operations: measure variability
• Adjust processes
• Provide the capability to make conservative decisions
• Make judgments based on reality
• Openly question and verify the system
• Generate decision-making information
• Tiered approach
• Refine the HRO system

References
Scott D. Sagan, The Limits of Safety
Charles Perrow, Normal Accidents: Living with High-Risk Technologies
Karl E. Weick and Kathleen M. Sutcliffe, Managing the Unexpected
James Reason, Managing the Risks of Organizational Accidents
Edgar Schein, Organizational Culture and Leadership, 3rd ed.
Sidney Dekker, Field Guide to Human Error Investigations
Stephen Covey, The 8th Habit: From Effectiveness to Greatness
Pantex High Reliability Operations Guide
Pantex Causal Factors Analysis Handbook