Safety Reports Series

N o. 7 3

Low Level Event and

Near Miss Process for
Nuclear Power Plants:
Best Practices
IAEA SAFETY STANDARDS AND RELATED PUBLICATIONS

IAEA SAFETY STANDARDS

Under the terms of Article III of its Statute, the IAEA is authorized to establish or adopt
standards of safety for protection of health and minimization of danger to life and property, and
to provide for the application of these standards.
The publications by means of which the IAEA establishes standards are issued in the
IAEA Safety Standards Series. This series covers nuclear safety, radiation safety, transport
safety and waste safety. The publication categories in the series are Safety Fundamentals,
Safety Requirements and Safety Guides.
Information on the IAEA’s safety standards programme is available at the IAEA Internet
site
http://www-ns.iaea.org/standards/
The site provides the texts in English of published and draft safety standards. The texts
of safety standards issued in Arabic, Chinese, French, Russian and Spanish, the IAEA Safety
Glossary and a status report for safety standards under development are also available. For
further information, please contact the IAEA at PO Box 100, 1400 Vienna, Austria.
All users of IAEA safety standards are invited to inform the IAEA of experience in their
use (e.g. as a basis for national regulations, for safety reviews and for training courses) for the
purpose of ensuring that they continue to meet users’ needs. Information may be provided via
the IAEA Internet site or by post, as above, or by email to [email protected].

RELATED PUBLICATIONS

The IAEA provides for the application of the standards and, under the terms of Articles
III and VIII.C of its Statute, makes available and fosters the exchange of information relating
to peaceful nuclear activities and serves as an intermediary among its Member States for this
purpose.
Reports on safety and protection in nuclear activities are issued as Safety Reports,
which provide practical examples and detailed methods that can be used in support of the
safety standards.
Other safety related IAEA publications are issued as Radiological Assessment
Reports, the International Nuclear Safety Group’s INSAG Reports, Technical Reports and
TECDOCs. The IAEA also issues reports on radiological accidents, training manuals and
practical manuals, and other special safety related publications.
Security related publications are issued in the IAEA Nuclear Security Series.
The IAEA Nuclear Energy Series consists of reports designed to encourage and assist
research on, and development and practical application of, nuclear energy for peaceful uses.
The information is presented in guides, reports on the status of technology and advances, and
best practices for peaceful uses of nuclear energy. The series complements the IAEA’s safety
standards, and provides detailed guidance, experience, good practices and examples in the
areas of nuclear power, the nuclear fuel cycle, radioactive waste management and
decommissioning.
 LOW LEVEL EVENT AND
NEAR MISS PROCESS
FOR NUCLEAR POWER PLANTS:
BEST PRACTICES
 The following States are Members of the International Atomic Energy Agency:

AFGHANISTAN GHANA NIGERIA

ALBANIA GREECE NORWAY
ALGERIA GUATEMALA OMAN
ANGOLA HAITI PAKISTAN
ARGENTINA HOLY SEE PALAU
ARMENIA HONDURAS PANAMA
AUSTRALIA HUNGARY PAPUA NEW GUINEA
AUSTRIA ICELAND PARAGUAY
AZERBAIJAN INDIA PERU
BAHRAIN INDONESIA PHILIPPINES
BANGLADESH IRAN, ISLAMIC REPUBLIC OF POLAND
BELARUS IRAQ PORTUGAL
BELGIUM IRELAND QATAR
BELIZE ISRAEL REPUBLIC OF MOLDOVA
BENIN ITALY ROMANIA
BOLIVIA JAMAICA RUSSIAN FEDERATION
BOSNIA AND HERZEGOVINA JAPAN SAUDI ARABIA
BOTSWANA JORDAN SENEGAL
BRAZIL KAZAKHSTAN SERBIA
BULGARIA KENYA
SEYCHELLES
BURKINA FASO KOREA, REPUBLIC OF
SIERRA LEONE
BURUNDI KUWAIT
SINGAPORE
CAMBODIA KYRGYZSTAN
SLOVAKIA
CAMEROON LAO PEOPLE’S DEMOCRATIC
SLOVENIA
CANADA REPUBLIC
SOUTH AFRICA
CENTRAL AFRICAN LATVIA
SPAIN
REPUBLIC LEBANON
SRI LANKA
CHAD LESOTHO
SUDAN
CHILE LIBERIA
CHINA LIBYA SWEDEN
COLOMBIA LIECHTENSTEIN SWITZERLAND
CONGO LITHUANIA SYRIAN ARAB REPUBLIC
COSTA RICA LUXEMBOURG TAJIKISTAN
CÔTE D’IVOIRE MADAGASCAR THAILAND
CROATIA MALAWI THE FORMER YUGOSLAV
CUBA MALAYSIA REPUBLIC OF MACEDONIA
CYPRUS MALI TUNISIA
CZECH REPUBLIC MALTA TURKEY
DEMOCRATIC REPUBLIC MARSHALL ISLANDS UGANDA
OF THE CONGO MAURITANIA UKRAINE
DENMARK MAURITIUS UNITED ARAB EMIRATES
DOMINICA MEXICO UNITED KINGDOM OF
DOMINICAN REPUBLIC MONACO GREAT BRITAIN AND
ECUADOR MONGOLIA NORTHERN IRELAND
EGYPT MONTENEGRO UNITED REPUBLIC
EL SALVADOR MOROCCO OF TANZANIA
ERITREA MOZAMBIQUE UNITED STATES OF AMERICA
ESTONIA MYANMAR URUGUAY
ETHIOPIA NAMIBIA UZBEKISTAN
FINLAND NEPAL VENEZUELA
FRANCE NETHERLANDS VIETNAM
GABON NEW ZEALAND YEMEN
GEORGIA NICARAGUA ZAMBIA
GERMANY NIGER ZIMBABWE

The Agency’s Statute was approved on 23 October 1956 by the Conference on the Statute of the
IAEA held at United Nations Headquarters, New York; it entered into force on 29 July 1957. The
Headquarters of the Agency are situated in Vienna. Its principal objective is “to accelerate and enlarge the
contribution of atomic energy to peace, health and prosperity throughout the world’’.
 SAFETY REPORT SERIES No. 73

LOW LEVEL EVENT AND

NEAR MISS PROCESS
FOR NUCLEAR POWER PLANTS:
BEST PRACTICES

INTERNATIONAL ATOMIC ENERGY AGENCY

VIENNA, 2012
 COPYRIGHT NOTICE

All IAEA scientific and technical publications are protected by the terms of
the Universal Copyright Convention as adopted in 1952 (Berne) and as revised in
1972 (Paris). The copyright has since been extended by the World Intellectual
Property Organization (Geneva) to include electronic and virtual intellectual
property. Permission to use whole or parts of texts contained in IAEA
publications in printed or electronic form must be obtained and is usually subject
to royalty agreements. Proposals for non-commercial reproductions and
translations are welcomed and considered on a case-by-case basis. Enquiries
should be addressed to the IAEA Publishing Section at:

Marketing and Sales Unit, Publishing Section

International Atomic Energy Agency
Vienna International Centre
PO Box 100
1400 Vienna, Austria
fax: +43 1 2600 29302
tel.: +43 1 2600 22417
email: [email protected]
http://www.iaea.org/books

© IAEA, 2012
Printed by the IAEA in Austria
June 2012
STI/PUB/1545

IAEA Library Cataloguing in Publication Data

Low level event and near miss process for nuclear power plants : best practices.
— Vienna : International Atomic Energy Agency, 2012.
p. ; 24 cm. — (Safety reports series, ISSN 1020–6450 ; no. 73)
STI/PUB/1545
ISBN 978–92–0–126610–1
Includes bibliographical references.

1. Nuclear power plants — Safety measures. 2. Nuclear power plants —

Management. 3. Nuclear accidents — Prevention. I. International Atomic
Energy Agency. II. Series.

IAEAL 12–00748
 FOREWORD

The IAEA programme on the operational safety of nuclear power plants

gives priority to the development and promotion of the proper use of IAEA safety
standards through the provision of assistance to Member States in the application
of safety standards, the performance of safety review missions and the conduct of
training activities based on safety standards.
A number of IAEA safety standards and nuclear safety publications discuss
the processes that need to be put into place for the feedback and analysis of
operating experience (OE) at nuclear power plants. These include: Fundamental
Safety Principles (IAEA Safety Standards Series No. SF-1), Safety of Nuclear
Power Plants: Commissioning and Operation (IAEA Safety Standards Series
No. SSR-2/2), Application of the Management System for Facilities and
Activities (IAEA Safety Standards Series No. GS-G-3.1) and A System for the
Feedback of Experience from Events in Nuclear Installations (IAEA Safety
Standards Series No. NS-G-2.11). Additionally, several IAEA TECDOCs cover
many aspects of the establishment, conduct and continuous improvement of an
OE programme at nuclear power plants, including the consideration of low level
events (LLEs) and near misses (NMs).
Although these IAEA safety standards and nuclear safety publications have
been in existence for several years, 70 per cent of the IAEA Operational Safety
Review Team (OSART) missions carried out at nuclear power plants between
2006 and 2010 identified weaknesses in the reporting and analysis process for
LLEs and NMs. In fact, this has been one of the recurring issues most often
identified in the area of OE during these missions. These weaknesses have been
further confirmed by most of the IAEA Peer Review of the Operational Safety
Performance Experience (PROSPER) missions that have been conducted to date.
Finally, the IAEA International Nuclear Safety Group, in their report entitled
Improving the International System for Operating Experience Feedback
(INSAG-23), also determined that learning opportunities from LLEs and NMs
are not fully realized.
IAEA Member States have called for guidance on practices for the reporting
and analysis of LLEs and NMs. The current publication has been developed to
provide insights into leading practices for managers seeking to develop a new — or
to improve an existing — LLE and NM process, with the goal of improving safety,
production and cost performance.
The IAEA wishes to thank the contributors to the drafting and review of this
publication and their Member States for their valuable contributions. The IAEA
officer responsible for this publication was S. Fotedar of the Division of Nuclear
Installation Safety.
 EDITORIAL NOTE

Although great care has been taken to maintain the accuracy of information contained in
this publication, neither the IAEA nor its Member States assume any responsibility for
consequences which may arise from its use.
The use of particular designations of countries or territories does not imply any
judgement by the publisher, the IAEA, as to the legal status of such countries or territories, of
their authorities and institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as
registered) does not imply any intention to infringe proprietary rights, nor should it be
construed as an endorsement or recommendation on the part of the IAEA.
 CONTENTS

1. INTRODUCTION . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

1.1. Background . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2. Objective . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3. Scope. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2. ESSENTIAL MANAGEMENT CHARACTERISTICS . . . . . . . . . . . 6

2.1. Management of the LLE and NM process . . . . . . . . . . . . . . . . . 6

2.1.1. Implementation of a LLE and NM process. . . . . . . . . . . 7
2.1.2. Continuous direction and oversight of the LLE
and NM process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
2.2. Clarity of responsibilities and accountabilities to support a
LLE and NM process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
2.3. Continuous improvement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.4. Creation and fostering of a ‘blame free’ or
‘just’ environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.5. Reward and recognition strategy . . . . . . . . . . . . . . . . . . . . . . . . 11
2.6. Maintaining a positive reporting environment . . . . . . . . . . . . . . 11
2.7. Maintaining long term goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

3. STAFF SELECTION AND TRAINING . . . . . . . . . . . . . . . . . . . . . . . 13

3.1. Staff selection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

3.2. Staff training in the LLE and NM process . . . . . . . . . . . . . . . . . 14

4. CRITERIA AND THRESHOLDS FOR THE IDENTIFICATION

AND REPORTING OF LLEs AND NMs . . . . . . . . . . . . . . . . . . . . . . 15

4.1. Clear and consistent reporting thresholds are established

and communicated . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
4.2. Obstacles to the reporting of LLEs and NMs . . . . . . . . . . . . . . . 17
4.3. User friendly system for reporting of LLEs and NMs . . . . . . . . 18
5. SCREENING ARRANGEMENTS . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

5.1. Establishment of a cross-disciplinary screening process

of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

6. LLE AND NM CODING AND TREND ANALYSIS . . . . . . . . . . . . 20

6.1. Coding of events . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

6.2. Trend analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
6.3. Identification of trends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
6.4. Evaluation of identified adverse trends. . . . . . . . . . . . . . . . . . . . 25

7. DISSEMINATION OF INFORMATION ON LLEs

AND NMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

8. MEASURING THE EFFECTIVENESS OF A LLE

AND NM PROCESS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

8.1. Establishment and maintenance of a suite

of process indicators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27
8.2. Self-assessment, benchmarking and peer review . . . . . . . . . . . . 27

REFERENCES . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29

ANNEX I: EXTRACTS FROM THE OSART AND

PROSPER GUIDELINES . . . . . . . . . . . . . . . . . . . . . . . . . . 31

ANNEX II: LLE AND NM PROCESS: EXAMPLES OF

BEST PRACTICE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

ANNEX III: TYPICAL EXAMPLES OF UNREPORTED ISSUES . . . . 59

ANNEX IV: LADDER OF ACCOUNTABILITY . . . . . . . . . . . . . . . . . . 62

ANNEX V: WESTRUM’S CLASSIFICATION OF

ORGANIZATIONAL TYPES . . . . . . . . . . . . . . . . . . . . . . . 63

ANNEX VI: HUDSON’S ORGANIZATIONAL CULTURE

MATURITY LADDER . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

ANNEX VII: CULPABILITY ASSESSMENT . . . . . . . . . . . . . . . . . . . . . 65

ANNEX VIII: THE DANISH SYSTEM FOR REPORTING OF
AVIATION INCIDENTS . . . . . . . . . . . . . . . . . . . . . . . . . . 66

ANNEX IX: EXAMPLES OF TREND ANALYSIS SUCCESS

AT EXELON NUCLEAR . . . . . . . . . . . . . . . . . . . . . . . . . . 75

ANNEX X: THE CORRELATION BETWEEN ACCIDENT

RATES AND COSTS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

ANNEX XI: EXAMPLE OF A TREND PROCESS FLOW SHEET. . . . 80

ANNEX XII: BRUCE POWER TREND EVALUATION

CHECK SHEET . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

ANNEX XIII: GOOD PRACTICE ON SHARING OF

NM INFORMATION. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

CONTRIBUTORS TO DRAFTING AND REVIEW . . . . . . . . . . . . . . . . . 85

 1. INTRODUCTION

1.1. BACKGROUND

Through the review of industry operating experience (OE), it can be

observed that for every significant event, there are a large number of
consequential events resulting in limited impact and a still larger number of low
level events1 (LLEs) and near misses2 (NMs) that result in no immediate loss or
damage. This observation is captured in the well known safety pyramid shown in
Fig. 1.

FIG. 1. Relationship between events that affect nuclear safety and other, less significant events.

1
A low level event is the discovery of a weakness or a deficiency that could cause an
undesirable effect but has not, owing to the existence of one (or more) barriers of defence in
depth [1].
2
A near miss is a potential significant event that could have occurred as the
consequence of a sequence of actual occurrences but that did not occur, owing to the plant
conditions prevailing at the time [1].

1
 Events at the top of the pyramid, often referred to as significant events, may
result in injury and loss, have an environmental impact and cause significant
disruption of production processes. These significant events are often obvious,
are readily brought to the attention of management, and are normally reviewed
according to nuclear power plant (NPP) protocols.
LLEs and NMs compose the lower portion of the pyramid. These events
have the potential to result in immediate loss, but normally do not. LLEs and
NMs are often less obvious than significant events and consequential events, and
normally have little, if any, immediate impact on individuals or processes.
However, LLEs and NMs provide insight into weaknesses in the defences
necessary to prevent higher level events and offer an opportunity to improve
safety, production and cost performance.
As numerous significant events illustrate, management failure to capture,
understand and remedy LLEs and NMs often foreshadows significant events.
Notable examples where NM precursors have been observed but not effectively
managed include:

— The 1979 Three Mile Island event, in which an unrevealed fault with the
power operated relief valve (PORV) led operators to an inappropriate
course of action, resulting in a loss of primary coolant, a partially uncovered
reactor core and an environmental release of radioactivity. The Kemeny
Commission report revealed that before the event, plants of similar design
had experienced problems with the PORVs on nine separate occasions.
Weaknesses were also identified in OE arrangements for the investigation
and remediation of the accident precursor conditions [2].
— The 1986 Space Shuttle Challenger explosion, in which engineers had
identified and reported degraded O-ring seals on previous missions dating
back to 1982, with degradation increasing as ambient lift-off temperature
decreased. The night before the disaster, management had been warned of
the potential for catastrophic failure when lifting off at ambient
temperatures of 11.6ºC or less (the lift-off temperature was 2.2ºC) [3].
— The 1999 Paddington train crash, in which 31 people died. From 1993 to
1999, eight NMs, or ‘signals passed at danger’ (SPADs), had occurred at
the location (signal 109) where the eventual collision and explosion
occurred. At the time of the crash, the signal was one of 22 signals with the
greatest number of SPADs recorded [4].
— A primary coolant leak at the Davis-Besse NPP in 2002, which led to
significant corrosion of the vessel head and resulted in a quarter inch
stainless steel liner becoming the only reactor coolant pressure boundary. A
number of lower level precursors, including observable leakage at the
reactor vessel head, containment air coolers fouling with increased

2
 frequency, frequent clogging of containment atmosphere radiation
monitoring filters with rust coloured boron deposits, and above normal
primary coolant make-up rates, had not been adequately reviewed and
evaluated via the LLE and NM process. This resulted in significant reactor
downtime and had a great financial impact on the utility and a broad impact
on the nuclear industry as a whole.
— The 1995 incident at the Bruce Nuclear Generating Station in Canada in
which an electrical relay failed to release and a transport trolley (114 t)
carrying a fuelling machine loaded with 16 irradiated fuel bundles failed to
stop at the designated position. The fuelling machine continued
uncontrolled to the physical limits and only came to a stop when the drive
motor tripped on overload. Fortunately, although one cable was severed and
another was shorted, cooling of the irradiated fuel was not immediately
affected; otherwise, the consequences could have been much more
significant. There were at least three LLE or NM precursors that could have
identified the specific relay problem or the deficiencies in the trolley drive
design.3

As these examples illustrate, failure to use LLE and NM data to address and
correct flawed defences can have catastrophic or highly significant results.
Within the context of the nuclear industry, the IAEA and other international
organizations such as the World Association of Nuclear Operators (WANO) and
the Institute of Nuclear Power Operations (INPO) continually promote the
efficient and effective use of a LLE and NM process within the OE field of
activity to reduce the possibility of significant events and improve plant
performance and safety.
In this publication, best practices for the management of LLEs and NMs are
presented, with an emphasis on obtaining operational and strategic value from
such events. The premise of this publication is that LLEs and NMs provide
information important for accident and event prevention at nuclear facilities,
resulting in overall improvements in safety, production and cost performance.
This requires well designed processes for identifying, reporting, conducting trend
and pattern assessment, analysing, disseminating information about and
correcting precursor conditions of LLEs and NMs. This publication is intended to
present best practices for LLE and NM arrangements in the belief these practices
are widely applicable and can be customized to match the majority of nuclear
facilities, and to fit particular organizational and business needs.

3
INTERNATIONAL ATOMIC ENERGY AGENCY, International Reporting System
for Operating Experience (IRS), Report Number 7045, IAEA, Vienna (1997).

3
1.2. OBJECTIVE

The objective of this publication is to provide NPPs and regulatory

organizations with a best practice overview of the development, implementation
and continuous improvement of a LLE and NM process in support of the overall
OE programme.
As identification of LLEs and especially NMs involves reporting one’s own
mistakes, senior management plays a critical role in making this happen. This
publication covers important issues, such as the creation of a ‘blame free’ culture,
which can help senior management in implementing and operating a successful
LLE and NM process in their NPPs/utilities.
To help Member States address IAEA Operational Safety Review Team
(OSART) findings and provide additional clarity to NPPs on what is expected of
a LLE and NM process, questions typically asked during OSART and Peer
Review of Operational Safety Performance Experience (PROSPER) missions for
the review of LLE and NM processes within OE areas are also included in this
publication (see Annex I).

1.3. SCOPE

Evaluation and in-depth analysis of OE are not restricted merely to lessons

learned from safety significant events. They also extend to lessons learned from
situations of lower significance or consequence (LLEs and NMs) that had the
potential to develop into safety significant events but were prevented from doing
so because of plant design features and/or preventive actions by an operator.
Hence, this publication describes the key elements for establishing and
enhancing the LLE and NM portions of existing OE programmes. It also contains
some examples of best practices available in the industry in this area (see
Annex II).
This publication is not intended to describe overall OE programme
arrangements, which are already well described in other IAEA publications (see
Fig. 2). However, as LLEs and NMs are an integral part of a total OE programme,
some references to larger programme aspects are retained in this publication.
Examples of typically unreported LLEs and NMs are provided in Annex III.

4
 Identifying
(IAEA-TECDOC-1581)
Internal events (from
operation, on the job
activities, observations and
inspections).
External OE review
Reports on other nuclear
installations and their
experiences to learn and
preclude a similar event.
Assessment
(PROSPER Guidelines,
IAEA Services Series
No. 10)
Results of self-assessment,
peer review, independent
assessments, regulatory body
inspections, etc., are used to
highlight and eliminate
weaknesses in OE processes.
Utilization and
dissemination of OE
(IAEA-TECDOC-1580)
Ensuring that operating
experience of generic
interest is effectively used
within a plant and shared
with external organizations.
FIG. 2. Typical OE programme arrangements and IAEA publications dealing with its various
elements [5–10].
Reporting of internal events
(IAEA-TECDOC-1581)
A plant level event is identified
and recorded. If reporting criteria
are reached, event is reported, as
appropriate: within the plant
(utility), to regulatory body, to
external organizations.
Screening
(IAEA-TECDOC-1581)
Processes following written
procedures to identify the
significance and frequency
of events and to decide on
the priority and level for
further analysis, as well as
to identify adverse trends.
Corrective actions
(IAEA-TECDOC-1458)
Consideration of the results
of in-depth analysis to
determine actions required
to restore situation
and to prevent recurrence.
Implementation
of actions is to be tracked
and recorded.
Immediate review of
significant events
Prior to changes in plant
conditions or restart of an
operation, an immediate
review of a significant
event is expected, in order
to preclude recurrence.
Investigation
(IAEA-TECDOC-1600)
Detailed and in-depth analysis
to determine the causes of an
event. Based on results,
corrective actions to prevent
recurrence can be taken.
Trend analysis
and review
(IAEA-TECDOC-1477)
Process allowing a developing
or emergent problem to be
recognized so that proactive
action can be taken.
5
 2. ESSENTIAL MANAGEMENT CHARACTERISTICS

2.1. MANAGEMENT OF THE LLE AND NM PROCESS

The IAEA Safety Fundamentals publication Fundamental Safety Principles

[11] states that there is a need to establish leadership and management for safety
using operating experience feedback to prevent recurrence of accidents and to
enhance safety (Principle 3). The IAEA Safety Requirements publication Safety
of Nuclear Power Plants: Commissioning and Operation [12] states that “The
operating organization shall be responsible for instilling an attitude among plant
personnel that encourages the reporting of all events, including low level events
and near misses” (para. 5.31). The IAEA Safety Guide on Application of the
Management System for Facilities and Activities [13] states that managers and
supervisors should encourage and welcome the reporting of potential safety
concerns, incidents and NMs, as well as accident precursors, and should respond
to valid concerns promptly and in a positive manner (para. 2.18). Additionally,
the IAEA Safety Guide on A System for the Feedback of Experience from Events
in Nuclear Installations [14] states that OE is to be reported in a timely manner to
facilitate learning from events. Furthermore, utilities and NPPs are encouraged to
support the collection and analysis of data relating to LLEs and NMs, including
those below the threshold for reporting to regulatory bodies (para. 10.4).
Thus, a key role for NPP managers is to ensure that the OE programme
includes efficient and effective capture, understanding and analysis of LLEs and
NMs, including their trends. This needs to be managed along with the evolution
of an organizational culture and continuous improvement programmes in the
organization.
Managers set the overall strategy to ensure that a LLE and NM process is
established and maintained such that it becomes an essential part of the day to day
and long term operation of the facility. Managers also set expectations for the
identification and reporting of LLEs and NMs. Their decisions regarding the
activities of the OE programme have as their overriding priority the maintenance
and improvement of safety performance. The best performing plants maintain an
appropriate focus on both LLEs and NMs to eliminate the possibility of more
significant events. Managers establish measures of performance to ensure proper
engagement in the identification of LLEs and NMs by various departments. They
also routinely review overall OE programme performance and, where necessary,
provide appropriate direction to correct deviations or shortfalls from desired
performance in the LLE and NM process.

6
2.1.1. Implementation of a LLE and NM process

To implement a LLE and NM process, it is essential to:

— Plan for and make available the necessary resources;

— Develop and implement the process, including required procedure(s);
— Develop a training and retraining plan for process application;
— Communicate and motivate people, and create ownership by all;
— Anticipate dealing with thousands of inputs (e.g. from databases,
investigations, screening, grouping by causes, trend and pattern assessment,
analysis);
— Provide regular and timely feedback to the persons providing input;
— Follow up implementation, seek feedback and adapt the process, as
necessary;
— Consider existing initiatives within an organization when planning
implementation.

2.1.2. Continuous direction and oversight of the LLE and NM process

Managers also provide continuous direction and oversight, leading by

example in order to ensure that identification, reporting and screening of LLEs
and NMs is effective.
In particular, managers:

— Ensure that the concept and benefits of the process are fully understood and
valued;
— Develop expectations and goals for the process;
— Ensure that personnel are trained to understand and correctly implement
procedures;
— Ensure that the process is simple and easy to understand;
— Ensure that staff are ‘calibrated’ to recognize and report deviations from
expected standards in a timely manner;
— Develop and maintain a ‘blame free’ or ‘just’ environment;
— Encourage the reporting of human performance issues;
— Develop a sense of ownership of the process within the NPP;
— Develop inquisitive attitudes and attention to detail;
— Maintain listening attitudes and attention to problems reported by staff;
— Avoid complacency and acceptance of known deficiencies and low
standards;
— Enhance standards through continuous improvement;

7
 — Ensure that the process receives wide support;
— Ensure that the process is aligned to generate meaningful results.

Above all, managers ensure that responsibilities and accountabilities for the
LLE and NM process are clearly communicated and reinforced as it is introduced
and developed.
A desirable additional management objective would be to integrate
experience gained from LLEs and NMs into all aspects of NPP operations. This
includes such elements as work package planning, task performance, and
development of publications and directives.

2.2. CLARITY OF RESPONSIBILITIES AND ACCOUNTABILITIES TO

SUPPORT A LLE AND NM PROCESS

At the organizational level, it is necessary that clear responsibilities and

accountabilities be established to support the LLE and NM process. In cases
where a mechanism for responsibilities and accountabilities is still being
established, NPP managers are to ensure that sufficient interim direction and
increased oversight are provided.
An OE manager is expected to monitor, on an ongoing basis, the LLE and
NM area of OE programme performance and to assess whether this performance
meets the NPP’s stated objectives. It is up to managers to initiate programme
improvements and promote proactive, widespread capture and use of LLE and
NM information.
Accountability for LLEs and NMs does not apply solely to the OE manager
with primary responsibility for completing OE related tasks. It applies to all
managers and team leaders providing cross-functional support to the
OE programme. This accountability ensures that necessary support is available
and well coordinated, and that the whole organization is aligned to OE
programme objectives regarding the reporting and analysis of LLEs and NMs.
The reporting of LLEs and NMs is a vitally important aspect of NPP culture
and is strongly influenced by the attitudes of managers and team leaders.
Managers lead by example, reporting LLE and NM issues where appropriate.
Leaders understand the importance of a thorough LLE and NM process, and
encourage the participation of personnel, using every opportunity to motivate
people to report — for example, through discussion during meetings, plant tours,
training sessions, pre-job briefings, debriefings, bulletins, posters, site
newspapers and the intranet.
Within high performing plants, all organization employees take
responsibility for their own behaviour and are committed to improving

8
themselves as well as the tasks and work environment. In some organizations,
managers have used generic accountability ladder models to communicate and
reinforce such responsibilities among their staff (see Annex IV).
With regard to the LLE and NM process, the goal is for individuals to
exhibit the following behaviours:

— Freely report LLEs and NMs within an OE programme;

— Communicate to create a shared understanding of LLEs and NMs;
— Regularly apply lessons learned from LLEs and NMs to improve
performance.

2.3. CONTINUOUS IMPROVEMENT

Managers often drive continuous improvement through self-assessment

processes or periodic external evaluation and review against industry standards
and best practices (such as IAEA OSART and PROSPER missions, WANO peer
reviews, or INPO assessments). The approaches to such improvements will
depend on an organization’s maturity (see Annexes V and VI). While an
OE programme is wholly dependent on information flow, the Westrum model
[15] is particularly relevant to a culture of open reporting and sharing of
information, and to the fostering of a ‘blame free’ or ‘just’ environment. The
leadership of managers in establishing openness in the reporting culture is
fundamental to the success of a LLE and NM process.

2.4. CREATION AND FOSTERING OF A ‘BLAME FREE’ OR ‘JUST’

ENVIRONMENT

Most LLEs and NMs are caused by error prone circumstances (for example,
work places, work practices, environment, job pressure) rather than error prone
workers. Studies show that almost all industrial events are rooted in latent
organizational weaknesses rather than human error. Managers must remember
that people do not intend to make errors, and that most people want a ‘blame free’
or ‘just’ environment that treats people fairly, honestly and with respect.
Reference [16] provides a model that can be used by managers to help
determine both the level of culpability (accountability) shared between
individuals and the organizational weaknesses related to events (see Annex VII).
Some NPPs use versions of the model in conjunction with their investigations of
human performance events. The model helps managers to identify the prevalent
individual or organizational factors that contributed to the event. The model

9
supports the fair and consistent application of performance coaching — or
discipline, if appropriate — across all departments and work groups.
In one example, Naviair, Denmark’s air traffic service provider, observed
that after a change in the reporting requirements and the law in Denmark, which
made non-punitive confidential reporting possible for aviation professionals, the
number of NMs (separation losses between aircrafts) reported rose from
approximately 15 to between 40 and 50 a year two years after the change was
implemented (see Annex VIII).
Thus, an important role for managers is to create a positive environment in
which personnel feel comfortable reporting LLEs and NMs without undue
concern about a punitive response from management — a so-called blame free or
just environment. Failure to do so can result in decreased performance, including
reduced reporting of LLEs and NMs due to a deterioration of trust between
workers and managers — the so-called blame cycle [16]. Safety policies are
intended to actively encourage effective reporting and, by defining the line
between acceptable performance (often unintended errors) and unacceptable
performance (such as negligence, recklessness, violations or sabotage), provide
fair treatment to those who report.
Often, low level human errors are not self-revealing, except to the
individual who committed the error. Consequently, such errors may not be
accessible for analysis if they are not reported, and a wealth of information may
potentially be lost. To maximize the benefit from LLE and NM information, it is
important that managers foster an environment in which such information is
captured. Major advantages in capturing LLE and NM information from staff are
that:

— Since nothing serious happened in the reported LLE or NM, a free

discussion about the origin of the event is possible with the staff involved.
— The person who made the error may share knowledge about the causal
factors behind LLEs or NMs resulting from non-human error. Causes can
be evaluated for applicability with input from the individuals who
discovered the issue.

It is important that NPP managers continually reinforce expectations for

open communication, encouraging staff to look for ways to learn from the
reporting of LLEs and NMs. Staff also need to recognize that the process includes
an element of personal responsibility and accountability.
Managers are also encouraged to periodically assess the ‘blame free’ or
‘just’ culture through the use of anonymous surveys, which staff can voluntarily
participate in.

10
2.5. REWARD AND RECOGNITION STRATEGY

Ideally, managers will give the topic of LLEs and NMs a high profile and
provide individuals with timely positive reinforcement for identifying, reporting
and learning from their own or others’ errors. Typically, in high performing
plants, a reward and recognition system is established and applied in a way that
motivates the reporting of LLEs and NMs by all personnel and contributes to
building a low-threshold reporting culture. This does not necessarily mean
financial reward; often, staff members who report LLEs and NMs respond well to
praise for sharing their actions among their peer groups.
Some organizations operate an employee of the week/month scheme where
the name and photo of the staff member are published at the plant (sometimes
called a ‘good catch’ scheme). Others award plaques or shields to the best
reporting division or department. Some plants award certificates to those
individuals with the best safety submissions on an annual basis. Other plants use
a lottery scheme wherein people who have made a significant contribution to the
LLE and NM process or who have identified a significant safety related precursor
are entered into prize lotteries, with drawings held quarterly, biannually or
annually. Examples of prizes include vouchers, dinner at a local restaurant or
event tickets.

2.6. MAINTAINING A POSITIVE REPORTING ENVIRONMENT

Once the basic framework of a LLE and NM process has been established,
a major role for managers is to foster an environment in which staff members are
comfortable with the process. The reporting of slips, lapses and errors with no or
only minor consequences is a complex area in which human emotions play a key
factor. Pride, embarrassment, and fear of criticism and possible ridicule by
managers, peers and subordinates are real issues for staff involved in LLE and
NM reporting. For these reasons, it takes time to build up the trust and confidence
of staff. NPPs often avoid including workers’ names in reports of LLEs and NMs,
and take steps to remove any names, where applicable, by using position titles or
other anonymous wording.
Managers’ responses to and actions taken regarding events, including LLEs
and NMs, will determine how successful the process is. In this respect, it is
essential to clearly communicate and reinforce expectations, as well as to
maintain a consistent approach. The saying that “reputations take a lifetime to
build but only seconds to destroy” is never more pertinent than in this field of a
manager’s activities.

11
 There are many examples, if not reported then certainly experienced, where
managers spend years building an OE programme and staff confidence in LLE
and NM reporting only to destroy any staff confidence gained by a single
inappropriate response to a particular event. This can happen when a manager
asks, ‘Who did that?’ rather than, ‘How did that happen?’, or worse still, when he
or she takes punitive action rather than seeking to understand what happened and
why. Additionally, failure to appropriately reinforce good behaviours and actions
can harm an open reporting culture.
Clearly, the nature of an event or a staff member’s action will have a
defining influence on management’s response. However, managers always need
to step back and ask themselves, “Is our investment in the potential long term
benefits of the LLE and NM process worth jeopardizing for our instinctive
reaction to this one event?”
Again, Reason’s model [16] can be used by managers as an aid to determine
the level of culpability (accountability) shared between individuals, and the
organizational weaknesses related to events (see Annex VII).

2.7. MAINTAINING LONG TERM GOALS

Managers in the nuclear industry face many scientific, technical and

personnel related challenges. But none is more pervasive than the continual
pressure of financial support. In this respect, managers continually seek greater
efficiency when perceived non-core business activities come under increased
focus.
The objective of an OE programme, and in particular the LLE and NM
process, is to prevent significant events by using a systematic approach to latent
error identification and reduction. However, some OE practitioners would be
hard pressed to express and share a definitive example of where they have clearly
achieved this objective. Thus, the OE programme is often viewed as an act of
faith and, as such, difficult to support by NPP managers, who are hard pressed to
maintain regulatory standards, engineering upgrades and production within tight
financial constraints. A short term view to rationalize OE support can be a very
tempting proposition for a manager, but each decision must be fully assessed. It is
essential that managers recognize the long term benefits of LLE and NM process
activities.
High performing plants have experienced considerable success in reducing
the frequency, severity and consequences of events within short periods of time
when a strong focus has been put on learning from LLEs and NMs to prevent
higher level events.

12
 For example, a utility in the United States of America (USA) reduced the
number of consequential errors from 3.4 to 0.07 per 10 000 work hours within an
18 month period (see Section II–2 of Annex II). A direct contributor to this
success was the focus on learning from LLEs and NMs to prevent errors and
accidents of greater consequence. Examples of success using equipment trend
analysis in an NPP are detailed in Annex IX.
Additionally, a US study has shown that, on average, each consequential
error costs approximately US $110 000 to address and correct (see Annex X).
More significant station events can cost an NPP much more. Thus a strong LLE
and NM process greatly contributes to improved safety and performance and to
real bottom line cost savings in the long run.

3. STAFF SELECTION AND TRAINING

3.1. STAFF SELECTION

Managers are to ensure that adequate numbers of suitably qualified and

experienced staff are appointed to oversee the defined scope of the
OE programme, and that they are supported at the highest levels of the
organization. High priority is to be given to the appointment of knowledgeable
and respected staff to key OE programme posts to ensure that managers, as well
as engineering, training, operations and maintenance staff, acknowledge and
support OE programme activities.
Best practices indicate that staff who are familiar with plant operational
practices and procedures, plant systems and management processes, and who are
already key plant staff, are most successful in an OE role. Better performing
plants allocate full time staff to oversee the OE programme and ensure that the
appropriate levels of quality and consistency are maintained. Considerable
investment is made in the selection of staff having appropriate analytical skills
and the soft skills necessary to exert appropriate influence on all site staff (from
management to front line operators) with respect to the LLE and NM process. If
necessary, appropriate personal development and coaching opportunities can be
made available.
The LLE and NM process has the potential to generate thousands of reports,
all requiring database input and trend and pattern analysis. Additionally, any
adverse trends identified will require investigation. Managers are to ensure that
an adequate number of staff members are trained in the LLE and NM process as

13
well as in event analysis techniques. This extends to staff beyond those dedicated
to the oversight of the OE programme to those in operation, maintenance and
engineering functions, to ensure that there is a wide base of knowledge
concerning the techniques. Best practice indicates that such trained staff routinely
apply this training so that skills are maintained. Managers are responsible for
keeping an appropriate number of staff available for these activities.

3.2. STAFF TRAINING IN THE LLE AND NM PROCESS

During initial implementation of the LLE and NM process, operations and

maintenance staff frequently challenge the value that is added, often stating, ‘It is
my job to recognize and fix these types of problems.’ Therefore, training for all
staff needs to focus on the longer term systematic and proactive nature of the
process, to be explained via trend and pattern analysis, and it is better to direct
staff away from the more reactive style of ‘It broke and I’ve fixed it’ thinking.
Managers need to ensure that all plant staff are trained to fully appreciate
the benefits of reporting LLEs and NMs, and to understand that their active
participation is expected.
Examples of training topics for OE department managers responsible for
the LLE and NM process include the following:

— Management and improvement of the LLE and NM process;

— Trend codes (the use of codes to identify and analyse the causes of trends);
— Cause analysis methodologies;
— Statistical analysis tools used for trend data;
— Human performance training, to include organizational contributors;
— Self-assessment of the health of a LLE and NM process;
— Development of a strong self-reporting culture;
— Creation of a database on good practices and pitfalls.

Examples of training topics for OE staff and other departments’

OE coordinators include the following:

— LLE and NM process steps;

— Training in plant operational practices and procedures, plant systems and
management processes, and familiarization with key plant staff;
— Trend codes — detailed training;
— Cause analysis methodologies — detailed training;
— Statistical analysis tools used for trend data — detailed training;
— Corrective action development;

14
 — Performance indicator development for a LLE and NM process;
— Human performance training — detailed training;
— Programme effectiveness/self-assessment of the health of a LLE and NM
process;
— Accessing a database — good practices and pitfalls.

Training sessions are an important focus area for managers to establish and
maintain the correct balance of reporting for their nuclear power plant, both
initially when a LLE and NM process is being set up and routinely during staff
refresher training. It is necessary that this training include reviews of recent
examples of significant, consequential events, as well as LLEs and NMs
(possibly using external OE examples). Such an approach is particularly effective
in maintaining focus on what is appropriate to report regarding LLEs and NMs.

4. CRITERIA AND
THRESHOLDS FOR THE IDENTIFICATION AND
REPORTING OF LLEs AND NMs

4.1. CLEAR AND CONSISTENT REPORTING THRESHOLDS ARE

ESTABLISHED AND COMMUNICATED

Managers establish and communicate expectations on the threshold for

identifying and reporting events. Experience shows that the causes of significant
events are usually the same as those of LLEs and NMs. Therefore, it is important
that the identification and reporting threshold be established at an appropriate
level of detail to identify any unwanted or undesirable situation, or any
unintended occurrence (including NMs), which may be useful in preventing
reoccurrences and improving plant and personnel safety, reliability and
performance.
It is imperative that the identification and reporting threshold for LLEs and
NMs be set as low as practically achievable. Ideally, the LLE and NM process
will include issues identified in any of the following key areas: plant systems and
equipment, human performance and organization/administration (including
documentation or processes).
At better performing plants, reporting thresholds may include a full
spectrum ranging from day to day plant defects, event reports and NMs through
to accidents. The advantage of this type of arrangement is that all data can be

15
contained within one database, allowing for extensive and consistent trend and
pattern analysis.
In many organizations, difficulties exist in deciding what should be
included in the LLE and NM process or in other existing processes such as work
management systems or observation programmes. The examples in Table 1 are
meant to help clarify what typically does or does not meet the LLE and NM
reporting threshold.

TABLE 1. EXAMPLES OF REPORTING THRESHOLDS FOR LLEs AND

NMs

Possibly below reporting threshold Likely meets reporting threshold

Single light bulb failure in office area Emergency light bulb failure in office area

Expected oil consumption in compressor Unexpected oil consumption in compressor

Valve packing leakage within acceptable limit Valve packing leakage above acceptable limit

Administrative worker arrives late for work Licensed operator arrives late for work

Worker discovers a formatting error in a Worker discovers a technical error in a

procedure procedure

Worker picks up wrong dosimetry badge, Worker picks up wrong dosimetry badge and
immediately realizes it and replaces it wears it into the work place

Shift operator performs walkdown but forgets Shift operator fails to perform walkdown in
to sign the walkdown checklist in the safety the safety equipment room
equipment room

Job task takes longer than required Job task in radiological area takes longer than
(no consequence) required

Lighting breaker trips Breaker for safety related system trips

Work order contains incorrect name of worker Work order contains incorrect piece of
to perform the work equipment to be worked on

Maintenance worker forgets tools required for Maintenance worker performs maintenance
performance of maintenance task with incorrect tools

Non-critical equipment runs to failure within Unexpected repeat failure of non-critical

acceptable period and with no consequence to equipment — trend for preventive
the plant maintenance

16
 The actual reporting level of events will depend on the organizational
development/maturity (see Annexes V and VI), and on the management systems
and processes that are in place. In a plant with a strong safety culture, the timely
reporting of LLEs and NMs will be well established for conditions that meet
thresholds similar to those described in Table 1.
Each NPP will need to develop its own threshold for reporting LLEs and
NMs based on its current stage of organizational development/maturity. External
benchmarking visits are an extremely useful tool for establishing industry norms
and best practice, and these are well supported through organizations such as the
IAEA, WANO, INPO and various reactor type owner groups.

4.2. OBSTACLES TO THE REPORTING OF LLEs AND NMs

Managers establish an environment where people (plant personnel and

contractors) develop a feeling of responsibility for detecting component and
system failures, and human errors. Nonetheless, people may not be willing to
report LLEs and NMs for the following reasons:

— Reporting tools are unavailable (e.g. no access to forms or computers).

— Reporting tools are too cumbersome (e.g. complicated forms, lack of
computer skills).
— Reports are not adequately reviewed or insufficient feedback is provided.
— Reporting is viewed as unnecessary because the person involved believes
he or she can take care of the situation alone.
— There is a belief that the outcome of reporting will not change anything
(i.e. no action will be taken, or the report will not be used).
— Fear of personal consequences.
— Reporting creates additional work.
— Human nature — reporting of individual mistakes can be embarrassing.
— Group interaction — reporting on others’ mistakes may cause
embarrassment or conflict between individuals or groups.

Many of these obstacles can be overcome by:

— Providing proper training on the use of tools for reporting LLEs and NMs;
— Providing feedback on LLE and NM results;
— Publicizing improvements that result from LLEs and NMs;
— Including the reporter in the development of actions based on his/her own
suggestions;
— Using a quick and simple reporting format/style;

17
 — Creating a well established ‘blame free’ or ‘just’ culture;
— Visible incentive programmes;
— Ensuring active management engagement and support, including
reinforcement of expectations.

4.3. USER FRIENDLY SYSTEM FOR REPORTING OF LLEs AND NMs

In order to create a simple and effective process, and to comply with

timeliness requirements, managers are to ensure that adequate tools for reporting
are readily available. These may include paper based or intranet reporting forms,
multiple communication channels with diverse support, email, and databases to
store, retrieve and analyse LLE and NM information. Depending on the
prevailing culture and organizational maturity, reporting channels may be open,
confidential or anonymous in nature.
The best performing plants now capture in the order of several thousand
events per reactor annually, and have recognized that capture and processing via
paper based systems is too resource intensive. As a result, these plants have
implemented fully electronic OE databases which permit easy input, coding and
trend analysis of high volumes of LLE and NM data, as well as retrieval of
historical data. The capital costs of such systems are outweighed by the benefits,
as they can be managed with fewer human resources than paper based
arrangements and result in significant safety and performance improvement as
well as cost reduction. It is recognized that during the transition from a paper
based system to a fully integrated OE system, many databases may need to be
combined. However, there are many benefits from using a fully integrated
database system, including: improved and simplified data management; more
powerful trend analysis; additional inputs to management decision making;
support for periodic safety reviews, probabilistic safety analysis and risk
assessment; and support for regulatory reviews.
At an NPP in India, the reporting of LLEs and NMs jumped from a few
hundred inputs to a few thousand per year for a twin unit station after the paper
based reporting system was replaced with a web based reporting system (see
Section II–4 of Annex II).

18
 5. SCREENING ARRANGEMENTS

5.1. ESTABLISHMENT OF A CROSS-DISCIPLINARY SCREENING

PROCESS OF EVENTS

Screening of LLE and NM information is undertaken to ensure that all

significant safety relevant matters are considered. The best performing NPPs
perform a prescreening of all reports via a corrective action programme (CAP)
group in order to clarify and enhance reports, and to ensure that immediate
actions are taken, if necessary. Subsequently, a daily screening meeting is held,
which is chaired by a senior manager and supported by representatives from key
functional areas (such as operations, maintenance, engineering, health and safety)
to ensure that proper categorization and action assignment takes place. Best
practice indicates that consistent membership at such screening meetings ensures
consistency in the screening of reports and enables the detection of emerging
trends that may indicate that an unsafe condition is developing.
Screening is used to establish priorities. A qualitative evaluation may also
be used for this purpose. Plants typically use a priority hierarchy such as the
following:

— High priority. Requires immediate attention. Safety or plant reliability is

affected. May require root cause analysis.
— Moderate priority. Of lower significance than high priority, but requires
resolution in a short time. Often requires apparent cause evaluation (less
stringent than root cause analysis).
— Routine priority. A condition that has minimal effect on the safe and reliable
operation of a plant or on personnel. The condition is sufficiently minor that
apparent or root cause analysis is not required.
— Low priority. No further action required; entered into the database for trend
analysis only.

LLEs and NMs usually fall into the last two categories and only require
simple correction or inclusion in trend analysis; however, investigations may be
initiated into special cases after screening. Some NPPs use risk matrices to
determine the significance of reports. These risk assessments determine the
priority of corrective actions; if appropriate, this will result in LLEs and NMs
having as high a priority as some significant events (see Section II–5 of Annex II
for examples of risk analysis matrices).

19
 6. LLE AND NM CODING AND TREND ANALYSIS

Fundamental to the LLE and NM process is the effective analysis and

correction of adverse conditions identified in LLE and NM trend analysis. It has
been shown that the organizational or programmatic common causes of trends are
the same as those that result in significant events. Trend and common cause
analysis of LLEs and NMs allows an NPP to strike the correct balance between
safety and production. As described earlier in this publication, significant events
are costly in terms of losses in both production and company reputation.
Figures 3–5 demonstrate the evolution of a less effective LLE and NM trend
analysis process through to a fully effective process.
In Fig. 3, latent organizational weaknesses remain undetected, since the
NPP is merely reacting to events without proactively identifying and correcting
event precursors through trend analysis and analysis of LLEs and NMs. This
results in the repeated occurrence of significant events. When these events occur,
the NPP reacts to them and puts measures in place that improve safety. However,
the NPP does not take a proactive approach to addressing the underlying or
systemic causes.

FIG. 3. LLE and NM process without LLE and NM reporting and trend analysis.

20
 In Fig. 4, insufficient LLE and NM reporting and trend analysis is
performed; therefore, significant latent organizational weaknesses remain
undetected. The time between significant events is long enough that the
significant organizational weaknesses are not exposed and corrected, resulting in
a catastrophic event.

FIG. 4. LLE and NM process with insufficient LLE and NM reporting and trend analysis.

Figure 5 shows an optimal situation in which regular trend analysis and

correction of LLEs and NMs identifies and corrects latent organizational
weaknesses before they are revealed by a more significant event.

6.1. CODING OF EVENTS

All reports, independent of their severity and/or consequences, need to be

coded and collected in the OE database in order to efficiently deal with the large
amount of data generated by a LLE and NM process. Trend coding systems may
be obtained by starting with standard coding systems such as the WANO event
coding system or the IAEA’s International Reporting System for Operating

21
 FIG. 5. LLE and NM process with regular trend analysis and correction of LLEs and NMs.

Experience (IRS) to attribute direct or apparent cause. Additionally, some

commercially available examples of cause codes include: HPES process,
TapRoot, MORT, and Performance Improvement International (PII), along with
industry specific examples developed by other operators, available via
information exchange programmes. However, experience has shown that these
coding schemes do not always provide adequate levels of detail for trend analysis
of non-consequential LLEs and NMs, and further tailoring for a specific NPP
may be required.
As mentioned in Section 4.3, best practices suggest that computerized
information systems be used to facilitate management of the large amounts of
information generated by the LLE and NM process. Such systems can be adapted
to enable finely structured searches for the information that is needed to detect
trends, patterns and generic issues.
The coding of events plays an essential part in the effectiveness of the
process, since it reduces event information to a few essential characteristics
which are used for further analysis. Proper coding is the basis for a valuable set of
data. In order to achieve this, simple coding schemes are used for LLEs and NMs.
These include:

22
 — Event codes: used in every report to categorize what happened or what
nearly happened;
— Causal codes: used to categorize why an event happened (where possible or
available);
— Key words: may be used to enhance text searching capabilities.

Note that for more complex reports, more than one event code may be
utilized to further enable trend analysis capabilities. Also, free text searches are
often used to further enable the identification and analysis of trends.
Ideally, coding schemes will enable effective trend analysis and analysis of
generated reports. For example, too many trend codes associated with a relatively
low total number of reports can delay the identification of important trends.
Conversely, too few trend codes with a high total number of reports make
analysis of meaningful trends too difficult.
Special attention has to be given to ensuring that events are coded
consistently and that trend codes are collectively reviewed by a multidisciplinary
group with consistent representation. Furthermore, before closing an event report,
it is desirable to review trend codes and, when necessary, update them to reflect
the further evaluation that was performed.
The best performing coding schemes are capable of transforming large
amounts of data into useful information that supports decision making and
reduces workload for staff at a low cost. Good database software enables efficient
and effective coding and analysis of a lot of information. Software needs to be
user friendly and easily available, and provide a wide range of features without
the need for significant training.

6.2. TREND ANALYSIS

Trend analysis is a process based on the analysis of LLE and NM trends

(precursors) used to identify degrading conditions that have not yet resulted in a
significant event. LLEs or NMs form the majority of reports among total reported
events at an NPP. Individually they may appear to be unimportant. However, as
discussed in Section 5.1, a very small number of perceived LLEs and NMs may
turn out to be of high or moderate priority following screening or further
investigation. The majority will be of routine or low priority, which will be
subjected to trend analysis. However, an accumulation of LLEs or NMs in the
same area or with a similar pattern may indicate a weakness in a programme.
It is important to identify trends (improving, declining or stagnant) in plant
performance and other areas that may not be apparent to the day-to-day observer.
To this end, LLE and NM data are to be analysed periodically. It is important that

23
an effective trend analysis process include management involvement and be
proactive instead of reactive in nature.
Better performing plants routinely carry out an important independent
quality check of trend analysis. It is important to monitor the generation of event
reports by departments or sections in order to identify and ensure adequate
engagement in the event reporting process by all sections. Inadequate
engagement can result in undetected shortfalls or deterioration of performance.

6.3. IDENTIFICATION OF TRENDS

Ideally, identification of adverse trends will not be based simply on

numerical values. For example, management may accept many insignificant
lighting problems, but a small number of reactivity control issues can present a
trend that needs to be addressed within a short time frame. Therefore, a key
component of trend analysis has to be the significance of the events constituting
the trend.
Trend reviews are meant to be cyclical and of sufficient frequency to
identify emerging trends. These can be performed through data review meetings
by station management or via the generation of adverse trend reports at a set
frequency.
The data capture and coding process used must have a hierarchical structure
to enable multi-level analysis by a trend evaluator. This helps trend evaluators to
group reports into areas for monitoring and further evaluation.
The most basic trend process is the production of a simple histogram that
counts the frequency of event reports in a certain area for a specified period of
time. The process of determining priority for further investigation can then be
decided by the techniques that are most appropriate to the organization. These
include:

— Basic numerical histogram analysis;

— Above average value histogram analysis;
— Pareto analysis;
— Standard deviation analysis.

There are several types of trend that may indicate that further action is
required. These include:

— Declining performance trend: a steady increase in the number of events

over a period of time.

24
 — Emerging trend: a trend that is just starting to appear at a frequency or
significance level not yet at the acute level that may nonetheless require
proactive correction.
— Acute trend: a large increase in the frequency of events over a short period
of time.
— Watch list monitoring trend: improvement sought within a department or
process for a previously identified deficiency that is not progressing at the
desired rate.
— Unstable process trend: sporadic frequency of events over a long period of
time.
— Negative engagement trend: absence of event report data for a department
or process from which data were expected, revealing a lack of self-
identification or reporting of issues.
— Cognitive trend: identification of a perceived trend by individuals or
groups.

The management of each NPP will need to decide what degree of statistical
boundaries is appropriate for its level of LLE and NM analysis; differing
boundaries reflect the individual maturity levels of plants.
An example of a simplified trend process flow sheet is included in
Annex XI.

6.4. EVALUATION OF IDENTIFIED ADVERSE TRENDS

As previously discussed, it has been determined that the causes of trends of

LLEs and NMs are the same as those of more significant events. At the best
performing plants where high numbers of event reports are generated, rather than
trying to assign corrective actions to each LLE and NM, it is considered very
important to perform careful analysis of the causes of trends that have been
identified. To achieve this, the culture within the organization must accept that
not all event reports will be corrected immediately and that it is acceptable to
close some of these for trend analysis purposes. Failure to adopt this approach can
lead to an overwhelming and debilitating number of corrective actions for an
NPP.
When a trend has been selected for further investigation, it is documented
and a methodical evaluation is initiated. This evaluation needs to identify causes
of the trend. If common causes are identified, then appropriate corrective actions
can be taken in order to eliminate the programmatic or organizational weakness.
At better performing plants, once a trend evaluation has been completed, an
independent quality check by a responsible manager is performed prior to

25
submission of the trend evaluation for approval and action by the station
management team. An example of a trend evaluation check sheet from an NPP is
included in Annex XII.

7. DISSEMINATION OF INFORMATION
ON LLEs AND NMs

In order for staff to continue to be motivated to share and report LLEs and
NMs, timely and effective dissemination and application of data is necessary.
Some common methods used by NPPs to disseminate information include:

— Training activities;
— Just-in-time information;
— Pre-job briefings and work packages;
— Shift briefings;
— Safety meetings;
— Management and work control meetings;
— Plant information display screens;
— Station publications highlighting industry and facility OE information;
— Industry and station OE via electronic bulletin boards and email;
— OE notebooks;
— Utility web sites and databases;
— Information from and to a designer/vendor, if applicable.

After the LLE and NM process has been successful in reducing the number
of significant events, dissemination of information is an essential tool to maintain
staff alertness to potential risks.
Additionally, external organizations such as vendor groups, reactor type
owners groups (e.g. CANDU Owners Group, Westinghouse Owners Group) and
national and international organizations (e.g. INPO, WANO, Electrical Power
Research Institute (EPRI)) exchange LLEs and NMs data, including steps taken
to correct adverse conditions and trends, where appropriate.
It is important for managers to regularly assure plant personnel that their
efforts to identify LLEs and NMs are worthwhile and valued. The engagement of
staff can also be reviewed through anonymous surveys. Results from the LLE and
NM process, together with staff survey results, are therefore fed back to those
involved, as appropriate, and to personnel, who are expected to initiate reports.

26
 Good practice concerning sharing of NM information with plant staff and
contractors, identified during an OSART mission to the Mihama NPP in Japan, is
included in Annex XIII.

8. MEASURING THE EFFECTIVENESS OF A LLE

AND NM PROCESS

8.1. ESTABLISHMENT AND MAINTENANCE OF A SUITE OF PROCESS

INDICATORS

The best performing plants establish and maintain a suite of LLE and NM
indicators to monitor and manage the LLE and NM process. Such indicators are
periodically assessed to pinpoint opportunities to adjust and improve individual
and organizational performance.
Some examples of useful process indicators include:

— Reporting levels, by department;

— Percentage of self-identified issues (departments reporting versus not
reporting their own issues);
— Ratio of internally to externally identified issues (externally identified
issues include those raised by, e.g., regulators, peer reviews, OSART
missions, external audits);
— Number of trend evaluations initiated;
— Trend evaluation quality;
— Ratio of number of trend evaluations targeted to those completed;
— Time required to complete trend evaluations;
— Ratio of LLEs and NMs to significant events;
— Ratio of self-revealing to self-identified events (proactive versus reactive);
— Ratio of LLEs and NMs related to human performance to those related to
equipment;
— Number of corrective actions derived from trend analysis.

8.2. SELF-ASSESSMENT, BENCHMARKING AND PEER REVIEW

Self-assessment reviews assess the effectiveness of an OE programme as a

whole and are to include as one element an assessment of the LLE and

27
NM process. To facilitate a self-assessment programme, indicators of process
effectiveness are developed by the NPP. These may include those listed in
Section 8.1.
External reviews (e.g. OSART, PROSPER, WANO/INPO peer reviews)
determine whether a programme for operating experience feedback, including
LLE and NM activities, meets internationally accepted standards and identifies
areas for improvement. Such reviews normally relate the performance of the LLE
and NM process to international standards and best practices and consider
different approaches to implementation of the process.
In addition to the above methods, high performance organizations also take
advantage of other improvement opportunities. Examples include but are not
limited to:

— Benchmarking visits to better performing NPPs;

— Benchmarking of non-nuclear industries such as the petroleum, chemical,
airline, aerospace, military, medical and health care industries;
— Continuous review of industry best practices;
— Remote benchmarking such as telephone, video link and Internet;
— Technical support missions from the IAEA, WANO, INPO, vendor groups;
— Participation in information exchange groups such as reactor type owner
groups and EPRI.

28
 REFERENCES
[1] INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary,
Terminology Used in Nuclear Safety and Radiation Protection, 2007 Edition, IAEA,
Vienna (2007),
http://www-ns.iaea.org/standards/safety-glossary.asp
[2] KEMENY, J.G., Report of the President’s Commission on the Accident at Three Mile
Island, US Govt Printing Office, Washington, DC (1979).
[3] VAUGHAN, D., The Challenger Launch Decision, University of Chicago Press,
Chicago (1996).
[4] CULLEN, Rt. Hon. Lord, The Ladbroke Grove Rail Inquiry, Part 1, HSE Books, Her
Majesty’s Stationery Office, Norwich (2001).
[5] INTERNATIONAL ATOMIC ENERGY AGENCY, Best Practices in Identifying,
Reporting and Screening Operating Experience at Nuclear Power Plants,
IAEA-TECDOC-1581, IAEA, Vienna (2008).
[6] INTERNATIONAL ATOMIC ENERGY AGENCY, PROSPER Guidelines: Guidelines
for Peer Review and for Plant Self-assessment of Operational Experience Feedback
Process, IAEA Services Series No. 10, IAEA, Vienna (2003).
[7] INTERNATIONAL ATOMIC ENERGY AGENCY, Best Practices in the Organization,
Management and Conduct of an Effective Investigation of Events at Nuclear Power
Plants, IAEA-TECDOC-1600, IAEA, Vienna (2008).
[8] INTERNATIONAL ATOMIC ENERGY AGENCY, Best Practices in the Utilization
and Dissemination of Operating Experience at Nuclear Power Plants,
IAEA-TECDOC-1580, IAEA, Vienna (2008).
[9] INTERNATIONAL ATOMIC ENERGY AGENCY, Effective Corrective Actions to
Enhance Operational Safety of Nuclear Installations, IAEA-TECDOC-1458, IAEA,
Vienna (2005).
[10] INTERNATIONAL ATOMIC ENERGY AGENCY, Trending of Low Level Events and
Near Misses to Enhance Safety Performance in Nuclear Power Plants,
IAEA-TECDOC-1477, IAEA, Vienna (2005).
[11] EUROPEAN ATOMIC ENERGY COMMUNITY, FOOD AND AGRICULTURE
ORGANIZATION OF THE UNITED NATIONS, INTERNATIONAL ATOMIC
ENERGY AGENCY, INTERNATIONAL LABOUR ORGANIZATION,
INTERNATIONAL MARITIME ORGANIZATION, OECD NUCLEAR ENERGY
AGENCY, PAN AMERICAN HEALTH ORGANIZATION, UNITED NATIONS
ENVIRONMENT PROGRAMME, WORLD HEALTH ORGANIZATION,
Fundamental Safety Principles: Safety Fundamentals, IAEA Safety Standards Series
No. SF-1, IAEA, Vienna (2006).
[12] INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants:
Commissioning and Operation, IAEA Safety Standards Series No. SSR-2/2, IAEA,
Vienna (2011).
[13] INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management
System for Facilities and Activities, IAEA Safety Standards Series No. GS-G-3.1,
IAEA, Vienna (2006).

29
[14] INTERNATIONAL ATOMIC ENERGY AGENCY, A System for the Feedback of
Experience from Events in Nuclear Installations, IAEA Safety Standards Series
No. NS-G-2.11, IAEA, Vienna (2006).
[15] WESTRUM, R., A typology of organizational cultures, Qual. Saf. Health Care 13
(2004) 22–27.
[16] REASON, J., Managing the Risks of Organizational Accidents, Ashgate, Aldershot
(1997).

30
 Annex I

EXTRACTS FROM THE OSART AND PROSPER GUIDELINES

The following extracts from the IAEA Operational Safety Review Team
(OSART) and IAEA Peer Review of the Effectiveness of the Operational Safety
Performance Experience (PROSPER) review guidelines provide examples of
typical questions used by reviewers to assess LLE and NM process efficiency and
effectiveness at an NPP:

— Does the scope of the OE programme include the reporting of LLE and NM
events?
— Is LLE and NM reporting actively encouraged?
— Is the reporting threshold appropriately chosen to encourage the reporting
of LLEs?
— Is the reporting process user friendly (ease of reporting, availability of
forms/access to computers, access to results and feedback to staff)?
— Is there a declared policy of ‘blame free’/‘just’ reporting? What is the staff
perception? Are actions considered to be punitive?
— Is there evidence in the plant of unreported deficiencies, event precursors or
error likely situations (e.g. defective equipment, poor material conditions,
poor or unsafe working practices, uncontrolled operators’ aids, lack of
document control, operator logbook entries not captured in the LLE and
NM process)?
— Does the event reporting database include LLEs and NMs?
— Does the event screening process include screening of LLEs and NMs?
— Are trend codes adequate to allow for proper coding of LLEs and NMs?
— Is trend analysis carried out on a regular basis, with the results of analysis
reported to management?
— Are corrective actions identified through trend analysis and completed in a
timely manner?
— Are effectiveness reviews performed for corrective actions from trend
analysis, and have the identified trends actually been corrected?
— Does the trend analysis and evaluation process identify generic
implications, precursors of declining performance and root causes of
adverse trends?

These attributes can be used effectively to assist plant focus on self-

assessment of the LLE and NM process.

31
 Annex II

LLE AND NM PROCESS: EXAMPLES OF BEST PRACTICE

The examples contained in this annex are intended to provide insights into
what some of the better performing utilities programmes cover within the LLE
and NM environment. These examples are not intended to be prescriptive; rather,
they provide potential benchmarking opportunities.

II–1. BRUCE POWER, CANADA

Brief description of NPP/utility

— Eight pressurized heavy water reactor CANDU units;

— Units 1 and 2, currently undergoing major refurbishment in a drained and
defuelled condition;
— Bruce A plant: 4 × 750 MW(e);
— Bruce B plant: 4 × 850 MW(e);
— In-service dates for Bruce A units: 1976, 1977, 1978, 1979;
— In-service dates for Bruce B units: 1984, 1985, 1986, 1987.

OE organization

The OE, Corrective Action Programme (CAP) and Human Performance

(HU) Sections are located within the Performance Improvement Department,
which is in the Nuclear Oversight and Regulatory Affairs Division.
The CAP Section is responsible for coordination of screening and analysis
of all internal event reports, including LLEs and NMs. Evaluations are conducted
by subject matter experts and team leads (where teams are used) from line
organizations, with CAP process mentors. Results of analysis and suggested
corrective actions are approved by multidisciplinary teams of managers
(management review meetings (MRMs) for apparent cause evaluations (ACEs),
or corrective action review boards (CARBs) for root cause evaluations (RCEs))
and are then implemented. The completion of corrective actions to prevent
recurrence (CAPRs), which are generated from RCEs only, is also reviewed by
CARBs, in order to facilitate appropriate implementation and timeliness.

32
Management expectations

The station condition record (SCR) process is used to document adverse

conditions, investigation results and corrective actions related to people, the
plant, the environment and the process.
Management’s expectations with regard to the reporting of NMs, LLEs,
error likely situations, incidents, adverse conditions and events are as follows:

— Events, incidents and error likely situations are adequately documented.

— Cause(s) are determined.
— Appropriate corrective action(s) are implemented.
— Lessons learned are identified for communication to internal and external
organizations.

An error likely situation is a behaviour, practice or condition that could

result, but has not yet resulted, in a loss.
Loss is defined as: harm to people; harm to reputation; damage to plant or
property; interrupted productivity; regulatory violation and activity or condition
reportable to the regulatory body; harm to the environment; radiological
exposure; or reduced margin of reactor safety. An incident is an event that could
or does result in unintended harm or damage.
An adverse condition is an undesirable situation, state or circumstance
related to people, the plant, the environment or the process, or an event, an
incident or an error likely situation that has resulted in loss, or that has the
potential to result in loss.
An event is a consequence exceeding some criteria of significance,
involving an unwanted change in either the health or well-being of employees,
the environment or safety margins, or in the ability of the plant to perform its
design functions.

Overview of the programme

Purpose

The SCR process is used to document adverse conditions, investigation

results and corrective actions related to people, the plant, the environment and the
process. A consistent reporting and evaluation process for identified adverse
conditions at Bruce Power is required, to minimize losses related to people, the
plant, the environment and the process by ensuring the following:

33
 — Events, incidents and error likely situations are adequately documented.
— Cause(s) are determined.
— Appropriate corrective action(s) are implemented.
— Lessons learned are identified for communication to internal and external
organizations.

Exceptions

Adverse conditions related to confidential employee relations are excluded.

For security related adverse conditions for which a degree of confidentiality is
required, the intent of the process is to be followed, but the event, its subsequent
investigation and corrective actions are made available for staff review on a need
to know basis only.

Levels of investigation

The following levels of investigation are available. The line manager

recommends an appropriate level of investigation (see Table II–1); the
recommendations are then reviewed and confirmed by corrective action
programme coordinators (CAPCOs) and MRMs.
Root cause investigation. An extensive root cause analysis is to be
completed by a team of individuals or by an individual no more than 28–30 days
from the event date in accordance with BP-PROC-00518, Root Cause
Investigation. The responsible manager is an executive vice president,
vice president or department manager. Resolution category A will be assigned.
Equipment root cause investigation. An extensive root cause analysis is to
be completed by a team of individuals or by an individual no more than
28–30 days from the event date in accordance with BP-PROC-00518, Root Cause
Investigation. The responsible manager is an executive vice president,
vice president or department manager. Resolution category A will be assigned.
Apparent cause evaluation. Requires an investigation into the apparent
cause of the adverse condition in accordance with BP-PROC-00519, Apparent
Cause Evaluation. The investigation is usually conducted by a single investigator
within 35 days of the date the MRM assigns the evaluation. The
responsible manager is a department manager or section manager. Resolution
category B will be assigned.
Equipment apparent cause evaluation. Requires investigation into the
common causes of an adverse trend in accordance with BP-PROC-00644, Trend
Evaluation. The investigation is usually conducted by a single investigator
within 35 days of the date the MRM assigns the evaluation. The

34
TABLE II–1. INVESTIGATION LEVELS FOR EVENTS
Resolution Description
category
A Requires a root cause analysis
or equipment root cause
analysis to determine CAP.
Usually involves a team for a
week or longer.
B Requires apparent cause
evaluation or equipment
apparent cause evaluation
and/or any corrective actions
outstanding.
C Trend evaluation.
D Corrective actions assigned.
E Cause is known and all
corrective actions have been
taken (or MRM decides no
action is required).
Significance Description
level
1 A highly significant
incident/event or substandard
condition that causes a major
reduction in the margin of safety
to the public or to station
personnel and/or which has a
major impact on the
environment or on production or
on other business deliverables.
2 A significant incident/event or
substandard condition that
causes some reduction in the
margin of safety to the public or
to station personnel and/or
which has some impact on the
environment or production or
on other business deliverables.
3 An incident or substandard
condition which is not
significant by itself, but which
has the potential to be more
significant or which may be the
precursor to a more significant
event.
4 A minor incident or condition
adverse to quality which will
help to identify, by means of a
trend analysis, those areas that
need more attention.
5 Not significant, e.g. ‘NE’
resolution category.
If the assigned resolution category or
significance level is different from
recommendations of the front line manager,
a rationale for the change is to be provided.
35
responsible manager is a department manager or section manager. Resolution
category C will be assigned.
Trend evaluation. Requires an investigation into the common causes of an
adverse trend in accordance with procedure BP-PROC-00644, Trend
Evaluation. The investigation is usually conducted by a single investigator
within 35 days of the date the MRM assigns an evaluation. The
responsible manager is a department manager or section manager. Resolution
category C will be assigned.
Corrective actions assigned. Requires specific defined action to correct an
adverse condition. If ‘corrective actions assigned’ is the recommended level of
investigation, the front line manager needs to provide the following information:
a description of the corrective action required, the due date for completion, the
alert group the action ought to be assigned to, and the name of the person who has
accepted the action. Resolution category D will be assigned.
No further action required. This level of investigation is normally only
recommended if the adverse condition has been corrected and documented in the
SCR in the ‘immediate actions taken’ field, or of the adverse condition is being
documented to provide data in support of an adverse trend identification and/or
evaluation. Resolution category E will be assigned.

Daily condition report screening meeting

The daily condition report screening meeting is a daily meeting of

CAPCOs, with a rotating chairperson. The meeting serves as a collegial review of
all prescreened SCRs prior to a station MRM. CAPCOs perform all prescreening
functions including: initial trend code assignment, significance level validation
and recommended investigation level/type/organization. A representative of the
line organizations (the line CAPCO or backup supplied by the line) is required to
attend each screening meeting and to fulfil CAPCO duties on a daily basis (as per
procedure SEC-CAPP-00001, Corrective Action Programme Coordinator). An
SCR is raised to document any failure to meet this requirement.
If the CAPCOs do not have enough information to resolve the SCR at the
initial screening meeting, the issue can be brought back to the next day’s
screening meeting. Of SCRs screened at the initial screening meeting, 90%
concern acceptable performance of the CAPCOs and the line organizations
providing them with the information required (10% are ‘bring backs’). In no case
can an SCR be brought back more than three times.

36
Overview of OE resources

OE and CAP consist of 18 people — one department manager, four

programme administrators, three external operating expenditures (OPEX)
coordinators, seven investigators/coordinators, one administrative assistant and
two business support representatives. These people are functionally assigned
duties for the Bruce A station, Bruce B station and the corporate office (this was
in preparation for ‘fleet model’ Performance Improvement Department staff
deployment in 2010).

Key focus areas

Past and present

— Upgrade of the CAP software program from the existing condition

reporting application to Passport-V10, and Esuite (a web based, user
friendly interface).
— The HU Section is new, with three full time HU managers (Bruce A,
Bruce B, and corporate).
— Hiring of several of the 18 department staff took place in preparation for
deployment to ‘fleet model’ organization with most staff assigned to Bruce
A and Bruce B stations. Staff will continue to report to the performance
indicator (PI) Department manager but will more closely support the
stations in their day-to-day operations.

Future

The Bruce Units 1 and 2 restart project lessons learned/OE process is

challenging, because construction organizations are not accustomed to operating
within a nuclear business culture of openness with regard to the reporting of
LLEs and NMs.
Preparations for the 2011 business plan included an external OPEX
software program for handling and processing external OPEX (incoming) and for
reporting of internal OPEX to the industry (outgoing). An OPEX handling
software upgrade, including significant process efficiencies, is targeted.

37
Successes

— The reporting level for LLEs and NMs has increased from approximately
600 reports per unit eight years ago to approximately 3500 reports per unit
in 2009.
— There has been an increase in the identification of trend evaluations on
identified adverse trends at a significance level of 3 or above. The company
recently implemented an upgraded trend evaluation process that now turns
a number of related SCRs into organizational and/or programmatic causes
which are evaluated via an ACE or RCE, depending on the significance of
the adverse trend.
— Conditions reportable to the Canadian regulator (Regulatory Standard S-99)
have steadily declined as the reporting of issues has increased.
— Conventional safety improvements have been seen, with over 18 million
person-hours worked on the six operating units without a ‘lost time injury’,
(the last one occurred in June 2007). The use of an improved CAP,
including a significant increase in the reporting of LLEs and NMs
(precursor issues), followed by trend evaluations, has been instrumental in
achieving this significant improvement. The benefits to the company,
including reduced loss of morale, reduced loss of production and reduced
accident handling costs, are significant.

Challenges

— How to manage human performance improvement while a rapidly ageing

workforce is replaced with younger workers who are new to the nuclear
industry, including new supervisors and managers.
— How to extend the success in conventional safety management to other key
areas of business performance.

Figure II–1 plots safety events, safety precursors and total SCR generation
at the site from 2006 through 2009. Significant safety events have declined as
SCR generation and subsequent low level precursor identification have
improved.
Figure II–2 plots conditions reportable to the Canadian regulator
(Regulatory Standard S-99), which declined steadily as the reporting of issues
increased from 1 January 2005 to 31 December 2009. As SCR generation and
subsequent low level precursor identification have improved and have been dealt
with, reportable S-99 events have declined.

38
FIG. II–1. Bruce Power: safety events, safety precursors and total SCR generation,
2006–2009.

FIG. II–2. Bruce Power S-99 report trends per operating unit, 2006–2009.

39
II–2. ENTERGY NUCLEAR, USA

Brief description of NPP/utility

Entergy owns ten nuclear stations with 12 plants. These plants are as
follows:

— Grand Gulf (boiling water reactor (BWR)), 1 × 1210 MW(e);

— River Bend (BWR), 1 × 996 MW(e);
— Waterford-3 (pressurized water reactor (PWR)), 1 × 1178 MW(e);
— Arkansas Nuclear One (PWR), 2 × 967 MW(e);
— Indian Point (PWR), 2 × 1033 MW(e);
— James A. Fitzpatrick (BWR), 1 × 850 MW(e);
— Pilgrim (BWR), 1 × 690 MW(e);
— Palisades (PWR), 1 × 798 MW(e);
— Vermont Yankee (BWR), 1 × 626 MW(e);
— Cooper (BWR), 1 × 801 MW(e).

OE organization

The Corrective Action and Assessment (CA&A) Department at each of the

sites generally consists of full time staff, including a department manager,
administrative assistant, corrective action specialist, cause analysis specialist and
OE coordinator. The CA&A Department is responsible for overseeing the
administration of the corrective action programme (CAP), which tracks all
conditions and actions that result from internal inspections, evaluations and
assessments, including LLEs and NMs, as well as the results of inspections,
evaluations and assessments conducted by organizations such as INPO, the
US Nuclear Regulatory Commission (NRC), the US Occupational Safety and
Health Administration (OSHA) and other, similar external organizations.
Additional support is provided by the corporate CA&A Department. The OE
coordinator at each site coordinates internal and external OE for the site to ensure
that internal OE is provided to site departments and to other sites in the fleet for
consideration of applicability. In addition, external OE is evaluated for site and
fleet applicability. The CA&A Department coordinates the reporting and
addressing of conditions reported in the Paperless Condition Reporting System
(PCRS) for the site. This includes all condition levels as described below
(including LLEs and NMs). Strong ownership of specific conditions by the
appropriate department is expected and demonstrated at each site.

40
Management expectations

Company procedures, aligned for all plants in the fleet, provide for the
reporting of adverse conditions and conditions adverse to quality, as well as any
condition that may challenge the safe operation of a plant. Workers are
encouraged and expected to report all conditions at any level, and the programme
is designed to screen conditions to ensure the appropriate response level.

Overview of the programme

The following is a very general overview, intended to provide basic insights

into applicable portions of the process. LLEs and NMs are captured via the CAP
in the PCRS. Any worker can initiate a condition report (CR) at any level. Each
day, a condition review group (CRG), consisting of site management personnel
from each of the major site departments, chaired by the General Manager of
Operations (GMPO/plant manager), screens the CRs initiated on the previous
day. Condition reports are screened in a manner similar to that described in
Section 5 of this publication, as Level A, B, C or D, with A being the most
significant and D the least. LLEs and NMs account for the majority of the
conditions identified, and are normally screened as Level C or D, but may also be
screened as Level B if the CRG determines that an apparent cause evaluation
(ACE) is warranted. LLEs and NMs will generally not rise to Level A, which
comprises more significant conditions requiring a root cause analysis (RCA) to
address the condition. ACEs and RCAs are required to be completed within
30 days, unless there is a compelling reason to allow an extension of this time
frame, to ensure the timely determination of causes and implementation of
corrective actions. Once completed, ACEs and RCAs are presented to a
corrective action review board (CARB) for final approval prior to issuance. LLEs
and NMs are investigated to the extent necessary to address and correct an
identified condition, or in many cases are closed for trend analysis within the
CAP. Monthly and quarterly trend reports are generated to identify trends from
the PCRS, with the majority of the data resulting from LLE and NM conditions.
Various other forums, such as department monthly reviews and Human
Performance Review Board (HURB) meetings are employed to review data and
determine actions necessary to continually improve performance.
In general, plants initiate approximately the following number of condition
reports per reactor annually: Level A — 5–10; Level B — 100–300;
Level C — 1000–2500; Level D — 2000–4500. The spread in reporting levels
can be attributed to different levels of performance across the fleet.

41
Overview of OE resources

As indicated above, the CA&A Department at each of the stations consists,

in general, of a department manager, administrative assistant, corrective action
specialist, cause analysis specialist and OE coordinator. In addition, departments
assign department performance improvement coordinators (DPICs) to coordinate
corrective actions at any level within the department. DPICs are line organization
staff members generally assigned this responsibility as a collateral duty.

Key focus areas

Past

The CAP was developed many years ago and has been continually
developed and improved over time. Experience gained on the job, through
information exchanges, via benchmarking, and by participation in internal and
external assessments shows that initial implementation of a CAP is sometimes
difficult. In the early implementation phases (20 or more years ago), staff
sometimes resisted the change driven by the new programme. However, a strong
commitment and belief in the programme by senior management has resulted in
workers taking full advantage of the process and in significant performance
improvement over time.

Present

The CAP, including the OE programme, is periodically assessed and

evaluated by various mechanisms that include, but are not limited to:

— Department and plant self-assessments.

— WANO/INPO evaluations.
— Regulatory inspections or problem identification and resolution
effectiveness.
— Nuclear insurers.
— Benchmarking of high performing external organizations.
— Particpation in industry information exchange workshops and conferences.
— Monitoring of performance indicators such as:
• Number of Category A–D CRs initiated;
• Average age of CRs and corrective actions;
• Quality grading of cause evaluations;
• Average age of cause evaluations;
• Number of cause evaluations requiring more than 30 days;

42
 • Number of overdue corrective actions;
• Number and rate of industrial accidents, LLEs and NMs related to non-
consequential human performance errors (NCEs), consequential errors,
human performance events.

Future

Work is being done at Entergy Nuclear to gain better results from the data
tracked for NCEs, which equate to LLEs and NMs, by developing a performance
indicator that is intended to track self-identified versus externally identified
NCEs. The aim is to encourage more self-reporting of NCEs, with increased data
and a greater opportunity to learn from LLEs and NMs, resulting in fewer
consequential errors and events. It is recognized that higher level conditions are
prevented by learning from lower level conditions, and thus the focus is on
learning from LLEs and NMs.

Successes

In the early stages of programme implementation, consequential error rates

decreased from 3.4 to approximately .07 errors/10 000 work hours in an 18 month
period. A direct contributor to this success was the focus on learning from LLEs
and NMs to prevent errors and accidents of greater consequence.
Below are additional examples of improved performance due to tracking
and trend analysis of LLEs and NMs:

— Trend analysis of low level industrial safety incidents at one plant led to a
team evaluation of the causes of and contributors to commonalities and to
the development of actions to improve performance. As a result, a 44%
reduction in the number of industrial safety incidents was achieved at that
plant in a six month period.
— Trend analysis of low level industrial safety incidents for a specific fleet
department led to a team evaluation of the causes of and contributors to
commonalities and developing actions to improve performance. As a result,
a 33% reduction in the number of industrial safety incidents was achieved
within that department in a six month period.
— Trend analysis of low level material handling errors resulted in a team
evaluation of the causes of and contributors to commonalities and to the
development of actions to improve performance. As a result, no significant
material handling incidents occurred within the fleet of 12 plants in the
subsequent six month period.

43
Challenges

The number of low level and NM tagging incidents is not acceptable.

However, recent examination of the situation has resulted in the formation of a
team to review LLE and NM data associated with tagging and has identified
common contributors and corrective actions to prevent further occurrences. The
identified actions are in the process of being implemented with expected
performance improvements.

Good practices to share

The programme is very robust with some basic practices for any developing
utility to consider emulating. The following are examples of good practices to
share:

— A strong nuclear safety culture with well trained staff willing to report
incidents at every level;
— A significant focus on industrial safety, human performance and continuous
performance improvement;
— A strong commitment by senior management to the CAP, including the use
of OE and LLE and NM data to prevent future incidents;
— Full time staff administering the CAP, which includes the OE and the LLE
and NM processes;
— Well trained cause evaluators and a strong commitment to providing
resources to complete high quality cause evaluations;
— Encouragement of reporting at every level;
— The possibility for any worker to issue a CR;
— High volumes of corrective action data;
— Continuous monitoring of the programme by CRG, CARB, HURB,
department management, etc.;
— Well developed and implemented corrective action, human performance
and industrial safety performance indicators;
— Information sharing through the OE programme, both internally and with
external organizations;
— A robust OE dissemination and application process;
— A defined and well implemented self-assessment and benchmarking
process overseen by the Self-Assessment Review Board (SARB), chaired
by the site vice president;
— Expectation of and commitment to timely implementation of corrective
actions.

44
 One particularly strong practice has been the implementation of a HURB.
This process permits the periodic presentation of LLE and NM related human
performance data to a senior management team. This results in a strong focus on
continuous human performance improvement and challenges issued by the
HURB to strengthen actions by individual departments.

II–3. EXELON NUCLEAR, USA

Brief description of NPP/utility

Exelon owns 10 nuclear stations with 17 reactors located in the Midwest

and on the East Coast of the USA, making Exelon the largest nuclear utility in the
USA and third largest in the world. Reactor types include Westinghouse PWRs
and General Electric BWRs. Seven of the stations consist of two unit sites, and
three of the stations have one unit. These plants are as follows:

— Braidwood (PWR), 2 × 1250 MW(e);

— Byron (PWR), 2 × 1250 MW(e);
— Clinton (BWR), 1 × 1150 MW(e);
— Dresden (BWR), 2 × 918 MW(e) (uprated);
— LaSalle County (BWR), 2 × 1150 MW(e);
— Limerick (BWR), 2 × 1150 MW(e);
— Oyster Creek (BWR), 1 × 670 MW(e);
— Peach Bottom (BWR) 2 × 1150 MW(e);
— Quad Cities (BWR), 2 × 960 MW(e) (uprated);
— Three Mile Island (PWR), 1 × 1250 MW(e).

The two unit stations employ about 650 full time workers each, and the
single unit stations employ about 450 workers each. During significant outages
staff typically doubles, with a contracted work force used for most of the reactor
and turbine/generator or large project work.

OE organization

Exelon has a relatively small centralized OE organization at both the

corporate office and at each NPP. There are five individuals working in the
corporate office. Their primary duties include governance and oversight of the
corrective action programme (CAP) and OE programmes for all of Exelon. Three
individuals at each station provide local governance and oversight at the station
level. Line organizations at the stations and within the corporate office perform

45
daily CAP functions, including screening, trend analysis and evaluation of
condition reports.

Management expectations

Within Exelon Nuclear, there are clear management expectations that all
deficiencies and equipment failures will be documented within the CAP. This
expectation specifically includes not only consequential deficiencies but also
NMs and LLEs. These low level issues feed into a robust trend analysis process
that is recognized by senior leadership as important to the success of Exelon. In
order to reinforce the reporting of LLEs, assessments and audits, as well as
metrics, measure the amount of reporting to ensure proper engagement in the
programme. The nuclear oversight organization performs a comprehensive CAP
audit every two years across the nuclear fleet to ensure that the CAP is being
utilized from a regulatory compliance perspective as well as adding maximum
value to the company. In addition, the NRC regularly performs a problem
identification and resolution audit of each station’s CAP to ensure that regulatory
compliance has been met.

Overview of the programme

Exelon’s CAP includes both equipment failure screening and processing as

well as organizational issues. Issue reports (IRs) capture the initial deficiency. No
immediate supervisor review of each IR is required unless the originator of the
issue requests a supervisor review. Once initiated, the originator of the issue has
the option to process IRs through the normal screening process or to expedite
screening through the Operations Department for high priority issues. However,
all IRs are screened by an Operations individual during a committee review of
IRs within one business day to ensure that all operability issues are identified.
Once initiated, the IRs (which include both equipment and organizational
issues) are reviewed by a committee of individuals called the Station Ownership
Committee (SOC). If the SOC cannot determine the severity of an issue or the
actions to be taken, then a supervisor review of the IR in question will be
required. The SOC screens IRs each business day; the following individuals must
be present: a licensed senior reactor operator and individuals from regulatory
affairs, maintenance, engineering, work control, work package planning, the
rapid maintenance team, radiation protection and chemistry. Work requests for
equipment failures are generated from this meeting and are given an initial rating
according to severity and priority. Organizational issues are also given a severity
rating, and corrective actions are proposed based on the originator’s information
and recommendations. It is important to note that the members of the SOC are

46
experienced within their discipline to ensure that adequate representation is
achieved during screening. Guidance for assignment of issue severity and priority
is undertaken in accordance with procedural examples for consistency.
Once all information has been gathered and proposed actions have been
assigned to an IR, the IRs are reviewed by the Management Review Committee
(MRC). This committee consists of senior managers, who review all of the IRs
that have been generated, including severity and actions or evaluations assigned.
The ultimate responsibility for CAP implementation resides with this committee
and not with programme administrators. This is how line ownership of a CAP is
achieved.
In 2010, Exelon generated 95 849 IRs within the entire company, with 3053
of these generated at the corporate office and the rest at the ten nuclear stations.
Significance is measured by number at Exelon, with the lowest number being the
most significant. Level 5 issues are typically enhancements. The following
numbers are the breakdown of IRs generated in 2010 by significance level:
Level 1 — 5; Level 2 — 74; Level 3 — 1993; Level 4 — 86 744; Level 5 — 7033.
Typically, LLEs fall into the Level 4 and NMs into the Level 3 categories of
significance.

Key focus areas

Past

Low level trend analysis of issues and evaluation of these trends has proved
to be one of the most successful vehicles at Exelon for driving performance
improvement. As there is a very low reporting threshold, there are many
opportunities to expose low level trends. However, CAP metrics are utilized to
ensure that the right level of engagement is also monitored so that low level
trends are not missed due to lack of data.

Present

The most recent focus area within the company is equipment reliability.
Exelon utilizes an enhanced version of the INPO AP-913 model for equipment
reliability causal determination. This model, in conjunction with the careful
identification of operational critical systems and components, provides the right
focus on equipment reliability trend analysis to ensure that the majority of effort
is expended on issues that can impact nuclear safety and generation.

47
Future

Equipment reliability will continue to be the focus for the foreseeable

future, although many of the causes of equipment reliability issues are rooted in
organizational and programmatic issues, such that when the extent of the cause is
determined, the extent of the condition reaches other areas within various
organizations, such as human performance programmes.

Successes

Annex IX provides examples where trend analysis of LLEs and NMs has
had a positive impact within Exelon.

Challenges

The biggest challenge to the success of the CAP at Exelon is continued

engagement of the work force in using the programme to document deficiencies
and events. Although a significant number of IRs are generated at Exelon,
diversification of individuals generating the issues offers many opportunities for
further improvements in low level trend analysis of events, as trends cannot be
developed unless IRs are being generated to document those issues.

Good practices to share

The common generation of equipment reliability issues along with the

storage of the condition reports in one computer software program ensures
maximum opportunities for equipment failure trend analysis. This provides
valuable input into low level trend analysis and evaluation of critical component
failures. This is one of the biggest competitive advantages that Exelon has
realized from the CAP, as this process is comprehensive from the documentation
of an actual equipment failure through to the evaluation and resolution of the
issues behind such a failure.

II–4. NUCLEAR POWER CORPORATION OF INDIA LIMITED

The Nuclear Power Corporation of India Limited (NPCIL) operates around

20 nuclear power plants all over India, most of which are PHWRs:

— TAPS 1 and 2 (BWR), 2 × 160 MW(e);

— RAPS 1 (PHWR), 1 × 100 MW(e);

48
 — RAPS 2 (PHWR), 1 × 200 MW(e);
— RAPS 3 and 4 (PHWR), 2 × 220 MW(e);
— RAPS 5 and 6 (PHWR), 2 × 220 MW(e);
— MAPS 1 and 2 (PHWR), 2 × 220 MW(e);
— NAPS 1 and 2 (PHWR), 2 × 220 MW(e);
— KAPS 1 and 2 (PHWR), 2 × 220 MW(e);
— Kaiga 1 and 2 (PHWR), 2 × 220 MW(e);
— Kaiga 3 and 4 (PHWR), 2 × 220 MW(e);
— TAPS 3 and 4 (PHWR), 2 × 540 MW(e).

Management expectations

OE is a valuable source of information for learning and for improving the

safety and reliability of NPPs. One of the objectives of operating experience
feedback is to ensure that no safety related events remain undetected and that
corrective actions are taken to prevent the recurrence of events by improving
design, modifying procedures and improving station practices. Since events are
indicators of weakness or failure of the defence in depth barrier, proper reporting
and investigation of events is an important element of operating experience
feedback. For several years, OE has relied on events and significant events
analysis to obtain critical information to feed into the organizational learning
loop. However, the operating performance of NPCIL’s plants has improved
considerably over the past few years, and thus the number of reportable events in
NPPs has also come down. With a reduced number of events, latent shortcomings
in work practices or plant conditions may remain undetected. Since less
significant problems are not reported, their root causes may remain unaddressed.
The cumulative effect of these less significant events could be a slow decline in
the safety performance of NPPs. Experience has shown that a relationship exists
between non-consequential events and significant events. Most of the time, both
share common causes that may lead to serious events. An organization has a large
potential to learn through them.
Thus, there is a need to initiate reporting and analysis of LLEs. Such events
have the potential to be instructive if they are reported and investigated in a
timely and systematic manner. This is particularly important, as these events
usually present a great variety and volume of information for learning. The idea is
to detect and correct minor weaknesses early on so that they cannot develop into
more serious conditions. Individually these events may appear to be unimportant,
but when aggregated with other LLEs, they can reveal features of common
patterns, trends and recurrent information which may be significant for further
enhancing plant safety. An effective LLE reporting system can provide plant staff
and management with information that can be used for self-assessment input.

49
Overview of the programme

LLEs include all deficiency reports (DRs), except those related to

preventive maintenance or condition monitoring and those raised during biennial
shutdown. LLEs may cover deficiencies related to housekeeping, job
observations, audits, corporate reviews, station internal reviews and material
condition. NMs are also to be reported within a LLE reporting system.
To streamline the process of reporting LLEs, a standard format was prepared
and made available on the web based intranet for direct use by all individuals at
each plant. If a person identifies a LLE, he or she is encouraged to fill out the LLE
report provided on the web page. Each departmental LLE coordinator reviews the
LLE reports related to his or her department on a daily basis.
After rectification of a deficiency, an engineer fills out the information on
the LLE category and subcategory, depending on the nature of the defect and
corrective action, taken from the standard drop-down list. The departmental LLE
coordinator reviews the data for correctness.
A station level committee meets at least once a month to review all LLEs
reported during that month. The salient points of the review are presented at one
of the daily station meetings by a planning engineer on a monthly basis. The
responsibilities of departmental LLE coordinators include compilation of
information on LLEs in their department, as well as trend analysis, and analysis
and submission of results to the station LLE coordination committee.

Trend analysis

After the World Association of Nuclear Operators (WANO) technical

support mission on LLEs and NMs, NPCIL issued a revised policy publication on
reporting of LLEs and NMs and a decision was made to change from a paper
based reporting system to a web based reporting system. Since then, reporting has
increased from a few hundred to a few thousand entries per year per twin unit
station. LLEs and NMs reported for Rajasthan Atomic Power Stations (RAPS) 3
and 4 for 2009 are provided in Fig. II–3 under different categories.

Key focus areas

Past

A LLE programme was initiated in 2005. Initially, LLE reporting was being
done on paper in a prescribed format. The coverage area and LLE reporting were

50
FIG. II–3. Total number of LLEs reported at RAPS 3 and 4 during 2009 according to category.
The category codes are as follows: 1.0 — error reduction technique; 2.0 — radiation
protection; 3.0 — industrial/fire safety; 4.0 — work practices; 5.0 — repetitive jobs; 6.0 — low
level maintenance works; 7.0 — environmental conditions; 8.0 — equipment performance.

very low. After the WANO technical support mission in 2007, the organization’s
policy on the reporting of LLEs and NMs was revised.

Present

— Since January 2009, LLE reporting has been computerized. The coverage
area has increased significantly.
— Initially, the data received were absurd, as the defined codes were
inadequate and thus led to improper codification by users.
— Training and refresher training courses were provided to users on the proper
categorization of LLE codes.
— More codes were defined to cater to requirements.
— A periodic review of the programme is being undertaken.

Future

To create awareness, the station training centre has been asked to

periodically conduct seminars/training courses on LLEs. The LLE and NM
process has been made a part of training courses by including a chapter or
30 minute session on LLEs within the following existing training programmes:

— Initial training;
— Refresher training;
— Training on industrial safety and emergency preparedness.

51
Examples of success

After effective implementation of a LLE and NM management process, a

number of emerging trends were identified to initiate corrective actions. For
example, one of the emerging trends identified in 2009 was loose
connections/contacts. It was categorized under category 6.0 ‘low level
maintenance works’, subcategory 6.7 ‘deficiencies in JBs/panels and indicator
lamp not glowing, etc.’ Corrective actions were initiated and the trend started
declining in the first quarter of 2010, as indicated in Figs II–4 and II–5.

FIG. II–4. Success stories: Trend for subcategory 6.7 (deficiencies in JBs/panels, indicator
lamp not glowing, etc.) in 2009 (RAPS 3 and 4).

FIG. II–5. Success stories: Reversal of trend for subcategory 6.7 (deficiencies in JBs/panels,
indicator lamp not glowing, etc.) starting in the first quarter of 2010 (RAPS 3 and 4).

52
Challenges

The events being collected in the LLE and NM process belong primarily to
the area of maintenance, including equipment performance. There is still a need
to capture events in the area of human performance in order to prevent events on
account of human errors.

II–5. MOCHOVCE NPP, SLOVAK REPUBLIC

Brief description of NPP/utility

— Mochovce NPP (water cooled, water moderated power reactor (WWER)),

2 × 440 MW(e);
— Start of operation: 1998.

OE organization

OE programme implementation is coordinated by the OE section, located

within the Safety Division. The OE section consists of four people — a leader,
two root cause investigators and a trend analyst. Approximately 70% of their
effort is spent on LLEs and NMs. Other departments provide human resources as
needed to support effective implementation of the OE programme. The
description below reflects the status prior to the implementation of benchmarking
results in 2009.

Management expectations

Plant managers at all levels are responsible for supporting the identification,
reporting and resolution of NM and LLE events, and for encouraging their staff to
openly communicate with regard to problems encountered in their workplace or
observed elsewhere. The purpose of dealing with operational events and their
precursors is not to identify a guilty person, but instead to find out what
happened, and how and why it happened, so that necessary corrective measures
can be identified to prevent event recurrence or to mitigate consequences.
The prime goal of Mochovce NPP in the feedback area is to minimize the
number of significant events and consequential events. A proactive approach in
this area on behalf of the organization is a precondition to reaching this goal. The
organization’s preventive attitude is based on the use of opportunities to learn
lessons by means of analyses and dealing with operational event precursors.

53
 A major goal of the collection and analysis of LLEs and NMs is to maintain
a certain level of risk awareness, especially when the occurrence of significant
events in an organization is low. Permanent motivation is critical for safety
culture and for the safe behaviour of personnel at all levels.

Overview of the programme

Identification and reporting

Mochovce NPP allows two reporting possibilities, ‘open’ and

‘confidential’. Use of the confidential channel is permitted only for NMs, and
such reporting is accepted only under special conditions (i.e. when there is no
violation and no malevolent action, and when reporting is done by the person who
was ‘at the heart’ of the NM, not by somebody else who observed another’s
unsafe behaviour).
Any employee who identifies a LLE or NM is obliged to report it to his or
her supervisor or, if immediate action is needed, directly to the shift supervisor.

Screening

Screening for immediate response is undertaken by the shift supervisor.

Screening for LLE or NM risk significance is done daily by the OE section and
discussed at the daily screening meeting. An assessment of LLE and NM risk
categories results from the screening. The following matrix is used for
determination of a risk category:

Risk considered to be:

High C1 B1 A

Intermediate D1 C2 B2

Low E D2 C3

Low Intermediate High

Recurrence probability

54
Investigation

Analyses of LLEs and NMs in risk categories A, B1/B2 and C1 are

performed by the OE section (approximately 15–20% of all reported LLEs and
NMs). Such analysis is performed to the level of root causes (using the HPES,
fault tree or TapRoot methodology).
The corrective actions and review board chair has the authority to decide on
the investigation of complex LLE and NM events by a multidisciplinary working
group.
Precursors in risk categories C2/C3, D1/D2 and E fall within the
competence of a particular department which is responsible for event
investigation based on the nature of the event. An appointed staff member of this
department performs event analysis to the level of apparent causes and suggests
corrective measures.
All investigations are done by personnel trained in RCA techniques.

Corrective actions

The CARB approves analysis results and decides on corrective actions

related to events dealt with at this management level, including significant events,
selected LLEs and NMs (risk categories A, B1/B2 and C1).
For LLEs and NMs in risk categories C2/C3, D1/D2 and E, corrective
actions are approved by the relevant department head. He or she also ensures
implementation of the measures. The board only takes into account analysis
results and measures taken at a particular department level.
Corrective actions related to all events are tracked by the OE section, with a
special focus on corrective actions taken to eliminate root causes (risk categories
A, B1/B2 and C1). The status of such corrective actions is regularly reviewed by
the CARB.

Trend analysis

Trend analysis of event codes (including LLEs and NMs) is done by the
OE section. Results of trend analyses are presented in quarterly and annual
reports, which are discussed and approved by the plant director.
Human related codes appointed to LLEs and NMs undergo trend analysis,
and the results are used as one of the main inputs into a human performance
improvement programme at the plant.
If a group of similar LLEs and NMs with human performance issues is
identified, a just-in-time report is developed. Such a report (a summary of lessons

55
learned from LLEs and NMs, or industry OE) is then used in pre-job briefings to
increase personnel awareness of the potential risks connected with a task.
At Mochovce NPP, LLEs and NMs do not cover all problems reported by
personnel. There is another low tier programme managed by the quality
assurance (QA) department. Only minor quality non-conformances (without any
actual risk) and suggestions for improvements can be reported in this programme
(statistically, thousands per year).
Mochovce NPP uses the WANO coding system.

Key focus areas

Past

The reporting of NMs at Mochovce NPP was initiated in 2000, and a

dedicated NM reporting system was established. The number of NM reports
submitted within the system gradually increased, starting from several in 2000 to
more than one hundred in 2003.
In addition to this system, there was also another system for the reporting of
LLEs and significant (consequential) events. A different system implemented by
the QA department was used to report suggestions for improvements, minor
housekeeping issues and minor (without risk) quality non-conformances.
However, the number of reported NM events related to human performance
problems was considered to be relatively small (in relation to the number of
consequential events due to human performance deficiencies). For this reason, in
2004 the plant initiated an improvement project for a LLE and NM programme
with the support of an external consultant company.

Present

In 2004–2005, a special project supported by the DTI (United Kingdom)

and an external consultant was undertaken, leading to the following
improvements:

— A clear definition of NM was created.

— Improvements were made in the reporting form (clarifying expectations,
what the ‘as found’ condition was, the risk generated by the gap,
suggestions for improvement).
— Screening criteria were established for LLEs and NMs and a risk matrix
was introduced.
— Investigation processes were improved through higher participation of
other departments and broad training in RCA techniques.

56
 — More stress was placed on positive reinforcement, improvement of
recognition and reward strategies.
— The training of personnel in OE processes has improved, with a special
focus on benefits generated by the LLE and NM system.

In 2006, an OSART mission recommended the improvement of LLE and

NM reporting within the maintenance division.

Future

The implementation of recent benchmarking results will lead to an overall

change in the organization of the CAP. As a result, functions currently covered by
the OE section will be divided among two new sections:

— Continuous improvement section (seven positions): responsible for

coordinating implementation of the CAP (feedback from internal events
and their precursors within the plant);
— OE section (five positions): responsible for coordinating dissemination of
lessons learned from both internal and external events.

In connection with this change, one electronic plant database will be

established (all problems will be reported to this database).

Successes

— A NM was reported by a maintenance worker through a confidential

channel. The NM was connected to a handling activity during adverse
weather conditions (high wind speeds). A small crane was being used
during the cleaning of an intake cooling water screen panel section. Due to
the wind, the crane became dislodged from its rails, and the maintenance
technician realized that there was a potential for equipment damage or
personal injury. Lessons learned from the NM were used to modify the
crane (improved resistance for operation in bad weather conditions), revise
maintenance procedures to prohibit work in certain weather conditions, and
improve training of maintenance staff.
— After completing maintenance on a pump, a field operator was ordered to
energize the pump motor. By mistake, he energized an adjacent pump
motor. The situation created the potential for injury of personnel. The field
operator’s supervisor reported the incident when he realized the operator’s
error. Lessons learned from the NM were used to improve shift
communication practices.

57
Challenges

Despite many efforts to promote reporting of LLEs and NMs, problems

continue. Consequently, some opportunities to avoid events with consequences
have been missed. For example, a trap (a hole covered by a tin plate) existed on a
maintenance shop roof, which created a risk of falling through the hole for people
working on the roof. This trap was not reported, despite the fact that it had been
identified. Eventually, an inspection technician, who was unaware of the trap,
stepped on the tin plate and fell through the hole onto the shop floor below. As a
consequence, he suffered serious injury.

Challenges for the future

— Maintaining and further improving the reporting culture and personnel

morale in a changing organization;
— Implementing SAP nuclear: reorganization of the CAP and other relevant
processes.

Good practices to share

All personnel receive a systematic ‘education’, including shift personnel (at

least once a year) and daily personnel (once every three years).
Training courses consist of:

— Management policy (reporting expectations, ‘just’ culture);

— How to recognize LLEs and NMs;
— The process, from identification to resolution;
— Benefits of NM reporting;
— Good and bad examples (in-house as well as industrial): success stories,
missed opportunities;
— Feedback from attendees: what to improve in the process.

Frequent critical benchmarking of the LLE and NM programme is required,

including surveys with broad personnel participation to identify potential
obstacles in programme effectiveness.

58
 Annex III

TYPICAL EXAMPLES OF UNREPORTED ISSUES

Failed barriers and failed

Area Brief description Consequences
good work practices

Management Daily screening meeting Lack of knowledgeable Potential to miss

failed to appropriately personnel present at the safety system
recognize the safety daily screening meeting, operability issue.
significance of a feed- failure of stand-in staff to
water isolation valve adequately prepare for the
problem. meeting.

Operations During a routine Operators failed to follow Potential for loss of

changeover of a reactor procedure step cooling water with
auxiliary cooling water by step, inadequate subsequent
pump, operators self- and peer checking. equipment damage.
inadvertently started to
close the wrong pump
discharge valve.

Maintenance Surface anomalies on Equipment receipt Rework time, down

new reactor feed pump inspection, manufacturing power extension.
seals on a BWR were process quality control.
identified just prior to
installation.

Programmes Steps found to be Procedure validation Work stopped to

and missing in work control process inadequate. review and correct
procedures procedure for isolating a procedure, resulting
building steam heater. in lost work time.

Equipment Routine plant inspection Unanticipated equipment Potential for workers

failure tour revealed an failure affecting many to exit the controlled
unidentified failed people. area zone without
interzone boundary appropriate
personal radiation/ monitoring, potential
contamination hand, spread of
foot and clothing contamination
monitor. beyond zone
boundaries, lost work
time for workers
having to look for
operable monitors.

59
 Failed barriers and failed
Area Brief description Consequences
good work practices

Human Portable gamma alarm Situational awareness and Lost time on job to
performance monitors inadvertently questioning attitude not correct the situation,
unplugged during work used, essential equipment potential for
in a radiation area. plug not adequately unplanned radiation
tagged. dose uptake,
worker protection
inappropriately
defeated.

Industrial Workers were observed Supervisor oversight, Workers unduly

safety not properly attaching worker knowledge, peer exposed to fall
fall protection while coaching, pre-job briefing, hazard. Downtime
working from scaffolds. procedure review. for working while
corrective actions are
implemented.

Radiation Workers seen to exit Supervisor oversight, Potential spread of

protection radiation protection area worker knowledge, peer radioactive
without completing coaching, pre-job briefing, contamination
appropriate dressing and procedure review. outside controlled
decontamination areas.
procedures.

Programmes and A system engineer Configuration It was fortunate that

procedures specified work on a management problems, the shift supervisor
safety support system many undocumented caught the error in
but was unaware of an physical changes and long the requested work,
undocumented physical existing temporary otherwise the safety
change to the system. changes. support system
A shift supervisor would have been
caught the error before significantly
work commenced. impaired.

60
 Failed barriers and failed
Area Brief description Consequences
good work practices

Industrial While working from a Worker safety. It was fortunate that

safety scaffold, a contract nobody was in the
maintenance worker fall line of the
dropped a wrench from a wrench, as that
height of 4.5 m. person could have
received serious
injury.

Chemistry A chemistry technician Self-checking. Potential change in

selected the incorrect system parameters
chemical to add to a resulting in entry of
primary coolant system, an action level if the
but a supervisor chemical had been
identified the issue added.
before the chemical was
added.

61
 Annex IV

LADDER OF ACCOUNTABILITY1

The ladder of accountability describes eight levels of accountability

(Fig. IV–1). The top four describe a stance focused on movement toward the
future. The bottom four describe a stance generally focused on the past or on
avoiding discomfort in the present.
This tool provides an organization and individuals with an effective way to
look objectively at an issue that they are dealing with and to make some
deliberate choices about how they want to handle it. The further up the ladder an
organization or individual can move, the more choices will become available.
The greater the percentage of people who choose stances at the top portion of the
ladder, the greater the chance an organization has of collaborating and
successfully attaining its goals.

FIG. IV–1. The ladder of accountability.

1
The material in this annex is extracted from: RIDENOURE, R., Leadership for
Smarties, Southern California Edison, Rosemead, CA (2009).

62
 Annex V

WESTRUM’S CLASSIFICATION OF ORGANIZATIONAL TYPES

Westrum proposes that the handling of information and communication are

key features of organizations. He has identified three different organizational
types (or phases of organizational development); these are outlined in Table V–1.

TABLE V–1. WESTRUM’S CLASSIFICATION OF ORGANIZATIONAL

TYPES

PATHOLOGICAL BUREAUCRATIC GENERATIVE

Do not want to know May not find out Actively seek information

Messengers are shot Listened to if they arrive Messengers are trained

Responsibility is shirked Responsibility is compartmentalized Responsibility is shared

Bridging is discouraged Allowed but neglected Bridging is rewarded

Failure is punished or Organization is just and merciful Inquiry and redirection

covered up

New ideas are New ideas present problems New ideas are welcomed
actively crushed

BIBLIOGRAPHY
WESTRUM, R., A typology of organizational cultures, Qual. Saf. Health Care 13 (2004)
22–27.

63
 Annex VI

HUDSON’S ORGANIZATIONAL CULTURE MATURITY LADDER

Figure VI–1 shows phases of organizational development according to

Hudson’s organizational culture maturity ladder. This model is particularly
relevant to the prevailing culture necessary for successful implementation of an
effective OE programme. In the context of this publication, the managerial
challenge is to lead the development of an organization along these progressive
steps and/or to maintain the ‘generative’ phase.

FIG. VI–1. Hudson’s organizational culture maturity ladder.

BIBLIOGRAPHY
HUDSON, P., “Safety management and safety culture: the long, hard and winding road”, Proc.
1st Natl Conf. Occupational Health and Safety Management Systems (OHSMS), Sydney,
Australia, 2000, OHSMS, Sydney, Australia (2001) 3–31.

64
 Annex VII

CULPABILITY ASSESSMENT

Figure VII–1 presents a decision tree for determining the culpability of

unsafe acts.

Knowingly YES History

NO NO Pass
Were the NO Unauthorized violated safe of unsafe
actions as substitution
substance? operating acts
intended? test?
procedures?

YES NO
YES
NO
Medical Deficiency in
YES condition? Were procedures training &
selection or YES NO
available, workable,
intelligible and experience?
correct?

Were the
YES
consequences NO
as intended?
Blameless
Blameless
error but
NO error
YES corrective
Systems training or
YES induced counselling
NO indicated
Possible
negligent
System error
induced
YES Possible violation
reckless
violation
Substance
abuse
with
Sabotage, Substance
mitigation g
malevolent abuse with hin
inis y
Dim abilit
damage, mitigation
suicide, etc. p
Cul

FIG. VII–1. A culpability decision tree.

BIBLIOGRAPHY
REASON, J., Managing the Risks of Organizational Accidents, Ashgate, Aldershot (1997).

65
 Annex VIII

THE DANISH SYSTEM FOR REPORTING OF AVIATION INCIDENTS1

VIII–1. BRIEF DESCRIPTION

In 2001, a new law was passed by the Danish Parliament mandating the
establishment of a compulsory, strictly non-punitive, and strictly confidential
system for the reporting of aviation incidents. A particular and perhaps unusual
feature of this reporting system is that not only are employees (typically air traffic
controllers and pilots) guaranteed strict immunity against penalties and disclosure
but also any breach against the non-disclosure guarantee is made a punishable
offence.
The re-engineered system in Denmark is a mandatory, non-punitive and
strictly confidential system. The reporting system is mandatory in the sense that
air traffic personnel are obliged to submit reports of events, and it is strictly non-
punitive in the sense that personnel are guaranteed indemnity against prosecution
or disciplinary actions for any event they have reported.
Furthermore, the reporting system is strictly confidential in the sense that
the reporter’s identity may not be revealed outside the agency dealing with
occurrence reports. Reporters of incidents are assured immunity from any penal
and disciplinary measure related to an incident if they submit a report within
72 hours of its occurrence and if it does not involve an accident or deliberate
sabotage or negligence due to substance abuse (e.g. alcohol). Moreover, punitive
measures are stipulated against any breach of the guaranteed confidentiality.
The important distinction between an anonymous and a confidential
reporting system lies in the fact that with an anonymous reporting system reports
are unidentifiable, while with confidential reports the reporter is known. An
anonymous report offers no possibility to derive further facts in the investigation
process. However, with a confidential system the reporter submits his or her name
and can thus be contacted during the investigation process for further clarification
and feedback purposes.

1
The material in this annex is extracted from: EUROPEAN ORGANIZATION FOR
THE SAFETY OF AIR NAVIGATION, EAM 2/GUI 6 — Establishment of ‘Just Culture’
Principles in ATM Safety Data Reporting and Assessment, EUROCONTROL, Brussels
(2006).

66
VIII–2. THE LEGISLATIVE PROCESS IN DENMARK

In 2000, growing concerns about flight safety in Danish airspace were

raised by the Danish Air Traffic Controllers Association. The concern was
associated with losses of separation (incidents of aircraft flying too close
together) which were not being reported due to a fear that the reporter would face
sanctions, particularly if he or she were partly or fully responsible for the
incident. The fear was real, since controllers had previously been prosecuted for
such actions. Furthermore, the Danish press had in the same period been dealing
aggressively with apparent breaches of flight safety within certain airlines. These
two factors — punishment of air traffic controllers with fines or licence
suspension and a focus by the press on aviation safety issues — had the effect of
reducing the reporting of incidents.
The whole aviation system in Denmark suffered from this, with no lessons
being learned or disseminated from these events. It ought to be added, however,
that prior to 2000, the ‘culture of reporting’ in Denmark was comparable to most
north-western European countries — some occurrences were reported, but there
was an acknowledgement of ‘underreporting’. In contrast, Denmark’s neighbour,
Sweden — which has approximately the same amount of civilian air traffic —
reported a considerably larger number of flight safety occurrences than Denmark.
In 2000, in order to push for a change, the chairperson of the Danish Air
Traffic Controllers Association decided to be entirely open about the then current
obstacles to reporting. During an interview on national television, she described
frankly how the system in place at that time was discouraging controllers from
reporting. The journalist interviewing the chairperson had picked up on
observations made by safety researchers that, as described above, Denmark had a
much smaller number of occurrence reports than Sweden. Responding to the
interviewer’s query as to why this was so, the chairperson proclaimed that losses
of separation between aircraft went unreported simply due to the fact that
controllers — for good reasons — feared retribution and disclosure. Moreover,
she pointed out, flight safety was suffering as a consequence. These statements,
broadcast on a prime time news programme, had the immediate effect of
encouraging the Transportation Subcommittee of the Danish Parliament to ask
representatives from the Danish Air Traffic Controllers Association to explain
their case to the Committee. Following this work, the Committee spent several of
their 2000–2001 sessions exploring various pieces of international legislation on
the reporting and investigation of aviation incidents and accidents. As a result, in
2001, the Danish Government proposed a law that would make non-punitive,
strictly confidential reporting possible.
The law grants freedom from prosecution, even if the reporter commits an
erroneous act or omission that would normally be punishable. Furthermore, the

67
reports from this scheme would be granted exemption from the provisions of the
Freedom of Information Act. Investigators would, by law, be obliged to keep
information from the reports undisclosed. However, the law would grant no
immunity if gross negligence or substance abuse was present in the reported
situations, and it would also be punishable by a fine not to report an incident in
aviation.
In most democratic countries, the Freedom of Information Act is almost a
sacred institution. This is also the case in Denmark. It was acknowledged by
politicians and aviation specialists that the public had a right to know the facts
about the level of safety in Danish aviation. In order to accommodate this, it was
written in the law that the regulatory authority of Danish aviation, based on
incoming reports, is required to publish overview statistics twice a year, based on
de-identified data from these reports.
This law was passed unanimously by the Danish Parliament in May 2001.
Compared with other legal norms in Denmark, and probably in most countries,
this law is unique in the sense that it is the only law in Denmark that guarantees
immunity from prosecution when an otherwise punishable offence has been
committed. During the legislative process, public interest in the matter was
surprisingly low, and apart from a few editorials in national newspapers, the
matter was not commented on. After the regulatory authority, based on incoming
flight safety reports, made its first statement, public interest increased. However,
the media were mainly interested not in the system itself, but in the apparently
unsafe nature of Danish aviation.

VIII–3. THE IMPLEMENTATION PROCESS

After the law was passed, the Danish aviation regulatory authority body,
Statens Luftfartsvæsen, implementated the regulatory framework. The regulatory
authority subsequently issued instructions to the following groups, stating that for
these five categories of licence holders it would be mandatory to follow the
reporting system:

— Pilots holding an air transportation pilot’s licence;

— Air traffic controllers;
— Certified aircraft mechanics;
— Certified airports;
— Pilots holding a general aviation pilot’s licence.

Since both pilots and air traffic controllers now have to report various
situations according to the reporting system, it is obvious that these two

68
categories will sometimes be reporting situations basically created by the other.
This will not incriminate either, as long as each professional abides by the
obligation of reporting. This means that, for example, a situation created by air
traffic control and reported by a pilot will not incriminate the controller as long as
the controller reports the same situation.
In order to make it clear which situations these personnel were obliged to
report, the regulatory authority passed guidance material to each of the five
categories. Since the situations that could pose a threat to aviation are different
for each category, each has its own set of descriptions of mandatory reportable
situations. In the following sections, only the material and the process concerning
air traffic control will be dealt with.

VIII–4. REPORTING AND ASSESSMENT OF SAFETY OCCURRENCES IN

AIR TRAFFIC MANAGEMENT

For air traffic control, the regulatory authority issued reporting categories
that were derived from EUROCONTROL requirement ESARR 2.
Within Naviair (the Danish air traffic control service provider employing all
air traffic controllers in Denmark), a high level decision was made to actively
support the implementation process of this new reporting system. This decision
was not made solely because it was mandatory, but also because management
foresaw a benefit to the company’s main product, flight safety. As a consequence,
every air traffic controller received a letter from management explaining the new
system and stating Naviair’s commitment to enhancing flight safety through the
reporting and analysis of safety related events. The incident investigators
responsible for implementation of the new system were given the task of
communicating the change, and were also given a full mandate and support by
management.
An extensive briefing campaign was carried out in order to inform all air
traffic controllers about the new system. In the briefing process, controllers
expressed many concerns, particularly pertaining to confidentiality and the
non-punitive aspect of the system. These concerns were due to the existing
culture and were all anticipated. Typical questions asked during the
implementation process included:

— Can we trust this new system?

— What will it be used for?
— Why do we have more non-productive paperwork?
— We just handle the situations, so why report them?

69
 They were dealt with by explaining the intentions of the law governing the
reporting system: the law would not grant media or others access to the reports,
and it would secure freedom from prosecution. Furthermore, it was emphasized
that no major enhancement of flight safety would be possible if no information
about existing hazards was gathered and disseminated, and that the reporting
system might ultimately be able to explain and hopefully eliminate the flaws that
everybody recognized in everyday operations. Naviair basically asked the air
traffic controllers to trust them, and to take ownership of flight safety. In return,
Naviair would try to deal effectively with flight safety.

VIII–5. RESULTS

The reporting system started to operate on 15 August 2001. During the first
24 hours after its introduction, Naviair received 20 reports from air traffic
controllers. In the first year after the reporting system was put into place, Naviair
received 980 reports, compared with 15 the previous year.
Still, the numbers from the new and the old 12 month period cannot be
compared directly.
With the new reporting system, air traffic controllers became obliged to
report instances that were not compulsory to report beforehand. So the best
comparison would be to compare the numbers of reported losses of separation
between aircraft (which were the only mandatory reportable occurrences before
implementation of the new system). This comparison is fair and informative, and
it serves to show the quite dramatic change in reporting culture, not least because
air traffic controllers were punished for the same situations beforehand.
Losses of separation averaged approximately 15 a year before
implementation, whereas two years after implementation 40–50 losses of
separation were reported per year.
It is important to mention that any company management that puts a system
like this in place has to prepare for new and maybe unpopular information. It may
come as a surprise for the management of any company when more breaches of
safety are being reported. It is very important that this new knowledge not be seen
as a sign that safety is sliding. Rather, it is better interpreted as an uncovering of
things that have existed and gone unreported for years. The paradox remains,
however, that the safest companies will initially be viewed as unsafe companies
due to their willingness to elicit a greater number of reports. In the interim, it
takes courage to be safe.

70
VIII–6. INVESTIGATION

The investigation process is one of the most important parts of a safety

culture. It is of the utmost importance that a company that puts a confidential,
non-punitive reporting system in place be professionally prepared to handle the
challenge, and a formal process has to be set up to handle the resulting reports.
The reports received by Naviair (which are to be submitted within a
maximum of 72 hours after an incident) vary in content from small deviations or
technical malfunctions to serious losses of separation. Naturally, not all situations
will receive the same amount of attention and interest from investigators.
In order to gain maximum flight safety benefit, Naviair has set up priorities
for report handling. In general, all reports are evaluated. This evaluation attempts
to establish whether immediate action is required. These situations would
typically be cases of losses of separation between aircraft, or serious procedural
or technical issues.
All losses of separation between aircraft are investigated thoroughly. These
incidents are categorized and include the following:

— Separation minima infringement;

— Runway incursion where avoidance action was necessary;
— Inadequate separation between aircraft.

Each investigation includes gathering of all factual data such as voice

recordings, radar recordings, flight progress strips, etc. After factual data have
been collected and analysed, an investigator carries out interviews face to face
with the involved controller(s) and other personnel relevant to the situation. The
interviews need to be carried out with a human factor focus based on the HEIDI
taxonomy developed by EUROCONTROL.
When data gathering and interviews are complete, the investigator produces
a written report of the incident, which is to be completed within a maximum of
ten weeks. The ultimate purpose of the report is to recommend changes to prevent
similar incidents.
In Naviair, incident investigators receive training in both investigation
techniques and human factors, and they are required to maintain their operational
status, which has proven useful for maintaining credibility among controllers.
Furthermore, it is recognized that it is not possible to produce a meaningful
incident report without current knowledge of air traffic control operations.
The final report on incidents follows the same format in every investigation.
The report describes the factual circumstances and contains an investigator’s
assessment of the following elements:

71
 — Aircraft proximity and avoidance manoeuvres;
— Safety nets: their impact on and relevance to the incident;
— System aspects;
— Human factors;
— Procedures;
— Conclusion;
— Recommendations.

In order to evaluate the effects of the reporting system, it helps to look into
the content of these incoming reports and note the effect that the investigation of
these reports has had.

VIII–7. FLIGHT SAFETY PARTNERSHIP

Another flight safety enhancing element that has developed since the new
reporting system was implemented is the sharing of flight safety knowledge. As a
result of investigations of incoming reports, Naviair quickly realized that air
traffic control cannot handle flight safety alone. Many potentially hazardous
situations between aircraft arise as a consequence of the interface between air
traffic controllers and pilots (misuse of phraseology, different understandings of
procedures, different expectations, etc.). If there is to be any hope of making a
new breakthrough in flight safety, it will be important to look at flight safety as a
shared process.
In order to deal more effectively with flight safety, Naviair decided to
establish a Flight Safety Forum. Naviair subsequently invited flight safety
officers from all major Danish airlines to participate in discussion and knowledge
sharing of flight safety relevant information. Everybody involved accepted this
invitation; as a result, the Forum meets twice a year and addresses operational
flight safety in Danish airspace. Furthermore, it has been decided to share this
information for use in incident investigation.

VIII–8. SAFETY IMPROVEMENT

It is worth repeating that the overall goal of establishing a flight safety

reporting system is to improve flight safety. In turn, the value of such a system
has to be viewed with regard to its effect on flight safety. This can sometimes be
a difficult task to perform, as a prevented accident will never appear in any
statistics.

72
 When the changes made to the Danish system (machine/procedure/human)
since the reporting system was implemented are examined, it is obvious that
improvements have been made. Before implementation of the reporting system,
many flight safety relevant observations were reported, but to different
departments in Naviair, thus eliminating the advantage of focused information
gathering and dissemination.

VIII–9. CONCLUSION

Today, Naviair feels confident that the system put in place is solidly
founded within the Danish air traffic control system. This assessment is based on
what can be heard when listening to discussions among controllers and support
staff, which take place on and off the record, as well as on the amount and content
of the reports received.
Of course, the system has experienced difficulties. Sometimes air traffic
controllers do feel blamed when they learn of an investigation conclusion.
Equally, in the minds of the individuals involved, a non-punitive confidential
culture may appear to be a general amnesty for every mistake made; but that is
not the case. Most of the investigated incidents have human mistakes as their root
cause. That fact can be hard to be face up to, and in such situations it is important
to confront the responsible individual in a way that inspires proactiveness, for
both the organization and the individual, so that both will learn.
What made all this possible? First of all it is important that a legal
framework is in place to run a reporting system. Even the most well meaning
management will have problems instilling trust if legal action can still be taken
against employees.
Second, the management of any company in a safety critical business —
whether in aviation, medical care, power generation or the nuclear industry —
has to be committed. Safety starts at the top.
In order to give the air traffic controllers themselves the ownership of flight
safety, it is very important that the people who are communicating safety have a
professional background. Many feelings arise, and discussions follow, when
endeavouring to communicate flight safety. These discussions and questions have
to be answered by people who have ‘felt’ the business themselves. Management
has to show support and be visible in safety campaigns, but professional
discussions have to take place among professionals.
The ultimate test of any non-punitive, confidential reporting system (the
legal framework, the confidentiality, the psychology) will come if a country
running such a system experiences an aviation disaster with loss of life. When
this happens, everything takes a new and unknown course. To prepare for this, it

73
is important to focus on the fact that without aviation safety reporting systems,
the likelihood of disasters is much greater.

74
 Annex IX

EXAMPLES OF TREND ANALYSIS SUCCESS AT EXELON NUCLEAR

In 2006, Exelon Nuclear performed a common cause analysis as the result

of an adverse trend in equipment reliability. One of the common causes identified
was equipment failures caused by latent manufacturing defects. As a result, a new
quality based programme was initiated called the Parts Quality Initiative (PQI).
The essence of this programme is to review both internal and external OE for
manufacturing related issues and to analyse these issues for trends. Once a trend
is identified, a condition report is generated, the trend is evaluated and actions are
taken to prevent this manufacturing defect from affecting other plants, systems or
components.
Corrective actions from these evaluated trends will influence which items
will be procured in the future, and verify that items with identified defects are not
contained within the existing inventory. Exhibited latent manufacturing defects
will be related back to the suppliers of deficient parts, with the issue being used in
the assessment of a supplier’s past performance when negotiating a new contract
with that supplier.
Each month, condition reports of all equipment failures of critical
components and parts are reviewed for emerging trends. These condition reports
usually contain failures that have occurred during maintenance or pre-receipt
testing as well as other NMs and significant events that have occurred during the
previous month.
As a result of this programme, there has been an improvement in plant
reliability, which has manifested itself through a decrease in equipment failures
caused by latent manufacturing defects. In the past three years, there have been
almost no equipment failures caused by recent manufacturing defects that have
impacted plant production. The following are some examples of instances where
this programme has prevented more significant events that could have caused
generation losses:

— A trend was identified within Exelon condition reports regarding an anti-

rotation pin that the valve supplier inadvertently omitted from various
check valves used in the extraction steam system. As a result of the
identification of this trend, a review of this model of check valve was
performed in the inventory system, and these valves were found staged in
the outage parts about to be installed at both Byron and Oyster Creek
stations in the upcoming autumn outages. Previously, at a different station,
a failure of these check valves due to the missing anti-rotation pin had
resulted in the valve disc separating from the stem and the disc becoming

75
 lodged in the extraction steam line, resulting in a two day outage. Trend
analysis of these failures and subsequent removal of these valves from the
inventory prevented a future two day unplanned outage, saving the
company more than US $2 million in lost generation and indirect costs, as
well as improving nuclear safety by preventing an unplanned reactor trip.
— A trend was identified at the Braidwood Station regarding several failures
of feedwater heater air supply valves. Further evaluation of this trend
revealed that foreign material (brass chips) had been left inside the valves
by the manufacturer. It was further ascertained that the brass chips had
migrated and affected the valve seating function and could migrate further
into the positioner and impact feedwater valve operations, potentially
affecting generation owing to a loss of feedwater heaters. An inventory
check indicated that three other stations also had these valves; a further
check revealed that the valves also contained the foreign material, which
could have affected those plants as well. The valves were removed from the
inventory, and new valves were procured which were verified not to contain
the foreign material. Previous positioner failure issues had resulted in
3000 MW·h (US $150 000) of lost generation due to a derating during the
failures.
— During the trend identification and analysis of proximity switch failures
within the Exelon system, it was determined that switch failures had
occurred because the manufacturer had wired the switches backwards. As a
result, corrective actions, including reviewing inventory for this type of
proximity switch, were undertaken in the Exelon inventory system. One of
these switches was found as it was about to be installed at a station in a high
radiation area. A new switch was procured and the defective switch was
replaced. Failure of the defective proximity switch would have delayed
operation of the switch, and would have resulted in a production risk
evolution in the summer. Replacing the defective switch would have
resulted in an unnecessary additional radiation dose received by workers
due to the high radiation area it was located in.

The parts quality low level trend analysis process has been recognized as a
good practice by the nuclear industry, INPO and the Electric Power Research
Institute.

76
 Annex X

THE CORRELATION BETWEEN ACCIDENT RATES AND COSTS1

This review of the US nuclear power industry began with the following
rhetorical question: “What is the actual cost to an employer of an accident?” The
intention was to immediately start the reader thinking about the benefit to cost
trade-off in the implementation of accident reduction activities. The primary
hypothesis of the review was that there is a set of accident investigation practices
that yield top quartile organizational safety performance. The secondary
hypothesis was that organizational influences have a greater impact on accident
rates than investigation practices. These activities are within the span of control
of company owners and managers and thus represent opportunities for cost
savings. This review provides direct correlation to cost benefits associated with
the collection and analysis of LLE and NM data.
A descriptive survey was developed to collect information about safety
performance (in the form of OSHA Form 300A data) and accident investigation
practices. Accident investigation practice questions were developed based on the
related literature and the author’s firsthand experience from over 15 years of
accident and organization investigation. The target population for this review was
manufacturers in northeast Pennsylvania. To be more exact, the review involved
manufacturers with more than 20 employees in 16 counties in northeast
Pennsylvania. The descriptive survey was mailed to 972 manufacturing
companies identified in the 16 county target region in March 2006. As of 1 June
2006, 54 organizations (5.5%) had provided a response with complete survey
data. The responses were evaluated and determined to be representative of
manufacturers in Pennsylvania, as well as technology and other industries.
The direct cost to employers of injuries is staggering. In a 2004 report,
Liberty Mutual reported that serious work related injuries cost American
employers US $49.6 billion in 2002 (Liberty Mutual, 2004). The report only
included ‘serious workplace injuries’, which were defined as events through
which the worker missed six or more days. In the 2005 article titled ‘Reduce
Medical Claims: Workplace Ergonomics’, the author cites a much higher figure
that encompasses all injuries: “Six million workers suffer workplace injuries each
year at a cost to US business of more than US $125 billion”. Using the latter
statistic, the average direct cost per injury is nearly US $21 000. These numbers

1
This review of the US Nuclear Power Industry is by T.S. Tonkinson. The views
expressed do not necessarily reflect those of the International Atomic Energy Agency or its
Member States.

77
represent direct costs to employers, such as medical expenses and paid time off.
While this review focused on industrial accidents, a direct correlation has long
being established within the nuclear industry, via the event pyramid, to costs
associated with other types of LLE and NM.
The actual indirect costs to employers from accidents are not well defined or
monitored. In one study, it was estimated that “each $1 of direct costs generated
between US $3 and US $5 of indirect costs”. Assuming this relationship is accurate,
consider several of the direct cost figures discussed previously. The Liberty Mutual
figure of US $49.6 billion in direct costs in 2002 would involve between
US $150 billion and $250 billion in indirect costs. The total lost time value of
US $125 billion in direct costs would involve between US $375 billion and
US $625 billion in indirect costs. The ‘per injury’ value of US $21 000 in direct
costs would involve US $63 000 to US $105 000 in indirect costs.
The intention of the data gathering and analysis was to explore the
relationship between accident rates and accident investigation practices in order
to deduce a set of practices associated with statistically better safety performance.

X–1. FINDINGS

Table X–1 provides a summary of the safety performance data received in

the 54 completed surveys. Actual OSHA recordable injury and OSHA lost work
day rates were calculated. To analyse the significance of the responses to the
accident investigation practice questions, the responses were sorted into quartiles
based on the calculated OSHA recordable accident rate. Quartile breaks are
provided in Table X–1.

X–2. CONCLUSIONS

The results of the review confirm the primary hypothesis that there is a set
of investigation practices that is correlated with better safety performance. The
following practices are considered to be critical elements of an effective accident
investigation programme:

— It is necessary for an organization to have a defined, formal investigation

process: The expectations, prescribed methods and reporting methods are to
be described in writing and be made available in a readily retrievable form. In
addition to tactical ‘how to’ information, management expectations about the
importance of accident investigation, openness of personnel to responding
and the need to support such a programme ought to also be documented.

78
TABLE X–1. SUMMARY OF ACCIDENT DATA PROVIDED BY
RESPONDENTS

Average number of employees 206

Average number of hours worked in 2005 422 183

Average OSHA recordable injury rate 7.47

1st quartile range — OSHA recordable injury rate 0.00–1.46

4th quartile range — OSHA recordable injury rate 9.09–55.78

Average OSHA lost work day case rate 1.97

1st quartile range of OSHA lost work day case rate 0.00–0.00

4th quartile range of OSHA lost work day case rate 3.07–16.40

— It is necessary for organizations to investigate more than just OSHA

recordable accidents: The causes of NMs and minor consequence accidents
(which equates to NMs and LLEs) are the same as the causes of serious
accidents. The difference in consequences is a factor of coincidence of
circumstances. Companies can reduce their accident rates by identifying the
causes of lower level issues and eliminating them (resulting in improved
safety, plant performance and cost reduction).
— Accident investigators are to have formal training: This is necessary to
convey prescribed techniques, management expectations and interpersonal
skills. Accident investigation is as much an art as it is a skill; therefore,
investigators need practice (which is another reason for investigating more
than just serious accidents). In addition to training, some form of
reinforcement is also necessary.
— Root cause analysis (RCA) is necessary for understanding the deeper
reasons behind events: RCA is needed so that appropriate actions can be
developed to prevent recurrence. It is important for causal analysis to
include all factors, including human behaviour and organizational
influences.
— Effective accident investigation programmes have some method of tracking
the actions to closure: Several case study publications emphasize the
applied importance of corrective action tracking and closure.
— Accident and NM investigation reports need to be used as communication
tools for sharing lessons learned from events: An organization can use these
reports to re-emphasize management expectations, reinforce good practices
and warn other employees of situations that may adversely affect them.

79
 Annex XI
EXAMPLE OF A TREND PROCESS FLOW SHEET
Define source data and
exclusions
Time period to review, applicable work
group, etc.
Collect the data
Database queries, spreadsheets with
trend codes listed, etc.
Verify the data
Look for and correct anomalies which
may have been coded incorrectly.
Sort the data
— Calculate cause frequency
— Calculate average significance level
— Calculate the average frequency of all
the identified causes.
Identify common causes
Causal factors with frequencies greater
than the average frequency are then
identified as common causes.
Recommend a level of
investigation for the common
cause/s
It may be possible to recommend
corrective action/s instead
(if they are obvious).
80
Perform an external operating
experience search
Evaluate for applicability to the common
causes.
Line manager review
and approval
Approval of the trend’s common cause/s
identification, and recommended
evaluation or corrective action/s.
Management team review
and approval
Similar to other recommended
evaluations or corrective action/s.
Evaluate the common cause/s
— This step will include one individual
investigation for EACH common cause
identified, using apparent cause or root
cause evaluation, depending on the
significant level, or it may simply be to
complete the recommended corrective
actions identified by the trend evaluation
if they were identified at that stage.
— The approval process for these
investigations (of common causes) is
the same as for any other investigation.
 Annex XII

BRUCE POWER TREND EVALUATION CHECK SHEET

Quality Checklist Yes No

Does the trend evaluation clearly define the scope and impact of the  
trend and the data range?

Are the data points related in a logical manner to ensure an accurate  

outcome?

Are causal factors consistently identified for each data point?  

Has the average frequency been calculated properly?  
Are common causes identified or if not is the basis acceptable?  
Have internal or external OPEX been identified that match the  
common causes?

Is the disposition adequate to ensure that further actions taken will  

be thoroughly identified?

Are event codes and common causal factor codes listed and has the  
SCR been updated with the codes?

Has the responsible manager (or delegate) approved the trend  

evaluation?

Has the “new” SCR(s) been created and SCR number(s)  

documented in the trend evaluation?

Approval
Please ensure this evaluation has been approved by the responsible manager or
designee. Approval cannot be delegated below the level of section manager.

Approved by: Date:

Signature

81
 Annex XIII

GOOD PRACTICE ON SHARING OF NM INFORMATION

XIII–1. SHARING INFORMATION THROUGH THE NEAR MISS

REPORTING CONFERENCE

XIII–1.1. Brief description of NPP

The Mihama NPP has three PWRs of 340 MW(e), 500 MW(e) and
826 MW(e).

XIII–1.2. Contents of good practice

Reinforcement of NM activity is aimed at facilitating efforts to mature the

safety culture. It has been in place since 2008, although the activity itself has long
been executed.
To stimulate reporting, the plant requests information, allowing anonymity.
As a result, 1242 NM events were reported in 2008 and 1432 events were
reported in 2009.
NM information that needs to be widely shared with other workplaces is
compiled, reported and distributed at the Near Miss Reporting Conference,
jointly organized by the Mihama NPP and contractors (members of the Safety
and Health Council). This conference is held twice a year.
At a 2009 conference, the Mihama NPP and contractors presented and
shared about 104 cases. Some examples presented at the conference are as
follows:

— Example 1: Possible entanglement of a leather face cover for welding with

a rolling grinder. A craftsman who had hung a leather face cover around his
neck tried to grind welding equipment. He got close to the rolling grinder.
His leather face cover could been pulled in by the grinder.
— Example 2: Possibility of cutting an electric cable. An engineer tried to
remove an electric lighting panel for repair. He disconnected all electric
cables in the panel but missed one cable which went through the panel.
Fortunately, he realized his mistake and removed the cable. If he had not
realized the situation, the cable might have been cut/damaged.

82
 — Example 3: Vacuum in a pure water tank while draining its contents. The
operator tried to drain the water from a pure water tank. He confirmed that
the vent line was open. After he started the draining operation, he noticed
that the middle part of the tank was slightly deformed. Thus, he stopped the
draining and checked the tank and its piping. As a result, he found a clogged
mesh in the vent line. The clogging material was granular sand which had
been used during sand blasting of the tank.

There is an award system for individuals and contractors at the conference,

which is held twice a year. At each conference, eight or nine individuals and one
contractor are recognized.
In the case of individuals, an award committee chooses good presentations
at the conference.
For contractors, the award is based on analysis of various established
indicators. These indicators examine a variety of factors, such as the frequency of
internal meetings, including pre-job briefings, the frequency of internal training
seminars, the amount of feedback (both facilities and practices) on NMs and the
number of presentations given at a conference. The award system also takes into
account the number of persons employed by each contractor, so that smaller
contractors can also be rewarded.
The above information NM is also utilized among contractors in pre-job
briefings on the site and in their internal seminars.
All of these activities have aided in the prevention of non-conformances
and industrial accidents at the Mihama NPP.

83
.
 CONTRIBUTORS TO DRAFTING AND REVIEW
Abbas, H. Karachi Nuclear Power Complex, Pakistan

Fotedar, S. International Atomic Energy Agency

Ghazaryan, S. Armenian Nuclear Power Plant, Armenia

Humphrey, G. Bruce Power, Canada

Jain, V. Rajasthan Atomic Power Station, India

Khalenko, R. State Nuclear Regulatory Committee, Ukraine

Kilian, H. Gesellschaft für Anlagen- und Reaktorsicherheit mbH,

Germany

Kisel, J. SE a.s., Slovakia

Kuivalainen, H. Radiation and Nuclear Safety Authority (STUK),

Finland

Murry, P. Consultant, United States of America

Okamoto, T. International Atomic Energy Agency

Rheaume, W. Entergy, United States of America

Ross, K. Canadian Nuclear Safety Commission, Canada

Shepherd, P. Consultant, United Kingdom

Tanaka, T. Kansai Electric Power Company, Japan

Trnka, M. CEZ a.s., Czech Republic

Uzunov, R. Kozloduy Nuclear Power Plant, Bulgaria

85
Wang, Z. China National Nuclear Corporation, China

Zahradka, D. Mochovce Nuclear Power Plant, Slovakia

Consultants Meetings

Vienna, Austria: 19–23 October 2009, 15–19 February 2010

Technical Meeting

Vienna, Austria: 26–30 July 2010

86
@





 
 
 

 
  
    
  
!"#

! 
$
!%
'*+-
012"314546
2 78'54965:;;;;<=>78'54965:;;++

7%
@
 <-
7 7FF
 

"!# $
GJ%0
6:6QR559:Q 
2 78466V4+*4:+<=>78466V4+:+*5

7 @
<-
7 7FFRR 

%&
Q
 *V:5=Q %!
6::J1$6:;:'R*4*'!
2 75R+::R+'VR4*V;<=>75R+::R+'VR4*V:

7 @<-
7 7FF
0

X"J 5RV4'9" 0# # 
Z5G9G4
2 78'54;*V6''V<=>78'54;*V;'':

7 @<-
7 7FF

%' 



"
7"
 X "
2 
!
#Q>65:4Q

X

%(%')"! %
!"[!0#Z %4*;5+:659
2 78*6:6'':4V4'*<=>78*6:6+*+65'*'

7@\<-
7 7FF\

* !&
 
Z
#Q#]56+^Z 5_=R::5:53 


2 784V+9565*5<=>784V+9565**V:

7
@ 
<-
7 7FF 


*%
=R
VG#Q>6V=R;V965
">59
2 78445*6:5*9*9<=>78445*6:59:9:

7
@
<-
7 7FF

J%

!!5*V%
X9*64'"">
2 78445*;*:';:6<=>8445*;*:';:6

7 %
@ %

<-
7 7FF %



#$+
#R` X` 
R` Xj33X 5:$RV4554Q
2 78*966+9*9:6:<=>78*966+9*9:6:8*966+9*9:666

7  X@R% X<-
7 7FFR% X

'#+
J
 J Q #Q>56'3R5'V'Q 
2 784'56V;;;;;<=>784'56V;;*;6<
7@
 

& 


j5 = $35VG3
1XQ   1
*::::5
2 78956666'5;96'F6;<=>78956666'5;96+

7
 @% <-
7 7FF


Q 6F;6

" $ 
55:::9
2 789555646'+;+'89555646V;6'*<=>789555646+545V

7 @%  

!+
J

!

{$ J

Q

|#}`
"
'R6:5*'1

2 7849:6*+9V*VV6*+9V*V'6<=>7849:6*+9V*V*+

7
@


<-
7



,)
1\"J 54R'

4"R25:4R::6;
2 78+5446;V+V+6<=>78+5446;V9:;6

7 @\<-
7 7FF\

)"! %-*.-
Z!
Q
$ !Q X6= 6;VR5~XGRX!"Rj! 54;R54:
2 78:6V+95;*:<=>78:6V+95;*'<-
7 7FF


'!&
$J
 
 

Q`10   6:JR;*+6Q[3X
2 7845^:_V4V;*:::*<=>7845^:_V4V;6969'

7@
<-
7 7FF

1

 
 Z V:#Q>5+V46;::"[[ 
2 7845;94'+**::<=>7845;94'5V'9+

7
@
 <-
7 7FF
 
! [

X%#Q>+4:65':![J

2 78456V6*4V555<=>78456V6*5V+++

7
@  <-
7 7FF  

(!&
$
!%
'*+-
012"314546 

2 78'54965:;;;;<=>78'54965:;;++

7%
@
 <-
7 7FF
 

!-0 
"%[ \Z
%6!R5V56J 
2 784+'5*4645**<=>784+'564:5*4V

7
 @%R\
<-
7 7FF%R\
F%\

) 
$\! !FGQ%4R6+::'1

2 784*95;+59*+:<=>784*95V;VVV'4

7@
\  @
\  @
\ 
@
\ 
-
7 7FF
\ 

 &. #&-$
2! 
#{J  
 ! X#Q>69
045j
2 ^_78**+;:'::VVV6<^€

_78**6:;+;4+4;6<=>78**6:;+;4+6:4

^_7@ <^€

_7€

@ <-
7 7FF 
#R

$J2 Q-  J 49 >0  !Z25V6

7
@<-
7 7FF
Q %
 
 
 J #Q>559! %X!j5*2
2 78**5*4+;*+555<=>78**5*4+;*++**

7@ 
 <-
7 7FF 
 

 & -
$ ::*0$"6R:+V4=
 % *' !  ~~5::5;!
^_2 78+::6V4R9'*'86569'4R+4:6<=>786569'4R4*+9

7

@X<-
7 7FFX

 &-*$ %
Q
 *V:5=Q %!
6::J1$6:;:'R*4*'
2 75R+::R+'VR4*V;<=>75R+::R+'VR4*V:

7 @‚-
7 7FF
0

X"J +56 %#XX~54''9
2 78+++VV5;*;:^  R_<=>78+++V'++V*'^  R_

7 @<-
7 7FF

-


1 

2 
  7
$
3  4 
2
5 5
`
 
 " #Q>5::5*::`
 

2 78*456'::66V69^66V4:_<=>78*456'::694:6

7 

@
X<-
7 7FF
XF
12-07071
 R E L AT ED PUBL ICAT IONS

FUNDAMENTAL SAFETY PRINCIPLES

IAEA Safety Standards Series No. SF-1
STI/PUB/1273 (37 pp.; 2006)
ISBN 92–0–110706–4 Price: €25.00
GOVERNMENTAL, LEGAL AND REGULATORY FRAMEWORK
FOR SAFETY
IAEA Safety Standards Series No. GSR Part 1
STI/PUB/1465 (63 pp.; 2010)
ISBN 978–92–0–106410–3 Price: €45.00
THE MANAGEMENT SYSTEM FOR FACILITIES AND ACTIVITIES
IAEA Safety Standards Series No. GS-R-3
STI/PUB/1252 (39 pp.; 2006)
ISBN 92–0–106506–X Price: €25.00
RADIATION PROTECTION AND SAFETY OF RADIATION SOURCES:
INTERNATIONAL BASIC SAFETY STANDARDS: INTERIM EDITION
IAEA Safety Standards Series No. GSR Part 3 (Interim)
STI/PUB/1531 (142 pp.; 2011)
ISBN 978–92–0–120910–8 Price: €65.00
SAFETY ASSESSMENT FOR FACILITIES AND ACTIVITIES
IAEA Safety Standards Series No. GSR Part 4
STI/PUB/1375 (56 pp.; 2009)
ISBN 978–92–0–112808–9 Price: €48.00
PREDISPOSAL MANAGEMENT OF RADIOACTIVE WASTE
IAEA Safety Standards Series No. GSR Part 5
STI/PUB/1368 (38 pp.; 2009)
ISBN 978–92–0–111508–9 Price: €45.00
DECOMMISSIONING OF FACILITIES USING RADIOACTIVE MATERIAL
IAEA Safety Standards Series No. WS-R-5
STI/PUB/1274 (25 pp.; 2006)
ISBN 92–0–110906–7 Price: €25.00
REMEDIATION OF AREAS CONTAMINATED BY PAST ACTIVITIES
AND ACCIDENTS
IAEA Safety Standards Series No. WS-R-3
STI/PUB/1176 (21 pp.; 2003)
ISBN 92–0–112303–5 Price: €15.00
PREPAREDNESS AND RESPONSE FOR A NUCLEAR OR
RADIOLOGICAL EMERGENCY
IAEA Safety Standards Series No. GS-R-2
STI/PUB/1133 (72 pp.; 2002)
ISBN 92–0–116702–4 Price: €20.50

www.iaea.org/books
This publication presents an overview of best
p r a c t ices f or th e de velopm en t, i mpl ementati on and
c o n t i nu ou s im pr ovem en t of a low l e v el e v ent (LLE)
a n d n ear m is s (N M) pr oces s . It prov i des i nsi ghts
in t o l eadin g pr actices f or m anagers seeki ng to
d e ve l o p a n e w — or im pr ove an exi sti ng — LLE and
N M p r oces s , with th e g oal of i mprov i ng safety,
production and cost performance. Use of the
g u id an ce an d bes t pr actices prov i ded wi l l hel p i n
r e c o g n izin g em er g in g adver s e trends on the basi s
o f LL E an d N M an alys is . Pr oacti v el y correcti ng
s u c h tr en ds can h elp to pr e vent the occurrence of
s i g n i fican t e ven ts , an d th er eby enhance the safety
a n d r eliability of n u clear power pl ants.

INTERNATIONAL ATOMIC ENERGY AGENCY

VIENNA
ISBN 978–92–0–126610–1
ISSN 1020–6450