ISMS, The Customer Concept, ORNL Safety Management Philosophy, Self-Assessment
This chapter is interpolated in my narration because a discussion of the Integrated Safety Management System (ISMS) and related topics is necessary in order for the reader to understand the events of 1999-2000, which I believe illustrate aberrant safety management practices by ORNL management and DOE.
The Integrated Safety Management System (ISMS)
As I stated earlier, DOE pursues one management fad after another in the name of greater safety and efficiency. Usually these have originated in corporate America and represent the thinking of some industrial or service management guru. From about 1995 on, apparently at the behest of the Defense Nuclear Facilities Safety Board (DNFSB), DOE has been big on ISMS.
A central concept of ISMS is that line managers are responsible for ensuring that work is conducted safely. “Line managers” — the operational and research (O&R) managers at a site — are in charge of getting the research, production, and environmental cleanup work done. The service and support organizations — e.g., the safety people, human resources people, finance people, and any central maintenance group not part of the O&R organizations — are generally not considered to be part of line management. Making O&R line managers responsible for safety is supposed to motivate a shift of some responsibility away from the safety people and toward the O&R people; the idea is that the O&R people will “buy into” safety and pay more attention to it if they are accountable for it. This was supposed to be a revolutionary idea with ISMS, but as I noted earlier, when the DOE Radiological Control Manual (RCM) came out in 1992, it stated that line managers had significant responsibility for safety. We had heard this idea expressed strongly within DOE even before that. Thus this idea, sold as new, was actually a principle that was applied in the past; the only new aspect thus appeared to be that it was now part of a “system”.
Another important ISMS concept is that in work planning, hazards should be identified and controls chosen in a systematic and settled way, with every relevant discipline involved and with everybody having an understanding of who is to do what. The relevant disciplines would include the various crafts, the various safety disciplines, and the appropriate O&R people. The review of jobs or work processes to determine the hazards and the appropriate controls would thus be consistent with the “graded approach” and it would again promote buy-in on the part of those involved. This concept too was touted as a departure from past practice, but the RCM had already required participation and review by the full range of disciplines, including the activities of what was called the ALARA Committee.
The reader will recall that the graded approach was the idea that the degree of rigor applied — the depth to which documents were reviewed, the amount of time spent, the number of people who had to review and approve work, the completeness of review documentation, etc. — should be commensurate with the degree of hazard of the work. The determination of what level is appropriate is somewhat subjective, obviously. DOE’s requirement in the RCM that trigger levels be set for increasing levels of review for jobs or operations was a graded approach measure. For example, at ORNL and other sites, a radiation dose estimate for a job was to be compared to the preset site or facility dose trigger level in order to determine how high up the supervisory chains (i.e., of the O&R organization and of the rad protection organization) approval needed to be obtained, with higher-level approvals required for higher dose. Rad protection procedures would specify qualitative conditions other than the mostly numerical triggers under which, e.g., a professional safety review by a rad engineer or health physicist would be required. Even when the RCM became merely a nonmandatory technical standard, most sites did not eliminate the triggers because they were a convenient and accepted way to formalize the graded approach to approval.
The graded approach is also used in prescribing job-specific work controls; here the decision is based on the experience and judgment of the rad tech, professional health physicist, or rad engineer and is made in consultation with the O&R people and, if necessary, his own management. This use of the graded approach is appropriate, but the decisions made should still be documented to an adequate level to create a record to facilitate understanding of the job, whether it is a success or something goes wrong.
It should be clear that the graded approach can lend itself to informality and subjectivity, if that is a site’s bent, by (1) minimizing procedural requirements for review and for particular controls that must be applied in specified situations; (2) allowing wide latitude for oral or informal briefings of those involved rather than written work proposals; and (3) allowing for oral or informally documented decisions as to the selection of controls. The graded approach, applied in an informal manner, is the approach of choice for those who seek to minimize documentation and scrutiny of work plans.
The philosophical guidance for ISMS comes from DOE and DNFSB ISMS documents (which the reader may find on the Web). These documents are lengthy, but even so they seem to include mostly general statements, not firm guidance, regarding the degree of formality required in planning work, in identifying and choosing controls, and most of all, in resolving conflicts and differences of opinion. This generality may be appropriate for these documents, given their stated scope, but it makes them lacking in specific direction for rad work. Thus they do not establish a standard of requirements or even a standard of accepted practices for this type of work. So although there was some value to stating ISMS’ precepts explicitly, as a formal system of practice it left something to be desired in the way of specificity.
By a “formal” process I mean a process that is governed by a written procedure or defined organizational structure or both. Usually there is also associated training so that those performing or applying the process will do so in a competent and complete manner. A very formal safety program will have everything proceduralized and defined to the max; a very informal safety program will have a few general procedures and will have many or even most things handled on an ad hoc basis. Of course these two extremes are undesirable, because too much formality does not allow for sufficient flexibility and too little formality allows for an “anything goes” approach to work; too much formality usually requires excessive documentation, with consequent wasted time and resources, while too little formality encourages non-documentation, with consequent recurrent misunderstandings on the part of those receiving only loosely written or oral information and with consequent inability to study current and past work and understand how and why incidents occurred. From about 1995 on, the ORNL approach was toward greater and greater informality, I believe to the greatest degree of any major DOE site. This approach was taken ostensibly to allow for operational flexibility. But an advantage of this that was specifically cited over and over was the avoidance of documentation, while a consequence that was observed by the rad protection people was that violations and errors could be more readily covered up by the O&R people.
Like nearly all such DOE safety initiatives, ISMS was mostly old stuff clothed in new terminology. Safety people had never been exclusively responsible for safety anyway and besides, the RCM had already jacked up the level of O&R involvement in safety planning and O&R accountability for safety results. I recall asking Dr. Sims what we would be doing different post-ISMS from what we had been doing pre-ISMS; he replied that he was having trouble figuring that out himself.
Based on my readings of the DOE and DNFSB ISMS guidance documents and on conversations I had with a DOE-Washington ISMS person and a DNFSB-Washington ISMS person in 1999 (see next chapter), I took the ISMS statement that “line managers are responsible for ensuring that work is conducted safely” to mean that while line managers were responsible for finding out what they needed to do or to have done in order to make sure that all the Federal, ORNL, and job-specific requirements were identified and met, line managers were not supposed to be the sole arbiters of what constituted “compliance”, “safe practice”, or “adequate level of safety”. I inferred from the DOE and DNFSB ISMS documents that what DOE wanted a line manager to do was to consult safety people as necessary and to do what they said he had to do to be in compliance with, e.g., 10 CFR 835, the site rad protection procedures, and the facility safety authorization basis (such as the safety analysis report). The line manager was also supposed to take seriously and usually do what they recommended beyond mere compliance. I inferred that DOE did not intend the line manager to make his own interpretations of safety documents and requirements.
A specific example of what I think DOE did not intend would be a line manager’s overruling a rad tech supervisor who believed that according to a particular rad protection procedure, an operational review was necessary, when the line manager interpreted the procedure to say the review was not necessary. That is, I inferred that DOE intended for the authors/custodians of the safety documents — the safety people themselves — to be the ultimate interpreters of the words that they wrote or that they were the cognizant discipline for. Based on DOE statements about, e.g., 10 CFR 835, I assumed that DOE intended for each site to produce its own site-specific requirements to control how the requirements of the rules and Orders were met; I assumed that DOE expected these to be sufficiently clear, detailed, and rigorous as to ensure that the bare-bones requirements of the regulations and Orders would be met in practice and that necessary other job-specific or facility-specific requirements would be identified and implemented. In particular, I assumed this because DOE said it explicitly when 10 CFR 835 was first issued.
At ORNL, as I will illustrate here and in the next chapter, the central ISMS concept was interpreted in a way that gave the line manager complete control over safety; that is, it was interpreted to mean that the line manager has virtually absolute control and authority over all aspects of work, including safety. It is shocking to a safety professional that the O&R line manager — with his need to meet milestones and his desire to win bonuses — would be placed in a position of such complete authority and thus of such a conflict of interest. This interpretation also didn’t follow from the DOE and DNFSB guidance documents as far as I could tell and was in fact not found in either one as far as I could find.
ORNL’s Interpretation of ISMS; Customer Service
ORNL’s ISMS interpretation created several problems. The most important was that it fed into the “please your customer” philosophy that had also been misapplied at ORNL, as I noted earlier. The “customer” concept is not suitable for safety management and practice because safety people cannot allow the “customer’s” perception of desirability of action or outcome to take precedence over their judgment. When there is a difference of opinion, the dispute should be referred to higher management for resolution, including to higher safety management. The default voice in safety should be that of the safety professional or, when appropriate, the safety technician; in case of a disagreement in the field between safety and O&R people, it should be the O&R line management that has to take its case to higher authority, not the safety people.
In the past at ORNL, the safety people were fairly secure in their authority and line management usually did have to “make a federal case out of” a severe disagreement in order to get a safety determination overridden. But that was increasingly not the case any more at ORNL after the “customer” and ISMS concepts took root. Moreover, as I showed earlier, there were various cases in which line management did not speak with a safety representative about their dissatisfaction with his performance, or even to the safety rep’s supervisor, but took their complaint directly to the safety rep’s division director to get the rep either “recalibrated” or removed. So successful did this tactic prove that, as I noted, we rad protection people were told explicitly that if line management wanted a rad tech, rad tech supervisor, or rad engineer removed from their work, it would be done virtually without question. It was even said at one point by rad protection management that a rad tech would himself then have to find another ORNL complex (area) to work in if there was no alternative work for him in the complex where he was.
ORNL’s ISMS interpretation also allowed unqualified people to make safety decisions. If the line manager is deemed to have not only the responsibility for conducting safe work but also the authority to determine what safe work is, then he is making safety decisions for which his training and experience have likely not prepared him. As some of us safety people have pointed out, saying that the line manager is the ultimate authority on safety, even beyond, say, the safety managers, means that he has to be some kind of Renaissance man of work: he would have to know about the various safety disciplines up to the level of the safety professional, in addition to knowing engineering, scheduling protocols, financial management, personnel management, etc. This is unrealistic on the face of it.
But in addition to the danger of the manager’s making safety decisions that he is arguably not qualified to make, there is the danger that, busy as he is, he might delegate safety decisions to other unqualified or untrained people, such as underlings with no formal safety training or to technicians in cases when the judgment is one usually left to professionals. In particular, the decision as to what should be a safety professional judgment and what can be a technician-level judgment, if not formalized in a procedure, may by default become the province of the line manager, the O&R underling, or the technician. At ORNL, we saw such professional judgments made by the three types mentioned even when a procedure did specifically call for a safety professional’s involvement.
Example of Operational Control of Safety: Chem Tech’s RPP-310 Exemption
To understand how the O&R control of the safety organization worked in practice, consider the May 1999 exemption that ORNL’s Chemical Technology Division (Chem Tech) received from some provisions of RPP-310, the rad protection procedure covering the review of radiological operations and jobs. (I will discuss this in its narrative context in the next chapter, but will give some particulars here to illustrate my point further.) ORP was the author and “owner” of RPP-310, but all the other divisions had reviewed and commented on it at the time it was written and all comments had been resolved before the procedure was made official. Thus it was not something that was “imposed” on Chem Tech, but rather was a consensus document at the time it was promulgated. One purpose of RPP-310 as written was to provide a set of “trigger levels” at which a professional health physics (rad engineering) review would be provided. As I noted earlier, the provision of a set of trigger levels to determine when a formal rad protection review should be performed had been an explicit requirement of the RCM; every other DOE site that had a set of internal procedures that I could access on the Web did have such a provision, even after the RCM became a nonmandatory technical standard. In addition, there was some language in RPP-310 giving other conditions under such a review would have to be done, besides the trigger levels, e.g., a novel or first-time operation would have to be reviewed; this language too was consistent with the RCM.
At ORNL, the determination of the need for a review was left in the hands of line management and the rad tech supervisors assigned to their facilities, in that they were supposed to be familiar with the provisions of the procedure and to follow it by letting the higher-level review group know when they had a job or operation that met the requirements for review. This was a weakness in the procedure as compared with other sites’ procedures: if line management and the rad techs didn’t want to have a review, they simply did not ask for one and the rad engineering group was none the wiser, at least until it was too late. At other sites, there was typically a screening checklist that was filled out for every job or operation either by either line management or by a rad protection representative on the basis of information provided by line management. Such a checklist not only served the purpose of guiding the choice of reviewing or not reviewing, it also documented whether line management had correctly assessed the need for a review and whether they had obtained a review when necessary. The ORNL method, by not creating a review evaluation paper trail, allowed line management to have deniability with respect to missed reviews. That is, they could claim, as they did on various occasions, that they did not understand RPP-310; that they did not interpret RPP-310 to mean that a review was required; that no dose assessment had been done so they did not know that the projected dose exceeded the trigger level; that the rad engineer should have found out the details of the work from the rad techs and then told line management a review was needed; etc.
An important aspect of this evasion of review was the complicity of the rad tech organization. They repeatedly gave line management cover in avoiding reviews by failing to do projected dose assessments, by denying or minimizing the potential for radiological incidents, and by managing to have the rules changed, e.g., by having the contamination level triggers completely removed from RPP-310 so that no amount or type of surface contamination would trigger an independent review by rad engineers. I will repeat that again for emphasis: after 1996, there was no surface contamination trigger whatsoever, so that no amount or type of actual or potential surface contamination would trigger an independent or higher-level review such as had been required by the RCM.
As I explained earlier, the formal, independent, higher-level review at ORNL was originally provided, according to RPP-310, by the rad engineers — all professional health physicists — in the ALARA Engineering Group (AEG) in the Radiological Controls Section. There were several reasons for using this group as the independent, higher-level reviewers. First, they specialized in the more engineering and systems-oriented aspects of rad work, rather than simply in the at-the-scene aspects. They were thus expected to be able to digest complicated safety analyses and other engineering documents, read engineering drawings, and follow highly technical process discussions in meetings. Some people in the rad tech organization (the Radiological Surveillance Section, or RSS) could do this to some extent. However, they tended to do it only occasionally and only for those facilities to which they were assigned, while the rad engineers did it constantly and their “beat” was the entire Lab.
Second, there was a feeling in higher rad protection management that the rad tech organization tended to identify with the facilities they worked for and with the O&R groups that ran them, so that the rad techs often accepted what the O&R people told them and acted as defenders of the O&R people’s actions. The rad engineers, although nominally assigned to particular facilities or areas, were notably more independent and were more likely to ask questions about operations. This was particularly true when their reviews were funded out of overhead and not chargeout, as was the case up until about June of 2000.
Third, the rad engineers had a broader knowledge of hazards and risks based on their more extensive acquaintance with incidents and accidents at other DOE sites and in the nuclear power industry and on the type of courses, seminars, and professional meetings that they attended. While it was true that individual rad techs would most often know more details about particular operations at the facilities they worked for, e.g., whether a particular task produced radioactivity in a dust form, they would not necessarily be familiar with, e.g., the ventilation provisions of a particular building; they might know that a hood was to be used for a certain operation, but they seldom seemed to be aware of any minimum flow requirements for the hood and the operation. The techs also were far less likely to be familiar with the safety basis requirements applicable to the particular facility.
Fourth, although this was not a reason that higher safety management paid much attention to even though it was recognized by supervisory levels, the rad engineers tended to document their reviews more carefully and more consistently than did the rad techs.
Chem Tech did not like having to deal with the rad engineers. The reasons they gave were usually that the rad engineers were ignorant of Chem Tech operations and that the rad engineers were difficult to deal with. However, as I discussed earlier, the reality was that Chem Tech had a history of trying to control all aspects of an operation and of tolerating safety corner-cutters in the interests of meeting operational goals. By the end of 1999, Chem Tech had already cut me and two other safety people out of the high-profile MSRE project and, as I will relate later, had cut Kurt Geber and me out of the work of the important REDC facility and had effectively cut Geber out of the work at the U-233-storing Building 3019. They most often did this by putting pressure on the rad protection division director (or, in one case, on the director of the division (ONS) that included the criticality safety group) to get rid of the people they didn’t like. In the case of Geber and me, the explicit reason given by Sims, our division director, to our section head for our removals was that Chem Tech had threatened ORP with loss of funding by the “outsourcing” of rad protection functions if ORP did not assign to Chem Tech operations rad protection personnel they found agreeable.
The result of cutting out individual rad engineers was that reviews required by RPP-310 were not being done even when another rad engineer was assigned to the project or facility, either because the replacement rad engineer was unable or unwilling to keep track of what was going on with the work or because the project or facility line management were able to mislead the rad engineer as to future plans because the rad engineer did not know enough or could not find out enough to determine what was going on. The net effect was that even before it gained the RPP-310 exemption, Chem Tech used its financial leverage to control the assignment of safety personnel and was able to reduce the number of radiological reviews significantly. The idea that the safety organization had to keep its “customer” happy in order to guarantee its continued survival was thus completely in the ascendent by 1999.
However, Chem Tech’s use of its financial muscle to eliminate “eyes” it could not control was an informal solution and therefore one that was fraught with regulatory peril. There was always the danger that an auditor would notice the failure to involve a rad engineer as required and the consequent violation of RPP-310. I had already pointed out vociferously to my management the irregularity of involvement only, in effect, at the pleasure of line management. My group leader, Mei, and my section head, Mlekodaj, had already pointed out to Sims, on the basis of the rad engineers’ and their own observations, the complicity of RSS in avoiding reviews. So it was undoubtedly clear to ORP and Chem Tech management that it was important to cover their potential vulnerability by formalizing the process of allowing line management to choose their own rad protection reviewers — i.e., by changing the procedure. It should be noted that since the rad techs and their supervisors also served at the pleasure of line management (in that if line management complained about them, they were replaced promptly), the lower-level rad protection review was effectively already controlled by Chem Tech. I believe that this ass-covering aspect was the principal reason that in about March 1999 Chem Tech sent Sims a memo asking that he grant them an exemption to RPP-310 to allow Chem Tech (1) to choose their own RPP-310 independent reviewer and (2) to choose a rad tech supervisor (“or equivalent”) instead of a rad engineer as this reviewer.
How this exemption violated another procedure, RPP-110, and the already approved interpretation of 10 CFR 835 will be described later. But it should be noted that the specific reasons given by Chem Tech for not wanting to use the rad engineers, however knowledgeable they might be, were flexibility and a faster review process, i.e., operational convenience. It should also be remembered that RPP-310 already provided at every level for review by RSS: at the first level by a rad tech and at the second level and above by a rad tech supervisor or manager. Thus the rad techs or their supervisors were always included in the review process anyway. The effect of the exemption allowing the “independent” reviewer to be a rad tech supervisor was actually to reduce the diversity and breadth of the review by substituting a second rad tech supervisor (often from another Chem Tech project or facility) for a rad engineer.
As the RPP-310 exemption showed, line management exerted financial pressure in significant ways on the safety people in order to further operational goals. This contradicted DOE safety policy (“Safety shall not be compromised to achieve operational goals”). It also contradicted what one would think was the aim of ISMS: worker safety through thorough and appropriate evaluation of hazards and controls.
Marketing Supposedly Required Services; Cost-Shifting
Another problem with the “please your customer” emphasis was that instead of having a team effort in ORNL work, we saw that some groups had turned into marketers of services to other groups. It can clearly be a useful concept within certain types of companies to have some internal groups be viewed as providers of services or products to other internal groups and to have accounting practices arranged accordingly. But it should be recognized that there are disadvantages to this approach that may be counterproductive with respect to overall efficiency and to the promotion of teamwork.
Here is a non-safety example of this point. At a company for which I formerly worked, a change was decreed regarding getting copies made. The practice had been that for more than a few copies, the engineer or his secretary would take the masters to the local mail room, where the copies would be made either immediately or within a few hours, as appropriate. Thus the lowest-paid people — the mail room employees — would be performing the time-consuming but low-skill function of running the copier. But in order to reduce the mail room overhead by getting rid of some of the mail room employees, this practice was changed so that all or most copies were henceforth to be made by the engineer or his secretary. This meant that although the overhead costs due to running the mail room went down, the effective charge per copy went up because the worker making the copy was a more highly paid one. Since some time was spent in copying that was formerly spent in engineering or secretarial work, this also represented a decrease in main-task productivity for engineering and secretarial groups. Actually, even more time was spent by the engineers and secretaries than by the mail room employees because the mail room employees did not have to queue up for the use of the machines as the engineers and secretaries did, or walk to the machines from distant offices — the machines were in the mail room so the mail room people moved smoothly from copy job to copy job in their own work space and they could do other work in the copy room (such as sorting mail) up until the second that the copy machine was free for the next copy job. Thus for mail room people the “queueing minutes” were minimal. There was probably some savings in time for the company, in that the engineer might work some free overtime or the secretary might work a little faster due to the extra work of copying, trying to get the same amount of main-task work done in the same work day as formerly. However, clearly there was more low-skill work done by higher-paid people in order to reduce the burden cost of lower-paid people. It is arguable that this represented an overall decrease in productivity for the company.
Such consequences as resulted in the copier example above could easily be anticipated by someone looking at the big picture but would be overlooked by someone seeking only to cut “local” or group-specific costs, or to redistribute costs around a company. Often the reasons given for such changes sound plausible only because the consequences are not obvious or are not acknowledged by management. With the contemporary emphasis on the bottom line, the effects of cost-shifting can be very significant and can distort established relationships. This is particularly true in the area of safety.
An example of cost-shifting at ORNL occurred starting in about 1998. The Office of Safety and Health Protection (OSHP) performed the functions of industrial hygiene and industrial safety, including respirator fit testing and training. Most of the people in OSHP were professionals rather than technicians. In the cost-shifting action, most OSHP functions were transformed into an a la carte system in which the O&R divisions chose the “services” they wanted to purchase and paid for them on that basis. The reason given for the change at the time was that some divisions did not need some of the services provided and others could provide it to themselves by having some of their own people do it or by outsourcing it.
This on its face was plausible, of course; getting the same services cheaper would be a plus for the entire Lab. However, the services would obviously not be the same. First, the people in the divisions who would be doing the work were generally not equivalent to the OSHP people who had been doing it, in terms of training and experience. The divisional replacements might or might not have a college degree, but if they did, it was likely not to be in industrial hygiene or industrial safety or a like area. The training they received to do the work could be via a quickie training course, or they might have been taught to do it on an “I show you and then you do it” basis by a previous practitioner, often with little or no signoff documentation as to the elements of the training. Thus this might often not be an exchange of a formally trained professional for another formally trained professional or technician, but an exchange of a formally trained person for an informally trained person. OSHP, now a provider of mostly optional services, had to undertake to “sell” its services to the other divisions as though it were an independent company, not an institutionally established safety group, in order to keep its people’s jobs (and still they had to downsize).
Second, with a central safety organization there was much more communication among those doing the work than with a bunch of divisional reps working only in and answerable only to their separate divisions. Consequently, there was more consistency and correctness with a central organization: interpretations and applications of regulations were more uniform over the Lab, there was feedback regarding problems or uncertainties between projects, and new information from around the DOE complex was incorporated in practice on a more real-time basis. The divisional radiation control officers (DRCOs) had a loose association in which they met once a month, but this was more like an awareness group than a truly administrative-technical group; I never heard of an analogous divisional safety officer meeting group, but assuming there was one, it too was probably more like an awareness group. There seemed to be no requirement to attend the DRCO meetings even for training, unlike some staff meetings of the central safety organizations; indeed, for a number of years, there was no required training to be a DRCO and even when training was eventually provided, new DRCOs could serve untrained for some length of time.
Third, there was again the issue of independence. With a central organization, the safety people’s authority is backed up, at least theoretically, by their organizational management and they are independent from the O&R people up to a high management level, even up to the site director. But when a safety person is within an O&R division, his ultimate manager within the division is the division director — who is, by definition, an O&R (line) manager. Thus there may be a great deal of pressure applied to the in-division safety person to give in to operational and research needs and requirements; he may even be ordered to do so. Often too, as we saw at ORNL, the DRCOs were not included in operational meetings or informed about activities that clearly they were supposed to be involved in, either by ORNL rad protection procedures or divisional procedures. They were supposed to (and, as we saw, did) knuckle under to this — to show that they were “team players”. There is thus a conflict of interest in letting a division’s own people take a significant role in safety determinations independent of the safety organization: they are accountable to the head of their own division, whose priority may not be safety.
Note too that the quality and consistency of safety coverage tends to be uniform with a strong central safety organization. But it becomes less so if the central organization is weak and even less than that if safety is decentralized, i.e., if the divisions do a lot of their own safety work. Weakening and decentralizing the safety organization may promote more operational efficiency (I don’t think it does in the long run), but it certainly makes for inefficient and often ineffective safety coverage, as I believe we saw come to pass at ORNL. At ORNL, a central safety person was usually assigned to particular site activities or projects or facilities in a matrixed fashion; that is, while he was administratively part of the central safety organization, he was the designated representative of the central organization to a project or facility and in that capacity would be the project or facility team member responsible for providing safety support in his discipline. This seems to be the way most sites provide safety coverage, even while there may be an O&R safety coordinator who is part of the O&R division itself. The matrixed arrangement offers many advantages. The safety person keeps in touch with new developments through the (his) safety organization and his practices are consistent with the policies and practices of the whole safety organization; in this way too, his independence can be maintained (assuming that the safety organization management supports it). But at the same time, the matrixed person maintains continuity of coverage and communication with the project or facility on a day-to-day basis, which is important in fostering his making reasoned judgments using the graded approach and in his keeping track of the often complicated technical details of the work activities. This was the basis for the use of the matrix structure at ORNL.
The three reasons above suggest that while going to the a la carte system might be a cost-saving measure, it was also, broadly speaking, likely to be a quality-sacrificing measure. Only if one could argue that the extra expertise, consistency, etc., of OSHP were somehow wasted or excessive could one conclude that there was no significant decrease in quality and thoroughness in going to the a la carte system. ORNL management, as part of its minimalist application of ISMS, was at pains to convert safety from the level of comfortably adequate (i.e., sometimes a little overkill, once in a while a little “underkill”) to the level of barely adequate. This included personnel qualifications and training. As noted, for the specific case of in-division personnel, it was quite possible and even likely that the people doing the work would not be professional industrial hygienists or industrial safety people or even that they would have only recent training for the new functions they were to perform. In the case of some work, the professional-level training and experience would not always be needed, but in other cases it would. Then the division would have been expected either to approach OSHP for case-specific help or to obtain help from an outside entity on an ad hoc basis. But again, if the division hired its own independent professional safety advisors (e.g., from outside ORNL), the independence problem would arise: if the division respected their authority and followed their recommendations, then all would be well, but if the division cherry-picked which if any advice it would follow, then safety might be compromised.
There was reason to think that the reason given for going to the a la carte system was at least partly spurious. Some time before the (my)1 December 2000 layoff, an OSHP supervisor told me that there had been much discussion in their organization about laying off professionals preferentially: the incentive was that since professionals command higher salaries than technicians, their services were thus relatively expensive on a per-hour basis and the new management, UT-Battelle, thought that money could be saved by laying off many of the professionals and having technicians do most of the work. Also, other people had pointed out to me that if a safety person were in the O&R division, instead of in the central safety organization, his salary and benefits costs were part of division overhead, not ORNL-wide overhead. Near the time of the layoff, it was announced that in the layoff, many OSHP employees would have to go — more than in any other group or division except the craft division. It may have been that OSHP was top-heavy with professionals and might thus have needed to downsize further than other groups, but I thought that, considering the variety and hazard levels involved in much of their work, we would eventually find that much work that had been done (and properly so) by professionals would be handed to OSHP techs or non-OSHP people to do. At any rate, OSHP did lose the highest percentage of any safety organization in that layoff, and the safety organizations as a whole lost a disproportionate percentage of personnel. And certainly within months after the layoff, ORNL was trying to hire an industrial hygiene technician. So it does appear to be true that there was a movement, on a broad basis, toward using people with lower qualifications for the types of work that OSHP did.
ORP itself had also been going in this direction in the last two years. Mei, warned us that we, the rad engineering group, had to try to drum up business to “survive”, saying that we were in competition with other ORNL groups, in particular RSS, and with outside safety service companies. She was told this by her supervision and she was directed explicitly to “market our services”. So she was constantly pointing out to O&R people at meetings, even those held for other purposes, that our group had the capability to do this or that function, such as gamma spectroscopy. By the middle of 2000, we were told, we would be expected to charge out about 80-90% of our time to paying “customers” (and a full 90% in years to come). Charging out means that the entity receiving the safety service — in this case, the division for which the safety work is being done — would pay the safety organization directly for the safety person’s time according to a preset hourly charge rate, rather than having the safety person be paid out of that portion of ORNL overhead allotted to the safety organization. Again, the argument for doing this was that the division receiving such services should be paying for it, rather than having the whole Lab pay for it via Lab overhead. Overall Lab overhead was considered to be too high to attract outside business (it was usually 40% or more); thus charging out of more and more overhead-funded services was appealing.
But note that there would be the same amount of work — it would just come out of a different “pot”. The various divisional operations and projects would have to come up with (some) money in order to pay for the same level of services, most of which were required by procedure. There was thus an incentive for the divisions to minimize the amount of safety services they would need to purchase and further, to minimize the amount of time the safety person spent in providing the service. It was obvious that the move to charging out, especially at the rate of 80-90%, meant that if AEG could not “attract” enough work, some of us would have to go. It was also obvious that if the customer could dictate which individual safety person would do the work and could even specify the level to which the work would be done (e.g., determining the review level themselves), then those safety persons who provided brief and easy reviews, didn’t ask any hard questions, etc., would be chosen to do the work and would meet their 80-90% quota, while the less “round-heeled” ones would not be chosen, regardless of their experience, technical ability, or proven judgment. This is in fact what happened, as I argue in this book.
As can be seen from the above discussion, charging out can be an appropriate way of directing costs to those for whom the work is done instead of distributing them around a whole corporate body, but when coupled with an entirely customer-focussed management policy, charging out may lead to the indifferent or incompetent being retained or given the important assignments while the diligent and competent are let go or are given trivial or unchallenging assignments — because “that’s what the customer wants”.
Why Not Order Out?
Where there is a central professional safety organization that is “of the site” — the “institutional” safety organization — then it is a matter of site-level concern when one or another O&R group is not following recommendations. (Note that the term “institutional safety organization”, as I use it, identifies the site safety organization as an entity in the way that DOE did in, e.g., the RCM and the 10 CFR 835 implementation guides.) There may be sanctions or at least an inquiry by sitewide management when this happens. But where professional safety expertise is sought outside the site, e.g., from consultants, the O&R entity may feel free to ignore those recommendations that it does not like and there may be no “controlling authority” within the site that checks up on whether and how the recommendations are used.
I believe that this was the case at ORNL. ORNL, as part of its contract with DOE, was supposed to oversee and audit the safety determinations made in connection with work done or proposed to be done at ORNL. How ORNL was supposed to do this for outsourced work was not clear. That is, each division had its own internal procedures and many facilities and projects had their own procedures, but with the fiefdom nature of the divisional structure, it was not clear that the overall oversight — auditing at the Lab level of project-level and facility-level work — was being performed adequately. An example of why I believe that it was not was the ORNL P-AAA Screening Committee, with its lack of authority to investigate (dig out information) and its willingness to wait and see if a pattern of deviance developed..
Besides the site’s providing its own oversight, DOE, as oversight regulator, is supposed to make sure that when outside professional expertise is used, the outside experts are indeed competent and independent. DOE is supposed to monitor the quality of the recommendations and conclusions reached by the outside entity (which should not be providing “patty-cake” reviews in order to get future business) and also to monitor whether the recommendations are followed by the site or not. However, DOE most often seems to defer to the judgment of the site as to whether the outside people know their stuff, whether they are providing substantive comments and recommendations, and whether the recommendations should be and are adopted by the site. DOE often seems more interested in, e.g., whether a company is woman- or minority-owned than in whether it is the best company to do the work, or is at least clearly qualified.
I will digress here to address the particular case of design work for new facilities or modifications of existing facilities. This is an area where outside companies are often retained. However, in my experience the outside companies may not have a rad protection specialist on staff and the design engineers may then handle the safety aspects as well as the operational aspects. This precludes the factoring in of best radiological practices based on the comments of a rad protection professional. Even so, however, the site’s own rad engineers are often used only to review and comment on designs after they are produced, rather than being part of the design team. As I noted earlier, this is what occurred within ORNL itself and was a departure from the practice of my earlier years at ORNL. Having the rad engineer(s) see the design only at a late stage interferes with the implementation of radiological procedural requirements and preferred practices into the design until design has progressed significantly. ISMS is supposed to address only work planning, not design, as far as I can tell, so that the change in how the site rad protection specialists were used preceded the implementation of ISMS somewhat (although I think not the promotion of ISMS by DOE). However, this money-saving exclusion of safety specialists until far into the project was much more pronounced with the increased control of safety by the O&R people.
More About the Customer Concept
One problem with ISMS is that it allows (or in ORNL’s interpretation it allows) for the complete application of the customer concept to the O&R-safety interface. A point to note about the customer concept is that it tends to turn each dependent safety group into a cash-earning team — as opposed to all the groups working together as one big team. Each safety group is trying to psych out the cash-bearing groups (the O&R divisions) and figure out their strategy and plans. The safety groups also spend a great deal of time studying their “competition”: the other internal or outside providers of services. As I noted earlier, I heard many discussions of how to “make customers happy” and attract “business” over the last two years that I was at ORNL. It reached such a peak that not only was it was mentioned at every staff and safety meeting, it took up a significant amount of time at such meetings, to the detriment of technical discussions.
The deformations that this emphasis produces in the proper approach to cooperative safety management, never mind ethical behavior, are dismaying. First, it breeds an arrogance and sense of entitlement in the O&R people. Several formerly cooperative and collegial O&R people took on a new attitude over the last few years I was at ORNL, a chip-on-the-shoulder, “Show me where it says that in the [DOE] regs” attitude; others were evasive when asked about particulars of their division’s work, a few even apologizing for not being able to be candid. People who in the past had never been cooperative about following rad rules and who had a history of violating them now seemed to enjoy being overtly aggressive, challenging even established provisions of the procedures. While there were some O&R people who were still always cooperative and supportive, others made it clear that it was their management’s directive to push back at safety requirements and not to implement anything that was not strictly required — with the line division itself making the determination.
Second, the customer concept breeds an overly deferential attitude on the part of the safety professional or technician. He becomes a “provider of services” rather than a prescriber of required safety measures and a true advisor regarding good practices. He is no longer the arbiter of what the regulations require, the expert on what is safe; he can only “recommend” controls and other measures, which the division then decides whether or not to follow. He must thus study how best to present his recommendations to the “customer” in order to make them palatable and to persuade the customer to implement them. He must avoid offending the customer at all costs, in order to guarantee repeat business. The safety person thus goes into a courtier mode, which is counterproductive to good safety practice.
Third, the customer concept breeds a similarly deferential attitude on the part of the (central) safety manager, but here there is the added element of a conflict of interest. The safety manager is supposed to back up his people and assure their independence. But with the customer concept, the needs and requirements of the customer loom much larger in the manager’s scope because he must keep the customer happy to keep himself and his people employed. Thus there is a greater incentive — even a personal incentive — for him to change out or remove people that the O&R people object to, whatever the reason might be, on the grounds that in that way he will retain the customer’s business or at least minimize the trouble to himself and the O&R division.
A safety manager may assert that if he replaces an objected-to person with another person of equal qualifications and experience and if the removed person is given another assignment, then no harm is done. But this is not so. First, there is a disruption to safety coverage when a new person comes on board. Thus with every replacement there is an inefficiency and a possible interruption of oversight. Second, there is a message sent to the O&R people that their needs and requirements, even their mere preferences, are paramount. This tends to de-emphasize the importance of safety in the operational picture and to emphasize operational continuity and convenience. Third, there is a disruption to morale when people are replaced merely at the behest of their customer. This is particularly true when there is no formal investigation of why the safety person and the O&R people are in disagreement and when the explanation given by the safety manager himself is that “the O&R people didn’t want to deal with him/her”.
I spoke with an in-division safety person, a divisional safety officer (DSO), in late 1999. Her division director had been proposed as a member of a professional differences of opinion panel and I was trying to find out, tactfully, what his attitude on safety was. This DSO referred derisively to what she said her division director called “the charge-by-the-minute people”, even though she was aware that I was one of the people he meant. She made it quite clear that her director felt — and that she agreed — that nearly all safety functions could be performed perfectly well by in-division people such as this DSO. Her rudeness and hostility surprised me; I would have thought that she would be more circumspect in speaking to a stranger. It seemed clear that she must indeed be voicing the opinions of her director and was confident that he would back her up. Later, others told me that her director’s attitude was indeed as she had said.
I must point out again that there were some sound divisional rad/safety officers whose experience extended over years and who were committed and professional in their approach to safety. (I especially liked the people who were the RRD, Plant & Equipment, and Solid State DRCOs in the mid-1990s.) Some did not have degrees but had received appropriate training of one sort or another. But these old-line safety officers were most often allies of OSHP and the other safety organizations because (1) they recognized their limitations and would refer questions they felt uncertain about to the safety organizations, (2) they thought that interpretation of the finer points of the regulations was best left to the specialists, and (3) they did seem to credit the safety organizations with having a prime interest in protecting the worker and not in perpetuating their jobs. These officers typically did try to run interference for their divisions in the sense of trying to keep what they regarded as unnecessary central safety “heat” off the O&R people, but this usually took the form of getting together with the safety people for a meeting and talking over issues; unlike some of the latter-day in-division safety folks, the old-line safety officers did not include hiding issues from the safety people as part of their modus operandi.
However, some of these old-line officers seemed to be subjected to significantly increased operational pressures as time went on. The safety officer I knew best, one of these old-line folks, was in a very difficult position due to the nature of his division. I worked with this person over virtually the whole time I was at ORNL and until about 1996, I felt that our relationship was cordial and that he and I were part of the same greater safety team at ORNL. He would call me occasionally to ask a question or to tell me about some radiological aspect of his division’s operations that he thought I ought to know about. But when the divisions began to exert financial pressure on the safety organizations and to squeeze them out of operational matters as much as possible, he seldom called me any more and when I called him, he was sometimes evasive. He made it clear on several occasions that he too was in the dark about some matter, even saying once that “they” didn’t tell him everything that he thought they should tell their rad safety officer. I believe that by keeping their own safety people in the dark and by pressuring them to keep things from the central safety people, the O&R people were further controlling safety management beyond the level that, from DOE ISMS documents, one would assume was necessary or appropriate.
Returning to the implications of issues related to O&R control of safety, I note again that the customer concept is counter to the concept of the “institutional” safety organization since it transforms the safety organization into sub-entities that have to market their services and attempt to appear more attractive than their competitors (whoever they may be). The safety organization may have less time or authorization to deal with the little “brush fires” or difficult issues that arise and have to be dealt with on a non-chargeout basis. For example, as the radiological fetal protection coordinator, I was required to call the pregnant woman’s supervisor and get a charge number for the time I spent in talking with her about declaring her pregnancy and so forth. How could I confidentially counsel, say, an unmarried pregnant woman who was debating about whether to declare her pregnancy or not, if I then had to ask her supervisor for a charge number? Even if she was married, she might want her pregnancy kept secret until her supervisor had a need to know, as might be appropriate if she was a rad worker but seldom did rad work.
Also, even if one does think of a safety person having a customer — i.e., a person for whose benefit his work is mainly done — ORNL’s ISMS interpretation has, in my view, led to the misidentification of who the “customer” is. As I stated earlier, I believe that the principal “customer” — the true beneficiary of the service — would be the worker (and when applicable, the member of the public) whose health and bodily integrity might be affected by the operational work or activity. An additional customer would be DOE, in that the safety person should be responsible for compliance as well as the line manager; this is because the safety person is usually providing informed interpretation and producing job-specific requirements consistent with the Federal and site requirements that DOE wants sites to meet. Also, note that DOE has an interest in having work done safely at DOE sites, so that when DOE is regarded as the customer, this will be an important goal. But when an outside entity, such as a private company, wants work done at a site (i.e., ORNL contracting to do work for them), they are not interested in the safety of the site’s (own) workers; as a practical matter, that is the site’s problem, not theirs. All they want is the product. So they may audit the producer’s QA program but not necessarily his safety program, if the ORNL workers do not do the work at the outside entity’s facility. Thus in the future, as ORNL seeks to privatize some of its work and to sell its services to private customers, there may be even more emphasis on the deadline and less on safe work. DOE, as regulator, has to ensure that this does not happen and must hold the site accountable, hence DOE is still a safety customer here.
Next in the customer lineup would be the site management, because the interests of an individual division or O&R group are not always consistent with the interests of the site as a whole. For example, an O&R (line) manager might try to cut corners to meet his operational goals, in a way that the higher site management might disapprove of if they knew. So the safety person acts as a representative of site management in checking to make sure that the site safety requirements are met. This point is sometimes overlooked by some observers of the DOE world: they have to remember that the management of the whole site gets into trouble with DOE when an individual facility or project does and that thus individual managers’ unilaterally taking undue risks is bad for the site. The term “institutional safety organization” emphasizes the reliance that site management traditionally places on its own safety people to originate site-specific, facility-specific, and job-specific requirements and to ensure compliance. Note that a site that outsourced rad protection functions would still have to have a few rad protection people of its own to perform oversight functions in order to meet its compliance responsibilities.
Finally, the line manager is a customer, in the sense that he wants good information and guidance from the safety person, as promptly as is possible. But when the “customer” is taken to be primarily the line manager or even to be this manager only, and when the highest and most reiterated goal is to please that customer, the independence and the ability of the safety person to protect the worker is undermined. This certainly happened at ORNL, as I hope I make clear by the examples in other chapters.
Methods of Resolution of Differences, Including Defense by Personal Attack
In cases such as cost-shifting, when the consequences are not stated or are not acknowledged by management, many of the company peons will, in a spirit of helpfulness, innocently point out the drawbacks. They will explain earnestly why the new change won’t work out as planned and urge caution. It is at this point that companies that welcome feedback from their employees part company from those that don’t. The latter will squelch those employees who point out difficulties — by having the employees’ managers emphasize “the party line” and give the employees to understand that these decisions are made at a very high level, by upper managers who are privy to knowledge that the peons are not. They will also make statements similar to “We’ve all got to paddle together or we will just go in circles” that suggest — in code — that a dissenting employee is being disloyal and not a team player.
Similarly, when the O&R people override or ignore the rulings or recommendations of the safety people, especially where this violates procedure, the safety person will point this out to the O&R and safety managers because it is his duty. A safety-conscious company will pay attention to the safety person and will have some mechanism in place to check out the concerns. But a company that mouths safety slogans while actually tolerating significant deviations from good safety practice will behave as though the safety person were at fault, or at least require the safety person to “prove” that the O&R entity is guilty.
In such issues of O&R control of safety, it is at this point that the ad hominem attacks start. The safety person is said to be “difficult”, “extreme in his application of the procedures and regulations”, and “blind to the big picture”; he “refuses to negotiate” and “insists that his way is the only way”. While these criticisms may be true in some cases, they are not necessarily relevant to the issue raised by the safety person. That is, if the issue is not investigated and ruled on by higher authority and if the criticism of the safety person’s personality is the sole justification given for O&R inaction or misaction on the issue, then management has allowed the O&R people to use personality allegations as a substitute for examination of the safety issue.
One problem that does not seem to be addressed in the DOE ISMS documents is how differences of opinion in safety are to be resolved. Is there to be a procedure for this? Will the differences be resolved on an ad hoc basis, and if so, who will determine who resolves them? I believe that my whistleblower activities arose to a large extent because there was no mechanism in place for resolving these differences in the rad protection organization at ORNL; it was simply left to the O&R and safety managers to resolve among themselves, usually with no documentation of the differences or of the subsequent resolutions. Consequently, safety disagreements up to and including violations of DOE regulations were handled in an informal manner, with the only written documentation often being only the odd E-mail message, if that.
I said above that there was no mechanism for resolving safety differences of opinion within the rad protection organization at ORNL; I think there wasn’t one in the other safety organizations either, other than having division managers confer. However, there was supposed to be a “professional difference of opinion” process at ORNL that (as I will explain in a future chapter) was handled by the ORNL Office of Employee Concerns (OEC). I first found out about this in October of 1999 when I went to OEC to report my safety concerns. Mylissa Buttram, the OEC person I spoke with, seemed eager to have me use this process, rather than her having to figure out what else to do with my safety concerns; she was not a technical person and did not seem ever to have had to deal with safety concerns before. I was averse to using the professional difference of opinion process because (1) using it would imply that my concerns were “opinions” and not statements based on firmly documented facts and (2) she said that the process was new and had never been used at ORNL. But so as not to appear uncooperative, I agreed to go along with her proposal to use the procedure. I will describe later the abortive and time-wasting effort to use this process, but I note here that since the existence of this process was not generally known to the ordinary employee, since it was controlled by the demonstrably “tame” Ethics/Employee Concerns people, and since its application was so ill-defined, I do not think that an outside auditor would find that it passed muster as an adequate and reliable safety conflict resolution process.
Further Comments on the ORNL Version of ISMS
For the various reasons given above, I believe that the ORNL interpretation of ISMS is not consistent with the way that DOE and DNFSB intended for the system to work. I believe that this interpretation lends itself to re-creation of the bad old days, when the O&R people were said to have controlled every aspect of work and sometimes departed from good safety practices in order to save time, money, or effort. And I believe that under ISMS, ORNL management came to arrange things so that O&R management could indeed control virtually every aspect of work planning and execution, without the internal checks and balances that DOE and DNFSB intended for there to be. ORNL’s ISMS interpretation, coupled with the “customer” philosophy, almost totally dismantled independent internal oversight at ORNL and despite the passage of time since I was laid off, I have no reason to think that the situation has been corrected. In fact, from later indications, I have reason to think that it may have gotten even worse.
The ORNL safety people formerly provided support and compliance review, thus acting as information providers and documenters on the one hand and as the “rad police”, “industrial safety police”, etc., on the other hand. Then we were told that the expressed philosophy of the new management, UT-Battelle, was as follows. We safety people were not the ensurers of compliance any more: we provided only “support services” to line management, which was totally free to accept or reject our “recommendations” and “suggestions” at its option. The rad protection people and, I believe, the other safety people as well were explicitly told not to consider themselves as providing oversight any more. Even if a safety procedure was violated, the safety people could only point it out to their supervisors and to line management and they to line management — it fell virtually exclusively to line management to do anything about it, at their option.
If there is no effective prospective oversight, then deficiencies will be detected only retrospectively. That is, if there is no effective oversight authority before and during the work, then deficiencies in work planning, etc., will be detected only during audits — which in my experience and by their nature are limited in what they can detect — or when an incident occurs, by which time it may be too late for an injured worker. If line management controls what it reports and how it reports it (as noted earlier, at ORNL, the division in which an incident occurs writes the DOE-required occurrence report, thus largely controlling what is said), a near-miss incident or a small incident or even a series of them may go unreported and thus unanalyzed until an incident with real consequences occurs.
Shortly after UT-Battelle took over management of ORNL under contract to DOE on 1 April 2000, I spoke with a person who was working at Hanford at the same time that Dr. William Madia, the new head of ORNL, was head of Pacific Northwest National Laboratory (PNNL), which Battelle runs under contract to DOE. The person told me that at PNNL, Madia’s approach to safety management was to give line managers all the rope they needed to do a good job and then hang them with it, so to speak, if they screwed up. He added that it was a shame that something bad had to happen in order for correction to occur, i.e., that the managers were corrected only after the fact. This seems to agree with the ORNL ISMS interpretation that the line manager should be given almost total leeway in conducting operations, as long as he committed no serious errors — or as long as the errors were not detected.
Another thing that the informant who worked at Hanford while Madia was there told me was that in those days, the PNNL safety people were divided into two groups, the support people and the oversight people. The latter group was much smaller than the first and did its work in the form of audits and inspections (rather than in the form of involvement in the work planning process itself, apparently). This person opined that the UT-Battelle management intent for ORNL might thus be to have this type of structure. But when I asked who the oversight people were to be at ORNL — considering that no such safety audit-type group had been formed to date — the person said it appeared to him that the ORNL P-AAA organization, or rather the head of the new assessment division that included P-AAA functions, would be performing that function. (P-AAA, again, refers to the Price-Anderson Act and Amendments, the law regarding nuclear financial liability). I pointed out to the informant that it did not appear that there were any professional health physicists working in that organization. He was surprised, but said he assumed that the head of the new assessment division would add people on an ad hoc basis to be the rad protection auditors as needed. As I pointed out to him, if the ad hoc people are from outside ORNL, then they may not be familiar with the facilities and the rad protection procedures — which they would need to be in order to provide oversight on an ongoing basis rather than, e.g., as part of an annual review. I found it hard to believe that DOE and DNFSB would find an occasional audit by the P-AAA people, with only outside rad protection expertise, to be adequate self-oversight. On the other hand, as I pointed out to the person, if the ad hoc people are from within ORNL, they would logically be from the rad protection organization; thus there would be pressure on them not to find fault with O&R groups for whom they might be working the day after the audit. So it appeared that ORNL had no true self-oversight in regard to checking up on how the O&R organizations were performing in the safety area on a prospective basis and on a real-time basis.
At ORNL there used to be various independent oversight committees for particular types of facilities. Each committee had a budget (out of ORNL overhead) to pay for the time of its members and its functional expenses, such as the costs of copying. The approval of the appropriate committee was required for certain O&R activities, usually spelled out in its charter. But when it was seen that reduction or elimination of these committees could result in a cost savings, the Radioactive Operations Committee (which reviewed, e.g., proposed operations for nonreactor facilities such as hot cells and glovebox facilities) was disbanded in about 1995. Also, as I related earlier, the Reactor Operations Review Committee (RORC), of which I was a member for 9 years, was eventually made more limited in its scope and had a “gatekeeper” screen the documents that came to it. The largely successful efforts of the Research Reactors Division, whose operations the RORC reviewed, to limit RORC scrutiny, illustrate how oversight could be significantly undercut and made ineffective, while the façade of independent oversight was maintained.
In fairness, however, I have to note that UT-Battelle did correct two safety management philosophy errors on the part of its predecessor, Lockheed Martin Energy Research (LMER). First, under LMER, the ES&H head did not answer directly to the Lab director, but to the associate director whose purview included not only the safety organization but also at least one O&R group as well. The UT-Battelle ES&H manager, answered to the Lab director from the start. (However, he had the radwaste people, an O&R group in functional terms, under him as well, so that in a sense he was also an operational manager.) Second, at one time most of the safety training, including most of the rad worker training, was provided by Chem Tech — an O&R division. As I noted earlier, they were supposed to have safety organization approval of content, but not, e.g., of the amount of time taken in giving the course or the methods of presentation. This delivery of safety training unrelated to their area of expertise by an O&R division was criticized by an outside auditing team. Under UT-Battelle, the training division was made separate from the O&R division. However, UT-Battelle chose the Chem Tech training head to be the ORNL training head and the degree of approval the safety organizations had over content afterward was unclear. Thus although the conflict of interest was removed, the net effect on the quality of the training may have been nil.
DOE ISMS
As part of my 1999-2000 looking into what DOE says about ISMS I had occasion to speak with a DOE-ORO safety specialist regarding my concerns about ORNL’s rad protection procedure violations. This person sympathized, but said that within DOE they were facing the same problem because ISMS applied within DOE also. That is, the DOE safety people had been told that unless they saw a clear violation or at least very significant indicators of a problem, they were supposed to butt out of the contractor’s business and not meddle. (As another DOE person put it, “We pay them [the contractors] to manage, so let them manage”.) This noninterventionist philosophy was, he stated, supposed to be consistent with the application of ISMS, in that allowing the contractor much more freedom to handle safety matters as it saw fit was supposed to be associated with requiring greater accountability. I pointed out that if DOE was less involved in oversight, they would not see the problems and could not call the contractor to account if something went wrong — the contractor could hide or minimize incidents. The DOE person agreed that DOE’s new hands-off approach made oversight more difficult for DOE safety people and he said that they had expressed concerns to their own management about it. He spoke to his supervisor about what I had said; the supervisor then sent me a nice E-mail message reiterating that DOE’s hands were tied, by order from on high. So, far from micromanaging safety as they allegedly did previously, DOE-ORO people became highly restrained about safety enforcement. This experienced DOE person echoed the remark of my Hanford informant above about its being a shame that they (DOE safety oversight) couldn’t do anything corrective until something significant happened.
DOE certified Phase II of ORNL’s ISMS program in September 2000 — meaning that DOE supposedly evaluated it in detail after ORNL had been working on it a while and DOE had already reviewed it once. In Phase II DOE found it to be adequate in both theory and practice. In blessing ORNL’s approach to ISMS, including (apparently) the complete control of safety by O&R management, DOE may have been ignorant of how ORNL was conducting its safety program in practice, but certainly they turned a blind eye to it when I and others told them what was going on. Let me repeat this for emphasis: I believe that DOE in general was not competent or diligent enough to comprehend what ORNL’s ISMS program actually was, i.e., that they did not realize the implications of how it was actually being conducted. Those DOE people who did realize what was going on, either because they were among the few alert folks or because they were told by ORNL or other people, turned their backs on it or were muzzled. In other chapters, I provide what I hope is ample evidence of this.