Assessing and Enhancing Nuclear Safety and Security Culture for Small Facilities that Handle Radioactive Material

The use of radioactive materials is increasing rapidly all over the world. There is, thus, a clear need in the current global landscape for safe and secure applications of radioactive material. For decades, safety and security have been the nuclear industry’s top priorities, particularly in relation to protecting humans from the negative impacts of ionizing radiation. Nuclear security culture prioritizes human safety, but technical guidelines alone can only do so much to protect people. Furthermore, there are still some discrepancies among international guidelines and recommendations regarding the assessment 1 of nuclear safety and security culture—and these protocols primarily target “large” users. This paper assesses the prevailing safety and security culture and the degree to which it is successful in keeping people safe from radioactive materials. The paper also offers some guidance to small users that handle radioactive materials, regarding how they may enhance their own nuclear safety and security cultures.


I. Introduction
In the nuclear industry, both safety and the culture that guides nuclear safety have been generally accepted for decades. Safety culture is regularly assessed by nuclear operators and by many international organizations, such as the International Atomic Energy Agency (IAEA), Operational Safety Review Team (OSART), Assessment of Safety Culture in Organizations Team (ASCOT), and the World Association of Nuclear Operators (WANO). The importance of security and security culture has also been emphasized consistently at Nuclear Security Summits. Though the first summit concentrated primarily on fissile materials, the second in Seoul (2012) and the third in The Hague (2014) made it explicit that radioactive materials should have a status equal to other items at the top of the nuclear security agenda [1]. 1 Although the paper is about the methodology and processes of the assessment, there are no significant differences between an external assessment and a self-assessment. As such, the paper is also applicable for a self-assessment of an organization.
Nuclear safety and security share the same objective: to protect people, society at large, and the environment from the harmful consequences of a nuclear and/or radiological disaster. While some safety issues have no security implications and vice versa, in most cases they are not mutually exclusive and have to be managed in an integrated manner [2]. This paper analyzes the possibility of combining safety and security culture assessments, and it also examines the integrity of management, regulations, and the control of sensitive information.
From a regulatory perspective, there is no distinct line between the safety and security of "large" and "small" "nuclear and other non-nuclear users, other radioactive material-associated facilities or activities" [3]. Regulations and guidelines typically classify users by the diversity of applications and by the applied materials, whether nuclear or radiological. While helpful, such guidelines fail to account for the fact that most facilities do not differ in the type of applied materials they control. This paper advocates for an alternative approach to culture assessments of nuclear users that draws a distinction between large and small facilities 2 , for which anonymity might not be fully protected. More importantly, this paper will analyze and methodize a set of best practices for assessing and enhancing the culture of safety and security in small facilities.

II. Safety and Security Culture
Awareness and assessment are essential in developing and maintaining safety and security. The purpose of a culture assessment is to provide a clear picture of the influence of the human factor on an organization's safety and security regime. Revealing the culture's strengths and weaknesses helps the management and the facility in the enhancement process [4].
Safety and security are two distinct terms. Nuclear safety refers to the protocols meant to reduce the nuclear and radiological risks to humans and the environment, whether they are caused by human error, equipment failure, or an internal or external event (security events can also trigger the release of radioactivity). Security is concerned with reducing a facility's vulnerability to theft of nuclear materialin the form of fresh and irradiated reactor fuel or isotope targets-or other radioactive material. Security also aims to reduce instances of sabotage, resulting in the release of the large inventories of fission and activation products or other high-activity radioactive materials contained in the research reactor facility.
While necessary, safety alone fails to protect nuclear or other radioactive material from theft, sabotage, or other illicit acts. Similarly, security is necessary, but in isolation it does not sufficiently protect people or the environment from a radioactive release caused by a malicious act. While some safety issues have no security implications and vice versa, in most cases they are not mutually exclusive and have to be managed in an integrated manner [2].
Human involvement is a significant factor of safety and security, but technical solutions can protect us only so much. Thus, the importance of safety and security culture is essential. This approach to safety and security is concerned with prevention and, critically, response [5]. Safety and security culture enhancement has three major goals [1]: • Emphasize the importance of safety and security, of the nature and immediacy of the threats and risks, and of personal accountability. • Improve manager commitment and performance, both in terms of enhancing and contributing to a strong culture of safety and security effectiveness.
• Establish an organizational policy and structure that are the basis of a strong safety and security culture.

A. Safety Culture
Safety culture is defined as "the assembly of characteristics and attitudes in organizations and individuals, which establishes that, as an overriding priority, protection and safety issues receive the attention warranted by their significance." Effective safety culture creates an environment in which: • Trust permeates the organization.
• Open reporting of deviations and errors is encouraged.
• Management shows continuous efforts to strive for openness throughout the organization [6].

B. Security Culture
Nuclear security culture is defined as "the assembly of characteristics, attitudes and behavior of individuals, organizations and institutions which serves to support, enhance and sustain nuclear security" [7].
Proper security culture creates a setting in which: • Individuals respect restrictions applying to information relevant to security • Due considerations to maintain security are made when reporting deviations and errors • Individuals adhere to physical security barriers

C. Integrating Safety and Security Culture
The principally shared objective of nuclear security and safety is the protection of people, society, and the environment from potentially harmful consequences of a nuclear event. To develop nuclear safety and security is to instill among all personnel a general awareness of the risks that radioactive material and associated facilities pose, and the sense of responsibility to minimize those risks [9].
Common elements and indicators of good nuclear safety and security cultures are: • Leadership for safety and security is clear; • Accountability for safety and security is clear; • Safety and security are learning-driven; • Safety and security are clearly recognized values; • Safety and security are integrated into all activities.
From a technical perspective, combining safety and security culture in users' assessments would be the optimal approach-it would be more cost-effective and more valid because overly frequent assessments can negatively affect results [9]. On the other hand, consolidating the assessments into one would present some challenges, which demand that users: • Consider more sophisticated technical preparation and evaluation to create an overall organizational culture with an integrated and harmonized safety and security approach. Guidance regarding the assessment of nuclear safety and security cultures has existed for years, but a common and integrated approach is still missing. • Anticipate difficulties with the harmonization of the responsibilities and commitment of the management. The cooperation between the divisions is also challenging. The energies that are spared with the combination are wasted on the collaboration of the different divisions and the misalignment of management. • Bear in mind the varying levels of information sensitivity: it must be considered that safety and security have different levels of information sensitivity and that during an integrated cultural assessment, this information is mixed.

III. Considerations Regarding the Assessment of Small Facilities
Awareness and culture assessment play key roles in developing, maintaining, and enhancing nuclear safety and security culture. The assessment provides a clear picture of the human factor in an organization's security [4] and safety regime. The following section details basic considerations, which offer small facilities a methodology for efficient safety and security culture assessment.

A. International Guidance and Recommendations
Despite the enhancement of the culture being the nominal goal of assessment, it is a relatively new research topic. IAEA is already working on a set of guidelines about the methods of security culture enhancement [3]. The Code of Conduct for the Safety and Security of Radioactive Sources also emphasizes the necessity of a strong culture for safety and security. Unfortunately, it was originally oriented largely for safety and radiation protection as opposed to security. The notion of protecting people from radioactive materials as opposed to protecting those materials from people still takes precedence [4].
In the IAEA [10-12], WANO [13], and WINS [14] guidelines, the model of nuclear safety and security culture already exists as a generic template-its characteristics and indicators are also applicable to regulators and other organizations. On the other hand, it lacks specificity and requires adjustment, addition, and, especially, technical knowledge in order to be adopted by small facilities [4]. Because of the lack of expertise and experience, especially among some users of radioactive sources, it is a challenge to apply some of these directives and regulations to accommodate the needs of small facilities.

B. Barriers of Small Facilities
In addition to the general nature of these guidelines, there are several other differences between the assessment and enhancement of small and large users/facilities. The possible barriers are: • Poor safety and security culture, which consists of the previous barriers.

C. Anonymity
Anonymity is a basic requirement of both safety and security culture assessment [10,11,13,14]. It is essential because with anonymity, people are more likely to be honest and critical [19][20][21][22][23]. Lu and Bol came to the conclusion that participants in anonymous e-peer review performed better on writing performance tasks and provided more critical feedback to their peers than did other participants in the identifiable e-peer review [24]. On the other hand, the failure of anonymity in this context is that the merits of reported opinions can be weaker [25]. Unfortunately, it must be considered that a culture assessment of small facilities may not be viable without sacrificing some anonymity.

D. Reliability and Validity:
Reliability and validity are also important considerations that factor into small facility assessment. Validity refers to the credibility and believability of the assessment. Does the conducted assessment really indicate the culture of security? Does the applied assessment indicate the culture of safety and/or security of the facility? The international protocols [10- 12,14] help with examples and recommendations about the form and language of the assessment, but the basic premise is that the questions have to be clearly articulated and easily understood-the assessment must be translated into the language used by the facility.
Reliability equates to "repeatability," which means that the only reason results should differ is because of a culture change. Re: small facilities, we must think differently and sacrifice repeatability for efficiency. It is a very difficult challenge to perfectly repeat two culture assessments if the whole facility has only ten, twenty, or even fifty employees. The assessment must prioritize safety and security culture, in which the strong and weak points of the culture can be strengthened.

IV. Methods
The various nuclear security and safety culture assessment guidelines [10, 11, 14] list multiple methods of assessing organizations, accounting for the advantages and disadvantages of each method. Each method produces different information and engages the facility in a different way, but applying these methods to small facilities can be difficult.

A. Level Evaluation and Culture Enhancement
Evaluating and enhancing the culture of radiological facilities involves three possible options. These methods perfectly describe the possibilities of small facilities [4].

i. Basic method, observe the metrics
This method is based strictly on statistical methods and information from document review, observations, and other sources. This method indicates only the surface of culture and behavior.

ii. Intermediate, based on the manager
This type of assessment is based on manager participation. Management indexes have limited utility but can pinpoint the functional areas where major deficiencies or gaps are most likely to exist because of inadequate human performance. Although the commitment of management is a prerequisite of successful assessment, the management is just one part of an organization. They make decisions and serve as role models, but it is typically incumbent upon the staff to follow their lead.

iii. Comprehensive, multilevel process, with enhancement
A comprehensive assessment is a multi-stage process comprising both non-interactive and interactive assessment tools that focus on management and adherence to IAEA, WINS, or WANO guidelines. The following technical methods help the facility accomplish assessment on a more comprehensive level.

B. Questionnaire/survey
This is perhaps the most popular method of safety and security culture assessment and has already been deeply analyzed and presented by several international studies [10, 11, 14]. One major advantage is that these surveys represent an easy way to assess many people while allowing a quick turnaround of the data. Compared to other methods, the measurements are very reliable, meaning similar assessment conditions can be easily created.
On the other hand, this method has several limitations. A poorly developed questionnaire can result in false conclusions [11]. But the greatest deficiency of this method is that a statistically sound analysis is not always possible below a certain participant threshold-thresholds that some small facilities fail to exceed. Also, effective assessments must focus on the strengths and weaknesses of the culture, which means these questionnaires are only viable if they ask open-ended questions. Without numbers and scales, survey methods like written review are more difficult to evaluate.

C. Document Review
Reviewing documents reveals how an organization presents itself in writing and where the organization's members share values and basic assumptions. It examines how the organization thinks and intends to behave and can provide insight into how an organization prioritizes-or fails to prioritize-security/safety through its documentation to work in practice. The method is valid and offers great utility because it is grounded in the reality of the organization [11].
The method has some limitations, however, that make it quite difficult for small facilities to apply it. It is usually a very labor-intensive method because assessors are required to identify relevant information within a large number of documents. Even though the number of documents could be even lower in a small organization, directness of the communication [18] could cause difficulties in precise and accurate administration. A lot of documents-programs, logs, results, previous assessments, etc-can be reviewed, but review is most efficient if the examined document has a connection with some other results about culture; not all documents reflect true internal thinking. Another disadvantage is that it is only applicable insofar as it complements other methods, which makes the overall assessment of small facilities a bit more complicated. These factors compound further the existing difficulties and the problem of anonymity.

D. Observation
Cultural observation is different than task observations normally conducted in nuclear facilities. It is comparatively descriptive and not based on normative standards, which provides information about people in their actual work contexts, such as how they interact, their work practices, and what they pay attention to in their daily work. Observations may be used on a continual basis, not just during assessment. Observations can be comprised from focus groups or interviews, or without any interaction.
The greatest shortcoming of observations is the tendency to make false conclusions from small numbers of findings or to examine individual behavior instead of underlying cultural indicators [11]. For this reason, observation alone is not especially recommended for small facilities. Observations also require training and experience to, among other things, reduce the observer effect, where the observed participants behave as they think they should.

E. Interview
For small organizations, the interview is probably the most important method of cultural assessment. It is partially dependent on the behavior of the interviewer, and thus, special qualification and experience are needed. Interviews provide a high degree of interaction, facilitating opportunities for participants to introduce issues and themes they might have noticed.
There are three types of interviews: structured, semi-structured, and unstructured. Structured interviews work with prepared questions, and the interviewers have minimal space to manipulate the topic. It is more of an oral survey than an interview. Semi-structured interviews are meant to gather contextual information about the organization. In unstructured interviews, open questions are asked, allowing the interviewee to steer the interview. The focus is on gaining a deeper understanding of how the interviewee thinks [11].
The biggest limitation of the interview method is the lack of anonymity, which has already been calculated as a factor at small facilities. Indeed, qualified experts are necessary, and the interview is one of the most time-consuming and expensive methods, though it is probably the most adequate method of assessing a small facility.

F. Focus Groups
A focus group is a grouped interview and consists of in-depth discussion and dialogue among a small number of people (6)(7)(8)(9)(10)(11)(12)(13)(14)(15) under the guidance of one to three facilitators. Focus groups are useful for exploring the social dynamics within a group, and as a means of answering qualitative questions, such as "why" as opposed to "how many." For a small facility, a discussion about safety and security culture, and the possible problems with management systems during training could also be an unofficial type of focus group. Focus groups can be used at any stage of the assessment.
The limitation of the focus group is that a skilled facilitator is necessary, one who can handle passivity, or even too much activity, within the group and create a good environment for the conversation [11]. Another limitation is that in a small facility only a small number of focus groups can be organized, and special attention must be paid to reduce dependency within the group as much as possible.

G. Enhancement: The Road to an Effective Culture
Culture enhancement's goal is to develop awareness of possible risks to security and safety and to translate awareness into action and appropriate behavior that addresses those risks. Such actions can only be achieved with the involvement and determined commitment of the management, which at small facilities is even more essential. Key indicators of good safety and security culture are: 1. Education that provides an understanding of the rationale, basic principles, and mechanisms. 2. Training that produces skills, knowledge, and information enabling staff to perform their securityrelated roles and responsibilities.
3. Created awareness that allows staff to recognize threats, risks, and their implications, and has the capacity to address them. 4. Committed staff that understands the necessity of safety and security (education), is fully aware of their safety and security-related roles (training), and are able to combine their knowledge and skills to address risks. Focused people are motivated to contribute to an effective safety and security culture [1].

V. The Assessment Process of Small Facilities
There are already several publications [10,11,14] that recommend processes of nuclear security or safety culture assessment. The following section describes a possible example, showing how both safety and security approaches can be integrated into a single culture assessment and enhancement process. For the assessment, Edgar Schein recommends an integrated "clinical method," where the processes and methods of the assessments and enhancement are integrated [26]. Step 1: Determine the assessment team and be aware of the regulatory requirements and recommendations The assessment team must first be aware of the requirements. Before the assessment, the management must delegate the required resources and assets-and most importantly, support and stand behind the value of nuclear safety and security culture. ii.
Step 2: Prepare the organization for assessment: Training and discussion about the assessment A prerequisite for successful assessment and enhancement programs is the preparation of the facility. IAEA guidance emphasizes the importance of managements' commitment and confidentiality for its participants to conduct assessment on a voluntary basis.

iii.
Step 3: Conduct the initial assessment The method of the first assessment of an organization depends on various factors: • A basic document review is strongly recommended to see how the regulations of the facility connect to the daily routine. • Staging a formal or informal focus group with the management, or with a few competent people, can be useful. • It is not necessarily cost-efficient, but if the facility can afford it, the most recommended initial assessment method is the interview.

B. Repeated Assessment
The assessment of the culture for safety and security is not just a one-time effort to fulfill the requirements of regulations or recommendations. It is a continuous process, which is especially true for small facilities, where there should be no strict line between the process of the assessment and the enhancement. The next steps present guidance for perpetual assessment and enhancement of nuclear security/safety culture. i.
Step 5: Cultural change process, training, and discussion After the initial communication channel of the assessment has opened, the actual enhancement begins. This a long and trying process during which management and staff walk the path of safety and security culture enhancement. They all influence each other with every decision and action. ii.
Step 6: Capture lessons learned and follow-up enhancement A follow-up is not an additional assessment, but rather, merely a summary of the goals that were accomplished, which confirms the effectiveness and indicates the progress of the entire process. The time frame is usually between 6-18 months. iii.
Step 7: Prepare the organization for the assessment Regulations and guidelines recommend repeating assessment every 2-5 years, perhaps with different methods.

iv.
Step 8: Conduct the assessment The difference between the initial and the repeated assessment is method adjustment. Using various methods raises the efficiency. Section III described that for small facilities, some compromises must be made to reduce the requirement of repeatability for efficiency.

v.
Step 9: Summarize and communicate the findings The main purpose of nuclear and radiological safety and security culture is to raise awareness and vigilance; proper communication, training, and assessment can thereby prevent serious incidents and accidents.

VI. Conclusion
With the ever-expanding use of nuclear and radioactive materials, there can be no doubt about the increasing necessity of nuclear safety and security, particularly among small facilities. The major risk to an organization's safe and secure operation is its own staff. The goal of the concept of nuclear safety and security culture, then, is to reduce those risks. Although they share the same goals, there are still some contradictions among the international guidelines and recommendations for culture assessmentespecially as they concern small facilities. This presents another challenge: that the general nature of assessment guidance burdens small facilities; the target audience is often the "large" users. Therefore, there is a real need to specify the methods and processes of nuclear safety and security culture assessment and enhancement to accommodate those small facilities. This paper analyzed the possibility of integrating safety and security culture assessments. It also demonstrates that assessment is not just a single effort to meet the requirements set forth in regulations or recommendations. It is a continuous process, which is especially true for small facilities, in which the relationship between the processes of assessment and enhancement should be more harmonious.