Food safety is a high-priority concern for ordinary consumers, and for good reason: the food we eat can poison us or ruin our health, and yet consumers have little ability to evaluate the safety of the foods available in the marketplace. Government regulation of food safety therefore appears to be mandatory in any complex society.
Effective regulation requires several things: science-based rules governing the processes and composition of the products being regulated; consistent and disinterested inspection; effective enforcement of regulations and sanctioning of violations; and oversight by a regulatory agency that is independent of the industry being regulated and insulated from the general political interests of the government within which it exists.
China has experienced many food-contamination scandals in the past twenty years, and food safety is ranked as a high-level concern by many Chinese citizens. In his 2012 post on food safety in China on the Council on Foreign Relations blog (link), Yanzhong Huang writes that “in the spring of 2012, a survey carried out in sixteen major Chinese cities asked urban residents to list ‘the most worrisome safety concerns.’ Food safety topped the list (81.8%), followed by public security (49%), medical care safety (36.4%), transportation safety (34.3%), and environmental safety (20.1%)”. And the public anxiety is well justified (link). In 2012 Bi Jingquan, then the head of the China Food and Drug Administration, testified that “Chinese food safety departments conducted more than 15 million individual inspections in the first three quarters of the year and found more than 500,000 incidents of illegal behavior” (link). Especially notorious is the milk-melamine contamination scandal of 2008, which resulted in the hospitalization of over 50,000 affected children and at least six deaths of children and infants.
The question of interest here has to do with China’s governmental system of regulation of safety in the food system. What are the regulatory arrangements currently in place? And do these governmental systems provide a basis for a reasonable level of confidence in the quality and safety of China’s food products?
Liu, Mutukumira, and Chen 2019 (link) provide a detailed and comprehensive analysis of the evolution of food-safety regulation in China since 1949. This review article is worth studying in detail for the light it sheds on the challenge of establishing an effective system of regulation in a vast population governed by a single-party state. The article is explicit about the food-safety problems that persist on a wide scale in China:
Food safety incidents still occur, including abuse of food additives, adulterated products as well as contamination by pathogenic microorganisms, pesticides, veterinary drug residues, and heavy metals, and use of substandard materials. (abstract)
The authors refer to a number of important instances of widespread food contamination and dangerous sanitary conditions, including “spicy gluten strips” consumed by teenagers.
Liu et al recommend “coregulation” for the China food system, in which government and private producers each play a crucial role in evaluating and ensuring safe food processes and products. They refer to the “Hazard Analysis Critical Control Point (HACCP) system” that should be implemented by food producers and processors (4128), and they emphasize the need in China for a system that succeeds in ensuring safe food at low regulatory cost.
Increasing number of countries uses new coregulation schemes focusing on a specific type of coregulation where regulations are developed by public authorities and then implemented by the coordinated actions of public authorities and food operators or “enforced self-regulation” (Guo, Bai, & Gong, 2019; Rouvière & Caswell, 2012)…. Coregulation aims to combine the advantages of the predictability and binding nature of legislation with the flexibility of self-regulatory approaches. (4128)
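The HACCP idea is concrete enough to sketch. Here is a minimal illustration of the monitoring step of a HACCP plan (my own sketch; the control points and critical limits are illustrative assumptions, not values from Liu, Mutukumira, and Chen; real limits come from a validated hazard analysis):

```python
# Minimal sketch of HACCP-style critical control point (CCP) monitoring.
# The control points and limits below are illustrative assumptions, not
# values from Liu, Mutukumira, and Chen.

CRITICAL_LIMITS = {
    "pasteurization_temp_C": {"min": 72.0},   # assumed critical limit
    "cold_storage_temp_C": {"max": 4.0},      # assumed critical limit
}

def check_ccp(point, reading):
    limits = CRITICAL_LIMITS[point]
    ok = (limits.get("min", float("-inf")) <= reading
          <= limits.get("max", float("inf")))
    if not ok:
        # HACCP requires a documented corrective action at a deviation,
        # not merely a log entry.
        print(f"DEVIATION at {point}: {reading} -> hold lot, notify QA")
    return ok

check_ccp("pasteurization_temp_C", 68.5)   # fails the assumed limit
check_ccp("cold_storage_temp_C", 3.2)      # within the assumed limit
```

The coregulation question is then who writes, validates, and audits such plans: under the scheme the authors describe, the producer implements the monitoring while the public authority validates the hazard analysis and audits the records.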
Here is their outline of the chronology of food-safety regimes in China since 1949:
Previous posts have discussed some of the organizational dysfunctions associated with “coregulation” and its cognate concepts (link). The failures of design and implementation of the Boeing 737 Max are attributed in large part to the system of delegated regulation used by the Federal Aviation Administration (link, link). And the Nuclear Regulatory Commission too appears to defer extensively to “industry expertise” in its approach to regulation (link). The problems of regulatory capture and weak, ineffective governmental regulatory institutions are well understood in the US and Europe. And this experience supports a healthy skepticism about the likely effectiveness of “coregulation” in China’s food system as well. Earlier posts have emphasized the importance of independence of regulatory agencies from both the political interests of the government and the economic interests of the industry that they regulate. This independence appears to be all but impossible in China’s governmental structure and Party rule.
Another weakness identified in Liu et al concerns the level and organizational home of enforcement of food-safety regulations. “The supervision of food safety is mainly dependent on law enforcement departments” (4128). This system is organizationally flawed for several reasons. First, it implies a lack of coordination, with different jurisdictions (cities, provinces, counties) exercising different levels and forms of enforcement. Second, it raises the prospect of corruption, both petty and grand, in which inspectors, supervisors, and enforcers are induced to overlook infractions. This problem was noted in a prior post on fire safety regulation in China (link). The localism inherent in the food safety system in China is evident in Figure 1:
And the authors highlight the dysfunction that is latent in this diagram:
The local government is responsible for food safety information. At the same time, the local government accepts the leadership of the central government and is responsible to the central government, which forms a principal-agent relationship under asymmetric information. Meanwhile, food producers are in a position of information superiority over local governments and are regulated by the local governments. Therefore, the relationship of the central government, local governments, and food producers is multiple principal-agent relationship. Under the standard of fiscal decentralization and political assessment, local governments are both food safety regulatory agencies and regional competitive entities, so the collusion between local governments, or different counties, and enterprises becomes a rational choice (Tirole, 1986). (4134)
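The logic of this collusion can be given a simple schematic statement (my gloss on the Tirole-style argument, not notation drawn from Liu et al). A local regulator tolerates a violation whenever the side payment plus the local economic benefit outweighs the expected sanction from the central principal:

$$B + G > p \cdot F$$

Here \(B\) is the bribe or side payment from the firm, \(G\) is the local growth and tax benefit of keeping the violating producer in operation (which matters under fiscal decentralization and growth-based political assessment), \(p\) is the probability that the central government detects the collusion, and \(F\) is the penalty if it does. Information asymmetry and restricted press coverage keep \(p\) low, so the inequality is easily satisfied and collusion becomes, as the authors put it, “a rational choice”.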
It appears incontrovertible that “publicity” is an important factor in enhancing safety in any industry. If the public is informed about incidents — whether food-safety failures, chemical plant spills, or nuclear disasters — public concern can lead to full and rigorous accident investigation and to process changes supporting greater safety in the future. Conversely, if the government suppresses the news media’s ability to provide information about these kinds of incidents, there is much less public pressure for more effective safety regulation. Chinese leaders’ determination to tightly control the flow of information is decidedly harmful to the goal of increasing food safety and other dimensions of environmental safety.
Liu et al describe the progression of food-safety laws and policies since 1949, and they appear to believe that the situation has improved in the most recent period. They also note, however, that much remains to be done:
With the enactment of the 2015 FSL, China developed and reinforced various regulatory tools. However, there are areas of the law and regulation that need further work, such as effective coordination among government agencies, a focus on appropriate risk communication, facilitating social governance and responsibility, nurturing a food safety culture from bottom-up, and assisting farmers at the primary level (Roberts & Lin, 2016). (4131)
These areas for future improvement are fundamental for establishing a secure and effective safety regime — whether in the area of food safety or in other areas of environmental and industrial safety. And to these we may add several more factors whose absence currently undermines the system: independence of regulatory agencies from government direction and industry capture; freedom of information permitting the public to be well informed about incidents when they occur; and an enforcement system that genuinely deters and ameliorates bad performance and process inadequacies.
A rapidly rising percentage of the Chinese population lives in high-rise apartment buildings in hundreds of cities around the country. There is concern, however, about the quality and effectiveness of fire-safety regulation and enforcement for these buildings (as well as for factories, warehouses, ports, and other structures). This means that high-rise fires represent a growing risk in urban China. Here is a news commentary from CGTN (link) describing a particularly tragic 2010 high-rise fire that engulfed a 28-story building in Shanghai, killing 58 people. The piece serves to identify the parameters of the problem of fire safety more generally.
It is of course true that high-rise fires have occurred in many cities around the world, including the notorious Grenfell Tower disaster in 2017. And many of those fires also reflect underlying problems of safety regulation in the jurisdictions in which they occurred. But the problems underlying infrastructure safety seem to converge with particular seriousness in urban China. And, crucially, major fire disasters in other countries are carefully scrutinized in public reports, providing accurate and detailed information about the causes of the disaster. This scrutiny creates the political incentive to improve building codes, inspection regimes, and enforcement mechanisms of safety regulations. This open and public scrutiny is not permitted in China today, leaving the public largely ignorant of the background causes of fires, railway crashes, and other large accidents.
It is axiomatic that modern buildings require effective and professionally grounded building codes and construction requirements, adequate fire safety system requirements, and rigorous inspection and enforcement regimes that ensure a high level of compliance with fire safety regulations. Regrettably, it appears that no part of this prescription for fire safety is well developed in China.
The CGTN article mentioned above refers to the “effective” high-level fire safety legislation that the central government adopted in 1998, the Fire Control Law of the People’s Republic of China (link), and this legislation warrants close study. Close examination suggests, however, that this guiding legislation lacks crucial elements needed to ensure compliance with safety regulations — especially when compliance is highly costly for the owners and managers of buildings and other facilities. Previous disasters in China suggest a pattern: poor inspection and enforcement prior to an accident or fire, followed by prosecution and punishment of the individuals involved in the aftermath. But this is not an effective mechanism for ensuring safety. Owners, managers, and officials are more than ready to run the small risk of future prosecution for the sake of savings in the present costs of operating their facilities.
The systemic factors that act against fire safety in China include at least these pervasive social and political conditions: ineffective and corrupt inspection offices, powerful property managers who are able to ignore safety violations, pressure from the central government to avoid interfering with rapid economic growth, government secrecy about disasters when they occur, and lack of independent journalism capable of freely gathering and publishing information about disasters.
In particular, the fact that the news media (and now social media as well) are tightly controlled in China is a very serious obstacle to improving safety when it comes to accidents, explosions, train wrecks, and fires. The Chinese news media do not publish detailed accounts of disasters as they occur, and they usually are unable to carry out the investigative journalism needed to uncover the background conditions that created the circumstances in which these catastrophes arise (ineffective or corrupt inspection regimes; enforcement agencies hampered in their work by the political requirements of the state; corrupt practices by private owners and managers of high-rise properties, factories, and ports; and so on). Only when the public becomes aware of the deficiencies in government and business that led to a disaster can reforms be designed and implemented that make such disasters less likely in the future. The lack of independent journalism leaves the public in the dark about these important details of their contemporary lives.
The story quoted above is from CGTN, and it is unusual for its honesty in addressing some of the deficiencies of safety management and regulation in Shanghai. CGTN is an English-language Chinese news service, owned and operated by the state-owned media organization China Central Television (CCTV). As such it is under full editorial control by offices of the Chinese central government, and the government is rarely willing to permit open and honest reporting of major disasters and the organizational, governmental, and private dysfunctions that led to them. It is noteworthy, therefore, that the story is fairly explicit about the dysfunctions and corruption that led to the Shanghai disaster. The article quotes a piece in China Daily (owned by the publicity department of the CCP) that refers to poor enforcement and corruption:
However, a 2015 article by China Daily called for the Fire Control Law to be more strictly enforced, saying that the Chinese public now “gradually takes it for granted that when a big fire happens there must be a heavy loss of life.”
While saying “China has a good fire protection law,” the newspaper warned that it was frequently violated, with fire engine access blocked by private cars, escape routes often blocked and flammable materials still being “widely used in high buildings.”
The article also pointed at corruption within fire departments, saying inspections have “become a cash cow,” with businesses and construction companies paying bribes in return for lax safety standards being ignored.
So — weak inspections, poor compliance with regulations, and corruption. Both the CGTN report and the China Daily story it quotes are reasonably explicit about unpalatable truths. But note: the CGTN story was prepared for an English-speaking audience and is not available to ordinary Chinese readers in China; the same appears to be true of the China Daily article it quotes. And most importantly, the political climate surrounding the journalistic practices of China Daily has tightened very significantly since 2015.
Another major institutional obstacle to safety in China is the lack of genuinely independent regulatory safety agencies. The 1998 Fire Control Law of the People’s Republic of China is indicative. The legislation refers to the responsibility of local authorities (provincial, municipal) to establish fire safety organizations; but it is silent about the nature, resources, and independence of inspection authorities. Here is the language of the first several articles of the Fire Control Law:
Article 2 Fire control work shall follow the policy of devoting major efforts into prevention and combining fire prevention with fire fighting, and shall adhere to the principle of combining the efforts of both specialized organizations and the masses and carry out responsibility system on fire prevention and safety.
Note that this article immediately creates a confusion of responsibility concerning the detailed tasks of establishing fire safety: both “specialized organizations” and “the masses” are assigned responsibility.
Article 3 The State Council shall lead and the people’s governments at all levels be responsible for fire control work. The people’s government at all levels shall bring fire control work in line with the national economy and social development plan, and ensure that fire control work fit in with the economic construction and social development.
Here too is a harmful diffusion of responsibility: “the people’s governments at all levels [shall] be responsible …”. In addition, a new priority is introduced: consistency with the “national economy and social development plan”. This implies that fire safety regulations and agencies at the provincial and municipal levels must balance economic needs against the needs of ensuring safety — a potentially fatal division of priorities. If substituting non-flammable cladding on an 80-story residential building would add one billion yuan to the total cost of the building, does this requirement impede the “national economy and development plan”? Can the owners and managers resist the new regulation on the grounds that it is too costly?
Article 4 The public security department of the State Council shall monitor and administer the nationwide fire control work; the public security organs of local people’s governments above county level shall monitor and administer the fire control work within their administrative region and the fire control institutions of public security organs of the people’s government at the same level shall be responsible for the implementation. Fire control work for military facilities, underground parts of mines and nuclear power plant shall be monitored and administered by their competent units. For fire control work on forest and grassland, in case there are separate regulations, the separate regulations shall be followed.
Here we find specific institutional details about oversight of “nationwide fire control work”: it is the public security organs that are tasked to “monitor and administer” fire control institutions. Plainly, the public security organs have no independence from the political authorities at provincial and national levels; so their conduct is suspect when it comes to the task of “independent, rigorous enforcement of safety regulations”.
Article 5 Any unit and individual shall have the obligation of keeping fire control safety, protecting fire control facilities, preventing fire disaster and reporting fire alarm. Any unit and adult shall have the obligation to take part in organized fire fighting work.
Here we are back to the theme of diffusion of responsibility. “Any unit and individual shall have the obligation of keeping fire control safety” — this formulation suggests that there need not be free-standing, independent, and well-resourced agencies dedicated to ensuring compliance with fire codes, conducting inspections, and enforcing compliance by reluctant owners.
It seems, then, that the 1998 Fire Control Law is largely lacking in what should have been its primary purpose: a specification of the priority of fire safety; the establishment of independent safety agencies at various levels of government, with independent powers of enforcement and adequate resources to carry out their fire safety missions; and a clear statement that there is to be no interference with the proper inspection and enforcement activities of these agencies — whether by other organs of government or by large owners and operators.
The 1998 Fire Control Law was revised in 2009, and a chapter was added entitled “Supervision and Inspection”. Clauses in this chapter offer somewhat greater specificity about inspection and enforcement of fire-safety regulations. Departments of local and regional government are charged to “conduct targeted fire safety inspections” and “promptly urge the rectification of hidden fire hazards” (Article 52). (Notice that the verb “urge” is used rather than “require”.) Article 53 specifies that the police station (public security) is responsible for “supervising and inspecting the compliance of fire protection laws and regulations”. Article 54 addresses the possible discovery of “hidden fire hazards” during fire inspection, which requires notifying the responsible unit of the necessity of eliminating the hazard. Article 55 specifies that if a fire safety agency discovers that fire protection facilities do not meet safety requirements, it must report in writing to the emergency management department of the people’s government at the same level. Article 56 provides specifications aimed at preventing corrupt collaboration between fire departments and units: “Fire rescue agencies … shall not charge fees, shall not use their positions to seek benefits”. And, finally, Article 57 specifies that “all units and individuals have the right to report and sue the illegal activities of the authorities” if necessary. Notice, however, that, first, all of this inspection and enforcement activity occurs within a network of offices and departments ultimately dependent on the central government; and second, the legislation remains very unspecific about how this set of expectations about regulation, inspection, and enforcement is to be implemented at the local and provincial levels. There is nothing in this chapter that gives the observer confidence that effective regulations will be written, that effective inspection processes will be carried out, or that failed inspections will lead to prompt remediation of hazardous conditions.
The Tianjin port explosion in 2015 is a case in point (link, link). Poor regulations, inadequate and ineffective inspections, corruption, and bad behavior by large private and governmental actors culminated in a gigantic pair of explosions involving some 800 tons of ammonium nitrate. This was one of the worst industrial and environmental disasters in China’s recent history, resulting in the loss of 173 lives, including 104 poorly equipped fire fighters. Prosecutions ensued after the disaster, including the conviction and suspended death sentence of Ruihai International Logistics Chairman Yu Xuewei for bribery, and the conviction of 48 other individuals for a variety of crimes (link). But punishment after the fact is no substitute for effective, prompt inspection and enforcement of safety requirements.
It is not difficult to identify the organizational dysfunctions in China that make fire safety, railway safety, food safety, and perhaps nuclear safety difficult to attain. What is genuinely difficult is to see how these dysfunctions can be corrected in a single-party state. Censorship, subordination of all agencies to central control, the omnipresence of temptations to corrupt cooperation — all of these factors seem to be systemic within a one-party state. The party state wants to control public opinion; therefore censorship. The party state wants to control all political units; therefore a lack of independence for safety agencies. And the party state creates positions of decision-making that offer lucrative “rent-seeking” opportunities to office holders; therefore corruption, from small payments to local inspectors to massive transfers of wealth to senior officials. A pluralistic, liberal society embodying multiple centers of power and freedom of press and association is almost surely a safer society. Indeed, this was essentially Amartya Sen’s argument in Poverty and Famines: An Essay on Entitlement and Deprivation, his classic analysis of famine and malnutrition: a society embodying a free press and reasonably free political institutions is much more likely to respond quickly to conditions of famine. His comparison was between India in the Bengal famine (1943) and China in the Great Leap Forward famine (1959-61).
Here is a Google translation of Chapter V of the 2009 revision of the Fire Protection Law of the People’s Republic of China mentioned above.
Chapter V Supervision and Inspection
Article 52 Local people’s governments at all levels shall implement a fire protection responsibility system and supervise and inspect the performance of fire safety duties by relevant departments of the people’s government at the same level.
The relevant departments of the local people’s government at or above the county level shall, based on the characteristics of the system, conduct targeted fire safety inspections, and promptly urge the rectification of hidden fire hazards.
Article 53 Fire and rescue agencies shall supervise and inspect the compliance of fire protection laws and regulations by agencies, organizations, enterprises, institutions and other entities in accordance with the law. The police station may be responsible for daily fire control supervision and inspection, and conduct fire protection publicity and education. The specific measures shall be formulated by the public security department of the State Council.
The staff of fire rescue agencies and public security police stations shall present their certificates when conducting fire supervision and inspection.
Article 54: Fire rescue agencies that discover hidden fire hazards during fire supervision and inspection shall notify the relevant units or individuals to take immediate measures to eliminate the hidden hazards; if the hidden hazards are not eliminated in time and may seriously threaten public safety, the fire rescue agency shall, in accordance with regulations, adopt temporary sealing measures for the dangerous parts or places.
Article 55: If the fire rescue agency discovers during fire supervision and inspection that the urban and rural fire safety layout and public fire protection facilities do not meet fire safety requirements, or finds that there is a major fire hazard affecting public safety in the area, it shall report in writing to the emergency management department of the people’s government at the same level.
The people’s government that receives the report shall verify the situation in a timely manner, organize or instruct relevant departments and units to take measures to make corrections.
Article 56 The competent department of housing and urban-rural construction, fire rescue agencies and their staff shall conduct fire protection design review, fire protection acceptance, random inspections and fire safety inspections in accordance with statutory powers and procedures, so as to be fair, strict, civilized and efficient.
Housing and urban-rural construction authorities, fire rescue agencies, and their staff, when conducting fire protection design review, fire inspection and acceptance, record and spot checks, and fire safety inspections, shall not charge fees and shall not use their positions to seek benefits; nor shall they use their positions to designate, directly or in disguised form, the brands or sales units of fire-fighting products, or the fire-fighting technical service organizations or construction units, for users or construction units.
Article 57 The competent housing and urban-rural construction departments, fire and rescue agencies, and their staff shall, in performing their duties, consciously accept the supervision of society and citizens.
All units and individuals have the right to report and sue the illegal activities of the housing and urban-rural construction authorities, fire and rescue agencies and their staff in law enforcement. The agency that receives the report or accusation shall investigate and deal with it in a timely manner in accordance with its duties.
* * * * *
(Here is a detailed technical fire code for China from 2014 (link).)
Charles Perrow takes a particularly negative view of the possibility of safe management of high-risk technologies in Normal Accidents: Living with High-Risk Technologies. His summary of the Three Mile Island accident is illustrative: “The system caused the accident, not the operators” (12). Perrow’s account of TMI is chiefly an account of complex and tightly-coupled system processes, and the difficulty these processes create for operators and managers when they go wrong. And he is doubtful that the industry can safely manage its nuclear plants.
In examining the safety of high-risk industries, our goal should be to identify some of the behavioral, organizational, and regulatory dysfunctions that increase the likelihood and severity of accidents, and to consider organizational and behavioral changes that would serve to reduce the risk and severity of accidents. This is the approach taken by a group of organizational theorists, engineers, and safety experts who explore the idea and practice of a “high reliability organization”. Scott Sagan describes the HRO approach in these terms in The Limits of Safety:
The common assumption of the high reliability theorists is not a naive belief in the ability of human beings to behave with perfect rationality, it is the much more plausible belief that organizations, properly designed and managed, can compensate for well-known human frailties and can therefore be significantly more rational and effective than can individuals. (Sagan, 16)
Sagan lists several conclusions advanced by HRO theorists, based on a small number of studies of high-risk organizational environments. Researchers have identified a set of organizational features that appear to be common among HROs:
Leadership safety objectives: organizational leaders must place a high priority on avoiding serious operational failures altogether, and must communicate this objective clearly and consistently to the rest of the organization
Redundancy: multiple and independent channels of communication, decision-making, and implementation can produce a highly reliable overall system
Decentralization: authority must exist at lower levels in order to permit rapid and appropriate responses to dangers by the individuals closest to the problems
Culture: recruit individuals who help maintain a strong organizational culture emphasizing safety and reliability
Continuity: maintain continuous operations, vigilance, and training
Organizational learning: learn from prior accidents and near-misses, and improve the use of simulation and the imagination of failure scenarios
Here is Sagan’s effort to compare Normal Accident Theory with High Reliability Organization Theory:
The genuinely important question here is whether there are indeed organizational arrangements, design principles, and behavioral practices that are consistently effective in significantly reducing the incidence and harmfulness of accidents in high-risk enterprises, or whether, on the other hand, the ideal of a “High Reliability Organization” is more chimera than reality.
A respected organizational theorist who has written extensively on high-reliability organizations and practices is Karl Weick. He and Kathleen Sutcliffe attempt to draw some usable maxims for high reliability in Managing the Unexpected: Sustained Performance in a Complex World. They use several examples of real-world business failures to illustrate their central recommendations, including an in-depth case study of the Washington Mutual financial collapse in 2008.
The chief recommendations of their book come down to five maxims for enhancing reliability:
Pay attention to weak signals of unexpected events
Avoid extreme simplification
Pay close attention to operations
Maintain a commitment to resilience
Defer to expertise
Maxim 1 (preoccupation with failure) encourages a style of thinking — an alertness to unusual activity or anomalous events and a commitment to learning from near-misses in the past. This alertness is both individual and organizational; individual members of the organization need to be alert to weak signals in their areas, and managers need to be receptive to hearing the “bad news” when ominous signals are reported. By paying attention to “weak signals” of possible failure, managers will have more time to design solutions to failures when they emerge.
Maxim 2 addresses the common cognitive mistake of subsuming unusual or unexpected outcomes under more common and harmless categories. Managers should be reluctant to accept simplifications. The Columbia space shuttle disaster seems to fall into this category: senior NASA managers dismissed evidence of the foam strike during lift-off by subsuming it under the many earlier instances of debris strikes.
Maxim 3 addresses the organizational failure associated with distant management — top executives who are highly “hands-off” in their knowledge and actions with regard to ongoing operations of the business. (The current Boeing story seems to illustrate this failure; even the decision to move the corporate headquarters to Chicago, very distant from the engineering and manufacturing facilities in Seattle, illustrates a hands-off attitude towards operations.) Executives who look at their work as “the big picture” rather than ensuring high-quality activity within the actual operations of the organization are likely to oversee disaster at some point.
Maxim 4 is both cognitive and organizational. “Resilience” refers to the “ability of an organization (system) to maintain or regain a dynamically stable state, which allows it to continue operations after a major mishap and/ or in the presence of a continuous stress”. A resilient organization is one where process design has been carried out in order to avoid single-point failures, where resources and tools are available to address possible “off-design” failures, and where the interruption of one series of activities (electrical power) does not completely block another vital series of activities (flow of cooling water). A resilient team is one in which multiple capable individuals are ready to work together to solve problems, sometimes in novel ways, to ameliorate the consequences of unexpected failure.
Maxim 5 emphasizes the point that complex activities and processes need to be managed by teams incorporating experience, knowledge, and creativity in order to be able to confront and surmount unexpected failures. Weick and Sutcliffe give telling examples of instances where key expertise was lost at the frontline level through attrition or employee discouragement, and where senior executives substituted their judgment for the recommendations of more expert subordinates.
These maxims involve a substantial dose of cognitive practice, changing the way that employees, managers, and executives think: the importance of paying attention to signs of unexpected outcomes (pumps that repeatedly fail in a refinery), learning from near-misses, making full use of the expertise of members of the organization, …. It is also possible to see how various organizations could be evaluated in terms of their performance on these five maxims — before a serious failure has occurred — and could improve performance accordingly.
It is interesting to observe, however, that Weick and Sutcliffe do not highlight some factors that have been given strong priority in other treatments of high-reliability organizations: the importance of establishing a high priority for system safety in the highest management levels of the organization (which unavoidably competes with cost and profit pressures), the organizational feature of an empowered safety executive outside the scope of production and business executives in the organization, the possible benefits of a somewhat decentralized system of control, the possible benefits of redundancy, the importance of well-designed training aimed at enhancing system safety as well as personal safety, and the importance of creating a culture of honesty and compliance when it comes to safety. When mid-level managers are discouraged from bringing forward their concerns about the “signals” they perceive in their areas, this is a pre-catastrophe situation.
There is a place in the management literature for a handbook of research on high-reliability organizations; at present, such a resource does not exist.
Electronic Health Record systems (EHRs) have been broadly implemented by hospitals and health systems around the country as a way of increasing the accuracy, availability, and timeliness of patient health status and treatment information. (These systems are also sometimes called “Digital Medical Records” (DMRs).) They are generally regarded as an important step forward in improving the quality of healthcare. Here is a description of the advantages of Electronic Health Record systems, according to athenahealth:
The advantages of electronic health records in the clinical setting are numerous and important. In the 2012 edition of the Physician Sentiment Index™, published by athenahealth and Sermo, 81% of physicians said they believe EHRs improve access to clinical data. More than two-thirds said an EHR can actually improve patient care.
The use of an electronic health records system offers these clinical advantages:
No bulky paper records to store, manage and retrieve
Easier access to clinical data
The ability to establish and maintain effective clinical workflows
Fewer medical errors, improved patient safety and stronger support for clinical decision-making
Easier participation in Meaningful Use, Patient-Centered Medical Home (PCMH) and other quality programs, with electronic prompts ensuring that required data is recorded at the point of care
The ability to gather and analyze patient data that enables outreach to discrete populations
The opportunity to interact seamlessly with affiliated hospitals, clinics, labs and pharmacies
Considering all the advantages of electronic health records, and the rapidly growing electronic interconnectedness of the health care world, even if EHRs had not been mandated by health care reform, their development and eventual ubiquity in the health care industry was inevitable.
And yet, like any software system, EHR systems are capable of creating new errors; and some of those errors can be harmful to patients.
Nancy Leveson is an important expert on software system safety who has written extensively on the challenges of writing highly reliable software in safety-critical applications. Here are a few apt observations from her book Safeware: System Safety and Computers (1995).
Although it might seem that automation would decrease the risk of operator error, the truth is that automation does not remove people from systems — it merely moves them to maintenance and repair functions and to higher-level supervisory control and decision making. The effects of human decisions and actions can then be extremely serious. At the same time, the increased system complexity makes the decision-making process more difficult. (10)
The increased pace of change lessens opportunity to learn from experience. Small-scale and relatively nonhazardous systems can evolve gradually by trial and error. But learning by trial and error is not possible for many modern products and processes because the pace of change is too fast and the penalties of failure are too great. Design and operating procedures must be right the first time when there is potential for a major fire, explosion, or release of toxic materials. (12)
(To the last statement we might add “or harm to hospital patients through incorrect prescriptions or failed transmission of lab results”.)
The safety implications of computers exercising direct control over potentially dangerous processes are obvious. Less obvious are the dangers when … software generated data is used to make safety-critical decisions, … software is used in design analysis, … safety-critical data (such as blood bank data) is stored in computer databases. The FDA has received reports of software errors in medical instruments that led to mixing up patient names and data, as well as reports of incorrect outputs from laboratory and diagnostic instruments (such as patient monitors, electrocardiogram analyzers, and imaging devices). (23)
Automatic control systems [like aircraft autopilots] are designed to cope with the immediate effects of a deviation in the process — they are feedback loops that attempt to maintain a constant system state, and as such, they mask the occurrence of a problem in its early stages. An operator will be aware of such problems only if adequate information to detect them is provided. That such information is often not provided may be the result of the different mental models of the designers and experienced operators, or it may merely reflect financial pressures on designers due to the cost of providing operators with independent information. (117)
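Leveson’s point about feedback loops masking early-stage problems can be illustrated with a toy simulation (my own sketch, not an example from Safeware; all values are illustrative). A simple PI controller holds a tank level near its setpoint while a hidden leak grows; an operator who watches only the controlled variable sees a healthy system until the valve saturates:

```python
# Toy illustration of Leveson's masking effect (my construction, not
# from Safeware). A PI controller keeps "level" near the setpoint while
# a growing leak is silently absorbed by ever-larger control action.
SETPOINT = 100.0
KP, KI = 0.5, 0.2      # illustrative controller gains
MAX_INFLOW = 10.0      # physical limit of the inflow valve

level, leak, integral = 100.0, 0.0, 0.0
for t in range(40):
    leak += 0.4                        # the hidden fault grows each step
    error = SETPOINT - level
    integral += error
    inflow = max(0.0, min(MAX_INFLOW, KP * error + KI * integral))
    level += inflow - leak             # simple mass balance
    if t % 5 == 0:
        print(f"t={t:2d}  level={level:6.2f}  inflow={inflow:5.2f}  leak={leak:4.1f}")
```

Until the valve saturates, the displayed level hovers within a couple of units of the setpoint while the control effort climbs steadily; that climbing effort is exactly the kind of independent information Leveson notes is often not provided to operators.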
One of the cases examined in detail in Safeware is the Therac-25 radiation-therapy machine, which, owing to a subtle flaw in its treatment data-entry software, began seriously injuring patients with excessive doses of radiation in 1985-87 (515 ff.). It had operated without incident thousands of times before the first accident.
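At bottom, the Therac-25 flaw was a race condition between concurrent tasks sharing treatment data. The sketch below illustrates that class of bug in schematic form (my own construction; it does not reproduce the machine’s actual code): a setup task snapshots the operator’s entries and slowly configures hardware from the snapshot, while a fast re-edit changes the prescription mid-setup.

```python
import threading
import time

# Schematic sketch of a check-then-act race of the Therac-25 type
# (an illustration of the bug class, not the machine's actual code).
prescription = {"mode": "electron", "energy": "low"}   # shared mutable state
hardware = {}

def setup_beam():
    snapshot = dict(prescription)    # "check": read shared data once
    time.sleep(0.5)                  # slow hardware positioning
    hardware.update(snapshot)        # "act": configure from a stale snapshot

def operator_reedit():
    time.sleep(0.1)                  # a fast edit arrives during setup
    prescription["mode"] = "x-ray"   # the new mode needs different settings
    prescription["energy"] = "high"

t1 = threading.Thread(target=setup_beam)
t2 = threading.Thread(target=operator_reedit)
t1.start(); t2.start(); t1.join(); t2.join()

print("prescription:", prescription)   # what the operator believes
print("hardware:    ", hardware)       # what the machine would deliver
```

The mismatch between the final prescription and the configured hardware is the hazard: nothing forces the setup to be re-run after the edit, the analogue of the Therac-25’s failure to detect rapid operator edits.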
So Leveson gives ample reason to be cautious about the safety implications of DMRs and the “fault pathways” through which their normal functioning might harm patients. What has been the experience so far, now that the healthcare industry has witnessed widespread adoption of DMR systems?
Two specific issues involving EHR errors affecting patient care have been identified in the past several years: errors in the administration of prescription drugs, and errors in the handling and routing of medical test results. Both kinds of error have the potential to harm patients.
Jennifer Bresnick (link) summarizes the results of a report by the Pennsylvania Patient Safety Authority concerning medication errors caused by DMR systems. Medication errors (wrong medication, wrong dose, wrong patient, wrong frequency) can occur at several stages of the clinical process, including prescribing, transcribing, dispensing, and administration. The digital medical record is intended to dramatically reduce all these sources of error, but the Pennsylvania study shows that the DMR can also contribute to errors at each of these stages.
While EHRs and other technologies are intended to reduce errors and improve the safe, standardized, and well-documented delivery of care, some stakeholders believe that digital tools can simply serve to swap one set of mistakes for another. Poor implementation and lackluster user training can leave patients just as vulnerable to medication errors as they were when providers used paper charts, commented Staley Lawes, PharmD, BCPS, Patient Safety Analyst, and Matthew Grissinger, RPh, FISMP, FASCP, Manager of Medication Safety Analysis in the brief. (link)
Part of the blame, according to the Pennsylvania report, belongs to the design of the user interface:
For this reason, it is important to design a system with an intuitive user interface to minimize the risk for human error. Users should be able to easily enter and retrieve data and share information with other healthcare professionals. When systems are designed without these considerations in mind, patients are subject to undue risk. (link)
The report contains several specific design standards that would improve the safety of the DMR system:
“The interaction between clinician and software is a key component that is to be taken into consideration when trying to improve the safety of health IT,” the report says. “Incident reports can provide valuable information about the types of HIT-related issues that can cause patient harm, and ongoing HIT system surveillance can help in developing medication safety interventions.” (link)
It is clear that ongoing health IT system surveillance and remedial interventions are needed. Efforts to improve health IT safety should include attention to software interoperability, usability, and workflow. The relationship between clinician and software includes complex interactions that must be considered to optimize health IT’s contribution to medication safety.
Yackel and Embi (link) treat the problem of test result management errors in “Unintended errors with EHR-based result management: a case series”. Here is their abstract:
Test result management is an integral aspect of quality clinical care and a crucial part of the ambulatory medicine workflow. Correct and timely communication of results to a provider is the necessary first step in ambulatory result management and has been identified as a weakness in many paper-based systems. While electronic health records (EHRs) hold promise for improving the reliability of result management, the complexities involved make this a challenging task. Experience with test result management is reported, four new categories of result management errors identified are outlined, and solutions developed during a 2-year deployment of a commercial EHR are described. Recommendations for improving test result management with EHRs are then given.
They identify test management errors at four stages of the clinical process:
results not correctly communicated to provider;
results communicated but never received or reviewed by the provider;
results reviewed, but appropriate action not recommended by provider;
appropriate recommendation made by provider, but action not carried out.
They make several key recommendations for improving the performance of DMR systems in managing test results: Develop fault-tolerant systems that automatically report delivery failures; use robust testing to find rare errors that occur both within and between systems; implement tracking mechanisms for critical tests, such as cancer screening and diagnostics; and deliver results directly to patients.
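It is easy to sketch in outline what the recommended “tracking mechanisms for critical tests” might look like. Here is a minimal illustration (my own sketch; the class and method names are hypothetical, not drawn from Yackel and Embi or any real EHR product): every critical order carries a review deadline, and unacknowledged results are surfaced for escalation rather than silently lost.

```python
import datetime as dt

# Minimal illustrative sketch (hypothetical names, not a real EHR API):
# critical test orders are tracked until a provider acknowledges review,
# and anything past its deadline is reported rather than silently lost.

class ResultTracker:
    def __init__(self):
        self.pending = {}  # order_id -> (description, review deadline)

    def order_test(self, order_id, description, days_to_review):
        due = dt.datetime.now() + dt.timedelta(days=days_to_review)
        self.pending[order_id] = (description, due)

    def acknowledge(self, order_id):
        # the provider has both received and reviewed the result
        self.pending.pop(order_id, None)

    def overdue(self, as_of=None):
        now = as_of or dt.datetime.now()
        return [(oid, desc) for oid, (desc, due) in self.pending.items()
                if now > due]

tracker = ResultTracker()
tracker.order_test("A100", "colonoscopy biopsy", days_to_review=14)
tracker.order_test("A101", "routine lipid panel", days_to_review=30)
tracker.acknowledge("A101")

# Simulate a check two weeks later: the biopsy was never reviewed.
later = dt.datetime.now() + dt.timedelta(days=15)
for oid, desc in tracker.overdue(as_of=later):
    print(f"ESCALATE: result {oid} ({desc}) not reviewed by its deadline")
```

The point of the design is the second failure category above (results communicated but never received or reviewed): the loop is closed only by an explicit acknowledgment, so a result that is delivered but never reviewed cannot disappear without a trace.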
These are just two types of errors that can arise in digital medical record management systems. It is evident that the designers and implementers of DMRs need to take the systems-safety approach described by Nancy Leveson and implement comprehensive safety failure analysis, both in terms of “safety case analysis” (discovery of failure scenarios) and after-event investigation to identify the source of the failure in the software and its human interface.
These examples are not intended to suggest that DMRs are hazardous and should be avoided. On the contrary, the consolidation and convenient presentation of patient information for the provider is clearly an important step forward. But it is crucial that designers and implementers keep safety at the center of their attention, and that they maintain a healthy respect for the ways in which automated systems can incorporate incorrect assumptions, produce unintended interactions among components, and present information so confusingly to the human provider that patient care suffers.
(Here is a case of treatment involving several different errors conveyed through the digital medical record system that involved attaching biopsy and test results to the wrong patient, leading to the wrong treatment for the patient. It is interesting to read because it reflects some of the complexity identified by Leveson in other system failures.)
Allan McDonald’s Truth, Lies, and O-Rings: Inside the Space Shuttle Challenger Disaster (2009) has given me a somewhat different understanding of the Challenger launch disaster than I had gained from other sources, including Diane Vaughan’s excellent book The Challenger Launch Decision: Risky Technology, Culture, and Deviance at NASA. McDonald is a Morton Thiokol (MTI) insider who was present through virtually all aspects of the evolving solid rocket program at NASA in the two years leading up to the explosion in January 1986. He was director of the Space Shuttle Solid Rocket Motor Project during part of this time, and he represented MTI at the formal Flight Readiness Review panels (FRRs) for several shuttle launches, including the fateful Challenger launch; he was MTI’s senior management representative for the launch of STS-51L Challenger. His account gives a great deal of engineering detail about the Morton Thiokol engineering group’s ongoing concerns about the O-rings in the months preceding the Challenger disaster. This serves as a backdrop for a detailed analysis of the dysfunctions in decision-making at both NASA and Morton Thiokol that led to an insufficient priority being given to safety assessments.
It is worth noting that O-rings were a key part of other large solid-fuel rockets, including the Titan rocket. So there was a large base of engineering and test experience with the performance of the O-rings when exposed to the high temperatures and pressures of ignition and firing.
The biggest surprise to me is the level of informed, rigorous, and evidence-based concern that MTI engineers had about the reliability of the joint seal afforded by the primary and secondary O-rings on the solid rocket motors of the Shuttle system. These specialists had a very good and precise understanding of the mechanics of the problem. Further, there was a good engineering understanding of the expected (and required) time-sequenced performance of the O-rings during ignition and firing. If the sealing action were delayed by even a few hundredths of a second, hot gas would be able to penetrate past the seal. These were not hypothetical worries; they were based on data from earlier launches demonstrating O-ring erosion, and on soot between the primary and secondary rings showing that super-hot gases had penetrated the primary seal. The worst damage and evidence of blow-by had occurred a year earlier on flight STS-51C (January 25, 1985), the lowest-temperature launch yet attempted, at 53 degrees.
Temperatures for the rescheduled January 28 launch were projected to be extremely cold: 22-26 degrees was forecast on January 27, roughly 30 degrees colder than the previous January launch. The projected temperatures immediately raised alarm about the potential effects on the O-rings among the Utah-based engineering team and with McDonald himself. A teleconference was scheduled for January 27 so that the Utah-based Morton Thiokol engineers who had been focused on the O-ring problem could present their recommendation about the minimum acceptable temperature for launch (95).
I tried to reach Larry Mulloy at his hotel but failed, so I called Cecil Houston, the NASA/MSFC Resident Manager at KSC. I alerted him of our concerns about the sealing capability of the field-joint O-rings at the predicted cold temperatures and asked him to set up the teleconference. (96)
The teleconference began at 8:30 pm on the evening before the launch. McDonald was present at Cape Canaveral for the Flight Readiness Review and participated in the teleconference covering the analysis and recommendations from MTI engineering, which led to a recommendation against launching in the expected cold weather conditions.
Thiokol’s engineering presentation consisted of about a dozen charts summarizing the history of the performance of the field-joints, some engineering analysis on the operation of the joints, and some laboratory and full-scale static test data relative to the performance of the O-rings at various temperatures. About half the charts had been prepared by Roger Boisjoly, our chief seal expert on the O-ring Seal Task Force and staff engineer to Jack Kapp, Manager of Applied Mechanics. The remainder were presented by Arnie Thompson, the supervisor of our Structures Section under Jack Kapp, and by Brian Russell, a program manager working for Bob Ebeling. (97)
Boisjoly’s next chart showed how cold temperature would reduce all the factors that helped maintain a good seal in the joint: lower O-ring squeeze due to thermal shrinkage of the O-ring; thicker and more viscous grease around the O-ring, making it slower to move across the O-ring groove; and higher O-ring hardness due to low temperature, making it more difficult for the O-ring to extrude dynamically into the gap for proper sealing. All of these things increased the dynamic actuation time, or timing function, of the O-ring, when at the very same time the O-ring could be eroding, creating a situation where the secondary seal might not be able to seal the motor, not if the primary O-ring was sufficiently eroded to prevent sealing in the joint. (99)
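The timing race Boisjoly described can be stated schematically (my gloss, not McDonald’s or Boisjoly’s own notation). The joint seals safely only if the O-ring’s dynamic actuation is completed before hot-gas erosion defeats the ring:

$$t_{\text{actuation}}(T) < t_{\text{erosion}}$$

Every factor on Boisjoly’s chart (reduced squeeze, stiffer grease, a harder O-ring) increases \(t_{\text{actuation}}\) as the temperature \(T\) falls, while the erosion clock starts at ignition regardless of temperature. Cold weather therefore pushes the joint toward the failing side of the inequality.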
Based on their concerns about temperature and the effectiveness of the seals in the critical half-second of ignition, MTI engineering staff prepared the foundation for a recommendation not to launch in temperatures lower than 53 degrees. Their conclusion as presented at the January 27 teleconference was unequivocally against launch under these temperature conditions:
The final chart included the recommendations, which resulted in several strong comments and many very surprising reactions from the NASA participants in the teleconference. The first statement on the “Recommendations” chart stated that the O-ring temperature must be equal to or greater than 53° at launch, and this was primarily based upon the fact that SRM-15, which was the best simulation of this condition, worked at 53 °. The chart ended with a statement that we should project the ambient conditions (temperature and wind) to determine the launch time. (102)
NASA lead Larry Mulloy contested the analysis and evidence in the slides and expressed great concern about the negative launch recommendation, and he asserted that the data were “inconclusive” in establishing a relationship between temperature and O-ring failure.
Mulloy immediately said he could not accept the rationale that was used in arriving at that recommendation. Stan Reinartz then asked George Hardy, Deputy Director of Science and Engineering at NASA/MSFC, for his opinion. Hardy said he was “appalled” that we could make such a recommendation, but that he wouldn’t fly without Morton Thiokol’s concurrence. Hardy also stated that we had only addressed the primary O-ring, and did not address the secondary O-ring, which was in a better position to seal because of the leak-check. Mulloy then shouted, “My God, Thiokol, when do you want me to launch, next April?” He also stated that “the eve of a launch is a helluva time to be generating new launch commit criteria!” Stan Reinartz entered the conversation by saying that he was under the impression that the solid rocket motors were qualified from 40° to 90° and that the 53° recommendation certainly was not consistent with that. (103)
Joe Kilminster, VP of Space Booster Programs at MTI, then requested a short caucus for the engineering team in Utah to reevaluate the data and consider their response to the skepticism voiced by NASA officials. McDonald did not participate in the caucus, but his reconstruction based on the memories of persons present paints a clear picture. The engineering experts did not change their assessment, and they were overridden by MTI executives Cal Wiggins (VP and General Manager of the Space Division) and Jerry Mason (Senior VP of Wasatch Operations). In opening the caucus discussion, Mason is quoted as saying “we need to make a management decision”. Engineers Boisjoly and Thompson reiterated their technical concerns about the functionality of the O-ring seals at low temperature, with no response from the senior executives. No members of the engineering team spoke up to support a decision to launch. Mason polled the senior executives, including Bob Lund (VP of Engineering), saying to Lund, “It’s time for you, Bob, to take off your engineering hat and put on your management hat.” (111) A positive launch recommendation was then conveyed to NASA, and the process in Florida resumed towards launch.
McDonald spends considerable time describing the business pressure that MTI faced from its largest customer, NASA. NASA was considering opening MTI’s solid-fuel motor work to a second source, inviting competition from other companies, and had also delayed signing a large contract (the Buy-III fixed-cost bid) for the next batch of motors. The collective impact of these actions by NASA could cost MTI over a billion dollars. So MTI management appears to have been under great pressure to accommodate NASA managers’ preferences concerning the launch decision. And it is hard to avoid the conclusion that their decision placed business interests first and the professional judgments of their safety engineers second. In doing so they placed the lives of seven astronauts at risk, with tragic consequences.
And what about NASA? Here the pressures are somewhat less fully developed than in Vaughan’s account, but the driving commitment to achieve a schedule of twenty-four launches per year seems to have been a primary motivation. Delayed launches significantly undermined this goal, which threatened the prestige of NASA, the hope of significant commercial revenue for the program, and the assurance of continuing funding from Congress.
McDonald himself was not a participant in the caucus conference call, but his reconstruction, based on information provided by participants, indicates that the engineers continued to defend their recommendation on the basis of very concrete concerns about the effectiveness of the O-rings in extreme cold. Senior managers indicated their lack of support for this engineering judgment, and in the end Jerry Mason declared that this would need to be a management decision. The FRR team was then informed that MTI had reconsidered its negative recommendation concerning the launch. McDonald refused to sign the launch recommendation document, which was signed instead by his boss Joe Kilminster and faxed to the FRR team.
In hindsight it seems clear that both MTI executives and NASA executives deferred to the business pressures of their respective organizations in the face of well-supported doubts about the safety of the launch. Is this merely 20-20 hindsight? It distinctly appears not to be. The depth of knowledge, analysis, and rational concern present in the engineering group for at least a year prior to the Challenger disaster provided very specific, evidence-based reasons to abort this launch. This was not an intuitive, unspecific set of worries; it was an ongoing research problem that greatly concerned the engineers who were directly involved. And there appears to have been no significant disagreement or uncertainty among them.
So it is hard to avoid a rather terrible conclusion: the Challenger disaster was avoidable and should have been prevented. And the culpability lies with senior NASA and MTI executives who placed production pressures and business interests ahead of normal safety assessment procedures, and ahead of safety itself.
It is worth noting that Diane Vaughan’s assessment is directly at odds with this conclusion. She writes:
We now return to the eve of the launch. Accounts emphasizing valiant attempts by Thiokol engineers to stop the launch, actions of a few powerful managers who overruled a unanimous engineering position, and managerial failure to pass information about the teleconference to senior NASA administrators, coupled with news of economic strain and production pressure at NASA, led many to suspect that NASA managers had acted as amoral calculators, knowingly violating rules and taking extraordinary risk with human lives in order to keep the shuttle on schedule. However, like the history of decision making, I found that events on the eve of the launch were vastly more complex than the published accounts and media representations of it. From the profusion of information available after the accident, some actions, comments, and actors were brought repeatedly to public attention, finding their way into recorded history. Others, receiving less attention or none, were omitted. The omissions became, for me, details of social context essential for explanation. (LC 6215)
Concluding this list of puzzles and contradictions, I found that no one accused any of the NASA managers associated with the launch decision of being an amoral calculator. Although the Presidential Commission report extensively documented and decried the production pressures under which the Shuttle Program operated, no individuals were confirmed or even alleged to have placed economic interests over safety in the decision to launch the Space Shuttle Challenger. For the Commission to acknowledge production pressures and simultaneously fail to connect economic interests and individual actions is, prima facie, extremely suspect. But NASA’s most outspoken critics—Astronaut John Young, Morton Thiokol engineers Al McDonald and Roger Boisjoly, NASA Resource Analyst Richard Cook, and Presidential Commissioner Richard Feynman, who frequently aired their opinions to the media—did not accuse anyone of knowingly violating safety rules, risking lives on the night of January 27 and morning of January 28 to meet a schedule commitment. (kl 1627)
Vaughan’s account includes many of the pivot points of McDonald’s narrative, but she assigns a different significance to many of them. She prefers her “normalization of deviance” explanation over the “amoral calculator” explanation.
(The Rogers Commission report and supporting documents are available online. Here is a portion of the hearings transcripts in which senior NASA officials provide testimony; link. This segment is critical to the issues raised in McDonald’s account, since it addresses the January 27, 1986 teleconference FRR session in which a recommendation against launch was put forward by MTI engineering and was challenged by NASA senior administrators.)
It is of both intellectual and practical interest to understand how organizations function and how the actors within them choose the actions that they pursue. A common answer to these questions refers to the rules and incentives of the organization and then attempts to understand the actor’s choices through the lens of rational preference theory. However, it is now increasingly clear that organizations embody distinctive “cultures” that significantly affect the actions of the individuals who operate within their scope. Edgar Schein is a leading expert on the topic of organizational culture. Here is how he defines the concept in Organizational Culture and Leadership: organizational culture consists of a set of “basic assumptions about the correct way to perceive, think, feel, and behave, driven by (implicit and explicit) values, norms, and ideals” (Schein, 1990).
Culture is both a dynamic phenomenon that surrounds us at all times, being constantly enacted and created by our interactions with others and shaped by leadership behavior, and a set of structures, routines, rules, and norms that guide and constrain behavior. When one brings culture to the level of the organization and even down to groups within the organization, one can see clearly how culture is created, embedded, evolved, and ultimately manipulated, and, at the same time, how culture constrains, stabilizes, and provides structure and meaning to the group members. These dynamic processes of culture creation and management are the essence of leadership and make one realize that leadership and culture are two sides of the same coin. (3rd edition, p. 1)
According to Schein, action within an organization has a cognitive and affective component that has little to do with rational calculation of interests and much to do with how the actors frame their choices. The values and expectations of the organization help to shape the actions of the participants. And one crucial function of leaders, according to Schein, is the role they play in shaping the culture of the organizations they lead.
It is intriguing that several pressing organizational problems have been found to revolve around the culture of the organization within which behavior takes place. The prevalence of sexual and gender harassment appears to depend a great deal on the culture of respect and civility that an organization has embodied — or has failed to embody. The ways in which accidents occur in large industrial systems seem to depend in part on the culture of safety that has been established within the organization. And the incidence of corrupt and dishonest practices within businesses seems to be influenced by the culture of integrity that the organization has managed to create. In each instance experience seems to demonstrate that “good” culture leads to less socially harmful behavior, while “bad” culture leads to more such behavior.
Consider first the prominent role that the idea of safety culture has come to play in the nuclear industry since Three Mile Island and Chernobyl. Here are a few passages from a review document authored by the Advisory Committee on Reactor Safeguards (link).
There also seems to be a general agreement in the nuclear community on the elements of safety culture. Elements commonly included at the organization level are senior management commitment to safety, organizational effectiveness, effective communications, organizational learning, and a working environment that rewards identifying safety issues. Elements commonly identified at the individual level include personal accountability, questioning attitude, and procedural adherence. Financial health of the organization and the impact of regulatory bodies are occasionally identified as external factors potentially affecting safety culture.
The working paper goes on to consider two issues: has research validated the causal relationship between safety culture and safe performance? And should the NRC create regulatory requirements aimed at observing and enhancing the safety culture in a nuclear plant? They note that current safety statistics do not permit measurement of the association between safety culture and safe performance, but that experience in the industry suggests that the answers to both questions are probably affirmative:
On the other hand, even at the current level of industry maturity, we are confronted with events such as the recent reactor vessel head corrosion identified so belatedly at the Davis-Besse Nuclear Power Plant. Problems subsequently identified in other programmatic areas suggest that these may not be isolated events, but the result of a generally degraded plant safety culture. The head degradation was so severe that a major accident could have resulted and was possibly imminent. If, indeed, the true cause of such an event proves to be degradation of the facility’s safety culture, is it acceptable that the reactor oversight program has to wait for an event of such significance to occur before its true root cause, degraded culture, is identified? This event seems to make the case for the need to better understand the issues driving the culture of nuclear power plants and to strive to identify effective performance indicators of resulting latent conditions that would provide leading, rather than lagging, indications of future plant problems. (7-8)
Researchers in the area of sexual harassment have devoted quite a bit of attention to the topic of workplace culture as well. This theme is emphasized in the National Academy study on sexual and gender harassment (link); the authors make the point that gender harassment is chiefly aimed at expressing disrespect towards the target rather than sexual exploitation. This has an important implication for institutional change. An institution that creates a strong core set of values emphasizing civility and respect is less conducive to gender harassment. They summarize this analysis in the statement of findings as well:
Organizational climate is, by far, the greatest predictor of the occurrence of sexual harassment, and ameliorating it can prevent people from sexually harassing others. A person more likely to engage in harassing behaviors is significantly less likely to do so in an environment that does not support harassing behaviors and/or has strong, clear, transparent consequences for these behaviors. (50)
Work by Ben Walsh and colleagues on workplace incivility is representative of this approach. Here is the abstract of a research article by Walsh, Lee, Jensen, McGonagle, and Samnani (link):
Scholars have called for research on the antecedents of mistreatment in organizations such as workplace incivility, as well as the theoretical mechanisms that explain their linkage. To address this call, the present study draws upon social information processing and social cognitive theories to investigate the relationship between positive leader behaviors—those associated with charismatic leadership and ethical leadership—and workers’ experiences of workplace incivility through their perceptions of norms for respect. Relationships were separately examined in two field studies using multi-source data (employees and coworkers in study 1, employees and supervisors in study 2). Results suggest that charismatic leadership (study 1) and ethical leadership (study 2) are negatively related to employee experiences of workplace incivility through employee perceptions of norms for respect. Norms for respect appear to operate as a mediating mechanism through which positive forms of leadership may negatively relate to workplace incivility. The paper concludes with a discussion of implications for organizations regarding leader behaviors that foster norms for respect and curb uncivil behaviors at work.
David Hess, an expert on corporate corruption, takes a similar approach to the problem of corruption and bribery by officials of multinational corporations (link). Hess argues that bribery often has to do with organizational culture and individual behavior, and that effective steps to reduce the incidence of bribery must proceed on the basis of an adequate analysis of both culture and behavior. And he links this issue to fundamental problems in the area of corporate social responsibility.
Corporations must combat corruption. By allowing their employees to pay bribes they are contributing to a system that prevents the realization of basic human rights in many countries. Ensuring that employees do not pay bribes is not accomplished by simply adopting a compliance and ethics program, however. This essay provided a brief overview of why otherwise good employees pay bribes in the wrong organizational environment, and what corporations must focus on to prevent those situations from arising. In short, preventing bribe payments must be treated as an ethical issue, not just a legal compliance issue, and the corporation must actively manage its corporate culture to ensure it supports the ethical behavior of employees.
As this passage emphasizes, Hess believes that controlling corrupt practices requires changing incentives within the corporation while equally changing its ethical culture; in his view, the ethical culture of a company affects the degree to which employees engage in bribery and other corrupt practices.
What these examples have in common — and other examples are available as well — is the idea that intangible features of the work environment are likely to influence the behavior of the actors in that environment, and thereby to affect the favorable and unfavorable outcomes of the organization’s functioning as well. Moreover, if we take the lead offered by Schein and work on the assumption that leaders can influence culture through their advocacy of the values that the organization embodies, then leadership has a core responsibility to facilitate a work culture that produces these favorable outcomes. Work culture can be cultivated to encourage safety and to discourage bad outcomes like sexual harassment and corruption.
The Federal agency responsible for investigating chemical and petrochemical accidents in the United States is the Chemical Safety Board (link). The mission of the Board is described in these terms:
The CSB is an independent federal agency charged with investigating industrial chemical accidents. Headquartered in Washington, DC, the agency’s board members are appointed by the President and confirmed by the Senate.
The CSB’s mission is to “drive chemical safety change through independent investigation to protect people and the environment.” The CSB’s vision is “a nation safe from chemical disasters.” The CSB conducts root cause investigations of chemical accidents at fixed industrial facilities. Root causes are usually deficiencies in safety management systems, but can be any factor that would have prevented the accident if that factor had not occurred. Other accident causes often involve equipment failures, human errors, unforeseen chemical reactions or other hazards. The agency does not issue fines or citations, but does make recommendations to plants, regulatory agencies such as the Occupational Safety and Health Administration (OSHA) and the Environmental Protection Agency (EPA), industry organizations, and labor groups. Congress designed the CSB to be non-regulatory and independent of other agencies so that its investigations might, where appropriate, review the effectiveness of regulations and regulatory enforcement.
The CSB was legislatively conceived on the analogy of the National Transportation Safety Board, and its sole responsibility is to conduct investigations of major chemical accidents in the United States and report its findings to the public. It is not subordinate to OSHA or the EPA, but it collaborates with those (and other) Federal agencies as appropriate (link). It has no enforcement powers; its function is to investigate, report, and recommend when serious chemical or petrochemical accidents have occurred.
One of its most important investigations concerned the March 23, 2005 explosion at BP’s Texas City refinery. The massive explosion killed 15 workers, injured over 170 others, and destroyed a substantial part of the refinery infrastructure. CSB conducted an extensive investigation into the “root causes” of the accident and assigned substantial responsibility to BP’s corporate management of the facility. Here is the final report of that investigation (link), and here is a video prepared by CSB summarizing its main findings (link).
The key findings of the CSB report focus on the responsibility of BP management for the accident. Here is a summary of the CSB assessment of root causes:
The BP Texas City tragedy is an accident with organizational causes embedded in the refinery’s culture. The CSB investigation found that organizational causes linked the numerous safety system failures that extended beyond the ISOM unit. The organizational causes of the March 23, 2005, ISOM explosion are:
BP Texas City lacked a reporting and learning culture. Reporting bad news was not encouraged, and often Texas City managers did not effectively investigate incidents or take appropriate corrective action.
BP Group lacked focus on controlling major hazard risk. BP management paid attention to, measured, and rewarded personal safety rather than process safety.
BP Group and Texas City managers provided ineffective leadership and oversight. BP management did not implement adequate safety oversight, provide needed human and economic resources, or consistently model adherence to safety rules and procedures.
BP Group and Texas City did not effectively evaluate the safety implications of major organizational, personnel, and policy changes.
Underlying almost all of these failures to manage this complex process with a priority on “process safety” rather than simply personal safety is a corporate mandate for cost reduction:
In late 2004, BP Group refining leadership ordered a 25 percent budget reduction “challenge” for 2005. The Texas City Business Unit Leader asked for more funds based on the conditions of the Texas City plant, but the Group refining managers did not, at first, agree to his request. Initial budget documents for 2005 reflect a proposed 25 percent cutback in capital expenditures, including on compliance, HSE, and capital expenditures needed to maintain safe plant operations. The Texas City Business Unit Leader told the Group refining executives that the 25 percent cut was too deep, and argued for restoration of the HSE and maintenance-related capital to sustain existing assets in the 2005 budget. The Business Unit Leader was able to negotiate a restoration of less than half the 25 percent cut; however, he indicated that the news of the budget cut negatively affected workforce morale and the belief that the BP Group and Texas City managers were sincere about culture change. (176)
And what about corporate accountability? What did BP have to pay in recompense for its faulty management of the Texas City refinery and the resulting damages to workers and local residents? The answer is: remarkably little. OSHA assessed a fine of $50.6 million for BP’s violations of safety regulations (link, link), and BP committed to spend at least $500 million on corrective steps within the plant to protect the safety of workers. This was a record fine at the time; and yet it might very well be seen by BP corporate executives as a modest cost of doing business in this industry. It does not seem to be of the magnitude that would lead to fundamental change of culture, action, and management within the company.
BP commissioned a major review of safety in all five of its US-based refineries following release of the CSB report. This study became the Baker Panel Report of the BP U.S. Refineries Independent Safety Review Panel (January 2007) (link). The Baker Panel consisted of fully qualified experts on industrial and technological safety who were in a very good position to assess BP’s safety management and culture in its refinery operations. The Panel was specifically directed to refrain from attempting to assign responsibility for the Texas City disaster and to focus its efforts on assessing the safety culture and management practices then current in BP’s five refineries. Here are some central findings:
Based on its review, the Panel believes that BP has not provided effective process safety leadership and has not adequately established process safety as a core value across all its five U.S. refineries.
BP has not always ensured that it identified and provided the resources required for strong process safety performance at its U.S. refineries. Despite having numerous staff at different levels of the organization that support process safety, BP does not have a designated, high-ranking leader for process safety dedicated to its refining business.
The Panel also found that BP did not effectively incorporate process safety into management decision-making. BP tended to have a short-term focus, and its decentralized management system and entrepreneurial culture have delegated substantial discretion to U.S. refinery plant managers without clearly defining process safety expectations, responsibilities, or accountabilities.
BP has not instilled a common, unifying process safety culture among its U.S. refineries.
While all of BP’s U.S. refineries have active programs to analyze process hazards, the system as a whole does not ensure adequate identification and rigorous analysis of those hazards.
The Panel’s technical consultants and the Panel observed that BP does have internal standards and programs for managing process risks. However, the Panel’s examination found that BP’s corporate safety management system does not ensure timely compliance with internal process safety standards and programs at BP’s five U.S. refineries.
The Panel also found that BP’s corporate safety management system does not ensure timely implementation of external good engineering practices that support and could improve process safety performance at BP’s five U.S. refineries. (Summary of findings, xii-xiii)
These findings largely validate and support the critical assessment of BP’s safety management practices in the CSB report.
It seems clear that an important part of the substantial improvement in aviation safety over the past fifty years is the effective investigation and reporting provided by the NTSB. The NTSB is an authoritative and respected bureau of experts whom the public trusts when it comes to discovering the causes of aviation disasters. The CSB has a much shorter institutional history — it was authorized by Congress in 1990 and began operations in 1998 — but we need to ask a parallel question here as well: Does the CSB provide a strong lever for improving safety practices in the chemical and petrochemical industries through its accident investigations? Or are industry actors largely free to continue their poor management practices indefinitely, secure in the knowledge that large chemical accidents are rare and the costs of occasional liability judgments are manageable?
It is intriguing to observe how pervasive organizational and regulatory failures are in our collective lives. Once you are sensitized to these factors, you see them everywhere. A good example is in the business section of today’s print version of the New York Times, August 1, 2019. There are at least five stories in this section that reflect the consequences of organizational and regulatory failure.
The first and most obvious story is one that has received frequent mention in Understanding Society, the Boeing 737 Max disaster. In a story titled “FAA oversight of Boeing scrutinized”, the reporters describe a Senate hearing on FAA oversight held earlier in the week. Members of the Senate Appropriations Committee questioned the process of certification of new aircraft currently in use by the FAA.
Citing the Times story, Ms. Collins raised concerns over “instances in which FAA managers appeared to be more concerned with Boeing’s production timeline, rather than the safety recommendations of its own engineers.”
Senator Jack Reed referred to the need for a culture change to rebalance the relationship between regulator and industry. Agency officials continued to defend the certification process, which delegates 96% of the certification work to the manufacturer.
This story highlights two common sources of organizational and regulatory failure. First is the fact of “production pressure” coming from the owner of a risky process, involving timing, supply of product, and profitability. This pressure leads the owner to push the organization hard in an effort to achieve its goals — often leading to safety and design failures. The second factor identified here is the structural imbalance between powerful companies running complex and costly processes and the safety agencies tasked with overseeing and regulating their behavior. The regulatory agency, in this case the FAA, is under-resourced and lacks the expert staff needed to carry out a serious process of technical oversight. The article does not identify a third factor, noted in prior posts on the Boeing disaster: the influence that Boeing wields over legislators, government officials, and the executive branch.
A second relevant story (on the same page as the Boeing story) concerns charges filed in Germany against the former CEO of Audi for his role in the vehicle-emissions scandal. This is part of the long-standing deliberate effort by Volkswagen to deceive regulators about the emissions characteristics of its diesel engines and exhaust systems. The charges against the Audi executive involve ordering the development of software designed to cheat diesel emissions testing. This ongoing story is primarily one of corporate dysfunction, in which corporate leaders engaged in unethical and dishonest activities on behalf of the company. Regulatory failure is not a prominent part of this story, because the efforts at deception were so carefully calculated that it is difficult to see how normal standards of regulatory testing could have defeated them. Here the pressing problem is to understand how professional, experienced executives could have been led to undertake such actions, and how the corporation was vulnerable to this kind of improper behavior at multiple levels. Presumably there were staff at multiple levels within these automobile companies who were aware of the improper behavior; the story quotes a mid-level staff person who writes in an email that “we won’t make it without a few dirty tricks.” So the difficult question for these corporations is how their internal systems failed to take note of dangerously improper behavior. The costs to Volkswagen and Audi in liability judgments and government penalties are truly vast, and surely outweigh the possible gains of the deception; in the United States alone these costs exceed $22 billion.
A similar story, this time from the tech industry, concerns the settlement of civil claims against Cisco Systems “that it sold video surveillance technology that it knew had a significant security flaw to federal, state and local government agencies.” Here again we find a case of corporate dishonesty concerning some of the company’s central products, leading to a public finding of malfeasance. The hard question is: what systems are in place at companies like Cisco to ensure ethical and honest presentation of the characteristics and potential defects of the products they sell? The imperative of always maximizing profits and reducing costs leads to many kinds of dysfunctions within organizations, but this is a well understood hazard. So profit-based companies need to have active and effective programs in place that encourage and enforce honest and safe practices by managers, executives, and frontline workers. Plainly those programs broke down at Cisco, Volkswagen, and Audi. (One of the very useful features of Tom Beauchamp’s book Case Studies in Business, Society, and Ethics is the light Beauchamp sheds through case studies on the genesis of unethical and dishonest behavior within a corporate setting.)
Now we go on to Christopher Flavelle’s story about home-building in flood zones. From a social point of view, it makes no sense to continue to build homes, hotels, and resorts in flood zones. The increasing destruction of violent storms and extreme weather events has been evident at least since the devastation of Hurricane Katrina. Flavelle writes:
There is overwhelming scientific consensus that rising temperatures will increase the frequency and severity of coastal flooding caused by hurricanes, storm surges, heavy rain and tidal floods. At the same time there is the long-term threat of rising seas pushing the high-tide line inexorably inland.
However, Flavelle reports research by Climate Central showing that since 2010 the rate of home-building in flood zones has exceeded the rate of home-building in non-flood zones in eight states. So what are the institutional and behavioral factors that produce this amazingly perverse outcome? The article points to the incentives of local municipalities to generate property-tax revenue, and to the desires of potential homeowners, fueled by urban sprawl, for second-home properties on the water. Here is a tragically short-sighted development official in Galveston who finds that “the city has been able to deal with the encroaching water, through the installation of pumps and other infrastructure upgrades”: “You can build around it, at least for the circumstances today. It’s really not affected the vitality of things here on the island at all.” The factor that is not emphasized in this article is the role played by the National Flood Insurance Program in the problem of coastal (and riverine) development. If flood insurance rates were calculated in terms of the true riskiness of the proposed residence, hotel, or resort, then it would no longer be economically attractive to do the development (the toy calculation after the following excerpt illustrates the point). But, as the article makes clear, local officials do not like that answer because it interferes with “development” and property tax growth. ProPublica has an excellent 2013 story on the perverse incentives created by the National Flood Insurance Program, and its inequitable impact on wealthier home-owners and developers (link). Here is an article by Christine Klein and Sandra Zellmer in the SMU Law Review on the dysfunctions of Federal flood policy (link):
Taken together, the stories reveal important lessons, including the inadequacy of engineered flood control structures such as levees and dams, the perverse incentives created by the national flood insurance program, and the need to reform federal leadership over flood hazard control, particularly as delegated to the Army Corps of Engineers.
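The point about risk-based pricing is easy to make concrete with a toy expected-loss calculation. The sketch below is purely illustrative: the flood probability, damage estimate, and subsidized premium are hypothetical numbers chosen to show the mechanics, not actual NFIP rates.

```python
# Toy comparison of a risk-based flood-insurance premium with a
# below-risk ("subsidized") premium. All numbers are hypothetical,
# chosen only to illustrate the incentive gap described above.

annual_flood_probability = 0.04   # e.g., a "25-year" floodplain location
expected_damage = 250_000         # expected loss per flood event, in dollars

# Actuarially fair premium: the expected annual loss.
fair_premium = annual_flood_probability * expected_damage

subsidized_premium = 1_500        # hypothetical below-risk premium

print(f"risk-based premium:      ${fair_premium:,.0f}/yr")       # $10,000/yr
print(f"subsidized premium:      ${subsidized_premium:,.0f}/yr")
print(f"implicit annual subsidy: ${fair_premium - subsidized_premium:,.0f}")
```

On numbers like these, a waterfront project that pencils out at $1,500 a year in insurance costs simply does not pencil out at $10,000 a year; that is the sense in which accurate pricing would make much floodplain development economically unattractive.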
Here is a final story from the business section of the New York Times illustrating organizational and regulatory dysfunctions — this time from the interface between the health industry and big tech. The story describes an effort by DeepMind researchers to use artificial intelligence techniques to provide early diagnosis of otherwise mysterious medical conditions like “acute kidney injury” (AKI). The approach proceeds by analyzing large numbers of patient medical records and attempting to identify precursor conditions that predict the occurrence of AKI. The primary analytical tool mentioned in the article is the set of algorithms associated with neural networks. In this instance the organizational / regulatory dysfunction is latent rather than explicit, and it has to do with patient privacy. DeepMind is a business unit within Alphabet, the Google empire of businesses, and DeepMind researchers gained access to large volumes of patient data from the UK National Health Service. There is now regulatory concern in the UK and the US about the privacy of patients whose data may wind up in the DeepMind analysis and ultimately in Google’s direct control. “Some critics question whether corporate labs like DeepMind are the right organization to handle the development of technology with such broad implications for the public.” The issue here is a complicated one. It is of course a good thing to be able to diagnose disorders like AKI in time to correct them. But the misuse and careless custody of user data by numerous big tech companies, including especially Facebook, suggest that sensitive personal data like medical files need to be carefully secured by effective legislation and regulation. So far the regulatory system appears inadequate to the task of protecting individual privacy in a world of massive databases and large-scale computing capabilities. The recent FTC $5 billion settlement imposed on Facebook, large as it is, may not suffice to change Facebook’s business practices (link).
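To make the modeling approach concrete, here is a minimal sketch of the kind of predictive model the article describes: a small neural network trained to flag at-risk patients. Everything here is hypothetical: synthetic data, invented features, and a toy training loop, intended only to illustrate the technique, not DeepMind's actual model or data.

```python
# Minimal sketch of a neural-network risk model of the kind described
# above; synthetic data and invented features, purely illustrative.
import numpy as np

rng = np.random.default_rng(0)

# Hypothetical features per patient record:
# age, baseline creatinine, 48-hour creatinine trend, systolic BP.
n = 1000
X = rng.normal(size=(n, 4))
# Synthetic "ground truth": risk driven mainly by the creatinine trend.
y = (X[:, 2] + 0.5 * X[:, 1] + rng.normal(scale=0.5, size=n) > 1.0).astype(float)

# One hidden layer, trained by gradient descent on the logistic loss.
W1 = rng.normal(scale=0.1, size=(4, 8)); b1 = np.zeros(8)
W2 = rng.normal(scale=0.1, size=8);      b2 = 0.0

def sigmoid(z):
    return 1.0 / (1.0 + np.exp(-z))

lr = 0.1
for _ in range(2000):
    h = np.tanh(X @ W1 + b1)           # hidden-layer activations
    p = sigmoid(h @ W2 + b2)           # predicted AKI probability
    g = (p - y) / n                    # gradient of mean logistic loss w.r.t. logits
    W2 -= lr * (h.T @ g); b2 -= lr * g.sum()
    gh = np.outer(g, W2) * (1 - h**2)  # backprop through tanh
    W1 -= lr * (X.T @ gh); b1 -= lr * gh.sum(axis=0)

print(f"training accuracy: {((p > 0.5) == y).mean():.0%}")
```

A real system would differ in every particular (far richer features, more sophisticated architectures, calibration, clinical validation), but the privacy concern in the article is visible even in the sketch: the model is only as good as the breadth of the patient records it is trained on.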
(I didn’t find anything in the sports section today that illustrates organizational and regulatory dysfunction, but of course these kinds of failures occur in professional and college sports as well. Think of doping scandals in baseball, cycling, and track and field, sexual abuse scandals in gymnastics and swimming, and efforts by top college football programs to evade NCAA regulations on practice time and academic performance.)
The 1986 meltdown of reactor number 4 at the Chernobyl Nuclear Power Plant was the greatest nuclear disaster the world has yet seen. Less well known is the Kyshtym disaster of 1957: a catastrophic explosion in an underground nuclear waste storage facility at the Mayak plutonium production complex in the Eastern Ural region of the USSR, which released a massive quantity of radioactive material. Information about the disaster was tightly restricted by Soviet authorities, with predictably bad consequences.
Zhores Medvedev was one of the first qualified scientists to provide information and hypotheses about the Kyshtym disaster. His book Nuclear Disaster in the Urals was written while he was in exile in Great Britain and appeared in 1980. It is fascinating to learn that his reasoning was based on his study of ecological, biological, and environmental research done by Soviet scientists between 1957 and 1980. Medvedev was able to piece together the extent of contamination, and the general nature of the cause of the event, from information about radioactive contamination of lakes and streams in the region that was included incidentally in scientific reports of the period.
It is striking that scientists in the United States were deeply skeptical of Medvedev’s assertions. W. Stratton et al published a review analysis in Science in 1979 (link) that found Medvedev’s reasoning unpersuasive.
A steam explosion of one tank is not inconceivable but is most improbable, because the heat generation rate from a given amount of fission products is known precisely and is predictable. Means to dissipate this heat would be a part of the design and could be made highly reliable. (423)
They offer an alternative hypothesis about the possible radioactive contamination in the Kyshtym region — the handful of multimegaton nuclear weapons tests conducted by the USSR in the Novaya Zemlya area.
We suggest that the observed data can be satisfied by postulating localized fallout (perhaps with precipitation) from explosion of a large nuclear weapon, or even from more than one explosion, because we have no limits on the length of time that fallout continued. (425)
And they consider weather patterns during the relevant time period to argue that these tests could have been the source of the radiation contamination identified by Medvedev. But Novaya Zemlya is over 1,000 miles north of Kyshtym (20 degrees of latitude), so while fallout from the nuclear tests is a possible alternative hypothesis, it is far-fetched. They conclude:
We can only conclude that, though a radiation release incident may well be supported by the available evidence, the magnitude of the incident may have been grossly exaggerated, the source chosen uncritically, and the dispersal mechanism ignored. Even so we find it hard to believe that an area of this magnitude could become contaminated and the event not discussed in detail or by more than one individual for more than 20 years. (425)
The heart of their skepticism depends on an entirely indefensible assumption: that Soviet science, engineering, and management were fully capable of designing and implementing a safe system for nuclear waste storage. They were perhaps right about the scientific and engineering capabilities of the Soviet system, but the management systems in place were woefully inadequate. Their account rested on an assumption of the straightforward application of engineering knowledge to the problem, and it failed to take into account the defects of organization and oversight that were rampant within Soviet industrial systems. And in the end the core of Medvedev’s claims has been validated.
Another official report, compiled by Los Alamos scientists and released in 1982, concluded unambiguously that Medvedev was mistaken and that the widespread ecological devastation in the region resulted from small and gradual processes of contamination rather than a massive explosion of waste materials (link). Here is the conclusion put forward by the study’s authors:
What then did happen at Kyshtym? A disastrous nuclear accident that killed hundreds, injured thousands, and contaminated thousands of square miles of land? Or, a series of relatively minor incidents, embellished by rumor, and severely compounded by a history of sloppy practices associated with the complex? The latter seems more highly probable.
So Medvedev is dismissed.
After the collapse of the USSR, voluminous records about the Kyshtym disaster became available from secret Soviet files, and those records make it plain that the US scientists had badly misjudged the event. Medvedev was much closer to the truth than were Stratton and his colleagues or the authors of the Los Alamos report.
A scientific report based on Soviet-era documents that were released after the fall of the Soviet Union appeared in the Journal of Radiological Protection in 2017 (A V Akleyev et al 2017; link). Here is their brief description of the accident:
Starting in the earliest period of Mayak PA activities, large amounts of liquid high-level radioactive waste from the radiochemical facility were placed into long-term controlled storage in metal tanks installed in concrete vaults. Each full tank contained 70–80 tons of radioactive wastes, mainly in the form of nitrate compounds. The tanks were water-cooled and equipped with temperature and liquid-level measurement devices. In September 1957, as a result of a failure of the temperature-control system of tank #14, cooling-water delivery became insufficient and radioactive decay caused an increase in temperature followed by complete evaporation of the water, and the nitrate salt deposits were heated to 330 °C–350 °C. The thermal explosion of tank #14 occurred on 29 September 1957 at 4:20 pm local time. At the time of the explosion the activity of the wastes contained in the tank was about 740 PBq [5, 6]. About 90% of the total activity settled in the immediate vicinity of the explosion site (within distances less than 5 km), primarily in the form of coarse particles. The explosion gave rise to a radioactive plume which dispersed into the atmosphere. About 2 × 10⁶ Ci (74 PBq) was dispersed by the wind (north-northeast direction with wind velocity of 5–10 m s⁻¹) and caused the radioactive trace along the path of the plume. Table 1 presents the latest estimates of radionuclide composition of the release used for reconstruction of doses in the EURT area. The mixture corresponded to uranium fission products formed in a nuclear reactor after a decay time of about 1 year, with depletion in ¹³⁷Cs due to a special treatment of the radioactive waste involving the extraction of ¹³⁷Cs. (R20-21)
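As a quick sanity check on the quoted activity figures (my own arithmetic, not part of the Akleyev report), the curie-to-becquerel conversion confirms that the two numbers are consistent:

```python
# Check that the quoted 2e6 Ci release matches the quoted 74 PBq.
# 1 curie = 3.7e10 becquerels, by definition.
CI_TO_BQ = 3.7e10

released_ci = 2e6                               # activity dispersed by the wind
released_pbq = released_ci * CI_TO_BQ / 1e15    # becquerels -> petabecquerels

print(f"{released_pbq:.0f} PBq")                              # -> 74 PBq
print(f"fraction of tank inventory: {released_pbq/740:.0%}")  # -> 10%
```

So roughly a tenth of the tank’s 740 PBq inventory was carried off by the wind, consistent with the report’s statement that about 90% of the activity settled within 5 km of the site.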
Akleyev et al identify the resulting region of radiation contamination, known as the East Urals Radioactive Trace (EURT).
The EURT encompasses some 23,000 square kilometers (8,880 square miles). Plainly Akleyev et al describe a massive disaster: a very large explosion in an underground nuclear waste storage facility, large-scale dispersal of nuclear materials, and evacuation of the population throughout a large region. This is very close to the description provided by Medvedev.
A somewhat surprising finding of the Akleyev study is that the exposed population did not show dramatically worse health outcomes and mortality relative to unexposed populations. For example, “Leukemia mortality rates over a 30-year period after the accident did not differ from those in the group of unexposed people” (R30). Their epidemiological study for cancers overall likewise indicates only a small effect of accidental radiation exposure on cancer incidence:
The attributable risk (AR) of solid cancer incidence in the EURTC, which gives the proportion of excess cancer cases out of the sum of excess and baseline cases, calculated according to the linear model, made up 1.9% over the whole follow-up period. Therefore, only 27 cancer cases out of 1426 could be associated with accidental radiation exposure of the EURT population. AR is highest in the highest dose groups (250–500 mGy and >500 mGy) and exceeds 17%.
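The attributable-risk arithmetic quoted here is easy to verify (my own check of the reported numbers, not part of the study):

```python
# Verify the attributable-risk (AR) figure quoted from Akleyev et al.
# AR = excess cases / (excess + baseline cases); the study associates
# 27 of 1426 solid cancer cases with accidental radiation exposure.
excess_cases = 27
total_cases = 1426   # excess + baseline cases in the exposed cohort

attributable_risk = excess_cases / total_cases
print(f"AR = {attributable_risk:.1%}")   # -> 1.9%, matching the reported value
```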
James Mahaffey’s history of nuclear accidents, Atomic Accidents, gives a vivid account of the conditions that produced the explosion:

In the crash program to produce fissile bomb material, a great deal of plutonium was wasted in the crude separation process. Production officials decided that instead of being dumped irretrievably into the river, the plutonium that had failed to precipitate out, remaining in the extraction solution, should be saved for future processing. A big underground tank farm was built in 1953 to hold processed fission waste. Round steel tanks were installed in banks of 20, sitting on one large concrete slab poured at the bottom of an excavation, 27 feet deep. Each bank was equipped with a heat exchanger, removing the heat buildup from fission-product decay using water pipes wrapped around the tanks. The tanks were then buried under a backfill of dirt. The tanks began immediately to fill with various waste solutions from the extraction plant, with no particular distinction among the vessels. The tanks contained all the undesirable fission products, including cobalt-60, strontium-90, and cesium-137, along with unseparated plutonium and uranium, with both acetate and nitrate solutions pumped into the same volume. One tank could hold probably 100 tons of waste product.
In 1956, a cooling-water pipe broke leading to one of the tanks. It would be a lot of work to dig up the tank, find the leak, and replace the pipe, so instead of going to all that trouble, the engineers in charge just turned off the water and forgot about it.
A year passed. Not having any coolant flow and being insulated from the harsh Siberian winter by the fill dirt, the tank retained heat from the fission-product decay. Temperature inside reached 660° Fahrenheit, hot enough to melt lead and cast bullets. Under this condition, the nitrate solutions degraded into ammonium nitrate, or fertilizer, mixed with acetates. The water all boiled away, and what was left was enough solidified ANFO explosive to blow up Sterling Hall several times, being heated to the detonation point and laced with dangerous nuclides.
Sometime before 11:00 P.M. on Sunday, September 29, 1957, the bomb went off, throwing a column of black smoke and debris reaching a kilometer into the sky, accented with larger fragments burning orange-red. The 160-ton concrete lid on the tank tumbled upward into the night like a badly thrown discus, and the ground thump was felt many miles away. Residents of Chelyabinsk rushed outside and looked at the lighted display to the northwest, as 20 million curies of radioactive dust spread out over everything sticking above ground. The high-level wind that night was blowing northeast, and a radioactive plume dusted the Earth in a tight line, about 300 kilometers long. This accident had not been a runaway explosion in an overworked Soviet production reactor. It was the world’s first “dirty bomb,” a powerful chemical explosive spreading radioactive nuclides having unusually high body burdens and guaranteed to cause havoc in the biosphere. The accidentally derived explosive in the tank was the equivalent of up to 100 tons of TNT, and there were probably 70 to 80 tons of radioactive waste thrown skyward. (KL 5295)
So what were the primary organizational and social causes of this disaster? One is the haste in nuclear design and construction that resulted from Stalin’s insistence on moving the Soviet nuclear weapons program forward as rapidly as possible. As is evident in the Chernobyl case as well, the political pressures placed on engineers and managers by these political priorities often led to disastrous decisions and actions. A second is the institutionalized system of secrecy that surrounded industry generally, the military specifically, and the nuclear industry most especially. A third is the casual attitude taken by Soviet officials towards the health and wellbeing of the population. And a final cause highlighted by Mahaffey’s account is the low level of attention given at the plant level to safety and maintenance of highly risky facilities. Stratton et al based their analysis on the fact that the heat-generating characteristics of nuclear waste were well understood and that effective means existed for controlling those risks. That may be so; what they failed to anticipate is that these risks would be fundamentally disregarded on the ground and in the supervisory system above the Kyshtym complex.
(It is interesting to note that Mahaffey himself underestimates the amount of information that is now available about the effects of the disaster. He writes that “studies of the effects of this disaster are extremely difficult, as records do not exist, and previous residents are hard to track down” (kl 5330). But the Akleyev study mentioned above provides extensive health details about the affected population, made possible by data that were collected during Soviet times and long concealed.)
Readers may be skeptical about the practical importance of the topic of nuclear power plant siting decisions, since very few new nuclear plants have been proposed or approved in the United States for decades. However, the topic is one for which there is an extensive historical record, and it is a process that illuminates the challenge for government of balancing risk and benefit, private gain and public cost. Moreover, siting inherently raises issues of concern both to the public in general (throughout a state or region of the country) and to the citizens who live in close proximity to the recommended site. The NIMBY problem is unavoidable — it is someone’s backyard, and it is a worrisome neighbor. So this is a good case in terms of which to think creatively about the responsibilities of government for ensuring the public good in the face of risky private activity, and about the detailed institutions of regulation and oversight that would make wise public outcomes more likely.
I’ve been thinking quite a bit recently about technology failure, government regulation, and risky technologies, and there is a lot to learn about these subjects from the history of nuclear power in the United States. Two books in particular have been interesting to me. Neither is particularly recent, but both shed valuable light on the public-policy context of nuclear decision-making. The first is Joan Aron’s account of the processes that led to the cancellation of the Shoreham nuclear power plant on Long Island (Licensed To Kill?: The Nuclear Regulatory Commission and the Shoreham Power Plant), and the second is Donald Stever, Jr.’s account of the licensing process for the Seabrook nuclear power plant in Seabrook and The Nuclear Regulatory Commission: The Licensing of a Nuclear Power Plant. Both are fascinating books, well worthy of study as a window into government decision-making and regulation. Stever’s book is especially interesting because it is a highly capable analysis of the licensing process, both at the state level and at the level of the NRC, and because Stever himself was a participant: as an assistant attorney general in New Hampshire, he was assigned the role of Counsel for the Public throughout the state licensing process.
Joan Aron’s 1997 book Licensed to Kill? is a detailed case study of the effort to establish the Shoreham nuclear power plant on Long Island in the 1980s. LILCO had proposed the plant to respond to the rising demand for electricity on Long Island as population and energy use grew. And Long Island is a long, narrow island on which traffic congestion at certain times of day is legendary; evacuation planning was both crucial and, in the end, perhaps impossible.
This is an intriguing story, because it led eventually to the cancellation of the operating license for the plant by the NRC after completion of the plant. And the cancellation resulted largely from the effectiveness of public opposition and interest-group political pressure. Aron provides a detailed account of the decisions made by the public utility company LILCO, the AEC and NRC, New York state and local authorities, and citizen activist groups that led to the costliest failed investment in the history of nuclear power in the United States.
In 1991 the NRC made the decision to rescind the operating license for the Shoreham plant, after completion at a cost of over $5 billion but before it had generated a kilowatt of electricity.
Aron’s basic finding is that the project collapsed in costly fiasco because of a loss of trust among the diverse stakeholders: LILCO, the Long Island public, state and local agencies and officials, scientific experts, and the Nuclear Regulatory Commission. The Long Island tabloid Newsday played a role as well, sensationalizing every step of the process and contributing to public distrust. Aron finds that the NRC and LILCO underestimated the need for a full analysis of the safety and emergency preparedness issues raised by the plant’s design, including the problem of evacuating a largely inaccessible island of two million people in the event of disaster. LILCO’s decision to upscale the capacity of the plant in the middle of the process contributed to the failure as well. And the Three Mile Island disaster of 1979 gave new urgency to the concerns of citizens living within fifty miles of the Shoreham site about the risks of a nuclear plant.
As we have seen, Shoreham failed to operate because of intense public opposition, in which the governor played a key role, inspired in part by the utility’s management incompetence and distrust of the NRC. Inefficiencies in the NRC licensing process were largely irrelevant to the outcome. The public by and large ignored NRC’s findings and took the nonsafety of the plant for granted. (131)
The most influential issue was public safety: would it be possible to perform an orderly evacuation of the population near the plant in the event of a serious emergency? Clarke and Perrow (included in Helmut Anheier, ed., When Things Go Wrong: Organizational Failures and Breakdowns) provide an extensive analysis of the failures that occurred during tests of the emergency evacuation plan designed by LILCO. As they demonstrate, the errors that occurred during the evacuation test were both “normal” and potentially deadly.
One thing that comes out of both books is the fact that the commissioning and regulatory processes are far from ideal examples of the rational development of sound public policy. Rather, business interests, institutional shortcomings, lack of procedural knowledge by committee chairs, and dozens of other factors lead to outcomes that appear to fall far short of what the public needs.

But in addition to these ordinary intrusions into otherwise rational policy deliberations, there are other reasons to believe that decision-making is more complicated and less rational than a simple model of public policy formation would suggest. Every decision-maker brings a set of “framing assumptions” about the reality concerning which he or she is deliberating, and these framing assumptions impose an unavoidable kind of cognitive bias on collective decision-making. A business executive brings a worldview to the question of regulating risk that is quite different from that of an ecologist or an environmental activist. This is different from the point often made about self-interest; our framing assumptions do not feel like expressions of self-interest, but rather like secure convictions about how the world works and what is important in it. This is one reason why the work of social scientists like Scott Page (The Difference: How the Power of Diversity Creates Better Groups, Firms, Schools, and Societies) on the value of diversity in problem-solving and decision-making is so important: by bringing multiple perspectives and cognitive frames to a problem, we are more likely to reach a balanced decision that gives appropriate weight to the legitimate interests and concerns of all involved.
Here is an interesting concrete illustration of cognitive bias (with a generous measure of self-interest as well) in Stever’s discussion of siting decisions for nuclear power plants:
From the time a utility makes the critical in-house decision to choose a site, any further study of alternatives is necessarily negative in approach. Once sufficient corporate assets have been sunk into the chosen site to produce data adequate for state site review, the company’s management has a large enough stake in it to resist suggestions that a full study of site alternatives be undertaken as a part of the state (or for that matter as a part of the NEPA) review process. Hence, the company’s methodological approach to evaluating alternates to the chosen site will always be oriented toward the desired conclusion that the chosen site is superior. (Stever 1980: 30)
This is the bias of sunk costs, both inside the organization and in the cognitive frames of independent decision makers in state agencies.
Stever’s central point here is an important one: the pace of site selection favors the energy company’s choices over the concerns and preferences of affected groups, because the company is in a position to dedicate substantial resources to the development of its preferred site proposal before public review begins. Likewise, scientific experts have a difficult time making their concerns about habitat or traffic flow heard in this context.
But here is a crucial thing to observe: the siting decision is only one of dozens in the development of a new power plant, which is itself only one of hundreds of government / business decisions made every year. What Stever describes is a structural bias in the regulatory process, not a one-off flaw. At bottom, this is the task that government faces when considering the creation of a new nuclear power plant: “to assess the various public and private costs and benefits of a site proposed by a utility” (32); and Stever’s analysis makes it doubtful that existing public processes do this in a consistent and effective way. Stever argues that government needs to have more of a role in site selection, not the lesser role that pro-market advocates demand: “The kind of social and environmental cost accounting required for a balanced initial assessment of, and development of, alternative sites should be done by a public body acting not as a reviewer of private choices, but as an active planner” (32).
Notice how this scheme shifts the pace and process of site selection from the company to the relevant state agency. The preliminary site selection and screening is done by a state site planning agency, with input then invited from the utility companies and interest groups, followed by a formal environmental assessment. This places the power squarely in the hands of the government agency rather than the private owner of the plant, reflecting the overriding interest the public has in ensuring health, safety, and environmental controls.
Stever closes a chapter on regulatory issues with these cogent recommendations (38-39):
Electric utility companies should not be responsible for decisions concerning early nuclear-site planning.
Early site identification, evaluation, and inventorying is a public responsibility that should be undertaken by a public agency, with formal participation by utilities and interest groups, based upon criteria developed by the state legislature.
Prior to the use of a particular site, the state should prepare a complete environmental assessment for it, and hold adjudicatory hearings on contested issues.
Further effort should be made toward assessing the public risk of nuclear power plant sites.
In areas like New England, characterized by geographically small states and high energy demand, serious efforts should be made to develop regional site planning and evaluation.
Nuclear licensing reform should focus on the quality of decision-making.
There should be a continued federal presence in nuclear site selection, and the resolution of environmental problems should not be delegated entirely to the states.
(It is very interesting to me that I have not been able to locate a full organizational study of the Nuclear Regulatory Commission itself.)