While both nuclear safety and nuclear security consider the risk of inadvertent human error, nuclear security places additional emphasis on deliberate acts that are intended to cause harm. Because security deals with deliberate acts, security culture requires different attitudes and behaviour, such as confidentiality of information and efforts to deter malicious acts, as compared with safety culture.
In a similar manner, nuclear security culture refers to the personal dedication and accountability and understanding of all individuals engaged in any activity which has a bearing on the security of nuclear activities.
Therefore, the principal shared objective of security culture and safety culture is to limit the risk resulting from radioactive material and associated facilities. This objective is largely based on common principles, e.g. a questioning attitude, rigorous and prudent approaches, and effective communication and open, two-way- communication.
Many diverse organizations are concerned with nuclear security. These include, in particular, individuals, organizations and institutions engaged in protecting radioactive material and their associated locations, facilities and transport; some of these bodies may have little technical knowledge about nuclear or other radioactive material. This lends greater weight to the need for effective structural, communication, information and exchange systems, and the integration of the functions of these diverse organizations into a unified nuclear security culture.
Competent authorities for safety and security may be located in the same, or different, organizations and may have different forms of supervisory or regulatory power.
In each case, many individuals are part of both the security and safety cultures. For safety culture, all individuals are prevailed upon to share information openly because of this area’s overriding concern for transparency and dialogue. In the same way, security culture requires that individuals respond immediately to confirmed or perceived threats and incidents, and restrict communication to authorized persons with a need to know.
Safety and security cultures coexist and need to reinforce each other because they share the common objective of limiting risk. There will be occasions where there are differences between safety and security requirements.
Therefore, an organization in charge of nuclear matters has to foster an approach that integrates safety and security in a mutually supporting manner.
It is expedient to understand the links between security culture and safety culture. It is clear that these two cultures interact and complement each other in the nuclear field, even if they present their own specific attributes in certain areas. Here the major similarities and dissimilarities associated with these two cultures:
1. SIMILARIES: Security and safety cultures are normally based on the same principles in the main. In safety or in security, the same types of organisations are concerned; for the operators, each organisation must also ensure that these two cultures live side by side. It seems logical that the two cultures can only develop and be maintained if they are promoted at State level and by managers of the organisations concerned, as individuals clearly play a role in their application. Lastly, the same type of requirements are found in the introduction of one or other of these cultures; and
2. DISSIMILARITIES: In terms of human behaviour, safety culture normally revolves around the risk of human errors whilst security culture takes also deliberate acts with the intention of causing harm into consideration. It is therefore important to integrate notions of deterrence and confidentiality in the security culture of all organisations concerned. Differences in involvement can be highlighted for organisations and individuals. For reasons of division of responsibilities and confidentiality of information, a security culture can only be developed with extensive State intervention. Taking into account the external or internal threat to any one country plus the definition of scope of responsibility and access to information is the exclusive remit of each individual State. In addition, the competent authorities in the fields of safety and security may differ; have different structures and a different type of supervisory power.
Worthy of note also is that large numbers of State departments are concerned by security culture. In particular, various intervention bodies are involved in protecting nuclear materials, nuclear facilities and the transport of nuclear materials. This miscellany of actors, all with a special role to play, creates an obligation for structures and communication, information and exchange systems. Organisations must understand and complement each other.
Individuals concerned by both these cultures have potentially specific attitudes, even if appropriation of both cultures is demanded of them. For safety culture, all individuals are requested principally to demonstrate a prudent, questioning attitude and to seek to share information with others in an overriding concern for transparency and dialogue. Security culture requires individuals to show on occasion a speedy reaction to confirmed or assumed threats and that they only communicate information to other authorised people. However, whereas security clearly involves all individuals, some are more especially responsible for applying it and some information must be protected.
The two cultures must not be pitted against each other and one should not have ascendancy over the other.
It is impossible to envisage merging these two cultures into a single entity; they must however coexist and reinforce each other mutually. Each of these cultures must be developed to suit the field of activity of each organisation.
The principal difference between safety culture and security culture may very well be the requirement for secrecy set by security experts, and the lack (and even denial) thereof by safety experts. If, for example, a security measure intends to prevent theft of radioactive material by a terrorist organization, then obviously information about this measure (number of security personnel, or the thickness of the safe in which the source is located) compromises security, and might help the terrorist organization to overcome it. This is not the case for “Classic” safety, absent the threat of deliberate damage. Protection of a package from road accidents and full disclosure of the means of this protection do not increase the chances for such an accident. In fact, as is often the case with people working in a complex technological field, there is a tendency among safety experts to publish their work as much as possible and consult others. The boundaries for secrecy required by security have not been set yet. On one end of the spectrum one may find present security standards which are in the public domain, while on the other end there is a call to put a stop to coverage of radiological terrorism scenarios, which do not detail security measures solely out of fear that it would give terrorists new ideas.
The clash between the two cultures and the fear that one may overtake the other may lead to lack of cooperation, and an injury to “natural” synergy. For example, reservations about the inclusion of security requirements – which have a direct, bearing on safety – in safety standards. The basic solution to this problem appears to be simple; study of the International Atomic Energy Agency’s (IAEA) basic security guidelines reveals that:
- Security requirements or descriptions of security measures are initially generally formulated, and can be published in the public domain; and
- A large part of these requirements have safety connotations.
Obviously, specific security requirements set by individual countries and organizations, which include, for example, the required number of security personnel, cannot be made public. One possible solution to this problem is that any reference to security which has a bearing on safety will also be published in an appropriate safety standard. While this principle is simple and makes clear use of the synergy, it is still far from general acceptance.
The information conflict between safety and security is more serious regarding actions than it is regarding publications:
- Safety experts will require warning signs on vehicles transporting radioactive materials and will prefer to use the signs to supply information on the strength of the source. Security experts may prefer to transport these materials without any markings;
- The transportation of a high activity source will motivate safety experts to announce the fact beforehand, so people may choose to avoid relevant locations. Security experts will be shocked by this idea; and
- In a nuclear facility safety may direct easy emergency access to sensitive locations where a quick intervention may be required, e.g. firefighting.
Security will prefer to limit this access in order to prevent terrorists from exploiting it to cause harm.
It is worth mentioning that nuclear safety is a mature topic, and many countries nowadays have regulatory bodies with a well-established tradition, experts on the matter, and a set of well-tested rules. The increasing need for security of radioactive sources against malicious actions is relatively new. Countries may find themselves without a body whose clear function is to address this matter, and the ‘classic’ regulatory body may lack knowledge and ability to deal with the problem.
Security bodies constantly find themselves pressed for resources, and are unlikely to “volunteer” to take on new responsibilities without an increase in budget and manpower. The suggested potential of shared knowledge and joint action cannot therefore be fulfilled. The code of conduct on the safety and security of radioactive sources naturally compels the countries to take action on the matter: “…that the radioactive sources within its territory, or under its jurisdiction or control, are safely managed and securely protected…”
Therefore, in such a state of events it is up to the country to form the necessary security body. Resource constraints will require that a vigorous action will be needed to persuade officials of the need for such a body. A suitable organization to raise the problem of the lack of a central body to treat radioactive source security is the old regulatory body that deals with safety.
In case of considering should there be a single body for safety as well as security, it must be taken into account the difference between standardizing bodies and regulatory bodies. A standardizing body, for example a national standards organization, or an IAEA standards committee, can choose to form separate standards for safety and security and leave the task of uniting them to the end user organization or the regulator.
A licensee for use of a radioactive source must, eventually, be able to get a clear and definitive answer as to whether the requested licence is granted or not. The tight link in all matters of radiation between safety and security issues leads to a preference for managing the subject by a single entity. Nevertheless, there are certainly quite a few countries where bodies dealing with safety had no call to address security matters in the past and have instead clear cut security bodies, whose cultures and terms may be inherently different from those used by safety experts. This indicates an advantage in addressing the matter by two different bodies while maintaining a tight link between them.
There are several options for the actions of regulatory bodies in aspects of safety and security:
- A single regulatory body with sub-units dealing with safety and security in coordination. This is probably suitable for countries that have worked this way in the past;
- A regulatory body that concentrates on one topic (safety, excluding prevention of deliberate harm, or security) and is assisted by another body that concentrates on the other topic. This structure will suit countries where the regulatory body hardly had any dealings with security matters, and that already have a dominant security body; and
- Two separate regulatory bodies, wherein a licensee must be granted a license by both.
Recognizing that there are different ways of addressing the problem it seems intuitive, while also bearing in mind the constraints that whenever it is possible to incorporate matters of safety and security in an existing structure it is worthwhile to do so.
The growing threat of radiological terrorism has naturally brought about increased activity in its prevention, and involvement of security bodies in the matter, which, as stated before, also contributes to safety. Allegedly, there is an increase in resource allocation, but one must keep in mind that these increased resources are meant to address increased threats. Regulators, for example, which in the past hardly gave any thought to the subject of deliberate harm, now have one more task. Parallel increase in resources is not always easy to obtain. This is indeed a common problem.