Nuclear Security Culture Self-Assessment in a Radioactive Material Associated Facility

The following publication summarizes the short history and fundamentals of the International Atomic Energy Agency’s Nuclear Security Culture programme in general and provides details of the recommended self-assessment methodology. A preliminary Nuclear Security Culture (NSC) self-assessment is presented on the basis of the 026 Nuclear Security Technical Document (NST) Draft in the special case of a radioactive material associated facility. Besides the purposes described in the 026 NST Draft (to test the level of NSC inside the facility, the problems, the roots of the problems and the possible conclusions), the main goal was to test the conformance of the guidance itself and the facility's preparedness for and attitude towards security self-assessment. Even though the direct answers and the results are not allowed to be publicized, the conclusions will be instructive for associated facilities as well as for competent authorities.


Fundamentals of Nuclear Security
Nuclear security [1: 15] is the prevention and detection of, and response to, theft, sabotage, unauthorized access and illegal transfer or other malicious acts involving nuclear and other radioactive materials and associated facilities and activities. The IAEA Nuclear Security Series (NSS) publications [2] are consistent with the nuclear security related international instruments such as the Convention on the Physical Protection of Nuclear Material [3] and the Amendment thereto, [4] the Code of Conduct on the Safety and Security of Radioactive Sources, [5] the Supplementary Guidance on the Import and Export of Radioactive Sources, [6] the United Nations Security Council resolutions 1373 [7] and 1540 [8] and the International Convention for the Suppression of Acts of Nuclear Terrorism. [9]

Background of NSC Self-Assessment Draft Technical Guidance
The first implementing guide level document was published by the IAEA in 2008. The NSS No. 7 [10] provides a model for nuclear security culture including the visible and non-visible elements of NSC based on a general organizational culture model. Nuclear security culture is defined as "the assembly of characteristics, attitudes and behaviour of individuals, organizations and institutions which serves as a means to support and enhance nuclear security." [10: 3] In 2013, the IAEA published NSS 20, [11] "Objective and Essential Elements of a State's Nuclear Security Regime, Nuclear Security Fundamentals." Essential Element 12c of NSS 20 is "Developing, fostering and maintaining a robust nuclear security culture." 026 NST Draft [12] provides a comprehensive methodology for evaluating the level of nuclear security culture. Deductions in this publication focus on security culture assessment in organizations operating facilities using or storing radioactive material.
1 e-mail: csurgai.jozsef@uni-nke.hu 2 e-mail: mate.solymosi@somos.hu 3 e-mail: horvathk@haea.gov.hu 4 e-mail: gyula.vass@katved.gov.hu
The IAEA Nuclear Security Plan for 2014-2017 (Plan) reaffirms that a sustainable nuclear security culture is needed to manage activities involving nuclear and other radioactive materials. Under the framework of the IAEA Plan, implementing sustainable nuclear security in States requires adequate time for the institutionalization of a functioning nuclear security culture. The Plan provides a roadmap for achieving these goals. [13] The foundation of the Hungarian regulation is Act CXVI of 1996 on Atomic Energy [14], which contains a basis for the peaceful use of nuclear energy. The fundamental document of nuclear security regulations is Government Decree 190/2011 (IX. 19.) [15] on physical protection requirements for various applications of atomic energy, and on the corresponding system of licensing, reporting and inspection.
Following the No. 7 Implementing Guide on Nuclear Security Culture, the Hungarian Atomic Energy Authority (HAEA) also published its versions of the guidance: HAEA FV 6 [16], Guidance on Nuclear Security Culture, and, following NST 026, the Hungarian draft guidance Nuclear Security Culture Self-Assessment [17].

NSC Self-Assessment - Concept and Practice
The purpose of nuclear security culture self-assessment is to provide a clear picture of how much nuclear security is part of the organization's culture. The key role of security culture self-assessment is to develop the organization's nuclear security culture:
• it has a heavy focus on perceptions;
• regular assessments help managers to understand the reasons for an organization's patterns of behaviour in certain circumstances, because the first step is up to them to take: first of all they have to set a good example for the employees;
• it helps to devise optimal security arrangements by understanding the deeper ground;
• it also helps to predict how the workforce may react to the unknown.
The process involves evaluating the key characteristics of nuclear security culture in the organization by comparing what the culture is at present to its optimal parameters. Such evaluations must specify certain indicators as reference levels. The nuclear security culture indicators perform four main functions:
• monitor the level of security awareness in the organization;
• determine and improve tools and procedures for mapping nuclear security;
• provide guidance for making a strategy to improve nuclear security;
• motivate the management and staff to take any actions necessary.
The main difference from audit-type assessments is that the intangible human elements are in the focus, not the technical issues. The results will rarely point to specific actions and still less to an immediate response. Changing the culture within an organisation is a long-term challenge.

Self-Assessment Methods in the 026 NST Draft
The IAEA's draft technical guidance on NSC self-assessment considers the main questions: why different security-related issues emerge, what the root causes of problems are and how nuclear security and nuclear security culture can be enhanced.
The 026 NST Draft describes the four basic assessment techniques to measure the level of NSC. Every method has its own advantages and disadvantages, and for an optimal assessment we have to choose carefully from them. We have to exploit the advantages of the methods and minimize the risk of an inefficient survey. For example, we can combine the methods or make more assessments to check results and processes inside the organisation.
Interviews play a significant role in cultural assessment because they allow flexible questioning and follow-up questions. This eases the task of getting at the deeper tenets of an organization's culture. Focus-group sessions are more effective for exploring broader security-related issues. They also yield a large amount of information over a relatively short period, but that information is also less valid and trustworthy. Training and briefings for interviewers should ensure that they behave respectfully while showing empathy and open-mindedness. It demands the most time and effort from both the facility and the interviewers.
The survey is a much more convenient way to obtain input from a large number of employees. Surveys are easy and quick to complete, helping minimize work disruptions while encouraging a high response rate. Even though it is the most cost-efficient way to assess the workers, it is the hardest to make relatively valid and trustworthy.
Document reviews can take place prior to self-assessment to familiarize the team with past security incidents and help to determine NSC. There are three types of document reviews. Reviews can inquire into (a) the literal meaning of documents, helping the team to determine certain work to be carried out; (b) interpretive meaning that goes beyond the document's literal wording into the overall context; and (c) inferences that provide wider context and an opportunity to achieve far-reaching conclusions. A document review is a labour-intensive process with administrative limitations, because not every document is available.
The purpose of conducting observations is to record actual performance and behaviours in real time under different circumstances, especially during normal work, training sessions and emergency drills. Observations are a well-established, time-tested, commonplace tool for managing security. There are two basic approaches to observations as a tool of security culture self-assessment: fact-based management observations and opinion-based cultural observations. Observation can help not only to understand data collected through other methods, but also to design questions for valuable insights. [12]

Gamma Technical Corporation
GAMMA Technical Corporation is located in Budapest, Hungary and was founded in 1920; during its 90-year existence it became one of the largest companies producing NBC defence instruments in the Eastern-European region. The reputation of the facility has been established by the expertise of engineers who contributed to the field's technical development with many inventions and registered patents. [18] Gamma was the first in Hungary to develop and produce nuclear and chemical defence instruments in the 1960s, and still continues to develop instruments with the purpose of protection, for the use of the Hungarian Defence Forces, the Hungarian Civil Defence and for environmental protection.
Nowadays, in addition to the production, maintenance and authentication of earlier developed instruments, the company develops and introduces several instruments and devices for environmental protection, civil defence and military use. Among them are civil and military use radiation measuring devices, scintillation crystals, monitoring systems, and meteorological stations, KML ADR, RDO-3221 KOMONDOR Light Armoured Vehicle. [18] The common characteristics of devices based on military requirements are accompanied by customer-friendly services. The 5th generation of Gamma's instruments aims at exploring the sources of these hazards, considering also NATO compatibility requirements. Products are developed for reliable operation even under extreme environmental conditions and are suitable for being used as an integral part of other systems. Manufacturing and development are maintained in accordance with ISO 9001:2009 and NATO AQAP 2110:2006 quality control systems. [18]

Process of the Preliminary Self-Assessment
There are some features that influence the method of the assessment; the most important ones are the size of the organisation, the composition of its workforce and the current and projected security risks. The cost of the self-assessment programme should be continuously estimated and factored into the organization's budget. A good self-assessment is a step-by-step process which combines methods, takes as many of their advantages as possible and avoids disadvantages and unneeded costs.
The preliminary self-assessment consists of similar elements to the final self-assessment, which is described in the 026 NST Draft. The first stage of the process is to launch a self-assessment team, which in this case consists of the author, and on professional questions I had recourse to continuous consultations with Horváth Kristóf. The next step was to decide which method would be sufficient for the preliminary assessment of Gamma Technical Corporation. Considering the presented methods, a focus-group session seemed to be the best decision, with competent personnel such as the radiation-protection officer, a specialist who is responsible for the physical protection and another manager, who has previous nuclear power plant working experience.
Before the assessment a short presentation was delivered about nuclear security, NSC and the upcoming development of self-assessment technical guidance and regulations. The optimal methods of the assessment and the attitude of the personnel to the assessment were discussed. In line with the previous expectations, the facility was cooperative and proactive about the forthcoming assessment and the innovation possibilities. During the preliminary self-assessment certain demands of the facility had to be taken into consideration: for example, sound recordings were not allowed, the assessment had to be performed as time-efficiently as possible, and the results were not allowed to be publicized, only the conclusions about the method.
Regarding the implementation, a questionnaire was sent to the participants before the focus-group session and they had a couple of hours to fill it in and think over their own questions. The small number of participants, the effect of several years' experience of working together and the friendly atmosphere made it possible to ask direct questions and receive straightforward answers in order to clear up accidental misunderstandings. As described, the purpose of the assessment was to obtain not so much the actual answers as the reactions to the questions and comments.

Main Assignments and Questions of the Preliminary Assessment
Examples of security culture indicators for self-assessment were defined in the 026 NST Draft, Appendix II: "Security culture indicators for self-assessment". Accordingly, the preliminary assessment consisted of the following indicators: Visible Security Policy; Clear Roles and Responsibilities; Performance Measurements; Work Environment; Training and Qualifications; Work Management; Information Security; Operations and Maintenance; Determination of Staff Trustworthiness; Quality Assurance; Change Management; Feedback Process; Contingency Plans and Drills; Self-Assessment; Interface with the regulator (and law enforcement bodies); Coordination with off-site organizations; Record Keeping. [12: 33-44] The questions were purposely very similar or almost the same as in the related appendix, and between three and five questions were asked for every indicator. The questionnaire that was sent out (which was the theme of the focus-group session) used a six-stage rating scale. The purpose was to allow a future comparison of the self-assessment method with other nuclear associated facilities, since Paks Nuclear Power Plant Ltd has already been making safety culture self-assessments, and as a part of such safety culture self-assessments a method of a six-scale survey is used. The same method was used in 2014 for an initial NSC survey in order to facilitate the analysis and comparability.
Even though the questions and the indicators were the same as in the self-assessment of the 026 NST Draft, the difference lay in the purpose of the assessment. The previously described assessment in the 026 NST Draft tested Nuclear Security Culture. Contrary to that, my intention was to test the method of the assessment introduced in the 026 NST Draft, the recent knowledge of the staff about nuclear security and the attitude of the facility towards the upcoming assessment.
In the interview my main questions were the following:
• How is the facility related to the current assessment and the following survey?
• How well are the personnel aware of the attitudes about the competent authorities and legal background?
• How is the top manager related to physical protection and the self-assessment?
• What is the level of physical protection and Nuclear Security Culture?
• What are the differences between the level, knowledge and requirements in comparison to Paks Nuclear Power Plant Ltd?
• Does this kind of facility need an outside expert or specialist for the first self-assessment?
The purpose of the questions was almost the same as in the 026 NST Draft, in order to test the knowledge and the self-confidence of the personnel.

Conclusions
The first problem that was met in the focus-group session was the following question, which may also be an interesting challenge in future assessments: "Staff members understand their roles and responsibilities for nuclear security and are encouraged to seek clarification when necessary." The purpose of the indicators is to reveal the problems inside the organisation that need to be improved. At the same time, when indicators (especially this one) ask directly about a reprehensible attitude or act, it places a heavy burden on both the assessment specialist and the personnel. It is hard to evade such a direct question and not think it will be followed by direct consequences, maybe punishment by the management. In the case of a written form, it is evidence for the authorities and other organisations. We must find the best compromise between the availability and the trustworthiness of the assessment, and usually the assessment specialist should solve this problem.
The conversation cleared up other issues. Even though the personnel are familiar with security issues, they have only limited contact with international and nuclear power plant specific security definitions. One of the main conclusions was that in facilities that have limited access to nuclear power plants and nuclear security, an outside specialist is necessary for the initial and probably for the subsequent self-assessment. Because of the limited resources, it is an important dilemma to decide whether it is worth permanently maintaining such a specialist with the needed knowledge or periodically designating someone to "diagnose" the "illness", the weak points of the NSC. Besides those described above, every case is a unique situation, and it should be the result of cooperation between facilities and authorities to decide whether an external specialist needs to be engaged or not.
An achievement was that the personnel were positive about possible changes and innovations. Physical protection and security are among the most important requirements of the facility. Not only the security of radioactive materials but, for the whole product range, information protection and safeguarding are primary considerations. Regarding this, the strong intention to cooperate was not unexpected. Because the preliminary assessment involved only the experts in this field, further analysis is needed to extend this result to the whole organisation.
Another possibility to enhance nuclear security culture is to conduct a wider self-assessment analysis to reveal past security incidents and their root causes. These incidents could be the result of physical, technological or human errors. The objective of nuclear security culture development is to acquire such qualities of personal behaviour as personal accountability, adherence to procedures, teamwork and vigilance. It would be useful to start the self-assessment by examining some of these qualities and their derivatives. Depending on the size of the facility, it would also be useful to analyse the official and unofficial communication (also with outsiders), the network of connections and the hierarchy inside the organisation. The goal of the upcoming assessment is to check these hypotheses and questions. Subsequently, a three-tiered outcome model must be produced to translate results and possible improvements into the language of the personnel. The most difficult issue is Stage 6 of the 026 NST Draft: to discuss preliminary results throughout the organization and submit a final report for developing a follow-up action plan.
The conclusions of the preliminary assessment and the self-assessment are expected to be instructive for the associated facilities and also for the authorities.