Koei-Tecmo | Voir film | HD Black Mirror

Safety in long term radioactive waste management: Insight and oversight

Safety in long term radioactive waste management: Insight and oversight

Safety Science 85 (2016) 258–265 Contents lists available at ScienceDirect Safety Science journal homepage: www.elsevier.com/locate/ssci Safety in ...

306KB Sizes 0 Downloads 19 Views

Safety Science 85 (2016) 258–265

Contents lists available at ScienceDirect

Safety Science journal homepage: www.elsevier.com/locate/ssci

Safety in long term radioactive waste management: Insight and oversight Jantine Schröder a,b, Nicolas Rossignol a,c,⇑, Michiel Van Oudheusden a a

Society and Policy Support Group, Belgian Nuclear Research Centre (SCKCEN), Mol, Belgium University of Antwerp, Belgium c SPIRAL Research Center, Department of Political Science, Faculty of Law, Political Science and Criminology, University of Liège, Belgium b

a r t i c l e

i n f o

Article history: Received 30 September 2015 Received in revised form 12 January 2016 Accepted 4 February 2016

Keywords: Passive safety Active safety Radioactive waste management Geological disposal Oversight

a b s t r a c t High-level, long-lived radioactive waste remains hazardous for periods that go well beyond our human conception of time (many thousands of years). Because active safety measures are considered unreliable, unjustifiable and simply impossible over such long time spans, experts worldwide recommend geological disposal as the preferred strategy for long-term radioactive waste management, to a large extent due to its promise of delivering ‘passive safety’. Passive safety refers to the repository being safe ‘by itself’, i.e. unmediated by human actors and actions. Safety is thus approached technically and delineated as an intrinsic property of the disposal system. As such, the notion of ‘passive safety’ entails a system simplification that allows for approaching safety in a more calculable and predictable manner than would be the case for ‘active safety’. In this article, we describe and analyze the ambiguity of this seemingly straightforward approach to safety. Drawing on constructivist insights from safety science and science and technology studies, we propose a more integrated sociotechnical vision that transcends the active versus passive safety division. The notion of ‘oversight’, as it is currently starting to surface in international radioactive waste management discourses, will be used as a sensitizing concept, offering potential to elaborate such an integrated vision. Ó 2016 Elsevier Ltd. All rights reserved.

1. Introduction Safety is a concept and a norm ‘‘nearly always defined as a condition where nothing goes wrong (injuries, accidents/incidents/ near misses)”: a safe situation is ‘‘marked by the absence of accidents and incidents” (Hollnagel, 2014, p. 22). Such a state rarely exists in reality, and ‘absolute safety’ thus has no, or only limited, operational value. Nuclear experts operationally approach safety as the ‘‘reasonable assurance” of the absence of ‘‘unacceptable danger or risk” following an ‘‘adequate protection” against a delineated hazardous source (OECD-NEA, 2007, 2009, p. 111; Pescatore, 2013, p. 2). Such an approach, based on judgements about what is ‘reasonable’, ‘acceptable’ and ‘adequate’, reflects the multidimensionality and complexity of theorizing, realizing and demonstrating safety. Notwithstanding this conceptual and operational fluidity, decision makers and regulators, especially in fields with a

⇑ Corresponding author at: Quartier Agora – Place des Orateurs 3, Bât. B-31, Bte 8 – 4000 Liège, SPIRAL Research Center, Department of Political Science, Faculty of Law, Political Science and Criminology, University of Liège, Belgium. E-mail addresses: [email protected] (J. Schröder), [email protected] (N. Rossignol), [email protected] (M. Van Oudheusden). http://dx.doi.org/10.1016/j.ssci.2016.02.003 0925-7535/Ó 2016 Elsevier Ltd. All rights reserved.

relatively high collective risk potential such as nuclear technology, desire a solid basis. As the OECD-NEA1 formulates it, safety requirements must be straightforward and it must be possible to scientifically demonstrate whether or not they are met in order to decide to proceed with, or abstain from, certain activities (OECD-NEA, 2007, p. 20). Within the field of Radioactive Waste Management (RWM) this tension between given complexity and wanted clarity of the meaning and concretization of safety is particularly intense, due to the large variety of implicated stakeholders (industries, governments, local communities), the many uncertainties related to the hazard and, last but not least, the extremely long time spans involved. In nuclear research and regulation, safety is more specifically described as the protection of humans and the environment, now and in the future, against the dangers arising from ionizing radiation (e.g. EC, 2011; IAEA, 1997, 2007; ICRP, 2013). To achieve this protection in the context of long-term RWM, the preferred management strategy of experts is Geological Disposal (GD), which is defined and defended to an important degree on the basis of 1 Organisation for Economic Co-operation and Development – Nuclear Energy Agency.

J. Schröder et al. / Safety Science 85 (2016) 258–265

‘passive safety’ (cf. e.g. the European Directive on RWM)2. The differentiation between active and passive safety is based on the respective presence or absence of human action to ensure safety (Forsberg and Weinberg, 1990; IAEA, 2007; World Nuclear Association, 2013). Since safety measures requiring human action are judged unreliable and unjustifiable over the enormous time spans high-level, long-lived radioactive waste remains hazardous (tens of thousands of years), the argumentation for GD’s safety is built up around a passive version of safety, referring to the underground repository, after it has been filled and closed, being safe ‘by itself’. Safety is thus described independent of the existence of human actors, such as implementers and regulators (Pescatore, 2013). It is approached technically and delineated as an intrinsic property of the underground disposal system (OECD-NEA, 2007). As such, the notion of passive safety entails a system simplification that allows for approaching safety in a relatively calculable and predictable manner, based on physical, chemical and geological parameters. In contrast, scholars in the field of science and technology studies (STS) emphasize that safety cannot be approached in disregard of the social realm. To speak sensibly about the safety of technologies, one needs to describe technical, natural and social aspects, and attend to how these aspects interact, particularly when the boundaries between them become fuzzy (Bijker et al., 2014). Turning again to the policy discourse of the RWM expert community, some statements in the context of the safety of GD do resonate with this idea of safety as a sociotechnical issue. The disposal system is for instance described to represent all the arrangements that make a disposal strategy work, including not only technical but also ‘‘administrative measures (such as institutional controls)” (OECD-NEA, 2007, 53). The latter clearly refers to some sort of human action above ground, and thus, keeping the earlier differentiation in mind, to active safety. Nevertheless, at some stage after the filling, closing, sealing and monitoring of the underground facility, a transition from active to passive safety is foreseen, and the licensing of GD facilities is ultimately based on this state of passive performance of the technology and the geology, not on the presumed action of future actors. Throughout this paper, we will describe and analyze the ambiguity of this active versus passive conceptualization of safety. The questions we pose are: How do implicated actors frame safety in the context of long-term RWM? And how meaningful is the distinction between active and passive safety in this regard? We base our analysis on written and oral accounts of nuclear safety experts and on international guiding documents within the field of nuclear safety (from the IAEA3, ICRP4 and OECD-NEA), focusing on the differentiation between active and passive safety. We draw insights from two fields of nuclear technology development in which the notion of passive safety is prominent, but framed differently: waste disposal and reactor technology. Relating the distinction between passive and active safety to the classical differentiation between the technical and the social, we adopt a social-constructivist, STS-inspired approach to safety. We conclude by proposing a more integrated understanding of safety in the context of RWM that transcends the ‘active versus passive safety’ dichotomy. The notion of ‘oversight’, as it is currently emerging in international radioactive waste management discourses, will be used as a sensitizing concept, offering potential to elaborate this more integrated vision.

2 Council Directive 2011/70/EURATOM of 19 July 2011 establishing a Community framework for the responsible and safe management of spent fuel and radioactive waste, Article 4: General Principles. 3 International Atomic Energy Agency. 4 International Commission on Radiological Protection.


2. Nuclear safety: insights from reactor technology Active and passive safety are usually distinguished based on the respective presence or absence of human action for the functioning of nuclear technologies (e.g. Forsberg and Weinberg, 1990; IAEA, 2007; World Nuclear Association, 2013). Although this differentiation appears straightforward, a closer reading of these sources reveals semantic ambiguity. For instance, a distinction between passive safety components and passive safety designs or systems is made. It is explained that ‘‘full passive safety design depends only on physical phenomena such as convection, gravity or resistance to high temperatures, not on the functioning of engineered components” (World Nuclear Association, 2013). The latter would ultimately indeed require human activity, if not for their activation then at least for their maintenance. It thus seems that a distinction can be made between fully passive safety systems and active safety systems with passive safety components. GD facilities are framed as the former, nuclear reactor facilities as the latter, and relevant insights can be drawn from an analysis of this differentiation. The development of passive safety components is highlighted in discourses on nuclear reactor technology as an important improvement in current reactor designs as compared to designs from the past (Pirson, 2010). Examples given are cooling systems based on natural circulation of air and gravity-driven water circulation, and enhanced containment (‘‘shell”) structures to isolate radioactivity within the reactor system. Passive safety became emphasized following a heightened attention for the influence of human error, notably related to emergency situations following the Three Mile Island and Chernobyl accidents (Forsberg and Weinberg, 1990; IAEA, 1996). Passive features are explained as being provided solely by physical phenomena, unmediated by humans in their functioning (Pirson, 2010; Scott de Martinville and Herviou, 2010). The idea of designing a reactor that would ultimately constitute a fully passive safety system has been proposed in the past. As early as the eighties scientists and engineers dreamed of designing reactors that would ultimately set off the risk of human error altogether, by means of building a containment around the reactor that would ensure ultimate protection against any internal or external threat (Forsberg and Weinberg, 1990, p. 149). Forsberg and Weinberg ask a highly relevant question in relation to this idea of passive isolation and containment: even if from a technical point of view containments could be built that provide total assurance of no significant release of radioactivity to the environment, the question remains whether it is a socially acceptable solution to prevent damage from accidents, but not necessarily eliminate those accidents themselves (Forsberg and Weinberg, 1990, p. 149). In other words, Forsberg and Weinberg point out that even if fully passive systems could be designed, society may still not trust the safety of such systems or judge them to be ethically acceptable. This finding became reflected concretely throughout the measures France proposed after the 2011 nuclear disaster in Fukushima, namely a combination of engineering containment bunkers and creating an elite force specifically trained to act rapidly in nuclear emergency situations. Acknowledging that predicting risk is an imperfect art, the passive safety component of the bunker is meant to address any unforeseen, low-probability event. The active safety provision of an elite force, on the other hand, acknowledges that passive safety, however well designed, is fallible and thus concretizes the necessity to also preemptively elaborate mitigation activities (Butler, 2012). Reactor specialists thus highlight that passive safety features always exist in combination with active components (which need external input for their activation). Combining a variety of active and passive safety measures is supported by the safety principle of defence-in-depth (DID), which is arguably the cornerstone of


J. Schröder et al. / Safety Science 85 (2016) 258–265

nuclear reactor design. DID refers to a centuries-old defence strategy which involves the provision of a combination of independent safety barriers (Sklet, 2006). The idea is that if one safety layer fails, others will still be in place and take over.5 Applied to nuclear reactor technology, DID ‘‘consists of recognizing technical, human or organizational failures and to guard against them by successive lines of defence” (Scott de Martinville and Herviou, 2010). The aim of DID is thus to provide redundancy and diversity in the safety provisions, to offer the best possible protection against both internal and external hazards, including accident prevention, control, mitigation and emergency planning measures (IAEA, 1996; Forsberg and Weinberg, 1990; Kadambi, 2013). One of the guiding references related to DID in nuclear safety by the IAEA’s International Nuclear Safety Advisory Group, the INSAG10 report (IAEA, 1996), explains that the concept of DID developed gradually within reactor technology. The original, basic safety functions of controlling the power and cooling the fuel were complemented by the instalment of multiple barriers around the reactor, and then later evolved to also include measures to protect against external hazards, environmental monitoring, on- and offsite emergency management and an assembly of characteristics and attitudes referred to as ‘safety culture’ (IAEA, 1996). DID applied to reactor safety thus seems to encourage the combination of active and passive, and intra-systemic and external safety components. Throughout the INSAG-10 report, DID is also described as a dynamic, iterative concept, informed by experience and the investigation of accidents. ‘‘The evaluation of operating experience is a continuous process to check the assumptions made during the design. [. . .] The results of this evaluation have significantly influenced the design of the current generation of nuclear power plants and also backfilling measures taken in operating plants, and will influence the design of future plants” (IAEA, 1996, p. 19). Overall, DID is thus described as concerning all safety related activities, whether organizational, behavioral or design related (IAEA, 1996, p. 6) and therefore as ‘‘an additional framework for safety beyond that provided by traditional engineering design methods” (Kadambi, 2013) that broadens ostensibly technical components and considerations, such as the ‘‘safety margins of operating reactors” (IAEA, 2003a). In this sense, ‘safety’ is not susceptible of rigid definition, nor is it easily determinable or calculable for instance by classical tools such as probabilistic safety assessment (PSA). As acknowledged by the Advisory Group, ‘‘[a] valid criticism that has been levelled at the PSA methodology is that there are so many moving parts in constructing a good PSA of a complex system that the analyst can obtain almost any desired answer. [. . .] An appraisal of the safety contribution of defence-indepth measures may be possible only by taking a holistic perspective wherein formal models do not play as much of an essential role as integrated assessments based on observation, experience and judgment” (IAEA, 2003a).6 With the aim of developing this holistic perspective and broadening technical and calculation driven safety approaches in safety margin management (e.g. IAEA, 2003a), the IAEA has promoted its Integrated Risk-Informed Decision Making (IRIDM) framework (2011b). IRIDM aims at improving safety by ‘‘enhanced awareness of factors influencing safety and taking each of these factors into account in a decision and its implementation” (IAEA, 2011b, p. 4). It thus endorses the integration of a large variety of elements, including standards and good practice, operating experience, deterministic and probabilistic considerations (PSA),

5 Originating from the field of military defense, the concept found its way into nuclear technology development. Today, it is used in a variety of industries, e.g. the field of computer and information technologies (Sklet, 2006). 6 Quite tellingly, upon analysis of the implications of the Fukushima accident, the US Nuclear Regulatory Commission found that DID is not susceptible of rigid definition, and describes it as ‘a philosophy’ (Butler, 2012).

organizational factors, security considerations, and other elements related for example to economic or radiation protection considerations. In sum, in the field of nuclear reactor technology, safety is framed as a dynamic sociotechnical endeavor, where people and technology work together to achieve protection from ionizing radiation by combining passive and active safety measures. Undoubtedly, the reality of the sociotechnical picture of reactor safety we sketch above and the success of its implementation can be criticized.7 Indeed, taking a closer look at the previously cited INSAG10 report alone already discloses some controversial issues about the ‘‘ambivalent human role” (IAEA, 1996, p. 25) in reactor safety, revealing the complexity of integrating active and passive safety rationales. For instance, actions either not anticipated or differently foreseen in operating or maintenance procedures are described as a major concern with regard to the potential degradation of DID, and the large variety of possible human actions as adding to the considerable difficulty of taking such errors into account (IAEA, 1996, p. 26). Even though the technical approach of designing additional passive safety components may receive priority within nuclear research and regulation, a social approach to tackle such findings is increasingly visible, for instance in the field of safety culture and emergency management (Rossignol et al., 2014). Thus, at least on paper, there exists unanimity about the necessity of actively overseeing and actively complementing the functioning of these passive measures. Overall, reactor safety is depicted as a dynamic field requiring ongoing attention to strike a balance between design and action, the technical and the social, procedures and improvisation, regularities and surprises, laws and judgments (Bijker et al., 2014; Rossignol, 2015).

3. Nuclear safety: Insights from radioactive waste management 3.1. Geological disposal In the previous section, we drew a picture of reactor safety as a dynamic effort that aims at developing more adequate ‘‘manmachine interfaces” (Scott de Martinville and Herviou, 2010) by integrating passive and active safety components. Reactor safety discourses describe redundancy as a combination of active and passive safety functions and DID as a dynamic, iterative, experience-informed effort of integrating technical, human and organizational factors, taking into account internal and external threats. In light of the inevitable complexity of such a holistic safety picture, the value of modeling and calculation is not dismissed, but at least nuanced (Kadambi, 2013). Although critics have pointed out that there remains a large breach between theory and practice (see e.g. Perin, 1998, 2005) it is clear that actors in the field of nuclear reactor technology recognize the need for a more complex appreciation of safety, which takes into account both technical and social components. In this section, we ask how this more complex safety view relates to the safety discourse of GD. Nuclear reactor systems are existing operational systems, usually designed to function for about forty years. In contrast, GD facilities are non-existing, non-productive systems, aimed to function for up to a million years. We will come to show that the analysis of reactor safety provides relevant insights for a reflection on GD safety. GD has since long been endorsed by experts as the safest longterm radioactive waste management strategy (e.g. EC, 2011; IAEA, 1997, 2007; ICRP, 2013). The technology is defined and defended to an important degree on the basis of passive safety. The European Directive on RWM literally prescribes that ‘‘spent fuel and radioactive waste shall be safely managed, including in the long term with 7

For an elaborate critical evaluation, see e.g. Perin (1998, 2005).

J. Schröder et al. / Safety Science 85 (2016) 258–265

passive safety features” (cf. footnote 2). The aim of GD is to bury radioactive waste in the deep underground so that natural radioactive decay can take place over time, and to have any release from the artificial barriers be further delayed and diluted by geological host formations suited for this function (OECD-NEA and ICRP, 2013). To accomplish this goal, geological repositories are to be constructed in the deep underground, away from the human habitat, where the potential for human intrusion is judged limited, so that nature, assisted by technology, can take its course in an undisturbed manner. The RWM implementer and regulator are the actors responsible for safety during the ’operational period’ of the GD facility, but the ultimate, long-term safety ‘actors’ are nonhuman: the waste packaging, the underground installation, and the surrounding geology (such as clay, granite or salt). DID is also a prominent principle within safety guidelines related to RWM. Similar to reactor technology, for RWM technology it implies the implementation of ‘‘multiple safety functions” (IAEA, 2011a; FANC/AFCN et al., 2004) in order to be able ‘‘to depend on different mechanisms and/or components to provide safety functions” (Bruno et al., 2005, p. 2). However, whereas for reactor technology DID and IRIDM more broadly, seem to have been submitted to a complementary technical and social approach, for GD it is understood exclusively technically, deliberately excluding human behavior or societal organization from its final design and functioning. GD’s safety system is conceived and evaluated to solely consist of non-human actors, such as the waste form, the packaging, the backfill, and the host environment and geological formation (IAEA, 2011a, p. 25). After waste emplacement the repository is backfilled and sealed to obtain the highest physical (engineering steadiness) and chemical (an anaerobe environment) stability. Then, after closure, GD exclusively relies on the combination of engineered and natural safety functions, notably radionuclide containment (within the waste matrix), radionuclide isolation (from the biosphere) and release limitation and retardation (combining natural decay and radionuclide retention and migration retardation by the artificial barriers and/or the geological formation) (FANC/AFCN et al., 2004; IAEA, 2011a; Weetjens et al., 2010). In this sense, manmade, engineered barriers can also be described as passive components since neither their designed functioning, nor their eventual failure require human intervention, as geology then takes over. GD experts highlight that all of GD’s safety controls are in-built (ICRP, 2011, p. 9) and constituted by passive, physical or chemical properties or processes, such as impermeability to water, limited corrosion, dissolution, leach rate and solubility (IAEA, 2011a, p. 25). 3.2. Arguments for passive safety Upon analyzing the safety framing of GD, a variety of complementary arguments in favor of a passive, technical safety approach can be found. The following citation summarizes the arguments most commonly mentioned by the RWM expert community: ‘‘our responsibilities to future generations are better discharged by a strategy of final disposal than by reliance on stores which require surveillance, bequeath long-term responsibilities of care, and may in due course be neglected by future societies whose structural stability should not be presumed” (OECD-NEA, 1995, p. 5). Passive safety is thus described as an ethical goal, corresponding to the moral principle of not passing on undue burdens to future generations who did not receive the benefits of the nuclear applications that produced the waste (IAEA, 1995, p. 7; IAEA, 2003b, p. 1). Concurrently, passive safety is depicted as a sociotechnical necessity, as the finances, institutions and knowledge required for an active safety approach cannot be guaranteed in the long run. On a more fundamental level, epistemological arguments – translated into regulatory requirements – for defining


DID solely by means of passive safety features can be found. The safety case, on which the licensing of GD facilities depends, is defined as a major set of efforts that ‘‘demonstrate safety by providing a clear reasoning based on sound scientific and technological principles” (IGD-TP, 2011, p. 25). The OECD-NEA also argues that safety requirements must be straightforward and it must be possible to scientifically demonstrate whether or not they are met in order to decide on whether to proceed with or abstain from certain activities (OECD-NEA, 2007, p. 20). Against this background it becomes clear that GD’s safety case not only aims for, but also essentially depends on passive safety. The long-term safety prediction of GD fundamentally depends on a stable, undisturbed, i.e. passive environment, in order to allow radioactive decay to take place and attenuate and delay the eventual release of any contaminants into the accessible environment (ICRP, 2011, p. 9). GD’s real functioning only starts after its closure (IAEA, 2006, p. 61) and in fact excludes active safety measures (FANC/AFCN et al., 2004, p. 14). We already indicated tensions between active and passive safety rationales within reactor technology discourses, but for RWM the differentiation between active and passive safety is even more outspoken. If present human action in the framework of a useful production process is considered an unpredictable, failuresensitive safety factor (as we explained for reactor safety), this certainly is the case for future human behavior related to a ‘useless’ site. In other words, for the case of GD, activity constitutes a threat to a safety system designed on passivity. Whereas for reactor technology we could describe efforts to combine active and passive safety as an acknowledgement of complexity and unpredictability, for waste disposal passive safety alone is promoted in light of a demand for simplicity and demonstrability. A ‘credible’ safety case for a technology that has to function for thousands of years is simply impossible to design outside the context of passivity safety. This reasoning entails an international agreement among regulators that the consequences of potential future human intrusion ‘‘should not be required to meet regulatory protection goals [. . .] nor be used as a crucial criterion for the repository optimization process” (OECD-NEA, 2009, p. 15). This is justified throughout safety guidelines because ‘‘the passive safety features (barriers) have to be sufficiently robust so as not to require repair or upgrading” (IAEA, 2011a, p. 28). Moreover, even though it is acknowledged that ‘‘by applying the strategy of containment and isolation of waste, it is implicit that if waste were to be disturbed after its disposal in a facility, then radiation doses might be incurred” (IAEA, 2011a, p. 10), the risk of such disturbance is judged low enough as long as ‘‘appropriate sites” are chosen (notably specified as areas with host rocks at great depth and not containing known natural resources” (ICRP, 2011, p. 9; ICRP, 2013, p. 43–44). This judgment is not treated further in the safety case, which, as mentioned earlier, focuses on the safety of the repository ‘by itself’. The biosphere and other geological formations are not considered part of the disposal system as they do not participate in the implementation of the concentration and containment strategy (FANC/AFCN et al., 2004, p. 8). Krupar (2012) in this regard accurately describes GD as a strategy that presumes a divorce of surface from subsurface to allow a containment strategy that presents geological depth as a permanent externality. 3.3. Evaluating the passive safety case The passive safety rationale of GD in our opinion corresponds with what Constance Perin refers to as a ‘‘closed system epistemology” and ‘‘deterministic design”, two safety management strategies that according to the author are prevalent across highhazard industries and activities such as the nuclear industry (Perin, 1998). Deterministic design refers to a resistance to incorporate surprises, dynamics, instability, unpredictability, and to a


J. Schröder et al. / Safety Science 85 (2016) 258–265

tendency to divide technologies into separate components and subsystems that are then treated in an additive, linear and hierarchical order (Perin, 1998, p. 117). The complementary notion of closed-system epistemologies refers to an undervaluation of certain kinds of knowledge, questions, practices and semantics in favor of others, notably proceduralization and standardization, to safeguard a closed-system control logic. Contextualized as such, human action has a high error potential, and is thus left out to the highest possible degree. When reference to human action is made, it is often ‘‘treated similarly as machine appurtenances whose actions and reactions should have outcomes as uniform and predictable as those expected of the technologies under investigation” (Perin, 1998, p. 104). Without wanting to idolize reactor safety, the literature we reviewed allows us to describe DID and IRIDM as incentives to reflect upon the necessity of taking into account internal but also external hazards, radiological release prevention but also mitigation, foreseeable, probable but also unforeseeable, improbable events, material, engineering but also immaterial, organizational aspects, insights from modeling and calculation but also from experience and judgment. The following citation of waste management regulators and implementers illustrates that the safety rationale for RWM clearly struggles with the second components of the aforementioned safety pairs (FANC/AFCN et al., 2004, p. 13 & 15): The confidence in the findings of the safety assessment will be less if the processes and interactions involve an evolution of components that is difficult to assess. As far as possible, simplicity of design should be sought so that the evolution of the components can be assessed based on sound knowledge of the data and of the underlying processes. With respect to the presentation of a body of convincing arguments, the principle of demonstrability assumes that the performances expected from the safety functions are based on a passive system. [. . .] The application of the principle of demonstrability means reducing the possibility for process coupling, limiting, as much as possible, the factors affecting system evolution and the various contrasts and imbalances [. . .] and working in conditions in which the features, events and processes to be taken into account are clear and straightforward. In this way, the number of key parameters is reduced and simpler models can be used. To sum up, for the field of nuclear reactor technology, we explained how DID ‘‘consists of recognizing technical, human or organizational failures and to guard against them by successive lines of defence” (Scott de Martinville and Herviou, 2010) by means of searching for a – precarious – balance between active and passive safety features. Within the field of RWM, the principle of DID also seems to consist of recognizing technical, human or organizational failures, but to guard against them in a remarkably different manner. The proposed strategy of GD can be said to try to eliminate these failure sensitive variables altogether, with geology as the ultimate safety actor. Thus, safety is delineated as an intrinsic, static, design-based property of the GD system (OECD-NEA, 2007, p. 53), and redundancy and DID refer to a combination of solely passive, nonhuman functions. 4. Beyond active versus passive safety: Introducing the notion of oversight In contrast to the safety discourse of reactor technology, which we described as reflecting a dynamic, iterative, experience informed effort of integrating technical and social factors, we referred to the safety discourse of GD as reflecting a much more static, design-based effort that seeks to exclude human and organizational factors. Strictly speaking, society is neither presumed, nor

expected to take part in GD’s long-term safety functioning. However, as rigorous as such a passive, technical framing may be, it cannot exclude the social all together. On the contrary, as we will come to show, GD provides a clear-cut example of the coconstruction of the technical and social, and of the fact that safety is a context-dependent construct and not a fixed system property (Bijker et al., 2014). Several studies have revealed the firm stability of the geological strata under consideration for GD for over a million years (e.g. Mazurek et al., 2004). Nevertheless, there is a ‘ceteris paribus’ (all other things being equal or held constant) condition at play here, reminding us again of Perin’s closed system epistemology and deterministic design. The continuation of geological stability simply cannot be proven when what was simply a ‘rock’ for millions of years suddenly becomes a ‘host rock’ for radioactive waste disposal (Wallace, 2010). More importantly, what is a passive environment today, can become an active environment tomorrow (think e.g. about the intensifying use of the deep underground, such as geothermic energy exploiting, carbon storage, fracking for extracting oil or gas). Overall, although no one will deny that there is more turmoil on the Earth’s surface than underneath it, we simply have no means of ensuring that future generations will live up to the passivity requirements imposed on them by way of the sociotechnical script of GD. In other words, activity may be required to preserve passivity. The segregation between active and passive safety is therefore neither analytically straightforward, nor strategically helpful. Both passive and active safety requires some sort of sociotechnical organization, either to preserve passivity to the highest possible degree, or to conduct the necessary activities. Even if it would be possible to attain final closure and human activity would be limited to safeguarding natural passivity, it ultimately entails ‘doing something’. What this ’something’ is, will depend not only on the physical, chemical and geological context, but also on the historical, political, and geographic context. This is why we propose a constructivist perspective on GD safety, that views safety ‘‘not as an intrinsic and static characteristic, but rather as an emergent property that will depend on and result from specific circumstances” (Bijker et al., 2014, p. 21). In other words, safety is constructed with actors and technologies under modalities that are not given in advance but are continuously (re)adjusted in the process of technology development and implementation. In this respect, ‘oversight’ is a concept that is coming to the foreground in international RWM discourses today, which seemingly reflects this more constructivist vision on safety. Oversight is, for the time being, defined as ‘‘watchful care”, and refers to society ‘‘keeping an eye” on the repository (OECD-NEA and ICRP, 2013; ICRP, 2013). This description remains rather minimalistic, but what seems to be agreed upon is that ‘‘oversight is always by people – including institutions, organizations, societies etc. [. . .] and complements the intrinsic or built-in controls that are carried out, by design, by the technical system itself (OECD-NEA, 2014a)” (Hotzel, 2015). This notion thus reminds us of the insights we drew from reactor technology, in particular the sociotechnical integration emerging in the IRIDM framework. Some concrete oversight provisions mentioned are ‘‘restrictions on land use, environmental monitoring programmes, surveillance under safeguards agreements, and archiving records” (ICRP, 2013, p. 44). In line with oversight, a topic put forward as deserving further attention is the transfer of responsibilities (OECD-NEA, 2014b), anticipating that the actors currently responsible for RWM (the implementer, the regulator) will not be around forever. In a way, oversight reminds us of Alvin Weinberg’s idea of ‘eternal vigilance’: ‘‘We must prevent man from intruding – and this can be assured only by man himself” (Weinberg, 1972, p. 33). Eternal vigilance may theoretically fit the differentiation between active and passive safety, the divorce between surface

J. Schröder et al. / Safety Science 85 (2016) 258–265

and subsurface that the classical GD design prescribes, but only if it follows the prescribed single plot story of avoiding human intrusion. As human activity re-emerges in the RWM discourse, however, the sociotechnical script of GD is challenged as the story of passive safety is opened up to become infused with unpredictable variations on the theme of avoiding intrusion. In other words, one of the key arguments to defend passive safety, the complexity and contingency of human systems (as contrasted to the relative simplicity and reliability of natural systems), will have to be taken into account after all. Put differently, a key tension arises when the active, dynamic safety function of society is acknowledged in contrast with the passive, modeled safety function of the underground facility and geology. Social conduct cannot be modeled and does not obey the ‘closed system epistemology’ and the ‘deterministic design’ that have become dominant in RWM research and policy throughout its predominantly technical framing. Taking these caveats into consideration, we propose a further development of oversight that moves beyond the active versus passive safety idea. If the notion of oversight is to adhere to a strict differentiation between passive and active safety, the former clearly dominating the latter, one risks running into a paradoxical or circular reasoning. The unreliability of human action, the fact that it cannot be modeled and demonstrated, that it cannot be guaranteed to conform to the premises of uniformity, predictability and hierarchical order, will again become the insurmountable hurdle that prompted the passive safety design of GD in the first place. As such, the technical and the social framing of GD do not seem to be sufficiently aligned yet. The premises of the passive safety design of GD entail a contradictory social template; one that demands to control the contingency of human behavior to sustain the predictability of a closed system, while simultaneously acknowledging that this will continuously require activities that befall the same contingency of human behavior which they are meant to guard against. Not only do artifacts not always perform as precisely, straightforwardly and predictable as the axioms, algorithms and models used to design them; this certainly goes for the human actions that accompany the artifacts. Neither oversight, nor the passive functioning of a geological repository can be guaranteed for hundreds of thousands of years. Latour in this regard writes that research is best seen ‘‘as a collective experimentation about what humans and nonhumans together are able to swallow or to withstand” (Latour, 1999, p. 20; cf. also Schröder, 2016). As vague as the meaning and bearing of the notion of oversight may be, we want to be optimistic about this concept. At the very least, it can trigger reflexivity among implicated actors with regard to the complexity yet necessity of going beyond a passive and active safety distinction and combining technical and social safety components. We are inclined to think about this necessity and complexity in terms of an inherent tension at play within longterm RWM, between a demand for decisiveness, controllability and determinability on the one hand (a need for closure), and indecision, uncontrollability and flexibility on the other hand (a need for openness). This tension is not unique to RWM; in fact one could say it is part of the human condition. But the case of RWM, in light of the uncertainties related to the hazards and the enormously long time frames involved, enacts this tension in a remarkably distinct (one could say grotesque) manner. We elaborate upon it here, as it may serve as a sensitizing concept that can aid the apparent misalignment between GD’s technical and social framing. As passivity is not only a goal but also a condition for the designed functioning of GD, the segregation of active and passive safety inevitably follows from a strategy unable to integrate certain concerns and constraints related to this demand for openness, while highlighting the concerns and constraints of this demand for closure. In the end, ‘‘regulations have to find a delicate balance between providing the necessary reliable reference levels for


different review steps while simultaneously maintaining flexibility that allows for further development and adaptations over time, reflecting technical progress as well as societal and political developments” (Brohman, 2014, p. 7). The notion of oversight has the potential to encourage concrete efforts to maintain and balance this tension, as it underlines the need ‘‘to capture and honor residues of ambiguity in human affairs and integrate these into the technical and organizational design of safety margins” (Perin, 1998, p. 116), and acknowledges that ‘‘technologists’ design intentions are one thing, the social cultural, and technical dilemmas, contradictions and paradoxes arising when the technology is operating are another” (Perin, 1998, p. 100). To account for the fact that passive, technical structures will de facto be accompanied by active, social structures, and that safety strategies shape not only the technology but also the society in which the technology is embedded, we encourage a further social framing of GD (Barthe et al., 2014). This effort would go beyond previous attempts in which the social is restricted to ‘societal context’, and the research field of social scientists to initiating and channeling stakeholder participation, as is often the case in radioactive waste governance projects (Bergmans and Schröder, 2012). Rather, it urges actors to adopt a dynamic interpretation of safety, which draws attention to the sociotechnical complexities and uncertainties inherent in safety planning and management. As we argue above, this dynamic take on safety is presently making headway in established safety discourses in the field of reactor technology. We believe this move reflects a broader policy shift from safety government to governance, as it implicates an increasingly multilayered and diversified socio-technical landscape in which a diversity of knowledge and evidence claims are at play, as well as value commitments decision-making stakes, and risk management strategies (Irwin, 2008, p. 508). It also unfolds with new scientific paradigms, such as complexity science. Clearly, it is only by considering safety as an inter-relational system or ‘‘complex adaptive system” that we are able to attend to how safety is coconstructed with and through its environment (see e.g. Duit and Galaz, 2008). We believe the notion of oversight can strengthen and deepen these policy perspectives and scientific paradigms. Although it may not always be clear how to operationalize the concept in what are inevitably messy, real-world situations, the notion facilitates a critically-reflexive attitude toward safety that acknowledges the shortcomings of all too facile distinctions, such as active/passive (Van Oudheusden and Laurent, 2013). Hence, critical reflection about safety should be an integral part of safety construction. For similar reasons, we encourage critical reflection and deliberation on how to conceive of, and implement, holistic or integrated approaches to safety. Whereas the formal aim of combining ostensibly technical (e.g. barrier-related) safety considerations and social ones (e.g. organizational factors), as in the IRIDM framework, is to be welcomed, it remains to be seen how IRIDM measures translate into effective strategies. The ideas presented here may contribute to developing these strategies in ways that render safety management more technically and socially accountable, effective, and resilient in the long run.

5. Conclusion There was a time when GD was conceived of and presented as the solution for radioactive waste, a safe end destination in the deep underground that would eternally isolate these hazardous substances from society without anyone having to worry about it. The technical framing of passive safety seems to have sustained this understanding, which led to a focus on long-term safety designs, where conceptual safety requirements are met with


J. Schröder et al. / Safety Science 85 (2016) 258–265

conceptual compliance proof. As GD projects are moving from research toward the implementation phase, this vision is slowly but steadily losing clout. Even if passive safety systems could be technically achieved, which remains to be seen, they would still be embedded in a socially active safety surrounding, which inevitably elicits sociotechnical dynamics. As such, high-level, longlived RWM displays a contradictory character when safety is conceived in a binary (active versus passive) way: ‘‘its radioactive character prompts more or less lifelong active monitoring and surveillance, yet its life span makes guaranteeing the fulfillment of this demand impossible” (Laes and Schröder, 2010, p. 200). Instead of denying or downplaying this finding, we can adopt a different take on the vulnerability it implies. In line with STS literatures, we outlined that safety is hardly ever given in a static, unambiguous way, as it would require a description of natural, social and technical aspects, which moreover interact as the boundaries between them are often fuzzy (Bijker et al., 2014). STS scholars also highlight that vulnerability is not purely pejorative, as when acknowledged and addressed, it ‘‘may yield a more flexible and resilient society than one that tries to avoid all vulnerabilities” (Bijker et al., 2014, p. 1), not in the least because it allows for collective learning about safety and its management (cf. also Brohman, 2014). We thus proposed oversight as a concept that can do justice to ‘‘the ambiguity, the context-dependency and the constructed character” of safety (Bijker et al., 2014, p. 1). As we have argued, the notion of oversight urges actors to develop a more varied and dynamic safety vision, beyond the active versus passive safety distinction. One reason for this is that ’oversight’ demands a dynamic interpretation of safety, which accounts for the complexities and uncertainties inherent in safety planning and management. Although it is not plain and simple how to implement the concept in the real world, so to speak, the notion facilitates a critically-reflexive attitude toward safety that acknowledges the problematic character of drawing conventional distinctions. Hence, critical reflection about safety and its governance should be fostered. It should also be an integral part of safety management, as it invites exploration of the multiplicity of safety (and related phenomena) rather than downplaying tensions, uncertainties, and various other interconnections that demand ongoing attention and continuous (re)articulation. Acknowledgments Parts of this paper are adaptations of a report written by the first author in the framework of the InSOTEC project, cosupported by the European Atomic Energy Community’s Seventh Framework Programme (FP7/2007/2011) [Grant Number 269906]. The authors wish to thank Anne Bergmans, Göran Sundqvist, Catrinel Turcanu and two anonymous reviewers for their constructive comments. References Barthe, Y., Meyer, M., Sundqvist, G., 2014. Making Technical Democracy Real: the social and technical divide illustrated by European radwaste examples. Report of the EU FP7 project on International Socio-Technical Challenges for Implementing Geological Disposal. Available online from: (Date accessed: 30/09/15). Bergmans, A., Schröder, J., 2012. Review of initiatives addressing socio-technical challenges of RWM & geological disposal in international programmes. Available online from: (Date accessed: 30/09/15). Bijker, W., Hommels, A., Mesman, 2014. Studying vulnerability in technological cultures. In: Hommels, A., Mesman, J., Bijker, W. (Eds.), Vulnerability in Technological Cultures: New Directions in Research and Governance. The MIT Press, Cambridge, Massachusetts, pp. 1–26. Brohman, B., 2014. Topical report: demonstrating safety. Report of the EU FP7 Project on International Socio-Technical Challenges for Implementing Geological Disposal, InSOTEC, InSOTEC. Available online from: (Date accessed: 30/09/15).

Bruno, G., De Preter, P., Grévoz, A., Madoux, J., Nys, V., Raimbault, P., 2005. Geological disposal of radioactive waste: elements of a safety approach. Paper presented at: EUROSAFE 2005 Safety Improvements – Reasons, Strategies, Implementation, 7–8 November 2005, Brussels. Butler, D., 2012. France ‘imagines the unimaginable’. Nature 481 (7380), 121–122. Available online from: (Date accessed: 30/09/15). Duit, A., Galaz, V., 2008. Governance and complexity—emerging issues for governance theory. Governance 21, 311–335. EC, 2011. Council directive 2011/70/EURATOM of 19 July 2011 establishing a community framework for the responsible and safe management of spent fuel and radioactive waste. OJ L 199. EURATOM, Brussels. FANC/AFCN, IRSN, NIRAS/ONDRAF, ANDRA, DGSNR and AVN, 2004. Geological disposal of radioactive waste: elements of a safety approach. Available online from: (Date accessed: 30/09/15). Forsberg, C.W., Weinberg, A.M., 1990. Advanced reactors, passive safety, and acceptance of nuclear energy. Ann. Rev. Energy 15 (1), 133–152. Hollnagel, E., 2014. Is safety a subject for science. Saf. Sci. 67, 21–24. Hotzel, S., 2015. The concept of oversight: its connection to memory keeping and its relevance for the medium term: RK&M project findings. Paper presented at: Constructing memory. An International Conference and Debate on the Preservation of Records, Knowledge and Memory of Radioactive Waste Across Generations, 15–17 September 2014, Verdun. IAEA, 1995. The Principles of Radioactive Waste Management. International Atomic Energy Agency (IAEA), Vienna. IAEA, 1996. Defence in Depth in Nuclear Safety. A Report by the International Nuclear Safety Advisory Group. International Atomic Energy Agency (IAEA), Vienna. IAEA, 1997. Regulatory decision making in the presence of uncertainty in the context of the disposal of long lived radioactive waste. In: Third Report of the Working Group on Principles and Criteria for Radioactive Waste Disposal. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2003a. Safety Margins of Operating Reactors: Analysis of Uncertainties and Implications for Decision Making. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2003b. The Long Term Storage of Radioactive Waste: Safety and Sustainability. A Position Paper of International Experts. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2006. Joint Convention on the Safety of Spent Fuel Management and on the Safety of Radioactive Waste Management. IAEA International Law Series No. 1. IAEA. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2007. IAEA Safety Glossary,, .. Terminology Used in Nuclear Safety and Radiation Protection, 2007 ed. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2011a. IAEA Safety Standards for Protecting People and the Environment: Disposal of Radioactive Waste. International Atomic Energy Agency (IAEA), Vienna. IAEA, 2011b. Framework for an Integrated Risk Informed Decision Making Process INSAG-25. International Atomic Energy Agency (IAEA), Vienna. ICRP, 2011. Radiological Protection in Geological Disposal of Long-lived Solid Radioactive Waste. Draft Report for Consultation. Elsevier Ltd. ICRP, 2013. Radiological Protection in Geological Disposal of Long-Lived Solid Radioactive Waste. ICRP, ICRP, pp. 1–57. IGD-TP, 2011. Strategic research agenda. Implementing Geological Disposal Technology Platform (IGD-TP). Available online from: (Date accessed: 30/09/15). Irwin, I., 2008. STS perspectives on scientific governance. In: Hackett, E., Amsterdamska, O., Lynch, M., Wajcman, J., Cambridge, M.A. (Eds.), The Handbook of Science and Technology Studies. The MIT Press, pp. 583–607. Kadambi, N.P., 2013. Defence in depth in nuclear safety. Nuclear Engineering International Magazine. Available online from: (Date accessed: 30/09/15). Krupar, S., 2012. Transnatural ethics: revisiting the nuclear cleanup of Rocky Flats, CO, through the queer ecology of Nuclia Waste. Cult. Geogr. 19 (3), 303–327. Laes, E., Schröder, J., 2010. ‘‘On the Uses and Disadvantages of History” for radioactive waste management. Risk Hazards Crisis Public Policy 1 (4). Latour, B., 1999. Pandora’s Hope: Essays on the Reality of Science Studies. Harvard University Press, Cambridge, Massachusetts. Mazurek, M., Gautschi, A., Gimmi, T., Leu, W., Marschall, P., Müller, W., Naef, H., Waber, H., 2004. Geological stability: learning from the past to predict longterm future evolution, in geological disposal: building confidence using multiple lines of evidence. In: Proceedings of the AMIGO Workshop, held 3–5 June 2003, Yverdon-les-Bains, Switzerland, OECD-NEA. OECD-NEA, 1995. The Environmental and Ethical Basis of Geological Disposal of Long-lived Radioacitve Waste: A Collective Opinion of the Radioactive Waste Management Committee of the Nuclear Energy Agency. OECD-NEA, Paris. OECD-NEA, 2007. Regulating the Long-term Safety of Geological Disposal. Towards a Common Understanding of the Main Objectives and Bases of Safety Criteria. OECD-NEA, Paris. OECD-NEA, 2009. Towards transparent, proportionate and deliverable regulation for geological disposal. Main Findings from the RWMC Regulators’ Forum Workshop, Tokyo, 20–22 January 2009, OECD-NEA. OECD-NEA, 2014a. Expert group on preservation of records, knowledge and memory across generations: glossary of terms for the preservation of records, knowledge and memory (RK&M) across generations. Definitions as of 3 March

J. Schröder et al. / Safety Science 85 (2016) 258–265 2014. NEA/RWM(2011)14/REV4. OECD-NEA, Paris. Available online from: (Date accessed: 30/09/15). OECD-NEA, 2014b. Foundations and guiding principles for the preservation of records, knowledge and memory across generations: A focus on the postclosure phase of geological repositories. A Collective Statement of the NEA Radioactive Waste Management Committee (RWMC). Paris. Available online from: (Date accessed: 30/09/15). OECD-NEA and ICRP, 2013. Leaflet on Radiological Protection and Geological Disposal: The Guiding Principles and Recommendations of the International Commission on Radiological Protection (ICRP). Perin, C., 1998. Operating as experimenting: synthesizing engineering and scientific values in nuclear power production. Sci. Technol. Human Values 23 (1), 98–128. Perin, C., 2005. Shouldering Risks: The Culture of Control in the Nuclear Power Industry. Princeton University Press, NJ. Pescatore, C., 2013. Safety, safety case and society – lessons from the experience of the forum on stakeholder confidence and other NEA initiatives. Presented at: OECD NEA RWMC ‘Integration Group for the Safety Case’ (IGSC) Symposium ‘‘The Safety Case for Deep Geological Disposal of Radioactive Waste: 2013 Stateof-the-Art”, 7–9 October 2013, Paris, France, OECD-NEA. Pirson, J., 2010. Reactor technologies. Presented at: Topical day on Generation III Reactors, 21 October 2010, Brussels, SCK-CEN. Rossignol, N., 2015. Practices of incident reporting in a nuclear research center: a question of solidarity. Saf. Sci. 80, 170–177.


Rossignol, N., Turcanu, C., Fallon, C., Zwetkoff, C., 2014. ‘‘How are you vulnerable?”: using participation for vulnerability analysis in emergency planning. J. Risk Res., 1–20 Schröder, J., 2016. Geological disposal of radioactive waste: a long-term sociotechnical experiment. Sci. Eng. Ethics (Published online: 17 May 2015). Scott de Martinville, E., Herviou, K., 2010. Safety for Gen 3 reactors: EPR case. Presented at: Topical day on Generation III Reactors. 21 October 2010, Brussels, SCK-CEN. Sklet, S., 2006. Safety barriers: definition, classification, and performance. J. Loss Prev. Process Ind. 19 (5), 494–506. Van Oudheusden, M., Laurent, B., 2013. Shifting and deepening engagements: experimental normativity in public participation in science and technology. Sci. Technol. Innov. Stud. 9 (1), 3–22. Wallace, H., 2010. Rock Solid? A Scientific Review of Geological Disposal of Highlevel Radioactive Waste. GeneWatch, Buxton, Derbyshire, UK. Weetjens, E., Marivoet, J., Seetharam, S., 2010. Performance indicators quantifying the contribution of safety functions to the confinement of radionuclides in a geological repository system. In: 2010 Materials Research Society Spring Meeting, San Fransisco. Weinberg, A., 1972. Social institutions and nuclear energy. Science 177 (4043), 27– 34. World Nuclear Association, 2013. Safety of nuclear power reactors. Available online from: (Date accessed: 30/ 09/15).