Based on NRC documents, the checklist for a new approach to safety assessments includes meeting the following criteria:

The four areas to be addressed have been described in different ways, but they are basically:

This will require an extraordinary level of cooperation on everyone’s part, and the cooperation challenge will only be exceeded by the intellectual challenge. Keep in mind that the real objective is to arrive at some simplified and efficient regulatory approach, but that this is a likely to be a complex undertaking.

The suggestions provided here are from an independent perspective and are not influenced either by the NRC or by the nuclear utility industry.

Assessment Grades

Problem: One of the most striking inconsistencies in the dialog to date is this business of not assigning grades to the good plants while somehow grading the not-so-good plants. The overall plant assessment could be provided at three levels, such as "green," "yellow," and "red." The intermediate grade of "yellow" is intended to serve as a warning, but it has the collateral effect of providing supposedly inaccurate impressions when used in isolation from collateral information such as trends. Indeed, useful collateral information on rates of degradation or improvement are not necessarily available or, if available, are very subjective.

Even if grades could be accurate and fairly used in all areas, the industry is very sensitive to the NRC's trying to issue grades based on what is admittedly a sampling process. Some of the other stakeholders use such grades for purposes that are not necessarily well connected to those results nor timely. There is a need to develop assessment results that meet NRC needs without causing unintended and inappropriate consequences for the licensees. The use of green, yellow, and red graduations does not really do much to avoid the problem.

Suggestions: Assessment grades of interest to the NRC are both level-related and trend-related. Trends are often more important to the NRC regulatory process, so I suggest that they be emphasized more in the assessment process. The performance levels could be as few as two (satisfactory and unsatisfactory), and the trends could be the same as in recent assessments (improving or declining). Of course, trends can also be graded with the use of appropriate adjectives (e.g., rapidly, slowly, consistently), when needed. This approach is more dynamic and meets the needs of the various stakeholders.

While such an approach to grading is neither new or radical, is it adequate? If adequate, how can we meet all of our criteria using such a simple approach? The discussions that follow provide some possible answers.

One of the necessary starting points is to understand nuclear plant management styles. Management styles are likely to be noticeably different between satisfactory and unsatisfactory plants.   Management must deal with a range of intellectual concepts and practical applications, while the NRC is less constrained.  The NRC is free to deal in the conceptual area without much concern for what is practical or impractical (physically or financially) in the field.  With these obvious perspectives in mind, we have to focus quite a bit on plant management.

Management integrity should be rewarded and encouraged. For each regulatory interaction, the possible polarizing situations should be recognized and openly discussed by managers and regulators. Opportunities to promote a cooperative approach should be pursued, and actions demonstrating integrity should be noted and, when feasible, rewarded.

Figure 2 represents a simplified version of what goes on at a nuclear plant. The boundary lines between and around management and the plant functional areas are deliberately shown to be heavy. This represents conditions often found in unsatisfactory nuclear plants in that communications across such interfaces are weak.

While everyone is aware of such management elements as the plant’s objectives and desired safety culture, these fundamental elements are not well implemented over the long haul.  Perhaps it is important for revision participants to pay attention to what promotes communications and what inhibits communication.

While the above management diagram is intended to pertain primarily to the management of nuclear power plants, it is also useful for the NRC to draw appropriate parallels to its own organization. It is important for the NRC regulatory organization to be as facile as the organizations that it is regulating, contributing to the overall efficiency of the regulatory environment and, importantly, increasing its responsiveness to industry issues and undertakings. Indeed, the NRC and all the other stakeholders have a similar organizational structure that is, in fact, dealing with the same types of intellectual and practical issues and, when they are all combined, form a highly complex nuclear safety management environment.
 

The combination of different organizations (Figure 3) is complex even when they share the same culture, principles, and objectives. In those cases where there are also differences in these fundamentals, the combined organizational environment becomes part of the problem. When we extrapolate these simple organizational concepts to include the entire nuclear safety regulatory environment indicated by "others," we can start to appreciate the communication tasks that we face.

Thus, the problem is to find ways to improve communications, develop a program that leads to improved commonality among such concepts as safety culture, principles, objectives, roles, and responsibilities. That is, we must pay attention to the criteria while coming up with creative yet practical approaches to achieving an improved nuclear safety regulatory environment.

Creativity will likely result in culture shock for some of us, if not all of us. We just do not accept change gladly, even if what we have done in the past is not working as well as is needed. The suggestions provided below may take you out of your comfort zone. Nevertheless, as noted by one NRC assessment team leader, the principal reason these suggestions would be rejected is that they reflect too much common sense. (When he made that comment, he did not know that I wrote a book on that subject and placed it on the Internet at http://Technidigm.org.)

As you consider the following ideas, keep in mind that we can have a consistent means of communication and commonality in many other areas without compromising our separate organizational roles and responsibilities. If we are able to come up with a consensus on some of these areas, we will have achieved significant progress. If we can solve every concern, we will have achieved the impossible, so we should be satisfied with reasonable improvements.

A cooperative and inquisitive attitude is as important to the assessment revision process as it is in running a nuclear plant.  Also, keep in mind that if these tasks were easy, they would have been achieved by now. Thus, perhaps the best we can hope for is that at least a few readers will be able to understand and build on these suggestions.

Problem: Nuclear safety roles and responsibilities for the NRC and the licensees must be clearly defined and implemented. We think we know what we want in this area, but it sure is tough to explain, not to mention implement. With the addition of risk-informed and performance-based methods, the gray areas for roles and responsibilities could become more vague rather than less. We need to get our thoughts organized!

Suggestions:

Find Root Causes in Management: A fundamental concept or principle requiring emphasis is that all issues and problems at a nuclear plant should be assessed for a root cause somewhere in management. Problem plants invariably have failed to recognize this fundamental principle and believe that their management is already infallible. In some cases the solution to improper management has been the wholesale replacement of the entire management organization and the managers themselves. Again, every problem or issue has a root cause in management until proven otherwise!

For example, physical plant problems uncovered within the oversight process are usually time-late red flags that indicate more generic management issues. Proper management is required to ensure up-front control of safety programs and purposeful changes in the level of risk.

This management root cause mentality also applies to other organizations, but it usually only has administrative consequences rather than safety consequences. For example, the NRC itself is not immune to management being the root cause of NRC problems. The four regions have different internal cultures and regulatory attitudes as compared with each other and with NRC Headquarters. As is true for the licensees, top management either controls or fails to control the organizational culture and, thus, the approach to business.

There are also opportunities to improve in the management of cross-functional areas impacting risk. Assuming good training and culture are in place, there are still risk contributors at functional area interfaces. Up-front prevention of safety degradations requires cross-functional awareness that must be cultivated systematically in the regulatory and licensee management and organizational structures.

Separate Principles from Objectives: Much of the roles and responsibilities confusion is due to our failure to separate basic principles from our objectives. Principles and objectives often sound the same, so they are difficult for most of us to sort out. It might help if we connected responsibilities with principles and roles with objectives. Then we can make statements such as, "We are all responsible for enforcing basic safety principles as we execute our roles to achieve safety objectives." Several examples of principles and objectives are provided in Section V, Training Points.

Scoring Schemes: Any scoring scheme brings with it opportunities for misuse. When the scoring is overly simple, it is easier for the uninformed to reach simple conclusions that are erroneous. Nevertheless, proper regulatory processes require us to be able to reach conclusions fairly and consistently so that they do not become a problem in themselves. Thus, in order to have the best of both worlds, we need to find a way to grade simply but in the proper context, which invites complexity.

When we focus on management and functional areas as the targets for assessment, we are particularly vulnerable to management resistance and external stakeholder problems. Management does not like to be criticized, and external stakeholders have difficulty dealing with functional area issues in their complex context. Applying the notion that plant managers are responsible for identifying and correcting plant problems without any NRC help, it is relatively easy to construct a scoring scheme that meets their needs.

On the other hand, with a little imagination, we can also construct a regulatory grade that is quite scrutable but that only makes sense when viewed in its context. Of particular importance is the ability to rollup details in a way that establishes a measure of regulatory interest without creating a measure that encourages "comparing apples with oranges."

Licensee’s Role in Self Grading: Each licensee should fulfill its responsibility for proper management and safe operation by grading each departmental functional area. I would suggest the plus and minus 10 range of scores just to keep things simple. A perfect plant would have a plus 10 in every area. The threshold for being safe in each area from a risk perspective would be at the zero point. A totally failing plant in every area would have everything at minus 10.

NRC’s Role in Using Grades: While it is not likely that a licensee would initially admit to being less than perfect in every area, any licensee self evaluation above zero would not be generally be either endorsed or argued by the NRC. The NRC cares about scores at zero and below and about positive scores that are trending down.

The NRC can focus on a narrow area of disagreement that impacts safety without having to evaluate everything. The NRC can propose a "delta score" for any aspect of management or functional area component. Delta scores are only issued for safety related weaknesses. This perspective allows us to separate safety from reliability.

Using this delta scoring approach, the licensee and the NRC might disagree on safety issues, and the NRC might even take enforcement action regarding safety, but the connection of safety issues to overall plant reliability and profitability is significantly weakened using this approach. Those stakeholders who would like to establish a regulatory connection between NRC delta scoring and reliability for most plants would have to do their homework. Delta scores are not needed for plants shut down for safety reasons, whether shutdown by the licensee or by the NRC.

Comparing Delta Scores between Plants: Since delta scores are only applied to disagreements between the licensee and the NRC, the overall grade for a plant can not be based on delta scores. Delta scores can be rolled up for any and all plants by anyone. They can be contemplated by any stakeholder, but they can not be used in isolation for anything other than measuring the level of disagreement that may exist. They are simply a way of providing a focused tool that promotes regulatory dialog.

Delta Scores Are Not One-Way Streets Either: The NRC would not want to have a track record for changing its mind. In order to have a regulatory dialog on an issue or cause the utility to do something that it would not ordinarily do, the NRC would have to formally issue a focused delta score and the associated explanation. This might be in the form of inspection results or proposed enforcement actions.

In those instances where the licensee could not convince the NRC that its compensatory actions or other corrective actions and accommodations are adequate, then the delta scores at issue could be addressed through arbitration or through a formal judicial process. The licensee would not want to be wrong either.

To encourage the development of increased levels of integrity and fairness, it would also be appropriate to require the NRC to pay licensees the same of amount of the proposed fine that is not supported in court or in arbitration. Also, compensation for legal fees would be appropriate.

Database Development and Use: It would be relatively straight forward to record and display licensee self scores and NRC delta scores using personal computers. Take a moment and layout the essential elements of such a database. Based on your individual experience, you will come up with something different from others.

The important conclusion that you will reach is that such a database can be as complex or as simple as desired. After you have thought about this a little, check out the example database provided in the following pages.

Based on the database for a single licensee and for all licensees, summary data is easily calculated. It is even possible to breakdown scores between PWRs and BWRs, between old and newer plants, and for each NRC Region. Shown below is a summary table for the plant data presented on the previous page and an example of comparisons that might exist relative to other plants. Additional comparisons are readily achieved by simply trending this type of data for different periods of time.

Again, it is important to recognize that these are numbers that indicate safety perspectives of the licensees as compared with the those of the NRC. In general, the data are scrutable in terms of safety regulation but do not lend themselves to simple minded evaluations or applications that are not directly related to safety. Indeed, the relevance of such data to such issues as plant reliability are arguable in either direction.

Assessment Grades Conclusion: We started this first section by suggesting that we should consider using a satisfactory/unsatisfactory approach to assessment grades, using trend information for any necessary refinements. We then suggested that this simplified approach might be easier to achieve if all the stakeholders understood and agreed upon basic management issues, such as communications and other common denominators. By emphasizing the assessment of plant common denominators in terms of basic nuclear safety principles and objectives, roles and responsibilities are clarified. This understanding forms the foundation for stabilizing plant safety performance and for assessing that performance. Once this foundation is in place, the application of risk-informed and performance-based data can be more readily applied to determine trends among the different plant designs and risk models. This brings us to the second area of concern – risk and performance.

Now that the nuclear industry has developed and refined its notions of risk, it is attractive to look for a way to apply those notions in a practical way to improve the safety oversight function. We must emphasize practicality because not everything that is theoretically possible can actually be implemented. Also, it is easy to go too far and depend too much on theoretical risk insights, perhaps overlooking real-world drivers that are of more consequence in terms of practical elements of risk that are neither quantitative or objectively measurable.

To operators, this is operator judgment. To engineers, this is engineering judgment. To regulators, this area of judgment is often very uncomfortable. Thus, we like to think we can back up our risk judgments with something called performance. That is, if something works consistently, it must be better than something that does not, risk data notwithstanding.

Problem: Licensees routinely identify and correct the root causes of adverse, risk-related conditions without screening out such actions based on the apparent risk associated with the symptoms of root causes. Risk-informed and performance-based methods may be useful in our efforts to improve regulatory efficiency and scrutability, but we are not sure how to get there from here. If we neglect something that has risk associated with it, it will eventually cause a problem. Thus, while risk helps us with prioritization and scheduling, using it to truncate the overall list of corrective actions may increase risk over time.

Suggestions: Assuming that we have laid a good foundation using the available common denominators, as described above, we can more consistently and predictably apply the sophisticated risk concepts that we also think will improve our focus and, thus, our efficiency. We can also seek to connect risk to these foundation fundamentals, a logical connection because some fundamentals should have huge impacts on risk. For example, we expect to have negative trends in plants having poor safety cultures, removing several barriers important to containing risk.

We can even refine our focus on the barriers to risk impacts in terms of trends, supporting our simplified approach to grading. For example, trends involving responsibilities and fundamental principles may be more risk important than other trends if they are more difficult to correct. A single strong-willed manager (inappropriately viewed as a strong leader by some) who does not understand basic nuclear safety principles and risk issues can launch a series of risk impacts that single-handedly result in an adverse trend in plant safety performance. Indeed, the most obvious examples of this occur at high levels in the organization and provide a source of subordinate derision for years thereafter. Such examples also occur within the NRC, but with less direct impact on nuclear safety.

Applying risk to the fundamentals is interesting, but we really want to a condition where the fundamentals are stabilized so that we can get down to the ripples that have historically been hidden by the waves. From a regulatory as well as an operational perspective, limited resources are easily overwhelmed by the waves, which often show up unexpectedly after several years of negative trends. Again, the first step is to deal with the fundamentals that control the waves.

Once the risk boat is no longer being rocked by these fundamental waves, we can move from gross measurement processes (radical shifts) to those that are more refined (barely noticeable). Using our more refined risk-informed and performance-based concepts, we hope that such things as satisfactory and unsatisfactory plant evaluations can be more easily described in terms of transitory events, proposed plant changes, or data-induced evaluations. We want to be able to add up and trend low levels of risks quantitatively and then be able to show all the stakeholders a logical and repeatable process that leads fairly to any necessary enforcement actions. We want enforcement actions to mean something and to produce timely changes in licensee behavior, but only where change is needed.

In the past, some enforcement actions might have been justified in terms of risk after the decision for enforcement action had already been made. These may have been subjective decisions based on NRC staff ill-founded perceptions of plant fundamentals such as the safety culture and management styles. While the perceptions could turn out to be valid in some cases, it is possible that they were not all valid and that some enforcement actions were viewed as unfair by industry. It is our intent to have excessive risk degradations, if they occur, to be identified and measured early in the field in a cumulative process, one that lends itself to gradually developed trends rather than dramatic reversals.

Having taken responsibility for and established a recognized level of control over basic risk issues, the licensees can then address NRC-perceived adverse issues or trends without having to be labeled unsatisfactory based on one assessment of one system. The NRC issues and trends would no longer suggest that high levels of fundamental risk can be inferred from the relatively small technical assessment sample. Moreover, for those few plants that are found to be fundamentally posing higher levels of risk to public safety, the NRC would have a more scrutable logic for redistributing assessment resources accordingly. The NRC would also have a more recognizable basis for taking enforcement actions, more often dealing with trends but in an increasingly timely manner.

Mathematical risk information or data provide tools for improving plant-specific safety judgments. These mathematical tools are limited in that they must be used by risk-informed managers to have any useful impacts.

Risk-informed technical decisions are most valid within the framework of a good nuclear safety culture, a good training program, and good management processes. That is, emphasis on risk-informed assessment results is inappropriate for plants that are weak on such safety fundamentals.

In general, SROs are the best individuals to apply risk related data in making in-context plant safety decisions, including the development of testing and maintenance priorities. Properly trained operators understand safety system integration, defense-in-depth, and plant emergency dynamics. Thus, a plant where operators are found not to be involved in risk-informed prioritization processes would be suspect from an oversight perspective. By the same token, NRC inspectors or evaluators can not generally reach risk-informed conclusions in the absence an integrated perspective, such as that found in senior operators.

A low-risk event or issue may imply a generic issue of higher risk. While the low-risk instance may not require action, the more generic implications involving higher risk possibilities will generally require action. For example, poor bolting practices observed in a non-safety system or component will generally lead to evaluation of bolting practices applied to safety systems and components.

Probabilistic analysis of combinations of operational and assessment results should be undertaken, creating combinations of adverse precursors in physical systems and in the management arena for the consideration of experienced technical analysts and managers.

Risk-Informed and Performance-Based Regulation Conclusion: Combining these points with those made in Section I, we can use the simplified grading concepts with the more gradual changes in regulatory assessments to structure a more efficient assessment process. This requires a continued cooperative attitude and an inquisitive mindset. None of this discussion up to this point actually meets our goals of practical implementation, but we are edging closer to making that a possibility. In the next section, the rubber meets the road.

To meet the assessment process revision objectives within the stated criteria, we must come up with a realistic approach that allows practical as well as efficient nuclear safety regulation. In particular, we are focused on how to provide assessments of ongoing nuclear plant events and activities such that any necessary regulatory interventions are timely. We have already discussed in Section I and Section II some of the applicable fundamentals. Is there a practical method for bringing all of these things together?

Problem: The net results of the NRC's safety assessment efforts seems to be inconsistent with the amount of resources invested. Considering the marginal risk and reliability impacts of some NRC regulatory activities, the industry is increasingly viewing the NRC's efforts as nonproductive interference that forces nonproductive or wasteful activities on the part of the licensees. From the NRC perspective, requirements-based regulation of the diverse plant designs, material conditions, and operational situations is not efficient under the current redundant and poorly coordinated assessment paradigm. We need a smoother approach to nuclear safety assessments and a better connected enforcement program.

Suggestions: The NRC does not have (and should not have to have) the resources needed to "ensure" nuclear plant safety at a plant that may have an inadequate nuclear safety culture, poor management, or less than excellent training program. However, when these fundamentals are adequate, the NRC's resources should be adequate to detect adverse trends. Enforcement should be in response to uncorrected adverse trends to the extent feasible.

Comprehensive evaluations of a plant's safety issues (e.g., contained in plant issues matrices) require a level of expertise and overall awareness that requires significant resources. Licensees are expected to have such resources at the plant-specific level, but NRC may or may not have such resources. Thus, plant self assessments are central to nuclear safety, and the NRC focuses on identifying exceptions to those self assessments.

Each licensee should be responsible for ensuring the continuous availability and performance of risk-related fundamental resources, including adequate management, operations and support personnel, and the various physical plant resources needed for the safe design, testing, operation, and maintenance of the plant. Assessment of those plant resources by the NRC should be routine, but adverse trends and deficiencies involving fundamentals should dealt with first as high risk issues rather than as potential precursors to high risk issues. In the past, the requirements-based mentality has led us to believe that risk is not increased until a specific requirement has been violated. This is too late and requires too much work to achieve recovery.

Key to success: In a regulatory environment where both the regulator and licensee are responsible for performing their respective principle-based roles cooperatively, it is possible to create a nuclear assessment and enforcement paradigm that reflects those responsibilities. Unfortunately, it is much easier to claim a desire for a paradigm shift than it is to accept one.

In the very conservative environment of nuclear regulation, the possibility that the near-term result of the assessment revision process will be a significant change in assessment paradigms is itself a remote probability. Moreover, the nuclear industry may not have a viable option that does not take us too far in the other direction. Nevertheless, it is essential that the options be placed on the table. One option is to have it both ways, agreeing that disagreements will exist.

The option that I have in mind is similar to one that I proposed almost ten years ago in connection with the then embryonic development of maintenance program assessment improvements. Although it is less quantitative than my original suggestion, the current Maintenance Rule is conceptually consistent. Thus, the option proposed here can be viewed as an extrapolation of the Maintenance Rule, although one does need to use a bit of imagination to come to this conclusion.

The current paradigm: We may each have a different current paradigm in mind, but the differences are of little interest for this discussion. My personal perceptions are consistent with what I think I read in the various transcripts and statements related to this assessment change process, which happens to be consistent with my experience doing safety assessments in all four NRC Regions.

The current paradigm is one of polarization rather than cooperation. The licensees minimize issues and the NRC maximizes them. The licensees are required to report bad things, but this sometimes requires a level of integrity that creates adverse consequences for honest managers.

The NRC fields various inspection teams that focus on details (risk ripples) while largely ignoring fundamentals (risk waves in management , safety culture, and training) even when they are evident. The NRC is only given information asked for, and the licensee shifts and focuses significant resources to address whatever details the NRC team determines to be of interest.

In some cases, the licensee hires additional staff and launches extraordinary self assessments to head off or mitigate as many potential NRC findings and violations as possible. None of this effort is particularly risk significant, although most assessments involve key safety systems that have had problems in the past. The NRC assessment findings often go to the head of the line in priority, with violations of requirements getting enforcement attention without necessarily reflecting any notable increase in overall risk.

My proposal: In view of their respective capabilities and responsibilities, the licensee and the NRC should each evaluate critical safety performance areas, using risk-informed methods and characterizations. Graded areas could be based the functional areas and safety system performance, or they could be more complex such that the fundamentals of each functional area and safety system are graded. We can add fundamentals such as having good system engineer programs, which are actually based on the previously stated fundamentals of management, safety culture, and training. Note that the more we rely on actual performance (results), the more likely we are to have allowed risks to increase before taking action. Nevertheless, we must monitor performance as a means of backup for the more proactive evaluation of the fundamental programs.

The neutral grade is zero: In view of the vulnerability of licensees to having grades that will be misused by others, a satisfactory grade would simply be a zero. Transitory good and bad risk-informed conditions and performance-based data are then graded above or below zero, perhaps up to plus or minus 10. A self assessment of zero or above in all areas would be viewed as satisfactory from a regulatory perspective.

The grading system can be made as complex or as simple as the licensee or the NRC may desire. For example, different systems or functional areas might have limits other than plus and minus 10, depending on risk. Fundamental areas such as training, management, and safety culture may also impact risk more dramatically since they can influence many areas, including the different barriers that provide defense in depth. Also, each functional area could be broken down into as many parts as desired and later rolled up into an average grade that would most often be on the satisfactory side of the zero frame of reference.

The licensee provides the primary assessment grade (however characterized) for each area and sub-area. The NRC may take exception to the licensee's self assessment grade, assigning a lower (but not a higher) grade. When performance-based data become available, the licensee uses the data to adjust the related assigned scores either up or down, using risk-informed methods. The grade change and the associated justification are documented, including the living element that allows the points awarded to return to zero at some time in the future.

Likewise, the NRC might use the same performance based data to lower the NRC version of the score, even further than a decrease announced by the licensee, if deemed appropriate. The NRC scoring is relative to the licensee score, creating a negative delta grade value for the licensee to contemplate and deal with. The licensee is free to disagree with the NRC delta grade. Such deltas then becoming both a management tool and a communications device that can more closely track what is going on from day to day in the risk area. The deltas that may exist between the licensee and NRC scores are also useful in the enforcement area.

The NRC may decide to reduce its delta grades based on time late or time passing considerations. The NRC may also choose not to impose its (negative) delta grade because of the licensee's corrective action response or due to compensating factors that result in a longer-term grade of at least a zero anyway. Zero grades suggest adequacy, but it is generally in the interest of the licensee to achieve and document higher grades in as many of the graded areas as feasible. The licensees and the NRC are free to institute or ignore grades in any of the areas. They are merely communication devices are not end results. They are also difficult to compare among different plants since each plant will have strengths and weaknesses in different areas.

Advantages of my approach: This approach shifts the responsibility for establishing (admitting to) the performance ballpark to the licensee. The licensee knows (or should know) where that ballpark is and should not hesitate to put it on the map in a realistic manner. The NRC may then assess the licensee's characterization on an exception basis, focusing on risk characteristics.

Interestingly enough, and meeting our goals and criteria, under my approach the NRC can no longer generate new assessments of the same functional areas without also considering whether they are redundant or inconsistent with previously identified issues. The licensee may have already assigned and explained a negative grade based on the same information. The licensee may have also identified compensating positive characteristics in the area of concern. Nevertheless, the NRC may identify additional arguments in the details of functional areas that the licensee may not have considered.

Any differences of opinion between the NRC and the licensee serve provide opportunities for dialog and clarification. Both grades are valid, and the delta (difference) between an NRC grade and the licensee grade provides the basis for possible improvements. In the absence of an NRC negative grade, the licensee grade is the grade of record.

Multiple risk impacts in the same graded area will indicate a key weakness. This establishes a basis for developing enforcement methods that are simple and predictable. When we also apply the notion that management root causes are to be identified and corrected, several diverse deficiencies might be applied to establishing the licensee's grade or delta score in a single management area, as may be appropriate and useful.

Extra resources for watch lists are not needed: Under the self-scoring approach, NRC assessment resources can be more effectively applied to emergent waves and ripples in each of the licensee’s self-scoring paradigms. The approach is responsive to changes and can even reflect or replace the plant issues matrix (PIM) data. Licensees can exchange information on improvement strategies without necessarily referring to the NRC for guidance and approval. For those plants having difficulties, the licensee's self assessment scores would be negative and would invite NRC attention but not necessarily any more of its resources. The NRC would shift resources primarily to deal with "differences of opinion" as reflected in a rolling list of NRC negative delta scores.

That is, for the licensees that are having troubles and know it, there is no point assigning additional resources to validate that fact. While it might be appropriate for the NRC to do a double check before the plant goes back on the line, such a check would be focused and would be limited in its demand for NRC oversight resources. For those plants that have fundamental problems in management, training, and safety culture such that they do not even admit to having weaknesses or the need for corrective actions, additional NRC resources might be needed. Those resources would largely be limited to assessments of fundamentals rather than details, assuming that the licensee demonstrates the capability and desire to take the necessary corrective actions.

While there may actually be licensees that would continue to require additional NRC attention, the responsibility for identifying and correcting problems would still remain with the licensees. The NRC is simple not able to accept responsibility for the timely identification and correction of plant issues, and it should not support a culture that expects this. Focus must be on the industry’s responsibility to ensure its own success without playing hide-and-seek with regulators. This must be done by the individual licensees and in a cooperative manner across the entire industry to be successful.

Data Integrity: Using a central database, the NRC could also track its negative delta scores and determine generic issues and acceptable corrective actions. The approach is also Internet friendly and makes everything scrutable at different levels through links to plant-specific and issue-specific explanatory information. The data provide the basis for an NRC decision model that may be as simple as counting deltas or as complex as rolling up and trending the entire industry’s status.

Each licensee and each NRC Region can manage and input its own data when changes occur. All emergent and long-term issues can be linked to a non-redundant data point for all plants or for a single plant, and each such issue must have risk impacts to be credible. Moreover, all requirements and violations would have to be evaluated in terms of risk as applied to functional areas, management, root causes, and basic principles.

One of the primary objectives for enforcement is to correct inappropriate behavior. Such corrections need to be based on fair assessments of the safety risks involved, and they should be the result of an orderly and highly visible process. One way of achieving all of these objectives is to rely on the NRC delta scores described above.

Enforcement consistency: Enforcement actions would be based on actual consequences relative to the licensee's self assessment, with the applicable functional area grade deltas (if any) being used for the purpose of escalation. Various mathematical formulas might be used that would discourage adverse safety behaviors as well as encourage licensees to be open and forthright.

For example, if a licensee claims a strength in an area of positive five but the NRC believes that it is actually a minus four, then the licensee’s consequences for events having root causes in that area would be multiplied by a factor of nine (four plus five). This approach is self-scaling in that the licensee would be motivated to ensure that its assessments are correct and may decide to lower its own grade in an area to minimize NRC delta scores and any possible fines. Of course, it would be more appropriate to agree with the NRC perspective in the first place, rather than be motivated by cost factors. Nevertheless, the licensee will focus quantitatively on each aspect of disagreement, understanding and weighing safety risk issues against whatever non-safety considerations might be involved.

Violations of various requirements that are not arguably relevant to risk would not result in a negative score and, thus, would not require enforcement actions. However, in cases where the licensee fails to recognize or compensate adequately for such risks, resulting in a performance-based problem, the enforcement process would be more severe. In those cases where a NRC negative delta score was not properly addressed by the licensee (hopefully a very unusual occurrence), then the enforcement action would normally be more severe, in proportion to the applicable delta scores.

Other Enforcement Considerations:

• Enforcement consequences should be increased in cases where a licensee meets the letter of a requirement yet knowingly fails to meet the evident intent of that requirement. This would be reflected in management’s safety culture scores. If not voluntarily identified by the licensee that the licensee’s management safety culture avoids addressing intent, then the NRC is free to apply a delta score in this area. Such a score might persist for a year or two and be applied in subsequent situations as well.

• Changes to enforcement program consequences should be gradual, allowing licensees an opportunity to adjust their perspectives and programs to any shifts in risk-related priorities. This might be implemented by allowing the licensees a reasonable amount of time to take corrective actions before considering enforcement. Nevertheless, the delta score might still persist well beyond the enforcement time limit for one issue and be applied to a later issue of similar ilk. This maximizes NRC flexibility and encourages continuing followup by the licensees.

• The basis for determining enforcement requirements, if any, that could result from the same deficiencies found at different plants is seldom the same. Thus, the consequences are expected to be different. The basis is different primarily due to differing safety systems, procedures, and other elements of defense-in-depth. This may include differences in management, training, and safety culture.

• Enforcement actions and related escalations should be tied primarily to the broad areas of nuclear safety culture, management, and training. Unless deficiencies are found in one or more of these areas, the NRC should be reluctant to conclude that there is a licensee deficiency requiring enforcement actions. Although some deficiencies might not fall under one of these areas, a risk-informed safety assessment of a deficiency should in each instance include a discussion of one or more of these areas. Of particular concern is the tendency to take the enforcement route even when a licensee made an honest procedure-related mistake in spite of having a good safety culture, good training, and good management.

• The absence of NRC assessment negative feedback does not in itself justify a conclusion that a licensee is performing in a satisfactory safety framework. It only means that the NRC has not discovered poor performance. It still remains the obligation of the licensee to self assess and know its weaknesses even when the NRC does not.

• Enforcement should be time-aware in that the enforcement relevance of corrected or controlled issues fades with time while the enforcement relevance of uncorrected or uncontrolled issues increases with time. The NRC delta scores should be programmed to increase with time for risk related issues that are not resolved quickly. This can provide a corresponding increase in licensee motivation to take action before a root cause area reaches a score of minus ten. The NRC might even assign specific action thresholds for plants that have reached relatively egregious scores in appropriate areas. Certainly, any self score or NRC score that is well below the assume satisfactory score of zero would require significant action by the licensee and, if not the licensee, by the NRC.

In the process of developing sections I through IV, I identified a number of points that are relevant to some of the key concepts, but that are training details or otherwise peripheral. In view of the already complex nature of the revision process, these details would not contribute much to the immediate effort.

These training points could be considered important in refining some of the approaches suggested in the previous sections. In addition to training, these points may also be used as stimulation for those stakeholders who are highly motivated and interested in the many details that are involved in some of these concepts. These details are simply listed below for your contemplation, discussion, and refinement.

Details:

As already discussed in previous sections, we can clear up a great deal of regulatory confusion on such matters as roles and responsibilities by separating principles from objectives. Some examples of safety principles and objectives that are also relevant for discussions are discussed below.

Examples of Principles – For General Discussion

Obvious principle: Licensees are responsible for developing and maintaining a good safety culture at a nuclear site. The NRC is responsible for developing and maintaining a good nuclear safety culture within the NRC and with regard to its selection of inspectors placed on site.

Not-so-obvious principle: Licensees are responsible for identifying all plant deficiencies, assessing them, and determining required actions. The NRC should be aware of identified deficiencies and corrective actions, evaluating the licensee's overall programs in terms of public safety. (Objectives are often implied by principles, but the principles often apply to several different objectives.)

Obvious principle: In cases where the NRC independently identifies plant deficiencies that the licensee failed to identify and report, the NRC should view this as an indication of a larger problem. The licensee will normally find many more deficiencies than the NRC.

Somewhat new principle: Deficiencies as well as inadequate responses to deficiencies most often have a root cause somewhere in the area of plant management.

Radically new principle: A good nuclear safety culture includes the generally held notion that nothing at a nuclear power plant can be considered "trivial."

Obvious principle: The licensee is primarily responsible for the safe design, testing, operation, and maintenance of the plant.

Instructive principle: Issues must be viewed in terms of trends as well as their apparent risk.

Examples of Objectives – For General Discussion

New objective: Scrutability of the regulatory process is a recently emphasized objective. Regulatory clarity and consistency are best achieved by first focusing on the common denominators found among the various licensees. Common denominators (e.g., training, safety culture, and management) are often identified and discussed, but improving assessment scrutability requires that such common denominators be strengthened. Thus, a key objective for the new assessment process is to identify such common denominators and to state their underlying principles, define the risk-informed performance objectives, and identify performance-based symptoms of satisfactory implementation.

Emphasizing management as an assessment objective: Management is a common denominator that can often be strengthened. In particular, increased emphasis is required on identifying management root-causes for safety issues. A single management root cause can manifest itself in several unrelated areas. When a root cause has multiple impacts, the result is often multiple regulatory requirements to address the symptoms rather than the management root cause. Management does not like to be looked at, but the NRC assessment teams should be more proactive in this fundamental area. Even more fundamental than the root causes found in management processes are those found in management's training and safety culture. Regulatory scrutability can be enhanced at some plants simply by objectively addressing these management fundamentals, which would reduce the number of seemingly unrelated issues.

The ultimate objective: Each licensee attains a level of safety that is so high that the associated level of risk is not only difficult to measure but also difficult to deny from the perspective of any knowledgeable stakeholder.

The minimal objective: Licensee safety performance meets or exceeds regulatory safety requirements and is improving.

An enlightened objective: Licensees meet the intent as well as the letter of regulatory safety requirements. (This is also a basic principle, one that needs more buy in by some managers.)

Reinforcing objective: The NRC assessment process is implemented in a manner that encourages the licensee to proactively pursue a satisfactory and improving safety framework.

Reinforcing objective: Licensees look first to management and management processes for root causes of deficiencies.

Implementing responsibility-based principles through performance-based objectives: Holding people "accountable" for deficiencies starts at the top of the plant organization. Accountability is more intensive at higher levels except when deliberate acts are involved, mitigating but not eliminating that accountability.

Cultural objectives: Plant personnel at all levels are inquisitive and pursue seemingly trivial issues to explore more significant root causes and effects.

Regulator-first objective: The NRC safety culture provides an example of excellence that is seldom exceeded by any licensee safety culture.

On-the-right-track objective: There is evidence that plant safety performance is improving.

Ultimate objective that may never really be achieved: There are no preventable nuclear safety deficiencies.

Other Points to Consider:

• Design basis adequacy, management, and control are increasingly challenged as plants age. That is, design basis information requires more rather than less active management to activate required levels of inspection and control as plants age.

• Knowledge of design basis information was at its peak during the plant design phase. It is difficult to re-establish and maintain design basis information and knowledge of that information during the operating phase.

• Short term and long term corrective actions should be systematically identified and tracked for each issue. Separating short term expectations and corrective actions from those that are long term will increase regulatory clarity or scrutability.
• The regulator and the licensee are naturally polarized stakeholders, a situation that can promote reduced levels of integrity on each side. Polarization can be minimized through improvements in training and through the development of an over-arching nuclear safety culture.

• When facts are used in a regulatory framework, they should be characterized as either complete facts of incomplete facts. For example, violations of regulatory requirements represent isolated facts. In the process considering those violations in terms of risk, many additional in-context facts must be identified and evaluated.

• When opinions or sets of incomplete facts are found in the regulatory arena, further research is generally required. Identification of what is not known improves regulatory scrutability and fairness.

• Issue resolutions should be based on an adequate array of facts such that it becomes possible to apply risk-informed regulation actions fairly and consistently. When regulatory actions are undertaken without all the facts being available, the associated judgments must be stated and a path of later recourse identified.

• Nuclear safety requirements are not adequately stated or constituted if they need to be "interpreted." Also, adequately stated nuclear safety requirements are not understood by all stakeholders indicate a possible deficiency having its root cause in nuclear safety culture, training, and/or management. Nevertheless, all nuclear safety questions that are not fully understood must be promptly challenged and, if needed, stated more clearly.

• Inspectors should have the flexibility to apply or not apply generic regulatory requirements in plant-specific situations. The NRC Team Leader, being a government official, should be delegated the authority to authoritatively determine that a generic industry or regulatory requirement is of no safety or enforcement interest in the plant-specific context.

• Inspectors may feel obligated to find issues. This can result in minor points being exaggerated in inspection reports beyond the risk-informed level. It is difficult for licensees to then counter the inspector's exaggeration without appearing to be defensive or without appearing to less safety conscious than they actually are.

• Depending on the plant context in which a point is applied and on the context of the inspector's experience from which that point springs, a significant range of risk perspectives and actualities may be present. Thus, efficiency can be increased by identifying the range of possible risk perspectives as part of the report development process.

• Inspectors should indicate the associated level of risk (consequences) and comment on the nature of the plant-specific barriers and mitigations that are already in place. If the available barriers and mitigations at the plant in question are not considered by the inspector to be adequate relative to risk, this should be stated in the report.

• Likewise, the inspector should indicate the potential applicability of the point to other plants, which may have different barriers and mitigations. Such information should be made readily accessible to all other plants in an informal manner in an "Inspector Dialog" database. The dated information should be arranged by system and topic. The advantages include rapid promulgation of potential issues as well as the possible ways to minimize the associated risk.

• Issues identified during assessments are applied as feedback to the overall assessment of the plant in the corresponding, applicable areas. They are not all-inclusive listings, but are only indicators that management processes need to improved, generic concerns identified and acted on, and the associated specific deficiencies corrected in a timely manner.

• The results of assessments should be incorporated into the licensee's overall plant management and corrective action programs, with each specific issue being addressed in accordance with its risk based importance as compared with other known issues.

• NRC assessment derived issues should normally require no extraordinary followup or corrective action acceptance relative to other known risk-related issues.

• Nuclear safety can not be ensured if there are weaknesses in one or more of the basic design areas: design basis and as-built documentation, configuration management processes, ongoing testing to design, ongoing maintenance to design; and ongoing training to design.

• Every issue or deficiency must be considered in terms of its short term corrective actions (quick fixes), the long term corrective actions (management programs), and the possible adjustments to long term corrective actions that may be needed later (management program reviews).

• In the absence of a good training program or a good nuclear safety culture, risk-informed processes have no meaning.

• Any adverse condition is a "red flag" and is always of safety significance. Root causes of "red flags" that are most important can not be identified properly unless we are risk-informed.

• When we are risk informed, root causes of adverse conditions may be categorized as risk significant. Risk significant root causes, even when not specifically identifiable, are of prime regulatory and enforcement interest.

• Unidentified and/or uncorrected root causes will eventually lead to increased risks and safety-related consequences. These future risks are often of more safety consequence than the risks that we have already discovered in finding a symptom.

• A risk-informed approach to plant safety issues exists in an environment of technical competence (well trained personnel) and safety consciousness (an excellent nuclear safety culture).
• Deficiencies found at one plant do not necessarily or generally carry the same risk weight if the same or similar deficiencies are applied at another plant.

• Risk information or data collected for and applied to systems, system components, alternative trains and alternative systems are difficult to integrate within the overall defense-in-depth framework. This is due to the presence of less objective lines of defense such as direct operational oversight and general plant management. Thus, risk assessments and safety adequacy determinations are valid only within the framework of a continuing, strong training program and safety culture as applied to all organizational levels and functional areas.

• Efficient risk-informed processes between regulators and licensees require agreement as to what constitutes an adequate, underlying nuclear safety culture and what constitutes adequate training. These areas have historically not been the central focus of inspections or enforcement. While they have often been noted as potential root causes of issues, their assessment and standards of excellence have usually been of addressed as being of secondary (not central) importance. This lack of emphasis is often a result of resource priorities either for the licensee or for the NRC inspection teams.

• NRC and licensee resources for training on safety culture are often limited. Without a strong emphasis on such resources, the proposed risk-informed environment would create new opportunities for the weaker plants to fail.

• Moreover, weaknesses in safety culture are the primary precursors for Watch List plants. Neither the NRC nor the licensees appear to have consistently adequate capabilities in safety culture, either in terms of development or assessment.

• To support risk-based regulation, the NRC and the industry should establish an independent entity (e.g., a Nuclear Performance Academy) to become a high-level authority and source of guidance in these two areas.

• All current and future nuclear industry personnel, regulatory personnel, and nuclear contractors should be required to receive intensive orientation and training on basic nuclear culture, nuclear training expectations, and the nuclear risk-informed environment.

• In addition to the regulators, licensees, and other current stakeholders, an independent entity of overall authority and competence in nuclear training and nuclear safety culture is needed. All stakeholders would be invited to contribute their perspectives and arguments for evaluation, refinement, and appropriate inclusion. The output of such an entity would be nuclear certified personnel having the highest possible level of nuclear safety capability, advocacy, and safety-first integrity.

• Feedback based on actual plant issues or problems that impact the training program, nuclear safety culture, or the risk-based environment is required to achieve the nuclear performance excellence objective.

• The NRC already recognizes the time-late problem in which declining plants are often not identified until after they have become increased risks to public safety. To be able to prevent or mitigate the time-late problem in a risk-informed environment, more substantive common-denominators are needed for all stakeholders in the nuclear training and safety culture areas.

• The proposed nuclear training and excellence entity would be created through legislation and would be headed by a senior nuclear professional of broad experience and, most importantly, having the necessary independence and integrity. He or she would select, hire, train, and certify other persons from among the stakeholders as needed to meet the goal of nuclear training, culture, and risk-informed excellence.

• The opinions of all stakeholders are important in establishing and sustaining a satisfactory risk-informed environment.

• Performance-based, factual inputs to the risk-informed environment must be applied with great circumspectness and caution to avoid the creation of new problems or vulnerabilities. Facts taken out of context and applied elsewhere will have random effects on risk management.

• Overall risk is a function not only of equipment and system reliability. We must include operational and management oversight levels of defense-in-depth as well as the fundamental risk-based foundations found in training and safety culture. Research regarding the relationships or dependencies among all of these factors would be helpful.

• The NRC and the industry should develop their problem solving skills. Better problem solving skills would lead to better insights for the risk-informed environment. Improvements are particularly likely in the areas of multi-component interactions and multi-system interactions. For example, there is too much reliance on component vendors to produce corrective actions, and this reliance diverts attention from the system design, operational, and maintenance areas.

• Emergent issues and problems should not be "preventable." Thus, a valid performance indicator would be the number of management-preventable, risk-significant issues and problems discovered during the rolling assessment period.

• Senior plant managers do not override technical decisions made by junior managers unless they are technically competent to do so. An indication of that technical competence is that the junior managers voluntarily support the decision made.

• Performance indicators related to safety are often used as a reflection of financial management competence. It is inaccurate and a disservice to stakeholders to consider safety indicators outside the context of the plant nuclear safety culture, the plant training program, and the licensee's overall management effectiveness.

• Overall, it is appropriate to rely on the judgments of technically qualified managers with demonstrated integrity.

• A manager's integration of financial and safety issues reflects on that individual's integrity. When technically competent managers favor financial drivers over safety drivers for any reason, they place the issue of integrity on the table.

• When technically incompetent managers are in a position to decide on safety priorities, accountability rises higher in the organization.

• Technical research at the component, system, plant, and overall management levels is needed to provide data needed for risk analysis. Management data for a failed organization are as at least as important as maintenance data for a failed system component.