No. S-01-032
THE NRC'S PROGRAMS AND PROCESSES FOR SAFETY OVERSIGHT
Dr. Richard A. Meserve
Chairman, U.S. Nuclear Regulatory Commission
U.S. DOE Executive Safety Conference
Grand Hyatt, Washington, DC
December 11, 2001
Introduction
Good morning. I would like to express my appreciation to General Gordon
and Under Secretary Card for their invitation to speak to you today concerning
the Nuclear Regulatory Commission's safety oversight programs and processes.
(Slide 1) Since the theme of this conference deals with safety management,
I would like to acknowledge that the title of my talk reflects a primary tenet
of our regulatory philosophy - namely, the responsibility for safety management
falls on our licensees' shoulders. The NRC's responsibilities are to monitor
performance, assess the effectiveness of safety management programs and activities,
require corrective actions to deal with deficiencies in those programs and
activities, and to take appropriate enforcement action for failure to comply
with regulatory requirements, which in the most egregious cases could include
suspension or revocation of a license. You have just heard Mr. O'Hanlon address
safety management from the perspective of an NRC licensee; I will be focusing
principally on safety oversight.
Because the NRC is an independent regulator and overseer and does not have
operational responsibilities, the NRC has a relationship with its licensees
that is fundamentally different from DOE's relationship with its contractors.
Nonetheless, I believe that the NRC's recent experiences in implementing oversight
processes and programs that are risk-informed and performance-based can be
helpful as DOE strives to implement Integrated Safety Management throughout
its complex. This belief is based not only on the results we have seen as
we have put our new programs in place, but also on my past experience as a
member of several National Academy of Science panels that were chartered to
evaluate safety issues and performance in the DOE weapons complex and at DOE's
reactors.
In discussing the NRC's safety oversight activities, I will focus primarily
on those dealing with reactors. As most of you are aware, the NRC's regulatory
purview includes not only reactors, but also the use, handling, transport,
and storage of radioactive materials. In fact, there are more than 100 times
as many materials licensees in the U.S. as there are reactor licensees. Nonetheless,
most of the agency's regulatory resources are focused on reactor regulation,
because that is the sector that has the most potential impact on the NRC's
overall safety mission. Because reactor technology has many elements that
are common from licensee to licensee - in contrast to the wide variation in
materials-related activities - it has been easier to put in place our new,
risk-informed oversight process for reactors. Similar programs are underway
in the materials arena, but they are not as far along, for reasons that I
hope will become apparent as I proceed.
Let me turn now to a brief discussion of the bases for plant safety performance,
after which I will describe our reactor oversight process - the way it used
to be and the changes that we have recently implemented.
Reactor Safety Bases
It goes without saying that the NRC aims to ensure that nuclear plants are
constructed and operated in a fashion that assures adequate protection of
the public health and safety. The parameters that define the safe operation
of nuclear power plants are derived from a variety of sources, but I will
mention three significant ones. A plant's Final Safety Analysis Report (FSAR),
which is the fundamental document used in licensing the plant, defines the
plant's design bases - essentially, the envelope of conditions under which the
plant's safety systems are able to respond and to bring the plant to a safe
shutdown state without significant damage to the plant or the public. The
plant's Technical Specifications, or Tech Specs, form a part of the license
and define the conditions under which safety systems are considered to be
capable of operating, as well as specifying necessary licensee actions if
and when those systems are not operable. Further, on the regulatory side,
most of the requirements that nuclear power plants must meet can be found
in Part 50 of Title 10 of the Code of Federal Regulations. It is not appropriate
to go through the entire compendium of requirements, but I do want to mention
two of the most essential components. The first is 10 CFR Part 50, Appendix
A, which contains General Design Criteria (or GDCs) for nuclear power plants.
These requirements define a plant's necessary design capabilities at a very
high level. Many of the other regulations in Part 50 cover specific aspects
of plant design that are needed to satisfy the GDCs. The second regulation
is 10 CFR Part 50, Appendix B, which discusses quality assurance requirements,
or QA. The 18 QA criteria in Appendix B define programmatic elements and controls
required for all phases of nuclear plant design, construction, and operation,
including corrective action when deficiencies are identified. Appendix B is
arguably the most powerful of the NRC's regulations, and is the most often
cited for regulatory violations.
The NRC's oversight programs and processes use safety bases, such as those
I have just discussed, in making determinations as to the capability of a
licensee to operate a plant safely. The process has evolved considerably over
the past 20-plus years, with the most far-reaching changes having been introduced
over the last two years. Let me review the way the system used to work, and
then discuss how we have changed and improved it.
Reactor Oversight
The NRC's reactor oversight process as it existed until recently had its
origins in the agency's response to the accident at Three Mile Island. Among
the significant actions taken by the NRC were the stationing of resident inspectors
at every operating power reactor site, and the establishment of an evaluation
process, termed the Systematic Assessment of Licensee Performance, or "SALP."
SALP was largely an inspection-based program, in which the NRC reviewed licensee
performance on a 12- to 24-month cycle in four "functional areas": plant operations,
maintenance, engineering, and plant support. A numerical rating for each area
was determined, and a report was prepared discussing the licensee's performance.
The period between SALP evaluations was based on the licensee's SALP score:
poor performers were rated more frequently, while top plants were assessed
less often. As time went along, two other oversight activities were incorporated
into the process: a semiannual meeting of NRC senior managers, focusing on
plants with poor or declining performance, a product of which was the famous - or,
perhaps infamous - "watch list"; and a semiannual plant performance review,
the purpose of which was to assess overall plant performance and to plan future
inspections.
SALP was developed when there was relatively little operational experience
with nuclear power plants. A governing presumption was that plants were safe
if they were in compliance with NRC regulations. As a result, the focus of
the SALP process was often on compliance, regardless of the safety implications
of a failure to comply. SALP was also the subject of considerable criticism
over the years for a number of other reasons, including:
- Claims that the SALP process was too subjective, too dependent on the
judgment of the inspectors as to whether performance was acceptable;
- Claims that the bases for the numerical scores were, in some cases, obscure,
and the meaning of a particular score was difficult to interpret for both
the licensee and other stakeholders; and
- Claims that the process was largely retrospective, looking at past performance,
and not reflective of the contemporaneous situation. It was asserted that
problems might be cited that had long been corrected, while emergent issues
could be overlooked.
In the mid-1990s, in response to criticism from both inside and outside
NRC and in concert with a decision to move toward a more risk-informed regulatory
philosophy, the agency investigated alternatives to SALP, with the goal of
providing a more objective, timely, and safety-focused process for accomplishing
oversight responsibilities. The result, which we refer to as the Revised Reactor
Oversight Process (or RROP), was implemented on a pilot basis in 1999, and
based on a favorable review by a panel of NRC staff and stakeholder representatives,
was implemented industry-wide in April 2000. I will describe the framework
and the basic elements of the RROP, and the ways in which I believe it improves
the NRC's oversight capabilities. First, however, I should take a few moments
to discuss the NRC's evolution toward a risk-informed regulatory process -
and what "risk-informed" means.
Risk-Informed Regulation
The NRC was a pioneer in the development of a process to help quantify the
risks of nuclear power plant operation by means of probabilistic risk assessment
(or PRA) techniques. Some of you are no doubt familiar with the Reactor Safety
Study sponsored by the NRC in the 1970s and carried out at MIT under Professor
Norman Rasmussen, which represented the first systematic application of PRA
to evaluate nuclear power plant risks. Since that time, the use of PRA has
become widely accepted, and the technology has advanced and matured. At the
same time, the databases on which PRA depends for information on, for example,
equipment failure rates, have expanded as a result of the accumulation of more
than 3000 reactor-years of operating experience around the world. As a result,
the NRC determined in the mid-1990s that quantitative risk assessment was
sufficiently developed to serve as one of the bases for making regulatory
decisions. I need to stress here that risk is not the only criterion used
in this regard, because we recognize that there are still uncertainties associated
with the use of PRA techniques. We continue to use elements of our traditional
approach to regulation, such as the need for defense in depth, as part of
the decision-making process, as well. This is why we refer to risk-informed,
rather than risk-based regulation. As we undertook the development
of such a regulatory philosophy, an obvious focus was to use risk to guide
the oversight process. After much hard work on the part of the NRC staff,
the RROP was born.
The Revised Reactor Oversight Process
(Slide 2) The basic framework of the RROP reflects the NRC's overall safety
mission and the elements of operational safety that support that mission.
As you see at the top of the framework - and as I stated earlier - the NRC's mission
is to protect public health and safety. The next level shows the three strategic
performance areas that support the accomplishment of our mission. Reactor
safety refers to protection against the impacts of reactor accidents. Radiation
safety refers primarily to releases as a result of normal operation, as opposed
to accident-related impacts. And you also see a third area, safeguards. This
reflects a separate, but essential part of the NRC's health and safety mission:
to ensure that special nuclear materials are properly protected from accidental
or deliberate misuse. This latter element is clearly not limited to nuclear
power plant sites, but it is an important aspect of our licensees' responsibilities.
The next level of the framework comprises what we call the seven "cornerstones"
that form the foundation for achieving acceptable safety performance. The
four reactor safety cornerstones reflect the NRC's defense-in-depth approach
to safety: accident prevention and the mitigation of accident consequences,
with an appropriate balance between them. That is, our licensees should strive
to see that accidents do not happen. But we also require the capability to
deal with accidents if they should occur, and to minimize their consequences.
The cornerstones follow logically from the accident mitigation and prevention
functions. Accidents begin with initiating events, which should be minimized.
They are kept from progressing by the action of mitigating systems. If those
systems are unavailable or ineffective, there are engineered barriers that
prevent or hinder the release of radioactive material. Should that material
escape into the environment, emergency preparedness provides the means by
which action is taken to protect members of the public from health impacts
of radiation exposure.
The two cornerstones under radiation safety reflect the NRC's regulatory
limits on both worker exposure and routine releases to the environment. The
last cornerstone, related to safeguards, indicates the need to provide protection
against misuse of nuclear materials.
The last row of the framework is also extremely important. These are called
"cross-cutting areas," and reflect aspects of plant operation that are common
to all of the strategic performance areas and cornerstones. These are human
performance, the establishment and maintenance of a safety-conscious work
environment, and problem identification and resolution. These are elements
of what is broadly referred to as "safety culture." I will come back to that
topic, but let me proceed right now to explain how the RROP framework is actually
implemented.
(Slide 3) This slide is very complicated, but for now, I shall focus on
the bottom half, which shows the two means of assessing licensee performance:
performance indicators and inspections. Recall that the goals in developing
this new process were to provide a more objective, timely, and scrutable means
for assessing licensee performance, as well as to improve the focus on issues
of true risk-significance. The issue of objectivity has been addressed by
establishing performance indicators for each of the seven cornerstones. These
indicators are quantitative measures of system performance, such as safety
system functional failures, or, in some cases, programmatic performance, such
as emergency preparedness drill participation. To augment the performance
indicators and to assess performance and programmatic areas for which a quantitative
assessment is not practical, we still conduct inspections. However, the inspection
program has been revised to focus on risk-significant issues, and a baseline
program has been established for all power plant licensees.
Once the performance indicators and inspection findings have been compiled,
their risk-significance must be assessed. For performance indicators, the
numerical values are compared to established thresholds. Inspection findings
are evaluated by means of a significance determination process (or SDP), in
which simplified risk models are used to assess the safety-significance of
each finding. The simplified risk models are, in essence, very generalized
PRAs.
The goals of timeliness and scrutability are served by the reporting process.
Inspection and performance indicator assessments are reported quarterly, and
the results in each area are color-coded, corresponding to the safety-significance
determined in the evaluation process. The next slide illustrates how the information
is displayed, with respect to the performance indicators for each cornerstone.
(Slide 4) This is taken from our website. A "green" finding or performance
indicator indicates very low safety significance. White is the first threshold,
and that color indicates low-to-moderate safety significance. Yellow is the
next threshold, representing substantial safety significance. High safety
significance is indicated by a red performance indicator or inspection finding.
The final step of the assessment process is to evaluate the results to determine
necessary NRC follow-up activities. This is done by means of our "action matrix"
(Slide 5). From the left to the right across the top are the results, increasing
in the level of safety significance. The rows correspond to agency and licensee
actions and communications. This matrix guides the disposition of performance
indicator findings and the results of the NRC's inspection activities. An
"all green" report means that findings are referred back to the licensee for
corrective action, and the subsequent inspection effort will be at the baseline
level. Degradation in safety performance, as indicated by white, yellow, or
red findings, results in increasing levels of NRC oversight in the disposition
of findings and increased inspection effort. The action matrix also indicates
how the agency is to communicate its findings to the licensee and to the public.
As I indicated, the results of the RROP performance assessment determine
how the NRC will conduct inspections at a plant. All plants get at least the
baseline inspection effort, while supplemental inspections may be included
to respond to degradations in safety performance. This permits us to schedule
our inspection activities in advance, and to inform licensees about those
activities. Inspections are planned 12 months ahead for all plants, and are
adjusted every 6 months as determined by the results of quarterly assessments.
Once a year, NRC senior managers meet to discuss the results of plant assessments,
in what is called the Agency Action Review. In addition, the NRC holds public
meetings at plant sites to discuss licensee performance. SDP results are also
used as an input to the NRC's enforcement process, to ensure that enforcement
actions are consistent with the safety significance of regulatory non-compliance.
The RROP has been in operation for all power plant licensees for a little
more than 18 months, and the initial indications are that it has been extremely
successful in accomplishing most of its goals. This is not only the NRC's
conclusion; feedback from our licensees and stakeholders has been largely
positive, as well. Under the new process, our assessments are more timely
and the color-coded results are much easier to understand than was the case
with the old SALP numerical scores. Performance indicators increase the objectivity
of the agency's findings and there is a clear connection between the overall
performance assessment and the commitment of NRC inspection resources and
the enforcement process.
There are still some bumps in the road that must be resolved, and improvements
that we can make to the process. For example, we are studying other performance
indicators to see if we can establish an even better connection to risk. We
also seek performance indicators that will help predict emergent problems,
and thereby permit their avoidance, rather than confirm existing problems.
We are also working to improve the risk assessment tools used in the SDP.
It seems clear at this juncture, however, that the RROP has been a change
for the better from nearly every perspective.
As I indicated in my introductory comments, we are also moving forward in
developing a risk-informed oversight process for our materials licensees.
In terms of day-to-day operations, many of the facilities in the DOE complex
are similar to some of our major materials licensees, such as fuel material
conversion and fabrication establishments, and thus our activities in this
area may be of particular interest to this audience. The NRC is using insights
derived from the RROP to help develop a similar materials oversight process.
For example, we are evaluating the type of performance indicators that would
be most useful and appropriate in assessing materials-related operations.
We are also examining methods for making inspections more risk-informed and
for evaluating the safety significance of inspection findings.
Moreover, in 2000, the NRC established risk-informed requirements for materials
licensees who are authorized to possess more than a critical mass of special
nuclear materials, including operators of enrichment, conversion, and fabrication
facilities. An important element of that program is a requirement for an integrated
safety assessment (or ISA), which in a broad sense is the analog of a PRA
for a reactor. The guidelines for ISAs, which are in 10 CFR 70.61 and 70.62,
include consideration of both chemical and radiological hazards, identification
of potential accident sequences initiated by both internal and external events,
and evaluation of the likelihood and consequences - in other words, the risk
- of the identified accident sequences. Just as reactor PRAs provide a basis
for assessing the risk significance of inspection findings in the RROP, I
anticipate that the ISAs would help establish a similar foundation for materials
licensees. While this effort is still in its early stages, I am hopeful that
it will serve as a basis for broadening the focus of the NRC's initiatives
in risk-informed regulation and for realizing improved safety performance
on the part of our materials licensees.
Safety Culture
Let me now return to an aspect of the RROP that I covered swiftly in my
summary - the "cross-cutting" areas in the RROP. Recall that these included
human performance, a safety-conscious work environment, and problem identification
and resolution. These are all elements of what is referred to today as "safety
culture." The NRC believes that the development of a strong safety culture
is an indispensable part of a licensee's operational effort, and that many
breakdowns in safety performance can be traced to failures in this area. Moreover,
based on the information that I have seen on ISM, I believe that there is
a clear connection between safety culture and successful implementation of
ISM.
Although safety culture is a broad concept, there is general agreement as
to its basic elements. These include management emphasis on safety as the
highest priority; training for all staff, at all levels, to ensure that each
employee understands his or her responsibilities for ensuring safe operations;
conservative, safety-conscious decisionmaking; a philosophy of continuous
improvement, including critical self-assessment and a questioning attitude;
and in the event that problems do arise, a willingness to address problems
promptly and effectively. As I look at the guiding principles and core functions
of ISM, such as line management responsibility for safety, clear roles and
responsibilities, balanced priorities with an emphasis on safety, and a need
for continuous improvement, I believe that most of the elements of safety
culture are either explicitly or implicitly being addressed.
Another aspect of ISM, as I understand it, is its close connection to quality
assurance. Recall that I mentioned the broad reach of our QA rules in 10 CFR
50, Appendix B. In my view, quality assurance in this context should be seen
as a system for ensuring good engineering practice. Among its 18 QA criteria,
Appendix B addresses management involvement; training; use of documented procedures;
appropriate controls for materials, equipment, and processes; and effective
corrective action. It seems clear that a strong safety culture is an essential
element in the implementation of an effective integrated safety management
program, and that a rigorous QA program can help provide the structure for
such a program.
Conclusion
Let me conclude by saying that I hope that the NRC's experiences in implementing
a risk-informed safety oversight program can be useful to DOE and its contractors
in further development and application of ISM. While putting such a program
in place is not easy, I am confident that the end result will be improved,
safety-focused operations across the DOE complex.
Thank you.