Review of the Directorate of Security and Safeguards Inspection Processes

Table of contents

Executive summary

The Canadian Nuclear Safety Commission (CNSC) has a mandate, under the Nuclear Safety and Control Act (NSCA), to regulate all nuclear facilities and nuclear-related activities in Canada. Licensing and certification activities are in place to evaluate licence applications and issue licences to those who demonstrate that they are qualified, and to certify persons and prescribed equipment involved in nuclear-related activities.

The Technical Support Branch (TSB) provides leadership and specialized expertise in the areas of nuclear science and engineering, safety analysis, safety management, human factors, personnel training and certification, environmental and radiation protection, security, nuclear emergency management, safeguards, and nuclear non-proliferation. The TSB consists of four directorates: the Directorate of Environmental and Radiation Protection and Assessment (DERPA), the Directorate of Safety Management (DSM), the Directorate of Assessment and Analysis (DAA), and the Directorate of Security and Safeguards (DSS).

DSS provides leadership and technical expertise in developing, implementing and maintaining corporate programs in the fields of security, safeguards, nuclear non-proliferation (including export and import controls) and nuclear emergency management. The directorate is composed of the following four divisions:

  • Nuclear Security Division (NSD)
  • International Safeguards Division (ISD)
  • Non-Proliferation and Export Controls Division (NPECD)
  • Emergency Management Programs Division (EMPD)

The objective of this review was to determine whether DSS had adequate inspection processes and procedures in place to cover each of the five recommendations outlined in the 2016 Office of the Auditor General (OAG) Audit Report on inspection processes (see more details in appendix A: “Findings and recommendations of the 2016 OAG Audit Report” and appendix B: “Review lines of enquiry and criteria”).

The review report includes five recommendations aimed at addressing the areas of improvements noted in appendix C: “2019 Review Recommendations and Management Action Plans”. The review concluded the following:

  • NSD, ISD and EMPD had adequate planning processes in place for the purpose of their inspections. There is opportunity to improve NPECD’s planning process to ensure that it is systematic and risk-informed and includes the minimum required frequency and type of inspections. 
  • No improvement is required to detailed criteria that identify when to conduct Type I inspections.
  • All four DSS divisions followed established procedures to conduct their inspections. An improvement is needed for DSS to update ISD’s inspection procedures. Opportunities exist for all four DSS divisions to communicate the guidance on the retention of records with their inspectors.
  • Lessons-learned exercises were not systematically conducted and the results were not documented by DSS inspectors. In cases where lessons learned were documented by the lead inspectors from the Regulatory Operations Branch (ROB), these lessons were not readily accessible to DSS inspectors. There is opportunity to improve DSS procedures to ensure lessons learned are documented and shared.
  • NPECD met its established service standards for the issuance of final inspection reports, and ISD met its established service standards for the issuance of evaluation forms to the licensees. Improvements are needed for NSD and EMPD’s processes to clarify the roles and responsibilities with ROB as they relate to the preparation of final inspection reports.

Management has agreed with the recommendations and provided a response indicating their commitment to take action (appendix C).

1. Introduction

1.1 Background

OAG 2016 Fall Report

In 2016, the Office of the Auditor General issued the 2016 Fall Reports of the Commissioner of the Environment and Sustainable Development – Report 1—Inspection of Nuclear Power Plants—Canadian Nuclear Safety Commission (the “OAG Audit Report”).

The OAG Audit Report focused on whether the CNSC had adequately managed its site inspections of Canadian nuclear power plants to verify that the environment and the health, safety and security of Canadians were protected.

The OAG Audit Report included five recommendations in relation to planning inspections, conducting inspections and reporting on inspection results (see appendix A for the details of the OAG report findings and recommendations). The CNSC agreed with each of the five recommendations and provided a response detailing the actions that the CNSC had taken or intended to take to address the findings.

In addition, the CNSC President directed all directorates that conduct inspections (that is, including directorates that were not in the scope of the OAG Audit) to address the OAG Audit Report recommendations as they relate to their respective inspection processes.

Directorate of Security and Safeguards (DSS)

DSS provides leadership and technical expertise in developing, implementing and maintaining corporate programs in the fields of security, safeguards, nuclear non-proliferation (including export and import controls) and nuclear emergency management. DSS performs inspections and compliance activities at a wide variety of licensee facilities (mines, conversion facilities, fuel fabrication facilities, reactors, waste management facilities, research and development facilities, laboratories, industrial users, etc.). Each of the four DSS divisions contributes unique expertise to the overall achievement of the directorate’s goals, as described below. DSS performs these inspections and compliance activities at the facilities under the Directorate of Nuclear Cycle and Facilities Regulation (DNCFR), the Directorate of Nuclear Substance Regulation (DNSR) and the Directorate of Power Reactor Regulation (DPRR).

Nuclear Security Division (NSD)

NSD conducts security compliance inspections and evaluations in all areas of physical protection and nuclear security at nuclear facilities and for nuclear materials. Part of NSD’s compliance verification is the Performance Testing Program. NSD provides the expertise necessary to carry out elements of the nuclear security regulatory function by participating in inspections led by ROB inspectors from DNCFR, DPRR and DNSR.

International Safeguards Division (ISD)

ISD is responsible for the implementation of the safeguards agreements between Canada and the International Atomic Energy Agency (IAEA) by providing, among other things, information on and access to nuclear material and activities to the IAEA. ISD also performs desktop reviews of licensee programs and procedures, conducts independent compliance inspections, participates in IAEA-led safeguards inspections, and evaluates the licensees’ operational, design and nuclear material accountancy information. As such, ISD leads its own inspection activities and also supports IAEA-led inspection activities. Since FY 2018–19, ISD has begun participating in inspections led by other directorates.

Non-Proliferation and Export Controls Division (NPECD)

NPECD assesses applications, issues licences, implements control measures and verifies compliance for the export and import of nuclear material and nuclear-related dual-use substances, equipment and technology, and risk-significant radioactive sources. NPECD’s responsibilities fall under the NSCA and the regulations made under the Act, as well as the IAEA’s Code of Conduct on the Safety and Security of Radioactive Sources and its supplementary Guidance on the Import and Export of Radioactive Sources. In this capacity, NPECD leads its own inspection activities and establishes its own inspection processes and procedures based on the CNSC’s inspection procedures.

Emergency Management Programs Division (EMPD)

EMPD conducts emergency preparedness and fire response inspections and evaluations as part of licensing and compliance activities of licensee nuclear emergency programs in accordance with the Class I Nuclear Facilities Regulations and guidance document. These inspections are conducted in support of DNCFR and DPRR inspection activities.

1.2 Authority

The review was conducted under the authority of the approved CNSC’s Risk-Based Audit Plan (RBAP) for 2018–19 to 2020–21, which included an audit of the DSS inspection processes. In subsequent discussions with senior management, it was decided that a reviewFootnote 1 of the DSS inspection processes would be more appropriate and valuable to management than an audit.

1.3 Objective and scope

The objective of this review was to determine whether DSS inspection processes and procedures are in place to cover each of the five recommendations outlined in the OAG Audit Report on CNSC inspection processes. The review lines of inquiry and criteria are set out in detail in appendix B. Specifically, the review assessed whether:

  • DSS has developed or integrated a systematic, risk-informed and well-documented planning process for inspections
  • DSS has developed or integrated detailed criteria to identify when to conduct Type I inspections
  • DSS inspectors followed their procedures
  • DSS has documented and/or participated in lessons learned in carrying out inspections and the lessons learned are accessible to its management and staff
  • DSS has participated in and/or issued timely final inspection reports

The scope of this review examined inspection processes within all four DSS divisions. The review required other branches’ documentation including ROB (DPRR, DNSR and DNCFR). The review assessed one full year of DSS inspections by looking at the data from FY 2017–18.

1.4 Methodology

The review was planned and performed in accordance with the requirements of the Treasury Board’s Policy on Internal Audit and Directive on Internal Audit, which together provide mandatory procedures for internal auditing in the Government of Canada.

The review was conducted in order to obtain a limited level of assurance that the review objective was adequately assessed. The review team performed the following procedures:

  • conducted interviews with management and staff
  • reviewed and analyzed documentation related to the five recommendations from the OAG Audit Report
  • assessed and analyzed the inspection data available for FY 2017–18

1.5 Statement of conformance

The review was conducted in accordance with the Internal Auditing Standards for the Government of Canada, which includes the Institute of Internal Auditors (IIA) International Standards for the Professional Practice of Internal Auditing as supported by the results of the quality assurance and improvement program of the CNSC’s Office of Audit and Ethics (OAE).

The review procedures have been followed to support the accuracy of the findings and conclusions in this report while providing a limited level of assurance.

1.6 Acknowledgement

The review team would like to acknowledge and thank management and staff for their support throughout the conduct of this review.

2. Observations and recommendations

2.1 Line of inquiry 1 – Planning inspections

Criterion 1.1

The CNSC inspection processes, including DSS inspection processes, should include systematic and risk-informed/risk-based well-documented planning processes including the minimum required frequency and type of inspections. (Ref: 2016 OAG Audit Report paragraphs 1.33, 1.21 and 1.32)

Observations

Note: These observations address both sub-criteria 1.1.1 and 1.1.2.

NSD

NSD participated in planning processes led by ROB (DPRR, DNSR and DNCFR). NSD contributed in developing and implementing the CNSC inspection process plan “Power Reactor Regulatory Program (PRRP) Annual Compliance Planning” in September 2016. The plan described the actions taken to establish a risk-informed list of approved compliance activities for FY 2017–18. In addition, NSD participated in developing and implementing the CNSC inspection plan strategy “PRRP Compliance Verification Strategy” in December 2016. The document described the high-level strategic process used by the CNSC to establish a risk-informed Baseline Compliance Plan and Reactive Compliance Plan for nuclear power plants (NPPs), starting in FY 2018–19. NSD also participated in developing and implementing the CNSC inspection annual plan “FY 2017–18 Power Reactor Regulatory Program Annual Compliance Verification Plan” in May 2017. The annual plan described the minimum required frequency and type of inspections.

The review noted the absence of a CNSC nuclear security policy. It would be a good practice for the CNSC to develop and implement a policy to clearly establish the management framework over nuclear security activities, roles and responsibilities, and coordination mechanisms between DSS and other directorates (that is, DNCFR, DPRR and DNSR). NSD noted its plans to develop such a policy by December 2019.

ISD

ISD’s inspections in FY 2017–18 were limited to performing physical inventory taking evaluations of certain licensees in the absence of IAEA physical inventory verifications, and to facilitating IAEA-led inspections; therefore, ISD did not require a risk-based inspection planning process. ISD had a planning document in place for FY 2017–18, which included frequency and type of inspections for FY 2017–18.

NPECD

NPECD’s planning process was set out in the “Assure Compliance Process – Import and Export Licensing” document. This planning process makes reference to the 2012 CNSC “Make a Risk Informed Regulatory Decision” document, which was the basis for NPECD’s risk assessment tracking sheet for FY 2017–18. However, the NPECD planning process was not complete and specific enough to constitute a systematic and risk-informed process specific to NPECD inspections, including the identification of the minimum required frequency and type of inspections.

EMPD

EMPD’s inspectors (subject matter experts) followed the DPRR planning process and procedures in FY 2017–18 in order to support DPRR inspections. EMPD used DPRR’s 2016 planning process “Power Reactor Regulatory Program (PRRP) Annual Compliance Planning”, which described the actions taken to establish a risk-informed process and provided a list of approved compliance activities for FY 2017–18. EMPD also followed DPRR’s annual plan “FY2017–18 Power Reactor Regulatory Program Annual Compliance Verification Plan”, which was approved in October 2016 between DPRR and DSS. There was no planning process in place between EMPD and DNCFR for FY 2017–18. Therefore, EMPD and DNCFR finalized a planning process for the Nuclear Fuel Cycle and Research Reactors Program in February 2019 to ensure an adequate, consistent and risk-informed approach to compliance activities.

Conclusion

NSD, ISD and EMPD adequately implemented a systematic, risk-informed and well-documented inspection planning process. The review found that NPECD’s inspection planning process could be improved to ensure it is systematic and risk-informed, and includes the required frequency and type of inspections.

Recommendation #1
OAE recommendation
  1. DSS (NPECD) should revisit its planning process to update and implement a risk-informed/risk-based methodology that describes the minimum required frequency and type of inspections needed for NPECD to ensure compliance. The planning process should systematically describe NPECD’s annual risk assessment.
  2. Once the planning process is finalized and approved, it should be clearly communicated with NPECD’s inspectors and staff.
Management response and action plan

Management agrees.

  1. NPECD’s “Assure Compliance Process – Import and Export Licensing” document will be revised to incorporate a risk-informed/risk-based methodology and describe NPECD’s annual risk assessment and planning process. The document will address the minimum required frequency and type of inspections needed for NPECD to ensure compliance.
  2. Once the planning process is finalized and approved, it will be clearly communicated with NPECD’s inspectors and staff.

Target date for completion: March 31, 2020

Criterion 1.2

The CNSC inspection processes, including DSS processes, should include detailed criteria to identify when to conduct Type I inspections. (Ref: 2016 OAG Audit Report paragraphs 1.33, 1.21, 1.32, 1.35 and 1.34)

Observations
NSD and EMPD

NSD and EMPD did not participate in conducting Type I inspections in FY 2017–18. NSD and EMPD could be called to support DPRR, DNCFR and DNSR as required for Type I inspections, and NSD and EMPD would follow the CNSC procedures to assist with Type I inspections when required.

ISD and NPECD

ISD and NPECD inspection activities do not fall under the CNSC compliance activities category to perform Type I inspections; therefore, ISD and NPECD do not lead or participate in Type I inspections. There is no requirement for these divisions to have detailed criteria to identify when to conduct Type I inspections.

Conclusion

NSD and EMPD, the two DSS divisions that could be called upon to support DPRR, DNCFR and DNSR for Type I inspections, would follow CNSC detailed criteria for identifying when to conduct Type I inspections. ISD and NPECD inspection activities do not fall under the CNSC compliance activities category to perform Type I inspection. No recommendation is required.

2.2 Line of inquiry 2 – Conducting inspections

Criterion 2.1

DSS should ensure that its inspections follow the procedures. (Ref: 2016 OAG Audit Report paragraphs 1.48, 1.43 and 1.47)

Sub-criterion 2.1.1 – DSS should develop and implement inspection guides for each inspection beforehand, which set out the key steps and criteria.

Observations
NSD

NSD conducts its inspections in collaboration with and following the procedures of DNSR, DNCFR and DPRR. All security inspection guides, checklists and/or templates were completed and approved for the NSD inspections conducted in FY 2017–18.

ISD

Although ISD used its own procedures as guides and/or checklists to perform inspections in FY 2017–18, these procedures have not been updated since their development in FY 2010–11 and have not been approved by the appropriate authority, in this case the Director.

NPECD

NPECD developed and approved the “NPECD Procedure: Conduct of Inspections – Controlled Nuclear Substances, Equipment and Information” in 2016. This procedure includes responsibilities and tasks that the inspectors should perform, as well as inspection templates and requirements for retaining inspection records. NPECD developed and approved its “On-the-Job Training (OJT) Guide” in 2017 to provide NPECD inspectors with a standardized approach to conduct inspections.

EMPD

EMPD used DPRR’s approved inspection guide and DNCFR’s inspection templates to perform its inspections in FY 2017–18.

Conclusion

NSD and EMPD completed inspection guides, checklists and/or templates for all inspections conducted in FY 2017–18. ISD’s inspection procedures require updates and director-level approval. NPECD followed inspection procedures as well as its “On-the-Job Training (OJT) Guide” for conducting inspections during FY 2017–18.

Recommendation #2
OAE recommendation
  1. DSS (ISD) should update and implement revised procedures.
  2. Once the procedures have been updated and approved, they should be clearly communicated with ISD inspectors and staff.
Management response and action plan

Management agrees.

  1. ISD has drafted a work instruction document, “How to Plan, Prepare for, Perform and Close out IAEA Inspections, Complementary Access visits and CNSC Physical Inventory Taking Evaluation” to update and modernize its current inspection procedures. The document will be reviewed by staff and approved by the Director.
  2. Once approved, the work instruction will be communicated clearly with ISD inspectors and staff. 

In addition, since FY 2017–18, ISD has worked with the responsible regulatory program division to develop a field inspection guide (FIG) for inspections at power reactors. As of FY 2018–19, the FIG has been approved, used to support in-field activities and updated to capture experience gained.

Target date for completion: March 31, 2020.

Sub-criterion 2.1.2 – DSS should clearly communicate with staff on which inspection records should be considered transitory and which inspection records should be retained after the inspection reports are issued.

Observations
NSD, ISD and EMPD

NSD, ISD and EMPD inspectors were not aware of any guidance on which inspection records should be considered transitory and which inspection records should be retained, and for how long, after the inspection reports are issued.

The review noted that inspection records are not kept in a centralized location to allow for easy access and retrieval. Due to the sensitivity of the information in NSD, the NSD records are either kept on CNSC-encrypted USB drives, in CNSC-secured cabinets, or sent to the CNSC Records Office. This created a challenge for the review team to obtain the information required for the review. NSD inspectors explained that recording inspection records is challenging due to the lack of a secure network. It is important that NSD implement secure and effective tracking and storing systems for its inspection records, in order to access and retrieve inspection records in a timely manner. NSD noted that the CNSC has launched an initiative to install a Government of Canada Secret Infrastructure (GCSI) at the CNSC’s headquarters and satellite offices. The addition of this secured network will ease the ability to communicate classified information within the CNSC.

NPECD

Although NPECD’s procedures referred to the “Guidance on Retention of Inspection Notes”, as found in the “CNSC Process of Conducting an Inspection”, NPECD inspectors were not aware of the content of this retention guidance.

Conclusion

Opportunities exist for all four DSS divisions to communicate the guidance on retention with their inspectors.

Recommendation #3
OAE recommendation
  1. DSS should adapt the CNSC’s existing retention guide for each one of its divisions.
  2. Once the retention guides are approved, they should be clearly communicated with DSS inspectors and staff.
Management response and action plan

Management agrees.

a.1) ISD, EMPD and NPECD follow the CNSC’s internal guidance with respect to the retention of inspection notes from the “Conducting an Inspection” process document approved in April 2019. As recommended in the process document, NSD, ISD and EMPD will incorporate this guidance into its inspection procedures.

a.2) NSD will review the current record retention guide to ensure there is no deviation in how classified information is to be retained. If required, record retention procedures for sensitive information will be developed in collaboration with ROB directorates, to ensure compliance with the CNSC Management System and Information Security Directive.

b) All DSS divisions will clearly communicate such guidance with its inspectors and staff.

Target date for completion: March 31, 2020

Criterion 2.2

DSS should document and/or participate in lessons learned in carrying out inspections and the lessons learned should be accessible to its management and staff. (Ref: 2016 OAG Audit Report paragraphs 1.50 and 1.49)

Observations

Note: These observations address both sub-criteria 2.2.1 and 2.2.2.

NSD

NSD discussed lessons learned during post-inspection meetings with DPRR, DNCFR and DNSR inspectors in FY 2017–18. Although DPRR, DNCFR and DNSR inspectors documented lessons learned after the meetings, NSD inspectors did not have direct access to the lessons-learned documents to ensure that their input was captured and available to them to inform future inspections.

ISD

ISD’s inspection procedures did not provide a clear definition of lessons learned, and it was found that ISD’s “recommendations” following an inspection are often mistaken for being lessons learned.

NPECD

Although NPECD discussed lessons learned in its inspector meetings, it did not document its lessons learned for FY 2017–18.

EMPD

EMPD inspectors participated in lessons-learned meetings and discussed the lessons learned with DPRR and DNCFR inspectors. The lessons learned were documented by the site inspectors. However, EMPD did not have direct access to the final lessons learned in FY 2017–18.

Conclusion

NSD and EMPD did not have direct access to the lessons learned documented by site inspectors for inspections conducted during FY 2017–18. ISD’s inspection procedures did not provide a clear definition of lessons learned, and lessons learned were not documented by ISD inspectors in FY 2017–18. NPECD did not document lessons learned for inspections conducted in FY 2017–18. There are opportunities for improvement throughout DSS to ensure inspectors’ participation in documenting lessons learned and to ensure these lessons are accessible to management and staff.

Recommendation #4:
OAE recommendation
  1. DSS (NSD and EMPD) should collaborate with DPRR, DNCFR and DNSR to improve how the lead inspector shares the lessons learned once they are finalized (as appropriate in a secure format). This will allow NSD and EMPD inspectors to easily access the lessons learned. Once the procedures are approved, they should be clearly communicated with NSD and EMPD inspectors.
  2. DSS (ISD and NPECD) should develop and implement a lessons-learned process including a clear definition of lessons learned. Once the lessons-learned guide is developed, it should be clearly communicated with ISD and NPECD inspectors.
Management response and action plan

Management agrees.

  1. NSD and EMPD will review the approved process document titled “Conducting an Inspection” to determine if improvements are needed. If required, amended lessons-learned procedures will be brought to DPRR, DNCFR and DNSR to determine the best approach for incorporating the changes, using the multi-key system.
  2. ISD and NPECD will develop and implement lessons-learned processes – aligned with the “Conducting an Inspection” process document – including a clear definition of lessons learned, for their respective inspection processes, and communicate these with their inspectors and staff.

In addition, ISD will also create an internal forum for discussing the lessons learned from CNSC- and IAEA-led inspections and will collect these items and incorporate them into the appropriate internal procedures and work instructions. NPECD has created a template for documenting lessons learned, and this is to be used with the next NPECD inspection.

Target date for completion: August 31, 2020

2.3 Line of inquiry 3 – Reporting inspections

Criterion 3.1

DSS should participate in and/or issue timely final inspection reports. (Ref: 2016 OAG Audit Report paragraphs 1.61 and 1.60)

Observations
NSD

NSD prepared security inspection reports immediately after the inspection guides, checklists and/or templates were completed. NSD established a joint protocol with DNSR in 2016 titled “Roles and Responsibilities for the Application of REGDOC 2.12.3 – Security of Nuclear Substances: Sealed Sources by DNSR and NSD Staff”. The protocol clearly outlined the agreed-upon responsibilities between NSD and DNSR’s divisions including the Operations Inspection Division (OID) and the Accelerators and Class II Facilities Division (ACFD). The protocol provided a list of tools such as forms, templates, checklists and criteria to be used in conducting inspections. However, the unclear roles and responsibilities between NSD and DPRR, and NSD and DNCFR, created uncertainty with respect to final inspection reports (for example, who is responsible for reporting the findings, what should be included in the inspection reports, and how the inspection reports should be finalized).

ISD

Although ISD established and met a seven-day service standard for the issuance of evaluation forms to the licensees after the inspections (physical inventory taking evaluations), it would be a good practice for ISD to develop and implement a service standard for the issuance of final reports.

NPECD

NPECD established a 30-day service standard for the issuance of final inspection reports in its annual inspection plan. All inspections conducted in FY 2017–18 met this service standard, with only one exception for which there was a reasonable justification on file for the delay.

EMPD

EMPD followed the service standard in the DPRR and DNCFR planning processes and procedures. Although the service standard has been followed and the 2017–18 reports were issued within the timeframe, the DPRR and DNCFR inspection processes and procedures were not clear as to who was responsible for writing the inspection report when EMPD’s subject matter experts were participating in inspections.

Conclusion

Although NSD and EMPD followed DPRR, DNCFR and DNSR’s inspection processes, the roles and responsibilities for both NSD and EMPD are not clearly defined with regard to DPRR and DNCFR inspections. This has created uncertainty with respect to producing the final inspection reports. ISD established and met a seven-day service standard for the issuance of evaluation forms to the licensees after the inspections (physical inventory taking evaluations). NPECD has established a 30-day service standard for the issuance of final inspection reports, and this standard was met for inspections conducted in FY 2017–18.

Recommendation #5
OAE recommendation

DSS (NSD and EMPD) in collaboration with DNCFR and DPRR should clarify roles and responsibilities, as they relate to preparing and issuing final inspection reports. Once the procedures are approved, they should be clearly communicated with NSD and EMPD inspectors and staff.

Management response and action plan

Management agrees.

  1. NSD and EMPD will review the approved process document titled “Conducting an Inspection” and the approved NSD procedures to determine if improvements are needed. If required, amended language on roles and responsibilities will be brought to DPRR, DNCFR and DNSR to determine the best approach for incorporating the changes, using the multi-key system.
  2. NSD will develop clear text to be incorporated into existing CNSC management system documents to capture roles and responsibilities of CNSC staff who conduct security compliance inspections. Working groups will be established to define roles, responsibilities and a clear process on how regulatory issues are dispositioned with DPRR, DNCFR and DNSR.

Target date for completion: August 31, 2020

3. Overall conclusion

Overall, DSS has adequate processes in place, or relies on appropriate processes from lead inspectors from DPRR, DNCFR and DNSR, to plan and conduct its inspections. For the most part, the inspection planning processes used by DSS are systematic and risk-informed. However, the review identified opportunities for improvement with respect to NPECD’s planning process to ensure that it is systematic and risk-informed, and includes the required frequency and type of inspections.

NSD and EMPD implemented detailed CNSC criteria for identifying when to conduct Type I inspections. ISD and NPECD inspection activities do not fall under the CNSC compliance activities category to perform Type I inspection.

Once inspections are planned, DSS inspections are carried out in line with established procedures. Improvements are required for DSS to update ISD’s inspection procedures. Opportunities exist for all four DSS divisions to incorporate CNSC guidance on the retention of inspection files into their processes and to communicate this guidance with their inspectors.

Lessons learned are not systematically documented by DSS inspectors. Even in cases where lessons learned are documented by lead inspectors from DPRR, DNCFR and DNSR, the lessons learned are not readily accessible to DSS inspectors and staff.

Improvements are required for NSD and EMPD to clarify roles and responsibilities with DPRR, DNCFR and DNSR as they relate to preparing final inspection reports. ISD met its established service standards for the issuance of evaluation forms to the licensees. NPECD has established its service standards for the issuance of final inspection reports.

The review report includes five recommendations aimed at addressing the areas of improvements noted above. Management agrees with the recommendations and its response indicates its commitment to take action.

Appendix A: Findings and recommendations of the 2016 OAG Audit Report

The following table is an extract from the findings and recommendations in the OAG Audit Report. The numbers in the table indicate the paragraph where each recommendation appears in the report.

Findings Recommendations

Planning inspections

The Canadian Nuclear Safety Commission could not show that it had an adequate, systematic, risk-informed process for planning site inspections at nuclear power plants.

1.33 The Canadian Nuclear Safety Commission should develop and implement a well-documented planning process for site inspections of nuclear power plants that can demonstrate that the process is systematic and risk-informed. This should include determining the minimum required frequency and type of inspections needed to verify compliance, updating the five-year baseline inspection plan, and assessing whether it is assigning the appropriate number and levels of staff to carry out the number of inspections required to verify compliance.
1.35 The Canadian Nuclear Safety Commission should develop detailed criteria to help it identify when to conduct Type I inspections.

Conducting inspections

The Canadian Nuclear Safety Commission did not always follow its own inspection procedures.

1.48 The Canadian Nuclear Safety Commission should ensure that its inspections follow its own procedures. This requires that it develop approved inspection guides with appropriate criteria before conducting inspections to assess that nuclear power plants are complying with applicable regulatory and licence requirements. The Canadian Nuclear Safety Commission should also clearly explain to its staff how to decide which documents should be considered transitory and which documents should be retained after they issue inspection reports.
1.50 The Canadian Nuclear Safety Commission should ensure that it documents lessons learned in carrying out its inspections, to help it make continuous improvements to its inspection practices.

Enforcing compliance with regulatory and licence requirements

The Canadian Nuclear Safety Commission followed up to confirm that nuclear power plants corrected compliance violations it identified, but did not always issue final reports on time.

1.61 The Canadian Nuclear Safety Commission should determine why it does not issue timely final inspection reports and decide whether it needs to make any changes to its processes or standards.

Appendix B: 2019 review lines of inquiry and criteria

The Office of Audit and Ethics based the lines of inquiry and criteria on the OAG Audit Report recommendations.

Line of inquiry 1 – Planning inspections
Review criteria Review sub-criteria

1.1  The CNSC inspection processes, including DSS processes, should include systematic and risk-informed/risk-basedFootnote * well-documented planning processes including the minimum required frequency and type of inspections. (Ref: 2016 OAG Audit Report paragraphs 1.33, 1.21 and 1.32)

1.1.1  DSS should implement a well-documented CNSC planning process and the plan demonstrates a systematic and risk-informed-process.
1.1.2  DSS planning process should demonstrate the minimum required frequency and type of inspections needed to verify compliance.
1.2  The CNSC inspection processes, including DSS processes, should include detailed criteria to identify when to conduct Type I inspections. (Ref: 2016 OAG Audit Report paragraphs 1.33, 1.21, 1.32, 1.35 and 1.34)

1.2.1  DSS should implement CNSC detailed criteria to help it identify when to conduct Type I inspections.

Line of inquiry 2 – Conducting inspections
Review criteria Review sub-criteria

2.1  DSS should ensure that its inspections follow the procedures. (Ref: 2016 OAG Audit Report paragraphs 1.48, 1.43 and 1.47)

2.1.1  DSS should develop and implement inspection guides for each inspection beforehand, which set out the key steps and criteria.

2.1.2  DSS should clearly communicate with staff:

  • which inspection records should be considered transitory
  • which inspection records should be retained after the inspection reports are issued
2.2  DSS should document and/or participate in lessons learned in carrying out inspections and the lessons learned should be accessible to its management and staff. (Ref: 2016 OAG Audit Report paragraphs 1.50 and 1.49)

2.2.1  DSS should document lessons learned in carrying out its inspections to help it make continuous improvement to its inspection practices.

2.2.2  DSS management and staff should have access to the lessons learned carried out after completing inspections.

Line of inquiry 3 – Reporting Inspections
Review criteria Review sub-criteria
3.1  DSS should participate in and/or issue timely final inspection reports. (Ref: 2016 OAG Audit Report paragraphs 1.61 and 1.60) 2.2.3  DSS should document and/or participate in documenting inspections in final inspection reports in a timely manner to address the safety and control issues noted during an inspection.

Appendix C: 2019 review recommendations and Management Action Plan

Planning inspections
OAE Recommendation DSS Management Action Plan (MAP) Target completion date

Criterion 1.1 - Recommendation #1

  1. DSS (NPECD) should revisit its planning process to update and implement a risk-informed/risk-based methodology that describes the minimum required frequency and type of inspections needed for NPECD to ensure compliance. The planning process should systematically describe NPECD’s annual risk assessment.
  2. Once the planning process is finalized and approved, it should be clearly communicated with NPECD’s inspectors and staff.

Management agrees.

  1. NPECD’s “Assure Compliance Process – Import and Export Licensing” document will be revised to incorporate a risk-informed/risk-based methodology and describe NPECD’s annual risk assessment and planning process. The document will address the minimum required frequency and type of inspections needed for NPECD to ensure compliance.
  2. Once the planning process is finalized and approved, it will be clearly communicated with NPECD’s inspectors and staff.
March 31, 2020
Criterion 1.2 - Recommendation # NA NA NA
Conducting Inspections
OAE Recommendation DSS Management Action Plan (MAP) Target completion date

Sub-criterion 2.1.1- Recommendation #2

  1. DSS (ISD) should update and implement revised procedures.
  2. Once the procedures have been updated and approved, they should be clearly communicated with ISD inspectors and staff.

Management agrees.

  1. ISD has drafted a work instruction document, “How to Plan, Prepare for, Perform and Close out IAEA Inspections, Complementary Access visits and CNSC Physical Inventory Taking Evaluation” to update and modernize its current inspection procedures. The document will be reviewed by staff and approved by the Director.
  2. Once approved, the work instruction will be communicated clearly with ISD inspectors and staff.

In addition, since FY 2017–18, ISD has worked with the responsible regulatory program division to develop a field inspection guide (FIG) for inspections at power reactors. As of FY 2018–19, the FIG has been approved, used to support in-field activities, and updated to capture experience gained.

March 31, 2020

Sub-criterion 2.1.2 – Recommendation #3

  1. DSS should adapt the CNSC’s existing retention guide for each one of its divisions.
  2. Once the retention guides are approved, they should be clearly communicated with DSS inspectors and staff.

Management agrees.

a.1) ISD, EMPD and NPECD follow the CNSC’s internal guidance with respect to the retention of inspection notes from the “Conducting an Inspection” process document approved in April 2019. As recommended in the process document, NSD, ISD and EMPD will incorporate this guidance into its inspection procedures.

a.2) NSD will review the current record retention guide to ensure there is no deviation in how classified information is to be retained. If required, record retention procedures for sensitive information will be developed in collaboration with ROB directorates, to ensure compliance with the CNSC Management System and Information Security Directive.

b) All DSS divisions will clearly communicate such guidance with its inspectors and staff.

March 31, 2020

Criterion 2.2 – Recommendation #4:

  1. DSS (NSD and EMPD) should collaborate with DPRR, DNCFR and DNSR to improve how the lead inspector shares the lessons learned once they are finalized (as appropriate in a secure format). This will allow NSD and EMPD inspectors to easily access the lessons learned. Once the procedures are approved, they should be clearly communicated with NSD and EMPD inspectors.
  2. DSS (ISD and NPECD) should develop and implement a lessons-learned process including a clear definition of lessons learned. Once the lessons-learned guide is developed, it should be clearly communicated with ISD and NPECD inspectors.

Management agrees.

  1. NSD and EMPD will review the approved process document titled “Conducting an Inspection” to determine if improvements are needed. If required, amended lessons-learned procedures will be brought to DPRR, DNCFR and DNSR to determine the best approach for incorporating the changes, using the multi-key system.
  2. ISD and NPECD will develop and implement lessons-learned processes – aligned with the “Conducting an Inspection” process document – including a clear definition of lessons learned, for their respective inspection processes, and communicate these with their inspectors and staff.

In addition, ISD will also create an internal forum for discussing the lessons learned from CNSC- and IAEA-led inspections and will collect these items and incorporate them into the appropriate internal procedures and work instructions. NPECD has created a template for documenting lessons learned, and this is to be used with the next NPECD inspection.

August 31, 2020
Reporting Inspections
OAE Recommendation DSS Management Action Plan (MAP) Target completion date

Criterion 3.1 – Recommendation #5:

DSS (NSD and EMPD) in collaboration with DNCFR and DPRR should clarify roles and responsibilities, as they relate to preparing and issuing final inspection reports. Once the procedures are approved, they should be clearly communicated with NSD and EMPD inspectors and staff.

Management agrees.

  1. NSD and EMPD will review the approved process document titled “Conducting an Inspection” and the approved NSD procedures to determine if improvements are needed. If required, amended language on roles and responsibilities will be brought to DPRR, DNCFR and DNSR to determine the best approach for incorporating the changes, using the multi-key system.
  2. NSD will develop clear text to be incorporated into existing CNSC management system documents to capture roles and responsibilities of CNSC staff who conduct security compliance inspections. Working groups will be established to define roles, responsibilities and a clear process on how regulatory issues are dispositioned with DPRR, DNCFR and DNSR.
August 31, 2020

Appendix D: Acronyms

The following table presents acronyms used in this document.

ACFD
Accelerators and Class II Facilities Division
CNSC
Canadian Nuclear Safety Commission
DAA
Directorate of Assessment and Analysis
DERPA
Directorate of Environmental and Radiation Protection and Assessment
DNCFR
Directorate of Nuclear Cycle and Facilities Regulation
DNSR
Directorate of Nuclear Substance Regulation
DPRR
Directorate of Power Reactor Regulation
DSM
Directorate of Safety Management
DSS
Directorate of Security and Safeguards
EMPD
Emergency Management Programs Division
FIG
field inspection guide
FY
fiscal year
GCSI
Government of Canada Secret Infrastructure
IAEA
International Atomic Energy Agency
IIA
Institute of Internal Auditors
ISD
International Safeguards Division
MAP
Management Action Plan
NPECD
Non-Proliferation and Export Controls Division
NPP
nuclear power plant
NSCA
Nuclear Safety and Control Act
NSD
Nuclear Security Division
OAE
The Office of Audit and Ethics
OAG
The Office of the Auditor General of Canada Bottom of Form
OID
Operations Inspection Division
OJT
on-the-job training
PRRP
Power Reactor Regulatory Program
RBAP
Risk-Based Audit Plan
ROB
Regulatory Operations Branch
TSB
Technical Support Branch

Endnotes

Footnote 1

A review provides broad or targeted information on the nature and scope agreed to with the engagement client with less depth and coverage than an audit. When performing a review, the internal auditor maintains independence and objectivity but does not provide the same level of assurance to management on governance, risk management, and process controls.

Return to 1 referrer

Footnote *

Risk-informed vs. risk-based:

Risk informed – A risk-informed approach relies more on judgment and on consideration of various deterministic factors for decision-making.

Risk based – A risk-based approach uses known risk metrics as the basis for decision making.

Return to * referrer

Date modified: