Limitations of probabilistic safety analysis

It is a truism that actual plant malfunctions never go ‘by the book’; that is, they are always unique and do not conform to the exact sequence defined in the deterministic or the probabilistic safety analyses. Furthermore, there is never full assurance that all possible failure modes and combinations have been investigated. The most likely cause of this diversity of cause and effect is the known complexity of the plant systems, combined with the much larger complexity that arises from innate human diversity at the operating staff level. Human behaviour, both as individuals and in groups, can exert very large positive as well as negative effects on calculated frequencies and consequences. Put in another way, a highly competent operating crew can safely operate even a seriously flawed plant design; at the same time an incompetent operating crew is capable of doing great damage to even an extremely well-designed plant. Lastly, considering the long time span of plant operation (50 to 100 years), all of the important variables can range from fully satisfactory at one point in time to unsatisfactory at a later time. Human managers are always responsible for sustaining high performance (and hence low risk) at all times — and even they are never perfect. Hence, there is a basic need for audits by an independent regulatory agency.