Design Knowledge and Design Change Management in the Operation of Nuclear Fleets

Cooperation in Reactor Design Evaluation and Licensing Working Group Title: Design Knowledge and Design Change Management in the Operation of Nuclear Fleets Produced by: World Nuclear Association Published: April 2015 Report No. 2015/002

This WNA report reflects the views of industry experts but does not necessarily represent those of any of the WNA’s individual member organizations. Contents

Executive Summary 1

1. Introduction 2

2. CORDEL and Design Change Management 5

3. Design Change and Lessons Learned from Fukushima 6

4. The Licensee’s (Utility / Operating organization) Role and Responsibility 7

5. The Importance of the Vendor and Responsible Designer’s Role 9

6. The Owners’ Group Role for a Standardized Reactor Fleet 12

7. WANO role 14

8. Regulator Role 15

9. Design Authority 16

10. The Aerospace Industry Model 18

11. Conclusions and Recommendations 19

12. References 21

Executive Summary

The operating lifetime of a nuclear plant spans several decades. During this time, the plant may undergo design changes as a result of experience feedback, new knowledge or requirements, and safety reviews.

To ensure that safety remains optimised, these changes must be carried out with a full understanding of and without compromising the design intent.

The licensee, usually the operator, holds prime responsibility for the safety of the plant, and by extension it is fully responsible for design change management. According to the IAEA (SSR-2/1), it should fulfil this responsibility by establishing “a formal system for ensuring the continuing safety of the plant design throughout the lifetime of the nuclear power plant”. This system should include “a formally designated entity responsible for the safety of the plant design within the operating organization’s management system”, an entity referred to as Design Authority according to INSAG 19, which details its role and responsibility.

The requirement to establish a Design Authority within each nuclear plant operating organization may be challenging. Some of these operating organizations will be new, and some will be small. Some may be the first nuclear operator in a particular country. For plants sold on a turnkey basis, the challenge for the operator to develop and maintain the full knowledge of the design of the plant needed for this role may be greater.

This is the reason why the operator (through its Design Authority) may allocate tasks, under its responsibility, to external organizations that have a specialized knowledge of the detailed design of specific parts of the plant. These organizations are the original designers of the plant, including vendors and equipment suppliers, who have the original design intent knowledge. These external organizations are referred to as responsible designers.

CORDEL’s Design Change Management Task Force is investigating options for maintaining design knowledge throughout a plant’s lifetime, while also maintaining the benefit of design standardization throughout a fleet.

Based on surveys carried out to substantiate this report (one assessment and comparison of various owners’ group practices and one questionnaire to utilities to understand different approaches regarding Design Authority), recommendations are proposed regarding design knowledge and design change management.

Utilities operating plants of similar design, or even more of standardized design, should take advantage of this standardization to manage their design changes. In order to retain this benefit, an international fleet-wide approach to design change management should be seen as a vital concept, because it facilitates a large sharing of experience among operators and enables similar solutions to be adopted for design changes.

There are various mechanisms for managing design changes. The operating organization needs to maintain the underlying design knowledge, while involving the plant’s original vendors / designers as needed. Within a standardized fleet, the operator-responsible designer interface over design changes and how they are managed within different organizational and regulatory environments around the world is especially important. This report underlines the importance of a comprehensive cross-involvement of utilities and responsible designers regarding standardized units. The existing opportunities brought by owners’ groups, and by other operators’ groups such as WANO should be fully developed.

In this context, the nuclear industry may also learn from the aerospace industry’s approach to design authority.

1 1 Introduction

Nuclear development around the mechanisms and to maximize their world has the potential to bring contribution to nuclear safety. major benefit for security of supply, energy independence, economic As part of a virtuous circle, efficiency, environment and high skilled standardization of nuclear plant design employment. The two main conditions can further facilitate the development of are first the priority to be given to safety international safety standards, as well in the design and operation of NPPs as help to reduce uncertainties during and second the necessity to reduce licensing and cost overruns during the uncertainties in the cost and time of construction. Maintaining the benefit building and licensing new Generation of that standardization all along the III reactors around the world. fleet’s operating lifetime can contribute to performance optimization during In this context, standardization is a operation and decommissioning. This major tool to improve nuclear plant includes the safety performance of the economics during design approvals, individual units of a worldwide fleet of licensing and construction, with the standardized nuclear plants, which potential to bring also significant would be expected to be enhanced benefits to operational safety. through mutual sharing of experience and an international fleet-wide The concept of standardized reactor approach to design knowledge and designs does not require units to be design change management. completely identical. Rather, all units that use the standardized design This report prepared by the CORDEL technology should at least share the Design Change Management Task same global architecture and the same Force (DCMTF) looks at existing specifications for the nuclear steam and new mechanisms which might supply system design and components, deliver improved benefit from design and associated safety systems. standardization throughout a fleet’s lifetime. The main focus of the In January 2007 the World Nuclear report is on new-build plants, where Association (WNA) established the opportunity for standardization the Cooperation in Reactor Design is greatest, but some of the Evaluation and Licensing (CORDEL) recommendations are also applicable Working Group to promote a dialogue to existing fleets. between the nuclear industry (including reactor vendors and utilities) and a) Causes of design nuclear regulators (national and international organizations) on the change benefits and means of achieving a The operating lifetime of a plant worldwide convergence of reactor spanning several decades means that 1 cf IAEA SSG-25 on Periodic Safety Review safety standards for reactor designs. it will undergo significant changes for Nuclear Power Plants: “It is recognized during this period. INSAG-19 [1] that some States prefer alternative CORDEL has produced two reports describes reasons for changes in plant arrangements to a PSR. For example, some States apply routine comprehensive setting out its mission: i) Benefits design, such as: physical ageing of safety assessment programmes that deal Gained through the International structures, systems and components; with specific safety issues, significant Harmonization of Nuclear Safety obsolescence that may occur in events and changes in safety standards Standards for Reactor Designs [5], hardware and software elements; and operating practices as they arise. Such programmes can, if applied with and ii) a ‘roadmap’ report International safety reassessments (for example appropriate scope, frequency, depth and Standardization of Reactor Designs through periodic safety review (PSR) as rigour, achieve the same outcomes as [6]. In both of these, CORDEL argued required in the EU1) and feedback from the process recommended in this Safety that, besides economic benefits, operating experience; new knowledge Guide. They allow safety to be improved international standardization offers an and research on safety issues; on a continuous basis and avoid the need to implement concurrently a large opportunity to make optimal use of changing regulatory standards; new programme of corrective actions.” best practice and feedback sharing best available techniques; and changes

2 in performance and organizational the operator’s liability for third-party the operating organization through structure. damage in the case of a nuclear safety reports and adequate detailed accident. Nuclear power plant design engineering documentation. However, A fundamental principle of the nuclear and construction involves many much of the highly specialized industry is that the operator has organizations – owner-operators, knowledge - e.g. codes and methods, prime responsibility for safety [2, 3]; architect-engineers, nuclear island ‘know-how’ - underlying the detailed this includes the licensee’s ultimate and balance of plant vendors and design, which is owned by the original responsibility for the design and designers – and must be adapted designers, can be more challenging to design changes. Although the principle to specific site conditions and to acquire. of maintaining standardization along regulatory requirements. It creates the plants’ lifetime is important, it is a large, complex and quite often c) Accountabilities and finally up to the operator to decide unique infrastructure project with the whether or not to implement design operator carrying the overall risk and roles of responsible changes that have been carried out responsibility for safety. designers at other plants around the world. During the construction and Reasons for not implementing Regulators currently expect that every commissioning of existing nuclear certain design modifications might licensee maintains a knowledge and plants, various consortia models were be economic, regulatory or due to understanding of the design that is used, which in some cases raised local conditions (siting etc.). Over needed for safe operation, maintenance questions about where responsibilities time, reactors that were originally and modification of every licensed unit. lay at a particular time. When exactly standardized could therefore become IAEA Safety Standard SSR 2/1 [4] calls should the utility assume its Design more diverse and the safety and for the licensee to maintain design Authority role? Moreover, depending operational benefits of experience integrity and knowledge within its own on its size or organizational structure, feedback could be impaired. organization in “a formally designated the utility may not be able to acquire entity responsible for the safety of the by itself all the detailed, specialist There are several examples where plant design”. INSAG 19 refers to this design knowledge of all the systems standardized fleets in the nuclear entity as the Design Authority [1]. and components important to safety. industry have been successfully For plants sold on a turnkey basis, maintained e.g. French fleet, VVER The role of the Design Authority is to it is even more challenging for the fleet, Westinghouse 4-loop reactors, ensure that: operating company to obtain and ABB-CE System 80 plants, GE BWR • The knowledge of the design maintain all the knowledge needed for Mark 4 plants. This experience can also that is needed for safe operation, its Design Authority role. These issues be found in other industries, such as maintenance and modification of the are likely to become more challenging aerospace. plant is available, and maintained up as the number of countries and utilities to date by the operating organization; operating plants increases. b) The prime • The design requirements and the responsibility of the configuration control are maintained INSAG-19 recognizes that the throughout the plant’s lifetime; accessibility of design knowledge is operating organization not a trivial matter, not least because • Interfaces with responsible designers International discussion and agreement the amount of information is huge: “The and other organizations engaged on standardized designs to achieve operating organization must assure itself in design work are established and a similar level of reactor safety that a formal and rigorous design change controlled; across many jurisdictions is under process exists so that changes can be development but still has a long way to • The necessary engineering expertise made with full knowledge of the original go. The processes needed to maintain and scientific and technical design intent, the design philosophy the benefits of standardization during knowledge are maintained within the and of all the details of implementation operation are at an earlier stage of operating organization; of the design, and that this knowledge is development. • All design changes to the plant are maintained and added to throughout the reviewed, verified, documented and lifetime of the plant”. The legal framework in the nuclear approved. industry gives the licensee (i.e. It is specified in IAEA SSR-2/1 the operating organization) prime This implies that much of the design (requirement 3) that “tasks that are responsibility for the safety of knowledge is transferred by the assigned to external organizations design and operation. This includes original vendor(s) and designer(s) to (referred to as responsible designers)

3 for the design of specific parts of the Despite this guidance, there is no plant shall be taken into account in the internationally agreed mechanism arrangements”. This provision is related in place which would require the to the fact that the operator may assign original designer to provide the tasks for some parts of the plant to detailed knowledge needed to fulfil other entities that have the requisite the Design Authority role. Neither is design knowledge2. INSAG 19 states there a mechanism to ensure that that “the role and accountabilities of the design knowledge is universally applied ’Design Authority’ within the operating throughout the international fleet for organization, the specific roles that the benefit of safety. The exploration of have been assigned to the responsible these topics, including the distribution designers, the precise areas that of accountability between the licensee’s the responsible designers are held Design Authority, which bears the accountable for, and the processes that prime responsibility for safety, and must be followed for each of the parties the “responsible designers”, within a to exercise their responsibilities properly, standardized fleet, forms the basis of must be defined very clearly.” the discussion in this paper.

2 As stipulated in IAEA SSR-2/1 & INSAG 19: The Design Authority may assign tasks “to other entities that do have that specialized knowledge of detailed design; for the reactor system and its supporting systems this would likely be the original vendor of the system”. According to IAEA SSR-2/1, the concept of “responsible designers” can include, beside the original “nuclear vendor” of the NSSS (Nuclear Steam Supply System), and as needed, other equipment suppliers (detailed designers for NSSS equipment as well as non NSSS suppliers).

4 CORDEL and Design 2 Change Management

The World Nuclear Association’s and reviewing support functions Cooperation in Reactor Design offered by owners’ groups. The causes Evaluation and Licensing (CORDEL) of design change and the reasons Working Group aims to promote why design changes are not always standardization of nuclear reactor systematically deployed in today’s designs. fleets are discussed. The report then considers the roles played in the design Standardization offers a unique change process by plant utilities, opportunity to make optimal use of vendors, regulators, owners’ groups and best practice and operating feedback other organizations such as WANO. sharing mechanisms and to maximize their contribution to nuclear safety. It should be noted that there are several options for utilities to organize Operating experience and measures themselves – including within owners’ for improving safety are being shared groups – to fulfil their responsibility as extensively amongst utilities, for regards design knowledge and design example under the auspices of the change management. For instance: World Association of Nuclear Operators i. a utility can have its own in-house (WANO). CORDEL has concluded that engineering resources. This can be the industry should take the opportunity the case for big utilities (or a group presented by standardization and strive of utilities) which have several units to improve these mechanisms still further. in operation. This company can also This raises important questions: How act as ‘reference operator’ through can operating experience sharing be a dedicated relationship with smaller enhanced and the benefit of international or isolated companies operating the standardization be maintained throughout same design; a plant’s lifetime when several reactors of the same design will be run by different ii. a group of utilities operating the same operators in different parts of the world? design can decide to incorporate How should the roles and accountability and share their own engineering for design changes be allocated between resources and experience feedback utilities, vendors and responsible to acquire and maintain this design designers? knowledge; iii. utilities operating the same design can To address these challenges, in decide to group together and organize 2010 CORDEL set up the Design their work in closer connection with Change Management (DCM) Task the original vendor and designers and Force, with the aim of sharing and to benefit from their involvement to analysing existing practices, to establish design knowledge and share identify best practices, and to make experience, with adequate contractual recommendations to improve safety and agreements. maintain standardization throughout the lifetimes of the plants. Representatives This report by WNA CORDEL Working from utilities, vendors, owners groups, Group, which gathers both utility and WANO and the aerospace industry are vendor representatives’ opinions, members of this task force. focuses mainly (though not exclusively) on this third option. The DCM Task Force has analysed design change management within The fundamental issue for this review fleets of similar design stretching is to examine what design knowledge across a number of countries with and design analysis capability must be different regulatory systems. This retained over the lifetime of a nuclear report examines a number of options plant (or fleet of units) by the plant to implement a Design Authority owners/operators and vendor to make by reviewing some ‘best-in-class’ safe decisions for design and operating implementations by licensees, changes, under the oversight of the considering ‘shared accountabilities’ regulators.

5 Design Change and 3 Lessons Learned from Fukushima

The March 2011 accident at Japan’s of the plant. So utilities can choose the Fukushima Daiichi nuclear plant path of making agreements with the raises a number of questions in the vendor and responsible designers to area of design change management. fulfil their Design Authority responsibility. While the magnitude of the external But even the largest utilities may not hazard was clearly not taken into be able to come up with best technical account in the original design basis, solution for design changes in the and the subsequent modifications absence of an international framework of the original units, the accident supporting exchange and compliance highlighted fleet differences such with best practice. as the containment hardened vent. This plant feature was required in the Sharing experience and benchmarking US and design specifications were within owners’ groups on what level developed under an owners’ group of knowledge of the design should initiative. However, detailed design be retained by an operator (through and subsequent implementation its Design Authority) in order to varied, partly due to differences in the ensure safe operation, maintenance original plant design but also due to and modification of the plant would preferences of the individual operators. be beneficial and could result in It provides a good case study for developing common principles. improving a fleet design change Alongside this, the knowledge of the management process for the existing designer should be maintained and and for the next generation of plants, used as an intrinsic element of design within a standardized fleet. change management to ensure the continuing safety of the plant. An operating organization is expected to encompass the role of the Design The objective that the operator by Authority for its plant. One interpretation itself is wholly responsible for the would imply that every utility around the design once a plant is in service is world should maintain all the design challenging to achieve today, and, with staff needed to understand in detail an expansion of the nuclear industry all the mathematical modelling of the worldwide bringing with the potential safety case and of the behaviour of all for fleets of standard Generation III the components of the plant, in order plants ordered on a turnkey basis, it to understand all the consequences could be even more challenging in the of a design change. Some of these future. This raises the need to consider design changes can be subtle. Some the principles and arrangements of consider this an impractical (and also a specific organization while drawing expensive) expectation, depending the benefits of a standardized fleet. on the size of the utility. Operating This might also drive the way a organizations must, of course, maintain turnkey contract is established, which a sound knowledge and understanding must allow the operator to become of the plant and its safety case to be a ‘knowledgeable customer’, able to able to operate the plant safely, and to take on board the ’ownership’ of the maintain it to designers’ specifications. design and to have a clear view of the Only the largest utilities, however, can importance to safety of design issues, afford to retain by themselves a large in order to be able to take informed design support staff throughout the life decisions regarding safety.

6 The Licensee’s (Utility / 4 Operating organization) Role and Responsibility

International standards make clear For small utilities, it may be the primacy of the licensee’s role in challenging to have adequate nuclear safety: “The licensee retains engineering resources to know by the prime responsibility for safety themselves, in sufficient detail, the throughout the lifetime of facilities design they operate and all the reasons and activities, and this responsibility behind the design choices made by the cannot be delegated. Other groups, vendor and the responsible designers. such as designers, manufacturers and However they should have developed constructors, employers, contractors, sufficient knowledge of the design to and consignors and carriers, also be a ‘knowledgeable customer’ and have legal, professional or functional to know what is important to operate responsibilities with regard to safety” their plant safely. This is where the (IAEA-Safety Fundamentals-SF-1). relationship between the utility and the original vendor becomes important in This responsibility can be broken into a order to take advantage of the vendor’s number of areas, notably: establishing own ‘Design Authority’ capability; this and maintaining the necessary would require long-term agreements competence; providing adequate with commercial implications. training and information; establishing procedures and arrangements to When several utilities are operating maintain safety under all conditions; similar units in one country (as is the verifying the appropriate design and case in Japan, Germany and the US), adequate quality of facilities and they work with the same regulator, activities and of their associated and it is beneficial for them to define equipment (cf. IAEA-SF1). common positions on safety issues. VGB in Germany and NEI and owners’ As already specified in the Introduction, groups in the US are organizations according to IAEA SSR-2/1 –(Safety of that play this role of bringing the Nuclear Power plants: Design) - req. utilities together to develop a common 3, each operating organization “shall solution to the same safety/regulatory establish a formal system for ensuring issue, which in itself contributes to the continuing safety of the plant design throughout the lifetime of the nuclear keeping the units similar. In the context power plant”. It shall include “a formally of new build, several US utilities have designated entity responsible for the applied for combined Construction and safety of the plant design within the Operating Licenses (COL) to build the operating organization’s management same few designs. The NEI New Plant system, and tasks that are assigned to Working Group was set up in order to external organizations (referred to as facilitate and speed up the licensing “responsible designers”) for the design process, which in itself supports of specific parts of the plant shall be standardization. Having achieved taken into account in the arrangements.” standardization at the licensing stage, utilities should be encouraged There are a variety of situations to to continue this kind of cooperation consider. These include relatively small during the life of their plants and this is utilities operating a small number of also a potential role for owners’ groups units in a rather isolated context, utilities (Candu owners’ group plays this operating similar units in the same role for some common issues – see country and facing the same regulator, Section 6). through to large utilities operating large fleets in different countries, and there For utilities operating a number of will be combinations of these. similar units in different countries

7 through subsidiaries, they have making any change to their plants, but significant incentives to keep similarities ultimately, they are the only ones legally between these units which include responsible for the decision. sharing operating experience, sharing spare parts and the benefit of a The concept of a utility’s Design common engineering team serving the Authority should be implemented, whole fleet. Even if the subsidiaries while recognizing the importance of the are different companies operating in original designer in design knowledge different regulatory environments, it is and design change management, as likely that these incentives will prevail. was pointed out by INSAG-19.

It is important in all situations that the Utilities should recognize the benefit relationship between a utility and its of participation in owners’ groups, vendor is maintained after plant start-up. and should play an active role in their Some form of contractual agreement organization for standardized units or cooperation should be put in place by sharing enhanced experience on a long-term basis to ensure the feedback. They should also make knowledge management of the design maximum use of cooperation with their as needed. Utilities may struggle to fully international peers within international understand the design basis before organizations such as WANO.

8 The Importance of the 5 Vendor and Responsible Designer’s Role

As explained in footnote 2, the concept the cost is spread across many units of ‘responsible designers’ (IAEA (Figure 2). SSR-2/1) can encompass, beside the original nuclear vendor of the NSSS For a small utility, with a small number (Nuclear Steam Supply System), of plants, the increased burden driven other equipment suppliers (detailed by the increase in the number of SSCs designers for NSSS equipment as considered to have safety attributes well as non-NSSS suppliers). Their may require more support from the role also has to be considered by original designer. the utilities for example within their owners’ group. Often it is they who Figure 2 illustrates historical retain the detailed knowledge of why precedence for a licensee’s the design is how it is. Responsible “ownership” of the design basis. This designers, therefore, need to be might also be applicable in the future involved to a great extent in keeping if a licensee (or country) were to build and improving the safety of a design a sufficiently large fleet of a standard during operation. design. India, for example, has plans for building multiple units of imported The vendor should also play an standard design. In such a case, the important role in remaining up to licensee may have the desire and date with new research findings and capability to own more of the design developments, particularly as impact basis than a country or utility with the understanding of the design basis only one plant of that design. Either for the plant, and with changes in the way, the vendor needs to share in design of the plant. ownership of the design basis with the licensee’s Design Authority, this In general, the distribution of sharing of ownership being tailored to responsibility3 for design change the licensee’s capability. management varies according to the safety classification of a system, Each operating organization has the structure, or component (SSC). When responsibility to collect and analyse the plant is first built and during its the experience feedback (beside early years of operation, the original international experience feedback NSSS designer has a large degree of for major issues). This operating responsibility for any design changes experience may be shared with other of safety-related SSCs. This was utilities within the owners’ group in the case with the first and second order to improve both the safety and generation of nuclear plants. performance of standardized units. It can also be shared, or partly shared, As designs and the regulatory with the vendor/responsible designers requirements evolved, the which could be assigned dedicated relative distribution of these SSC tasks in connection with their detailed classifications changed. A larger design knowledge. Reciprocally, proportion of plant systems and the vendor would also keep utilities components are now considered informed and draw their attention to important to safety (Figure 1). any emerging issues related to design and to maintaining the design basis As a licensee’s fleet size increases, document. however, the ‘cost’ (engineering 3 Responsibility here refers to technical workload) of ‘owning’ the design basis For standardized reactor designs knowledge and contractual responsibility. Prime responsibility always lies with the for standardized designs, even for the role of the vendor/responsible licensee. safety-related SSCs, decreases, as designers in fleet oversight

9 internationally is even more important. The use of ‘service and advisory Vendors, in close collaboration bulletins’ on both safety and with utilities as knowledgeable operational matters needs customers, can play an important role strengthening and should include a in the exchange of information and graded approach reflecting their safety operational experience within ‘their’ significance. The most important fleets across the world. They can matters should be assessed by utilities help maintain design knowledge and in order to decide what action (if any) play an enhanced role, in interaction should be taken: implementation or with utilities/licensees, in studying adaptation, taking into account local and proposing design improvements context or regulatory framework. which might result from this experience Utilities should provide feedback to the feedback. designer regarding actions taken to address the bulletins. For example, the role of the vendor / responsible designer, which could Most vendors have developed or are be shared with the owners having developing inside their organization the whole operating experience, what some vendors call their own could include analysis of operating ‘design authority’, consisting of a experience related to failure modes group of engineers who maintain a and failure rates of similar components historical record of the various designs in a fleet. This could result in the they have produced and all the dissemination of operating experience reasons behind the design choices. that has implications for design and Their role is to review any changes potential design changes through a proposed to or by their customers to strengthened ‘service and advisory check compatibility with the original bulletin’ system. The compiled data design intent. This kind of organization could be far more detailed and is important for ensuring the success valuable than of today as this ‘cost’ is of the modifications considered spread over the whole fleet. Currently, (be it for performance or safety every utility’s responsibility would be to improvements). maintain such a database, by itself or through arrangements with responsible However, the final decision designers. (modification, improvement,

Licensee Only Non-Safety Non-Safety Important to Safety Important to Safety Safety- Safety- Related

DCM Responsibility Vendor Related Involvement in Design Only

Evolution of Designs and Regulations

Figure 1. Increasing number of safety significant SSCs with the evolution of regulation entails increasing contractual responsibility for the vendor

10 experience feedback etc.) lies with technically competent organization. the licensee (utility), taking into This role might be assumed by a consideration its own local context. relevant owners’ group.

In the case of the vendor’s business This emphasizes the need for a well- being transformed, changing established knowledge management ownership or ceasing to exist, it is system as knowledge will have to be important to ensure that the vendor’s passed across successive generations IP (Intellectual Property) assets of engineers within vendors, (including its human resources) are responsible designers but also within a maintained and transferred to another licensee’s Design Authority.

Licensee Only Non-Safety Non-Safety

Important Important to Safety to Safety

Safety- Safety- Related Related

DCM Responsibility Vendor Involvement in Design Only

Size of Standardized Fleet

Figure 2. Increasing licensee’s ownership of design basis with the increase of licensee’s standardized fleet size entails less contractual responsibility for the vendor

11 The Owners’ Group 6 Role for a Standardized Reactor Fleet

Owners’ Groups (OGs) are Findings of the survey are as follows: organizations that bring together utilities • Participants: all OGs include the operating nuclear plants of similar vendor(s) and utilities operating this technology. They also generally include vendor’s reactors. the original vendor of the corresponding • Voluntary or mandatory utility technology. The owners group provides involvement: involvement is a convenient forum in which the utilities voluntary except in Russia, where that operate the vendor’s design, the national regulator mandates and the vendor (and with possible involvement with the original other responsible designers for main designer. In some cases, utilities components) can share operating are motivated to join by the experience and common technical membership benefits offered. There issues and the ways to solve them4. is no mandatory requirement for membership at the international A survey of OGs has been carried out level, with the exception, perhaps, by CORDEL involving: of the VVER operators in Ukraine, • AREVA Owners’ Group (still known where the national regulator as Framatome Owners’ Group or demands mandatory adherence to FROG). the the original designer’s safety • OKB Gidropress (Russian NSSS recommendations. designer). • OG charter: most OGs have a • CANDU Owners’ Group (COG). relatively detailed charter which the • PWR Owners’ Group (PWROG, member utilities sign up to. In some formerly the Westinghouse owners’ cases, only utilities – and not the group). vendor - are voting members (AREVA • Japan PWR Owners’ Group (for MHI- Owners’ Group, and currently under designed plants). review for COG). • Boiling Water Reactor Owners’ Group • Primary areas of activity: OG (BWROG, GE-Hitachi’s design). activities include sharing operational experience, reviewing common safety, These OGs operate in a variety of reliability, and regulatory issues and circumstances: some are single nation even plant economics. In some cases, groups with a single common regulator; issues might be addressed through some include utilities operating in shared research and development. different countries with different OGs have the flexibility to share regulators; some also cover the situation operational experience: the sharing mechanisms can be arranged around 4 of a single utility linking back to the IP ownership can be a potential barrier to design-specific features or around a sharing information on design and may require vendor’s ‘reference’ country. These adequate contractual provisions between the circumstantial differences could account secondary supplier’s issue who may OG members to be in place. for many operational differences. only participate in the relevant activity. 5 While not strictly related to the scope of this The participation may be voluntary, document, the OGs could be a forum for Usually OG membership is voluntary for example where cost sharing is sharing and exchanging about methods used involved. to take into account external events which and assigns no responsibility to the could have an impact on the design. vendor for recommending standard • Database of licensing and safety 6 In this process, risk assessments of solutions or for influencing utilities to issues: although the survey results regulatory compliance issues are evaluated implement them. showed that not all OGs keep a by NRC staff using generic PRA models database of design-specific issues, maintained by the NRC. These models are Some strengths and good/best OG there is usually an alternative, for continuously improved through interactions with licensees who maintain detailed, plant- practices can be identified from the example: a website listing common specific PRA models. survey. issues and analysis (most OGs); the

12 provision of advisory bulletins (COG); about whether or not it should carry organization is available to take over or vendor’s support delivered via out modifications or implement the responsibilities and assets of the televised conferences from vendor’s other measures. Probabilistic Risk designer, the OG could take on this crisis centre (Gidropress). Assessments (PRAs) are a basic role for the whole fleet as a last resort. • OG accountability for plant design element in this analysis, and can be and analysis: generally the OGs, used both for internal and external For the benefit of safety and 5 as expected, do not accept any events that can lead to common standardization of plants during accountability. cause failures (depending upon their lifetime, there would be value in siting and layout). For major internal developing a consistent approach to • OG accountability for plant events, similar plants should have safety reassessment (or Periodic Safety configuration management: similar risk profiles, provided that Reviews as required), which included again, OGs do not generally accept the data input into the PRA comes accountability. However, there were international experience feedback. A from a valid common database. some exceptions to this: in Russia vendor’s analyses and proposals in OGs could develop standard PRA and Ukraine, the vendor’s agreement relation to safety improvements could techniques related to their relevant to any design or configuration be beneficial. These reassessments, designs for main internal events change to the design basis is in turn, may produce new relevant and collect reliability data from mandated by the regulator. safety-related recommendations, which utilities operating these designs as can be shared between the vendor • OG accountability for plant design input to PRA (subject to contractual and other utilities through OGs or changes: Generally none accepted. arrangements or statute linked to other operating experience exchange use of proprietary information or IP). mechanisms, such as WANO. Several conclusions can be drawn from The shared benefits of a modification this overview of OGs’ operations: related to such internal events could In general, all relevant safety-related • It would be worth considering the then be demonstrated to all utilities data should be benchmarked between introduction in the OG mandates of within the OG, with the support the licensees within the OG to inform an objective to maintain the benefit of of the vendor. This would help to decision-making. For the most standardization, so if a design issue avoid implementation of different important issues, there should be a were to be identified by a member technical solutions, thus maintaining clear decision process by the licensee, of an OG, all members should standardization. This concept has based on a graded approach in relation consider the issue’s resolution and already been demonstrated by the to safety importance. Of course, in its implementation. In this context, US NRC Reactor Oversight Program6. parallel, the regulatory bodies will also developing a consistent approach • Given the longevity of a nuclear exert their independent scrutiny and to safety reassessment or Periodic plant, one of the most important assessment and share their views. Safety Reviews (as required), which issues is how the design knowledge would include international experience should be maintained if the original This system would demonstrate the feedback and new knowledge, would designer is no longer available (for safety and economic benefits of be an important goal. The vendor example, if it is no longer in business). maintaining standardization (which analysis and proposals in relation The preferable solution is that the does not necessarily mean full to safety improvements can be designer’s IP is taken over by a new identity). There can be some agreed beneficial. design organization. There may commitment or charter related to • OGs should define a process to be several such changes over an this principle within the OG. But it is ensure that the knowledge of the main operating lifetime spanning several clear (and it is the current industry design differences between plants in decades. The duties, competence experience) that there are other the fleet is maintained and accounted and responsibilities of replacement factors which are also in the licensee’s for. This should involve the vendor. design organizations must be well consideration (such as local context) • Using cost/benefit analysis, a utility defined and understood at the time of that could result in another decision can make informed decisions takeover. However, if no new design framework.

13 7 WANO role

The World Association of Nuclear In order to take into account all these Operators (WANO) is a well-established elements, WANO is currently improving and recognized organization of the way in which design insights are worldwide nuclear operators. With its applied in the peer review process in operating experience program and the order to: peer review program, WANO provides a - Focus attention of the peer review on unique tool for improving performance the aspects of the plant’s operations and safety of operating plants. having the highest safety impact. Currently, the SOERs (Safety Operating Experience Reports) and SERs - Link and weigh the performance (Significant Event Reports) that are of the operating organization widely distributed among its members (peer review findings or Area For are extensively used by operators. Improvements) against fundamental design aspects. Considering design aspects, the Fukushima event has led the nuclear It is possible for non-regulatory industry to question whether WANO organizations which are not operators, activities have been too narrowly such as vendors or responsible defined around operational excellence, designers, under contractual without taking into account enough arrangements with WANO to have consideration of design features. In access to some information restricted response, the WANO Design Project to WANO membership. As this report has been established to provide advocates a better cross-involvement recommendations for expanding the of utilities and responsible designers scope of WANO activities to include or original vendors regarding some aspects of design. standardized units, CORDEL strongly recommends that – within the WANO The WANO approach is based on the framework - operators be encouraged following assumptions: to find an efficient way of sharing • Nuclear safety of a plant depends information within their OGs and that both on its design basis and through such an exchange the vendor/ operational performance. responsible designers could make use of experience feedback and analysis • Criticality of systems or transients, made by utilities (knowledge, lessons and safety consequences of learned etc.) and propose a common observed facts during peer solution to its customers in the most reviews strongly depend on design efficient way. Better usage of OG characteristics as well as operational platforms should be investigated in that performance. respect. • Design understanding and management is one of the factors in major damaging events. • Design is a living object which has to be reviewed in order to be up-to- date, taking into account events or new findings, naturally while keeping control of the safety margins.

14 8 Regulator Role

Regulators are making efforts to actions that could be undertaken now harmonize their activities and share which could help maintain consistency assessments of new designs. The between similar plants under different Multinational Design Evaluation regulatory influences. Two committees Programme (MDEP) is the best known of the Nuclear Energy Agency (NEA) initiative in this direction. It might of the OECD, the Committee on be expected that the results of this the Safety of Nuclear Installations work will not only benefit the initial (CSNI) and the Committee of Nuclear standardization of designs during Regulatory Activities (CNRA) that licensing, but also will support the includes a large number of countries benefit of standardized solutions during from OECD membership, have plant lifetime. been taking initiatives to develop a common analysis process for some One concept that has been discussed, important generic plant events between potentially as a long-term end state for regulators and their Technical Support MDEP, is the formation of ‘Regulators’ Organizations (TSO). Task forces and Groups’ in which a number of regulators workshops have been initiated on, for meet periodically and share operating example, the sump clogging issue and regulatory experiences with a (identified in Barsebäck, 1992) or the common design. Such sharing of electrical event at Forsmark (2006). analysis and resources between These helped regulators to gain a regulators can also be a beneficial better understanding of the event, outcome of standardization regarding lessons learned from the event as well safety. as to come to consistent regulatory positions. These initiatives should be Examples of such regulatory groups supported by the industry by providing exist, namely: the CANDU Senior the required technical inputs in this Regulators’ Group and the VVER process. Industry (both vendors and Regulators’ Forum. Alignment of the utilities) should be encouraged to charters of Regulators’ Groups and of participate in these initiatives in a the OGs could ensure timely and cost- systematic manner. effective implementation of regulator- requirements related to design Most utilities are planning for long term changes with additional assurance of operation (licence extension) of their a consistent design across multiple operating plants. Some regulators, regulatory frameworks. especially in Europe, are using this opportunity to issue new safety This is already the case with the ‘EPR requirements that could result in design Owner-Operators’ Group’ (established modifications and further differences by EDF, in connection with the original in similar plants. This process should NSSS designer AREVA) which interacts be balanced as far as possible with regularly with the EPR Working Group respect to standardization efforts (EPRWG) of MDEP. This OG works on and the corresponding operational harmonized solutions to generic issues, feedback sharing process. The nuclear and keeps track, with the support of industry clearly must be positive about AREVA, of the differences between safety improvements in the context of the EPR projects and together with the lifetime extension, but these should be regulators within EPRWG addresses the reasonably practicable and applied causes of these differences and works across the industry in a harmonized on maintaining harmonisation. way. The regulatory authorities should work with each other on this issue and Given that progress in making reforms both OECD/NEA and IAEA should play is likely to be slow, there are some an instigative role.

15 9 Design Authority

The topic of Design Authority is • In Korea, the Design Authority for fundamental to design responsibility, existing plants as well as for new which includes the themes of this build plants is a formally designated report: design knowledge and design entity, called the Central Research change management. The principle Institute, which lies within the of the operator owning the ultimate operator’s (KHNP’s) organization. responsibility for the design of the KHNP has continuous access to plant implies that the operator is the responsible designers, i.e. the the ‘authority’, the decision maker. original plant vendor KEPCO E&C However, the other connotation of the and the component supplier Doosan. word, implying expert or knowledge KHNP delegates detailed areas of the holder, refers to a vital capability which overall Design Authority responsibility may be challenging for an operator to to the responsible designers. Repeat fulfil by itself in all details. projects are increasing the KHNP in-house Design Authority capability. The original vendor of the plant may KHNP and KEPCO E&C are both be in a good position to fulfil this latter subsidiaries of the government- capability, through suitable commercial owned parent company KEPCO, arrangements to incentivize this. which simplifies matters. Through OG membership, KHNP also gets There are examples of the original support from overseas vendors for its vendor no longer existing as a CANDU and Westinghouse designs. commercial entity which complicates Responsible designers take some this issue further and in such a case a Design Authority responsibility during solution would have to be found by the construction and handover, and utilities within the owners’ group. during the warranty period of two years (four years for the UAE project) A survey has been carried out by of operation. During the plant lifetime, the Design Authority is maintained by CORDEL to understand how different KHNP with support from designers operators are approaching the subject on a project-by-project basis and of Design Authority. This covered five according to specific contractual countries: Republic of Korea, Canada, agreements. For the UAE project, USA, UK and France (EDF). The key KEPCO is developing a ‘Book of questions asked were: Knowledge’ which would contain the • How is design knowledge acquired knowledge base for the execution and maintained over the life of the of the Design Authority function by plant? ENEC. This model, of operator and • How is the Design Authority role designer being part of one company, executed? of obligating the vendor/original • What is the role of the original designer to have roles in the Design designer? Authority, and of the increasing Design Authority capability through • How does the Design Authority succession of standard projects, is discharge its responsibilities for deemed to be a good model and design change and configuration merits further study. management? • In France, EDF is the operator • How does the Design Authority and architect-engineer of its ensure consistency throughout the plants (EDF does not enter into fleet? turnkey contracts). EDF has an • How many full-time equivalent internal organization called Nuclear staff are in the Design Authority Engineering Division (DIN) whose organization? role, among others, is the design organization (according to SSR-2/1) The results are summarized as follows: and the Design Authority (according

16 to INSAG 19). DIN is a senior-level a full technical understanding of division which also coordinates the the plant. There is some evidence allocation of design-related activities of difficulties in certain Design among various EDF engineering Authority areas. In such areas, centres. A contractual relationship delegation via clear contractual with the original NSSS vendor agreements with responsible (Areva) is maintained, but EDF has designers is undertaken. developed its own deep design • In Canada, the Design Authority is knowledge. EDF always seeks to the Chief Nuclear Engineer within incorporate international experience the licensee’s organization. He may feedback during Periodic Safety formally delegate some aspects of Reviews, and some urgent actions Design Authority to plant engineering are implemented without having to staff and to a ‘design agency’ but not wait for PSRs. This model works very overall accountability. Requirements well through consistent operation for this process and role are captured over a long-term programme. formally in Regulatory Document RD- Whilst a very good practice, it may 337 Design of New Nuclear Power be challenging for other utilities Plants (based on IAEA SSR-2/1), and to achieve a capability the size of in the licence itself. For new build EDF’s, which has been built up in Canada, the roles of vendor and over a long period. But there are operator, and the transition of Design lessons to learn, particularly in the Authority from vendor to licensee consistency of EDF’s fleet-wide during handover, are being clarified. approach to design change. • In the USA, reliance on the original It is clear that there are many common designers (NSSS vendors) is experiences in different organizations recognized, as they are the IP but there are also many subtle owners. Also, Original Equipment differences due to, not least, different Manufacturers (OEMs) and maturity levels and situations. The right OGs sometimes develop design balance regarding design knowledge modifications and these have ownership between corporate and plant resulted in design changes in older level is also a subject relevant to each plants being implemented in different utility responsibility. ways according to the licensee’s decisions. In future, a more clearly Further work is required by CORDEL defined joint ownership of design to extract all the learning and to define basis between the operator and functional aspects or principles for designer should be possible, a Design Authority within operating potentially based on Probabilistic organizations, in connection with Risk Assessment. WANO. This work would address key • In the UK, the original plant issues around the need for the Design designers no longer exist as Authority within operating companies separate legal entities for some to have a strong link with an owners’ of the plants although processes group, and also with the vendor have been in place for knowledge (and responsible designers) through transfer to the current organizations. commercial operator-vendor relations. The role of Design Authority is invested in an individual, supported Of course, the regulatory bodies will keep by a team whose aim is to have their oversight on this important issue.

17 The Aerospace Industry 10 Model

In addition to the ideas developed in the CORDEL ‘roadmap’ report [6], discussions have been held with representatives of the aerospace industry on the basisthat they also operate in a highly technological industry in which reliability and safety are vital. The experience feedback from aerospace industry‘s internationally regulated certification process for standardized types of plane holds some interest for the nuclear industry7.

Techniques for adhering to standard designs at an international level were developed many years ago. There are several lessons to be learned, which are covered by a separate report [7], including: • Achievement of a UN-backed political agreement on the acceptance of basic safety requirements and rules (Chicago Convention Annex VIII). • Creation of a pan-European type certification agency (European Aviation Safety Agency, EASA). • Detailed understanding of the Type Certificate process and bi- and multilateral acceptance agreements. • Design change management and maintenance of Type Certificate throughout design lifetime (through use of Airworthiness Directives and Service Bulletins). • Interfaces of responsibilities and allocation of risks and liabilities among designers, manufacturers and operators. • Execution of Design Authority role by manufacturers. • Industry joint processes of standards development and manufacturer’s certification. • Responsibility of national regulators within an internationally agreed framework.

7 CORDEL equally recognizes that the context is different: for instance, the international nuclear liability regime channels responsibility exclusively to the nuclear operator.

18 Conclusions and 11 Recommendations

For a long time, standardization was formally designated entity responsible mainly seen as a tool to improve for the safety of the plant design within nuclear plant economics during design the operating organization (Design approval, licensing and construction. Authority). However, further work needs But successful examples in several to be pursued to identify best practices countries have demonstrated that with respect to discharging the Design standardization can also bring Authority function. Therefore the ability significant benefits to plant safety of utilities to meet this accountability during operation as it offers a wide in all circumstances and all level of international basis for experience details could be challenging. Support exchange from the entire fleet of from or reliance on the plant vendor standard plants worldwide. In order and responsible designers will be to retain the benefit of standardization beneficial in many situations through a throughout plant operation, an sustainable business model based on international fleet-wide approach to clear contractual responsibilities. design change management has to be seen as a vital concept. The existing mechanism of the owners’ group (OG) already WNA’s CORDEL Group has been provides a good point of interaction investigating existing and new between the utilities and the vendor / mechanisms which might deliver responsible designers. And although improved benefit from design OGs are mainly based on voluntary standardization throughout a fleet’s utility involvement, they hold the lifetime. CORDEL’s main focus has potential for further cooperation been on new-build plants where in design standardization. WNA the opportunity for standardization CORDEL can only strongly support is greatest, but some of these and encourage membership of all recommendations are also applicable utilities operating the same design to existing fleets. in OGs, on a worldwide basis, even if different regulatory regimes bring The Fukushima accident provides an some limitations in the globalisation example of institutional problems in of solutions that are implemented. the management of nuclear power In particular, operators could benefit plants’ operation and the lack of from sharing with vendors relevant an international mechanism that elements of experience feedback encourages design changes to be and related analysis at the fleet level implemented across a fleet of similar when design issues are involved. plants, especially regarding severe hazards. There is also successful experience of Regulators’ Groups in which regulators The likely global expansion of nuclear working on a common design of plant power, together with global sales of meet to share experiences, seek to a small number of turnkey new-build harmonize their activities, and target designs will result in fleets spanning a a common approach (MDEP design number of utilities and countries. For specific WG). some utilities, particularly smaller ones where there are limited engineering Discussions with the aviation industry resources, it may be challenging to have identified some key areas of fulfil their Design Authority role up to a potential common interest. detailed level. CORDEL makes the following IAEA SSR-2/1 and INSAG-19 recommendations to address issues recommend the utility’s accountability raised in the above conclusions and for nuclear safety, and therefore for to pursue the benefits of design plant design definition, through a standardization in general:

19 Design Change Management involving utilities and vendors/ • Developing WANO’s relationship with and Design Authority responsible designers, and commercial OGs where OGs could help produce There is a need to develop an arrangements, and without resulting in reports on design-specific issues for international industry framework that: an unnecessary cost burden. dissemination among participating utilities. • Clearly defines the respective roles Owners’ Groups and responsibilities of the utility and • The development of design-informed vendor in the international design More detailed work with OGs is peer reviews which should help to change management process. recommended and should address: identify safety issues or challenges to • The possibility of increased safety functions, especially within a • Describes how the utility defines its opportunities by OGs for standardized fleet. relationship with the vendor with the standardization through joint review view to fulfilling its Design Authority and implementation of design Regulators role. changes, and by developing The benefits of design standardization benchmarks where there is a need Owners’ groups are in a good and to safety throughout operating lifetime for alternative solutions, with a goal to privileged position to provide a forum should be recognized by regulators. maintain standardization. in which utilities can share knowledge Regulators might consider (consistent and assessment of generic safety- • How to strengthen as appropriate the with MDEP): involvement of the original vendors significant issues and potential generic • Setting up Regulators’ Groups design changes with the support of the in OGs, including the use of vendor and task forces and conducting vendor, and bringing in other utilities’ service and advisory bulletins within workshops for specific emergent contributions where needed. This the OGs. vendor’s role should be clearly defined • How to strengthen the role of the technical problems. in vendor-utility agreements which OGs with respect to identification • Developing common guidance should include initial design information and knowledge sharing of significant on generic safety issues in order handover and the potential for changed safety issues, which then should to bring consistent answers and circumstances of the parties throughout result in decisions by utilities to improvements through modifications the lifetime of the plant. be benchmarked between all OG during Periodic Safety Reviews members. (PSRs) and lifetime extension The focus of these agreements should • The sharing within OGs of reliability processes. These could then better be to maintain design standardization in data for main internal events related include international experience all design change decisions, with best to design and standard equipment to feedback. In turn, these PSRs practice being shared internationally be included in PSAs. themselves could also produce across the fleets. new relevant safety-related • The production of OG best practices recommendations, and these could (including on sharing common Further work is required by CORDEL to then be passed onto the utilities principles on the functioning of extract the learning, and propose the and vendor through OGs or other Design Authorities). functional aspects or principles for a operating experience exchange Design Authority implementation within • As far as practical, an efficient mechanisms. operating organizations in connection screening process related to with WANO. This should include a prevention, performance monitoring, Other Industries definition of Design Authority that can accident management and Further discussions with the aerospace be applicable to many different utility/ mitigation. industry should include: vendor/regulator scenarios. It should cover how the role of the Design WANO • Regulatory harmonization and Design Authority, which rests with the operator, Further discussions with WANO about Authority management. can be enhanced and made to work strengthening its role regarding design • Lessons learned from the Type across different organizations with aspects are recommended. These Certificate process and the interfaces different organizational structures, should include: of responsibilities.

20 12 References

[1] Maintaining the Design Integrity of Nuclear Installations throughout their Operating Life, INSAG–19, A report by the International Nuclear Safety Advisory Group, International Atomic Energy Agency, 2003

[2] IAEA Safety Standards, Fundamental Safety Principles, Safety Fundamentals No. SF-1, International Atomic Energy Agency, 2006

[3] Convention on Nuclear Safety, International Atomic Energy Agency, 1994

[4] IAEA Safety Standards, Safety of Nuclear Power Plants: Design, Specific Safety Requirements No. SSR-2/1, International Atomic Energy Agency, 2012

[5] Benefits Gained through International Harmonization of Nuclear Safety Standards for Reactor Designs, World Nuclear Association Discussion Paper, January 2008, http://www.world-nuclear.org/uploadedFiles/org/WNA/ Publications/Working_Group_Reports/ps-cordel.pdf

[6] International Standardization of Reactor Designs, WNA CORDEL Working Group, January 2010, http://www.world-nuclear.org/uploadedFiles/ org/WNA/Publications/Working_Group_Reports/International%20%20 Standardization%20of%20%20Nuclear%20Reactor%20Designs.pdf

[7] Aviation Licensing and Lifetime Management – What Can Nuclear Learn?, WNA CORDEL Working Group, January 2013, http://www.world-nuclear. org/uploadedFiles/org/WNA/Publications/Working_Group_Reports/ CORDELAviationReport.pdf

World Nuclear Association +44 (0)20 7451 1520 Tower House www.world-nuclear.org 10 Southampton Street [email protected] London WC2E 7HA United Kingdom

The World’s Nuclear Association’s Cooperation in Reactor Design Evaluation and Licensing (CORDEL) Working Group promotes the standardization of nuclear reactor designs. This can only be achieved by the development of a worldwide regulatory environment where internationally-accepted standardized reactor designs, certified and approved by a recognized competent authority in the country of origin, can be widely deployed without major design changes due to national regulations.

This report entitled Design Knowledge and Design Change Management in the Operation of Nuclear Fleets looks at existing and new mechanisms which might deliver improved benefit from design standardization throughout a nuclear fleet’s lifetime. Building upon the licensee’s prime responsibility for any design change through its Design Authority, it examines the interactions with vendors and responsible designers, as well as with operating organizations, such as owners’ groups and WANO.

The World Nuclear Association is the international private-sector organization supporting the people, technology, and enterprises that comprise the global nuclear energy industry. WNA members include the full range of enterprises involved in producing nuclear power – from uranium miners to equipment suppliers to generators of electricity. With a secretariat headquartered in London, the WNA serves as a global forum for industry experts and as an authoritative information resource on nuclear energy worldwide.