TRAINING COURSE SERIES No.

15

Regulatory control of
nuclear power plants
Part A (Textbook)

INTERNATIONAL ATOMIC ENERGY AGENCY, VIENNA, 2002

 The originating Section of this publication in the IAEA was:

Safety Co-ordination Section

International Atomic Energy Agency
Wagramer Strasse 5
P.O. Box 100
A-1400 Vienna, Austria

REGULATORY CONTROL OF NUCLEAR POWER PLANTS

PART A (TEXTBOOK)
IAEA, VIENNA, 2002
IAEA–TCS–15
ISSN 1018–5518

© IAEA, 2002
Printed by the IAEA in Austria
September 2002
 FOREWORD

The purpose of this book is to support IAEA training courses and workshops in the
field of regulatory control of nuclear power plants as well as to support the regulatory bodies
of Member States in their own training activities. The target group is the professional staff
members of nuclear safety regulatory bodies supervising nuclear power plants and having
duties and responsibilities in the following regulatory fields: regulatory framework; regulatory
organization; regulatory guidance; licensing and licensing documents; assessment of safety;
and regulatory inspection and enforcement. Important topics such as regulatory competence
and quality of regulatory work as well as emergency preparedness and public communication
are also covered.
The book also presents the key issues of nuclear safety such as ‘defence-in-depth’ and
safety culture and explains how these should be taken into account in regulatory work, e.g.
during safety assessment and regulatory inspection. The book also reflects how nuclear safety
has been developed during the years on the basis of operating experience feedback and results
of safety research by giving topical examples. The examples cover development of operating
procedures and accident management to cope with complicated incidents and severe accidents
to stress the importance of regulatory role in nuclear safety research.
The main target group is new staff members of regulatory bodies, but the book also
offers good examples for more experienced inspectors to be used as comparison and
discussion basis in internal workshops organized by the regulatory bodies for refreshing and
continuing training.
The book was originally compiled on the basis of presentations provided during the
two regulatory control training courses in 1997 and 1998. The written presentations were
collected from the lecturers and compiled before and during the consultants meeting from 16–
20 November 1998 in Vienna, where final compilation was done. The textbook was reviewed
at the beginning of the years 2000 and 2002 by IAEA staff members and consistency with the
latest revisions of safety standards have been ensured. The textbook was completed in the
consultants meeting at the end of 2001 by adding updates on the Nuclear Safety Convention
and US regulatory practices.
The main purpose of the book is to provide written background material to the
participants and to support lecturers of the training courses on Regulatory Control of Nuclear
Power Plants. The idea is to present general practices recommended by the IAEA in its safety
guidance as well as country specific examples of how these general principles and
requirements have been implemented in various countries. Lecturers can provide detailed
information concerning their own countries and organizations but it is often difficult for them
to provide as detailed knowledge on other countries and organizations. Therefore different
examples are valuable for comparison.
The examples selected are representative, showing existing and functional practices,
and also provide a good selection of different practices adopted by different regulatory
organizations. They reflect practices in large and small countries and regulatory bodies. They
do not follow any particular regulatory practice but try to offer several alternatives to be useful
for many inspectors coming from different types of organizations.
The textbook has been compiled from the presentations provided during the training
courses on Regulatory Control of Nuclear Power Plants from 1997 to 2001. The written
presentations were collected from the lecturers and compiled before and during the
consultants meetings held 16–20 November 1998 and 1–5 October 2001 in Vienna by
K. Burkart, Germany, J. Libmann, France, C. Stoiber, United States of America. The IAEA
officer responsible for the publication was I. Aro of the Department of Nuclear Safety.
Ongoing responsibility lies with L. Lederman of the Division of Nuclear Installation Safety.
The course was organized eight times in Europe: in Slovakia, Finland, the Czech
Republic, Germany (four times) and the United Kingdom in 1994–2001 and two times in
Asia: in Indonesia and in the Republic of Korea. Some of the lecturers have participated in
several courses and are also the main contributors to the written text parts. Also several
German lecturers have contributed in various regulatory fields providing German examples.
The Gesellschaft für Anlagen und Reaktorsicherheit (GRS)mbH, Germany, Health and Safety
Executive, United Kingdom, Institute for Protection and Nuclear Safety (IPSN), France, and
Radiation and Nuclear Safety Authority (STUK), Finland, and the US Nuclear Regulatory
Commission provided material support in the form of examples.

EDITORIAL NOTE

The use of particular designations of countries or territories does not imply any judgement by the
publisher, the IAEA, as to the legal status of such countries or territories, of their authorities and
institutions or of the delimitation of their boundaries.
The mention of names of specific companies or products (whether or not indicated as
registered) does not imply any intention to infringe proprietary rights, nor should it be
construed as an endorsement or recommendation on the part of the IAEA.
 CONTENTS

1. LEGISLATIVE AND REGULATORY FRAMEWORK ................................................. 1

1.1. IAEA approach to nuclear safety............................................................................. 1

1.1.1. Historical development ............................................................................. 1
1.1.2. IAEA Nuclear Safety Requirements and Guides ...................................... 2
1.1.3. IAEA requirements for the governmental level and for the operator........ 6
1.1.4. IAEA Requirements for nuclear safety legislation ................................... 6
1.1.5. Safety objectives and safety criteria for nuclear power plants .................. 7
1.2. International safety related conventions ................................................................ 12
1.2.1. Convention on Nuclear Safety ................................................................ 12
1.2.2. Other international nuclear safety related conventions ........................... 24
1.3. National regulatory framework ............................................................................. 27
1.3.1. The state, its structures and its duties...................................................... 27
1.3.2. Responsibilities of the four main organizations...................................... 29
1.3.3. Nuclear safety legislation ........................................................................ 31
1.3.4. National and international institutions for
matters of standardization ....................................................................... 33
1.3.5. Types of regulatory guidance .................................................................. 34
1.3.6. Safety criteria for nuclear power plants................................................... 35
1.4. Illustration through national examples .................................................................. 37
1.4.1. Finland..................................................................................................... 37
1.4.2. Germany .................................................................................................. 40
1.4.3. United Kingdom...................................................................................... 48
1.4.4. Governmental organization for nuclear safety in the USA ..................... 49

2. REGULATORY BODY .................................................................................................. 54

2.1. Regulatory independence ...................................................................................... 54

2.2. Organization and functions of regulatory body ..................................................... 56
2.2.1. IAEA guidance for regulatory organization ............................................ 56
2.2.2. Examples of regulatory organizations ..................................................... 60
2.3. Licensing of a nuclear power plant........................................................................ 76
2.3.1. IAEA approach to licensing .................................................................... 76
2.3.2. Examples of licensing practices .............................................................. 77
2.4. Quality assurance, performance reviews and self-assessment in the
regulatory body...................................................................................................... 90
2.4.1. Quality assurance .................................................................................... 90
2.4.2. Performance reviews — IAEA IRRT services........................................ 92
2.4.3. Quality assurance and self-assessment in the regulatory body —
an example .............................................................................................. 93
2.5. Professionalism and training of regulatory body staff........................................... 96
2.5.1. Regulatory role and duties....................................................................... 98
2.5.2. Rights ...................................................................................................... 98
2.5.3. Obligations .............................................................................................. 99
2.5.4. Responsibilities ....................................................................................... 99
2.5.5. Relationships with the power company................................................. 100
2.5.6. Professional behaviour .......................................................................... 100
2.5.7. Inspection/auditing techniques .............................................................. 100
 2.5.8. Inspection philosophy............................................................................ 101
2.5.9. Maintaining competence ....................................................................... 102
2.5.10. Training of inspectors............................................................................ 102

3. ASSESSMENT OF SAFETY........................................................................................ 103

3.1. IAEA guidance for regulatory review and assessment ........................................ 103
3.1.1. Safety objectives and safety requirements for
review and assessment .......................................................................... 105
3.1.2. Areas for review and assessment........................................................... 106
3.1.3. Review and assessment methodology ................................................... 108
3.1.4. Quality assurance in the review and assessment process ...................... 115
3.1.5. Topics to be covered by regulatory review and assessment .................. 115
3.2. Country specific approaches and experience....................................................... 119
3.2.1. Deterministic safety approach — French experience............................ 119
3.2.2. Assessment of modifications — German and Finnish experience........ 133
3.2.3. Assessment of operational experience — French experience .............. 136
3.2.4. Periodic safety review, reassessment for renewing the
operating licence — French experience ................................................ 148

4. INSPECTION AND ENFORCEMENT BY THE REGULATORY BODY ................ 155

4.1. IAEA guidance on inspection and enforcement .................................................. 155

4.1.1. Regulatory inspection programme ........................................................ 157
4.1.2. Inspection areas ..................................................................................... 159
4.1.3. Implementation of an inspection programme........................................ 159
4.1.4. Enforcement actions.............................................................................. 165
4.2. Examples of specific inspections ........................................................................ 167
4.2.1. Regulatory inspection in Finland .......................................................... 167
4.2.2. Examples of specific inspections — German practices ........................ 179
4.2.3. Inspection practices in the United Kingdom ......................................... 199

5. DOCUMENTATION .................................................................................................... 213

5.1. IAEA guidance for documents generated by the operator and the
regulatory body within an authorization process................................................. 213
5.1.1. Documents produced by the operator.................................................... 213
5.1.2. Documents produced by the regulatory body for a
specific facility ...................................................................................... 217
5.2. Country specific approaches and examples ............................................................ 223
5.2.1. Use of licensing and commissioning documents in Finland ................ 223
5.2.2. Structure and content of the QA manual (Germany)............................. 230
5.2.3. Use of the licensing documents and updating procedures .................... 234

6. DEVELOPING SAFETY .............................................................................................. 238

6.1. The role of the regulator in the development of safety culture............................ 238
6.1.1. Stage of safety culture — safety is solely based on
rules and regulations.............................................................................. 239
6.1.2. Stage of safety culture — good safety performance is an
organizational goal ................................................................................ 240
 6.1.3. Stage of safety culture — safety performance can
always be improved............................................................................... 240
6.1.4. General practices to develop organizational effectiveness.................... 242
6.2. The role of assessment in the development of safety culture .............................. 246
6.2.l. How to measure safety culture .............................................................. 246
6.2.2. Organizational issues............................................................................. 248
6.2.3. Regulatory issues................................................................................... 250
6.2.4. Employee issues .................................................................................... 253
6.2.5. Plant conditions and trending................................................................ 256
6.3. Illustration through national examples ................................................................ 256
6.3.1. Risk-informed, performance-based regulation in the USA................... 256
6.3.2. German safety culture experiences........................................................ 262
6.3.3. Interface of regulator and operator — Finnish experience.................... 269

7. EMERGENCY ARRANGEMENTS............................................................................. 278

7.1. Warning of the emergency management authorities ........................................... 278

7.2. Response of the emergency management authority ............................................ 280
7.3. Assessment .......................................................................................................... 281
7.4. Monitoring and measurements ............................................................................ 282
7.5. Intervention.......................................................................................................... 283
7.6. Plans, resources, work sheets, guidance.............................................................. 284
7.7. Communication with the media and the public................................................... 285
7.8. Decision support systems .................................................................................... 286
7.9. Protection of emergency workers ........................................................................ 286
7.10. Training and exercises......................................................................................... 287
7.11. Co-operation with neighbouring States ............................................................... 288

8. COMMUNICATION WITH THE PUBLIC.................................................................. 288

8.1. General information ............................................................................................ 288

8.1.1. Role of the regulatory authority ............................................................ 288
8.1.2. Fundamentals of nuclear communications ............................................ 290
8.2. Country specific approaches and experience....................................................... 292
8.2.1. Establishing a public information policy in Finland ............................. 292
8.2.2. Criteria for reporting operating events .................................................. 293
8.2.3. STUK’s quarterly reports on the operation of nuclear power plants..... 294
8.2.4. Technical tools to offer prompt information ......................................... 295
8.2.5. Communication is intensified during an incident ................................. 295
8.2.6. The INES classification is a useful tool in informing the public .......... 297
8.2.7. Observations about crisis communication............................................. 298

APPENDICES

Appendix I: Examples of evolution of an operation manual —

Operating procedures ................................................................................. 301
Appendix II: Complementary operating conditions ........................................................ 307

Appendix III: Preparation for the management of severe accidents ................................. 316
Appendix IV: List of the IAEA safety requirements and guides ..................................... 334

Appendix V: List of Finnish YVL guides........................................................................ 338

Appendix VI: IAEA International Nuclear Events Scale (INES) ..................................... 341

Appendix VII: Regulatory control of nuclear power plants —

Syllabus and example course programme (Karlsruhe, 2000) .................... 347

REFERENCES....................................................................................................................... 351

CONTRIBUTORS TO DRAFTING AND REVIEW............................................................ 353

 1. LEGISLATIVE AND REGULATORY FRAMEWORK

1.1. IAEA APPROACH TO NUCLEAR SAFETY

1.1.1. Historical development

From the very beginning of research and industrial development towards peaceful use
of nuclear energy, safety was an important concern and “prevention” was also identified as an
important and effective safety factor. Considering the history of industrial development, this is
one of the first instances, if not the first example, where those in charge of research,
development and industrial realisation were aware not only of the dangers associated with
implementation of the new energy source but also the need to consider safety as a condition
for further realisation. The importance of nuclear safety has been recognised since the early
phase of nuclear power plant development.

After about a quarter of a century of independent national development of nuclear

reactors in a few countries (1950–1975), the need and usefulness of considering the “new”
technology at the international level was felt and has lead to corresponding actions. The
following illustrates the development:

The strong need of international co-operation resulted in the creation of the IAEA in
1956. The objectives and functions of the IAEA are presented in the Statute of the IAEA. The
Article II presents the essence: “The Agency shall seek to accelerate and enlarge the
contribution of atomic energy to peace, health and prosperity throughout the world. It shall
ensure, so far as it is able, that assistance provided by it or at its request or under its
supervision or control is not used in such a way as to further any military purpose.” The
Article III lists main functions of the IAEA including “fostering the exchange of scientific and
technical information”, “encouraging the exchange and training of scientists and experts” and
“establishing standards of safety for protection of health and minimization of danger to life
and property, and providing for the application of these standards to its own operations as
well as to operations making use of IAEA materials, services and information”.

The start, in 1974, of the IAEA NUSS Programme [1] for nuclear power plants
followed, after 10 years of good international co-operation, by the publication of 5 codes of
practice and about 60 safety guides in the IAEA Safety Series. On the basis of experience and
new developments, at both the technological and the “philosophical” level, revision of these
documents has been decided and began at the end of 1980s. This work is still going on to have
a complete revised set of nuclear Safety Standards including Safety Fundamentals,
Requirements and Guides. In 2000, new revised Requirements were published [2–6].

During the last 10 to 15 years, time and effort have been invested in further
international co-operative thinking and discussion on nuclear safety. Results and conclusions
have been and continue to be published by several international organizations, especially by
IAEA in its Safety Series. International nuclear safety advisory group (INSAG) has produced
useful basic philosophical reports such as expression of the basic safety principles which are
reflected in the IAEA Safety Fundamentals [7, 8] and development of concepts e.g. defence in
depth [9] and safety culture [10].

1
 In addition to the safety of nuclear power plants, other safety areas are being
considered. The management of radioactive waste and the transport of nuclear materials are
among the most important of these areas.

The future role of nuclear energy depends on a consistent, demonstrated record of

safety in all applications. Although IAEA is not an international Regulatory Body, its nuclear
safety efforts are directed towards creating multilateral, legally binding agreements, which are
increasingly important mechanism for improving nuclear safety, radiation safety and waste
safety around the world. This is done by means of International Conventions (e.g. nuclear
safety, civil liability, early notification of nuclear accidents and radiological emergencies,
mutual assistance in case of nuclear accidents and radiological emergencies, radioactive waste
management, physical protection [11–14]). International conventions are binding legal
instruments for the countries that sign and ratify them.

The Convention on Nuclear Safety (for nuclear power plants) has been put into force
on October 24, 1996, and is presently in the phase of implementation [11, 14]. A “sister”
Convention on the safety of radioactive waste management has been put into force on 18 June
2001 [13].

1.1.2. IAEA Nuclear Safety Requirements and Guides [1]

[Link]. Development of IAEA Requirements and Guides

The development of nuclear and radiation safety Standards is a statutory function of the
IAEA, which is unique in the United Nations system. The IAEA Statute expressly authorizes
the Agency “to establish standards of safety” and “to provide for the application of these
standards”. Over the years, more than 200 safety standards have been published in the IAEA´s
Safety Series of publications:

x The Nuclear Safety Standards (NUSS);

x The International Basic Safety Standards for Protection Against Ionising Radiation and for
the Safety of Radiation Sources (the Basic Safety Standards), with supporting documents;
x The Radioactive Waste Safety Standards (RADWASS); and
x The Regulations for the Safe Transport of Radioactive Material.

In 1996, a new uniform preparation and review process was introduced, covering all
areas in which the IAEA establishes safety standards. As a consequence, the IAEA´s Safety
Series was being replaced by two new series of safety-related publications, namely:

x The Safety Standards Series;

x The Safety Reports Series.

The purpose is to separate those IAEA Safety Standards publications which spell out
safety objectives, concepts, principles, requirements and guidance — as a basis for national
regulations, or as an indication of how various safety requirements may be met — from those
publications which are issued for the purpose of fostering information exchange in safety.

The publications in the Safety Standards Series will be issued pursuant to the IAEA´s
statutory function to establish safety standards. The publications in the Safety Reports Series

2
will be issued for the purpose of providing information on ways of ensuring safety
(essentially, they will replace the IAEA´s safety practices documents and other publications).

The change took effect in 1996, with the publication in the safety standards series of
the latest edition of the regulations for the safe transport of radioactive material As Safety
Standards Series No. ST-1.

The Safety Standards Series comprises the following levels of documents:

x Safety Fundamentals.
x Safety Requirements.
x Safety Guides.

The series cover nuclear safety, radiation safety, waste safety, and transport safety. It
also covers general topics (such as governmental organization, quality assurance, and
emergency preparedness) relevant to all four of those fields that will be dealt with in a
separate category of general safety documents.

The Safety Fundamentals Documents are the policy documents of the IAEA Safety
Standards series. They state the basic objectives, concepts and principles involved in ensuring
protection and safety in the development and application of atomic energy for peaceful
purposes. They state — without providing technical details and, as a rule, without going into
the application of principles — the rationale for actions necessary in meeting safety
requirements. There are currently three Safety Fundamentals Documents: for nuclear safety,
radiation safety and waste safety. The IAEA has started actions to combine these documents
into one Safety Fundamentals document that then covers all these areas.

The Safety Requirements deal with the basic requirements that must be met in order to
ensure the safety of particular activities. These requirements are governed by the basic
objectives, concepts and principles presented in the safety fundamentals documents. The
written style (with “shall” statements) is that of regulatory documents so that States may adopt
the Safety Requirements at their own discretion, as national regulations. Earlier these safety
requirements documents were called as Codes [5, 6].

The Safety Guides documents contain recommendations (with “should” statements),

based on international experience, regarding measures to ensure that the safety requirements
are met. But unless alternative equivalent measures are implemented, the “should” statements
become “shall” requirements.

IAEA Safety Standards have been developed on the basis of international consensus and
as such they reflect very widely accepted safety levels. During the development or revision of
a safety standard all member states have the possibility to present their comments on the well-
developed draft document, and these comments are taken into account in the final draft that is
sent to NUSSC and CSS for approval. Final approval to take the safety standard into use is
given either by the Director General or Board of Governors depending on the level of the
safety standard. IAEA Safety Standards present some kind of minimum internationally
acceptable level. As such they do not necessarily reflect current requirement level in a specific
country. In some countries, the requirement level for certain issues may be higher for various
reasons, e.g. because of density of population. Each country should define its own acceptable

3
 Atomic
La w

Dec ree Fund a menta ls

IAEA Sa fety Reg ula tion Req uirements

Stand a rd s Series

Reg ulatory Guid es Sa fety Guid es

IAEA Sa fety
Ind ustria l Sta nd a rd s
Rep orts Series

FIG. 1. The hierarchy of legal and regulatory documents and their comparison with the
IAEA Safety Standards.

safety level on the basis of local conditions and governmental practices. In this work the IAEA
Safety Standards are useful because they show key issues and present possible acceptable
solutions. If there are large deviations compared to the internationally agreed safety level,
special consideration should be given to these issues. Figure 1 relates the IAEA Safety
Standards to national nuclear law, regulations and regulatory guides.

The list of IAEA Safety Standards in the field of nuclear facilities is presented in
Appendix IV. The current status of the standards development is presented on the IAEA
Internet site: [Link]/ns/coordinet. The most recent standards are also available through
Internet from the site: [Link]/Worldatom/Books/Featured Series/[Link], where
the actual standards can be read and printed in pdf format.

In addition to the IAEA Safety Fundamentals, Safety Requirements and Guides there is
also an international agreement, the Convention on Nuclear Safety (Vienna, 1994). This
agreement is signed and ratified by the governments of participating countries and with the
ratification the countries bind themselves to fulfil the requirement level presented in the
convention. The level defined by the Convention on Nuclear Safety is very similar to what is
defined by the IAEA Safety Fundamentals. It is important to note that the IAEA Safety
Standards are not binding documents in the member states.

In accordance with the importance of safety IAEA provided for a Commission of

Safety Standards (CSS) as a standing body of senior government officials holding national
responsibilities for establishing standards and other regulatory documents relevant to nuclear,
radiation, waste and transport safety. It has a special overview role with regard to the IAEA’s
Safety Standards and provides advice to the Director General on the overall programme
related to safety standards. Figure 2 shows an organization chart of the CSS’s committees
inside the IAEA.

4
 FIG. 2. The committees for IAEA Safety Standards.

[Link]. Safety requirements

The IAEA has set up the Safety Requirements (earlier Codes), providing a good basis
for the safety of nuclear power plants. Today also the principles recommended by the INSAG
are followed by member states. They include the basic safety principles for NPP, which have
greatly influenced the development of the safety requirements.

In the following a brief outline of the safety requirements are given (see also
Appendix IV):

Governmental organization: The requirements deal with establishing a Regulatory Body,

covers aspects related to the radiological safety of the general public and site personnel and
gives general requirements for organization of the Regulatory Body, the role and
responsibilities of the Regulatory Body, the basic requirements imposed on an applicant, the
licensing process and licensing decisions, and inspection and enforcement by the Regulatory
Body [2].

Design: The requirements give the basic safety requirements that must be incorporated in the
concept and in the detailed design in order to produce a safe plant. Following general practice,
the requirements present the concept of defence in depth, e.g. successive barriers to prevent
the escape of radioactive material. In case of the failure of a barrier, design provisions are
made available to mitigate the consequences of such failures [3].

Operation: The prime responsibility for the safety of the plant rests with the operating
organization. This is the basic concept underlining the requirements for operation. The
requirements deal with safety related aspects of operation including: operating limits and
conditions, commissioning, structure of the operating organization, operating instructions and
procedures, maintenance, testing, inspection, core management and fuel handling, review of
operation and feedback of experience, emergency preparedness, radiation protection and
decommissioning [4].

5
Siting: The requirements specified in the siting Code (not yet revised) deal with the evaluation
of site-related factors to be taken into account to ensure that the plant-site combination does
not constitute an unacceptable risk during the life time of the plant. This includes evaluation
of the potential effect on the site of natural and other phenomena that might affect the area
(i.e. earthquakes, floods, aircraft crashes, chemical explosions), evaluation of effects of the
plant itself on the site (i.e. dispersion of effluents in air and water), and consideration of
population distribution and emergency planning. The Code also covers the role of the owner
of the future plant and the regulatory body in siting [5].

Quality assurance: The requirements specified in the quality assurance (QA) code provide an
efficient management tool that could be used by both the plant management and the regulatory
organization to gain confidence in the safety and quality of a nuclear power plant. The
QA requirements oblige plant designers, constructors, installers and operators to plan,
conduct, and document their work systematically. This allows the verification of all activities
not only by physical inspection or testing of hardware in the plant but also through indirect
methods such as evaluation of the effectiveness of the respective QA programmes [6].

1.1.3. IAEA requirements for the governmental level and for the operator [2]

There are certain prerequisites for the safety of facilities and activities presented in the
Safety Series Documents of the IAEA. These give rise to the requirements presented in
Table I that shall be fulfilled by the legislative and governmental mechanisms of member
states. They cover the establishment of legislation and regulatory framework including
regulator’s independence and authority. They also refer to international safety related
conventions, treaties and agreements which need to be taken into account in the legislation
such as definition of liabilities in respect of nuclear damage and provision of financial
security. They stress also that the regulatory body needs advisory committees, technical
support and regulatory research to support its activities. Safety of facilities contains also
management of spent fuel and nuclear waste, safe transport of nuclear material and
arrangements by governmental emergency response and physical protection.

The prime responsibility for safety shall be assigned to the operator. The operators have
the responsibility for ensuring safety in the siting, design, construction, commissioning,
operation and decommissioning or closure of their facilities, including, as appropriate,
rehabilitation of contaminated areas, and for activities using, transporting or handling
radioactive material. The radioactive waste generators shall have the responsibility for the safe
management of the radioactive waste that they produce. During transportation of radioactive
material, primary reliance for safety is put on the use of approved packaging. Compliance with
the requirements imposed by the regulatory body does not relieve the operator of its prime
responsibility for safety. The operator demonstrates to the satisfaction of the regulatory body
that this responsibility has been and will continue to be discharged.

1.1.4. IAEA requirements for nuclear safety legislation [2]

Legislation is promulgated to provide for the effective control of nuclear, radiation, waste and
transport safety. The IAEA requirements for legislation are presented in Table II. Most of the
requirements for the governmental level also appear as requirements for legislation.

6
TABLE I. IAEA REQUIREMENTS FOR THE GOVERNMENTAL LEVEL [2]
x To establish a legislative and statutory framework to regulate the safety of facilities and activities;
x To establish and maintain a regulatory body which shall be effectively independent from
organizations or bodies charged with the promotion of nuclear technologies or responsible for
facilities or activities. This is necessary so that regulatory judgements can be made, and
enforcement actions taken, without pressure from interests that may compete with safety;
x To assign responsibility to the regulatory body for authorization, regulatory review and
assessment, inspection and enforcement, and for establishing safety principles, criteria,
regulations and guides;
x To provide the regulatory body with adequate authority, power, staffing and financial resources to
discharge its assigned responsibilities;
x To ensure that no other responsibility is assigned to the regulatory body which may jeopardise or
conflict with its responsibility for regulating safety;
x To ensure that adequate arrangements are made for decommissioning, close out or closure, site
rehabilitation and the safe management of spent fuel and radioactive waste;
x To ensure that adequate arrangements are made for the safe transport of radioactive material;
x To establish, if necessary, advisory committees to assist the government and the regulatory body
on safety issues;
x To establish governmental emergency response and intervention capabilities;
x To ensure the adequacy of physical protection arrangements, where they influence safety;
x To provide for adequate financial indemnification arrangements for third parties in the event of a
nuclear or radiation accident in view of the potential damage and injury which may arise from an
accident; and
x To provide for the technological infrastructure necessary to support the safety of facilities and
activities, where these are not provided by other organizations.

If other authorities, which may not meet the requirements of independence, are involved in the
granting of authorizations, it is ensured that the safety requirements of the regulatory body are
not ignored or modified in the regulatory process.

1.1.5. Safety objectives and safety criteria for nuclear power plants

[Link]. Safety objectives

Establishing and maintaining safety is the main purpose for establishing an adequate
framework for surveillance and control of all activities associated with nuclear installations.
For the sake of clarity for all parties involved it is therefore a “must” to give them the frame in
which they can or have to act. The essential part of this frame is a coherent set of safety
objectives. Such a set of safety objectives indicates what has to be achieved, but does not
impose or prescribe the way to reach it.

The essence of the IAEA requirements on nuclear safety published in the nuclear safety
standards documents has been formulated in three overall safety objectives. These three
overall safety objectives read as follows [8].

7
TABLE II. IAEA REQUIREMENTS FOR NUCLEAR LEGISLATION [2]
x Set out objectives for protecting individuals, society and the environment from radiation hazards,
both for the present and in the future;

x Specify facilities, activities and materials that are included in the scope of the legislation and
what is excluded from the requirements of any particular part of the legislation;

x Establish authorization and other processes (e.g. licensing, registration, notification, exemption),
taking into account the potential magnitude and nature of the hazard associated with the facility
or activity and define the different steps of the processes;

x Establish a regulatory body with authority;

x Arrange for funding of the regulatory body adequate for it to function effectively;

x Specify the process for removal of a facility or activity from regulatory control;

x Provide a procedure for review of, and appeal against, regulatory decisions (without
compromising safety);

x Allow for the creation of independent advisory bodies to provide expert opinion and consultation
for the government and regulatory body;

x Set up a means whereby research and development in important safety areas is carried out;

x Define liabilities in respect of nuclear damage;

x Set out the arrangements for provision of financial security in respect of any liabilities;

x Set out the responsibilities and obligations in respect of financial provision for radioactive waste
management and decommissioning;

x Define what is an offence and the corresponding penalties;

x Implement any obligations under international treaties, conventions or agreements;

x Define the involvement of the public and other bodies in the regulatory process; and

x Specify the nature and extent of retrospective application of new requirements to existing
facilities and activities.

General nuclear safety objective

To protect individuals, society and the environment from harm by establishing and
maintaining in nuclear installations effective defences against radiological hazards.

Radiation protection objective

To ensure that in all operational states radiation exposure within the installation or due
to any planned release of radioactive material from the installation is kept below prescribed

8
limits and as low as reasonably achievable, and to ensure mitigation of the radiological
consequences of any accidents.

Technical safety objective

To take all reasonably practicable measures to prevent accidents in nuclear installations

and to mitigate their consequences should they occur; to ensure with a high level of
confidence that, for all possible accidents taken into account in the design of the installation,
including those of very low probability, any radiological consequences would be minor and
below prescribed limits; and to ensure that the likelihood of accidents with serious
radiological consequences is extremely low.

All other principles and criteria relevant to nuclear safety and radiation protection are
derived from these three overall safety objectives. In its report [7], the International Nuclear
Safety Advisory Group has formulated a number of these derived principles and proposed one
possible way of presenting them graphically in a hierarchical presentation and, as they are not
independent from each other, showing also their interrelationship. As they are the immediate
sources of corresponding safety criteria, they will be considered together with such criteria. In
preparing the safety fundamentals, NUSSC went even further in condensing the principles
derived from the three basic safety objectives and identified 25 basic safety principles (see
Table III), which have been taken up as technical basis for the Nuclear Safety Convention (see
Table IV). The defence in depth concept and engineered safety features are dealt with in
Section 3.

[Link]. Basic safety principles

It is useful to see what kind of safety principles have been presented for nuclear power
plants in the safety fundamentals document. Table III summarizes the basic safety principles.
These principles should form a basis for national safety criteria (see 1.3.6). The principles for
governmental organization are described in 1.1.3 and 1.1.4.

The following is an extract of the Safety Fundamentals [8] presenting safety principles
for nuclear power plants:

Management of safety

x Organizations engaged in activities important to safety should establish policies that give
safety matters the highest priority, and shall ensure that these policies are implemented
within a managerial structure having clear divisions of responsibility and clear lines of
communication.

x Organizations engaged in activities important to safety shall establish and implement

appropriate quality assurance programmes that extend throughout the life of the
installation, from siting and design through to decommissioning.

x Organizations engaged in activities important to safety shall ensure that there are sufficient
numbers of adequately trained and authorized staff working in accordance with approved
and validated procedures.

9
TABLE III. 25 IAEA SAFETY PRINCIPLES PRESENTED IN THE SAFETY
FUNDAMENTALS

Government/Organization Design of NPP Operation of NPP

x Legislation x Siting x Operational limits and conditions

x Operator’s responsibility x Prevention of accidents x Competent operators & procedures
x Independent regulator x Defence in depth x Engineering & technical support
x Safety policy: safety first x Proven technology x Emergency operating procedures
x QA programmes x Man-machine interface x Operating experience feedback
x Competent staff x Radiation protection x Waste management
x Human performance x Safety assessment & x Decommissioning
x Emergency response independent verification x Verification: analysis & surveillance
x Commissioning x Systematic safety reassessment

x The capabilities and limitations of human performance shall be taken into account at all
stages in the life of the installation.

x Emergency plans for accident situations shall be prepared and appropriately exercised by
all organizations concerned. The capability to implement emergency plans shall be in
place before an installation commences operation.

Siting

x The site selection shall take into account relevant features that might affect the safety of
the installation, or be affected by the installation, and the feasibility of carrying out
emergency plans. All aspects shall be evaluated for the projected lifetime of the
installation and re-evaluated as necessary to ensure the continued acceptability for safety
of site related factors.

Design and construction

x The design shall ensure that the nuclear installation is suited for reliable, stable and easily
manageable operation. The prime goal shall be the prevention of accidents.

x The design shall include the appropriate application of the defence in depth principle so
that there are several levels of protection and multiple barriers to prevent releases of
radioactive materials, and to ensure that failures or combinations of failures that might
lead to significant radiological consequences are of very low probability.

x Technologies incorporated in a design shall be proven or qualified by experience or testing

or both.

x The systematic consideration of the man-machine interface and human factors shall be
included in all stages of design and in the associated development of operational
requirements.

10
x The exposure to radiation of site personnel and releases of radioactive materials to the
environment shall be made by design as low as reasonably achievable.

x A comprehensive safety assessment and independent verification shall be carried out to

confirm that the design of the installation will fulfil the safety objectives and requirements,
before the operating organization completes its submission to the regulatory body.

Commissioning

x Specific approval by the regulatory body shall be required before the start of normal
operation on the basis of an appropriate safety analysis and a commissioning programme.
The commissioning programme shall provide evidence that the installation as constructed
is consistent with design and safety requirements. Operating procedures shall be validated
to the extent practicable as part of the commissioning programme, with the participation of
the future operating staff.

Operation and maintenance

x A set of operational limits and conditions derived from the safety analysis, tests and
subsequent operational experience shall be defined to identify safe boundaries for
operation. The safety analysis, operating limits and procedures shall be revised as
necessary if the installation is modified.

x Operation, inspection, testing and maintenance and supporting functions shall be

conducted by sufficient numbers of adequately trained and authorized personnel in
accordance with approved procedures.

x Engineering and technical support, with competence in all disciplines important for safety,
shall be available throughout the lifetime of the installation.

x The operating organization shall establish documented and approved procedures as a basis
for operator response to anticipated operational occurrences and accidents.

x The operating organization shall report incidents significant to safety to the regulatory
body. The operating organization and the regulatory body shall establish complementary
programmes to analyse operating experience to ensure that lessons are learned and acted
upon. Such experience shall be shared with relevant national and international bodies.

Radioactive waste management and decommissioning

x The generation of radioactive waste, in terms of both activity and volume, shall be kept to
the minimum practicable by appropriate design measures and operating practices. Waste
treatment and interim storage shall be strictly controlled in a manner consistent with the
requirements for safe final disposal.

x The design of an installation and the decommissioning programme shall take into account
the need to limit exposures during decommissioning to as low as is reasonably achievable.
Prior to the initiation of decommissioning activities, the decommissioning programme
shall be approved by the regulatory body.

11
Verification of safety

x The operating organization shall verify by analysis, surveillance, testing and inspection
that the physical state of the installation and its operation continue in accordance with
operational limits and conditions, safety requirements and the safety analysis.

x Systematic safety reassessments of the installation in accordance with the regulatory

requirements shall be performed throughout its operational lifetime, with account taken of
operating experience and significant new safety information from all relevant sources.

1.2. INTERNATIONAL SAFETY RELATED CONVENTIONS

1.2.1. Convention on Nuclear Safety

[Link]. Introduction

Prior to adoption of the Convention on Nuclear Safety (CNS) [11], the control and
regulation of nuclear energy for peaceful purposes was governed almost exclusively by the
domestic national laws of states using nuclear technology. An important result of the
Convention was to bring the subject of nuclear safety within the ambit of international law for
the first time.

When a state adheres to an international treaty or convention, such as the CNS, that
action has both internal and external legal consequences. Adopting an international instrument
requires a state to conform its internal laws and regulations to the terms of that instrument.
However, by adopting the instrument, a state also incurs obligations to all other states that are
party to the instrument. This means that a state’s activities regarding nuclear safety are
properly subject to review and assessment by other states, through the processes and
procedures contained in the CNS. Under this legal regime, states now have a right (indeed, an
obligation) to make judgements about how other States are conducting their nuclear safety
activities, and whether they are complying with their obligations under the convention.

Three aspects of the Convention on Nuclear Safety are important in understanding its
status as an international law instrument. First, it is useful to provide a context for the CNS by
reviewing the historical and political background of its development and to outline its basic
character under international law. Second, an article-by-article review of the convention’s
substantive provisions is necessary to clarify the overall structure and content of its
obligations. And third, a discussion of the procedural mechanism set forth in the CNS is
essential to understand how it is implemented, both within States and multilaterally.

12
[Link]. Historical and political background

Origins of the Convention on Nuclear Safety

As stated, from the beginning of the nuclear age, regulation of the safety of nuclear
facilities was deemed a matter of strictly national jurisdiction. However, the major reactor
accident at Chernobyl in the USSR (now Ukraine) in 1986 fundamentally changed the
thinking of both the public and governments on this approach. Because of the transboundary
impacts of the accident, many governments urged that an international legal instrument be
adopted to codify basic measures that States should follow to ensure an appropriate level of
safety at their nuclear installations. Immediately following the accident, a number of member
states of the IAEA called for negotiation of a nuclear safety convention. However, at that time
there was insufficient political will to go forward, and the initiative languished for several
years.

Negotiation of the CNS

In September 1991, the General Conference of the IAEA adopted a resolution

requesting the Director General to establish an informal open-ended working group to develop
the text of a safety convention. The terms “informal” and “open-ended” meant that the
convention text would be developed by a body comprised of safety experts, rather than
governmental representatives with firm political instructions, and that the body would be open
to all interested IAEA member states. The work of the expert group was not a formal
diplomatic negotiation, but an extended technical and legal process conducted in some nine
meetings over a 3 year period. This approach permitted consultations on the text to be quite
flexible; less shaped by political considerations than the technical and managerial principles of
good practice on nuclear safety. The working document for the CNS was the IAEA Safety
Fundamentals document which reflected a consensus of technical experts over the previous
years. The fundamental task of the working group was to convert the principles in this non-
binding guidance document into provisions that states would be willing to accept as binding
under international nuclear law. This process obviously involved many compromises and
reformulations. For this reason, the CNS text differs in some respects from the underlining
safety fundamentals documents.

After the open-ended working group produced a basic text, a more formal phase of the
negotiations was needed to transform the informal document into an instrument that could be
codified into international law. In June 1994 a Diplomatic Conference was convened to enable
accredited government representatives to produce such an instrument. The month-long
Diplomatic Conference considered a wide range of controversial issues, and was able to adopt
a consensus text. The Convention was opened for signature by States at the September 1994
IAEA General Conference. However, even after acquiring a number of signatures, a
convention is not legally effective until the required number of States have completed their
domestic procedures to formally approve it. By 1996 the required number of countries (in this
case, 27) had formally completed their internal reviews and expressed approval of the text.
Thus, the CNS entered into force as binding on its parties in October 1996. Some countries
(including the United States of America) delayed approval because of complex internal
procedures or policy reasons. The CNS has now been adopted by substantially all countries
operating nuclear power reactors and several that do not. At the time this book was prepared,
there is only one country that has a nuclear power installation and is not a CNS Party.

13
Basic character of the Convention

The basic character of the Convention is an important issue. International instruments

come in different forms, and the CNS could have been much different in its fundamental
approach to enhancing nuclear safety worldwide.

One type of instrument could be characterized as a “Regulatory Convention”. Such a

Convention would have established reasonably concrete rules for States that would be subject
to supervisory measures implemented by an international secretariat. An example of such an
instrument is the Nuclear Non-Proliferation Treaty (NPT). It establishes an obligation for a
State party to accept the application of IAEA safeguards to certain nuclear activities under its
jurisdiction. And the IAEA has established and maintains a professional Department of
Safeguards to conduct inspections and other procedures in individual countries. During
negotiation of the CNS, it was clear that few countries wanted a regulatory convention in the
field of nuclear safety. They were willing to accept a number of obligations under
international law, but were not willing to have those obligations monitored or enforced by an
international regulatory body. The IAEA role in CNS implementation is, thus, quite limited —
unlike the NPT. The IAEA has promulgated important safety guidance documents that help in
the application of the Convention’s substantive obligations. And the IAEA conducts safety
missions, at the request of its member states, that can help demonstrate compliance with a
nation’s CNS its obligations under the Convention. However, these missions are not
inspections, and their results do not amount to a regulatory system.

A second type of instrument under international law could be called a “Sanctions

Convention”. Such conventions or instruments establish very clear obligations that, if
violated, can lead to stringent penalties or enforcement measures by other parties. Many such
instruments cover commercial or trade relationships, where violations can result in financial
penalties or the withdrawal of economic benefits. During negotiations of the CNS, it became
clear that involved experts and delegations were not interested in a sanctions regime where
States parties would be subject to specific penalties for lack of compliance.

The rejection of the “regulatory” and “sanctions” approaches led the negotiators to focus
on a third alternative. For lack of a better term, that came to be known as an “Incentive
Convention”. An “Incentive Convention” is basically an instrument that contains a set of
international obligations and an implementation process that produces political pressure on a
State to comply with its obligations conscientiously and rigorously. In the case of the CNS,
implementation is grounded in a so-called “peer review process” in which states prepare
national reports demonstrating their compliance with the CNS and other countries are given
an opportunity to review and comment on those reports at periodic meetings of the parties.
This “peer review process” was judged most likely to encourage conscientious application of
the CNS, without the disadvantages of a “regulatory” or “sanctions” approach.

[Link]. Initial provisions

A number of initial provisions in the CNS are important to understanding how the
instrument is to be implemented.

14
Preamble of the Convention

The preamble of an international Convention is set forth at the beginning of the

instrument to explain its underlying factual and policy bases. The CNS preamble consists of
ten paragraphs, only a few of which are of particular interest.

Paragraph (iv) of the preamble establishes the desire of the parties to promote an
effective nuclear safety culture. This is the only place in the Safety Convention where the term
safety culture is mentioned. Safety culture is a central concept for the enhancement of nuclear
safety. However, the concept is difficult to define and inherently impossible to establish as a
specific international law obligation. Nevertheless, the CNS parties felt that the importance of
safety culture should be emphasized, recorded the need to promote the concept in the
convention’s preamble.

Paragraph (v) of the preamble recognizes that accidents at nuclear installations have the
potential for transboundary impacts. This is one of the fundamental reasons why it is desirable
to have an international treaty covering the subject.

In a very important paragraph (viii), the preamble describes the relationship of

fundamental safety principles developed by the IAEA to the international law obligations
contained in the CNS. Some governments wanted to have the Convention including a
provision that would have adopted IAEA Safety Standards as international law obligations.
However, as mentioned earlier, most States were not willing to give principles developed as
voluntary guidelines a binding legal effect. However, most states agreed that the CNS should
include some recognition of the value of IAEA Standards in achieving safety. Paragraph (viii)
in the preamble seeks to accomplish this objective in the following statement: “recognizing
that this Convention entails a commitment to the application of fundamental safety principles
for nuclear installations rather than of detailed safety standards, and that there are
internationally formulated safety guidelines which are updated from time to time and so can
provide guidance on contemporary means of achieving a high level of safety”. There was also
general agreement that IAEA Safety Standards could be referred to by parties in explaining
how they had implemented specific articles of the convention. Therefore, IAEA Safety
Standards have been imported indirectly into the CNS as an efficient way of demonstrating
how a party has complied with its obligations.

Paragraph (viii) recognizes another important aspect of nuclear safety; namely, that
technical and management approaches evolve over time. One of the concerns expressed by
some experts in negotiating the CNS was how the instrument could codify standards or rules,
but do so in a way that would enable them to adjust to change. The CNS parties acknowledge
this issue in paragraph (viii) of the preamble, which states the view that practical
implementation of the CNS can benefit from referring to the evolving body of internationally
formulated (i.e. IAEA) standards to help achieve the Convention’s objectives.

Objectives of the Convention

Although the provisions of international conventions that define their objectives are not
— strictly speaking — obligations, they are important as a means for interpreting and applying
these legal instruments. If an obligation in a convention is unclear or contradictory, the
objectives of the instrument — as stated in an introductory article — can be used to interpret
its proper meaning.

15
 In Article 1 the CNS explicitly identifies the following three objectives:

x To achieve and maintain a high level of nuclear safety worldwide through the
enhancement of national measures and international co-operation including, where
appropriate, safety-related technical co-operation;

x To establish and maintain effective defences in nuclear installations against potential

radiological hazards in order to protect individuals, society and the environment from
harmful effects of ionizing radiation from such installations;
x To prevent accidents with radiological consequences and to mitigate such consequences
should they occur.

Scope of the Convention

A threshold issue for any legal instrument is to determine what activities it will cover.
This basic issue was debated in both the expert working group and at the Diplomatic
Conference. Many countries sought a broad scope of coverage, to include not only power
reactors, but also research and test reactors, fuel cycle facilities, nuclear waste management
and even military activities. Other countries felt that including several major subjects in one
instrument would create difficulties: first, in obtaining approval of the CNS under their
national systems; and second, to in implementing an efficient and effective review process
under the CNS. It was finally decided that the primary focus should be on nuclear power
reactors: first, because such installations posed the greatest risks of major injury (including
transboundary damage); and because a clearer expert consensus had been developed on
fundamental safety elements for power reactors.

Therefore, Article 3 defines the scope of the Convention as covering nuclear

installations (defined in Article 2.i) as land based civil nuclear power reactors). The CNS
includes one limited exception to the exclusion of nuclear waste; namely, it also covers
storage, handling and treatment facilities for radioactive materials that are on the same site
and directly related to the operation of the installation.

Implementing the CNS through national law

Article 4 of the Convention states that a contracting party “shall take, within the
framework of its national law, the legislative, regulatory and administrative measures and
other steps necessary for implementing its obligations under this convention.” This provision
explicitly recognizes the “internal” legal effect of the CNS mentioned earlier. Some
international lawyers might argue that Article 4 is not needed, because international law
principles require every country to implement its treaty obligations in good faith, which
includes making any necessary changes to domestic legal provisions.

Safety of existing installations

The most difficult article in the CNS is Article 6: Existing nuclear installations. It was
the most contentious provision in the convention, as well as the last article to be agreed at the
diplomatic conference. Article 6 deals with the issue that engendered the political pressure to
negotiate the Convention in the first place; namely, how to ensure the safety of nuclear
installations constructed to earlier standards. In reality, this article covers all power reactors in

16
operation at the time the CNS entered into force. However, its real focus is reactors
constructed without robust containment structures and without application of other modern
“defence-in-depth” principles. The primary debate was over what actions countries should
take regarding installations that arguably lack modern safety features. Some experts argued
that an installation should be considered “safe enough” if it complied with requirements
existing at the time it was constructed and first operated. Most parties, however, felt that such
an approach would be inconsistent with the primary objective of CNS; namely, to raise
nuclear safety levels. The requirements of Article 6 fall into four categories.

x First, a state party is to take appropriate steps to ensure that safety is reviewed as soon as
possible. This means that operators and regulators must examine the safety case for
existing reactors. The article does not detail how this is to be done. However, by
implication, the review must be based on up-to-date standards.

x Second, a state party must ensure that all reasonably practicable improvements are made
to upgrade safety. This does not mean that all measures to improve safety must be taken,
but that those that are reasonable from a technical, economic, management perspective
should be implemented in a timely manner.

x Third, if a state party cannot upgrade its nuclear installations to this new level of safety, it
has to make plans to shut them down.

x Fourth, the timing of shut-down can take into account various factors, including the
whole energy context, possible alternatives and social, environmental and economic
impact.

The most contentious debate revolved around defining the factors to be considered in
shutting down a reactor that would not meet the current highest level of safety. The factors
finally adopted obviously represent a compromise between States that wanted a very stringent
safety-related standard for shutdown and those that wanted other factors to be considered. In
the final analysis, the extended list of factors that may be considered includes so many non-
safety-related elements that the provision fails to provide any precise guidance on whether a
particular facility should be shut down. However, the presence of Article 6 in the CNS means
that parties must include information on their reviews of existing facilities in their respective
national reports and must justify any decision to continue to operate installations that do not
meet current safety standards.

[Link]. Technical provisions of the CNS

Having considered the history of the Convention and some of the initial provisions that
describe its basic character and approach, it is necessary to review its so-called “technical
articles”; namely, those that contain the specific obligations of parties under the CNS regime.

Legislative and regulatory framework

The first section of technical articles deals with general safety considerations, beginning
with the important subject of legislative and regulatory framework.

17
 Article 7 requires a State Party to establish and maintain a legislative and regulatory
framework for nuclear safety, a framework that includes the classic elements of regulation:
safety requirements and regulations; a system of licensing; inspection and assessment; and an
enforcement process.

Article 8 sets forth requirements for the regulatory body, including the essential
elements of adequate authority, competence and financial and human resources to fulfil its
assigned responsibilities. This article also treats the very important issue of the regulatory
independence, stating that contracting parties must take appropriate steps to ensure an
effective separation between the functions of the regulatory body and those of any other body
or organization concerned with the promotion or utilization of nuclear energy. This “effective
separation” principle lies at the heart of regulatory independence.

Article 9 is a very important codification of the well-recognized principle that the

operator of the facility has the primary responsibility for safety. Although other actors in the
nuclear field (architects, engineers, regulators, contractors, suppliers) have important roles to
play in achieving safety, the operating organization is the entity that must finally ensure that
an installation is safe.

General safety considerations

The general safety consideration part of the Convention consists of seven separate
provisions (Articles 10–16): priority to safety; financial and human resources; human factors;
quality assurance; assessment and verification; radiation protection; and an important article
on emergency preparedness. These articles have been drafted as broad principles and apply to
all aspects of a nuclear installation. Since most are self-explanatory, their language will not be
reviewed in detail. As will be evident, they codify well-understood concepts in nuclear safety,
such as the ALARA (as low as reasonably achievable) principle for radiation protection
(Article 15). It is also interesting to note, however, that this section contains the only provision
specifically directed to States that do not operate nuclear facilities. Article 16.1.3 requires
parties that do not have a nuclear installation on their territories to prepare and test emergency
plans to cover possible radiological emergencies resulting from a nuclear installation in the
vicinity.

Safety of installations

The next section of the Convention (Articles 17–19) covers familiar safety-related
subjects, including siting, design, and operation of nuclear installations. Article 18 codifies
other familiar safety principles, including defence in depth, human factors and the man-
machine interface. Article 19 — Operation is the longest technical article in the Convention,
containing eight separate sub-articles that were originally drafted as separate articles. This
article codifies a number of familiar nuclear safety principles, including: operational limits
(sub-article ii); incident reporting (sub-article vi); analysis of operating experience (sub-article
vii); and waste minimization (sub-article viii). Table IV summarizes these provisions, not all
of which will be discussed in detail.

[Link]. Implementation process under the CNS

Because of its “incentive” character, the CNS review process lies at the heart of the
convention. The basic model for this process was the review process under the Nuclear Non

18
Proliferation Treaty. Many international conventions or treaties conduct review processes.
Each such process is somewhat different, reflecting the particular subject matter and policy
considerations in the field of its coverage. Under the CNS, the parties were constructing — for
the first time — a review process to apply to nuclear reactor safety.

Basic requirements for the review process

The provisions dealing with how this review process is to be structured are found in
Chapter 3 — “Meetings of the Contracting Parties” (Articles 20–28). These provisions are
extremely general, leaving most of the decisions concerning the form and content of the
review process to the procedural rules that will be developed later. Several important
provisions should be noted:
x The first authorizes the formation of sub-groups for the purpose of reviewing specific
subjects contained in the national reports mandated in Article 5 (Article 20.2). As will be
seen, this Article 20.2 provision was basically re-written by the parties when they decided
that sub-groups would not be organized by subject.

TABLE IV. TECHNICAL PROVISIONS OF THE CONVENTION ON NUCLEAR

SAFETY
Legislation and regulation General safety Safety of installation
consideration
x Legislation and regulatory x Priority to safety x Siting: effect of environment to
framework NPP
x Safety requirements and x Financing for safety x Siting: effect of NPP to
regulations environment
x System of licensing x Competence of staff x Siting: re-evaluation/consulting
x Regulatory inspection and x Human performance x Design: defence in depth
assessment
x Enforcement x Quality assurance x Design: proven technology
x Regulator with authority x Safety assessment x Easily manageable operation
x Independent regulator x Verification: analysis x Initial authorization and
and survey commissioning
x Operator’s responsibility x Radiation protection x Operational limits and conditions
x Emergency preparedness x Procedures for operations, etc.
x Emergency operating procedures
x Engineering and technical support
x Incident reporting
x Operating experience feedback
x Waste management

x A second provision says that contracting parties shall have a “reasonable opportunity” to
discuss the reports of others Article 20.3). The article leaves unspecified what should be
considered a “reasonable opportunity”.
x The third requirement is that the parties will conduct a preparatory meeting within six
months after entry in the force of the Convention to develop the procedures for the review
process. (Article 21.1). Also, the first review meeting is to be conducted no later than two

19
 and half years after entry into force (Article 21.2). The interval between the meetings
should be no longer than 3 years (Article 21/3).
x Procedural arrangements for the meetings of the parties are to be contained in rules of
procedure and financial rules to be adopted by a consensus of the parties (Article 22).
x An important provision (Article 24) requires parties to attend meetings, one of the few
concrete obligations (in addition to preparing a national report) in the CNS.
x Article 27 permits parties to seek confidentiality of information they provide.
x And finally, Article 28 provides that the IAEA “shall provide the secretariat” for the
meetings.
Phases of the CNS review process

Even a close reading of Chapter 3 of the CNS will not provide the reader with a clear
picture of how the Convention’s review process is to be conducted. To simplify a somewhat
complicated subject, the review process can be divided into six phases:

x Phase 1 — Each State party prepares a national report, describing how it has met the
obligations contained in the Convention;

x Phase 2 — States parties receive the national reports of all other parties and review them
(this means that each country must consider some 50 reports);

x Phase 3 — States parties develop questions and comments that are transmitted to the
relevant countries through the respective country group co-ordinators not less than
60 days before the meeting;

x Phase 4 — States parties attend the CNS review meeting in Vienna, where they discuss
the reports of other parties in country groups, present their own national reports and
respond to questions and comments submitted prior to the meeting and any made during
country group sessions;

x Phase 5 — Country group rapporteurs develop an oral report to be delivered at the final
plenary identifying main issues, themes or conclusions arising from group discussions;

x Phase 6 — The entire meeting of the parties considers and approves by consensus a
summary report of the overall meeting prepared by the President.

National reports

Article 5 contains one of the few precise obligations in the convention; namely, to
prepare and make available a national report, including a self-assessment of steps and
measures taken to implement the convention. Failure to prepare such a report constitutes one
of the few clear cases in which a violation of the CNS can be demonstrated. Neither the CNS
text nor the procedural rules provide much guidance on the form, content or length of these
reports. The preparatory meeting adopted rule 40.2, which recognizes that each party has the
right to submit reports with the “form, length and structure” it believes necessary. With
45 countries preparing national reports, a very complex set of documentation could have
resulted, making the task of comparing and contrasting the nuclear safety situation in different

20
countries very difficult. However, most countries did what is reasonable, following the basic
outline of the CNS articles. Also, at the first review meeting, most national reports turned out
to be less than 100 pages in length.

Neither the CNS text nor the procedural rules indicate who is responsible for preparing
the national reports? The Convention only establishes a national obligation to report, an
obligation that can be implemented by any nationally-designated entity. The issue of who
prepares the report bears an interesting relationship to Article 9, which provides that primary
responsibility for the safety of a nuclear installation rests with the operator. Given this
provision, one might have expected national reports to be prepared in substantial part by
operating organizations. In fact, at the first review meeting, national reports were prepared by
the regulatory organization in each country.

Country groups

When a national report is prepared and submitted, what happens at the meeting to
implement the “peer review” that lies at the heart of this “incentive” convention? One of the
central issues debated at the preparatory meeting of CNS I was whether you would organize
sub-groups on the basis of subject matter (as the language of Article 20.2 suggests) or on
some other basis, such as geographic grouping or technology (e.g. certain reactor types). A
consensus finally concluded that safety should be viewed as a whole for each country.
National reports should be reviewed comprehensively to assess the overall status of nuclear
safety in each country. It follows that the best way accomplish this overall review is to form
sub-groups organized by countries.

The preparatory meeting basically decided how many countries could be reviewed in the
time available (two weeks) and divided the 45 parties into a corresponding number of groups
(six), each with 7 or 8 members. This arrangement allowed one day for the review of the
national report of each nuclear -power state, with less time for non-nuclear-power states. In
assigning countries to groups, it was decided that diverse groups would produce a better
review. Therefore, countries were assigned according to the number of reactors they operated.
The country with largest number of reactors was assigned to group 1; the country with the
second largest number to group 2; the country with the third largest number to group 3; and so
forth.

After an introductory presentation by the reporting country, the country groups

discussed each national report in detail. This discussion had been previewed in questions and
comments submitted previously through designated country group coordinators.

Confidentiality

A contentious issue during the CNS negotiations concerned whether some or all of the
CNS process, including national reports should be kept confidential. The issue is important
because of its relation to the central concept of the Convention as an “incentive” instrument.
Many governments argued that, unless national reports were made public, and the CNS review
also conducted openly, the Convention would not achieve one of its important — though
unstated — objectives: to increase public confidence in the safety of nuclear installations.
Other governments argued strongly that a public review process would be a disincentive for
many countries to be candid about the problems they might be experiencing in nuclear safety.
The result was that countries were allowed to submit confidential reports (Article 27.1 and

21
27.2) and that the debates during the review of reports would be confidential (Article 27.3).
However, in the CNS I process, no national report was submitted as confidential. Indeed, most
of the national reports were placed by their countries on the Internet. However, the discussions
in country groups and plenary debates at CNS I were held in confidence, with only the
summary report under Article 25 made public.

Languages

The issue of what languages could be used in the CNS review was expected to create
difficulties, given the fact that the United Nations system recognizes six official languages. It
was recognized that interpretation of the meeting and translation of documents into all six
languages would be enormously expensive, far beyond the budgets of the parties or the IAEA.
To cut the cost of review, there were proposals to adopt a single working language. Article 26
preserves the principle that all official languages are equal, providing that the languages of the
meetings of the CNS contracting parties shall be Arabic, Chinese, English, French, Russian
and Spanish. However, a pragmatic and financially acceptable compromise was provided to
permit adoption of one or more working languages under the rules of procedure. The rules of
procedures for the first meeting provided, that in any meeting of the review process a country
can request one of the official languages. However, most of the sessions were conducted in
English — as the primary working language — with some sessions being conducted with
Russian translation. This made the costs of interpretation/translation much less expensive.

Rapporteurs’ oral reports and records of the CNS meeting

Under the procedural rules, a oral report by a rapporteur from each country group was to
be made at the final plenary meeting. These oral reports were to provide the basis for the
written summary report provided by Article 25. It was decided that notes upon which the oral
reports be prepared by the rapporteurs would be kept as permanent records by the IAEA
Secretariat. Country group sessions were to be conducted on a confidential basis, with no
records. The issue of record-keeping for plenary sessions was treated separately under rule 42,
where it was agreed that plenaries would be electronically recorded. However, due to a
bureaucratic oversight, no such recordings were made, except for the final day’s plenary. As a
result of these procedural decisions, the documentary records of the CNS review meetings are
very sparse. The most substantive information is contained in the oral reports of country group
rapporteurs, whose notes are available only to CNS parties.

Summary report of the review meeting

Article 25 of the CNS provides that the contracting parties “shall adopt, by consensus,
and make available to the public a document addressing issues discussed an conclusions
reached during the meeting.” With 45 separate states represented at the meeting, any one of
which could block consensus on the wording of such a report, it is — perhaps — surprising
that the President of the first CNS review meeting (Mr. Lars Högberg of Sweden) was able to
produce an eight-page summary report that achieved consensus.

Results of the first CNS review meeting (CNS I)

The first review meeting of the contracting parties of the CNS, conducted in April 1999
was attended by 45 contracting parties. As discussed previously, the primary achievement of
this meeting was to establish detailed procedural and financial arrangements for a process that

22
was left quite vague in the text of the Convention itself. Except for three non-nuclear
countries, all parties met their fundamental obligations to prepare national reports (Article 5)
and to be represented at the meeting (Article 24.1). These national reports, most of which
were made public (many on the world wide web), represent a useful record of the state of
nuclear safety worldwide as of the end of the last millennium. They provide a baseline for
future assessment of whether levels of nuclear safety in any particular country, or generally,
are being raised or are deteriorating. As also mentioned, the country groups at CNS I
conducted active discussions of the nuclear safety programmes of each party, with oral reports
in the final plenary by group rapporteurs. The final summary report prepared by the President
and agreed by consensus also contains some indicative observations on matters important to
enhancing nuclear safety. Some of the most notable are the following:

x The legislative framework is well established in most countries;

x Some countries who started their nuclear programme some decades ago have found that
their legislation now needs updating;

x All contracting parties had established regulatory bodies. For some countries, questions
were raised as to the effective independence, administrative position, and the human and
financial resources of their regulatory bodies;

x The status and position of the regulatory bodies remains an important topic to be dealt
with in future national reports and review meetings. Special attention should be given to
the development of assured human and financial resources;

x The advantages and limitations of regulations of a detailed prescriptive nature as

compared to less prescriptive, goal oriented approaches and the complementary use of risk
based assessments were discussed. Although no preferable approach was identified, some
countries have agreed to review their experience and report at the next review meeting.

The second CNS review meeting (CNS II)

The schedule for the second CNS review meeting is April 2002. A preparatory meeting
conducted in September 2001 decided to make only very modest adjustments to the process
used for the first meeting in 1999. The rules of procedure and financial rules for this process
were amended only to provide that the chairs and rapporteurs in any country group are not
nationals of any state in that group. This addresses the potential conflict-of-interest problem
raised at the first meeting, where — in some few instances — country group chairs or
rapporteurs took decisions concerning the safety record of their own countries. As a result of
new parties and some changes in the nuclear programme of states parties, the composition of
country groups at the CNS II are different. Some differences of emphasis in the review at
CNS II can be expected. At CNS I, substantial attention was paid to the legislative and
regulatory framework of each party; a threshold issue that need not be repeated, unless a
country has revised its laws or reorganized its regulatory institutions.

23
1.2.2. Other international nuclear safety related conventions

[Link]. Convention on Early Notification of a Nuclear Accident [12]

The Convention on Early Notification of a Nuclear Accident establishes a notification

system for nuclear accidents that have the potential for international transboundary release that
could be of radiological safety significance for another state.

The objective of the Convention is to provide relevant information about nuclear

accidents as early as possible in order that transboundary radiological consequences can be
minimized. The scope of the Convention is any accident involving facilities or activities from
which a radioactive release occurs or is likely to occur and which may result in a
transboundary release that could be of radiological safety significance for another state.
Facilities or activities involved are: nuclear reactor; fuel cycle or waste handling facility or
respective transportation and storage; manufacture, use, transport or disposal of radioisotopes.

Obligations of contracting parties are the following: A state party having a nuclear or
radiological accident going on in its territory shall:

x Make the accident known to the IAEA and other states parties competent authorities and
points of contact;
x Notify those states which may be affected the nature, time of occurrence and exact location
of the nuclear accident;
x Provide promptly the states affected with such available information relevant to minimize
the radiological consequences;
x Respond promptly to a request for further information or consultations sought by affected
state party;
x Ensure the provision of further information: e.g. Facility or activity, cause and foreseeable
development, meteorological and hydrological conditions, and off-site protective measures
taken or planned; and
x To supplement information at appropriate intervals.

Obligations to the IAEA are the following:

x To ensure confidentiality of confident information (applies also to other state parties);

x To maintain an up-to-date list of points of contact and provide it to others;
x To assist non-nuclear countries in investigations concerning radiation monitoring systems;
x To provide depositary functions.

[Link]. Convention on Assistance in the case of a Nuclear Accident or Radiological

Emergency [12]

The Convention on Assistance in the case of a Nuclear Accident or Radiological

Emergency sets out an international framework for co-operation among parties and with the

24
IAEA to facilitate prompt assistance and support in the event of nuclear accidents or
radiological emergencies.

Objectives of the Convention are:

x To establish an international framework to facilitate prompt provision of assistance in the

event of a nuclear accident or radiological emergency to mitigate its consequences;
x States parties shall co-operate between themselves and with the IAEA to facilitate prompt
assistance;
x States parties may agree on bilateral arrangements for preventing or minimizing injury and
damage.

Scope of the Convention is the following: In the event of a nuclear accident or

radiological emergency, whether or not such an accident or emergency takes place in one’s
own country, a state party may call for assistance from any other state, IAEA or other
international intergovernmental organizations where appropriate.

Obligations of contracting parties are as follows:

x A requesting state party shall specify the scope and type of assistance needed and provide
the information necessary for determining the extent of assistance to be given;
x A state party to which a request is directed shall promptly decide and notify whether it is
in a position to render the assistance requested and in which extent;
x IAEA shall respond to a request for assistance, make available appropriate resources,
transmit promptly the request to other states and international organizations and co-
ordinate the assistance at international level;
x The assisting state shall, designate a person responsible for staff and equipment delivered,
co-ordinate the assistance relating medical treatment, make efforts to co-ordinate release
of information;
x The requesting state shall co-ordinate the assistance in its territory, provide local facilities
and services for effective administration, ensure the protection of personnel and equipment
delivered, facilitate entry, stay and departure of personnel, ensure the ownership and return
of equipment, afford privileges and immunities to personnel.

The state parties shall inform points of contact to the IAEA and others, identify and
notify the IAEA about experts, equipments and materials which could be delivered, protect
the confidentiality of confidential information, facilitate transit through its territory of duly
notified personnel, and co-operate to facilitate the settlement of legal proceedings and claims.

The IAEA shall:

x Collect and disseminate information concerning experts, equipment and materials
available,
x Develop methodologies and techniques to response to nuclear accidents;
x Assist a state party in preparing emergency plans and appropriate legislation;
x Develop training programmes for personnel;

25
x Transmit requests for assistance and maintain an up-to-date list of points of contact;
x Establish and maintain liaison with relevant international organizations;
x Offer its good offices in the event of accident and perform depositary functions.

[Link]. The Joint Convention on the Safety of Spent Fuel Management and on the Safety of
Radioactive Waste Management

The Joint Convention on the Safety of Spent Fuel Management and on the Safety of
Radioactive Waste Management was adopted at a Diplomatic Conference in September 1997
and has been put into force 18 June 2001 [13].

Preamble of the Convention presents the following background: Radioactive waste

should be disposed of in the state in which it was generated whilst recognizing that safe and
efficient management might be fostered through agreements among contracting parties. Any
state has the right to ban import of foreign spent fuel and radioactive waste. Also the
importance of informing the public on the issue has been recognized. Application of relevant
safety standards should be promoted and the international control system should be
strengthened.

Scope of the Convention covers Safety of Spent Fuel and Radioactive Waste
Management excluding off-site transportation and discharges.

Each contracting party shall take appropriate steps to ensure that individuals, society and
the environment are adequately protected against radiological hazards. Safety aspects are
continuously taken into account.

Each contracting party shall take legislative, regulatory and administrative measures and
other steps necessary to implement its obligations. Regulatory body should have an adequate
authority, competence and financial and human resources to fulfil its assigned responsibilities
and have effective independence from other functions. Prime responsibility rests with the
holder of the licence or with contracting party if there is no license holder.

Each contracting party shall submit for review a report to each review meeting of
contracting parties. The report shall address the measures taken to implement each of the
obligations of the convention. The report should address contracting party’s spent fuel
management policy and practices, radioactive waste management policy and practices, criteria
used to define and categorize radioactive waste and include a list of spent fuel management
and waste management facilities.

The IAEA shall:

x Provide the secretariat for the meetings of the contracting parties, convene, prepare and
service the meetings;
x Transmit information received or prepared in accordance with the convention;
x Provide other services in support of meetings as requested by consensus;
x Be the depository of the convention.

26
[Link]. Convention on civil liability for nuclear damage

Following the Chernobyl accident, the IAEA initiated work on all aspects of nuclear
liability with a view to improving the basic conventions on Civil Liability for Nuclear
Damage and establishing a comprehensive liability regime. In 1988, as a result of joint efforts
by the IAEA and OECD/NEA, the joint protocol relating to the application of the Vienna
Convention and the Paris Convention was adopted. The joint protocol established a link
between the Conventions combining them into one expanded liability regime. Parties to the
joint protocol are treated as though they were parties to both conventions and a choice of law
rule is provided to determine which of the two conventions should apply to the exclusion of
the other in respect of the same incident [14].

1.3. NATIONAL REGULATORY FRAMEWORK

1.3.1. The state, its structures and its duties

The state is basically characterized by its sovereignty, which is the basis for
establishing an orderly society. One way of realising and maintaining such a society rests on
adequate structures (national authorities, social, economical and/or industrial organizations)
and on fulfilling corresponding duties. Usually, these duties and structures are distributed in
four levels according to their nature and the competencies they need for implementation. The
first three levels involve the national authorities, namely: (1) the legislative level (parliament);
(2) the executive level (government); (3) the judiciary level (court). These are the regulators.
The fourth level has a different nature and covers the many social, economical and industrial
aspects; it includes all those (individuals and organizations) living and acting under the law of
the state in various areas such as industry, trade, handicraft, business organizations,
agriculture, etc. At that fourth level, we find all those that have to or want to do some
“business”. They are the regulated.

To illustrate this in the nuclear energy perspective, it is useful to mention the main
functions, duties and responsibilities of organizations (and individuals) at these different
levels.

The legislative (parliament) defines and promulgates the legislative frame in which
man and society can develop initiative and activities, (e.g. use of nuclear energy). It sets (by
legislation) an acceptable frame to allow such activities, i.e. giving individuals or
organizations the freedom to undertake such activities, but also setting limits to this freedom,
so as to ensure protection of other people and society. The parliament establishes further the
competence and gives the means to (legally) control activities.

The government (executive) implements the legislation (e.g. though execution of

control and surveillance of nuclear facilities); it creates adequate conditions for beneficial
activities (e.g. adequate education). The government is further responsible for ensuring that
any and all activities remain within the legislative frame, within the acceptable limits and
harmless to others. As a consequence, the government has the competence and duty to control
such activities and the power to intervene in order to prevent harmful evolution (e.g. though
licensing, review and assessment, inspection and enforcement).

27
 The court (judiciary) will judge, if necessary, the legality of decisions and actions and
make decisions in cases of contradictory opinions among the “regulated” or between the
regulator and the regulated.

Concerning the fourth level, covering the whole of the regulated industry, which is
very broad, a short characterisation would be either trivial or incomplete; some consideration
will be given below in the Chapter on “responsibilities of the four main actors” in connection
with the industry in charge of implementing a nuclear energy programme.

In the implementation of a national nuclear energy programme, the key-elements are

then: the state and the people of state, the state's legislative (parliament) and the state's
executive (government), various governmental bodies, in particular the regulatory body (for
nuclear safety), and the industry (involving organizations such as utilities and manufacturers).
Concerning the conditions of success of performance, a few rules have to be applied and
respected:
x The role of each organization has to be clearly defined;
x Each organization has to know perfectly its role and has to have competence;
x Each organization is responsible for its own actions;
x Co-operation and co-ordination are to be ensured for the success of the performance;
x Each organization knows and respects the role of the others (i.e. responsibilities and
competence of the others).

The word “responsibilities” appears in many aspects as an important key word.

Responsibilities are in particular always characterised by the following:
x Responsibilities must be clearly defined;
x Responsibilities cannot be shared;
x Responsibilities cannot be delegated.

When an organization bears a specific responsibility, it is always on individuals

belonging to that organization that duties and responsibilities will fall. These are the duties to
— and the responsibilities for — implementing the actions necessitated by taking charge of
the organization's responsibility. These duties will fall first on the organization's head, who
may and usually will delegate parts of the actual work to other individuals within the
organization. But to be noted is the following: despite the distribution of tasks to a set of
individuals — and of the associated individual responsibilities — the organization as such
remains fully responsible for the whole undertaking, and the organization's head remains fully
responsible for the whole work done by his personnel.

The nuclear safety convention, recognising implicitly this, underlines that the state is
responsible for all nuclear installations established on the territory over which it has
jurisdiction. Implementation of this responsibility takes place at several levels and in different
areas. In particular, the responsibility for safety lies with the operating organization. The other
organizations are responsible to establish and maintain adequate conditions so that the
operating organization can fulfil its responsibilities successfully.

28
1.3.2. Responsibilities of the four main organizations

Looking in more detail at the roles of these four organizations we identify the main
characteristics of their duties and responsibilities as well as the interrelationships at the
implementation level.

[Link]. Legislative (parliament)

The legislative (parliament) is responsible for establishing the necessary legislative

framework. That means:

x To allow development of the use of nuclear energy (if the nation has decided to do so).
That means practically to facilitate the realisation of the nuclear energy programme
(promotion); and
x To control through dedicated state's (governmental) organs, i.e. regulatory body, the
realisation of the nuclear energy programme or the operating organization(s), in order to
ensure the protection of the population against the associated risk.

These two tasks are not to be opposed to each other, but they have rather to be
considered as complementary. This is essential and leads to the necessary requirement of
independence of the various organizations.

The second task covers one aspect of implementation and responds to the statement
expressed in the nuclear safety Convention with the phrase “The state is responsible for
nuclear installations”.

[Link]. Government

The government, which is the executive that must implement the state's duties and
activities within the frame established by the legislative (parliament), is for fulfilling the
following global tasks:

x Establishing and maintaining the conditions necessary for controlling from the safety
viewpoint the implementation of the “nuclear energy programme” at all its stages (i.e.
siting, construction, commissioning, operation and decommissioning). This means
enacting an adequate legal framework.

x Establishing and maintaining the dedicated state's organs (regulatory body) to implement
the state's surveillance and control of nuclear energy use within the legislative and
regulatory framework. This implies among other things: establishing the legal power of
the regulatory body as well as assuring adequate resources in manpower and funding for
its efficient functioning.

x Protecting of the population against the risk associated with the use of nuclear energy,
developing and establishing the regulatory framework to govern efficiently the state's
surveillance and control of all stages of the nuclear energy programme.

With respect to the legal framework, there are four primary objectives of the legislation;
namely to provide:

29
x The statutory basis for establishing the regulatory body;
x The legal basis for ensuring the realisation of nuclear power plants without undue
radiological risk;
x The regulatory body with the power to establish and enforce regulations with respect to
nuclear safety;
x The financial indemnification in case of severe accident (this is closely associated with
third party liability);
x The regulatory framework for radiological protection of persons of the population and of
workers as part of public health for all sources of ionising radiation and establish the
corresponding surveillance body within the governmental organization. The legislation
must also establish whether the regulatory body in charge of nuclear safety should also be
responsible for the surveillance of “on-nuclear” sources of ionising radiation.

[Link]. Regulatory body

The term “regulatory body” is used in the IAEA Standards to define an authority or a
system of authorities designated by the government as having legal authority for conducting
the regulatory process, including issuing authorizations, and thereby regulating nuclear,
radiation, radioactive waste and transport safety. It includes the national competent authority
for the regulation of radioactive material transport safety. The number of authorities which
comprise the regulatory body and the relationships between them depends on the overall
organization and traditions of a state’s administration.

For any regulatory body, a prerequisite for discharging the responsibility for state's
surveillance is total independence of judgement and of regulatory decision. Therefore, the
regulatory body cannot bear other responsibilities, particularly responsibilities that could
conflict with safety concerns.

In discharging its responsibility for safety, the regulatory body has to endorse
regulatory functions and to perform regulatory actions. This includes establishment and
implementation of the regulatory framework, assessment of safety, licensing decisions,
inspection and enforcement; evaluation of the feedback of experience; keeping abreast of the
state of the art in science and technology; public information. This will be discussed in more
detail in Section 2 as well as in all other Sections.

[Link]. The industry (electrical utilities, operating organizations, manufacturers/suppliers)

Under this designation, the industry is a complex set of different organizations made
up of the operating organization, of the designer and constructor of the nuclear reactor, of
various suppliers, of industrial organizations doing work under contract for the operating
organization etc.

The industry is in charge of realising the nuclear energy programme and, in so doing,
has the duty to propose ways and means to attain the programme's objectives (and also the
freedom to propose adequate technical solutions). But, by so doing, the industry is responsible
for setting its projects within the legislative and regulatory framework and will also be
responsible for respecting the requirements as well as limits and conditions imposed by the
regulatory body for safety reasons.

30
 It is important to note here that, depending on the basic legal system of the state the
industry may be either a state or governmental institution (state economy) or a group of
private or corporate enterprises (market economy). In both cases, but particularly in the former
case, the legislative framework should ensure real independence of the regulatory body from
the industry.

It is clear that the operating organization has an essential and central role and,
therefore, bears an important responsibility. This has been largely and internationally
recognised and is reflected in several fundamental IAEA publications and, last but not least,
this has been explicitly formulated in the Convention on Nuclear Safety (Article 9). In short,
one basic principle is: “The operating organization bears the prime (or overall) responsibility
for safety”. Because this prime responsibility cannot be delegated the operating organization
assumes globally the sum of “partial responsibilities” attributed to designers, constructors,
suppliers, etc. during the realisation of the project (or programme). This requirement is
implicitly mentioned in the national legislation of many countries. This sets also the
framework for dealing with the important question of civil liability: only the operating
organization can and has to be declared civilly liable.

1.3.3. Nuclear safety legislation

[Link]. Distribution of regulatory requirements between laws, regulations and guidelines

Establishing and amending laws lies in the competency of the parliament: once they
have been approved and put into force, the laws constitute a stability factor as it takes time
and effort to modify them (needing a new discussion in parliament); they are therefore also
somewhat inflexible. Lower tier legislation is usually enacted by the government in its own
competencies and does not need parliamentary approval, but it may also take time and effort
to amend them or to prepare new ones. This is a reason for avoiding fixing too many details in
the legislation; the law should be limited to establish the general frame in which a set of
activities is allowed and made possible, as well as to provide for governmental supervision.

Regulations are promulgated at a lower level. Usually, ministries or other designated

governmental bodies are competent to prepare and edict regulations; at that level, it is easier to
amend an existing regulation or to promulgate a new one: this is the flexibility factor needed
to keep pace with the development of new knowledge and the feedback of experience. Some
administrative regulations are necessary to establish the rules for the licensing process.

Should a regulatory body feel the need to influence the proposals and the choice made
by applicants and to produce some guidance, the intermediate stage of guides (they are not
mandatory) is usually useful, because it would still be easy to accommodate other technical
solutions, should they be better or more suitable from the applicant viewpoint than those
suggested in the guidelines as well as, of course, acceptable for the regulatory body.

The objective of the legal system is double: To allow the performance of activities
within an acceptable frame and to ensure that these activities are conducted in such a way as
to avoid unacceptable consequences.

31
[Link]. Law and lower tier legislation

The law should be short and very general in order to cover many situations, particularly
situations which are not yet actual or even not yet known, without modification of the law. It
should establish the general frame in which a set of activities is allowed and made possible as
well as to be supervised. It should also give the power to the government to enact further and
more detailed lower tier legislation (ordinances, governmental decrees, etc.) as well as to other
governmental bodies (especially to the regulatory body for nuclear safety) the competency to
promulgate relevant and specific regulations. For the states having the level of lower tier
legislation in the competency of the government, it will be necessary to decide whether and
which regulatory requirements should be introduced in this legislation or, alternatively, should
be expressed as regulations enacted by the regulatory body.

[Link]. Regulations and guides — their nature and number

The difference between regulations and guides is clear and concerns above all the form
given to such regulatory documents, not their content: by definition, regulations are mandatory
and guides are non-mandatory. The development of regulatory tools leads to two categories of
regulations and guides: administrative (e.g. defining procedures for conducting the licensing
process in an orderly manner) and technical, e.g. setting particular principles, requirements or
provisions which applicants have to satisfy (regulations) or suggesting ways of attaining the
safety objectives (guides).

For dealing with administrative (or managerial) aspects of the licensing process, a
regulatory body will have to develop regulations rather than guides for obvious reasons: such
regulations will set the rules of procedure and they have to be applied by all those concerned;
they have therefore to be mandatory. Such administrative regulations would deal with subjects
such as: statute and organization of the regulatory body, rules of the licensing process, formal
duties of the applicant(s), financial aspects, etc. They are necessary at an early stage of the
licensing process, before the first application is introduced because they give the rules of
engagement and they make it easier for the regulatory body to manage the licensing process;
the applicant(s) should know and follow them from the beginning.

Concerning the technical level, both categories, regulations and guides, have to be
considered; being based on the overall safety objectives, they will prescribe (regulations) or
suggest (guides) ways or elements such as derived safety objectives, derived principles to be
used in design or operation, requirements and criteria, relation to industrial codes and
standards, etc. necessary or appropriate to satisfy these objectives.

[Link]. The legal pyramid

The legal system of a country may comprise all or most of the following elements
which, by their nature, appear at an appropriate level in the hierarchy of legal documents:
act(s), lower tier legislation (e.g. ordinances, decrees), regulations, guides, international and
industrial standards.

A graphical presentation of these elements can show their level in the legal hierarchy
and indicate their number. The box on the top will contain acts. Underneath, there will be the
larger box containing all lower tier legislation (ordinances, decrees, etc.). Further down, we
have the still larger boxes for the many regulations and below that box there is a box

32
containing regulatory guides. At the bottom there is the largest box containing international
and industrial standards. It is obvious that this pile of boxes of increasing size with the largest
at the bottom and the smallest at the top takes the form of a pyramid, thus the name of “legal
pyramid”. The graphical presentation of legal elements has been used quite frequently and two
examples are given in Figures 3 and 5.

1.3.4. National and international institutions for matters of standardization

In addition to the IAEA Safety Standards a lot of international and national institutions
create technical standards. Examples of such institutions are the International Organization for
Standardization (ISO) or the International Electrotechnical Commission (IEC).

The co-operation between the IAEA and some important international institutions is
well — regulated, for instance in the “Memorandum of Understanding between the IAEA and
the ISO”. It reads: “The ISO recognises the responsibilities of the IAEA ... in particular with
regard to the establishment of standards of safety for the protection of health ... which are
primarily addressed to national regulatory bodies”.
And corresponding: “The IAEA recognises the responsibilities of the ISO as a
specialized international institution for matters of standardization, having as its objectives the
facilitation of international exchange of goods and services...”

In practice this co-operation is managed by “liaisons”. The technical committees of the

standard organization nominate related committees in other organizations and a liaison officer
is delegated to those committees.

Examples for national institutions are the American Nuclear Standards Institute
(ANSI), American Society of Mechanical Engineers (ASME), the German Nuclear Safety
Standards Commission (“Kerntechnischer Ausschuß, KTA”) which is presented in some
detail later, the DIN “Deutsches Institut für Normung e.V.” or the “Association Francaise de
Normalisation AFNOR” in France.

In this way a complete global framework of safety standards and technical

specifications is created by the IAEA and the institutions for matters of standardization.

In each country there are a legal framework and national authorities. The common
features are:

x The existence of a clear statutory and legal framework for nuclear regulation;
x The establishment of the basic industrial, technological, and human resource
infrastructure necessary to ensure nuclear safety;
x An unambiguous recognition that the prime responsibility for the safety of a nuclear
installation rests with the holder of the licence (i.e. the operator of the installation); and
x A national commitment to safety as the fundamental requirement for a nuclear
programme.

Independent of those common features there are differences in the history,

development, current structure and scope of responsibilities of various national nuclear
regulatory bodies. It is therefore the duty of the national nuclear regulatory body to find a

33
specific way to fulfil fundamental safety objectives and to meet technical and policy
challenges on the basis of the national and international safety standards.

1.3.5. Types of regulatory guidance

To establish a clear regulatory guidance the national authority usually uses the whole
spectrum of possibilities that are included in the national pyramid of the legal framework.
That means, in accordance with the hierarchical structure of the IAEA Safety Standards,
consisting of Safety Fundamentals, Safety Requirements and Safety Guides, the authority will
develop ordinances, guidelines or recommendations, depending on the subject which is
treated. These ordinances, guidelines or recommendations usually have different audiences.
They could be mandatory for everyone, they could be mandatory only for the administration or
they could be just recommendations of a group of experts with a non-mandatory nature.
Nevertheless, these recommendations could obtain great practical importance, as the licensing
authorities usually demand the proof of their fulfilment within the scope of the safety
assessment.

These different documents are established in different procedures. They could be

enacted by the government, promulgated by the authority or just published by the authority.
Depending on the kind of document the preparation takes place with or without the
participation of the public.

Safety standards and the way in which those are treated are part of the safety culture of
a country. The approaches vary, but three general types of regulatory guidance can be
observed. They are described in an IAEA Bulletin [1]:

“Compliance-based” regulation. This approach typically involves the regulator

providing prescriptive standards and requirements — the same for every plant — for operators
to follow. In this regime, inspection and enforcement are largely a matter of verifying
compliance with these rules and penalising non-compliance. The KTA safety standards are an
example of this type. They are presented in detail in [Link].

“Performance-based” regulation. In this approach, licensees are required to comply

with safety objectives, but have some flexibility to decide how they achieve that. Safety
performance indicators are used by the regulator to observe trends in safety, and inspection
activities focus on these indicators. A difficulty with this approach, however, is that the
indicators used can be manipulated (i.e. efforts may be devoted to improving the indicators,
rather than improving safety itself). Furthermore, it is difficult to find safety performance
indicators that are predictive — i.e. that can be used to identify potential problems before they
develop into real ones — and therefore this approach remains essentially reactive. As an
example, one consequence of improving safety culture may be an increase in the number of
safety related “events“ or problems reported, as the result of better reporting by staff. It is
important that regulators (as well as managers) are able to distinguish a positive trend of this
type from a negative one in which more problems are occurring because of deteriorating
safety performance. This requires a more sophisticated approach to inspection than simple
“incident counting”, and more positive safety indicators may be of value.

An example of this type is the NRC maintenance rule. The US Nuclear Regulatory
Commission has begun a transition from the prescriptive regulations of the past to a more risk
and performance based approach which takes into consideration risk and plant performance.

34
10 CFR 50.65, requirements for monitoring the effectiveness of maintenance at nuclear power
plants” is an example of a performance based rule that mandates consideration of risk and
plant performance. This type of regulation gives each licencee the flexibility to determine the
most efficient and effective way to meet the requirements. The increased use of risk and
performance based regulation is made feasible by the continuing refinements in methods for
analysing and quantifying risk through the use of PSA and improvements in the evaluation
and analysis of plant and equipment performance data through licensee programmes such as
nuclear plant reliability data system (NPRDS), plant performance indicators, and those
mandated by the maintenance rule.

An example for the formal establishment of a reporting system is the German “Nuclear
Safety Officer and reporting ordinance” or the Finnish guide YVL 1.5 “reporting nuclear
power plant operation to the Institute of Radiation Protection”.

Process-based regulation (or integral supervision of nuclear power plants). This

approach takes specific account of the fact that the safe operation of nuclear facilities depends
on the effectiveness of the organizational processes established to operate, maintain, modify,
and improve a facility. Briefly put, the process approach focuses on the organizational systems
that the facility has developed to assure the ongoing safe operation from the perspective of the
facility’s internal logic. It recognises that the design of organizational processes must remain
flexible in order to allow the facility to create processes that are internally consistent, adapted
to their history, culture and business strategy, and that allocate resources in the most rational
way. A process based approach attempts to allow this flexibility while forcing the facility to
think very carefully about the logic of their processes. It demonstrates to the regulator that
they have taken a very rigorous approach to the design, implementation, and ongoing
evaluation of their key processes and that they are alert to opportunities to improve their
systems.

A combination of the above three approaches can be used, since they are not mutually
exclusive.

An example of this kind of regulation is the new KTA working programme “KTA
2000”. In this new programme all German requirements concerning nuclear safety are
classified in three levels, similar to the structure of the new IAEA Safety Standards series.

Notwithstanding the paramount importance of regulations and standards, they need to

be implemented on the management and working level within an integrated approach to
national and international “safety culture”.

1.3.6. Safety criteria for nuclear power plants

Safety criteria are a means to help implementing safety principles and requirements.
Safety criteria indicate the way (or one of the ways) to satisfy a principle or a requirement.
Nature of safety criteria may be technical, administrative, organizational, etc. and it can be
qualitative or quantitative. It can be relevant to engineering, to radiological protection, to man-
machine-interface (human factors), or to physical protection, etc.

Safety criteria may be established either by the regulatory body or by the

applicant/licensee:

35
x In the non-prescriptive approach, the applicant/licensee proposes a set of safety criteria by
defining them and using them in its application; these safety criteria are eventually
approved, modified or rejected by the regulatory body after review and assessment;

x In the prescriptive approach, safety criteria are established by the regulatory body; they
can be established as regulations (they are then mandatory) or as guidelines (they indicate
in this case how the regulatory body intends to conduct the review and assessment
process); they have to be available early enough in order to be considered by the
applicant/licensee and its suppliers in preparing the application.

The regulatory body is responsible for ensuring that an adequate and complete set of
safety criteria is available and that each applicable criterion is or will be satisfied. Safety
criteria are necessary for, and applied during, each phase of the licensing process, namely:
siting, design, construction, operation, decommissioning as appropriate. Safety criteria should
not only be compatible with, but should express the way to implement internationally agreed
basic safety objectives and their supporting fundamental safety principles.
A systematic approach to establishing a coherent set of safety criteria may be to
consider all fundamental safety principles enunciated in safety fundamentals [8] as presented
in [Link] or the derived principles presented by INSAG [7] (basic safety principles, namely:
3 fundamental management principles, 3 defence in depth principles, 6 general technical
principles, 50 specific principles).

Another approach may be based on the set of safety criteria in force in the country of
origin of the reactor and on a complementary check against the above mentioned safety
principles. Each principle or, respectively, each requirement is the source of at least one
criterion, but mostly of several complementary safety criteria, usually to be considered at the
different stages of the licensing process (siting, design, construction, commissioning,
operation, decommissioning).

[Link]. Examples of safety criteria

The siting and design requirements are presented by the IAEA in its requirements
documents on siting and design [3, 5]. The most well known national example of safety
criteria is given by the US NRC in the Code of Federal Regulation (CFR), in particular in title
10 “Atomic Energy”, Part 50 “licensing of production and utilisation facilities” with its
Appendix A “general design criteria for nuclear power plants” (64 criteria). Another, more
recent example is the decision of the council of state of Finland on the general regulations for
the safety of nuclear power plants (1991), (27 sections containing criteria).

In Germany details concerning the legal provisions set out in the Atomic Energy Act
and the Radiation Protection Ordinance are given by the safety criteria. They contain the
safety principles to be applied during design, construction and operation of NPPs in order to
ensure that the provisions against damage are taken in accordance with the present state of
science and technology. The safety criteria consist of 11 paragraphs containing 33 criteria.
Examples of the subjects covered are: testability, exposure of the environment to radiation,
effects of load combinations due to external events; protection against fire and explosions;
residual heat removal after loss of coolant; external hazards; heat removal from the
containment, single failure criteria and its application etc.

36
 In Switzerland the overall safety objectives are formulated in an indirect way in the
Atomic Energy Act. There are only very few technical requirements in regulations. But the
Swiss Safety Authority (HSK) makes use of regulations and guidelines from the countries of
origin of the reactors (USA and Germany). The Inspectorate will develop its own guidelines
only if it has a different opinion on specific aspects or if it will apply more stringent
requirements than those in force in the country of origin. Translated extract from the Atomic
Energy Act (1959) states: The application for construction, operation or modification of a
nuclear installation shall be supported by a detailed technical report (safety analysis report).
The licensing authority shall obtain an (independent) expert's opinion (safety evaluation
report) showing, in particular, whether the project includes all measures that can be reasonably
required for the protection of individuals, of third party property or of important rights. A
summary of safety objectives is given in the Booklet presenting the HSK: “Nuclear
installations must be constructed and operated such that the safety of the operating personnel,
the general public and the environment is maintained.”

1.4. ILLUSTRATION THROUGH NATIONAL EXAMPLES [15]

1.4.1. Finland

[Link]. Governmental organization

Nuclear Energy and Radiation Protection Acts and Decrees define the regulatory
framework in Finland. General safety requirements are given by decisions by the state council
(i.e. cabinet of ministers). Responsibility on nuclear safety rests on the licensee. The
governmental is presented in Fig. 3. Radiation and Nuclear Safety Authority — STUK is an
independent regulatory organization for regulating and reviewing nuclear and radiation safety.
Administratively (e.g. concerning budget matters) STUK is under the Ministry of Social
Affairs and Health. Licence applications for nuclear facilities are handled by the Ministry of
Trade and Industry. STUK gives its statement on the safety of nuclear facilities when
licensing is concerned.

MINISTRY OF SOCIAL STUK - RADIATION

AFFAIRS AND HEALTH AND NUCLEAR
- administrative authority SAFETY AUTHORITY
for the use of radiation - independent regulatory and
research organisation

MINISTRY OF TRADE
AND INDUSTRY
- administrative authority for
the use of nuclear energy

MINISTRY OF THE
INTERIOR
- protection of the general Ministry of Environment
public in emergency conditions Ministry of Defence
Ministry of Transport
Ministry of Agriculture
Finnish Meteorological
MINISTRY OF Institute
FOREIGN AFFAIRS Customs Authority
- nuclear safety in regions National Food
surrounding Finland Administration

FIG. 3. Finland — governmental organization.

37
[Link]. Hierarchy and development of regulatory guidance in Finland

Hierarchical levels of guidance

In Finland the relevant legislation is the Nuclear Energy Act and Decree, the Radiation
Act and Decree and the Nuclear Liability Act, as well as the Act and Decree on STUK. These
acts and decrees define the regulatory framework in Finland. (See Fig. 4). Typically the
following topics are presented in the Nuclear Energy Act: general principles, overall good of
society, safety, nuclear materials, waste management, physical protection, explosives,
licensing, supervisory authority, sanctioning etc.
In Finland the council of state gives general regulations concerning safety, security and
emergency preparedness. These regulations are mandatory. It is STUK’s responsibility to
prepare these regulations, except for the regulation concerning public rescue services, which
are prepared by the Ministry of the Interior. So far, following general regulations exist:

x The decision of the Council of State on the general regulations for the safety of nuclear
power plants (395/1991);

x The decision of the Council of State on the general regulations for the safety of a disposal
facility for reactor waste (398/1991);

x The decision of the Council of State on the general regulations for the physical protection
of nuclear power plants (396/1991);

x The decision of the Council of State on the general regulations for the emergency response
arrangements at nuclear power plants (397/1991).

Acts,
Decrees

Decisions by the Council

of State

YVL-Guides

Industrial and International Standards etc as basis

for applications (IAEA, ASME, ANSI, KTA, DIN etc)

FIG. 4. Hierarchy of regulations and standards in Finland.

Detailed regulations and regulatory guides (YVL guides) are issued by STUK. The
Nuclear Energy Act gives a mandate to STUK to issue detailed technical and administrative
guidance. YVL guides now include about 65 guides in the following eight series:

x General guides;
x Systems;

38
x Pressure vessels;
x Civil engineering;
x Equipment and components;
x Nuclear materials;
x Radiation protection;
x Radioactive waste management.

The list of YVL guides is presented in Appendix V. More than 30 guides have been
revised in the period 1992–1997. The guides are also translated into English. These guides are
rules, which the licensee shall comply with, unless STUK has been presented with another
acceptable procedure or solution by which the safety level laid down in the YVL guides is
achieved. The actual YVL guides are available in English through Internet at the site
[Link]/english/publications.

Developing regulatory (YVL) guides

Through YVL guides, STUK shows the utilities the required safety level and the
regulatory body’s supervision and inspection practices. Issues handled in the YVL guides
therefore cover plant design and operation as well as regulatory control and inspection related
topics. YVL guides give design criteria for systems, components and structures of NPP (e.g.
YVL 1.0, YVL 2.1, YVL 2.7, YVL 3.1, YVL 4.1, YVL 5.5). They give guidance on accident
analysis, PSA and respective design criteria (e.g. YVL 2.2, YVL 2.8). They provide guidance
on administrative and organizational issues like QA, document control, training and
qualification, safety committee practices (e.g. YVL 1.4, YVL 1.9, YVL 1.7, YVL 1.6). They
give guidance on commissioning, testing, operation of NPP´s, event investigation, reporting to
the STUK (e.g. YVL 2.5, YVL 1.5, YVL 1.11). They give guidance on plant modifications,
repair work, maintenance, in-service inspection, outage control (e.g. YVL 1.8, YVL 1.13,
YVL 3.8). They provide guidance on radiation protection, physical protection and waste
management (e.g. YVL 7.1, YVL 8.1). With such guidance there will be no surprises to the
utilities if new NPPs or plant modifications are planned or if operational practices are
changed.

The development of YVL guides contains the following phases. The decision is made
that a new guide is needed, a working group is formed, and a schedule agreed. The outcome is
draft 1, prepared by the working group. IAEA Safety Standards are taken into account when
Finnish regulatory guides are written. Draft 1 is then sent for internal comments within STUK,
and the outcome is draft 2. This is then sent for external comments to power companies, etc.
and the outcome is draft 3. This is presented to the STUK nuclear safety department
management meeting for approval, and the final draft 4 is sent for comment to the Nuclear
Safety Advisory Board. After considering their comments the guide is brought into force by
the Director General of STUK.

Internal regulatory guidance (STUK)

STUK’s administrative and YTV quality manual defines working practices inside the
regulatory body. The emergency plan for STUK defines tasks and working procedures for all
departments concerning accident situations. YTV guides prepared by the nuclear reactor
regulation department and collected into the YTV quality manual define working and
inspection practices in the supervision of NPPs. General inspection procedures prepared for

39
the periodic inspections are included in the YTV quality manual and detailed procedures for
each inspection are collected in a specific folder. Responsibility for the upkeep of the
inspection procedure lies with the inspector who has the main responsibility for the inspection
in question.

Example of guidance (criteria for assessment during licensing phase)

The Nuclear Energy Act and Decree define the necessary steps, e.g. stages of licensing
process of nuclear facilities (decision in principle, construction permit, operating licence) and
licensing documents. General design criteria for the NPP are given in the decision of the
council of state. YVL guide 1.1 [16] defines the regulatory body’s role in licensing and
commissioning. Detailed guidance for safety review and commissioning is given in YVL
guides.

General design criteria define the safety level and form a basis for safety assessment
review reports. YVL 1.1 provides administrative details; the what, when and how for the
regulatory body and for the utility. YVL guides 2.2, 6.2, 7.1 and 2.8 give criteria for accident
analysis and PSA. YVL 1.0 covers plant design. YVL 2.1 covers safety classification. YVL
2.7 covers failure criteria. YVL 1.4 covers QA. YVL 2.5 covers pre-operational and start-up
testing of NPP.

YVL guides 3.0–3.9 handle pressure vessels. YVL guides 4.1–4.3 handle concrete and
steel structures. YVL guides 5.3–5.8 handle other equipment like valves, pumps, automation,
ventilation, etc. YVL guides 7.1–7.18 handle radiation protection and emergency planning and
preparedness. YVL guides, group 6 covers nuclear materials. YVL guides, group 8 covers
nuclear waste management.

International standards provide background information on recommended practices

such as the IAEA Safety Standards series. ASME, ANSI, USNRC regulatory guides, etc.
provide one good national example. US NRC standard format for PSAR/FSAR and standard
review plans provide a model for the assessment of safety reports.

1.4.2. Germany

[Link]. Governmental organization

As indicated by its name, Germany is a Federal state. The Federal Constitution

therefore contains detailed provisions on the legislative and administrative competencies of
the Federation (Bund) and the individual states (Länder). Pursuant to the Federal Act of 1959
on the Peaceful Uses of Atomic Energy and Protection Against Hazards (Atomic Energy Act)
the supreme authorities of the Länder, designated by their governments, are competent for the
granting, withdrawal and revocation of licences for nuclear installations.

The Atomic Energy Act empowers the Bund to issue ordinances and general
administrative regulations that are mainly implemented by the Länder acting on behalf of the
Federation. The federal control and supervision relate to the legality and expediency of the
implementation of the Atomic Energy Act by the Länder. The competent authorities of the
Länder are subject to the directives of the competent supreme federal authority, in this case,
the Federal Ministry for the Environment, Nature Conservation and Nuclear Safety (BMU).
The governmental organization is presented in Fig. 5.

40
[Link]. Application of safety legislation: licensing prerequisites in Germany [17]

According to German law, nuclear facilities may not be built and put in operation
before a state licence has been granted. The purpose of this governmental control is to achieve
the best protection possible against the dangers of nuclear energy. The safety philosophies
presume that a nuclear facility represents a man-machine-system. For this reason, the German
Atomic Energy Act stipulates that both facility and personnel must meet stringent
requirements. The applicant has to fulfil the following licensing prerequisites in order to
obtain a licence:

x Personal licensing prerequisites: the applicant and the management personnel have to be
reliable, and the operating personnel have to have sufficient technical knowledge;

x Licensing prerequisites related to the facility: the facility has to be designed in such a way
that necessary provisions against damage due to the construction and operation have been
made in accordance with state-of-the-art science and technology, sufficient protection
against sabotage from outside has to be guaranteed, the location has to be chosen in
keeping with ecological standards, and there needs to be sufficient provision to meet any
legal liability for damages.

Federal Ministry for the Environment,

Nature Conservation and Nuclear safety
(BMU)

Advisory Committees: Further Federal Ministries

Reactor Safety Commission (RSK)
Comm. of Radiological Protection

Expert Organisations: Federal Office for Radiation Protection

GRS

Länder Ministry in Charge of Licensing,

Supervision and Inspection of Nuclear Installations

Further State and General Public

Local Authorities

Expert Organisations: Experts on Non-Nuclear Issues

Technical Inspection Agencies (TÜV)

Applicant / Licensee

FIG. 5. Germany — governmental organization.

41
Reliability of applicant and personnel

The applicant and management staff have to be especially reliable. The plant manager,
department or sub-department heads, the responsible shift personnel (shift supervisor and
deputy shift supervisor) as well as reactor operators and radiological protection officers a part
of the management staff have to ensure they manage the hazardous technology with diligence
and in a fail-safe manner. The examination of reliability requires an overall assessment of the
person in question which also takes into account his/her general behaviour. The examination
of reliability also includes evaluation of the physical and psychological aptitude for special
activities, besides personal integrity. Before being employed at a nuclear power plant, the
personnel will be subject to a security clearance.
Technical qualification of personnel

The second licensing prerequisite related to personnel concerns the proof of technical
knowledge. The management personnel have to furnish proof of special technical knowledge
and other operations personnel have to furnish proof of adequate knowledge of safe plant
operation and of the possible dangers and the protective measures to be applied.

Prevention of damage

The most important licensing prerequisite concerns the plant itself. It stipulates that
precautions are taken against damage resulting from construction and operation of the plant
according to state-of-the-art science and technology. This means that the plant design has to
correspond to the latest developments in both science and technology in order to practically
eliminate damages. During examination of the damage prevention measures for their
correspondence to the latest scientific developments, the licensing authority may not rely on
the prevailing scientific opinion, but has to consider all demonstrable scientific findings. If the
required precautions corresponding to the most recent scientific knowledge cannot be taken,
the licence must not be granted. In addition, the topics of defence in depth-concept are
mentioned as design prerequisites (see Section 3).

Sabotage protection

Further to the main plant-related licensing prerequisite, which is accident prevention,

the applicant has to furnish proof of protection against interference and other impacts by third
parties. This means, above all, protection against acts of sabotage.

Ecology

The applicant has to demonstrate that the choice of plant location does not conflict
with public interests, especially with regard to environmental impact. Before a licence is
granted, thorough examination has to be made to answer whether or not another location is to
be preferred because of ecological aspects. For this purpose account must be taken of the
impact of the plant on the environment, in particular on the ground water, climate and air, but
also on soil, animals and plants, nature and landscape as well as on cultural and material
goods. In addition to these environmental goods, contingencies, such as flood, earthquake etc.
have to be considered when choosing the location of the plant.

42
Financial security

The applicant also has to demonstrate that he is provided with the required financial
coverage to meet the legal liability for damages. This provision has to be made in case third
persons are harmed by an accident at the plant despite the safety measures taken. In this case,
the operator will be held liable for the total damage without limitation. For this purpose, the
operator has to furnish proof of the so-called financial security to meet legal liabilities. The
authority stipulates the manner and extent to which security has to be provided. In most cases,
the proof will be furnished by a third party insurance which pays the damages for which the
operator is responsible. Currently, the total of financial security e.g. for a nuclear power plant
is 500 million DM. If this amount should be exceeded in the event of an accident the state is
obliged to indemnify the operator against liability up to 1 billion DM. Beyond this amount, the
operator is held liable to the extent of his property.
[Link]. The German KTA nuclear safety standards

The German Nuclear Safety Standards are an integral part of the well known pyramid
formed by laws, ordinances, guides, standards and codes (Fig. 6). The author of the Atomic
Energy Act and the Ordinances is the legislative power, which is the parliament and the Upper
House of the Federal Parliament (Bundestag, Bundesrat). The author of the German Nuclear
Safety Standards (KTA standards) is the Nuclear Safety Standards Commission (KTA). The
Nuclear Safety Standards Commission (KTA) was established in 1972 and to date 86 Nuclear
Safety Standards have been issued.

Atomic Energy
Act

Ordinances

Safety Criteria and Safety Standards

(KTA-Standards, Regulatory Guides and
RSK-Guidelines)

Technical Standards
(DIN-Standards)

FIG. 6 . Hierarchy of regulations and standards in Germany.

KTA consists of 50 members representing the German nuclear community, i.e. in five
groups of ten members each, the manufacturers, the utilities, the atomic licensing and
supervisory authorities, the safety reviewing organizations and another group of miscellaneous
(nuclear) interests.

The KTA’s objective is to establish safety standards for all kinds of nuclear facilities,
primarily, however, for nuclear power plants. These safety standards reflect the common

43
opinion of the five groups and are based on actual experience gained during the licensing,
construction and operation of nuclear facilities.

Managed by a board with one member from each of the first four above mentioned
groups, the KTA decides in which fields safety standards are to be established. KTA-accepted
drafts of these standards are published and, at the end of a three-month period, reviewed
taking into consideration comments from the public. Final standards are then made public by
the German Federal Ministry for the Environment, Nature Protection and Nuclear Safety
(Bundesministerium für UMW(e)lt, Naturschutz und Reaktorsicherheit) and are thus put into
effect.

After a maximum of five years, an issued nuclear safety standard is reviewed to see if it
still represents modern practice or if modification proceedings have to be started for this
nuclear safety standard.
Day-to-day business of the KTA is carried out by the KTA-secretariat. The head
secretary of the KTA-secretariat is directly responsible to the board of the KTA.

Nuclear safety standards are prepared by KTA-subcommittees as well as by specially

appointed groups of experts, utilizing all national and international efforts of standards
organizations involved in the field of nuclear technology. All work is carried out under the
close supervision of the KTA-secretariat.

This kind of organization reflects an old German tradition. It is the idea of cooperation
between the governmental authorities and the private industry, all being equally entitled, at
least at the level of safety standards. The advantage of such a structure is the high expertise of
its members. A disadvantage is a certain heaviness in the decision process.

[Link]. Qualification requirements of German NPP personnel

Legal requirements

The German Atomic Energy Act states that a licence to operate a nuclear installation
may be granted only if — among other prerequisites — the subsequent requirements are met
for the responsible and for subordinate operating personnel category:

x No facts shall be known that give rise to any doubt as to the reliability of the personnel
responsible for the management and control of operation of the installation (responsible
operating personnel), and these personnel shall have the requisite competence.

x It is ensured that the persons who are otherwise engaged in the operation of the installation
(subordinate operating personnel) have the necessary knowledge concerning safe operation
of the installation, the possible hazards, and the safety measures to be applied.

The following functions are carried out by the responsible operating personnel: station
superintendents, nuclear safety commissioners, radiation protection commissioners, operation
superintendents, maintenance superintendents, technical superintendents, training officers,
physical protection commissioners, shift supervisors, control room operators and their
respective alternates. For these personnel the legal qualification requirements cover reliability
and requisite competence. The subordinate operating personnel category comprises all

44
personnel engaged in operation who are not included among the aforementioned responsible
personnel. For these personnel only a clearly defined amount of necessary knowledge
concerning plant safety and safety of the personnel, related to their respective tasks and
working places, is required.

Guidelines regarding qualification requirements

The licensing requirements of the Atomic Energy Act concerning the qualification of
personnel have been further specified for nuclear power plants in guidelines:

x Guideline for the proof of the requisite competence of personnel at nuclear power plants;
x Guideline for the content of the examination of the technical qualification of responsible
shift personnel at nuclear power plants;
x Guideline for programmes for the preservation of the technical qualification of responsible
shift personnel at nuclear power plants;
x Guideline for the ensurance of the necessary knowledge of subordinate operating
personnel;
x Guideline for the technical radiation protection commissioners at nuclear power plants and
other facilities for fission of nuclear fuel;
x Guideline on requirements regarding the physical protection commissioners and security
guards at nuclear facilities of category I;
x Guideline for the security screening for trustworthiness of personnel at nuclear
installations, during the transport and use of nuclear material and high-level radiation
sources.
Responsible operating personnel

The verification of the requisite competence of the responsible operating personnel is

mainly based upon performance evaluation rather than upon special examinations. The
documentation of each responsible operating personnel shall proof, that the respective
employee has:

x A basic professional qualification;

x The requisite safety-related knowledge;
x The ability to specify, initiate and carry out all measures and actions necessary for the safe
operation of the plant;
x A minimum practical experience (between 6 months and 3 years);
x Special nuclear, plant-specific lectures and in-plant technical training;
x Full-scope simulator training (8 weeks for PWR, 7 weeks for BWR);
x Successful completion of a written and oral examination;
x Special didactic training for training officers.

45
 Most of the safety-related nuclear fundamentals are taught to shift supervisors and
control room operator candidates in special courses at nuclear training centres which
administer final exams. All training centres have adopted a model-catalogue of about 2000
questions and sample answers for the written exams. The oral exam, administered by a special
board of examiners has to be taken individually.

Shift supervisors, their alternates and control operators have to take a written and an
oral examination at their respective plant. The examination is held by a board of examiners
which consists of three members of the responsible operating personnel category of the plant,
two outside experts under contract of the authority, and one representative of the competent
authority.

No examination is required at a simulator. However, the simulator training personnel

have to evaluate, to document and to testify to the training success for each trainee, including
a compilation of possible weakness or deficiencies in knowledge and ability. A responsible
representative of the respective nuclear power plant, to which the shift operating crew being
trained belongs, will accompany the shift crew and will closely observe his personnel and
their training results.

Requalification requirements

The licensing requirement concerning the competence of responsible operation

personnel implies the obligation of the licensee to keep the competence of his employees at
the level defined by the current state of science and technology throughout their working life.
The licencee has to provide for regular retraining activities, for instance in-plant lectures,
external training courses, simulator training (up to 20 days within 3 years). The success of the
retraining activities shall be monitored and documented by the plant management, and has to
be demonstrated to the competent authority upon request. For extended plant outages the
requalification programmes have to be intensified and modified, taking into account the
current plant state and the activities which could not be carried out because of the plant
outage.

Reliability requirements

The Atomic Energy Act requires that no known facts shall give rise to any doubt as to
the reliability of the responsible operating personnel and this personnel have been security
screened for trustworthiness. The security screening procedure is repeated every five years for
all personnel.

Requirements regarding the qualification of subordinate operating personnel

For subordinate operations personnel (all personnel not belonging to the responsible
operating personnel category) only the necessary knowledge concerning safe operation of the
plant, possible hazards, and safety measures to be applied is required by law. This necessary
knowledge depends upon the characteristic of the plant and the respective function or
responsibility of the personnel, and on the number of other subordinate personnel supervised.
The specification of the necessary knowledge is complicated by the fact that subordinate
personnel from one day to the next may be assigned to tasks with different nuclear safety
implications, under different working conditions and during major inspections even together
with hundreds of off-site personnel who do not know the plant well. Therefore, for

46
subordinate personnel the necessary knowledge has to be specified in a flexible way in order
to allow for adaptation to various parameters. The following requirements concerning the
insurance of the necessary knowledge have been specified:

x All subordinate operating personnel shall receive instructions covering safety-related

knowledge and its application to their everyday work;

x They shall receive a special briefing at the respective working place prior to the
commencement of work;

x They shall have professional qualification and practical experience.

For all activities that are regularly carried out by subordinate personnel the licensee
shall assign personnel to one of the following categories, according to their level of
responsibility (it is understood that category “A” to “D” personnel in general are executing
instructions given by responsible operating personnel):

A: Personnel who plan activities that may have bearing on the safety of the plant or on its safe
operation, or who co-ordinate the preparation or execution of such activities;

B: Personnel who operate and control important systems like turbine, ventilation systems,
cooling water systems from a central position within the scope of the operating
instructions or the instructions of the shift supervisor;

C: Personnel who execute work or inspections and tests on items important to safety, or who
substantially participate in the preparation or execution of such work;

D: Personnel who execute narrowly defined activities in support of work executed on items
important to safety, or who cannot affect the safety of the plant or of its operation because
of the type of and the restrictions on their respective tasks.

The minimum training shall take at least two hours and be repeated every year; it is
meant for subordinate personnel of category “D”. The maximum training for subordinate
personnel shall take several weeks and be repeated every three years; it is meant for personnel
with supervisory functions and whose working activities may have direct effects on safety,
like personnel of category “A” or “B”. As a last step, the licensee has to specify in a training
programme which set of lists on safety-related knowledge will be the basis for training of a
specific category of subordinate personnel.

All subordinate operating personnel are submitted to a security screening process for
trustworthiness. This security screening is an important precaution against sabotage by
undercover agents. The extent and intensity level on the security screening will depend upon
the plant areas, to which the specified person has access, and upon the ability of that person to
jeopardise plant safety. (off-site) personnel not having undergone this screening process have
to be escorted permanently by personnel having a security clearance.

For off-site personnel the instructions concerning the safety-related knowledge may
cause some problems, especially when such personnel are needed at short notice or when time
is not available for providing these instructions. In these cases, such off-site personnel will

47
only be allowed to start working when they have received a special briefing and when an
experienced permanent supervisor has been assigned to them, who has the necessary safety-
related knowledge.

Conclusion

The fact that detailed requirements regarding the qualification of operational personnel
have been specified by the licensing authorities does not guarantee this qualification. It is the
licensee’s obligation and his sole responsibility to train his personnel, to keep them optimally
qualified at any time and to adjust this qualification to any change in the state of science and
technology. He is the only one capable of transforming the regulatory requirements into
operation-oriented training objectives which take into account the constraints and needs of the
actual tasks to be accomplished. There should be close communication between the competent
authority and the licensee whenever qualification requirements are to modified, in order not to
destroy the licensee’s motivation to apply them meaningfully. It has to be kept in mind that it
is not only the qualification of the operating personnel which has an important influence on
the human contribution to plant safety. Whether a man will influence the course of any
accident sequence in a positive way or not, will strongly depend on his qualification; his
success will also be determined by the design of the control room, by his working
environment, by the design of working cycles and working aids, and by his motivation. The
objective of all efforts to optimise the contribution of the “human factor” to the safe operation
of nuclear power plants should therefore represent a simultaneous optimisation of all these
influences.

1.4.3. United Kingdom

The main legislation governing the safety, and enforcement of safety, of nuclear
installations is the Nuclear Installations Act 1965 as amended, together with the health and
safety at work, etc. Act 1974 and the Ionising Radiation Regulations 1985. Under the Nuclear
Installations Act no site may be used for the purpose of constructing, commissioning or
operating any nuclear installation unless a licence has been granted by the Health and Safety
Executive (HSE). A nuclear installation is broadly defined as being an installation where
nuclear fuel is manufactured, enriched or reprocessed, where products from irradiated nuclear
fuel are manufactured, or an installation which is a power or research reactor (some defence
related activities are excluded).

Her Majesties Nuclear Safety Directorate (NSD) as part of the HSE is responsible for
enforcing safety and health legislation at any licensed site. A statutory body called the Health
and Safety Commission (HSC) sits between Government and HSE. The aims of HSC and
HSE together are to protect the health, safety and welfare of employees, and to safeguard
others, principally the public, who may be exposed to risks from industrial activity. The
governmental organization is presented in Fig. 7.

Each nuclear site licence has conditions attached that have the force of law and which
place either absolute requirements or require the making of adequate arrangements and
compliance with those arrangements. A fundamental feature of one condition is the
requirement for the licensee to demonstrate the safety of the proposed operation in a document
known as the “safety case”, prior to the start of that operation. Breach of any law, regulation
or licence condition is a criminal offence and the offender may be prosecuted in the United
Kingdom courts of law.

48
 In the United Kingdom the NSD formulates the overall safety objective as follows: “The
objective is to secure the maintenance and improvement of standards of safety at civil nuclear
installations and the protection of workers and members of the public”. The modus operandi of the
NSD to satisfy the safety objectives is formulated as follows: “The essential regulatory philosophy
underlying safe nuclear power in the UK is to ensure that the licensee establishes a safe design, and
to monitor it by inspection from manufacture to decommissioning through construction,
commissioning, operation and maintenance in order to ensure that the safe design intent is not
violated either deliberately or unintentionally.” NSD does not issue Standards or Codes of practice
for nuclear power plants. Rather it expects each licence applicant to develop their own design
safety criteria and requirements. These criteria are not formally approved or promulgated as
standards or codes. The form of regulation chosen is non-prescriptive but is one that obliges
licensees to understand the risks associated with their plant. They must propose suitable
arrangements for dealing with those risks, and, once “approved” by the NSD, these
arrangements become legally enforceable constraints on the way in which the licensee may
operate.
Department
Environment, Transport
and the Regions

Environment Health & Safety

Agency Commission

Discharge & Disposal Health & Safety

of Radioactive Waste Executive

Nuclear Safety
Directorate (NSD)

FIG. 7. United Kingdom — governmental organization.

1.4.4. Governmental organization for nuclear safety in the USA

[Link]. History of nuclear safety regulation in the USA

The history of the US nuclear regulatory system dates from the initial development of
nuclear technology as part of the country’s wartime programme in the mid-1940’s. In its
earliest phase, virtually all nuclear activities were highly confidential and closely controlled
for security reasons. Since that time, the legal and organizational structure for nuclear energy
has expanded to cover a full range of civilian activities in the nuclear field. The following
chronology summarizes some of the key developments in the history of the US system for
nuclear regulation:

49
x 1946. A new Atomic Energy Act creates the Atomic Energy Commission (AEC) to
exercise civilian control over nuclear energy development and regulation. Under the 1946
Act, nuclear technology begins to become more public and open.

x 1953. On December 8, President Eisenhower delivers an important address to the United

Nations General Assembly entitled “Atomic Power for Peace”. The speech launches the
worldwide “Atoms for Peace” programme that not only gave impetus to the civilian
nuclear programme in the USA, but also supported the transfer of nuclear technology to
other nations.

x 1954. A substantially revised Atomic Energy Act authorizes the transfer of a broad range of
nuclear technology from the governmental sector to private industry and establishes a
regulatory framework for such activities within the Atomic Energy Commission.

x 1957. Congress enacts the Price-Anderson Act, which adopts limits on liability and a
system of compensation for damage from nuclear accidents, a measure that significantly
encourages the wider development of nuclear power.

x 1961. The US Supreme Court issues its decision in the important Power Reactor
Development Company case, the first major legal challenge to licensing of nuclear power
plants in the USA. The Court affirms the AEC’s two-step licensing process (construction
permit/operating license) and holds that judicial review of regulatory decisions will to
extend to AEC technical safety judgements.

x 1969. Congress enacts the National Environmental Policy Act (NEPA), that requires
preparation of an environmental impact statements (EIS) for all major federal projects.
Reactor construction is considered a major federal project it must receive a permit and
license from the US regulatory body (at that time, the AEC).

x 1974. In a major organizational reform, Congress adopts the Energy Reorganization Act
that abolishes the AEC and creates two new bodies. The US Nuclear Regulatory
Commission (NRC) is established as an independent agency to regulate nuclear energy.
The Energy Research and Development Agency (ERDA) — later the Department of
Energy (DOE) — is given responsibility for development and promotion of nuclear energy.

[Link]. Basic character of the US system of nuclear regulation

Having summarized the history of the US nuclear regulatory system, some consideration
should be given to the reasons why it is structured as it is. Many factors are relevant in
determining the legal and institutional framework for nuclear regulation in any country. The
following factors seem particularly relevant to the US approach.

The US civil nuclear power programme is quite large, with over 100 operating reactors
at over 60 sites. Supervision of such a programme obviously requires a proportionately large
regulatory body. The US programme is technologically diverse. Four reactor vendors have
utilized some 80 designs based on pressured-water reactor (PWR) and boiling-water reactor
(BWR) technology. Unlike a programme that utilizes a standardized design, a diverse system
requires the regulatory body to maintain a larger cadre of technically trained personnel in a
variety of fields.

50
 The US programme also involves a diversity of operating organizations. Until recent
reorganization and consolidation of the electric utility industry, some 45 separate companies
were operating nuclear power plants in geographically dispersed locations. Such a programme
requires a regulatory system that is organized to monitor nuclear safety on a regional and site-
specific basis.

The US legal system, in general, reflects a long tradition of independent regulatory

bodies responsible for assuring health and safety in various areas of industrial and economic
development (e.g. food and drugs, railroads). This provided a clear model for the
organizational structure of a regulatory body in the nuclear field. The US constitutional system
is federal, with the 50 state governments exercising significant powers (e.g. police,
environment, local land use, economic regulation of electric utilities). However, the
US system also provides a dominant role for the federal government in certain areas deemed
essential to national interests. Sometimes called the doctrine of “pre-emption”, the federal role
has been particularly broad in the nuclear area, primarily because of its military origins and
security aspects.

The US has a tradition of active legislative involvement in all areas of public policy.
Congress expects to conduct vigorous oversight of regulatory bodies on a regular basis.
Regulatory officials expect to appear regularly before legislative committees to explain their
activities, as well as to support annual budget requests. Judicial review of the actions of all
government agencies is routine in the USA An independent court system enforces the legal
accountability of regulatory bodies, including those in the nuclear area. Since nuclear energy
is controversial, most significant regulatory decisions are likely to be challenged in court. This
requires that the regulatory body have substantial legal expertise to defend its decision-
making. In general, US governmental activities are conducted in a very open and transparent
process. Nuclear regulation is no exception in this regard. This openness includes a strong
tradition of public participation in agency decision making, in which so-called “stake-holders”
(i.e. parties with some identifiable interest) have the right to participate in agency proceedings
by submitting oral or written testimony. Openness is assured through a number of laws that
are not particular to the nuclear field, but to all aspects of government. The Freedom of
Information Act, Government in the Sunshine Act and Federal Advisory Committee Act (to
name only a few) include requirements for government transparency.

With regard to the financing of regulatory activities, the USA has moved to a system in
which the regulated industry funds substantially all of the costs of regulation. The US Nuclear
Regulatory Commission is funded by fees assessed against licensees. This represents a change
from the original approach of funding regulation from taxes paid by all citizens. The
arrangement — known as “full cost recovery” — means that persons using nuclear-generated
electricity or nuclear techniques eventually pay the regulatory bill. A more recent factor that is
having a major impact on the US nuclear regulatory system is the process of de-regulation and
reorganization in the nation’s electric utility industry. The impacts of these developments are
diverse and unpredictable. One major effect is a change in the number and even identity of
utilities operating nuclear power reactors. This will require close regulatory oversight to
confirm that new entities have the technical and financial resources to ensure safety. Also, a
more competitive electricity market is creating pressures to reduce the costs of regulation, a
factor that could impact regulatory resources.

51
[Link]. The statutory framework for US nuclear regulation

The US nuclear regulatory system is based on a rather extensive and complicated

framework of laws, some of which are specific to the nuclear field, but many of which apply
to all governmental activities. Table V lists the most important legislative acts that govern the
day-to-day regulation of nuclear safety. The most important of these laws is the atomic energy
act of 1954, which establishes the comprehensive framework for the uses of nuclear energy.
The 1954 act has been regularly updated and amended (almost on an annual basis) for the past
half century. Other laws cover specific subject matter areas in the nuclear field, such as waste
management.

TABLE V. US LEGAL FRAMEWORK FOR NUCLEAR ENERGY REGULATION

Specific nuclear-related laws:

x Atomic Energy Act (1954), as amended;

x Price-Anderson Act (Adopts Limits on Liability and a System of Compensation for Damage from
Nuclear Accidents) (1957);
x Energy Reorganization Act (1974);
x Uranium Mill Tailings Control Act (1978);
x Nuclear Non-Proliferation Act (1978);
x Low-Level Radioactive Waste Policy Act (1980);
x Nuclear Waste Policy Act (1982);
x Low-Level Radioactive Waste Policy Act Amendments (1985);
x Diplomatic Security and Anti-Terrorism Act (1986);
x Nuclear Waste Policy Amendments Act (1987);
x Energy Policy Act (1992);
x Annual NRC Appropriations Acts;

Generally applicable laws:

x National Environmental Policy Act (1969) Requires Impact Statements on Major Projects;
x Administrative Procedure Act;
x Government in the Sunshine Act;
x Freedom of Information Act;
x Federal Advisory Committee Act.

A number of laws that are not specific to the nuclear field have an important impact on
nuclear safety regulation. The most important of these general laws is the national
environmental policy act of 1969. This act requires the preparation of environmental impact
statements for major federal actions, which include the construction of power reactors and
development of waste management facilities, among others. Certain procedural acts of general
applicability also determine how nuclear regulatory bodies implement their responsibilities.
For example, the administrative procedure act governs the way all federal agencies conduct
their business, including provisions for how agency decision making must be conducted and
how persons may challenge actions they believe to be improper.

52
[Link]. Nuclear Regulatory Commission — main responsibilities

As stated previously, since 1974 the US governmental body primarily responsible for
regulation the safety of nuclear activities is the independent Nuclear Regulatory Commission.
The NRC has wide-ranging responsibilities covering most aspects of the nuclear fuel cycle.
the following list summarizes some of its main activities:

x Regulation (through standard-setting, licensing, inspection and enforcement) of the design,

construction, operation and de-commissioning of:
 Commercial nuclear power reactors.
 Research, test and training reactors.
 Medical, academic and industrial uses of nuclear materials.
 Transport, storage and disposal of nuclear materials and nuclear waste.
x Licensing of reactor operators.

x Conducting research on nuclear safety.

x Providing public information related to nuclear safety.

x Coordinating relationships with state governments regarding nuclear safety. The basic
mechanism for this coordination is through a series of state agreements under which
regulatory authority is exercised by state governments based on an NRC determination that
they are compatible and consistent with NRC regulations.

x Maintaining an Incident Response Center to help manage nuclear events and accidents.

x Cooperating with other national governmental bodies and international organizations on

nuclear safety and radiation protection.

x A more extensive discussion of the detailed structure and activities of the Commission is
set forth in Part 2 — Regulatory Body at section [Link] — US Nuclear Regulatory
Commission.

[Link]. Role of other federal agencies and state and local governments

Although the US Nuclear Regulatory Commission exercises the greatest range of

responsibilities for regulating nuclear energy in the USA, other bodies have important roles
that should be briefly mentioned. The most important federal agencies in this regard are the
following:

Department of Energy (DOE): As the Federal agency charged with development and
promotion of nuclear energy, DOE supports a range of activities important to safety. For
example, the department has embarked on a major programme for developing a new
generation of nuclear power reactors that, among other aspects, are intended to have much
greater inherent safety features than current designs. This work is conducted in cooperation
with private industry. DOE also implements an extensive programme of nuclear safety
cooperation with other countries, primarily in Central and Eastern Europe and new
independent states of the former Soviet Union. DOE is also responsible for the safety of
defence-related nuclear activities at its own facilities.

53
Environmental Protection Agency (EPA): EPA has broad responsibilities in the protection of
all aspects of the environment, including water quality, air pollution and toxic wastes.
Although NRC regulates safety at nuclear-related sites, EPA is involved in standard-setting
and regulation of environmental impacts of nuclear activities that may extend beyond a site,
affecting the general population.

Department of Transportation (DOT): DOT regulates transportation of hazardous materials,

including nuclear materials, to ensure safe handling in the movement of such materials in
inter-state commerce.

Department of State (DOS): The State Department coordinates US relations with other nations
and international organizations, including those related to nuclear safety. DOS is typically the
lead federal agency in negotiating international instruments, including those related to nuclear
safety and coordinates with DOE, NRC and other agencies on safety cooperation with foreign
entities.

Department of Defence (DOD): The Defence Department is responsible for the safety of
nuclear materials and activities under its control, including nuclear weapons and nuclear-
powered vessels.

Occupational Health and Safety Administration (OSHA): OSHA administers important

regulatory controls over the protection of workers from dangerous occupational hazards to
health and safety.

State and local governments do not have inherent authority to regulate the radiological
aspects of nuclear energy. However, as noted previously, many states exercise regulatory
control over radiation protection under agreements with the Nuclear Regulatory Commission.
States and local governments also have important responsibilities derived from their
fundamental powers over land use planning and economic development. For example, the
government of a state in which a proposed nuclear power plant is to be constructed must issue
certain kinds of permits related to construction. States also exercise economic regulation of
electricity rates, an activity that can impact the resources available to an operating
organization for maintaining and improving safety at its facilities.

2. REGULATORY BODY

2.1. REGULATORY INDEPENDENCE

The importance of regulatory independence is recognized in the Convention on Nuclear Safety

[11] and the IAEA Safety Requirements on legal and governmental infrastructure for safety
(Ref. [2] ). Both documents address the establishment of a regulatory body and the need for its
separation, or independence, from the promoters of nuclear technology. The primary reason
for this separation is to ensure that regulatory judgements can be made, and enforcement
actions taken, without pressure from interests that may conflict with safety. Furthermore, the
credibility of the regulatory body in the eyes of the general public depends in large part upon
whether the regulatory body is regarded as being independent from the organizations it
regulates, as well as independent from government agencies or industry groups that promote
nuclear technologies.

It is recognized that a regulatory body cannot be absolutely independent in all respects from
the rest of government: it must function within a national system of laws and budget

54
constraints, just as other governmental and private organizations do. Nevertheless, it is
important for its credibility and effectiveness that the regulatory body has effective
independence in order to make the necessary decisions with respect to the safety of workers,
the public and the environment.

The need for independence of the regulatory body does not imply that it needs to have an
adversarial relationship with operators or any other stakeholder.

The following paragraphs provide a more detail discussion of a number of elements of

regulatory independence:

Elements Of Regulatory Independence

Political: The political system shall ensure clear and effective separation of responsibilities
(duties) between the regulatory body and organizations responsible for the development of
nuclear technologies. In this regard, it is important to distinguish between independence and
accountability. The regulatory body should not be subject to political influence or pressure in
taking safety decisions. The regulatory body should however be accountable with regard to
fulfilling its mission to protect workers, the public and the environment from undue radiation
hazards. One way of providing this accountability is by establishing a direct reporting line
from the regulatory body to the highest levels of government. In the case where a regulatory
body reports to a government agency that has responsibility for exploiting or promoting
nuclear technologies, there should be channels of reporting to higher authorities to resolve any
conflicts of interest that may arise. This accountability should not interfere with the
independence of the regulatory body in making specific safety decisions with neutrality and
objectivity.

Legislative: In the legislative framework of a national regulatory system (e.g. atomic laws or
decrees) the role, competence and independence of the regulatory body with respect to safety
should be defined. The regulatory body shall have the authority to adopt or develop safety
regulations that implement laws passed by the legislature. The regulatory body shall also have
the authority to take decisions including enforcement actions. There should be a formal
mechanism for appeal against regulatory decisions, with predefined conditions that must be
met for an appeal to be considered. The regulatory body shall have the responsibility for
adopting or developing safety regulations that implement laws passed by the legislature.

Financial: “The regulatory body shall be provided with adequate authority and power, and it
shall be ensured that it has adequate staffing and financial resources to discharge its assigned
responsibilities.” (Ref. [2], Para. 2.2 (4)) While it is recognized that the regulatory body is in
principle subject to the same financial controls as the rest of government, the budget of the
regulatory body should not be subject to review and approval by government agencies
responsible for exploiting or promoting nuclear technologies.

Competence: The regulatory body should have independent technical expertise in the areas
relevant to its safety mission. The management within the regulatory body should therefore
have the responsibility and authority to recruit staff with the skills and technical expertise they
consider necessary to carry out the regulatory functions. In addition the regulatory body should
maintain awareness of the state of the art in safety technology. In order to have access to
outside technical expertise and advice that is independent of operator or industry
funding/support to support its regulatory decisionmaking, “The regulatory body shall have the
authority to obtain such documents and opinions from private or public organizations or

55
persons as may be necessary and appropriate” (Ref. [2], Para.2.6 (10)). In particular, the
regulatory body shall have the ability to set up and fund independent advisory bodies to
provide expert opinion and advice (Ref. [2], Para. 2.4, (9)) and to award contracts for research
and development projects.

Information to the Public: One of the responsibilities of the regulatory body is to provide
information to the public. “The regulatory body shall have the authority to communicate
independently its regulatory requirements, decisions and opinions and their basis to the
public.” (Ref.[2], Para. 2.6, (11)). Since the public will only have confidence in the safe use of
nuclear technology if the regulatory process and decisions are transparent, government should
set up a system to allow independent experts and experts from major stakeholders (for
example, the industry and the workforce and the public) to provide their views. The experts'
findings should be published.

International: “The regulatory body shall have the authority to liaise with regulatory bodies of
other countries and with international organizations to promote co-operation and exchange of
regulatory information.” (Ref.[2], Para. 2.6, (14)).

2.2. ORGANIZATION AND FUNCTIONS OF REGULATORY BODY

2.2.1. IAEA guidance for regulatory organization [2]1

The prime responsibility for safety is assigned to the operator. The primary objective of
the regulatory body is to ensure that the operator fulfils this responsibility to protect human
health, and the environment from possible adverse effects arising from nuclear facilities and
management of radioactive waste. In order to achieve these objectives the regulatory body
defines policies, safety principles and associated criteria as a basis for its regulatory actions.
Table VI presents the main functions of the regulatory body.

In order to discharge its main responsibilities the regulatory body needs to:

x Establish a process for dealing with application, e.g. issuing of an authorization;

x Provide guidance to the operator on developing and presenting safety assessments or any
other required safety related information;
x Ensure that proprietary information is protected;
x Communicate with, and provide information to, other competent governmental bodies,
international organizations and the public;
Ensure that operating experience is appropriately analysed and that lessons to be learned
are disseminated;
x Ensure that appropriate records relating to the safety of facilities and activities are retained
and retrievable;
x Ensure that its regulatory principles and criteria are adequate and valid, and shall take into
consideration internationally endorsed standards and recommendations;
x Advise the government on matters related to the safety of facilities and activities;
x Confirm the competence of personnel responsible for the safe operation of the facility or
activity; and
x Confirm that safety is managed adequately by the operator.

1
INTERNATIONAL ATOMIC ENERGY AGENCY, Organization and Staffing of the Regulatory Body for
Nuclear Facilities, GS-G-1.1 (in press).

56
TABLE VI. FUNCTIONS OF THE REGULATORY BODY [2]

The regulatory body has the following main functions:

x Establishment, promotion or adoption of regulations and guides, upon which its regulatory actions
are based;
x Review and assessment of submissions on safety from the operators both prior to authorization
and periodically during operation as required;
x Issuing, amending, suspending or revoking of authorizations;
x Carrying out regulatory inspections;
x Ensuring corrective actions if unsafe or potentially unsafe conditions are detected;
x Taking the necessary enforcement actions in the event of safety requirements having been
violated.

The regulatory body may also have additional functions such as:

x Carrying out independent radiological monitoring in and around nuclear facilities;

x Carrying out independent testing and quality control measurements;
x Initiating, co-ordinating and monitoring safety research and development in support of the
regulatory functions;
x Providing personnel monitoring services and medical examinations;
x Monitoring of nuclear non-proliferation;
x Regulatory control of industrial safety.

The regulatory body needs to be structured in a manner that ensures that it is capable of
discharging its responsibilities and fulfilling its functions effectively and efficiently. The
organizational structure and size of the regulatory body are influenced by many factors and it
is not appropriate to recommend a single organization model. The regulatory body needs a
structure and size commensurate with the extent and nature of the facilities and activities it
must regulate, and it needs adequate resources to discharge its responsibilities.
The organizational structure of a regulatory body varies from country to country. The
following sections provide general guidance on the organizational structure based on the
functions of the regulatory body. The principal functions to be carried out are: regulations and
guides, authorization, review and assessment, inspection and enforcement. The regulatory
body has also the function in connection with emergency preparedness. For a large
organization it is often useful to have each of these functions assigned to a discrete section or
division within the regulatory body. Each of these functions need many specialized skills.
Rather than having each functional unit containing its own specialists, it is often practical and
efficient to group the specialists in a matrix such that each organizational unit assigned
responsibility for a function can draw on specialist skills as needed.
Development of regulations and guides requires a considerable amount of resources. If
new or revised regulations and guides are required frequently it may be appropriate to have a
permanent unit to deal with this. Where the need for new or revised regulations and guides is
infrequent it may be sufficient to identify a mechanism whereby such resources can be drawn
together when required. Regulations and guidance cannot be produced in isolation but
consultation both within and outside the regulatory body is needed. In developing regulations
and guides, account is taken of international standards and recommendations, obligations
imposed by any conventions to which the state may be party, relevant industrial standards and
any advances in technology.

57
 Review and assessment are among the main continuous functions of a regulatory body.
It is therefore appropriate to assign this to a person or organizational unit within the regulatory
body. This function often involves drawing together teams of specialists. Review and
assessment is based on regulations and guides. The review and assessment necessitate
effective communication and interaction between different units of the regulatory body. The
main parameters, characteristics and results are recorded and retained, in written form, for
future reference.

Inspection is another continuous function of the regulatory body and can take many
forms. The inspectors may form a permanent part of the inspection unit, or may be drawn
from other parts of the regulatory body as required. Project managers or supervisors should be
appointed to plan and monitor the work of all inspections performed for a facility and draw
the results together. An inspection may result in a requirement for additional review and
assessment or for enforcement action. Therefore, there should be strong and effective links
with all other parts of the regulatory body.

The use of resident inspectors may provide benefits such as improving the ability of the
regulatory body to engage in on-site surveillance of systems, components, tests, process and
other activities of the operator at any time. The full-time presence of inspectors can improve
the ability of the regulatory body to identify and respond promptly to problems. With resident
inspectors, inspection frequency and intensity at any given level of human resources can be
more readily optimised, and the regulatory body may be better informed of operator schedules
and hence better able to coordinate its inspection activities with key operator activities that it
wishes to observe. Where resident inspectors are employed, consideration should be given to
locating more than one at a particular site for mutual support. There should be adequate
communication between resident inspectors and the headquarters to maintain regulatory
effectiveness.

The use of non-resident inspectors may demand less in terms of human resources than
the use of resident inspectors. Non-resident inspectors may inspect more than one site, which
may be a more efficient use of limited resources. Alternatively a non-resident inspector may
be assigned to a particular facility and may co-ordinate inspection activities at that facility.
Furthermore, a non-resident inspector is less likely to become unduly isolated from the
activities and decision making of the regulatory body.

Enforcement actions are designed to respond to non-compliance with specified

conditions and requirements. There are different enforcement actions, from written warnings
to penalties and, ultimately, withdrawal of an authorization. In all cases the operator is
required to remedy the non-compliance, to perform a thorough investigation in accordance
with an agreed time-scale, and to take all necessary measures to prevent recurrence. The
regulatory body shall ensure that the operator has effectively implemented any remedial
actions. The organizational structure of the regulatory body needs to enable enforcement
actions to be taken at appropriate level.

The precise role of the regulatory body in emergencies varies considerably between
states, depending on how it is organized to respond to emergencies in general. In many states,
the regulatory body has an advisory function for the authority responsible for emergency
preparedness. It will therefore be necessary to set up procedures to draw together the
necessary resources when required, and to exercise them as appropriate. The structure of the
regulatory body should clearly indicate a responsible person or group in charge of co-

58
ordinating the development of procedures, liasing with other organizations involved in the
overall emergency preparedness and conducting the exercises.

The regulatory organization needs an administrative support that is an organizational

unit dedicated to general administrative work.

A regulatory body is by its very nature engaged in activities that require professional
legal support. The legal support can be provided as part of the staff of the regulatory body or
provided by another governmental body or obtained through contract. The regulatory body
should be structured to recognise either implicitly or explicitly the interface of legal functions
with technical and management functions. Activities typically requiring professional legal
participation include, e.g. development of basic legislation and regulations including
compatibility with international conventions and agreements, providing legal advice and
representation of the regulatory body in the case of enforcement activities and at the court of
law.

If a regulatory body or its dedicated support organization does not have an adequate
number of qualified personnel or the workload does not justify the recruitment of a full-time
staff, consultants may be used to perform selected tasks. The technical qualifications and
experience of such consultants are at least at the same level as the staff of the regulatory body
performing similar tasks. More generally consultants are used by the regulatory body to assist
in performing tasks requiring an additional level or area of expertise which may arise
occasionally, or to provide a second opinion on important issues. Since the regulatory body
has to evaluate and utilize the work performed by consultants, it defines the scope of the work
to be performed. The consultants are required to provide a detailed written report which
includes the basis and method of evaluation, conclusions and recommendations that will assist
the regulatory body in completing its evaluation.

The government or the regulatory body may choose to give formal structure to the
processes by which expert opinion and advice are provided to the regulatory body. For
example, broadly based advisory committees with membership drawn from other government
departments, regulatory bodies of other countries and scientific organizations can bring broad
perspectives to bear on the formulation of regulatory policy and regulations. Another type of
advisory committee is the technical committee composed of members with a range of
technical skills needed to evaluate complex technical issues. Such committees may have a
defined role in the authorization process. Alternatively, they may be ad hoc, performing a
function similar to that of consultants but for which a number of different skills are needed to
address complex issues. Any advice offered shall not relieve the regulatory body of its
responsibilities for making decisions and recommendations.

The regulatory body encourages facility operators to carry out the research and
development needed to produce adequate argumentation about safety. However, there may be
situations in which the operator’s research and development are insufficient or in which the
regulatory body requires independent research and development to confirm specific important
findings. The regulatory body may need research and development work in support of its
regulatory functions in such areas as inspection techniques, analytical methods or in
developing new regulations and guides. The regulatory body’s organizational structure reflects
these needs either by setting up a research unit or by having staff who can define research and
development needs, initiate, co-ordinate and monitor the work and evaluate the results.
Regardless of how it is carried out, the regulatory body ensures that the research is focused on

59
regulatory needs, whether short or long term, and that the results are disseminated to the
appropriate organizational units.
The actions and responsibilities of many organizations can interact with those of the
regulatory body. Such organization may include government departments, environmental
protection authorities, other bodies with responsibilities for emergency preparedness, physical
protection, water and land use planning authorities, authorities responsible for public,
occupational, health and safety, fire protection authorities, etc. Where regulatory authorities
overlap it may be appropriate to manage the relationship between the bodies by means of a
formal agreement. This should set out each body’s responsibilities, which should lead on any
aspect of overlap and how conflicting requirements should be resolved. In many cases, it may
be appropriate to have regular liaison meetings.
The regulatory body is organized to provide public information regarding its activities,
both on a regular basis and in relation to abnormal events. Information provided to the public
is objective, reflecting the regulatory body’s independence. The regulatory body is as open as
possible while complying with national legislation on confidentiality. This can best be done
by individuals with expertise in the field of public information to ensure that the information
presented is clear and comprehensible. In a large regulatory body, this may warrant the
establishment of a specialized unit.
The safety of facilities and activities is of international concern. Several international
conventions relating to various aspects of safety are in force. National authorities, with the
assistance of the regulatory body, as appropriate, establish arrangements for the exchange of
safety related information, bilaterally or regionally, with neighbouring States and other
interested States, and with relevant intergovernmental organizations, both to fulfil safety
obligations and to promote co-operation. The involvement of the regulatory body in
international co-operation, arranged by means of multilateral or bilateral agreements, could
consist of exchange of information, mutual assistance in regulatory activities, staff training,
regular staff meetings on specific subjects and other matters. Multilateral co-operation could
be organized using different approaches; for example, regional approaches, multilateral based
on design or type of facilities concerned. The regulatory body may also be involved in
fulfilling national obligations under international conventions. These may require subsequent
actions as appropriate.
In the following, different types of organizational arrangements are described as
examples of how the above responsibilities and duties can be organized.
2.2.2. Examples of regulatory organizations [15]
[Link]. Finland
STUK — Radiation and Nuclear Safety Authority acts as the regulatory body for
nuclear power plants in Finland. STUK maintains jurisdiction over nuclear safety, radiation
protection, pressure vessel, and nuclear material and safeguards. STUK gives detailed
technical and administrative instructions relative to the design, construction, commissioning
and operation of nuclear power plants in so called “YVL” guides. Organizational scheme is
presented in Fig. 8. At the end of the year 2000, STUK employed 290 persons. STUK has a
staff of approximately 80 inspectors for the supervision of nuclear power plants (4 units).
Basic educational level of the inspectors of STUK is: approximately 20% engineers, 70%
graduate engineers (diploma) or a corresponding degree, and 10% with a higher degree. There
are training policies and guidelines for the training of inspectors.

60
 FIG. 8. Finland — organization of STUK.

Total finance in 2000 was 129 million FIM (22 million Euros). The sources of funding
of STUK were as follows: states funding allocations (42%); income from monitoring under
public law (29%); expert services (23%); external funding for joint venture (6%), other
funding (2%). Expenditure by sector in 2000 was: nuclear safety (30%); research (29%);
services (21%); radiation safety (8%); environmental radiation monitoring (4%); preparedness
(4%); information (4%).

Regulatory oversight including respective direct costs such as contracted research

activities carried out by STUK is directly charged from the utilities. Other sources of STUK
incomes are the governmental budget and some contracted services. Overhead expenses are
divided to different organizations in relation of working hours carried out. Emergency
preparedness, public information and international and domestic cooperation are paid from the
governmental budget.

[Link]. Switzerland

The legal basis for the regulation and supervision of nuclear activities are: The nuclear
law (1959), the federal amendment to the nuclear law (1978) and the Federal Ordinance about
the supervision of nuclear installations (1983). According to the Ordinance the Federal
Nuclear Safety Inspectorate (HSK) exercises supervision over nuclear installations in
Switzerland. Its main tasks are the establishment of the safety review to be delivered to the
federal government with regard to the granting of a general licence or of permits for
construction, operating, etc. of nuclear installations, and the surveillance and inspection of
these installations. Organizational scheme is presented in Fig. 9.

61
 Direction
HSK

Secretariat & Safety Research &

Central Services, International Programme
Scientific Advisor

Co-ordination of Human Factors,

Supervision of NPPs Organization &
Safety Culture

Department Department Department Section

Mech. & Electrical Design and Safety Radiation Protection Radioactive Waste
Equipment Analysis & Emergency Planning Management

Electrical Mechanical Reactor & PSA & Accident Radiation Radiation

Engineering & Civil Safety Accident Consequences Measurement Workers
& I &C Engineering Technology Management & E P &P & Radioecology Protection

FIG. 9. Swiss Federal Nuclear Safety Inspectorate organization.

The licensee has full responsibility for the safety of his plant. The regulatory body
defines the safety requirements and checks for fulfilment of these requirements. Persons
entrusted with the surveillance may at any time require information and have access to all
documents; they have unhindered access to all installations, offices, and stores.

The inspection personnel belong to HSK as the governmental organization, and also to
private organizations (e.g. for mechanical components, civil structures, and some for radiation
monitoring). The HSK does not have people, who are full time inspectors. Supervision is
carried out by different sections. The co-ordination and inspection section has the duty to co-
ordinate inspection activities. Each site has a site inspector who is a member of this section.
About 70 persons are involved overall in inspection activities of the HSK. They include some
20 persons from private organizations. Inspectors and regulators in the HSK are identical.
Typical qualification is a BS or MS degree and several years of experience in nuclear or non-
nuclear industries. Supplemental training in reactor technology and safety is provided in the
first year.

The annual budget of the Inspectorate (HSK) is approximately 6.2 million Swiss francs
(salaries and infrastructure, including the secretariat of the advisory commission (KSA), but
excluding the Commission as such). In addition, some 7 million Swiss francs are budgeted for
external experts and for research contracts. The expenses of HSK are mostly compensated for
by specific revenue from the federal treasury. Fees have to be paid by the applicants/licensees
for all licensing procedures. The operators of nuclear installations are invoiced by the federal
administration for the actual costs of the supervision by the Inspectorate and its experts.

[Link]. United Kingdom

Her Majesties Nuclear Safety Directorate (NSD) as part of the Health & Safety
Executive (HSE) is responsible for enforcing safety and health legislation at any licensed site.
Organization of NSD is presented in Fig. 10. NSD has about 150 inspectors and
90 administrative support staff. About one third of the inspectors are engaged in site
inspection duties, about one third in assessment, with the rest in project management, strategy
and other related duties. There are also a number of inspectors located elsewhere in HSE
providing advice on policy matters. Inspectors are all technically or professionally qualified.
Typically they hold chartered engineer or equivalent status and have suitable experience in an

62
appropriate field. Internal training programmes cover legal and other activities to ensure that
an Inspector is competent to inspect and enforce legislation. NSD does not employ non-
inspectorial technical or professional staff. Outside experts or specialists are rarely contracted
by NSD to perform inspections but are sometimes contracted to provide assistance or advice
on particular assessment issues.

Chief Inspector
NSD

Division 1 Division 2 Division 3

British Energy British Nuclear Fuels General and Defence
Sites (BNFL) Sites Sites

- Inspection - Inspection - Inspection

- Assessment - Assessment - Assessment
- Projects - Projects - Projects
- Research
- Strategy Director’s Support
Finance/planning
Resource Management
Procedures/guidance

FIG. 10. United Kingdom — Nuclear Installations Inspectorate, organization.

Inspectors appointed by the HSE also have the power to stop unsafe acts or require
improvements to be made within given time scales. Some of the conditions attached to the
licence also give the HSE the power to direct the licensee to undertake a specified task (e.g.
shutdown reactors) and the power to consent or approve to certain activities (e.g. items of high
safety significance). These powers are carefully set out so as to not take away the absolute
responsibility of the licensee for safety on the licensed site.

Neither HSE or NSD are involved in licensing of individuals at the nuclear installation,
but powers in the licence conditions exist to enable the HSE to stop any appointment by the
licensee of persons to key safety related posts such as control room operators. NSD’s actions
are subject to internal review processes and in extreme cases can be subject to review by the
United Kingdom courts of law. The Government sets the policy on siting of nuclear
installations, dealing with radioactive waste and decommissioning which NSD implements
through the granting of site licences and its powers under the site licence conditions. HSE sets
policy in respect of work radiation exposure that is enforced by NSD on licensed nuclear
installations and by other parts of HSE for other industrial and medical uses of radioactive
material. NSD also enforces other safety and health regulations in relation to non-nuclear
hazards at licensed nuclear sites.

The Health and Safety Commission also has a group of nuclear experts called Nuclear
Safety Advisory Committee (NUSAC), which provides advice on matters which may be
referred to it or it has decided to take an interest in. NSD makes presentations to NUSAC and
considers its advice.

63
 Under the Nuclear Installations Act, HSE recovers most of the running costs of NSD,
together with the costs of any research thought necessary from licensees. Fines, which the
United Kingdom courts of law may impose on a licensee or person, go to the courts and not
NSD.

[Link]. US Nuclear Regulatory Commission

The basic legal and organizational framework for nuclear regulation in the USA has
already been described in 1.4.4. The following section includes a basic description of the
structure and responsibilities of the US Nuclear Regulatory Commission (NRC). The
Commission’s organization chart is set forth in Fig. 11.

Organizational structure of the NRC

The NRC is headed by a Commission comprising 5 members, each appointed by the

President of the USA and confirmed by the US Senate. Several measures have been adopted
to ensure the Commission’s independent, non-partisan character. Commissioners serve for
fixed five year terms and can only be removed for legal cause (e.g. violation of law or
dereliction of duty). The Chairman of the Commission is designated by the President from
among the Commissioners and serves in that capacity at the discretion of the President.
Although the Chairman has some special responsibilities regarding management of the
agency, each Commission possesses and equal vote on policy matters. If removed as
Chairman, the person may remain on the Commission for the remainder of his or her term of
office. One of the commissioners’ terms expires each year, providing a regular rotation of
membership. Commissioners may be re-appointed. However, to avoid partisanship, no more
than three of the five commissioners can be members of a single political party.

A few years ago, the NRC was somewhat restructured along the lines of a corporate
business model. In particular, two new officers were designated to manage major
organizational functions. A Chief Information Officer (CIO) was designated to be responsible
for all information technology, communication and computing capabilities. Similarly, a Chief
Financial Officer (CFO) was designated to deal with resource and budget issues. The
Executive Director for Operations (EDO) continues to be the Chief Operating Officer of the
Agency. The EDO maintains management supervision over all NRC’s three main operating
divisions — Materials, Research and State Programmes; Reactor Programmes; and
Management Services. As indicated in Fig. 8 organization chart, these three Divisions
supervise the activities of the various NRC offices covering specific areas of the Agency’s
responsibility. These cover all the traditional areas of regulatory supervision, including
standard-setting, licensing, inspection and enforcement. A number of offices related to the
Commission’s overall administrative functioning are directly supervised by the Commission,
itself. Such offices include: Inspector General; Congressional Affairs; Public Affairs; General
Counsel; and International Programmes. The Commission’s various advisory bodies (such as
the Advisory Committees on Reactor Safeguard and on Waste) also report directly to the
Commission.

Consistent with the large size and geographic breadth of the US programme, the
Commission has also established four regional offices (in Pennsylvania, Georgia, Illinois and
Texas). These regional offices provide a direct link to state and local governments and
individual installations through resident inspectors stationed at each nuclear power plant.

64
 The role of the Office of the Inspector General should be highlighted. This office is
functionally independent of the Commission, issuing reports on how the agency conducts its
business from the standpoint of efficiency, ethics and effectiveness. The office has a separate
budget, approved by the Congress, to avoid any suggestion that the Commission is unduly
influencing its reviews so that the Commission cannot limit its resources if it does not like the
kind of reporting it is getting. As mentioned, the Commission has created two independent
bodies to provide technical advice to the Commission. The Advisory Committee on Nuclear
Waste and the Advisory Committee on Reactor Safeguards (meaning safety) are comprised of
expert scientists and engineers. Law and regulations require that the views of these bodies be
considered in the licensing process.

Regulatory independence and the NRC

Although it is difficult to define regulatory independence, the regulatory framework

within which the NRC functions has been structured to insulate the Commission from outside
influence in its decision making on issues affecting public health, safety, security and the
environment. Key features of this framework are the following:

Separation of functions: As an organization, NRC not only has no responsibility for

promoting or developing nuclear energy, but — importantly — is completely separate from
any other government bodies having such responsibilities.

Political influence: As already noted, no more than three of the five commissioners can come
from a single political party. In a country with two dominant political parties, this helps
protect against partisanship, no matter how much control one party may have on other organs
of government. Commissioners also serve relatively long (5 years) fixed terms, and may also
only be removed for “cause” ( i.e. not because they have lost favor with the current political
leadership.

Conflicts of interest: The Commission implements very strict that prohibit the commissioners
or any of the NRC staff from having a financial or personal interest in entities or subject that
may be subject to their regulatory decisions. Transparency is important in this regard. NRC
employment regulations require annual financial disclosure reports to ensure that improper
relationships are identified and eliminated.

Openness: The concept of transparency goes even further at the NRC. Several laws ensure
that the commission’s decision-making process is conducting in public. For example, the
Government in the Sunshine Act requires advance public notice of meetings, with a right of
attendance by interested parties. The Freedom of Information Act requires broad public access
to any materials used in the decision-making process.

Reporting: An important guarantee of independence is NRC’s ability to provide extensive

safety-related information to the public, media, other governmental bodies, without review or
clearance from any other government agency.

Budget and finance: The NRC covers essentially all of its budget through license fees, as
authorized in an annual appropriations act by the Congress. This “full cost recovery” approach
is believed to provide at least some insulation from political pressures that could result from
having NRC’s resources derived entirely from tax revenues. Further, the NRC is entitled to

65
submit its own budget to the Congress, subject only to review by the President’s Office of
Management and Budget (OMB).

Technical capabilities: For any agency responsible for regulating a complex technology, it is
important to possess adequate scientific, engineering, management, financial and legal
expertise. The NRC’s large staff (almost 3000 employees) reflects high technical competence
and covers cover a wide range of technical areas. This provides important independence from
the regulated industry in terms of assessing information provided by licensees.

Oversight mechanisms: As final insurance against improper decision-making, the NRC

system includes important oversight mechanisms. The internal — but independent — Office
of Inspector General provides a scheduled review of NRC’s management. External oversight
is exercised by the independent judiciary through appeals of NRC decisions to the federal
courts. Congress also conducts oversight that can result in remedial action through legislation
or appropriations.

The eight elements outlined above do not guarantee absolute independence, a status that
is both impossible to achieve and undesirable in principle. However, these elements are
important in assuring that safety judgements are not subordinated to other interests —
political, economic or social. This degree of independence helps maintain public confidence
in the safe uses of nuclear energy, and indispensable prerequisite for its continued use.

NRC implementation of main regulatory functions

In the following is described in greater detail the manner in which the NRC implements
its responsibilities in the main areas of regulatory activity: standard-setting or rulemaking,
licensing, inspection, enforcement, regulatory research and public information.

Standard-setting or rulemaking

At the NRC, regulatory standards are issued through a process called rulemaking. The
process is primarily initiated by the Commission’s technical staff, although any member of the
public can propose that NRC develop, change, cancel or rescind any regulation. The
Commission receives many such requests from environmental organizations and local
organizations. NRC rulemaking is a very open process, with public participation a keystone.
NRC cannot promulgate rules without giving the public an opportunity to make comments.
Before a rule is even drafted, the NRC staff often holds public meetings or workshops to
solicit views on a proposed rule. The preferred approach to rulemaking is to provide advance
notice of a proposed rulemaking in the Federal Register (the daily federal publication that
announces significant government actions). Such an advance notice of proposed rule making
is short, typically about a page long; stating that the Commission is considering adopting a
new rule or changing or cancelling an old one. Some considerations may also be included,
with an indication of initial factors the NRC staff is considering as a basis for the rulemaking.
A period of time (usually not less than 30 days) is provided for comment by stakeholders (i.e.
industry, interest groups, the public). Emergency rules or minor rules may be issued without
public comment, but that is exceptional.

After receiving comments, the NRC staff develops the text of a proposed rule. This text
is also placed in the Federal Register, for specific comment. Depending on the significance of
the issue or on the comments received, the NRC will determine whether to conduct a public

66
hearing on the proposed rule. After comments on the proposed rule are received and
evaluated, and a hearing conducted or denied, a final rule (reflecting any changes considered
appropriate) is published in the Federal Register. NRC rules are subject to challenge in the
federal courts. As previously indicated, such appeals are typically based on whether the
procedure followed in adopting the rule has complied with relevant legal requirements; not
whether the NRC’s technical judgements are correct.

The NRC has recently taken steps to make its rulemaking process even more open and
efficient. The Commission has created a website “NRC Rulemaking Forum” giving advance
notice to the public of rule making and providing a mechanism for receiving comments
electronically. The NRC rulemaking process may appear protracted and cumbersome.
However, it is consistent with the country’s traditions of open and democratic traditions
decision making. It has also been found useful in creating a more stable regulatory system
because Commission decisions are less likely to be challenged or overturned if NRC can
demonstrate that the public has been involved fully and at every stage in establishing
regulatory standards.

Licensing

For some years, NRC’s reactor licensing function has not been particularly active. The
Commission has not received an application for a new nuclear power plant since the late
1970s. However, the Commission has used this period to streamline and update the licensing
process.

The traditional approach to licensing power reactors was a two step process, involving a
separate Construction Permit (CP) and an Operating License (OL). This process is set forth in
Part 50 of the Commission’s rules (in Title 10 of the Code of Federal Regulations (CFR)).
Part 50 lists the extensive requirements such licenses. Extensive evaluation of the licensing
process, urged by the nuclear industry and some in Congress, convinced the Commission that
this two-step process was unnecessarily cumbersome and inefficient. As a result, the NRC
adopted a streamlined, combined CP/OL licensing process that is set forth in Part 52 of the
CFR. Under this approach, an applicant with a pre-approved site and approved design can
obtain a single license permitting him to operate the plant. Part 52 details the requirements for
site and design approvals.

Even under the new Part 52, the reactor licensing process is lengthy and complex. The
following summary identifies the major steps in the NRC process:

x The applicant must submit a safety analysis report (SAR) covering essential factors
including: design criteria and information; comprehensive site data; safety features to
prevent and mitigate hypothetical accidents; an environmental report on potential impacts;
and economic information for purposes of an antitrust review (analyzing possible
competitive economic effects).

x The application must also be reviewed by the Commission’s independent Advisory

Commission on Reactor Safeguards (ACRS).

x The NRC staff prepares an environmental statement that is issued for public comment.

67
x A public hearing on the application is required before one of NRC’s atomic safety and
licensing boards (ASLB). An ASLB is comprised with 3 members, two of which have
technical backgrounds and one who is lawyer. Typically, an ASLB is chaired by the lawyer,
who is expected to deal with legal and procedural issues.

x During this process, the Commission may issue a limited work authorization (LWA) to
permit certain site preparation and initial construction activities on a “reasonable
assurance” that the plant will meet safety and environmental requirements.

x After the public process has been completed a final safety analysis report (FSAR) is
prepared, setting forth details justifying the issuance of the license.

x Under the Part 52 process, the Commission may issue an early site permit (valid for 10–
20 years) and a standard plant design certification (valid for 15 years). A number of sites in
the USA have received early site approval. Also, several standardized plant designs have
been certified. A hearing is mandatory under Part 52, after completion of the ACRS and
NRC staff reviews. An important benefit of the combined Part 52 license is that issues
resolved in early site permit or design certification proceedings cannot be considered at the
combined license stage.

Even in the absence of applications for new nuclear power plants, the NRC has been
confronted with important licensing issues. The first of these is license renewal. Nuclear
plants in the USA were originally licensed for 40 years. A number of operating plants are now
approaching the end of their license terms. This raises the issue of whether (and if so, for how
long) they should be authorized to continue operating. With over one hundred operating
reactors in the USA, the NRC anticipates a large number of requests for license renewal. The
commission’s regulations in Part 54 of Title 10, Code of Federal Regulations, establish
detailed safety requirements for license renewal. The NRC’s primary focus in it license
renewal review is on so-called “passive” and “long-lived” structures and components (e.g.
reactor vessel, reactor coolant pumps, piping, steam generators, pressurizer, valve bodies and
pump casings). A must demonstrate that any ageing effects will not unacceptably effect the
safety of the plant. License renewal also requires another environmental review,
supplementing the original review, for the purpose of assuring that extended operation will
not have unacceptable impacts.

A second major licensing issue confronting the NRC is license transfer. Restructuring
and deregulation of the electricity industry for economic reasons has accelerated in recent
years in the USA. New companies are getting into the business of generating electricity, while
other companies are leaving the business or merging into new legal entities. Where a new
legal entity takes over an existing nuclear plant, continued operation will require a transfer of
the current NRC operating license. For this to happen, the Commission must make a
determination that the new operating organization has the technical, management and
financial capabilities to operate the reactor safely.

Inspection

The third key regulatory function is inspection. NRC conducts a wide range of different
types of inspections of nuclear reactors, fuel cycle facilities and other users of nuclear
material. For nuclear reactors, the Commission inspection programme is primarily conducted

68
through a system of resident inspectors. The Commission has assigned at least two resident
inspectors to each site, with additional inspectors for sites with multiple reactors. Resident
inspectors continually monitor licensee activities on the site, both obtaining and transmitting
early information concerning plant conditions and facility events. The resident inspectors
provide direct contact between NRC management and the licensee. They also evaluate what
additional inspection activities may be needed that they are not competent to conduct
themselves. Many of these special inspection activities are conducted from the NRC’s four
regional offices and some from the Commission headquarters. Specialist inspectors from
headquarters or regional offices typically cover such as radiation protection, instrumentation
and control, earth sciences and fire safety. In terms of overall inspection effort, the NRC
spends an average of approximately 3250 inspection hours (about 6 person-years) on each
reactor annually. The NRC has also developed specific reactor inspection programmes for the
major phases of nuclear power plant construction and operation, including: pre-construction
activity, construction permit activity, pre-operational phase, start-up phase, operations phase
and decommissioning phase.

Outside the power reactor field, NRC also conducts approximately 1700 health and
safety inspections of nuclear materials licensees annually.

Qualification requirements for NRC inspectors include: a college degree in engineering

or physical science, experience in the nuclear industry (except for interns), onsite inspection
training, qualification board and certification and periodic refresher training. The NRC
provides an extensive training and certification programme for inspectors at its training center
in Chattanooga, Tennessee. Much of the training is done through reactor simulators at the
training center on full-scope simulators covering most major reactor designs used in the USA.

Each NRC inspection is fully documented in a formal report that includes: scope of the
inspection and conclusions on the effectiveness of the programme inspected, licensee
management and quality assurance programme, strengths and weaknesses of the licensee,
compliance with NRC requirements, findings to support conclusions and determinations on
violations (generally dealt with in a separate enforcement proceeding).

Finally, with regard to inspection, it should be noted that the NRC has recently
implemented a new reactor oversight process utilizing a risk-informed, performance-based
approach focusing on safety issues deemed of greatest importance. This approach aims at re-
focusing inspection effort and reducing the burden to both regulators and operators by taking
advantage of risk insights. Although it involves the entire range of regulatory activity, it is
particularly relevant to the inspection and enforcement functions. This new approach is
discussed in some detail in 6.3.1 — NRC’s risk-informed, performance-based assessment
programme.

Enforcement

The fourth key regulatory function is enforcement. The importance of the enforcement
function is underlined by the fact that NRC maintains an office of enforcement that is separate
from organizational bodies conducting regulatory inspections. Requiring inspectors to justify
the need for enforcement action by another Commission body, is not only a check on over-
zealous inspectors, but encourages full documentation of violations. The objectives of NRC
enforcement action are to deter licensees from failing to comply with NRC regulatory

69
requirements and to encourage licensees to promptly identify and to correct any violation of
safety significance.

Three types of enforcement actions are employed by the NRC: notice of violation, civil
monetary penalties and orders to modify, suspend or revoke licenses.

Violations are ranked by their significance from severity level I (most serious) to
severity level IV (least serious). NRC considers four factors in determining the level of
significance: actual safety consequences, the potential or future safety consequences, impact
on NRC’s regulatory functions, intent of the violation (e.g. whether the licensee committed
the violation deliberately or was merely careless, or did not understand the requirement).

In applying its enforcement sanction, the Commission may consider civil monetary
penalties for Level III violations (these are routinely used for Level I and II violations). The
Atomic Energy Act authorizes the NRC to penalize a licensee up to 120 thousand dollars per
day. A more severe sanction would be to close down a facility entirely, an action the NRC is
also authorized to do in cases where the public health and safety may be at risk. The amount
of a civil monetary penalty will depend on several factors, including: type of licensed activity,
type of licensee, severity level of the violation, whether the licensee has been the subject of
significant enforcement action in the past two years or past two inspections, whether the
licensee should receive credit for identifying the violation, whether the licensee has taken
prompt and effective action to correct the violation, whether, in view of all the circumstances,
discretion should be exercised with regard to the amount of the penalty.

In 1999, the NRC assessed over a million dollars in civil penalties. The money obtained
through NRC enforcement does not come directly to the Commission, but it goes to the US
Treasury. For serious violations we do have criminal prosecution penalties.

For serious, intentional or repeated violations, criminal penalties (e.g. imprisonment)

may be applicable. In such cases — extremely rare — the NRC will refer the matter to the
Department of Justice for further investigation and possible prosecution.

Regulatory research

NRC has a very substantial regulatory research programme. The Commission usually
refers to its programme as confirmatory research to make clear that its purpose is to support its
regulatory mission, not the development or promotion of nuclear energy. The programme has
three main objectives: to provide independent information to support regulatory decision
making, to assess the potential safety significance of technical issues, and to prepare the NRC
to deal with future safety issues arising from new designs and technology.

NRC’s research budget, which had averaged about $100 million annually, has been
reduced to approximately $70 million in recent years due to government deficit reduction
efforts and other circumstances. With more limited resources, current NRC research activities
have focused on issues of greatest significance for nuclear safety, including: emerging
technologies (e.g. digital instrumentation and control systems), plant ageing issues,
decommissioning, operating experience, and risk-informed regulatory approaches.

More limited resources have also encouraged the NRC to look for opportunities to
conduct cooperative safety research with other nations in joint bilateral or multilateral

70
projects. The NRC maintains a large cooperative programme with Japan, a joint project with
Russia, and with other countries.

Public information

NRC considers public information one of its most important responsibilities. Public
confidence in the safety of nuclear energy depends, to a great extent, on the openness and
credibility of regulators. NRC maintains a separate Office of Public Affairs that reports
directly to the Commission. Each of NRC’s four regional offices also maintains a public
affairs office. As discussed earlier, a number of laws require the Commission (and all other
US government agencies) to provide a broad range of information to the public, the legislative
branch, and to the press and media. Examples of the wide-ranging materials made available by
the Commission are provided in the next section of this Section — NRC regulatory guidance.
The NRC’s website ([Link]) provides access to this information in electronic form.

Regulatory guidance

The system through which the NRC provides regulatory guidance is extremely wide-
ranging and diverse. It should be emphasized that this guidance is not directed solely to
licensees. Of course, guidance is essential in achieving an effective regulator-operator
interface. However, it is also important to recognize that the regulatory guidance has many
stake-holders who seek to review this guidance and to utilize it for their purposes. Such stake-
holders include: local and state governments having important roles in the regulatory process;
other federal agencies; interest groups (i.e. local community groups, environmental
organizations);the press and media; other nations; international organizations; and members of
the general public. It should not be ignored that the primary consumers of regulatory guidance
are NRCs own employees, who will be expected to conduct their responsibilities consistently
with agency policies and standards.

NRC guidance ranges from highly formal documents that are strictly binding on
licensees and NRC staff, to less formal guidance on general Commission policy. This
guidance is also multifunctional, ranging from organization and management procedures,
through standards and technical specifications, to inspection and enforcement requirements.
This guidance also covers many different subjects.

An important feature of NRC’s guidance system is that virtually everything NRC

produces as a guideline is publicly available, resulting in a highly transparent process. Finally,
another important aspect of the NRC system is that it is a process in constant revision and
reinvention. NRC guidance documents are continually reviewed, updated, changed and
cancelled accordingly.

Before discussing some of the most important examples of NRC regulatory guidance, it
may be useful to have a general overview of the types of documentation developed and made
available by the Commission. Table VII — Survey of USNRC guidance documents provides
such an overview.

71
TABLE VII. SURVEY OF US NRC GUIDANCE DOCUMENTS

x Code of Federal Regulations — Title 10

x Regulatory Guides
x NRC Legislation
x NRC Inspection Manual
x ADAMS
x Federal Register Notices
x Standard Programme
x Enforcement Reports
x Inspection and Assessment Reports
x Operational Experience Reports
x Part 21 Reports
x SALP Reports
x Technical Reports
x Administrative Letters
x NRC Bulletins
x Generic Letters
x Information Notices
x Regulatory Issue Summaries
x Inspector General Reports
x Commission Meeting Transcripts
x Preliminary Notifications
x Speeches
x Information Digest

It would not be either possible or useful to attempt to describe all of these documents.
However, they can be easily accessed through the Internet, to provide a detailed picture of
NRC’s regulatory approach.

The legal pyramid of guidance documents

As in most other nations, the legal pyramid in the USA is comprised of the fundamental
law or constitution at the top, regular legislative acts or laws at the next lower level,
regulations at a lower level still, with technical standards and regulatory guidance at the
lowest level. For the USA, the top of the pyramid is occupied by the US Code Annotated, the
official compilation of laws enacted by the Congress. To the extent that these laws sometimes
adopt specific requirements that must be applied by the NRC, they could be considered a form
of regulatory guidance.
Code of Federal Regulations: However, the highest level of material that can be properly
considered NRC guidance is probably the next lower level, which is occupied by the code of
federal regulations (CFR). The CFR comprises the regulatory enactments of all US Federal
agencies. Title 10 of the CFR contains energy-related regulations, including those
promulgated by the NRC. These regulations are promulgated through formal agency
procedures, typically involving the requirement for public notice and opportunity to comment.
Title 10 contains basic standards generally applicable to all NRC licensees, with a range of
technical references. The Index to Title 10 is about 4 pages and lists all subjects in the CFR
that pertain to the business of nuclear regulation. However, only a few parts of the CFR need

72
special mention here. Examples of those particularly relevant to the regulation of the safety of
nuclear reactors include:

Part 2 rules for licensing proceedings.

Part 20 radiation protection standards.
Part 21 reporting defects/non-compliance.
Part 25 fitness for duty reports.
Part 50 licensing of production and utilization facilities (NPPs).
Part 51 environmental protection.
Part 52 early site permits/standard designs.
Part 54 NPP license renewal.
Part 55 operators licenses.
Part 100 reactor site criteria.
Part 171 annual fees for reactor licenses.

NRC regulatory guides: An important category of NRC guidance is regulatory guides (see
Table IV, number 2). These are designed to provide guidance to licensees and applicants on
implementing specific NRC regulations. They explain the methodologies and techniques used
by the staff in evaluating certain problems or accidents. They also provide specific data
needed by the NRC staff in reviewing permits or licenses. They inform a licensee what he has
to submit for the purpose of obtaining authorization to conduct a licensed activity. The
regulatory guides fall within 10 divisions, as follows:

x Power reactors.
x Research and test reactors.
x Fuels and materials facilities.
x Environment and siting.
x Materials and plant protection.
x Products.
x Transportation.
x Occupational health.
x Antitrust and financial protection.
x General.

NRC inspection manual: Very important document is the NRC inspection manual that is
primarily intended to guide NRC inspection staff in regulatory activity. However, it also
provides guidance to licensees and public on how NRC conducts its work including
procedural and organizational matters. The manual is an internal document, it is not subject to
the level of outside review or public participation like the Code of Federal Regulations.

NUREG Documents: Somewhat below the regulations and regulatory guides there are reports
in a numbered series designed NUREG Documents. The series was begun very early in the
history of the Atomic Energy Commission. NUREG Documents are technical reports on
subject of broad interest. They are not regulations, nor even mandatory documents, but they
provide important on technical subjects of broad interests. They also include directories,
manuals, procedural guides for internal NRC use, as well as the proceedings of meetings or
conferences on technical subjects. International agreements are also set forth in NUREG
Documents. Generic environmental impact reports, which are general statements about the
impact of certain kinds of nuclear activities on the environment that are used in the licensing

73
process are also included in this series. Reports about contracts the NRC has negotiated with
other organizations are a final category of NUREG.

Generic communications: Because they do not fit in any other category, NRC has included a
number of documents in a series called “Generic Communications”. The category can include
administrative letters to licensees about aspects of their work that are concerned to the
Commission. The series also includes bulletins on technical or administrative matters,
circulars, generic letters and similar documents (for example, those relating to a common
mode problem in a reactor system). Information notices and regulatory issues summaries are
also circulated to the public. These concise summaries describe the handling of regulatory
issues of particular interest.

Inspector General reports: The Inspector General issues annual and semi-annual reports on
specific topics providing the reports of his investigations on NRC management practices to
ensure efficiency, effectiveness and integrity. This is the important mechanism of the NRC’s
internal quality assurance process. The Inspector General may also report on conduct by
licensees where that conduct affect NRC regulatory programmes. Inspector General reports
are read very carefully on the subject of great interest.

Accessing NRC regulatory guidance documents: The first stopping point for anyone seeking a
particular NRC guidance document is the agency’s website at [Link]. The site is a user-
friendly clearing-house for the complete range of NRC documentation. In addition to the NRC
website, another avenue for research into the Commission’s guidance documents has recently
been developed. ADAMS is the acronym for NRC’s new automated data acquisition and
management system, an information technology engine that puts every piece of paper in the
NRC system into an electronic form that can be accessed by authorized persons. ADAMS will
permit rapid access to every aspect of the NRC regulatory guidance system, enabling the
Commission to communicate with its licensees, the public and other people.

74
 The Commission (5 commissioners)

Advisory Committee Office of the Office of Office of Public Office of General

on Nuclear Waste Inspector General Congressional Affairs Affairs Counsel

Advisory Committee Chief Financial Chief Information Office International Office Commission
on Reactor Safeguards Officer Officer Programs Appellate Adjudicat

Office of Secretary Atomic Safety and

of the Commission Licensing Board
Executive Director
for Operations

Deputy Exec. Dir. for Materials, Deputy Executive Director for Deputy Executive Director
Research and State Programs Reactor Programs for Management Services

Office Nuclear Materials Office of Nuclear Office of State and Office of Office of Office Small Business
Safety & Safeguards Regulatory Research Tribal Programs Administration Human Resources and Civil Rights

Office of Nuclear Office of Office of Incident Response

Reactor Regulation Enforcement Investigations Operations

Region I Region II Region III Region IV

Philadelphia, PA Atlanta, GA Chicago, IL Arlington, TX

FIG. 11. US Nuclear Regulatory Commission — organization.

75
2.3. LICENSING OF A NUCLEAR POWER PLANT

2.3.1. IAEA approach to licensing

The Convention on Nuclear Safety presents in its Article 7 that the legislative and
regulatory framework shall provide for a system of licensing with regard to nuclear
installations and the prohibition of the operation of a nuclear installation without a license.
The license means any authorization granted by the regulatory body to the applicant to have
the overall responsibility for the siting, design, construction, commissioning or operation of a
nuclear installation.

The licence is an official document that authorizes a specified activity or set of

activities in connection with nuclear installations and establishes requirements and conditions
governing the performance of these activities. Such sets of activities are often: siting,
construction, commissioning, operation and decommissioning. Further details concerning
licences are given in [Link].

In this respect, the licence and its set of conditions fulfils several functions: the licence
may be the appropriate (and best) means to develop, interpret and complete the
legislation/regulation when the latter follows non-prescriptive approach, and it will make
mandatory appropriate parts of guides and standards, as well as specific proposals made by the
applicant (this is usually the case in a non-prescriptive approach, where the choice of methods
or solutions will be based on such proposals and submitted to the regulatory body for
approval). The licence could thus fulfil a part of the functions attached to regulations in the
case where appropriate regulations are not available.

The licence is the final result of evaluation (review and assessment) of the application
and formulates the conclusions and decision(s) of the regulatory body relative to it and, as
such, it gives the applicant the formal authorization to proceed within the limits set, on the one
hand, by the legislation and, on the other hand, by the conditions included in the licence.
Licence conditions are always mandatory and have the force of law. They have to be included
in the licence either explicitly or by reference or attachment. Licences may include (parts of)
legislation/regulation and other relevant documents by quoting, by reference or by attachment.

In the licensing process, the licence is at the key-point of starting a new set of activities
of the “applicant” and where the “applicant” becomes a “licensee”.

The licence with its conditions is a living document: it can be adapted (sometimes it
has to be adapted) to a changing situation (e.g. modification of the plant; experience feedback;
new knowledge brought by research); it can also be suspended or revoked. Only the regulatory
body has the legal power to modify, suspend or revoke a licence. The licensee may request a
modification of its licence, but it has to do so through a new application.

More detailed guidance on the format and content of licence document is given in
[Link].

76
2.3.2. Examples of licensing practices

[Link]. USA

The current trends in the USA in the licensing and re-licensing of nuclear power
plants are presented in [Link].

[Link]. United Kingdom

In the UK, the NSD as regulatory body grants only one licence at the creation of the
nuclear facility. At each new stage in the life of the facility, that means also at each stage of
the licensing process, the initial licence will be amended and the set of licence conditions will
be adapted to the new stage. The British licence contains a standard set of 35 licence
conditions. The NSD can modify a licence condition without delay and without a possibility
of appeal. Each nuclear site licence has conditions attached that have the force of law and
which place either absolute requirements or require the making of adequate arrangements and
compliance with those arrangements. A fundamental feature of one condition is the
requirement for the licensee to demonstrate the safety of the proposed operation in a document
known as the “safety case”, prior to the start of that operation. Breach of any law, regulation
or licence condition is a criminal offence and the offender may be prosecuted in the United
Kingdom courts of law.

[Link]. Switzerland

In Switzerland, the licence is a general authorization usually for a whole set of

activities involving one nuclear facility (nuclear power plant or other nuclear facility including
associated radiological aspects) or for a single step in the case of a „small“ project such as a
radiochemical laboratory with only aspects of radiological protection. In the case of the
nuclear facility, it is the government itself (Federal Council) that has the exclusive
competence to grant the licence. A modification of a licence condition needs re-issuing the
licence along the licensing procedure, i.e. including consultation and possibility of appeal.
However, in case of urgency, the Swiss safety authority (HSK), has the power to issue an
order to modify a particular licence condition or even to suspend the licence, but this has to be
eventually confirmed by the licensing authority.

Within the frame of a valid licence, the HSK defines sets of the licensee’s activities for
which its approval is necessary prior to starting specified activities. Upon its approval, the
Inspectorate has the competency to give the corresponding authorizations directly to the
licensee and does it in the form of issuing “execution permits”. This gives to the Inspectorate
a practical and efficient means of controlling the licensing process (e.g. selected parts of
construction work; manufacture of important components; assembling and wiring on site; sets
of commissioning tests; start up after refuelling or after modification or repair; etc.).

[Link]. Licensing and commissioning of nuclear power plants in Finland [16]

In Finland, licensing procedures are presented in the Nuclear Energy Act and Decree.
Licensing documents are handled in more detail in Section 4. Applications are sent to the
Council of State and the administrative body handling the applications is the Ministry of
Trade and Industry. According to the law STUK is the expert body to review the nuclear

77
safety aspects. STUK gives its statement including its stand on nuclear safety and safety
assessment report to the Ministry.

The siting and construction of a nuclear power plant requires the decision in principle of
the council of state stating it is in line with the overall good of society. According to the Nuclear
Energy Act, the decision in principle shall be given to parliament for review so that parliament
may reverse the decision in principle as such or may decide that it remains in force as given. In
the application, one or several plant site and plant type options may be given on which a decision
will be made later. In accordance with Nuclear Energy Act, STUK makes a preliminary safety
assessment of the application. When preparing the safety assessment, STUK invites comments
on the assessment from the advisory committee on nuclear safety and, where necessary, also
from other expert organizations.

A nuclear power plant construction licence as well as an operating licence is applied for
from the council of state. STUK issues statements on the applications for a construction licence
as well as for operating licence. The statements are supplemented with safety assessments. When
preparing the safety assessments, STUK invites statements on them from the advisory
committee on nuclear safety and, where necessary, also from other expert organizations. The
prerequisites for granting a construction and operating licence are prescribed in the Nuclear
Energy Act. In its safety assessment STUK takes a stand on the fulfilment of statutory
requirements as regards the issues to be reviewed by STUK.

According to the Nuclear Energy Decree, the various phases of nuclear facility
construction may be started only after STUK is satisfied for each phase. STUK exercises
detailed control over the construction of the facility. This control aims to ensure that the
conditions of the construction licence, the regulations which apply to pressure vessels and the
approved plans are complied with and that the nuclear facility is built, also in other respects, in
accordance with the regulations issued by virtue of the Nuclear Energy Act. During construction,
control is focused on the working methods in particular to guarantee high quality. The licensee
shall appoint a responsible manager and his deputy for the construction of a nuclear facility who
have approval from STUK for this job. The qualifications required of the responsible manager
are presented in the Nuclear Energy Decree.

Pursuant to the Nuclear Energy Decree, STUK ensures that the operating organization is
adequate and appropriate and that the individuals participating in the use of nuclear energy meet
the qualifications required and that proper training is arranged for them. According to the
Nuclear Energy Decree, the licensee shall appoint a responsible manager and his deputy for the
operation of a nuclear power plant who shall have approval from STUK for this job. Pursuant to
the Nuclear Energy Decree, the operator of the facility systems in the main control room of a
nuclear facility must have STUK's approval for the job.

A trial run is an essential part of a nuclear power plant's commissioning. It serves to

demonstrate that the plant is built and operates according to design. The trial run is divided into
the following main parts: systems tests, fuel loading and pre-criticality tests of reactor systems,
reactor criticality and tests at low power, and tests at various power levels. STUK controls
nuclear power plant trial run by reviewing the overall trial run plans and programmes, by
witnessing the tests conducted at the power plant and by inspecting the trial run result reports.

Nuclear power plant operation is considered to begin when the loading of nuclear fuel
into the reactor is started. At this stage, to ensure that the plant conforms to the regulations that

78
apply to it, STUK makes a specific inspection to ensure that the plant and the operating
organization are ready for the operation. Reactor loading may be started when STUK has
approved the loading application and the reactor and fuel behaviour reports for the first fuel
cycle. The reactor may be made critical and brought to a higher power level in conformity with
STUK's decisions.

When the trial run has ended, the licensee and STUK will carry out an overall
assessment of the results. Based on the results of the trial run, also the technical specifications
are reassessed. Based on the assessment, the licensee makes any necessary changes which are
then approved by STUK.

[Link]. Licensing in Germany: principal parties involved [17]

Licensing authorities

In Germany there is no central licensing authority like in most countries. The

implementation of the nuclear licensing procedure is within the competence of the supreme
authorities of the Länder but the Federal Government retains the ultimate legal power and the
right to overrule local decisions, if necessary. Thus, the construction and operating licence for
a nuclear facility will be granted by the respective Land authority acting as the nuclear
licensing authority. There is co-operation between federal supervisory authorities and nuclear
licensing authorities.

The Supreme Land authorities (ministries), appointed by the Land governments, are
responsible for licences and interim decisions in accordance with the Atomic Energy Act as
well as their withdrawal and revocation. In general, these authorities are the respective
ministries for the environment or economic affairs of the Länder. These authorities also
supervise facilities according to the Atomic Energy Act and the use of nuclear fuels outside
the facilities. In individual cases, they may appoint subordinate authorities to carry out this
task.

Federal offices and advisory committees

The Federal Office For Radiation Protection (BfS) was established as the sovereign
supreme federal authority in Salzgitter in the portfolio of the Federal Minister For The
Environment, Nature Conservation and Reactor Safety (BMU). This Federal Office performs
administrative tasks in the fields of radiation protection, nuclear safety and the transportation
of radioactive substances and radioactive wastes. It supports the BMU in technical and
scientific matters and also does research in fulfilment of its tasks.

Among other things, the Federal Office for radiation protection is responsible for:

x State custody of nuclear fuels;

x Construction and operation of plants of the federal government to secure and permanently
store radioactive wastes;
x The transportation licence for nuclear fuels and large sources, as well as its withdrawal
and revocation;
x The licence for storage of nuclear fuels outside of state custody.

79
 In addition, the Federal Office is the Federal Government Centre for the monitoring of
environmental radioactivity and keeps the radiation protection register. The radiation
protection register includes data on the radiation exposure of persons exposed to radiation due
to their profession, In order to keep watch over the values of the maximum permissible dose
as well as data on compliance with the principles of radiation protection. The Federal Export
Agency and the customs authorities of the Federal Minister of Finance, respectively, are
responsible for licensing the import and extort of nuclear fuels.

The following advisory commissions and one co-ordination panel (Federal

Government/Länder) are available to the BMU for the purpose of federal supervision of the
Länder:

x Reactor Safety Commission (RSK).

x Commission on Radiation Protection (SSK).
x Länder Committee for Nuclear Energy.

RSK and SSK prepare recommendations for the BMU concerning special safety-
related matters in general or on a particular nuclear power plant.

The Reactor Safety Commission advises the BMU on all safety-related matters related
to nuclear reactors and nuclear fuel cycles. In general, the RSK consists of 18 members who
represent the different technical areas of nuclear engineering, as e.g. constructional
engineering, measurement and control engineering, reactor physics, systems control
engineering and the science of materials. As a general rule, membership is limited to three
years and constitutes a personal honorary function without allowing substitution. The
members are appointed by the BMU. They are independent and not bound by directives.

The Commission on Radiation Protection has the task of advising the BMU in all
matters related to the protection against the hazards resulting from ionising radiation. In
general, the SSK consists of 17 members who need to have special knowledge of one of the
following main areas: biophysics, radiochemistry, radiology and nuclear medicine,
radioecology, radiobiology, non-ionising radiation, radiation genetics, radiation protection
medicine, radiation measurements technique and radiation protection technique. As with
RSK, the SSK-membership constitutes a personal honorary function. As a general rule, the
members are appointed by the BMU for a period of three years. They are independent and not
bound by directives.

The Committee for Nuclear Energy debates and co-ordinates questions related to the
application and interpretation of statutes and ordinances pursuant to nuclear law and radiation
protection law. With a BMU-representative in the chair, it consists of referees from the other
Federal ministries as well as the department heads/functional department referees of the
Länder ministries. As an Advisory and Co-ordination body of the Federal government, its
decisions are only recommendations, in practice, however the Committee for Nuclear Energy
plays an important role.

According to the Atomic Energy Act, the construction, operation and possession of
nuclear installations are subject to continuous supervision. The supreme authorities of the
Länder are responsible for exercising supervisory and control functions, which they may
delegate to subordinate agencies, in individual cases. In general, independent experts or expert

80
organizations, namely the technical inspection agencies (TÜV) are involved. In addition,
import, export other professional handling and transportation of radioactive material, as well
as construction and operation of final repositories for radioactive waste are subject to
governmental licensing and supervision.

Länder authorities and technical support organizations (TÜVs)

Within the regulatory body of a state (Land) approximately 5 to 10 person-years per

nuclear power plant unit and year are spent for inspection and supervision. Typically one to
three inspectors are in charge of inspections regarding nuclear safety of one nuclear power
plant unit. Inspection regarding e.g. radiation protection, often is delegated to subordinate
governmental agencies. In addition, supervision for industrial safety and environmental
matters, as legally required for all types of industrial activities is carried out by other
competent agencies.

In general, for all supervisory and inspection programmes independent experts are
assigned by the Länder authorities for examination of reports, reported events, calculations,
technical specifications, safety assessments for modifications and for conducting or assessing
in-service inspections. In most cases, Technische Überwachungsvereine (TÜVs) are assigned
as expert organizations. There are several TÜV-Organizations in Germany, historically
assigned to and working mainly in the individual Federal Länder. Recent developments go for
the formation of larger organizations (holdings, Ltd., Corporate) serving the needs of several
Länder. Including non-nuclear inspection programmes (e.g. for cranes, fire protection,
pressure vessels), which are also carried out by TÜV-personnel, a total manpower of
approximately 30 to 40 man years per nuclear power plant unit each year is spent for
inspection by experts. This does not, however, include safety assessments and expertise for
major modifications, for which a licence is required.

During refuelling outages, the presence of regulatory inspection personnel and experts
at the plant is increased. On average, about 30 experts performing inspections and recurrent
tests are constantly present at the site during the outage. The inspectors of the regulatory body
are in possession of a university degree e.g. engineering, physics, chemical engineering) and
have several years of practical experience in industry, research centres, with technical expert
organizations or in licensing bodies. Personnel of technical expert organizations (TÜV), who
are contracted as experts hold university degrees in technical fields or technical engineering
degrees. For special inspections, e.g. pressure vessel inspection according to the pressure
vessel regulation ordinance, state authorized and licensed inspectors are assigned, also within
the TÜV organizations. The inspectors are trained in professional courses, symposia,
workshops, simulator training courses and, as guests, during actual operation of nuclear
facilities, and by exchange of experience. The inspectors authorized by the supervisory
authorities, as well as experts consulted by them, have access to the nuclear installations, and
may carry out necessary examinations and request pertinent information.

To implement their respective tasks, the staff of the federal ministries and agencies and
of the Länder authorities as well as their material expenses are budgeted within the Federal
and the Länder governmental annual budgets. There are also budgets for research on nuclear
safety and radiation protection.

According to the basic principles of the administration cost act, fees are levied for all
administrative actions in favour of individual persons or private companies. In the case of

81
licensing and supervision of nuclear installations, the Atomic Energy Act provides the
regulation for the charging of costs, including fees and expenses, to the applicant or the
licensee. Details on the respective fees are laid down in the atomic energy act cost ordinance.
For example, the fee for granting a construction licence for a nuclear power plant is set to
2/1000 of the construction costs of the nuclear licensed part of the plant. For other licensing
decisions, fees may range from 1000 to 1 Million DM. In addition, fees for conducting
inspections and measurements are fixed. These fees shall be based on the actual expenses and
will be invoiced to the licensee.

The licensing as well as the inspection authorities may contract experts and expert
organizations (TÜV´s) for expertise and conduct of inspections, provided these expenses are
justified according to the technical needs and difficulties. The expenses for the experts are
reimbursed to the regulatory body by the licensee.

Experts

In the licensing and supervisory procedure pursuant to the Atomic Energy Act or
Radiological Protection Ordinance, the respective authorities may consult experts. Such
consultation by the Länder authorities is normal practice. There are either experts
organizations (e.g. Technical Inspection Agencies such as GRS) or individual experts. The
selection criteria is: technical knowledge, experience, objectiveness, impartiality, neutrality
and reliability. The experts are merely “helpers to the authorities” in establishing the facts of
the case. They do not have any authority to make decisions. Their opinions are subject to the
free evaluation of the evidence by nuclear licensing and supervisory authorities who make the
final decisions.

The essential questions of the examination in the licensing procedure are: (1) Which
requirements are to be fulfilled by systems and components? (2) Can these requirements be
fulfilled according to best practices?

The Atomic Energy Act, the decrees, the general administrative rules and the so-called
technical-scientific regulatory work (as e.g. guidelines, RSK/SSK-recommendations, safety
standards of the nuclear standards committee (KTA-Regeln), German industrial standards
(DIN-Norms) are the measuring instruments for decision-making.

Applicant

In Germany, applicants for the construction of nuclear facilities are in general

independent companies that go on to operate the facility after licensing, i.e. applicant and
operator are one and the same. An exception to this relates to the storage of plutonium and the
treatment and final storage of radioactive substances. In this case, the Federal Office for
Radiation Protection is the applicant and operator.

The manufacturer or supplier of the nuclear facilities, for which the application is
made, supports the applicant in drawing up the application documents.

Involvement of the public

If the licensing authority states that the application, the safety report and the brief
description contain all the necessary information for the citizens, the project can be made

82
public. The planned project will be made public by official printed announcement. Usually,
this is the official gazette for the Land. However, this measure alone is not sufficient, since the
average citizen seldom reads these gazettes. Therefore, it is prescribed by law that the project
has to be announced locally by the press published in the area of the facility concerned.

After public announcement, the most important part of public participation begins. The
application, safety report and brief description are made available for public inspection at the
licensing authority and a suitable location near the project site. During the so-called
presentation period, written objections can be raised. The term “objection” means any kind of
opposition and arguments against the planned project. Thus, there are no formal limitations.
The objections, however, have to be confined to the subject of the procedure. If sufficient
objections are raised within the set period, a hearing will be scheduled.

The Hearing constitutes the conclusion of public participation. This Hearing serves
several purposes. On the one hand, the objections raised within the permitted time are
discussed to clarify the concerns of those objecting. On the other hand, those objecting shall
be granted the right of audience by being given the opportunity to specify their written
objections orally. Further, those objecting shall receive information on other, in many cases
also contrary, opinions.

The Hearing is conducted by a representative of the licensing authority. This person

has to arrange the procedure formally in such a way that all aspects are considered. None of
the objections may remain non-discussed. Therefore, the leader of the Hearing stipulates the
order of the subjects to be discussed at the beginning of the hearing.

The licensing authority has to examine all of the aspects presented and must make a
decision at the end of the licensing procedure. This is a difficult task because of the often
conflicting positions of the different persons involved.

[Link]. Licensing in Germany: legal aspects and procedures of assessment [17]

Objective and reason for an assessment

According to the Atomic Energy Act a licence may only be granted if the licensing
prerequisites are given. This is to be examined by the respective licensing authority which can
either carry out the examinations itself or consult experts. Generally, experts are consulted to
show whether or not protective provisions have been made against damage due to the
construction and operation of the plant in accordance with best engineering practices and if
protection against interference and other impacts by third persons can be ensured.

If a nuclear facility is built, a separate experts opinion is ordered for each partial
licence, as a general rule. Partial licences have to be applied for by the applicant separately
according to the Nuclear Licensing Procedures Ordinance. Thus, the applicant determines the
number of partial licences, as far as there is a legitimate interest in doing so.

Appointment of experts by the authority

Pursuant to the Atomic Energy Act, the responsible authorities are entitled to consult
experts. In general, these experts come from experts organizations. Foremost among these are
Technical Inspection Agencies and GRS. The law, however, also permits consultation with

83
independent individual experts. There are no stipulations regarding special qualification
prerequisites by ordinance, but primarily each expert has to possess technical knowledge and
must be impartial and reliable.

Due to the wide range of technical issues to be clarified when assessing a nuclear
facility, the experts consulted may, upon agreement with the authority, confer sub- contracts
on additional experts, as e.g. GRS. In this respect, the principles on the allocation of sub-
contracts by experts of the Länder Committee for Nuclear Energy are to be observed.

Documents to be submitted

According to the requirements of the nuclear licensing procedures ordinance, a safety

report, among other things, has to be attached to the application for nuclear licensing,
describing the hazards connected with the plant and the safety measures provided. In 1976 the
Home Secretary (the minister responsible for reactor safety at that time) published “advice
giving outline criteria for a standardized safety report for nuclear power plants equipped with
pressurised water reactor or boiling water reactor”. The publication of the Home Secretary
contains guidance for each section of the outline which should be considered when drawing
up a safety report. A further list, which is the "collection of information necessary for the
examination in the nuclear licensing and supervisory procedures (ZPI), comprises the
documents required for the experts opinion, in addition to the safety report, and which also are
necessary for the accompanying control. The requisition of documents is stated in thematic
order and structured according to submission dates within each subject.

The requisition of documents is subdivided into two categories. Documents of category

“A” are to be submitted for examination of the licensing prerequisites, and documents
belonging to category “B” are related to the fulfilment of constructional requirements or the
accompanying control. The ZPI-list comprises about 50 pages and was developed from the
experiences gained from previous licensing procedures. In particular cases, deviations from it
are possible by non-requisition of single documents stated in the ZPI, or requisition of
additional documents. As a general rule, the required documents are to be submitted by the
applicants.

Assessment criteria

The criteria relevant for an assessment can be ordered hierarchically according to the
their obligatory character. As a matter of course, the Atomic Energy Act and ordinances
belonging to it, as e.g. the radiological protection ordinance, are to be observed as binding.

For nuclear power plants, safety criteria and safety-related guidelines are also to be
observed. The safety criteria include principles on safety-related requirements to ensure
accident prevention according to the Atomic Energy Act. Incidents are listed in the safety-
related guidelines. If an applicant has based the plant design on this, a licensing authority may
regard the accident prevention requirements as fulfilled.

All directives inferior to ordinances are not legally binding. In general, however, they
represent the “modern most up-to-date science and technology” quoted in the Atomic Energy
Act. An expert has to examine this before their implementation. If need be, he has to consider
the latest operating experiences or latest research results.

84
 The Reactor Safety Commission, the Advisory Body of the Federal Minister for the
Environment, Nature Conservation and Reactor Safety, drafted guidelines for pressurised
water reactors and boiling water reactors as a basis for their advisory activities. As the Reactor
Safety Commission debates all significant licensing decisions and makes recommendations on
the respective facts of the case, the RSK guidelines usually also are regarded as assessment
criteria.

In some areas, e.g. over pressure protection for pressure vessels and steam generators,
there are no special nuclear regulations. In this respect, the requirements in accordance with
regulations for conventional engineering are to be adapted to nuclear requirements, taking into
account e.g. aspects of radiation protection.

The nuclear regulatory work is subject to change. It is amended and modified. The
safety standards of the nuclear standards committee (KTA-Regeln) for example are examined
with regard to their relevance to the current situation every five years. The Technical
Inspection Agencies issue loose-leaf summaries for internal use on the nuclear regulatory
work entitled TÜVIS (TÜV information systems) to ensure the application of the latest
regulations. At present, this loose-leaf collection consists of 18 files and is being revised
continuously.

An important tool for assessing the safety of nuclear facilities is the application of
probabilistic methods. It is recommended in the safety criteria for nuclear power plants under
“Principles on Safety Provisions” to determine the reliability of essential safety-related
systems and plant components with the aid of probabilistic methods, as a supplement to the
deterministic overall safety assessment of nuclear power plants. Currently, these are often
applied.

Form and contents of the assessment

It is the objective of the expert organizations to proceed according to uniform rules

regarding the kind and scope of the assessment. For this purpose, when the technical
inspections agencies became associated, the head office for nuclear engineering of the
technical inspection agency (TÜV-Leitstelle Kerntechnik) decided on a standard outline and a
directive for safety assessment requirements for nuclear power plants with pressurised water
reactors and boiling water reactors. Further, there is the “General Guideline on the preparation
of experts opinions in nuclear administrative procedures” of the Home Secretary issued in
1983.

The outline of an experts opinion corresponds to the outline of a standard safety report.
According to the guidelines mentioned above, the introduction of the opinion embodies the
task and assignment of duties. This is followed by a description of the facts of the case to be
examined, all of which are solely based on the application documents.

The assessment criteria for the layout of the respective safety equipment put up by the
manufacturer are stated in the section “assessment criteria” and are examined with regard to
completeness and applicability.

The inspections carried out by the expert for the advisory assessment of the facts of the
case are stated in the section “description of the inspections”. In the simplest case, it is a
matter of comparison with the regulation requirements. Calculations are also carried out by

85
the applicant, sometimes with diverse computer programmes, e.g. in the field of failure
analysis, strength, probabilistic or physical design. In many cases, conservative estimates are
sufficient to substantiate the experts opinions.

The examination of the completeness of supporting material submitted is an important

part of the activities of the experts. It has to be examined, for example, whether or not all
postulated incidents and the resulting loads have been taken into account.

Based on a comparison of the examination results with the safety assessment standards
an experts assessment of the facts of the case is carried out. For this purpose, the positive and
negative results of the examinations are discussed in detail. Should the occasion arise that a
positive overall result can only be achieved by fulfilment of later requirements by the
applicant, these requirements have to be worked out carefully in accordance with the results of
the experts opinion. These requirements, however, must be feasible.

The expert has to sign his opinion personally with the following statement: " hereby
declare to have delivered this opinion impartially according to the best of my knowledge and
belief and free of pre-decided results'.

Licensing steps

The nuclear licensing authority not only has to examine the formal and material nuclear
licensing prerequisites, but also has to observe other regulations under public law.

Even though the authority states that the applicant of the project has fulfilled all
nuclear licensing prerequisites as well as all other regulations under public law, and even if
the result of the environmental impact assessment was positive for the applicant, the nuclear
licence does not necessarily have to be granted. Now, the authority may use its discretion, as
the authority is vested with the so-called rejection discretion according to the German Atomic
Energy Act. This means that the authority may reject the application even if all licensing
prerequisites have been met. Nevertheless, the discretionary considerations have to be
reasonable and, in particular, correspond to the specific appropriation in accordance with the
Atomic Energy Act. Thus, an arbitrary decision will not be allowed. A “discretion” is only
possible if aspects concerning single nuclear licensing prerequisites and other regulations
under public law could not have been examined up till then.

In general, many aspects and partly contrary points of view are being brought together
through the involvement of citizens and authorities. The licensing authority has to consider
decision alternatives thoroughly on the basis of these aspects.

Rejection of the project application

If the licensing prerequisites have not been fulfilled and fulfilment cannot be ensured
by additional conditions, the application for construction and operation has to be rejected.

Preliminary decision

It is possible that the applicant applied for a preliminary decision instead of a licence. It
is permitted by law to issue a preliminary decision on special subjects if the granting of a
nuclear licence depends on a positive response to special items. Thus, only questions at the

86
preliminary stage of a later licensing procedure will be clarified. By this, the preliminary
decision anticipates statements of the later construction or operating licence. It is not
prescribed by law which items can be clarified in advance by a preliminary decision. Only the
preliminary decision on the plant location is expressly stated.

Full licence

The full licence for construction and operation of a nuclear facility is the guiding
principle of the law. In general, however, such a project is so complex that it cannot be coped
with by a single official decision. Therefore, it is common practice with major projects to
divide the entire licensing procedure into several steps. The procedure subdivided into several
sections, each of them ending with a decision-in -part of the authorities, i.e. the partial licence.

Partial licences

The stepwise procedure has several advantages. By subdividing the information

material into several sections the procedure becomes more transparent. The work can be
planned efficiently, thus saving time and costs. Moreover, applicant and licensing authority
can each react more flexible in case of particular, small procedural steps. Above all, this
manner of proceeding respects the principle of best possible danger prevention and risk
precautions as each partial licence must correspond to the state of the art. First of all, an
application by the operator for a decision by the authority on partial licensing procedures is
required according to the law. For this purpose, the applicant has to demonstrate a legitimate
interest in partial licences. The legitimate interest of the applicant consists generally of
securing stepwise his considerable investment. The investment risk can be reduced by the
granting of partial licences.

Legal security is provided insofar as the licensing authority is bound by the licensing
decision made. If the facts of the case do not change and the legal situation does not change to
the disadvantage of the applicant, the applicant can count on the continued validity of the
partial licence issued. The discretionary rejection becomes increasingly limited with each
additional partial licence granted until, finally, the applicant has a legal right to the granting of
the last partial licence, which is normally the operating licence.

Just as with a full licence, the partial licence is a beneficial administrative act. It
permits specified actions to be taken such as excavation, construction of the reactor building
or installation of vital operational or safety systems etc. Usually, a partial licence involves
various conditions and referrals.

The partial licence differs from the full licence only by its limited regulatory content. In
contrast to a full licence, the partial licence does not permit the complete construction and
operation of a plant, but only parts of it. This implies that the nuclear licensing authority has
carried out definitively an examination of and judgement on the licensing prerequisites for
each partial licence.

Preliminary positive overall decision

In the end, the total of all partial licences shall be equivalent to the full licence, but this
can only be achieved, if the parts fit together. Therefore, the partial licences must be related to

87
each other. The alignment can only be made if the total project as planned by the applicant is
kept in view. If, for example, the foundation of the reactor building is licensed by the first
partial licence, it is necessary to know the loads on and floor plan of the building. This, on the
other hand, requires an adequate knowledge of the components, systems and machines which
are to be located in the building. Therefore, a licence for a plant component can only be
granted if the licensing authority has clarified the requirements of the total project at the
outset. This implies a decision on the basic approval of the whole project. The preliminary
positive overall decision represents the necessary linking between the licensed plant
component and tie entire plant as planned.

Announcement of the decisions

The nuclear licensing procedure ends with an announcement of the decision of the
authority. The authority has to promulgate its decision and the grounds for it in writing, and,
of course, deliver it also to the applicant. In addition, the decision has to be delivered to the
objectors as well.

Further, the decision will be announced to the public in the official publication gazette
and the local newspapers in the area of the plant. If more than 300 persons raised objections,
the individual serving of the decision will be replaced by a public announcement.

As only the decision together with the instructions for legal remedy will be published,
and not the grounds for the decision, every citizen has the right to inspect the entire decision
within two weeks beginning with the public announcement at the licensing authority or
another office near the nuclear power plant. Upon request, those who object can obtain the
decision in writing from the licensing authority. For this purpose, important partial licences —
as e.g. the first partial licence or the first operating licence — usually are printed in book
form.

Additional licences

Further to licensing pursuant to the Atomic Energy Act, a series of licences is

additionally necessary due to parallel laws.

Regional planning procedure

The regional planning procedure serves the purpose of examining if and, where
applicable, under which conditions the planned nuclear power plant meets the requirements of
regional planning.

Construction licence procedure

All facilities to be built at a nuclear power plant require a licence according to building
laws just as for conventional construction projects. In general, several partial construction
licences will be granted. The first partial construction licence may not be granted before the
first nuclear partial licence has been granted. In some Länder, the nuclear licensing according
to the Atomic Energy Act includes the construction licence.

88
Licensing procedure according to Emission Control Act

A licence according to the Federal Emission Control Act is required for cooling towers,
conventional boiler systems and start-up boilers.

Permission procedures according to water law

The lowering of the ground water level, the treatment and drawing off of surface water
during construction as well as the tapping and discharge of cooling water later during
operation, all require permissions according to the water law.

Industrial law procedures

Reactor pressure vessels, steam generators and all other pressure vessels have to be
licensed according to the industrial law, particularly with regard to maintaining industrial
health and safety standards.

Plan approval procedure

According to the Atomic Energy Act, the Länder have to establish land collecting
points for the interim storage of radioactive waste produced in their territories and the federal
government has to establish facilities for safe custody and final storage of radioactive wastes.
The construction and operation of these federal facilities as well as all major modifications of
such facilities or their operation are subject to plan approval. The procedure for it is stipulated
in the administrative procedure law.

An important difference between plan approval procedure and licensing is the

placement of all licences and similar official documents under one authority, i.e. the plan
approval authority, unless otherwise stipulated by law. Only the regulations of mining and
deep-storage law are not subject to plan approval.

The plan approval represents an official function with regard to the facility plan. On the
basis of a particularly formal procedure, the admissibility of specified facilities with regard to
all public interests affected shall be determined. Further, all relationships related to public law
between the operator and the persons affected by the plan shall be regulated finally in such a
way that the required licences and similar documents subject to other legislative provisions
are replaced by the decision of the plain approval authority. The incontestability of the legal
continuity of the licence under public law shall be guaranteed by this decision.

The procedure ends with the plan approval decision comprising all licences under the
respective laws regarding areas of speciality. In contrast to the licensing procedure for nuclear
power plants, partial licences are not provided for in the plan approval procedure.

A particular regulation with regard to the mining law is stipulated in the Atomic
Energy Act. The plan approval does not cover the admissibility of final storage according to
the mining and deep-storage law. The decision on admissibility is a matter for the responsible
mining authority.

In contrast to the plan approval procedure, the mining law procedure is a continuous
procedure which is carried out parallel to mine operation. It ends with the shutdown of the
mine and, if necessary, the re-cultivation of the premises.

89
2.4. QUALITY ASSURANCE, PERFORMANCE REVIEWS AND SELF-ASSESSMENT
IN THE REGULATORY BODY

2.4.1. Quality assurance

[Link]. IAEA criteria for quality assurance

Quality assurance plays an important role in regulatory activities. Quality assurance

programmes within utilities and their subcontractors and especially the implementation of these
programmes is of vital importance to nuclear safety. Simultaneously, the quality assurance
programme of the regulatory body itself and implementation of the programme are of great
importance. When studying the QA viewpoint of activities of regulatory body the same criteria
as presented for nuclear industries is a good starting point.

Article 13 of the Convention on Nuclear Safety [11] concerns quality assurance and
requires: “Each contracting party shall take the appropriate steps to ensure that quality
assurance programmes are established and implemented with a view to providing confidence
that specified requirements for all activities important to nuclear safety are satisfied throughout
the life of a nuclear installation.”

Basic objectives, concepts and principles to ensure the safety of nuclear facilities are
presented in the IAEA “Safety Fundamentals” [8]. The Safety Fundamentals document forms a
top level publication in the hierarchy of the IAEA Safety Series. Some of those issues concern
quality assurance like:

“Quality assurance practices are an essential part of good management and are to be
applied to all activities affecting the quality of items, processes and services important to safety.
Inherent in the achievement of quality is the adoption of a quality assurance programme, which
includes the planned and systematic actions necessary to provide adequate confidence that
specified requirements are satisfied. Implementation of the quality assurance programme
involves managers, performers of tasks, and those responsible for verification and assessment of
the effectiveness of the programme. It is not a sole domain of a single group. However,
management has the key responsibility to ensure that the programme functions properly and to
establish and cultivate principles that integrate quality assurance practices with daily work
activities.”and

“Quality needs to be verified by a disciplined approach. Thus, quality assurance

practices include:

x A detailed analysis of the objectives to be achieved;

x An analysis of the tasks to be performed;
x The identification of skills required;
x The selection and training of personnel;
x The use of appropriate equipment and procedures;
x The use of document control and record systems;
x The creation of a satisfactory working environment; and
x A recognition of individual responsibilities.

90
 The extent and type of quality verification need to reflect the safety significance and
nature of the individual tasks. Such verification methods include audits, checks and examin-
ations to ensure that each task has been satisfactorily performed or that any necessary actions
have been taken. However, the basic responsibility for achieving quality remains with the
performer of the task, not the verifier.”

The other QA related criteria presented in the Safety Fundamentals Document are as
follows:

x Organizations engaged in activities important to safety shall establish policies that give
safety matters the highest priority, and shall ensure that these policies are implemented
within the managerial structure having clear divisions of responsibility and clear lines of
communication.

x Organizations engaged in activities important to safety shall establish and implement

appropriate quality assurance programmes that extend throughout the life of the
installation, from siting and design through to decommissioning.

x Organizations engaged in activities important to safety shall ensure that there are sufficient
numbers of adequately trained and authorized staff working in accordance with approved
and validated procedures.

x The capabilities and limitations of human performance shall be taken into account at all
stages in the life of the installation.

In accordance with the Safety Fundamentals document the quality assurance principles
shall be applied in all organizations engaged in activities important to nuclear safety.

More detailed IAEA Requirements are presented in [6]. The Requirements document
presents basic requirements and principles that in the light of experience and the current state of
technology must be satisfied to ensure adequate safety. The main objective is to place emphasis
on work results, recognising the responsibilities and contributions of managers, workers and
those who assess the quality of work. The purpose of this kind of performance-based approach
to quality assurance is to prioritise programme implementation and effectiveness, rather than
programme development and documentation.

Plenty of other regulations exist for quality assurance programmes (quality systems). A
series of ISO 9000 documents is a generally approved and largely used foundation. Further, the
regulatory bodies have their own requirements defined in national regulations and safety guides.

[Link]. Quality assurance programmes

The quality assurance programme is a component of good management and is essential to

the achievement and assessment of high quality of products, services and work processes. To
ensure a proper implementation it is important that the quality assurance programme is tailored
to an organization by taking into account existing routines and specific features of the
organization. The requirements constitute the foundation of a comprehensive quality assurance
programme.

91
 These basic requirements are divided into three functional categories:

x Management.
x Performance.
x Assessment.

2.4.2. Performance reviews — IAEA IRRT services

[Link]. Purpose

The International Regulatory Review Team (IRRT) service provides advice and
assistance to member states to strengthen and enhance the effectiveness of their nuclear safety
regulatory body [18].

[Link]. Objective

The key objective of an IRRT mission is to enhance nuclear safety by:

x Providing the host country (regulatory body and governmental authorities) with an
objective review of their nuclear regulatory practices with respect to international
guidelines;
x Providing the host regulatory body with recommendations and suggestions for
improvement in areas where their organization or performance can be improved or falls
short of internationally accepted practices;
x Providing key staff at the host regulatory body with an opportunity to discuss their
practices with experts who have experience of other practices in the same field;
x Providing all member states with information regarding good practices identified in the
course of the review; and
x Providing experts from member states and the IAEA staff with opportunities to broaden
their experience and knowledge of their own field.

[Link]. Scope

An IRRT mission can review following topics:

x Legislative and governmental responsibilities;

x Authority, responsibilities and functions of the regulatory body;
x Organization of the regulatory body;
x Authorization process;
x Review and assessment;
x Inspection and enforcement;
x Development of regulations and guides;
x Emergency preparedness;
x Radioactive waste management and decommissioning;
x Radiation protection, and
x Transport safety.

92
[Link]. Experience

The IRRT service was inaugurated in 1989 and four missions were completed in the
period to 1994. Since 1997 there has been a much greater demand for the service and during
this period missions to Bulgaria, Romania, Slovakia, Ukraine, Switzerland, Slovenia, Czech
Republic, Finland, Hungary and China were completed. Pre-IRRT missions to Viet Nam and
Indonesia have also been completed. There is now a very high demand for the service.
Although the service started with a focus on regulations for NPPs, most missions now include
reviews of regulations in the areas of radiation, radioactive waste and transport safety.

[Link]. Recent developments

The experience gained during the completed missions and the new Safety Requirements
Document on Legal and Governmental Infrastructure have been used to revise and update the
IRRT guidelines. Recent work has concentrated on developing the guidelines for the review of
radiation safety, radioactive waste management and the interface between the regulatory body
and the operator. Follow-up visits are envisaged in the future.

2.4.3. Quality assurance and self-assessment in the regulatory body — an example

The basic elements of the quality assurance programme presented in [Link]. For the
internal QA programme of the regulatory body are reflected in the following country specific
example STUK (Finland).

[Link]. Management

Nuclear Energy and Radiation Protection Acts and Decrees as well as the Decree on
STUK define the regulatory framework in Finland. They also set our objectives and basic duties
in the legislation. General safety requirements are given in the Decisions by the State Council
(i.e. Cabinet of Ministers). Detailed technical and administrative instruction relative to the
design, construction, commissioning and operation of nuclear power plants are given in the YVL
guides published by STUK. These guides form a practical basis for the regulatory work.
Through the YVL guides STUK transfers the legislative requirements to the practical control
and inspection related requirements. In addition to the YVL guides STUK has internal guides
which define administrative and inspection related practices.

The quality assurance programme of Radiation and Nuclear Safety Authority (STUK)
consists of many duties and work processes which are defined in several STUK manuals and in
the department specific YTV manual. In addition to the legislation and YVL guides work
practices are defined in the manuals as follows:

x STUK quality manual;

x Administration manual;
x Financial administration manual;
x Emergency preparedness manual;
x Communications manual.

All of these manuals were established by examining legislation, and considering the
expectations and needs of main counterparts. Co-operation modes, requirements for the nuclear

93
YVL guides. The YTV quality manual and the emergency preparedness manual are the main
internal documents which regulate actions of regulatory control within the department of nuclear
reactor regulation. The organizational structure and individual job descriptions of the nuclear
safety control are included in the YTV quality manual.

Training and qualification

There are training procedures in the YTV quality manual and training manager position
in the organization. The inspector training programme has been developed and implemented.
Necessary knowledge and skills for performing the duties have been identified. Staff selection
methods exists [19].

Document control and records

All information exchanged between the regulatory body, other governmental bodies,
the operator, its contractors, advisory committees and the regulatory body's consultants and as
appropriate, members of the public should be formally recorded upon receipt and stored in a
manner that allows for easy retrieval. It is particularly important that documents related to
enforcement action can be accessed when required.

There is an act controlling archives of governmental organizations. This act requires that
each organization must have an archive rule defining necessary activities in registration. It is a
folder containing the rule and following appendixes: structure of the register, list of documents
which are not registered, registration, detailed structure of the register, handling of secret
documents, borrowing of a document from the register, organization, job descriptions, fees of
copies, protection of documents, destroying of documents. Concerning nuclear power plants
there is a separate substructure for each NPP containing the following headings: NPP
administrative control, licensing document control, NPP systems, components and structures
according to a system list, trial tests, control of operations of NPP (reports etc.), nuclear fuel,
nuclear material, nuclear waste. All these materials are kept permanently, NPP procedures are
kept when they are still valid. After the decommissioning of NPP these documents will be sent
to the national archives for research purposes. There are some documents which are kept until
decommissioning and then 5% of the annual documentation will be sent to national archives.

[Link]. Performance
The YTV quality manual includes also procedures to define safety performance
objectives as well as annual performance objectives as part of longer term strategy. Working
methods which stress quality and satisfactory working environment as well as relationships
with the customer groups are also included.

When applied to the operating NPP’s, regulatory control contains assessment and
inspections which can be divided in three categories as follows:

x Periodic inspections as specified by STUK in plant specific programmes;

x Topical inspections to be requested by a plant owner on a basis of YVL guides;
x Safety re-assessment.

The inspections contained in the periodic inspection programme are focused at safety
significant functions and processes applied by the utility. The control aims to ensure

94
compliance with the regulations and the plans and programmes approved by STUK, and to
assess the appropriateness of the utility activities.

Nuclear power plant operation includes activities which can be implemented only after
STUK’s approval of the activity has been granted. The approvals are tied to preceding
inspections. It is also verified afterwards that the implementation complies with the plans and
meets possible regulatory conditions. Requirements and obligations which apply to
inspections of different topics are presented in the YVL guides.

The important inspections which the operating organization is obliged to request are
the inspections of repairs and modifications. For all the repairs of failed safety significant
components, as well as for all modifications of the safety systems the operating organization
has to present their plans in advance for STUK approval. The plan has to include technical
documentation as needed to verify the acceptability of the functional features, structure, and
materials of the repaired or new equipment. Also the repair or installation method, quality
control, and tests after the work have to be presented. When the work has been completed, the
operating organization has to ask for construction and/or commissioning inspections.

The safety level of the nuclear power plant is re-assessed after any abnormal event, and
the need for corrective measures is considered. To ensure a systematic analysis of the event
and its causes, an investigation team by STUK is nominated. The team has to find out root
causes of equipment failures and human errors and weaknesses in the performance of the
operating organization as a whole. At the end the team has to present a report including
recommendations for corrective actions, intended to prevent re-occurrence of similar events.
A similar parallel activity is required from the operating organization, and it has to submit its
special report for regulatory approval. A thorough evaluation of the situation at the Finnish
plants is also done if an event reported from a foreign nuclear power plant is suspected to be
of such a nature that it might as well occur in our country.

Besides feedback from the operating experience, safety re-assessment is done on the
basis of PSA studies and in view of new information gained from safety research programmes.
Periodic safety reviews are also carried out, e.g. when operating licences of NPP’s are
renewed.

In addition to the regulatory control of nuclear power plant operation, STUK maintains
its preparedness to act in plant emergencies. In an emergency, STUK is the authority
controlling accident management and an expert body providing assistance to the authorities in
charge of the rescue services.

[Link]. Assessment

The regulatory body should have a system to audit, review and monitor all aspects of
its activities such as inspection and enforcement activities to ensure that they are being carried
out in a suitable manner and that changes to them that are needed, due to improvements in
techniques or otherwise, are implemented. This system should consider among other matters,
in the case of inspection and enforcement:

x Inspection guidance and inspection methods;

x Inspection resource allocation;

95
x Procedures within the regulatory body in relation to inspection activities e.g. planning of
inspections;
x Procedures for co-ordination of inspection activities with the review and assessment
process;
x Procedures for involving consultants in inspection activities;
x Recording of documentation;
x Procedures related to enforcement actions.

Effectiveness of the regulatory activities is assessed through normal everyday

supervision and through periodical self-assessment reviews where management, organization,
work methods, quality of work, communication, human aspects etc. are handled through some
systematic review method and where there is a possibility to get feedback internally or from
other organizations. Some outside organizations can be used also for independent assessment
such as IAEA IRRT services to review regulatory activities.

For example in STUK self-assessment project was carried out in 1995–1997. The
criteria set for the Finnish quality award (see Table VIII) were used as model in this
assessment and via this process strengths and weaknesses of our working methods were
identified and relationships with our customer groups were also handled. Topics included
leadership, management and analysis of information and data, strategic planning, human
resource development, process management, results of performance, customer focus and
satisfaction, society and environment related influence. The method is mainly intended for
commercial companies but can be used also in analysing governmental organizations. This
project provided good information for future development. Also work environment
evaluations carried out by external companies as well as communication training sessions
have been organized for improving working conditions and atmosphere.

The periodic inspection programme is reviewed annually through feedback gained

during the previous year. The organizational units and individuals are reviewed through
performance appraisals annually or more frequently. Guides and procedures are reviewed once
in four years and then new developments and work methods can be written in the new
revisions.

The IAEA IRRT mission was carried out in STUK in March 2000. The resulting report
is provided through STUK Internet home pages.

2.5. PROFESSIONALISM AND TRAINING OF REGULATORY BODY STAFF

What is meant by professionalism in an inspector’s work? How can professionalism be

developed? These are the key questions for this Section. Inspectors are proud of their
profession. To develop professionalism it is essential to realize the essence of the job. For
supervisors and training co-ordinators this is particularly important because they transmit their
own performance and behaviour through the training they offer to newcomers.

What is professionalism? It is clear that professionalism means competence in terms of

knowledge and skills, education and experience. But this is not enough. Inspection and
assessment must be conducted in an independent and objective manner. Inspectors are not
power company people, nor are they opponents of nuclear power. They perform independent

96
inspection work according to the guidelines, procedures and criteria in an objective manner.
They communicate in a business-like manner, which means that communication is pertinent
and systematic. Because they are inspectors they have a questioning attitude. They do not
assume too much, they ask for explanation and clarification from licensees and their
representatives. They know this phrase “questioning attitude” also from the safety culture
discussions, and they can help to promote safety culture through their questioning attitude.
Last but not least their appearance, fitness and behaviour is in accordance with the expected
behaviour norms. They have learnt that unsuitable appearance and behaviour may ruin their
chance of reaching their goals. This applies also to their inspection work. They affect their
counterparts through their appearance and behaviour and may improve their possibilities to
carry out inspection and to get better response to their findings.

The inspector understands his/her role and duties and knows his/her rights, obligations
and responsibilities. The inspector knows his/her powers in inspection work. The inspector
has his/her priorities in the right order where nuclear safety is concerned.

TABLE VIII. SELF-ASSESSMENT OF STUK ACTIVITIES. THE CRITERIA OF THE

FINNISH QUALITY AWARD COVER THE FOLLOWING ELEMENTS:

Results of performance Strategic planning

x Product and service quality results; x Strategy development;
x Company operational and financial results; x Strategies and action plans.
x Supplier performance results.
Human resource development and
Customer focus and satisfaction management
x Customer and market knowledge; x Human resource planning and evaluation;
x Customer relationship management; x High performance work systems;
x Customer satisfaction determination; x Employee education, training and
x Customer satisfaction results; development;
x Customer satisfaction comparison. x Employee well-being and satisfaction;
x Results of employee development and
Leadership management.
x Personal leadership of top management;
x Leadership system and organization. Process management
x Design and introduction of products and
Management of information and analysis services;
x Management of information and data; x Product and service production and delivery;
x Competitive comparisons and benchmarking; x Support services;
x Analysis and use of company level inform- x Management of supplier performance;
ation and data.
Society and environment related influence
x Responsibility for the society;
x Management of environmental issues;
x Results of environmental management.


97
2.5.1. Regulatory role and duties

In the following the Radiation and Nuclear Safety Authority (STUK) is used as an
example to clarify the matter. In different countries there are different governmental practices
that must be taken into account if applying the ideas. The philosophy of governmental
regulatory body (STUK in Finland) is as follows:

x The use of radiation and nuclear energy are useful but potentially dangerous activities;
x The government needs to find out the acceptability of the activity from the point of view
of the society and to ensure safety as well as to control the activity;
x For this, the parliament passed the law establishing the STUK and giving the rights and
necessary sanctions to the STUK;
x Then the STUK decides what is right on the basis of powers received from the
parliament.
x An inspector’s role and duties in STUK in Finland are as follows:
 The inspector is a civil servant of the Finnish government;
 The legislation (Nuclear Energy Act) defines the specific role of the Inspectorate, e.g.
the Inspectorate defines safety requirements and the inspectors verify by inspections
the fulfilment of safety requirements;
 The Inspectorate also has a specific role in emergency preparedness.
Other laws like pressure vessel and radiation protection laws increase the role of the
STUK compared to some other western regulatory bodies.

The Nuclear Energy Act defines specific duties of the Inspectorate:

x Handling of permit applications;

x Control of conditions of permits and specification of detailed requirements;
x Set safety requirements;
x Control of fulfilment of safety requirements;
x Set conditions for the persons involved in the use of nuclear power and study the
fulfilment of the conditions;
x Give expert assistance to other authorities;
x Perform necessary research and participate in the international co-operation;
x Refer to decisions and give statements on the base of control.

STUK publishes the regulatory requirements in the form of regulatory guides called
YVL guides. The guide YVL 1.1 “STUK as the regulatory authority for the use of nuclear
energy” [16] presents the forms of control and inspections made by the STUK. For a specific
inspector the duties are defined in the job description.

2.5.2. Rights

According to the Nuclear Energy Act the inspector has the following rights:

x He/she has access to the place of inspection;

x The inspector can inspect, measure and get samples;
x He/she gets necessary information and documents, plans and agreements;
x He/she can give orders, require settlements and reports and have research made.

98
2.5.3. Obligations

In his/her work the inspector must note the following obligations:

x Principle of law. In regulatory work we must follow the law; we know the law and the
subject matter; we know how to act and what kind of rights we have; we act without
delay in an open, correct and honest way.

x Principle of equality. All citizens and organizations must be dealt with equally. In similar
cases there should be similar solutions. This means that we know possible solutions and
the solutions already used. The YVL guides define in many cases the main guidelines.
Supervisors must ensure that these are followed. We are open and honest.

x Principle of correct aims. When considering a solution it is not acceptable to promote

other goals than what is the case.

x Principle of proportional sanctions. Sanctions must be in right relationship to an offence.

Seriousness of an offence is considered on the base of safety importance: we do not shoot
a fly with a gun.

x Principle of objectivity. The regulator must be objective and correct. If one is disqualified
he must pass the matter to another person. Independence is necessary in regulatory work.
A published general attitude may affect the believing on one’s objectivity.

x Principle of effectiveness. The taxpayers pay the final bill. We must be careful when
using public money; we must work with important matters and our actions must not
consume too much time.

x Principle of publicity. Generally matters are public. The regulator must be open if the law
does not say otherwise. Openness means speed in publishing and correct content. Keeping
something secret presumes a decision. Documents under preparation are non-public and
STUK may consider if it gives information. There are three reasons for secrecy of
documents: threat of illegal activity (terrorism), trade secret and protection of privacy.

2.5.4. Responsibilities

In law the inspector has the following responsibilities:

x Disciplinary responsibility. The inspector must act according to his/her duties. In the case
of failure there are sanctions as warning, dismissal for max. six months or final dismissal;

x Responsibility of criminal legislation. Criminal law mentions e.g. the following

responsibilities that concern government officials: bribe offence, offence against secrecy
of documents and misuse of one’s office;

x Responsibility for compensation of loss. If the inspector causes economic loss to the
counterpart because of failure in one’s duties caused by purpose or by grave error or by
neglect of duties the employer carries the responsibility in the first place but the
responsibility may apply to the inspector later. There is also a principle of moderation to

99
 be applied in this kind of cases. As an example a serious case in this respect may be if the
regulatory body (representative) orders the plant to be shut down without reasonable
safety importance.

2.5.5. Relationships with the power company

Relationships with the licensee should be clear. An atmosphere of confidence and

respect should prevail between the two parties. One should remember that a plant manager has
full responsibility for the plant safety. The regulator ensures that operator fulfils this
responsibility. Therefore the inspector gets all the information and documents needed for
assessment and has right to inspect. It is always good to give an operator a chance to comment
and propose a solution for the problem.

If needed the regulator has tools for enforcement. E.g. STUK has strong tools at its
disposal. However, the strong enforcement tools have not been used in practice. We think that
for achievement of a high safety level it is better to motivate people to do good work, rather
than to threaten them by fines or other penalties. Especially we want to avoid charges against
individuals who have committed errors by mistake or due to shortcomings in training and
information provided to them. It is also recognised that the use of legal or monetary penalties
does not resolve the structural root causes of the problems. Experience has shown that a very
effective way of enforcement is public information about abnormal events at the nuclear
power plants.

2.5.6. Professional behaviour

How should a professional inspector behave? The inspector conducts inspection and
assessment independently and in an objective manner. One listens to licensee representatives
carefully so that he/she understands information properly. The inspector communicates in a
pertinent and systematic manner. He/she uses moderate language in oral and written
communication and avoids extreme expressions. One knows how to handle proprietary
information. The inspector avoids negative attitudes and he/she tries to promote safety culture
with positive attitudes.

2.5.7. Inspection/auditing techniques

Inspection/auditing techniques are a special skill the inspector must have if he/she is
going to perform inspections successfully. In the following some key ideas are presented to
stimulate your imagination. A suitable technique depends on the type of inspection. Your
successful ideas and techniques should be discussed with your colleagues because through
experience we learn these things.

There are several methods for acquiring information: review of written material,
interviews with personnel, direct observation of performance, status and activities,
independent testing. Before inspection one must decide what written information to read
before going to the plant and what during the inspection/audit. At the beginning of inspection
the inspector establishes a good communication with the licensee representative and gives the
general overview on the inspection. The inspector takes control of inspection activities: is well
prepared; does not assume but asks questions, takes detailed notes, and adheres to plant rules.
When performing the inspection one pays attention to detail and gets to the root cause of

100
problems; one verifies and evaluates findings and searches for objective evidence; one should
take bigger sample if he/she is unsure of problem scope or existence.

When interviewing people one asks open questions avoiding “yes” or “no” answers,
e.g. by using words how, who, what, when, why, show me and he/she listens the answers
carefully. The inspector does not reveal his/her opinion of the answer and does not compare
different organizations. One does not disagree between the team members during the
interview and one admits if his/her question is beyond the level of his/her knowledge. The
inspector is objective and shows rather positive attitudes than negative and arguing attitudes.
If the inspector finds deficiencies he/she gets admission from the licensee representative.

Professional attitude in inspection is that the inspector tries to find problems and areas
for improvement but leaves finding of solutions to the power company.

2.5.8. Inspection philosophy

It is important for the regulatory body to define inspection philosophy — to formulate

some kind of inspection programme. In Finland the nature of the inspection programme has
been defined in the YVL-guide 1.1. In different countries the inspection philosophy varies
somewhat. What functions well in a small country may not be applicable in a big country and
vice versa. Therefore it is useful for the inspector to exchange information with colleagues
from other countries to get new ideas for developing inspection practices in one’s own
country. E.g. there is a working group of inspection practices (WGIP) of the
OECD/NEA/CNRA for this kind of information exchange among OECD countries and it has
published some useful documents in this respect e.g. presenting the inspection philosophy,
organization and practices in different countries [15].

Inspectors should also have some tools to prioritise inspection work. A safety
classification document is a useful tool in this respect. Use of PSA is also used increasingly to
prioritise inspections. We are nuclear safety inspectors. Therefore the most important
viewpoint in inspection for us is nuclear safety viewpoint. From a philosophical point of view
the application of basic principles of defence-in-depth concept are central. Inspectors should
know the concept so well that he/she even by instinct covers the key points in his/her
inspection work. Application of the concept is a good sign of the right safety culture attitudes.

Starting from the basic principles of “defence-in-depth” thinking, we should

concentrate on the following three lines of defence in our inspection work:

x Prevention of failures.
x Monitoring or detection of failures.
x Making sure that failures cannot recur and mitigation of consequences of failures.

Specifically, when operations, maintenance and technical support of NPPs are

concerned. Each of these topics leads to more detailed sub-items depending on the topic such
as:

x For prevention: are there proper procedures and are they used, preventive maintenance
programmes, tools and working conditions, briefing and training, QA etc.;

101
x For monitoring and detection: are there proper alarms and alarm procedures, surveillance
programmes, testing procedures and criteria, testing lines and measuring devices etc.;

x For experience feedback and mitigation: are there proper operational feedback systems
and methods, component repair and reliability histories, reactor protection system
response, incident procedures, accident management procedures, etc.?

When the organizational and safety culture aspects are considered the following key
items should be considered:

x Policy level commitment.

x Managers’ commitment.
x Individuals’ commitment.

Also in this case each of these topics leads to more detailed subitems to be considered
such as: is there a proper safety policy statement, where are the safety topics handled in the
documentation (policy level, QA manual, Tech. Specs, respective procedures); what is
management and individuals’ opinion on the subject matter: what have they done to minimise
the risk, do they support the finding, what are they going to do to improve the situation, why it
was possible that the inspector made the finding before they realised the unsafe situation, how
often unsafe situations appear, how often inspectors make these findings etc.

Our questions and review should be directed in such a way that these aspects will be
covered if they are applicable in the inspection in question. If our work reflects these aspects
systematically we have good opportunities to promote nuclear safety and safety culture
through our work.

2.5.9. Maintaining competence

How does a professional inspector maintain competence. One follows the development
in his/her technical field of speciality. One keeps up to date with changes in regulatory policy
and practices. One develops his/her skills in inspection and assessment to the highest level for
being able to develop practices and not only to perform routine work.

If this is your goal how do you organize the matter?

2.5.10. Training of inspectors

One of the central prerequisites for professionalism is competence i.e. knowledge,

skills and attitudes needed for the job in question. The IAEA Requirements for Governmental
Organization say that a regulatory body shall ensure that its staff members participate in well-
defined training programmes. Continuing training is also required. For well-defined training
programmes the regulatory body needs training administration as well as initial and
continuing training. Table IX shows the basic elements of regulatory training programme [19].

Organization of training depends on the size and resources of the regulatory body. A
small and inexperienced regulatory body needs external international support. A large and
experienced organization may be self-sufficient. In any case international information
exchange is needed for continuing training to get fresh and new ideas for further development.
Examples of regulatory competencies and training activities in a regulatory body are given in
[20].

102
TABLE IX. ELEMENTS OF REGULATORY TRAINING PROGRAMME

Basic knowledge Communication and management skills

x Familiarization with the law and radiation and x Effective writing skills;
industrial safety; x Interviewing skills;
x Nuclear safety principles and safety culture; x Negotiation skills;
x Plant and systems knowledge; x Leadership and team work skills.
x Accident analysis and emergency planning;
x QA and organizational matters. Continuing training
x Refresher training;
Professional knowledge x Further personal development;
x Regulatory control; x Information exchange and international co-
x Assessment skills; operation.
x Inspection skills;
x Job specific training courses;
On-the-job training.

For the well-defined training administration training manager/coordinator as well as

training policy and necessary training procedures are needed. Job descriptions are needed for
preparing systematic, job specific and individual training programmes. Furthermore training
courses, facilities and training materials should be established. In addition to training courses,
a systematic approach by using individual on-the-job training guidelines is needed. A good
model is provided by the OECD/NEA/CNRA/WGIP through its inspector qualification
guidelines [21].

3. ASSESSMENT OF SAFETY

3.1. IAEA GUIDANCE FOR REGULATORY REVIEW AND ASSESSMENT2

Review and assessment is one of the regulatory body’s principal functions. The size
and composition of the regulatory body, including consultants and advisory committees,
reflect the extent and nature of the facilities that it regulates and may also vary depending on
the phases of the facilities’ life-cycle.

When using consultants, the regulatory body carefully defines the terms of reference
for the review and assessment. Consultants possess a clear understanding of the regulatory
body’s safety objectives. The regulatory body has permanent staff with sufficient competence
to manage the work of consultants and to evaluate the quality and results. The use of
consultants shall not relieve the regulatory body of any of its responsibilities. In particular, the
regulatory body’s responsibility for making decisions and recommendations shall not be
delegated.

2
INTERNATIONAL ATOMIC ENERGY AGENCY, Review and Assessment of Nuclear Facilities by the
Regulatory Body, GS-G-1.2 (in press).

103
 The basic objective of review and assessment is to determine whether the operator’s
submissions demonstrate that the facility complies throughout its lifetime with the safety
objectives, safety principles and safety criteria stipulated or approved by the regulatory body.
The specific objectives of the review and assessment depend on the stage of the lifetime of the
facility. Examples of these specific objectives are presented in Table X.

TABLE X. EXAMPLES OF SPECIFIC OBJECTIVES OF REVIEW AND ASSESSMENT

x To determine whether an operator has the ability and resources to discharge its obligations
associated with any authorization granted for any stage of the lifetime of the facility.

x To determine whether the chosen site is suitable for the proposed facility, account being taken of
the site–facility interaction and, anticipated changes to the site environment during the proposed
period of operation, and to recommend to the appropriate authorities requirements on the site
surroundings that may be considered necessary by the regulatory body.

x To determine, before manufacture, construction, installation or decommissioning, whether the

design related, operational or decommissioning related proposals in relation to the facility, and
other operator statements and commitments, meet the regulatory body’s requirements, and to
impose any further conditions or requirements that may be considered necessary by the regulatory
body.

x To determine whether the commissioning test programme is complete and contains a well defined
set of operational limits, test acceptance criteria, conditions and procedures; whether the
commissioning tests can be safely conducted; and whether the test results are adequate for
confirming the adequacy of all safety related features of the facility.

x To determine whether the operator has a safety management system that meets the regulatory
body’s requirements.

x To determine whether the operational limits and conditions are consistent with the regulatory
body’s requirements, the operational characteristics of the facility and the state of knowledge and
operational experience, and whether an adequate level of safety is maintained.

x To determine whether the operator’s personnel, in terms of both number and competence, meet
the regulatory requirements at all phases of the life-cycle of the facility.

x To determine whether proposed modifications to the facility have been conceived and
implementation planned so that safety is not compromised.

x To evaluate safety reviews performed by the operator including performance indicators.

x To determine whether the operator’s statements and commitments regarding decommissioning

and closure meet the requirements of the regulatory body.

The review and assessment is primarily based on the information submitted by the
operator. For the thorough review and assessment of the operator’s technical submission the
regulatory body acquires an understanding of the design of the facility or equipment, the
safety concept on which the design is based, and the operating principles proposed by the
operator. The regulator satisfies itself that:

104
x The available information demonstrates the safety of the facility or proposed activity;

x The information contained in the operator’s submissions is accurate and sufficient to

enable verification of compliance with regulatory requirements; and

x The technical solutions, and in particular any novel ones, have been proven or qualified by
experience or testing or both, and are capable of achieving the required level of safety.

The regulatory body prepares its own programme of review and assessment of the
facilities and activities under scrutiny. The regulatory body follows the development of a
facility or activity, as applicable, from initial site selection through design, construction,
commissioning and operation to decommissioning. Much of the review and assessment will
be connected with specific stages of the authorization process and the depth and content will
vary accordingly. Co-operation of the operator is essential to ensure that review and
assessment can be carried out in an effective and informed manner.

Management of the review and assessment within the regulatory body is an important
part of the process. It includes planning, preparing guidelines, developing competence and
necessary tools for review and assessment, co-ordinating information exchange and activities
internally and externally, keeping a log on documents and actions, making arrangements for
liaison with consultants and advisory bodies, monitoring the progress, collating and
disseminating the overall findings and reporting the results of review and assessment.

3.1.1. Safety objectives and safety requirements for review and assessment

Safety objectives and basic safety requirements specify safety goals or protection
levels of performance to be achieved at the facility. However, the regulatory body does not
prescribe specific designs, safety management systems or operational procedures. Safety
objectives and safety requirements may be developed by the regulatory body itself or adopted
from safety objectives and safety requirements developed and published by regulatory bodies
in other Member States or by international organizations. If these are to be adopted, a good
understanding of their basis and use in other Member States should be acquired, and
adaptation may be necessary for specific purposes.

In formulating the content and structure of the safety objectives and safety
requirements to be used in its review and assessment process, the regulatory body may
consider a broad range of sources. Examples of these sources are:

x National laws and regulations;

x The requirements and experience of relevant national industries;
x Technical results and experience of research and development;
x Expertise and requirements used by other persons and bodies involved in reviewing and
assessing similar facilities with respect to technology or safety implications;
x Advice obtained from consultants and advisory bodies associated with the regulatory
body;
x Nuclear, radiation and waste safety standards and guidance as well as other information
published, by national and international organizations.

105
 The regulatory body has a clear understanding, at all stages of the authorization
process, of the basic safety objectives and safety requirements that will be used for review and
assessment. As far as is practicable, these basic safety objectives and safety requirements are
communicated to the operator for guidance in preparing its documentation.

3.1.2. Areas for review and assessment

This section outlines the areas of review and assessment. A list of the topics to be
considered in a review and assessment process through out the life-cycle of a nuclear power
plant is given in 3.2. It is important to note that the safety argument presented by the operator
should at all phases deal with the full range of topics to an appropriate level. At all stages the
operator demonstrates that it is in control of the facility and has adequate organization,
management, procedures and resources to discharge its obligations and as appropriate, its
liabilities.

Site evaluation

In considering an application for siting, the regulatory body will tend to concentrate on
characteristics of the site and, as appropriate, the interaction between the proposed facility and
the site. Site selection for many facilities is initially determined by processes not greatly
influenced by highly prescriptive criteria. However, general national policy requirements
concerning remoteness, local population density and transport arrangements apply.

In all cases, the site of the facility is qualified by review and assessment to determine
potential interaction between the proposed facility and the site, and the suitability of the site
from the point of view of safety. This site review and assessment may be performed in parallel
with the design review and assessment or, as in some member states, may be performed at an
earlier stage. Areas of review and assessment that are of particular significance are the impact
of the local environment, natural and human made on the facility’s safety and the demands
that the facility will make on the local infrastructure.

Design, construction, manufacture and installation

Before authorization of construction of the facility, review and assessment will be

concentrated on the operator’s approach to safety and safety standards and how these have
been applied in developing the design. Features such as the physical layout and building of the
facility and the key process elements and expected radiation doses should be clearly
understood and their effect on the safety of the facility throughout its lifetime are assessed at
the design stage. In addition, before authorizing construction, the regulatory body reviews and
assesses the operator’s arrangements for control of construction, manufacture and installation
activities. Once construction has started, many features of the design can be changed only with
great difficulty and at high cost.

Review and assessment of the design will continue during construction, manufacture
and installation, as the details become finalized. Changes to the authorized design in this
phase are analyzed by the operator and reported to the regulatory body which carries out the
necessary review and assessment.

106
Commissioning

Commissioning can be considered in two stages: inactive, before fissile material is

introduced, and active, after fissile material is introduced. Clearly the radiological risks only
arise after the second stage has been started and therefore it is normal to make the start of this
stage a major step in the regulatory authorization. Both stages of commissioning are carried
out against a programme which has been reviewed and assessed by the regulatory body and is
capable of testing whether the as built facility meets the stated requirements.

The inactive stage of the commissioning is aimed at ensuring that the facility has been
constructed, manufactured and installed correctly and in line with the design documentations.
Where deviations from this have occurred they have been recorded and it has been shown that
the safety analysis has not been compromised. The results of inactive commissioning also
confirm the operational features of the facility and lead to the development of detailed
instructions for operators that will be confirmed during the active phase.

Active commissioning with the introduction of fissile material is a major step in the
authorization process. The review and assessment take into consideration the final or ‘as built’
design of the facility as a whole, the commissioning programme and its progress, the
organizational structure, the qualifications of operating personnel, emergency planning, the
preliminary operational limits and conditions, and the preliminary operating procedures.
Where there are deviations from the design parameters, the regulatory body reviews and
assesses additional analysis provided by the operator.

As the active commissioning processes move closer to completion, review and

assessment are concentrated on how the facility is operated and maintained, and on the
procedures for controlling and monitoring operation and responding to deviations or
occurrences. Before authorizing routine operation, the regulatory body reviews and assesses
the results of commissioning tests including correction of eventual non-conformances. The
regulatory body reviews and assesses any proposed changes to the operational limits and
conditions.

Operation

For routine operation the regulatory body requires the operator to report regularly on
adherence to safety objectives and compliance with specified regulatory requirements, and on
efforts made to enhance safety. The regulatory body reviews and assesses the reports and
performs inspections to confirm whether compliance with safety requirements is maintained
and whether the facility is able to continue in operation.

While the need for reassessment may arise in a number of ways, systematic safety
reassessments termed periodic safety reviews (PSRs) need to be carried out by the operator at
intervals to review the cumulative effects of ageing of the facility and of modifications, and
the implications of operating experience and technical developments. The objective is to
assess the facility against current safety requirements and practices and to determine whether
adequate arrangements are in place to maintain its safety. When a review shows that the
facility does not meet current safety requirements, the significance of the shortcoming is
assessed and the possibilities of meeting the requirements are considered. The PSR enables
the regulatory body to judge whether it is acceptable for the facility to continue to be operated
until the next PSR is carried out.

107
Decommissioning

Review and assessment of decommissioning covers the decommissioning plant and the
procedures and methods to be applied, the anticipated doses, the maintenance of safety and the
final state of the facility at the end of decommissioning. An area of particular significance is
the safe management of the radioactive waste generated.

3.1.3. Review and assessment methodology

The review and assessment process is a critical appraisal, performed by the regulatory
body, of information submitted by the operator to demonstrate the safety of the facility.
Review and assessment is undertaken in order to enable the regulatory body to make a
decision or series of decisions on the acceptability of the facility in terms of safety. Decisions
relating to safety are based on the review and assessment of the operator’s submissions, the
studies and evaluations performed independently by the regulatory body itself, and the safety
objectives and specific safety requirements established by the regulatory body. These safety
objectives and safety requirements will themselves be founded on the existing knowledge as
represented by the technological developments in all pertinent fields. Decisions of the
regulatory body should reflect professional judgement by technically competent persons on
the bases of requirements and operational experience throughout the review and assessment
process.

Review and assessment includes consideration of both normal operation and failures,
faults, and events, including human errors that have the potential for causing the exposure of
workers or the public or subjecting the environment to radiation hazards. This safety analysis
is as complete as possible and one of the initial tasks of the review and assessment is to
confirm its completeness. The review and assessment process includes checks on the actual
situation at the site and elsewhere to validate the claims made in the submissions. Operators
often have external peer reviews conducted for them by national or international
organizations. The results of such reviews, if available, could provide the regulatory body
with additional insight to the activities of the operator.

[Link]. Review plan for operator’s submissions

The operator is responsible for submitting documentation in support of its application

for authorization. At each stage of the authorization process the operator will be required to
demonstrate to the satisfaction of the regulatory body that the facility can be sited, designed,
constructed, commissioned, operated, decommissioned or closed without giving rise to undue
radiation hazards to workers, the public and the environment. Any modification to safety
related aspects of a facility or activity is subject to review and assessment, with the potential
magnitude and nature of the associated hazard being taken into account.

For more important submissions by the operator (e.g. safety analysis report) it may be
useful for the regulatory body to perform an acceptance review of the documentation. As a
result of this acceptance review, an application or submission that is grossly deficient in
certain areas is returned to the operator for correction prior to re-submittal.

108
 In carrying out a review and assessment of an operator’s submission the regulatory
body employs a systematic plan to provide assurance that all topics significant to safety will
be covered and that operators with similar facilities are treated equally. This plan includes a
series of procedures that the regulatory body follows for all aspects and topics covered by the
submission in order to identify those items for which applicable safety objectives and
requirements have been met and those for which they have not. An outline of such plan could
be:

x Definition of the scope of the review and assessment process;

x Specification of the purpose and technical bases for the review and assessment process
(these could be considered as acceptance criteria);

x Identification of the additional information needed for the review and assessment;

x Performance of a step by step review and assessment procedure to determine whether the
applicable safety objectives and requirements have been met for each aspect or topic;

x Making decisions concerning the acceptability of the operator’s safety arguments or the
need for further submissions.

Bases for decisions

The regulatory review and assessment will lead to a series of regulatory decisions. At a
certain stage in the authorization process, the regulatory body takes formal actions that will
result in either:

x the granting of an authorization which, if appropriate, imposes conditions or limitations

on the operator’s subsequent activities; or
x the refusal of such an authorization.

The regulatory body formally records the basis for these decisions.

At many stages during the review and assessment process decisions are taken on the
acceptability of various aspects of the facility. The nature of these will vary during the lifetime
of the facility and some will be associated directly with stages of the regulatory authorization
process. The regulatory body recognizes the basis for such decisions that take account of a
number of factors, important among these are:

x The extent to which the safety objectives and requirements have been met;

x The acceptability of the depth and detail of the operator’s submission, with the nature of
the facility and the magnitudes of the risks it presents;

x The state of knowledge concerning particular processes or effects;

x The confidence in the conclusions reached on the basis of the analysis of the situation.

109
 These factors are an integral part of the review and assessment process and receive
special consideration in the documentation produced by the regulatory body. The decisions on
acceptability are taken against a background of safety objectives, precedents and judgements,
the basis for which should be clearly understood. The decision on the safety of the facility, for
example, will always be taken in the light of a requirement to fulfil certain obligations. These
will include operational limits and conditions and obligations in respect of maintenance
programme and the frequency of in-service inspection or acceptance criteria for radioactive
waste.

[Link]. Conduct of review and assessment

The general aim of the regulatory review of safety analysis report, whether
deterministic or probabilistic, is to verify that for each identified barrier the safety measures
are sufficient to provide adequate assurance at the following levels:

x Prevention of failure of the barrier itself and prevention of failure of related systems
during normal operation and in fault conditions;

x Monitoring of any parameter significant to the integrity of the barrier, to allow initiation of
either manual or automatic actions in order to prevent any evolution towards an unsafe
condition;

x Safety action to prevent or limit the release of radioactive material if the barrier has failed;

x For certain applications and depending on the associated risk, mitigation of consequences.

From this analysis, the requirements on the systems, structures, components and
operations can be derived and compared with the provisions made by the operator. The review
and assessment by the regulatory body ensures that the operator has used the safety analysis to
determine these requirements and that the requirements are met in the equipment and
operational procedures. These requirements should cover also, among other things:

x Application of the defence in depth principle;

x Meeting the single failure criterion for safety related systems;
x Requirements for redundancy, diversity and separation;
x Preference for a passive over an active or operator based system for prevention and
protection;
x Criteria relating to human factors and the human-machine interface;
x Dose limits and amount of discharges to the environment and ALARA consideration;
x Criteria for radiological risks to workers and the public;
x Minimization and management of waste generated, including the future decommissioning
phase.

Structures, system and components

From this analysis, the requirements on the structures, systems, components (SSCs) and
operations can be derived and compared with the provisions made by the operator. The review
and assessment by the regulatory body ensure that the operator has used the safety analysis to

110
determine these requirements and that the requirements are met in the equipment and
operational procedures. Specific features that are subject to review and assessment include:

x Safety functions and classification of SSCs;

x Quality of engineered features in terms of good engineering practices or as set out in the
regulatory requirements;
x Control of the facility under normal and fault conditions, with account taken of automatic
systems, the human-machine interface and operating instructions;
x Quality assurance covering SSCs and operational aspects such as training, qualification
and experience of the operator’s personnel and the safety management system.

Organization and management

A well engineered facility may still not achieve the required level of safety if it is not
managed well. The review and assessment by the regulatory body, therefore, include
consideration of the operator’s organization, management, procedures and safety culture
which have a bearing on nuclear, radiation, waste and transport safety and the operation of the
facility. The operator demonstrates by documentary means that there is an effective safety and
the operation of the facility. The operator demonstrates by documentary means that there is an
effective safety management system in place that gives nuclear safety matters the highest
priority.

The review and assessment by the regulatory body cover all aspects of the operator’s
managerial and organizational procedures and systems which have a bearing on nuclear safety
such as: operational feedback; the development of operating limits and conditions; the
planning and monitoring of maintenance, inspection and testing; the production and revision
of safety documentation; and the control of contractors. The regulatory body also reviews and
assesses the operator’s procedures for the control and justification of changes to the operator’s
managerial and organizational procedures and systems that could have an impact on nuclear
safety.

Operational safety performance

The regulatory body reviews periodic reports submitted by the operating organizations,
in accordance with established requirements, to monitor the operational safety performance of
the facility. Additionally, reports on safety significant events are thoroughly reviewed by the
regulatory body to ensure that an effective operational safety experience feedback system is in
place, that no safety related event remains undetected, and that corrective measures are
adopted to prevent the recurrence of safety related events. At times, when the severity of the
event warrants it, the regulatory body may conduct an independent investigation, usually
through a team with appropriately selected areas of expertise, to ensure that the event was
adequately investigated, the correctness of identified root causes, the adequacy of the
implemented corrective and remedial actions taken. The review includes the identification of
lessons to be learned and the process of sharing the associated safety related information.

Radiological consequences under normal conditions

The assessment of routine operation is directed towards the determination of

occupational doses and discharges. These consequences will be compared with those limiting

111
requirements and safety objectives approved by the regulatory body, including meeting the as
low as reasonably achievable (ALARA) principle. The regulatory review and assessment of
the operator’s submission should determine whether it satisfies these requirements and
objectives. In the review and assessment, particular attention should be devoted to a number
of topics that influence the potential radiological consequence to workers, the public and the
environment during routine operation, which include:

x Sources and inventory;

x Occupational radiation exposure and other topics related to radiation protection;
x Radiation protection of the public, with all pathways taken into account;
x Radioactive waste management;
x Discharge, dilution and dispersion of radioactive effluents.

Safety analysis of fault conditions

Consideration of fault conditions strongly influences the design limits for the safety
systems and for most structure, systems and components (SSCs) needed for the operation of
the facility. It will also strongly influence the operational instructions and procedures that
operating personnel should follow. In addition, the potential radiological consequences for
workers, the public and the environment in fault conditions may be much more severe than
those during routine operation. For this reason, the largest part of the review and assessment
effort may be expected to be directed to the safety analysis of fault conditions provided by the
operator. Safety analysis can be considered as two major steps:

x Identification of postulated initiating events (pies) and their frequencies; and

x Evaluation of how these pies develop and their consequences.

The method used for identification of the PIEs should be systematic, and auditable and
as complete a listing of PIEs as possible should be provided. An important feature of the
review and assessment process should be to consider whether the operator’s identification
method meets these requirements and the operator’s list of PIEs is acceptable as the basis for
the safety analysis.

PIEs can be grouped in various ways but a commonly used method is to separate them
into:

x External hazards, which are outside the control of the operator and may result from
naturally occurring or human-made causes, such as seismic, an aircraft crash or
explosions due to liquid inflammable gas transportation;

x Internal faults that result from inherent failures of the facility, such as mechanical or
electrical failures or loss of services; and

x Internal hazards that result from failures of systems which are within the operator’s
control but which are not directly involved in the process, such as fires or spillages of
corrosive material.

Consideration should also be given to human errors, which may be initiators in their
own right or which may exacerbate another fault.

112
 It is usual to classify the PIEs identified according to their initiating frequency and the
potential consequences to which they could lead. The purpose of such classification is to
decide on the level and type of analysis that should be undertaken. The regulatory body should
decide which classification and PIE analysis it requires the operator to provide so that it can
decide whether its safety objectives and requirements have been met. The nature of the facility
and the potential magnitude of the risk it presents will affect these requirements, as well as
affecting the depth and detail of the subsequent analysis.

A typical classification, based on initiating frequency, would determine:

x PIEs that are of high likelihood should be analysed to show that the facility has a robust
tolerance of them, by the provision of safety systems or inherent behaviour tending to
restore a safe state, to prevent the release of radioactive material or limit such a release to
an acceptably low level;

x PIEs that are of low likelihood but that have such severe potential consequences (i.e.
unmitigated consequences) that the facility should have safety systems to prevent the
release of radioactive material or limit it to an acceptable level;

x PIEs which do not fall into these groups should also be analysed with the intention of
determining whether in totality they make an unacceptable contribution to the total risk,
whether the PIEs in the classes defined are at a threshold of escalation of consequences,
and whether the emergency arrangements are sufficient.

The regulatory body should determine the type of analytical considerations and
assumptions to be used in its review and assessment of the operator’s analysis, and should
check that these have been taken into account. It is often the case that for those PIEs which
may affect the design and provision of safety systems, or which affect the safety requirements
on engineering SSCs, a high degree of conservatism is required in the analysis to meet the
requirement of demonstrating that the safety of the facility is robust. This part of the safety
analysis should be coupled with consideration of the engineering and the operational practices.
The regulatory body, as part of its review and assessment, should ensure that all claims made
in the safety analysis for the performance of such systems are met in practice. Similarly, the
engineering systems should be qualified to meet the functional requirement for which they
were designed; for all situations and at all times, and with environmental conditions, ageing
and so on taken into account.

The analyses of fault conditions and long term safety are usually performed using
computer codes. The regulatory review and assessment should include a check that any data,
modelling or computer codes used in calculating either the performance of equipment under
the conditions indicated by the analysis or any radiological consequences are based on
sufficiently well founded knowledge and understanding, and that an adequate degree of
conservatism has been employed. As part of its review and assessment, the regulatory body
should ensure that the computer codes are based on well understood principles. Computer
codes should be validated against experience or experiment that the coding has been done
accurately and the input data have been correctly assigned. In many cases the codes will have
been used widely both nationally and internationally, and so it will be possible to consider
their verification and validity on a generic basis. However, checks should be made to ensure

113
that the code has not been corrupted by modifications and is being used in an appropriate
manner.

As a complement to the deterministic approach the regulatory body should require an

evaluation of the risks arising from the facility. A common method to provide such an
evaluation is for the operator to perform a quantified risk analysis or probabilistic safety
analysis (PSA). PSA provides a comprehensive, structured approach to identifying failure
scenarios and the corresponding damages to the facility and as a last step deriving numerical
estimates of the risk to workers, the public and the environment. PSA provides a systematic
approach for determining whether the safety systems are adequate, the defence in depth
requirements have been met and the risks are as low as reasonably achievable. It is usual in
such analyses to use less conservative assumptions and to consider best estimate values.

The regulatory body should review and assess the PSA to gain confidence that it has
been carried out to an acceptable standard so that the results can be used as an input to the
regulatory decision making process. In the review and assessment, it should be considered
whether the data used in estimating frequencies and probabilities are sufficiently well
founded; whether the bounding of PIEs into groups for analysis, if used, is sound; whether the
identification of failure scenarios is comprehensive; and whether the analyses of the facility’s
response and consequences are acceptable. The PSA should include a consideration of the
sensitivity of the results to uncertainties in data and modelling and the importance of
individual events in the progression of the failure scenario.

The insights gained from PSA should be considered together with those from other
analyses in making a decision regarding the acceptability of the safety of a facility. An
important aspect of PSA is that, as well as giving an estimate of risks, it also provides
information on whether the design is balanced, on the interaction between design features of
the facility, and on where there are weaknesses. These additional aspects should not be
neglected by a regulatory body reviewing a PSA when making its decisions.

Although a fundamental feature of the review and assessment process is the

consideration by the regulatory body of the documentation supplied by the operator, as
another necessary part of the process, the regulatory body should also check claims made in
the documentation, by means of visits and inspections to the facility. Such verification is
carried out by relevant specialists at all stages of the authorization process. These visits will
also allow the regulatory body to supplement the information and data needed for review and
assessment. Additionally, the regulatory body will be able to improve its practical
understanding of the managerial, engineering and operational aspects involved and foster links
with appropriate specialists in the operator’s organization. Where the operator provides some
central functions away from the facility, visits are also made by the regulatory body to this
part of the operator’s organization. The staff of the regulatory body that carry out review and
assessment has the right to visit or designate others to visit on its behalf, the operator’s site
and, if necessary, to visit contractors’ establishments with the knowledge of the operator. The
visits may be a good opportunity to observe the adequacy and effectiveness of the quality
assurance systems of the operator, manufacturers and suppliers.

It is often very useful for the operator to arrange for those preparing or involved in
complex submissions to provide key regulatory assessors with presentation(s) highlighting the
main technical issues raised and analytical techniques used.

114
 The review and assessment process will invariably involve the production of reports
by various experts in the regulatory body and any consultants employed. A document control
system for maintaining records of the process is set up which will allow such documents and
records to be easily retrieved. It is particularly important to be able to locate the bases of
previous decisions, so that consistency can be achieved and any reassessment made necessary
by recent information can be more readily accomplished.

Review and assessment result in a decision on the acceptability of the safety of the
facility that may be connected to a stage in the authorization process. The basis for the
decision is recorded and documented in an appropriate form. This documentation summarizes
the review and assessment performed, and provides a clear conclusion about the safety of the
authorized activity. Typically, the following topics are covered:

x reference to the documentation submitted by the operator;

x basis for the evaluation;
x evaluation performed;
x comparison with regulatory requirements, regulations and guides;
x comparison with another similar (reference) facility when appropriate;
x independent analysis performed by the regulatory body staff, or by consultants or
dedicated support organization on its behalf;
x conclusions with respect to safety;
x additional requirements to be fulfilled by the operator.

3.1.4. Quality assurance in the review and assessment process

The regulatory body has a system to audit, review and monitor all aspects of its review and
assessment process to ensure that it is being carried out in a suitable and efficient manner and
that any changes to the process made necessary owing to improvements in knowledge or
techniques or otherwise are implemented.

3.1.5. Topics to be covered by regulatory review and assessment

Table XI provides a generic list of topics that are considered part of the review and assessment
process throughout the life-cycle of the facility from site selection to decommissioning. Each
topic has been itemized; however, addressing all of them does not necessarily mean that every
safety aspect has been fully covered. It should be noted that, depending on the facility and on
the particular phase of the facility’s life, some of the aspects/topics will be more important
than others and the degree of detail necessary may vary.

115
 TABLE XI. LIST OF IMPORTANT TOPICS FOR REVIEW AND ASSESSMENT
Throughout the lifetime of the facility, the regulatory body reviews and assesses the

116
Physical nature of the facility and its environment information provided by the operator on the facility, in particular the information
covering:
The following information on the facility and the process conducted are provided by the
operator at various stages and used as a basis for review and assessment: x A compilation of the safety analysis and its assumptions;
x Structures, systems and components important to safety;
x Detailed description of the facility, supported by drawings of the layout, the system x Limits and permitted operational states;
and the equipment; x Anticipated operational occurrences;
x Information about the functional capability of the facility, its systems and major x Postulated initiating events for the safety analyses, such as external hazards, internal
items of equipment; faults and internal hazards;
x The findings of tests which validate the functional capability; x Description how defence in depth concept is fulfilled;
x The results of inspections of components; x Analytical methods and computer codes used in the safety analysis and verification
x Maintenance records; and validation of such codes;
x Description of the present physical condition of SSCS based on inspections or tests; x Radioactive releases and radiation exposures under normal operation and fault
x Description of the support facilities available both on and off the site, including conditions;
maintenance and repair shops; x The operator’s safety criteria for analyses of operator action, common cause events,
x Geological, hydrogeological and meteorological conditions; and cross-link effects, single failure criterion, redundancy, diversity and separation.
x Description of off-site characteristics, including population densities, land use,
industrial developments and transportation arrangements (such as airports, and road The impact of the facility is assessed and social and economic issues, land use issues,
and rail systems). technical issues such as detailed considerations of geology and hydrogeology, transport
routes and protection of the environment are taken into account. Both the anticipated
Infrastructural aspects impact and the consequences of fault conditions which are the subject of safety analysis
are considered.
Throughout the lifetime of any facility, operators propose and implement arrangements
for waste management. The regulatory body reviews and assesses proposals for on-site The operating organization and the management system
treatment and storage to ensure that the processed waste and waste packages are
compatible with national strategy, relevant waste acceptance requirements for At all stages of the facility’s lifetime, the operator demonstrates that:
subsequent waste management steps and regulatory requirements. Specifically, the
regulatory body assures itself that the waste or waste packages: x It will be in control of the facility;
x It has an adequate safety management system to be able to manage and control the
x are properly characterized and compatible with the anticipated nature and duration of facility; and
storage pending disposal; x It has resources available to meet its obligations and liabilities in connection with an
x can be subjected to regular surveillance; authorization.
x can be retrieved for further waste management steps.

Transport of radioactive materials and waste and equipment both on and off the site
needs adequate arrangements. The regulatory body reviews and assesses these
arrangements and assures itself that all national and regulatory requirements are met.
Safety analysis The information that the operators provide to the regulatory body for review and
 assessment include: x Systematic and validated methods for staff selection (e.g. testing for aptitude,
knowledge and skills);
x The structure of the operator’s organization, showing that it has adequate control of x Programmes for initial, refresher and upgrade training, including the use of
the activities of its own staff and its contractors; simulators;
x A demonstration of adequate resources for appropriately trained and experienced x Training in safety culture, particularly for managers;
staff, ensuring in-house expertise; x Competence requirements for operation, maintenance, and technical and managerial
x Demonstration of the adequacy of the procedures for control of changes to staff;
organizational structure and resources; x Programmes for feedback of operating experience relating to failures in human
x The specification and documentation of the duties of staff, demonstrating integration performance;
of safety responsibilities into their duties; x Guidelines on fitness for duty in relation to hours of work, health and substance
x Demonstration of the provision or access to a high level of expertise in safety to abuse;
carry out safety and engineering analysis, and associated audit and review functions; x Competence requirements for operation, maintenance, and technical and managerial
x Demonstration of the adequacy of the provisions for financing continuing liabilities staff; and
and decommissioning; and x A system for consideration of the human-machine interface and design and for the
x Any proposals for the use of contractors. analysis of human information requirements and task workload for the control room
and other work stations.
The operator demonstrates an overall safety management system whereby all activities are
controlled to provide an assurance that requirements for quality, safety and the Operational procedures
environment are met. This includes having operational procedures.
The operator demonstrates it has:
The operator demonstrates that it has:
x Formal approval and documentation for all safety related procedures;
x A mechanism for setting of operating and safety targets; x A formal system for modification of a procedure;
x A policy that states that safety takes precedence over production; x Understanding and acceptance of the procedures by management and on-site staff;
x Documented roles and responsibilities of individuals and groups; x Verification that the procedures are followed;
x Procedures for control of modifications to the facility; x Procedures that are adequate in comparison with international good practice;
x Procedures for the feedback of experience to the staff, including the experience x Arrangements for regular review and if necessary, revision of the procedures;
relating to organizational and management failures; x Clear procedures taking into account human factor principles;
x Mechanisms for maintaining the configuration of the facility and its documentation; x Procedures which comply with the assumptions and findings of the safety analysis,
x Formal arrangements for employing and controlling contractors; design and operating experience; and
x Staff training facilities and programmes; x Adequate emergency operating procedures.
x A quality assurance programme and regular quality assurance audits with
independent assessors; Equipment qualification
x A system for ensuring compliance with regulatory requirements;
x Comprehensive, readily retrievable and auditable records of baseline information, The operator provides:
operational and maintenance history;
x Staffing levels for the operation of the facility that take account of absences, shift x A list of equipment covered by the equipment qualification programme and a list of
working and overtime restrictions; control procedures;

117
x Qualified staff available on duty at all times; x A qualification report and other supporting documents (such as equipment
qualification specifications, qualification plan);
 x Verification that the installed equipment matches the qualification requirements; x Feedback of safety related operational data into the operating regime including
x Procedures to maintain qualification during the installed life of the equipment; records and reports of incidents and accidents;

118
x Information on mechanisms for ensuring compliance with these procedures; x Analyses of safety performance indicators such as:
x Documentation on maintenance, testing and inspection programme and a feedback  frequency of unplanned termination of operation
procedure to ensure that ageing degradation of qualified equipment remains  frequency of selected safety system actuation/demands
insignificant;  frequency of safety system failures
x Documentation on an analysis of the effect of equipment failure on other equipment  unavailability of safety systems
qualification and appropriate corrective actions to maintain equipment qualification;  annual individual and collective radiation doses to workers
x Information on protection of qualified equipment from adverse environmental  trends in causes of failures
conditions;  backlog of outstanding maintenance
x Information on the physical integrity and functionality of qualified equipment; and  extent of preventive maintenance
x Records of all qualification measures taken during the installed life of equipment.  extent of corrective maintenance including repair and replacement
 frequency of unplanned operator actions in the interest of safety and their
Management of ageing success rate
 amounts of radioactive waste generated
The operator provides an appropriate programme for the management of ageing of  quantities of radioactive waste in storage
equipment that covers: x Records of radiation doses to persons on site;
x Records of off-site contamination and radiation monitoring data for the site;
x Documented methods and criteria for identifying SSCs covered by the ageing x Records of quantities and relevant characteristics of radioactive waste generated and
management programme; stored in the facility; and
x A list of SSCs covered by the ageing management programme and records which x Records of the quantities of radioactive effluents discharged.
provide information to support the management of ageing;
x An evaluation and documentation of potential ageing degradation that may affect the Experience from other facilities and research findings
safety functions of SSCs;
x Details of the extent of understanding of dominant ageing mechanisms of SSCs; The operator provides information of its arrangements for:
x Details of the programme for timely detection and mitigation of ageing processes
and/or ageing effects; x Feedback of experience relevant to safety from similar facilities and other nuclear
x Acceptance criteria and required safety margins for SSCs; and and non-nuclear facilities;
x Awareness of physical condition of SSCs, including actual safety margins. x Assessment of and actions on the basis of the above experience;
x Determining the need for research and development;
Operator’s safety performance x The receipt of information on the findings of relevant research programmes;
x Assessment of and actions on the research information.
The operator provides details of:

x The system for identifying and classifying safety related incidents;

x The arrangements for root cause analysis of incidents, the lessons learnt and follow-
up measures taken;
x Methods for selecting and recording safety related operational data, including those
for maintenance, testing and inspection;
x Trend analyses of safety related operational data;
3.2. COUNTRY SPECIFIC APPROACHES AND EXPERIENCE

3.2.1. Deterministic safety approach — French experience [22]

The objective of the licensing process is to determine whether the applicant

submissions comply with the safety objectives stipulated or approved by the regulatory body.
Prior to checking this compliance, the technical aspects of these safety objectives must be
reminded.

This presentation is focused on pressurised water reactors of the type developed in

France, but the principles are more general in scope.

[Link]. Determination of specific risks

Nuclear reactors have two specific characteristics that differentiate them from other
energy production installations:

x These reactors accumulate a large quantity of radioactive products (Table XII) from
which staff must be protected and the large scale dispersal of which to the environment
would constitute a major accident;

x Significant energy release continues for a very long time, even after reactor shutdown,
since it is related to the radioactivity of the fission products contained in the reactor core.

Plant safety therefore depends on adequate protection with respect to radiation sources
together with their confinement. If the sources are localised in the appropriate areas provided,
radiation protection can be achieved by the judicious installation of absorbent shields of a
suitable material and thickness. Difficulties arise mainly from dispersal of radioactive
products outside the standard localised areas. The possible causes of such dispersal shall
therefore be investigated.

Radioactive products are, for the most part, produced within the fissile material itself
and it is desirable that they remain there until the fuel has been reprocessed in a suitable plant.
Correct cooling of the fuel and fuel cladding is therefore essential.

TABLE XII. MAXIMUM ACTIVITY OF THE MAIN FISSION PRODUCTS*

Core, 2 h after Spent fuel Primary system Gaseous effluents
shutdown
Rare gases 107 TBq ** 106 TBq 3 102 TBq 2 102 TBq
Iodine 2 107 TBq 106 TBq 20 TBq
Caesium 107 TBq 2 104 TBq

*
900 MW(e) PWR, maximum burnup 33,000 MWd/tU.
**
1 TBq = 1012 Bq = 27 Ci (Curie).

119
 It should be pointed out that:

x Under normal operating conditions, a nuclear reactor has no “natural” power level. In order
to be able to operate for at least a year without refuelling and counterbalance various
power-related effects, the core has to contain a quantity of fissile material far exceeding the
critical mass at cold shutdown. The power level produced by this material consequently
results from combining various parameters which must be controlled from outside;

x Under particular operating conditions, the energy released in a nuclear reactor can increase
extremely quickly, in an uncontrolled manner and can then only be limited by neutron
feedback effects related to temperature rises or fuel dispersal;

x Energy released in fuel that was part of a chain reaction cannot afterwards be annulled,
even when the reaction is over. In fact, radioactive products deriving from fission must
themselves release a certain amount of energy in order to reach a stable state. They do this
with a decay period specific to each element which can be very short (less than 1 second),
or average (months or years) or very long (hundreds or thousands of years). Although
decreasing, the power produced will for a long time be greater than one-thousandth of the
rated power and this calls for continuous cooling (Table XIII).

TABLE XIII. RADIOACTIVE DECAY POWER

Time after shutdown Percentage of the initial Thermal power
thermal power produced in MW
1 second 17% 500
1 minute 5% 150
1 hour 1.5% 45
1 day 0.5% 15
1 week 0.3% 9
1 month 0.15% 4.5
1 year 0.03% 1
10 years 0.003% 0.1
100 years 0.001% 0.03
1000 years 0.0002% 0.006

Prevention of specific risks therefore requires:

x Efficient control of the chain reaction and hence the power produced;

x Fuel cooling assured under thermal hydraulic conditions designed to maintain fuel clad
integrity;

x Containment of radioactive products in the fuel, in the primary coolant and specifically in
the containment building.

Maintaining these three safety functions is the key to reactor safety.

120
[Link]. Potential risks, residual risks, acceptable risks

Estimation of the risks associated with operation of a nuclear installation requires that
a distinction be made, as for all industrial facilities, between potential risks, which would exist
in the absence of all protective measures, and residual risks, which remain despite provisions
made to prevent accidents and, if an accident occurs, to minimise the consequences. Nuclear
safety is specifically concerned with this dual objective.

Potential risks are clearly defined by the radioactive substances involved, so that the
only difficulties involved concern estimating residual risks, since it is impossible to claim that
these can be reduced to zero level. These risks are subject to a double estimation, in terms of
the probability of possible accidents and in terms of seriousness, depending on the gravity of
accident consequences.

The idea of probability arises naturally when problems of safety are broached. The
logical and instinctive approach is to ensure that an accident is all more unlikely the higher the
risk of serious environmental consequences. It is essential that a very severe accident with
major consequences be made highly improbable. This natural approach was the guiding
principle in the early work carried out in the field of nuclear safety. The “Farmer curve” (Fig.
12), produced at the beginning of the seventies, shows an authorized area and a forbidden area
on either side of a curve plotted on a probability versus consequences graph, with the
consequences expressed as radioactive iodine release. Only the symbolic aspect is presented
here.

Consequences
Very
serious
Forbidden area

Authorized area
Slight

Very rare Very frequent

Probability
FIG. 12. Relation between probability and consequences. (Farmer graph).

The designers of nuclear power plants then engaged upon a thorough study and more
precise definition of this curve by matching probability ranges with radiological consequences
that could be considered acceptable. A few years later, the safety organizations specified an
indicative limit for the maximum accident probability likely to give rise to consequences
deemed unacceptable. This by no means implies that situations of even lower probability
should receive no attention. It has to be shown that all types of accidents considered credible
have been taken into account and are covered by the accident studies performed and that the
systems provided to prevent their development or mitigate their consequences, the engineered

121
safety systems built into the installations, effectively enable the safety objectives to be
achieved.

Safety specialists have progressively developed an entire arsenal of principles,

concepts and methods applicable both at the design stage and at the construction and operating
stages. These are, firstly, the barriers, secondly the defence in depth concept, which has been
gradually extended and is presented in what follows, and thirdly the probabilistic studies.

[Link]. Defence in depth concept

Objectives of defence-in-depth

Implementation of defence in depth concept contains several levels of protection,

including successive barriers preventing the release of radioactive material to the
environment. The objectives are as follows:

x To compensate for potential human and component failures;

x To maintain the effectiveness of the barriers by averting damage to the plant and to the
barriers themselves; and
x To protect the public and the environmental from harm in the event that these barriers are
not fully effective.

Barriers

When France adopted the pressurised water reactor system this country had already
built several major nationally designed installations and perfected an appropriate safety
approach, the barrier method.

Protection of the public against the consequences of an accidental release of fission

products rests on the interposition of a series of leak tight barriers. The French practice
considers three barriers (Fig. 13): the fuel cladding, the reactor coolant pressure boundary, the
primary containment but it is known that some countries consider the fuel matrix as a first
barrier which does not really affect this method. Each of these is examined in detail under
three operating conditions:

x Normal operation.
x Normal operating transients.
x Abnormal operating transients.

Safety analysis therefore consists of ensuring the validity of each of these barriers and
their correct operation under normal and accident reactor operating conditions. This kind of
analysis emphasises the progressive nature of safety by distinguishing three successive but
interrelated stages:

x Prevention.
x Monitoring.
x Mitigating action.

122
 3rd barrier : reactor containment building

2nd barrier : Reactor coolant pressure boundary

Steam lines

Steam
generator
1st barrier :
Primary
Fuel
Pool
cladding pump
Claddings
Pressurizeur
Claddings

FIG. 13. Main PWR barriers.

This barrier method is deterministic, since it attests the possibility of a certain number
of accident situations. Applying it during the first 900 MW(e) PWR unit examinations at the
beginning of the 1970s revealed certain difficulties. If the definition of the first barrier is
simple despite its extent, this is not true for the other two barriers. The reactor coolant
pressure boundary is clearly defined within the reactor building. It branches out, however, in a
fairly complex manner in the auxiliary buildings. The spent fuel pit has the same function,
despite its free surface. The reactor building containment is not the only place containing
spent fuel or primary coolant. Delimitation of the third barrier is thus also fairly complex.
Finally and most importantly, this succession of three barriers implies one markedly important
fact: the steam generator tubes with a considerable total surface area and a very thin wall
simultaneously fulfil the function of primary coolant enclosure and containment (second and
third barriers).

These reflections have contributed to the evolution of safety thinking from the barrier
method to the defence in depth concept. This concept in fact includes the barrier method, but
enables an analysis of installations to be carried out which is both more comprehensive and
more detailed.

Levels of defence

The defence in depth concept is not an installation examination technique eliciting a

particular technical solution, but a method of reasoning and a general framework enabling
more complete examination of an entire installation. It was developed in the USA in the
sixties and was notably the design basis for the Westinghouse nuclear power reactors. The
approach linking successively prevention, monitoring and mitigating action is broadened to
cover all safety related components and structures. We shall see that this approach, initially
developed for plant design analysis, is also well adapted to operating organization.

Before describing the different stages involved, the principle can be simply
summarised as follows: Although the precautionary measures taken with respect to errors,
incidents and accidents are, in theory, such as to prevent their occurrence, it is nevertheless

123
assumed that accidents do occur and provisions are made for dealing with them so that their
consequences can be restricted to levels deemed acceptable. This does not obviate the need to
study still more severe situations, the causes of which may as yet be unknown, and to be ready
to confront them under the best possible conditions.

The approach combines the prevention of abnormal situations and their degradation
with the mitigation of their consequences. It is a deterministic method, since a certain number
of incidents and accidents are postulated. The defence in depth concept consists of a set of
actions, items of equipment or procedures, classified in levels, the prime aim of each of which
is to prevent degradation liable to lead to the next level and to mitigate the consequences of
failure of the previous level. The efficiency of mitigation must not lead to cutbacks in
prevention, which takes precedence.

In July 1995, the IAEA International Nuclear Safety Advisory Group adopted a
document on this subject INSAG-10, “Defence in Depth in Nuclear Power Plant Safety”, [9].
This document presents the history of the concept since its inception, how it is currently
applied and indicates advisable modifications for its application to the next generation of
reactors.

The defence in depth concept now comprises five levels. The way in which these levels
are structured may vary from one country to another or be influenced by plant design but the
main principles are common. The presentation below is consistent with the new INSAG
document (See Fig. 14).

First level: Prevention of abnormal operation and failures

The installation must be endowed with excellent intrinsic resistance to its own failures
or specified hazards in order to reduce the risk of failure. This implies that following
preliminary delineation of the installation, as exhaustive a study as possible of its normal and
foreseeable operating conditions be conducted to determine for each major system, structure
or component, the worst mechanical, thermal, pressure stresses or those due to environment,
layout, etc. for which allowance must be made. Normal operating transients and the various
shutdown situations are included in normal operating conditions. The installation components
can then be designed, constructed, installed, checked, tested and operated by following clearly
defined and qualified rules, while allowing adequate margins with regard to specific limits at
all times to underwrite correct behaviour of the installation. These margins should be such that
systems designed to deal with abnormal situations need not be actuated on an everyday basis.

A moderate-paced process with a computer-based control system will diminish

operating staff stress hazards. Man-machine interface provisions and time allowances for
manual intervention can make a significant contribution.

In the same way, the various disturbances or hazards deriving from a source external to
the plant and which the installation must be able to withstand without operating disturbances
or, in other cases, without causing significant radioactive discharge, shall be specified. Site
selection with a view to limiting such constraints can play a decisive role. In this way, it is
possible to determine a reference seismic level, extreme meteorological conditions expressed
as wind speed, weight of snow, maximum over-pressure wave, temperature range, etc. The
new stress factors thus derived shall be used in the same way as before.

124
 Sets of rules and codes define in a precise and prescriptive manner the conditions for
design, supply, manufacture, erection, checking, initial and periodic testing, operation and
preventive maintenance of all safety related equipment and structures in the plant in order to
guarantee their quality in the widest sense of this term. The selection of appropriate staff for
each stage, from design to operation, their appropriate training, the overall organization, the
sharing of responsibilities or the operating procedures contribute to the prevention of failures
throughout plant life. This also applies to the systematic use of operating feedback. On this
basis may be defined the authorized operating range for the plant and its general operating
rules.

Second level: Control of abnormal operation and detection of failures3

The installation must be prevented from straying beyond the authorized operating
conditions which have just been defined and sufficiently reliable regulation, control and
protection* systems must be designed with the capacity to inhibit any abnormal development
before equipment is loaded beyond its rated operating conditions, so defined as to allow
substantial margins with respect to failure risks. Temperature, pressure and nuclear and
thermal power control systems shall be installed to prevent excessive incident development
without interfering with power plant operation. With a plant design procuring a stable core
and high thermal inertia, it is easier to hold the installation within the authorized limits.

Systems for measuring the radioactivity levels of certain fluids and of the atmosphere
in various facilities shall assume monitoring requirements and check the effectiveness of the
various barriers and purification systems. Malfunctions clearly signalled in the control room
can be better dealt with by the operators without undue delay. Finally, the protection systems,
the most important of which is the emergency shutdown system but also including, for
example, safety valves, shall be capable of rapidly arresting any undesirable phenomenon,
inadequately controlled by the relevant systems, even if this entails shutting down the reactor.

Furthermore, a periodic equipment surveillance program enables any abnormal

developments in major equipment to be spotted. Such developments would otherwise be
likely to lead to failures over a period of time. Periodic weld inspections, crack and leak
detection, routine system testing pertain to these preventive surveillance activities.

Third level: Control of accidents within the design basis

The first two levels of defence in depth, prevention and keeping the reactor within the
authorized limits, are designed to eliminate with a high degree of reliability, the risk of plant
failure. However, despite the care devoted to these two levels and with the obvious aim of
safety, a complete series of incidents and accidents is postulated by assuming that failures
could be as serious as a total instantaneous main pipe break in a primary coolant loop or a
steam line or could concern reactivity control. This places us in a deterministic context, which
is one of the essential elements of the safety approach.

3
Control systems are sometimes included in first level provisions. The INSAG document places automatic
shutdown at third level. But these variations make no difference to the general principle.

125
 We are then required to install systems for limiting the effects of these accidents to
acceptable levels, even if this involves the design and installation of safety systems having no
function under normal plant operating conditions. These are the engineered safeguard
systems4. Start-up of these systems must be automatic and human intervention should only be
required after a time lapse allowing for a carefully considered diagnosis to be reached. In the
postulated situations, the correct operation of these systems ensures that core structure
integrity will be unaffected, which means that it can subsequently be cooled. Release to the
environment will consequently be limited.

The choice of incidents and accidents must be made from the beginning of the design
phase of a project so that those systems required for limiting the consequences of incidents or
accidents integrate perfectly with the overall installation design. This choice must be made
with the greatest care as it is very difficult to insert major systems in a completed construction
at a later date.

Fourth level: Control of severe plant conditions including prevention of accident progression
and mitigation of severe accident consequences

In the context of on-going analysis of risks of plant failure, such as the accident which
occurred at Three Mile Island in 1979, it was decided to consider cases of multiple failure and,
more generally, the means required to contend with plant situations which had bypassed the
first three levels of the defence in depth strategy or which were considered as part of the
residual risk. Such situations can lead to core meltdown and consequently to even higher
release levels. The concern here is consequently to reduce the probability of such situations by
preparing appropriate procedures and equipment to withstand additional scenarios
corresponding to multiple failures. These are the complementary measures aimed to prevent
core meltdown.

Every endeavour would also be necessary to limit radioactive release due to a very
serious occurrence which would nevertheless have involved core meltdown and to gain time
to arrange for protective measures for the populations in the vicinity of the site. It is then
essential that the containment function be maintained under the best possible conditions. The
latter accident management actions are defined in emergency procedures and are outlined in
the internal emergency plan and will be discussed in detail in Appendix III.

Fifth level: Mitigation of radiological consequences of significant off-site releases of

radioactive materials

Population protection measures because of high release levels (evacuation,

confinement indoors, with doors and windows closed, distribution of stable iodine tablets,

4
For PWR's built in France, these systems are:
• the emergency core cooling system
• the steam generator auxiliary feedwater supply system
• the containment withstanding an over pressure of about 4 bar rel associated with the systems ensuring internal
spraying, the automatic isolation of penetrations, containment atmosphere monitoring and, in the case of
double-wall containment, depressurization of the annulus.

126
restrictions on certain foodstuffs, etc.) would only be necessary in the event of failure or
inefficiency of the measures described above. So we are still in a defence in depth
connotation. The conditions of this evacuation or confinement are within the scope of the
public authorities. They are supplemented by the preparation of long or short term measures
for checking the consumption or marketing of foodstuffs which could be contaminated. Such
measures are included in the external emergency plans. The decision to implement such
measures will be based on analysis of the situation by the operator and the safety organisms
and then on environmental radioactivity measurements.

Periodical training drills will also be necessary in this area to ensure adequate
efficiency of the resources and linkups provided.

Elements common to the different levels

Defence in depth can only be satisfactorily implemented if care is taken at each level to
ensure:

x appropriate conservatism;
x quality assurance; and
x safety culture.

The notions of conservatism and safety margins, very closely linked with the
deterministic approach, apply more to the first three levels of defence. Severe accidents, on
the other hand, generally require a less conservative approach, and realistic assessment is
preferable when population has to be protected against substantial radioactive release. Each
level of defence can be effective only if the quality of design, materials, structures,
components and systems, operation and maintenance can be relied upon. Finally, all parties
actively involved in plant safety, whether they are operators, constructors, contractors or
members of safety organizations, must be thoroughly versed in safety culture.

General comments

The notion of successive levels of defence implies that these levels are as independent
as possible. It will consequently be very important to ensure that the same event or failure,
whether single or multiple, could not affect several levels simultaneously, thereby calling the
entire approach into question. This would be the case, for example, if a specific failure
inhibited the systems provided to limit the consequences of the event considered. Safety
system reliability must be adequate. Special design, layout and maintenance rules are applied
to them.

The fourth level was set up to fill in the gaps revealed in the situations envisaged prior
to 1975. This level thus covers measures for the prevention of substantial core meltdown that
ought to have been included in the third level, and provisions for the management of more
severe accidents that fit better into this stage in the phasing of preventive actions.

127
 Mitigation of radiological consequences
of significant off-site releases of radioactive materials
Control of severe plant conditions including prevention of accident progression
and mitigation of severe accident consequences

Control of accident within the design basis

Control of abnormal operation and detection of failures

Prevention of abnormal operation

and failures

Conservative design and

high quality in construction and operation

Control, limiting and protective systems

and other surveillance features

Engineered safety features and accident procedures

Complementary measures and accident management

Off-site emergency response

FIG. 14. The defence in depth concept: purposes, methods and means (INSAG-10).

Until recently, levels 4 and 5 were combined in one level. In accordance with the logic
of the defence in depth concept, the need for protective actions with respect to populations in
the vicinity of the site effectively corresponds to the failure, or relative failure, of the measures
taken at the previous level. There must consequently be a differentiation between the two
levels involved.

The efficiency of these principles and methods would be limited if the quality
assurance of all activities involved in the design, supply, manufacture, erection, tests and
inspections, operating preparations and the actual operation itself were not fully ensured. This
depends on the motivation of all concerned and implies appropriate organizational procedures.

Obviously, the quality assurance process is more difficult to apply in the very disturbed
situations covered by the severe accident management but mentioning this idea even in this
case is recalling the need of well structured decision making process and methods to be
prepared for such situations.

[Link]. Defence in depth implementation in operation [22B]

As mentioned, the defence in depth concept is fully applicable for operational activities
and the operating documents as the general operating rules should reflect it in its different
Chapters:

128
Level 1: Prevention
x Plant organization, staff selection and training;
x Normal operation procedures;
x Implementation of the technical specifications.

Level 2: Surveillance
x Periodic testing programme;
x Preventive maintenance programme;
x Incident detection and analysis.

Level 3: Mitigation
x Incident and accident procedures.

Level 4: Accident management

x Beyond design basis accident procedure;
x Internal emergency plan (links with external emergency plan).

Level 5: Emergency response

x External emergency plan.

[Link]. Postulated initiating events [22B]

The defence in depth concept implies that postulated incidents and accidents are
examined by varying the safety functions over a range of possibilities:

x Criticality control (controlling the power);

x Residual power removal (cooling the fuel);
x Radioactive products containment (confining the radioactive material).

The design basis incidents and accidents are chosen to be the most penalising cases
enveloping a family of events of equivalent classes of estimated frequency.

Historical survey

The scope of foreseen situations has evolved over the time thanks to the continual
search for safety improvement, better safety studies and operating experience.

At the beginning of the 1970s, plant design was based on a three-level defence in depth
concept: good design, good surveillance provisions and engineered safeguard systems to limit
the consequences of postulated accidents. These incidents and accidents were assumed to be
due to single failures associated with conventional failure conditions (single failure,
earthquake, loss of external power). Apart from the fuel handling accident, all the scenarios
were assumed to occur during power operation. Duplicating safety related systems was
considered sufficient.

In the mid-1970s, probability studies of total failure of these systems and the associated
consequences showed that duplication was not an entirely satisfactory solution, with the result
that provision was made for complementary measures to contend with these multiple failures.

129
This applies mainly to the scram system, the electrical power, the steam generators feed water
and the ultimate heat sink.

In 1979, the Three Mile Island accident demonstrated that cumulated human and
equipment failures could lead to far more serious consequences than those considered at the
design stage, without calling the overall approach into question. Considering single initiators
or identified multiple failures on a single function was no longer sufficient. Operating
procedures were then reviewed and vastly modified. This was followed by the development
and integration of systems capable of limiting the probability and consequences of severe
accidents.

In 1986, the Chernobyl disaster, although it occurred in a reactor of totally different

design to those used in Western Countries, nevertheless highlighted the organizational
difficulties raised by a severe accident situation (long term release period, consideration of
caesium and strontium, difficulties and drawback of population relocation, insufficiency of the
rate of induced cancer to characterise the effects on the population). Moreover, this accident
led to a review of reactivity accident provisions, with the gradual discovery of several
significant scenarios that had not been previously identified and the subsequent
implementation of requisite preventive measures.

Meanwhile, the publication of probabilistic safety studies demonstrated risks related to

outage situations, seeming thus to confirm trends suggested by operating feedback and the
weight (positive and negative) of the human factors.

Worldwide operating experience shows time after time additional unexpected potential
scenarios and the inadequacy of some initial assumptions (an observed SG tube rupture
frequency 10 to 100 higher than expected). Over the same period, consideration of internal
and external hazards was progressively extended. Consideration of traditional lists of
incidents and accidents is needed but insufficient.

“Excluded” scenarios

Some scenarios cannot be treated along the line of defence in depth as no efficient
engineered safety systems are able to control the situation, to prevent core degradation, to
mitigate the radiological consequences. It is the case when the initiating event induces the
simultaneous destruction of the containment capability

Typical examples are:

x Sudden rupture of the reactor vessel;

x Steam line break between the containment and the main isolation valve;
x Steam generator outer shell rupture;
x Severe criticality accidents.

They must be identified and recognised in order to be excluded thanks to convincing

prevention and surveillance measures.

130
[Link]. Accident analysis [22B]

A formal incident and accident analysis process is needed as a part of the safety
demonstration. It includes several items that could be summarised as follows.

Choice of pessimistic initial conditions

For each scenario the initial conditions should be the worst authorized ones for the
studied phenomena, with uncertainty margins such as:

x Maximum fission products or primary coolant contamination;

x Minimum temperature coefficient (beginning of life) for heating effects like control rod
withdrawal;
x But maximum temperature coefficient (end of life) for cooling events like steam line
rupture.

Implementation of the single failure criterion

This Convention is designed to provide adequate reliability to the engineered safety

features. Special care is needed with 2 × 100% solution for maintenance and any
unavailability.

The single failure criterion can be threatened by any common cause failure such as fire,
flooding or human intervention. Segregated lay-out is needed associated with protective
measures and intervention procedures.

Conventional loads and conditions combinations

The loss of external power sources is added to each abnormal occurrence, incident and
accident with addition of the safe shutdown earthquake SSE at least for the largest breaks.

Appropriate and established design margins

Design and construction codes should fix the level of adequate margin associated with
testing methods.

Prevention of accident degeneration

An incident should not induce another incident of the same category or degenerate in
an incident of the following one. The physical effects and mechanical loads due to an accident
should be considered to avoid additional consequential failures.

Human intervention grace period

Automatic devices should be sufficient to manage the design basis accidents during at
least 20 minutes to decrease the adverse stress effects on the operators.

131
Calculation of radiological consequences

For the design basis accidents these calculations are based on noble gas, and iodine
with very pessimistic transfer coefficients (mainly for iodine although there are very large
differences from one country to another). The assessment assumes that people are living close
to the plant fence and submitted to a unique plume passage (2 hours). Acceptance criteria are
based on health effects on man (increase of fatal cancer rate).

The Chernobyl accident showed the limits of this approach for severe accidents and for
the preparation for external countermeasures. The source terms should be evaluated through
more realistic methods but still be conservative and cover more radioactive materials like
caesium or strontium and with potentially longer releases.

Acceptance criteria are based on ICRP publication N° 63 and consider life disturbance
such as people displacement or soil and foodstuffs contamination.

[Link]. Internal and external hazards [22B]

Internal and external hazards that are not initiating events should not induce such
failures. In addition, they should not decrease the potential of engineered safety system to act
properly when they are needed which requires specific care for the prevention of common
mode failures.

A typical list of internal events is:

x Missiles from inside the containment.
x Results of piping breaks.
x Turbo-generator bursting.
x Protection against load dropping.
x Fire protection.
x Internal flooding.

A typical list of external hazards to be considered as appropriate:

x Earthquakes.
x Soil movements.
x Volcanoes.
x Aircraft crashes.
x Explosions.
x Fires.
x Toxic or corrosive gases.
x Floods.
x Meteorological hazards (wind, snow, hurricane, tornado, extreme temperature).

Probabilistic evaluation can be used for some internal and external events like turbine
missile, aircraft crashes and explosions that need the definition of an indicative threshold. An
annual probability value of 10-7/plant for “unacceptable consequences” is used in some
countries. If needed and to avoid difficult demonstrations, the protection of the equipment is
provided by the capability of the related buildings to withstand the impact in defined

132
conditions. Most of internal and external hazards are coped with by preventive measures but
fires are treated by prevention, surveillance and mitigation.

3.2.2. Assessment of modifications — German and Finnish experience

The operating organization is responsible for plant modifications as it is for the initial
design. As a minimum, any modification that modifies the initial design approved during the
licensing process requires an authorization.
[Link]. German classification of modifications [17]

The scope of permitted activities is stipulated in detail by additional conditions in the

nuclear licences. Under which conditions and in which way modifications of the plant and its
operating mode are to be made is particularly laid down in the Atomic Energy Act (AtG) and
in the licences. This concerns not only modifications of the system design but also
modifications of the operating mode and organization of the plant.

It is stated in Paragraph 7 of the Atomic Energy Act that not only the construction and
operation of nuclear facilities are subject to licensing, but also major modifications to it. The
proceedings in this respect are the same as those applied for licensing of construction or
operation. Details are stipulated in the Nuclear Licensing Procedures Ordinance (AtVfV).

Major modifications, which are subject to licensing therefore, are in general

modifications:

x Leading to a considerable change of activity release during normal operation or during

incidents;

x Leading to an increase of the allowed activity inventory of the plant;

x Leading to a change of the maximum permissible reactor output;

x Concerning the basic design features of the plant or its operation;

x Extending the licensed use of nuclear fuels or the handling of radioactive substances;

x Connected with significant structural changes.

Modifications subject to licensing are to be published and debated in public before the
granting of a license if the impact of the plant on the environment may be changed or
increased following such modifications. By this, the citizens concerns are informed about the
planned modification and are enabled to raise objections or to bring an action against the
license. The general public is not involved in case of insignificant modifications, i.e.
modifications not subject to licensing.

In the operating licences of nuclear facilities, it is in general stipulated by additional

conditions that also modifications not subject to licensing have to be reported to regulatory
authority and may only be carried out within the scope of a prescribed modification procedure.
In most cases the modifications are categorised according to their safety-related relevance:

133
x Modifications having an impact on the safety level of the plant — often denoted as safety-
relevant modifications — in general are subject to approval by the regulatory authority and
can be made contingent upon the fulfilment of specified requirements.

x Modifications having no impact on the safety level of the plant — safety-irrelevant

modifications — can be carried out autonomously by the operator according to plant
internal specifications without special approval of the supervisory authority. These
modifications have only to be reported to the regulatory authority and the experts
consulted to verify the correctness of the categorisation.

x Insignificant modifications as well as editorial changes of written internal regulations may

be performed according to internal specifications without advance information of the
regulatory authority and the authorized expert.

The definition of the different categories of non-significant modifications is somewhat

unclear and is stated differently by each responsible regulatory authority so that only a rough
characterisation can be made:

x Safety-relevant modifications are those of safety systems or other systems relevant for the
nuclear safety and radiation protection, or they are safety-relevant if by the modification
there are potential negative impacts on such systems.

x Not relevant for the safety are modifications to non-nuclear systems as far as there are no
potential impacts on nuclear systems.

x Insignificant modifications are minor modifications in areas without nuclear safety-

related relevance.

x Editorial changes are changes to written internal instructions that do not affect the factual
contents of the instruction.

Implementation of modifications

Safety objectives of a modification should be proposed by the operating organization

or can be notified by the regulators. Technical solutions are always the responsibility of the
operator.

Any modification should:

x Take into account any available information related to any relevant incidents, gathering as
many of them as possible;

x Take into account the initial design basis in order to avoid loss of initial characteristics;

x Be easy to test in a representative manner;

x Be tested as long as needed;

x Be integrated in plant documentation and in operating staff training.

134
 A significant change in operating conditions like an increase of the fuel burn-up rate
should be studied like a significant modification and justified by the applicant to the safety
authority.

Subsequent difficulties should lead to a complete reassessment of the modification

justification and testing.

[Link]. Assessment of system modifications in Finland [23]

A system pre-inspection is carried out in the form of an assessment of the preliminary

and final safety analysis reports and the related topical reports during the construction phase.
During the operation of a nuclear installation, a system pre-inspection of plant modification
can be conducted on the basis of separate system pre-inspection documentation before the
final safety analysis report is changed. Pre-inspection documents shall be submitted to the
regulatory body (STUK) for approval at least concerning the modification of systems in safety
classes 1, 2 and 3 as well as the modification of systems STUK has earlier requested
inspection for other reasons. Modification of systems inspected by STUK earlier are submitted
to STUK at least for information. Also an individual component modification which
significantly changes a system’s operation or its operating parameters is considered a system
modification.

The pre-inspection documents of the system modification contain the following:

x Causes and justification for the modification;

x System design bases;
x Description of the operation of the system’s modified part;
x Analysis of the system;
x Any other reports deemed necessary.

The reasons for modifications are always stated and justified. In the basic system
design it is stated which guides and standards have been used in design. The design bases
include also the following items:

x Safety class;
x Design parameters (pressure, temperature, flow, chemical environment, requirements
concerning leak tightness etc.);
x Ambient conditions;
x Requirements for structural materials.

In the description of the operation of a system’s modified part, the system’s operation
during normal operational stages as well as during anticipated operational transients and
postulated accidents are described. The modification’s impact on operation is described. The
necessary diagrams and drawings as well as the design parameters of the most important
components are included in the description of operation. The description shall be extensive
enough to contain all information required for a system analysis.

The objective of the system analysis is to ascertain that the system operates in
conformity with the design and that the modified system meets the requirements set forth in
the guides and standards applied in system design. In connection with extensive

135
modifications, disturbance and accident analyses for the installation as well as system
reliability analyses are repeated to the extent deemed necessary if the conducting of such
analyses for the system in question was required previously.

Changes eventually proposed to the technical specifications and test run programme of
the modified system are submitted for approval together with pre-inspection documentation,
or, well in advance of the test run. The proposal containing the changes required in a system’s
operating procedures are submitted to STUK prior to the commissioning of the system.
Changes of the final safety analysis report are submitted to STUK after the implementation of
the modification.

As regards work arrangements during a system modification, reports on radiation

protection, fire protection and physical protection are provided where necessary.

3.2.3. Assessment of operational experience — French experience [22]

The main objectives of the assessment of operational experience can be summarised as

follows:

x To avoid re-occurrence of observed failures from equipment or human origin.

x To detect precursors of more severe accidents.
x To assess whether the plant behaviour and equipment reliability are consistent with the
design assumptions. This provides additionally actual equipment reliability data needed
for PSA.
x To assess that the modifications give the desired results without any detrimental secondary
effects.
x To detect as soon as possible ageing phenomena.
x To check the overall quality of operation practices.

For each unit all the information provided must be used locally. Information from other
units of the same type or even very different, from the same country or from abroad is also
beneficial.

The assessment of operational experience must be carefully structured within the

operating organization and within the regulatory body. The presentation of the French practice
illustrates a way to handle this important topic.

Detection and declaration of abnormal events are the responsibility of the operating
organization. Inspections may check that no declaration is missing.

The French context is specific: one organization operating a large number of identical
or similar reactors, of which it is the architect-engineer. At the beginning of 1998, thirty-four
900 MW(e) PWR’s and twenty 1300 MW(e) PWR’s were in service. Two 1400 MW(e) units
went critical and started operating, two others are at the end of the construction phase. Starting
from initial criticality in each plant, this gives an accumulated 900 MW(e) unit experience of
about 550 reactor-years and 1300 MW(e) unit experience of about 200 reactor-years, thus
totalling around 750 reactor-years of experience concerning reactors which are still relatively

136
“young”. The result is that there is a considerable mass of consistent data, which is a huge
advantage for plant operation.

On the other hand, it is obvious that with such a system very fast identification of
problems liable to occur in a whole family of plants is vital, since otherwise a very specific
type of “common mode” failure could lead to national grid power supply deficiencies, which
would be difficult to cope with in a country where three-quarters of the electricity comes from
nuclear power plants. Likewise, any changes or modifications involving a significant
percentage of the installed capacity can only be undertaken in compliance with stringent
requirements and with all due precautions.

[Link]. Incident selection

In order to facilitate the task of both operators and the safety authorities, it was decided
to define two groups of safety-related events, of different levels of severity and to which
different methods of analysis were applied, whereas all other non-safety-related incidents gave
rise to no particular transfer of information.

Safety-related events

Presuming that the technical operating specifications comprise all instructions

pertaining to the availability of plant safety-related equipment and to the limiting values
assigned to the various operating parameters, any failure of such equipment resulting in it
being reported unavailable or any overstepping of a threshold is considered to be a safety-
related event. This definition is fairly straightforward for the operators, since they have to
monitor both this equipment and these parameters, in any case. The necessity for reporting
these events is well understood by the operating personnel, who are accustomed to using these
Specifications, but less well by the maintenance staff. EDF is taking steps to gradually
improve this situation.

As these safety-related events are not in themselves serious incidents, they need not be
the subject of specific reports from the operator, but must, on the other hand, be immediately
entered into a national data base, managed by EDF and accessible to the DSIN and the IPSN.
The number of safety-related events entered into the EDF file increased rapidly between 1990
(2600) and last year (9500 in 1997), faster than the number of operating units, thanks to the
development of the safety culture. The average number of reports per unit is about 175 for the
900 MW(e) plants and 200 for the 1300 MW(e) plants. Certain plants have increased the
number of events reported in compliance with recommendations following an EDF in-house
nuclear inspection.

Significant incidents

Generally speaking, safety-related events do not in themselves call for detailed analysis
nor are they severe accident precursors. The latter are more likely to be found in another
category of operating non-conformance, classified as significant incidents. These are generally
safety-related events which also satisfy certain specific criteria defined by the DSIN after
discussion with the operators. These criteria were precisely defined with a view to obtain their
automatic application without excessively different interpretation from one plat to another.
they were formalised in 1982 but, there again, owing to the difficulties encountered and

137
discussed with the safety organizations, EDF periodically revises the corresponding internal
procedures to improve uniformity of application between the different plants.

The significant incidents reporting criteria may be summarised as follows:

x Emergency shutdown, except in the context of a deliberate scheduled action or defects

affecting the turbogenerator;

x Implementation of an engineered safeguard system, except in the context of a deliberate

scheduled action;

x Any incident where, in any standard operating state, a change of state would be incurred
by application of the technical specifications;

x Long-term unavailability or multiple inoperability;

x Overshooting certain thresholds or authorized values;

x Actual or potential common mode failure (fire, onsite flooding, system interaction, design
or construction error liable to concern several sets of equipment or several plant units,
etc.);

x External hazard: earthquake or plane crash, for example;

x Real or assumed malevolent act;

x Uncontrolled radioactive release or that exceeding the authorized levels;

x Exposure of people beyond the specific worker exposure limits;

x Incident of nuclear origin having caused loss of life or serious injuries;

x Malfunction or incident placing or able to place the plant outside its design basis operating
range;

x Any other event deemed sufficiently important by the operating or safety authority.

A significant incident must be reported to the safety organizations by telex on the day it
occurs or on the next working day and be reported within two months in a detailed analysis
conforming to a given standard procedure. The first analysis is made by the plant concerned
and is supplemented, if required, by a second analysis performed by other specialized EDF
departments. Direct exchanges between safety authority analysts and the operators can be set
up as soon as the telexed report is received. This is particularly the case when it is feared that
at least several plants could be concerned by the faults identified or when a severe accident
precursor is suspected.

The mean number of significant incidents is more or less constant over several years —
about seven to eight per year, per unit — there are significant variations from one site to
another. Almost half of these incidents now occur during unit outages. This confirms the

138
specific difficulties of these periods and probably also witnesses the penetration of safety
culture: perhaps certain incidents with no consequences for plant unit operation would
previously not have been reported.

In any cases, detection and declaration of safety significant events and significant
incidents are the responsibility of the operating organization. Inspections may check that no
declarations are missing.

[Link]. Significant incident analysis methods

The methods described below were gradually elaborated by collective team work.
From the outset, the IPSN has been an instigator, devising approaches to be adopted and
developed by the operating utility.

Collective examination of events and incidents

At the IPSN, supervision of a set of plant units (ideally two units) is particularly
entrusted to a specific assignment engineer. In order to derive maximum benefit from PWR
standardization, each specific assignment engineer is informed of all significant PWR
incidents by circulation of the relevant telexes and reports. All the incidents are reviewed
during weekly meetings, when the most important occurrences are short-listed. During these
meetings, the specific assignment engineers indicate the most significant recent “safety-related
events” and exchange available information on incidents abroad. In this way, each analyst is
informed of occurrences affecting the French PWR population and of significant incidents
reported abroad. In the EDF head office departments, the working method is much the same.

Selection of significant incidents for in-depth analysis

The significant incidents for in-depth analysis are selected during these meetings. The
selection criteria are not formalised but may be outlined as follows:

x Incidents which have an affinity with the corresponding design basis incidents, with an
estimated frequency of below 10-2 per year and per unit, or which are capable of leading
to such incidents, possibly under different operating conditions;

x Incidents not foreseen at the design stage;

x Accumulated safety-related system failures and accumulated errors, whether due to

random faults, common mode failures or system interaction;

x Incidents giving rise to errors resulting from failure to understand plant behaviour or
safety requirements.

x Significant effect on core-melt frequency indicated by PSA.

There is consequently a systematic, although often implicit, reference to the design

rules and criteria, enabling appraisal both of the gravity of the incident and the validity of the
design rules. The 400 to 450 significant incidents on French PWR’s reported every year give
rise to ten to twenty in-depth analyses, each of which may cover several incidents.

139
Example of classification

An example of classification relating to different types of events occurring on the same

function will illustrate the differences between the levels.

When one emergency core cooling train (out of two) is unavailable the technical
specifications require to have reached cold shutdown before a time limit of 3 days if repair
work and requalification cannot be done properly in shorter time.

x The unavailability of one train discovered by a periodic test, having a non generic cause,
and for which repair and requalification can be done in less than 3 days is a safety related
event.

x The unavailability of one train discovered by a periodic test, but possibly generic, and/or
asking for repair and requalification more than 3 days is a safety significant incident.

x Both low-head ECCS pumps tripping on an ECCS signal (as occurred at Blayais 1 in
1991) represents a precursor event.

In depth analysis

The starting point for analysis will be a thorough acquaintance with how the incident
took place, which safety functions were implicated, how operators and equipment behaved,
what the consequences were, together with knowledge of any similar incidents which may
have occurred. Despite the quality of the operator incident reports, the information supplied
usually has to be supplemented by direct contacts with the plant or the relevant EDF head
office departments and, in many cases, by inspection of the buildings and equipment
concerned.

The first action consists in determining whether, in other circumstances, the same
accident would have had far more severe consequences. This is known as exploring the
degeneration paths and can be summed up by the question “what if ? ...”. The second action
consists in seeking the root causes of the incident by tracing back as far as possible along the
branches of the incident cause tree, not only as regards equipment, but also procedures and
human behaviour, differentiating between what is specific to the plant considered and what
could occur at any units of the same type. The third action consists in applying to other
equipment, systems or situations the root causes identified to make sure that they could not
initiate entirely different sequences of consequences, which could be potentially serious.

The analysis then proceeds with the identification of incidents of the same type or of
possible precursor events. It is, of course, obvious that the in-depth analysis of a significant
incident must not be isolated from the overall context of other incidents in France or
elsewhere and that parallels should be freely drawn. So this concerns both events having the
same material, human or organizational origins and incidents arising from similar scenarios.
This grouping of incidents is an essential element in the valid appraisal of data provided by a
significant incident.

The first corrective steps proposed by the operating utility are often simple
compensatory measures, such as instructions aimed at precluding scenarios with more severe

140
consequences further to an initiator of the same type as that observed. Such “administrative”
steps can generally be taken without loss of time and at low cost. Analysts and operators
readily agree on this type of measure. However, it is not so easy to arrive at agreement in cases
where modifications to the plant are deemed necessary, especially if these have to be extended
to other equipment or several plant units.

IPSN in-depth analysis reports on significant incidents systematically conclude with

recommendations that may be reformulated by the DSIN as requests to the operating utility or
special requirements. Before transmission to the DSIN, draft recommendations are, of course,
discussed with the operating authorities both as regards the measures required and the time
allowed for their implementation. These technical contacts provide good opportunities for
deep thinking. They in no way infringe IPSN autonomy, since points of agreement and
disagreement are clearly explained with arguments for or against. It should also be borne in
mind that the IPSN is required to express its decision as to the acceptability of proposals made
by the operating utility. It is not within the scope of its function to prescribe technical
solutions. These have to be determined by those responsible for the installation.

Guidelines for significant incident analysis

This analysis method was gradually structured by the EDF head office departments to
assist the different plants in conducting as exhaustive an analysis as required.

The main steps are as follows:

x Cause analysis:
 Data collection.
 Logical sequence of events.
 Identification of failures and inappropriate actions.
 Identification and explanation of discrepancies with respect to the quality assurance
system.

x Assessment of effective consequences:

 For reactivity control.
 For core cooling control.
 For containment control.

x Identification of operating scenarios disturbed by failures and mistakes:

 Characteristics of the disturbed scenarios.
 Identification of the disturbed scenarios.

x Assessment of potential consequences:

 Elaboration of an event tree for each disturbed scenario identified considering the
initial state, subsequent undermined states, the defence in-depth lines of defence
provided and the quality assurance system.
 Identification of fault conditions elsewhere in the plant, in other units in the plant
considered or on other French sites.

x Corrective actions:
 Required to restart the installation or maintain power operation.
 Required to preclude fault conditions and inappropriate actions.

141
 This method is more and more consistently applied by the plants, resulting in the
gradual improvement of significant incident reporting. It is obviously also applied for all in-
depth analyses deemed necessary by the EDF head office departments.

[Link]. Safety case study: the Three Mile Island accident [22]

The Three Mile Island nuclear power plant is located on the Susquehanna River in
Pennsylvania, USA, 16 km from the state capital, Harrisburg, a city of 90 000. It has two
900 MW(e) units with pressurised water reactors designed by Babcock and Wilcox. The
second unit of the site started commercial operation on December 30, 1978.

The Babcock and Wilcox 900 PWR design uses 2 steam generators of the once-
through type. These steam generators are long, about 28 meters, which induces a specific
layout : the bottom of the steam generators is lower then the core inlets (Fig. 15). Then the
transition to natural convection cooling on the primary side can be difficult in some
conditions. Furthermore, they only contain a small amount of secondary cooling water,
making the installation rather sensitive during certain kinds of transient.

In the case of a loss of normal SG feedwater there is an increase in temperature, hence

in pressure, in the primary cooling system, systematically leading to opening of the pressurizer
relief valve, during a few seconds.

Containment Spraying

Relief Valve

Block Valve Safety Valves

Steam Generator

Pressurizer

Level Indicator

Core

Vessel

Primary Pump

Pressurizer Relief Tank

FIG. 15. Main layout of Three Mile Island NSSS.

142
Simplified scenario

The accident starts at 4:00 a.m. on Wednesday March 28, 1979 with the loss of normal
water supply to the steam generators. The primary transient causes emergency shutdown,
which gradually lowers pressure in the primary cooling system. After 12 seconds the relief
valve receives as normal the command to close but this valve remains jammed open. The
primary cooling system continues to discharge into the pressurizer relief tank, located in the
containment, at a flow-rate of 60 metric tons per hour (there are approximately 200 metric
tons of primary coolant).

The steam generator auxiliary feedwater system pumps start up normally after 30 seconds, but
the connecting valves between the pumps and the steam generators are closed instead of open,
due to a maintenance error. The generators dry out in 2 to 3 minutes, stopping all cooling of
the primary system. Although the position indicator for these valves located in the control
room signal this fault, eight minutes pass before the operators identify the fault and give the
command manually to open the valves. Twenty-five