| Main |
1.1. |
Requirements for the operation of nuclear power plants are established in IAEA Safety Standards Series No. SSR‑2/2 (Rev. 1), Safety of Nuclear Power Plants: Commissioning and Operation [1], while requirements for the design of nuclear power plants are established in IAEA Safety Standards Series No. SSR‑2/1 (Rev. 1), Safety of Nuclear Power Plants: Design [2]. |
| Main |
1.2. |
This Safety Guide provides specific recommendations on controlling activities relating to modifications to nuclear power plants. |
| Main |
1.3. |
This Safety Guide was developed in parallel with six other Safety Guides on the operation of nuclear power plants: IAEA Safety Standards Series No. SSG‑70, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants [3];
IAEA Safety Standards Series No. SSG‑72, The Operating Organization for Nuclear Power Plants [4];
IAEA Safety Standards Series No. SSG‑73, Core Management and Fuel Handling for Nuclear Power Plants [5];
IAEA Safety Standards Series No. SSG‑74, Maintenance, Testing, Surveillance and Inspection in Nuclear Power Plants [6];
IAEA Safety Standards Series No. SSG‑75, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants [7];
IAEA Safety Standards Series No. SSG‑76, Conduct of Operations at Nuclear Power Plants [8].
|
| Main |
1.4. |
The terms used in this Safety Guide are to be understood as defined and explained in the IAEA Safety Glossary [9]. |
| Main |
1.5. |
This Safety Guide supersedes IAEA Safety Standards Series No. NS‑G‑2.3, Modifications to Nuclear Power Plants |
| Main |
1.6. |
The purpose of this Safety Guide is to provide recommendations on controlling activities relating to modifications to nuclear power plants, to meet the requirements established in SSR‑2/2 (Rev. 1) [1], in particular Requirement 11. |
| Main |
1.7. |
The recommendations provided in this Safety Guide are aimed primarily at operating organizations of nuclear power plants and regulatory bodies. |
| Main |
1.8. |
It is expected that this Safety Guide will be used primarily for land based stationary nuclear power plants with water cooled reactors designed for electricity generation or for other production applications (such as district heating or desalination). |
| Main |
1.9. |
This Safety Guide covers modifications to nuclear power plants, including modifications relating to plant configuration and to the operating organization, as well as temporary modifications. The responsibilities of the operating organization for the design, safety assessment and review, control, implementation and testing of these modifications are also within the scope of this Safety Guide. |
| Main |
1.10. |
The modifications made during the design and construction stages of a nuclear power plant are outside the scope of this Safety Guide. |
| Main |
1.11. |
The repair and replacement of equipment and components as part of the maintenance of the plant that lead to new components (e.g. owing to unavailability of spare parts) are within the scope of this Safety Guide. Other repair or replacement of equipment or components are outside the scope of this Safety Guide. Recommendations on such maintenance are provided in SSG‑74 [6]. |
| Main |
1.12. |
The modification and/or refurbishment of nuclear power plants for the purpose of extending their design lifetime could necessitate major design modifications and re‑evaluation of plant safety, and such modifications are within the scope of this Safety Guide. |
| Main |
1.13. |
Recommendations relating to the management of modifications at nuclear power plants are provided in Section 2. Section 3 identifies the roles and responsibilities of the operating organization in relation to the modification programme and the use of contractors and other external organizations. Sections 4 and 5 provide recommendations on modifications and their assessment in respect of safety aspects. Section 6 provides recommendations on temporary modifications. Recommendations on the implementation of modifications relating to plant configuration and of organizational changes are provided in Sections 7 and 8, respectively. Section 9 provides recommendations on the training of personnel, and Section 10 provides recommendations on the management of documentation relating to modifications. Appendix I presents a proposed categorization of modifications based on their importance to safety. Appendix II presents an example of the steps to be followed when developing the overall modification programme. |
| Main |
2.1. |
Requirement 11 of SSR‑2/2 (Rev. 1) [1] states that “The operating organization shall establish and implement a programme to manage modifications.” |
| Main |
2.2. |
Plant modifications are required to be performed in accordance with a management system that is established and implemented by the operating organization in accordance with the requirements established in IAEA Safety Standards Series No. GSR Part 2, Leadership and Management for Safety [10]. Relevant recommendations are provided in IAEA Safety Standards Series No. GS‑G‑3.5, The Management System for Nuclear Installations [11]. |
| Main |
2.3. |
Throughout the lifetime of a nuclear power plant, the operating organization should regularly inspect, test and maintain the plant, in accordance with approved procedures, to ensure that the plant continues to meet the design requirements and remains consistent with the assumptions and results of the safety analysis. The management of plant modifications is required to be consistent with the control of plant configuration (see Requirement 10 and para. 4.38 of SSR‑2/2 (Rev. 1) [1]). Modifications are also required to conform to the design requirements and to the plant configuration documentation that has been revised as part of the modification programme throughout the plant lifetime. No modification to a nuclear power plant, whether temporary or permanent, should affect the plant’s ability to be operated safely in accordance with the intent of the design. |
| Main |
2.4. |
The management of modifications to a nuclear power plant is the responsibility of the operating organization (see Requirement 1 and para. 3.1 of SSR‑2/2 (Rev. 1) [1]). Recommendations on the roles and responsibilities associated with the modification programme are provided in Section 3. |
| Main |
2.5. |
The need for modifications to the plant should be assessed on the basis of the following:Operating experience, including national and international operating experience;
The findings of periodic safety reviews and other relevant safety assessments;
Current safety objectives;
Regulatory requirements;
The adequacy of the design basis for internal and external hazards;
Advances in knowledge;
Improvements in technology;
Unavailability of spare parts.
|
| Main |
2.6. |
Modifications are required to be characterized on the basis of their safety significance (see para. 4.39 of SSR‑2/2 (Rev. 1) [1]) and should be designed and implemented in a time frame that is consistent with this safety significance. A suggested system for categorizing modifications on the basis of their safety significance is shown in Appendix I. |
| Main |
2.7. |
Modifications that might affect safety should be divided into the following two categories: |
| Main |
2.8. |
An example showing the elements of a modification process for safety related modifications is given in Appendix II. The process presented in Appendix II distinguishes between plant configuration (i.e. technical, documentation and procedural) modifications relating to the plant design (see Sections 4 and 7) and modifications to the management system (safety related organizational changes; see Sections 5 and 8). |
| Main |
2.9. |
As part of the programme to manage modifications, changes in the supply chain of products or services should also be considered. |
| Main |
2.10. |
All modifications should be documented in proportion to their safety significance. In cases where this is not readily apparent, the absence of any safety significance should be demonstrated by the operating organization. |
| Main |
2.11. |
Modifications to computer based systems and associated hardware and software are required to be controlled using the same principles and methods that apply generally to modifications (see para. 4.42 of SSR‑2/2 (Rev. 1) [1]). In some cases, issues might arise that uniquely affect computer based applications, and these should be taken into account in the procedure for modifications. Further recommendations are provided in IAEA Safety Standards Series No. SSG‑39, Design of Instrumentation and Control Systems for Nuclear Power Plants [12]. |
| Main |
2.12. |
Paragraph 4.40 of SSR‑2/2 (Rev. 1) [1] states: |
| Main |
2.13. |
When a modification is necessary, the full consequences of the modification for the safety of the plant should be reviewed and the boundaries and impacts of the modification (including physical, system and control boundaries, and the conditions of the environment where the modification will be made) should be defined. Many systems within a nuclear power plant are interrelated; consequently, a modification in one area might affect other areas. A full review should therefore be performed before the final definition of the areas in which modifications are to be applied. Wherever possible, experience from other plants at which similar modifications have been made should be taken into account. |
| Main |
2.14. |
Modifications should be planned taking into account the following:The scope and significance of the modification;
The organizations involved and their responsibilities, and the interactions between these organizations;
Interfaces with nuclear security;
The different phases of the modification and the content of these phases;
The input and output data for modification phases;
The structure of documentation;
The procedures, plans and programmes to be implemented;
Previous experience;
The application of a graded approach;
Items needing special attention, witness and hold points, and reporting.
|
| Main |
2.15. |
Modifications relating to the configuration of the plant and the operational limits and conditions are subject to the requirements for the design of nuclear power plants established in SSR‑2/1 (Rev. 1) [2]. In particular, the capability of the plant to perform all safety functions should be maintained. |
| Main |
2.16. |
The safety policy of the operating organization with regard to modifications should be based on the following:Maintaining barriers (and the protection of such barriers) to radioactive releases;
Strengthening the independence of each level of defence in depth and ensuring the adequate reliability of each level during operation, as a consequence of all modifications and related operational activities.
|
| Main |
2.17. |
A defence in depth approach should be applied to all operational activities relating to modifications to the plant. These activities should be carefully planned, appropriately authorized and carried out by competent personnel in accordance with approved procedures issued under the management system, to achieve a high level of safety performance. In addition, adequate independent safety assessments and verifications should be carried out when designing and implementing modifications, to ensure their reliable accomplishment. |
| Main |
2.18. |
The installation of modified systems and/or equipment should be performed in accordance with the work control system and appropriate testing procedures for the plant. The modifications should be under the control of the operating organization at all times. |
| Main |
2.19. |
Before being put into operation, plant modifications should be tested and checked to demonstrate compliance with the design and to ensure that the correct configuration of the plant is maintained. For modifications that need to be tested under operational conditions (e.g. radiation levels, pressure, temperature), this should be done in accordance with an established commissioning programme. All relevant documents necessary for the operation of the modified plant are required to be updated, and operating personnel are required to be appropriately trained (see para. 4.43 of SSR‑2/2 (Rev. 1) [1]). |
| Main |
2.20. |
Modifications to design features or equipment used for design extension conditions, including mobile and portable equipment, are also required to be performed in accordance with the plant modification programme. |
| Main |
3.1. |
The operating organization retains the prime responsibility for safety, including for all safety implications of modifications (see Requirement 1 of SSR‑2/2 (Rev. 1)). [1]. This responsibility includes arranging for the appropriate review and approval of modifications. The operating organization should apply for the necessary licence or approval from the regulatory body to execute the modification, as appropriate. |
| Main |
3.2. |
Paragraph 4.39 of SSR‑2/2 (Rev. 1) [1] states: |
| Main |
3.3. |
The operating organization is required to maintain a formally designated entity that takes responsibility for the continuing integrity of the plant design (often referred to as the ‘design authority’) (see para. 3.2(f) of SSR‑2/2 (Rev. 1) [1]). This entity should formally approve all modifications. |
| Main |
3.4. |
Paragraph 4.41 of SSR‑2/2 (Rev. 1) [1] states that “The operating organization shall establish a formal system for informing relevant personnel in good time of temporary modifications and of their consequences for the operation and safety of the plant.” |
| Main |
3.5. |
The operating organization should ensure that the appropriate safety analyses have been performed before the implementation of a modification is commenced. Where an independent safety review of the scope and implications of a proposed modification is needed, it should be carried out by personnel who are not involved in the design and implementation of the modification. |
| Main |
3.6. |
The operating organization should arrange for the availability of competent personnel and suitable tools to assist in design studies and development work for modifications on plant items important to safety. These personnel should be involved in the preparation of specifications for modifications, the assessment of proposed designs and the supervision of the engineering work. Special arrangements should be made to support the plant activities relating to plant modifications that involve special tools or analysis methods. |
| Main |
3.7. |
The operating organization should ensure that modifications are carried out in the correct sequence, since subsequent modifications might be dependent upon the completion of previous modifications in a particular sequence. |
| Main |
3.8. |
The operating organization should ensure that modifications are planned and implemented in accordance with the management system (see para. 2.2). |
| Main |
3.9. |
The operating organization is required to carry out periodic safety reviews or safety assessments under alternative arrangements to confirm that the safety analysis for the plant remains valid considering the cumulative effects of modifications (see para. 4.44 of SSR‑2/2 (Rev. 1) [1]). Relevant recommendations are provided in IAEA Safety Standards Series No. SSG‑25, Periodic Safety Review for Nuclear Power Plants [13]. |
| Main |
3.10. |
The operating organization should ensure that any revisions to plant documentation, personnel training and plant simulators necessitated by the modifications are implemented in a complete, correct and timely manner as part of the modification programme. Modifications to plant simulators should be prioritized and implemented on the basis of their scope and significance to ensure appropriate training. |
| Main |
3.11. |
The operating organization should take into account the experience gained from making a modification at a plant for the first time, before making the modification in other parts of the plant or at other plants. |
| Main |
3.12. |
While the operating organization may delegate or subcontract the engineering, assessment and execution of certain tasks for modifications to other organizations, it remains responsible for safety (see para. 4.33 of GSR Part 2 [10]). The operating organization should have staff with sufficient technical knowledge to guide and evaluate any modification work performed on its behalf. |
| Main |
3.13. |
When a contractor is involved in making modifications, the professional competence, experience and qualifications of all personnel involved should be confirmed, and it should be ensured that the contractor’s management system meets the expectations of the operating organization. |
| Main |
3.14. |
In assessing the consequences of a modification for plant safety, the original design organization, architect engineers and/or construction organization should be consulted, as appropriate, in order to provide assurance that the design basis and functions will be preserved following the modification. |
| Main |
4.1. |
For the purposes of this Safety Guide, modifications relating to plant configuration are defined as any permanent or temporary alterations to structures, systems or components, process software, operational limits and conditions, operating procedures or plant configuration documentation. This includes any replacement or refurbishment of existing structures, systems or components. This does not include the replacement of a component by an equivalent component in recognized maintenance activities. |
| Main |
4.2. |
Proposed modifications should be categorized in accordance with their safety significance (see Appendix I). The principles for managing modifications are the same for all categories, but in each step of the modification process the categorization determines the level of detail of the safety review that should be applied. |
| Main |
4.3. |
The criteria used in determining the categorization of each modification should be defined and documented to help ensure the correct assessment of the safety significance associated with the implementation, testing and operation of the modification, even if the modified item is not safety classified. |
| Main |
4.4. |
In accordance with paras 4.6 and 5.2 of IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), Safety Assessment for Facilities and Activities [14], the safety assessment of a nuclear power plant is required to be updated as necessary so as to take into account modifications to the design or operation of the plant. |
| Main |
4.5. |
An initial safety assessment should be carried out before starting a modification to determine whether the proposed modification has any consequences for safety. Human and organizational factors are also required to be considered when assessing the modification (see para. 4.40 of SSR‑2/2 (Rev. 1) [1]). This initial assessment should be carried out by qualified and trained personnel, taking a systematic approach, and should be reviewed by an independent safety expert (see GSR Part 4 (Rev. 1) [14]). The implementation phase for the modification as well as the plant operation after the modification should be considered in the initial safety assessment. The result of the initial safety assessment should lead to a decision on the categorization of the proposed modifications, as described in paras 4.2 and 4.3. |
| Main |
4.6. |
Depending on the results of the initial safety assessment, a more detailed and comprehensive safety assessment might be needed. The extent and complexity of this additional assessment will depend on the nature and extent of the potential consequences of the modification for safety. If the initial assessment has clearly demonstrated that the modification will have no adverse consequences for safety during its implementation nor after the modification is made, then further safety assessment might not be necessary. |
| Main |
4.7. |
Modifications that might affect redundant safety related items should be subject to a comprehensive safety assessment, with particular consideration given to avoiding the possibility of common cause failures and common mode failures. The implementation of such modifications should be performed, if practicable, in a phased sequence in order to collect operating experience and test results on the first redundant train or part of the system, before proceeding to modify the other equivalent redundant trains or parts of the system. |
| Main |
4.8. |
A comprehensive safety assessment should include an evaluation of the effect of the modification on radiological hazards during its implementation and during subsequent commissioning, testing, maintenance, operation and decommissioning of the modified plant. This evaluation should include the effect of the modified plant item and its associated system on physically adjacent systems and plant items, and on interconnected systems or support systems such as electrical power supplies. |
| Main |
4.9. |
The comprehensive safety assessment should demonstrate that the modified plant can be operated safely and that it complies with the system specifications and relevant safety requirements. Special consideration should be given to demonstrating the following:The modification complies with all relevant requirements established in SSR‑2/1 (Rev. 1) [2] and SSR‑2/2 (Rev. 1) [1] for all relevant plant states.
Interfaces with nuclear security have been taken into account.
New or modified systems will not adversely affect the safety of other items important to safety under all plant states.
Due account has been taken of the potential consequences of the modification being inadequately implemented.
The occupational exposures from the implementation of the modification and the occupational exposures and public exposures (including potential exposures due to accidents) as a result of the modification are below approved limits and as low as reasonably achievable. In considering this, the need for the modification and any associated benefits to safety should be taken into account.
The modification can be performed without adversely affecting the safety of the plant and will not introduce new hazards.
The technical or operational effect of the modified system on each of the accident sequences considered in the safety analysis report has been adequately assessed.
Each identified failure mode of the modified system has been assessed by appropriate evaluation methods. In addition to the direct effects on the plant, the effects on items important to safety should also be considered in the assessment.
The impact of potential external events and the consequences of inadequate qualification of the structures, systems and components to withstand them has been assessed and/or analysed.
The environmental impact has been evaluated and considered.
The safety consequences of implementing the modifications (and of any temporary equipment used), and the ability to withstand anticipated operational occurrences and accident conditions during the implementation, have been considered.
The potential interaction with other design changes has been reviewed to ensure control of the plant configuration after implementation of the modification (e.g. because a later change might depend on whether an earlier proposed change has already been made).
The scope of commissioning testing meets system specifications.
The radioactive waste arising from the plant modification will be properly managed.
The need to temporarily disable any safety related plant interlocks, or to suspend any operating restrictions, has been fully assessed before implementation, and steps are in place to ensure the prompt reversal and reinstatement of such measures.
In a case where a modification has already been implemented in a similar plant, any differences between the plants has been properly assessed before design documentation, implementation procedures or test procedures have been duplicated.
|
| Main |
4.10. |
The comprehensive safety assessment should include a re‑evaluation of the deterministic safety analysis and the probabilistic safety analysis, applying the relevant standards for safety evaluation and taking into account uncertainties in data. The results should then be used to inform a conservative decision making process. The results of the analysis can also be used to decide on additional risk reduction measures. |
| Main |
4.11. |
A risk informed approach should be used to assess possible alternative solutions to a proposed modification and to evaluate their impact on safety. This should be based on the results of the probabilistic safety analysis and the deterministic safety analysis, and on engineering judgement and operating experience feedback. |
| Main |
4.12. |
For multiple unit plant sites, the safety assessment for proposed modifications should take account of the potential for internal and external hazards to give rise to impacts on several or all units on the site simultaneously. Any modification proposed to enhance safety by providing interconnections between units should be assessed to show that the modification does not affect compliance with Requirement 33 of SSR‑2/1 (Rev. 1) [2], in which each unit is required to have its own safety systems and to have its own safety features for design extension conditions. |
| Main |
4.13. |
The scope, safety implications and consequences of proposed modifications should be reviewed by personnel not involved in their design or implementation. These reviewers should include representatives of the operating organization as well as engineering personnel, representatives of the design organization, safety experts, other technical experts and advisers on managerial and organizational issues, as appropriate. The reviewers may also include independent external advisers, as necessary (particularly for major modifications), to ensure that a full and adequately informed review of the modification, including all its safety implications for the plant, can be conducted. These reviews should also include appropriate independent validation and verification of software changes for major modifications. |
| Main |
4.14. |
Proposals for modifications submitted for independent review should be in accordance with the management system of the operating organization. The proposals should specify the functional requirements and safety requirements for the proposed modifications and should show how these are to be met. The amount of information needed will depend on the extent and complexity of the modification; however, at a minimum, submissions should include the following:Design documents or amendments to initial design documents for the part of the plant affected by the modification;
A description of the design and justification of the proposed modification;
Sketches, drawings and a list of materials;
Specifications for parts and materials;
Applicable codes and standards and relevant safety analyses;
A safety assessment and, if applicable, proposed modifications to the operating limits and conditions, if any;
An analysis of adverse environmental conditions or operating conditions, including any implications in terms of radioactive waste, contamination, radioactive releases and exposure to radiation;
A description of the methods of fabrication, installation and testing, including the methods of validation and verification of software;
Specification of the operating conditions of the plant, or parts thereof, necessary to implement the modification;
Statement of requirements for the assurance of quality in the management system;
A description of the equipment qualification (see Requirement 13 of SSR‑2/2 (Rev. 1) [1]) and the testing and commissioning to be performed after implementation;
A description of changes to the safety related plant maintenance and ageing management arrangements;
A description of how to determine the effectiveness of the achievement of the objectives of the modification.
|
| Main |
4.15. |
The results of the safety assessments for a modification should be reviewed by the safety committee (or a group of personnel with similar responsibilities) and should be subject to approval by the operating organization. As part of the graded approach, the safety committee should consider the categorization attributed to the modification (i.e. that based on the safety significance), and should request changes as necessary. This could result in a need for additional safety justifications for the modification. |
| Main |
4.16. |
When modifications, including the installation of new or additional structures, systems and components, are first proposed, their compatibility with the original design bases should be assessed. Modifications relating to plant configuration should meet the requirements for the design of nuclear power plants established in SSR‑2/1 (Rev. 1) [2]. In particular, the capability to fulfil the fundamental safety functions (see Requirement 4 of SSR‑2/1 (Rev. 1) [2]) is not to be degraded. |
| Main |
4.17. |
The modifications should, whenever possible, minimize the deviations from the original design and its bases. When such deviations are inevitable, the modifications should be evaluated to ensure that they meet the requirements established in SSR‑2/1 (Rev. 1) [2]. It should be ensured that, once established, the revised design requirements are justified, maintained and made available to all parties involved in the implementation of the modification. |
| Main |
4.18. |
The detailed design of modifications should include specifications for construction, installation, commissioning, equipment qualification and testing (including test acceptance criteria), ageing control and maintenance during operation and decommissioning. |
| Main |
4.19. |
Paragraph 4.8 of SSR‑2/2 (Rev. 1) [1] states that “The operational limits and conditions shall be reviewed and revised as necessary in consideration of experience, developments in technology and approaches to safety, and changes in the plant.” Recommendations on operational limits and conditions are provided in SSG‑70 [3]. |
| Main |
4.20. |
Where alterations to the operational limits and conditions become necessary, they should be considered to be modifications of high safety significance (i.e. Category 1 modifications, as described in Appendix I). |
| Main |
4.21. |
Where it is necessary to modify operational limits and conditions temporarily (e.g. to perform physics tests on a new core), particular care should be taken to ensure that the effects of the modification are analysed. The modified state, although temporary, is required to undergo assessment and approval in the same way as for a permanent modification (see para. 4.40 of SSR‑2/2 (Rev. 1) [1]). Where a permanent approach is available as a reasonable alternative, this should be preferred to a temporary modification of operational limits and conditions. |
| Main |
4.22. |
Modifications to procedures and documentation should be categorized in accordance with their safety significance. A comprehensive and detailed safety assessment (see para. 4.6) should be carried out, as necessary. |
| Main |
4.23. |
Any modifications to procedures and documentation are required to be approved (see para. 7.4 of SSR‑2/2 (Rev. 1) [1]). Modified documents should be verified and validated before use. Any other documents affected by the modifications are required to be revised, and operating personnel are required to be appropriately trained (see para. 4.43 of SSR‑2/2 (Rev. 1) [1]). |
| Main |
4.24. |
A structured modification process should be in place to govern any hardware or software change, including a hardware upgrade, before the implementation of the change. Strict configuration control should be maintained throughout modification processes for software, in particular to resolve any conflicts resulting from modifications being carried out simultaneously. Only those items for which the pre‑installation tests have been successfully completed should be installed in the plant. Recommendations on the design and control of software for nuclear power plants are provided in SSG‑39 [12]. |
| Main |
4.25. |
For modifications to be carried out on computer systems (in particular, software), a comprehensive validation and verification process should be implemented to ensure the suitability of the changes. |
| Main |
4.26. |
Common mode failure deriving from software is required to be taken into consideration for computer based safety systems (see para. 6.37(e) of SSR‑2/1 (Rev. 1) [2]). Thus, due consideration should be given to the recommendations provided in SSG‑39 [12]. |
| Main |
4.27. |
Consistency is required between modifications, design requirements and plant documentation (see Requirement 10 and para. 4.38 of SSR‑2/2 (Rev. 1) [1]). When modifications are made to structures, systems and components or process software, the relevant plant documentation should be modified accordingly. When modifications are to be made to operational limits and conditions (see paras 4.19–4.21), the associated operating instructions and procedures should be modified accordingly (see paras 4.22 and 4.23), and in some cases the associated structures, systems and components might also be subject to modification. |
| Main |
4.28. |
Configuration management should also be used to ensure that the implementation of the modification is in accordance with the design requirements as established in the design documentation. |
| Main |
4.29. |
Consideration should be given to the need to revise procedures, training and plant simulators or training facilities as part of the implementation of the modification (see also para. 4.21 of SSR‑2/2 (Rev. 1) [1]). The procedures to be considered for revision should include operating procedures for normal operation, emergency operating procedures, severe accident management guidelines, surveillance and maintenance procedures, and calibration and testing procedures and plant instructions. |
| Main |
4.30. |
Training is required to be provided for plant personnel on the modified plant structures, systems and components (see para. 4.43 of SSR‑2/2 (Rev. 1) [1]). This training should address all operational states and accident conditions, and maintenance and testing, as appropriate. |
| Main |
4.31. |
Any updates to the configuration of the plant simulator or training facilities should be included within the modification programme, to ensure that this programme accurately reflects all modifications and changes made to the plant. |
| Main |
4.32. |
Procedures should be put in place to avoid two or more potentially conflicting modifications being designed and implemented simultaneously on the same part of the plant or on interrelated parts of the plant. As such, the use of master drawings, safety analysis reports and procedures should be subject to rigorous controls. The operating organization should designate a specific entity (e.g. a section or team of personnel) to manage the modification programme. Requests for modifications should be routed through this entity, which should track modifications until they are fully implemented. When a proposed modification is rejected, this should be formally recorded. The entity responsible for managing modifications should also ensure that the originators of proposed modifications are advised of the need to coordinate their activities. |
| Main |
5.1. |
Requirement 3 of SSR‑2/2 (Rev. 1) [1] states that “The structure of the operating organization and the functions, roles and responsibilities of its personnel shall be established and documented.” The operating organization should set up its organizational structure for the safe operation of nuclear power plants before the commencement of operation. Further recommendations on the operating organization for nuclear power plants are provided in SSG‑72 [4]. |
| Main |
5.2. |
Changes to the structure of the operating organization are required to be considered as part of the formal modification programme and are required to be characterized on the basis of their safety significance (see para. 4.39 of SSR‑2/2 (Rev. 1) [1]). These changes should follow the formal modification process established at the plant (see Appendix II). Benchmarking and analyses of feedback from operating experience relating to organizational changes in the nuclear industry and in other industries should be used to support this process. |
| Main |
5.3. |
Paragraph 3.9 of SSR‑2/2 (Rev. 1) [1] states: |
| Main |
5.4. |
Special attention should be paid to the review and revision of the programme for the training of personnel, to ensure in advance that management and staff have a broad understanding of the new tasks and functions associated with the organizational changes. In particular, it should be ensured that adequate provision has been made to maintain a suitable number of trained and competent personnel in all areas important to safety, and that any new organizational arrangements have been documented with clear and well understood functions, roles and responsibilities. The training needs for these functions, roles and responsibilities should be identified, and training should be provided for relevant staff, as necessary. |
| Main |
5.5. |
Recommendations on the management of plant operations, including the need for the operating organization to establish appropriate documented management programmes, are provided in Section 7 of SSG‑72 [4]. Any modifications to such management programmes should be reviewed by the operating organization to assess their consequences for safety. Modifications to specific operation management programmes could influence other programmes; consequently, a thorough review should be performed to determine the extent to which this might affect safety. |
| Main |
5.6. |
The safety of a nuclear power plant is assessed a number of times (e.g. at the design stage, the commissioning stage and during operation) to ensure that the plant is operated within safety limits and meets its licence conditions. The accuracy of, and confidence in, the safety assessment will depend on the assessment tools and input data with which the assessment is performed. The operating organization should, as part of a process of continuous improvement, consider updating the tools and should check whether the data used remain valid. Examples include improved computer modelling of physical processes, advanced understanding of fault (or accident) conditions, new safety assessment approaches and new in‑service inspection techniques. Any modifications to the existing safety assessment tools should be reviewed for their safety implications, including an assessment of the uncertainty in determining safety margins. |
| Main |
6.1. |
Modifications that are implemented for a limited period of time should be treated as temporary modifications. Examples of temporary modifications are temporary bypass lines, electrical jumper wires, lifted electrical leads, temporary trip point settings, temporary blind flanges and temporary defeats of interlocks. Temporary modifications also include temporary construction and installations used for maintaining the design basis configuration of the plant in unanticipated situations. In some cases, temporary modifications can be made as an intermediate stage in making permanent modifications. |
| Main |
6.2. |
Temporary modifications should not be used instead of permanent modifications to speed up implementation or to bypass a full scope safety assessment. However, the process for temporary modifications should allow for the rapid review and assessment of any proposed modifications that have to be undertaken urgently. Such urgent actions should neither reduce levels of safety nor allow the modification to be implemented without a prior safety assessment. Paragraph 4.40 of SSR‑2/2 (Rev. 1) [1] requires the same modification control measures for both temporary and permanent modifications. |
| Main |
6.3. |
Except in cases of urgent needs or when explicitly permitted by established procedures, the configuration of items important to safety should not be altered (such as by defeating interlocks or installing jumpers) without written orders or instructions from authorized persons. Such alterations should not violate operational limits and conditions. Any alteration should be reviewed by competent persons as soon as possible, before its implementation. Further recommendations on the control of temporary modifications to plant equipment are provided in SSG‑76 [8]. |
| Main |
6.4. |
Paragraph 4.41 of SSR‑2/2 (Rev. 1) [1] states that “Temporary modifications shall be limited in time and number to minimize the cumulative safety significance.” To achieve this, any opportunity should be taken to remove temporary modifications as soon as possible, in particular during outages, or convert them into permanent modifications. Justification should be provided if a temporary modification persists longer than its agreed duration and a new time limit should be specified. |
| Main |
6.5. |
Documents such as drawings and procedures relating to a temporary modification should be clearly marked to show the presence of the modification until the modification is removed or changed to a permanent modification. |
| Main |
6.6. |
The procedure for obtaining authorization to implement a temporary modification should be the same as that for a permanent modification. This procedure should confirm that the temporary modification does not cause a change in the operational limits and conditions, unless this is separately justified, and does not result in any safety issues other than those that have been properly assessed. |
| Main |
6.7. |
In the safety assessment and review of all proposed modifications (temporary and permanent), any existing temporary modifications and the cumulative safety significance of the proposed change should also be considered. |
| Main |
6.8. |
The operating organization should regularly review temporary modifications and decide whether they are still needed. The review should check that associated operating procedures, instructions and drawings, and operator aids conform to the approved configuration. The status of temporary modifications should be periodically reported (typically at monthly intervals) to the plant manager. Those that are considered to be needed permanently should be converted in a timely manner in accordance with the established procedure. |
| Main |
6.9. |
Paragraph 4.41 of SSR‑2/2 (Rev. 1) [1] states: |
| Main |
6.10. |
An appropriate procedure should be established to control temporary modifications at the plant. The following should be included in this procedure:The designation of personnel who are allowed to initiate, approve, perform and remove temporary modifications.
The procedures for technical reviews, in particular safety reviews to be performed before temporary modifications are made. Temporary modifications to items important to safety (including software) should be independently reviewed by personnel not involved in the design or implementation of the temporary modification.
The control of documentation — such as operating flowsheets, operating manuals, maintenance manuals and emergency procedures — to ensure that this documentation reflects temporary modifications and that the plant continues to be operated and maintained safely while the modification is in place.
The logging, labelling and tagging of temporary modifications in a distinctive manner.
Communication with operating personnel and the involvement of such personnel in the implementation of the modification at the initial stage.
The control of temporary modifications by the operators of the main control room.
The procedures for setting a time limit on temporary modifications and the procedure to extend this time limit, if necessary.
Checks to ensure the reinstatement of the plant configuration, and communication with personnel when a modification is removed.
|
| Main |
7.1. |
Requirement 10 of SSR‑2/2 (Rev. 1) [1] states that “The operating organization shall establish and implement a system for plant configuration management to ensure consistency between design requirements, physical configuration and plant documentation.” |
| Main |
7.2. |
For major modification projects, the operating organization should establish the objectives and organizational structure necessary to achieve these objectives. The operating organization should also appoint a project manager, determine and assign responsibilities, provide appropriate control and supervision, and allocate adequate resources. |
| Main |
7.3. |
The implementation of plant modifications, including necessary testing, should be performed in accordance with the plant’s work control system (see Section 7 of SSG‑76 [8]) and appropriate testing procedures. The implementation of modifications should be subject to the usual maintenance procedures (see SSG‑74 [6]) and administrative procedures, together with any additional procedures generated by reviews and safety assessments. |
| Main |
7.4. |
The operating organization is required to ensure that all personnel, including contractors, who will be involved in the implementation of modifications that might affect safety are suitably qualified, experienced and trained (see Requirement 7 of SSR‑2/2 (Rev. 1) [1]). Appropriate time should be allocated for all personnel affected by the modification to familiarize themselves with the changes. |
| Main |
7.5. |
Any change to the scheduling or sequencing of the implementation of a modification, including packages of modifications that might not be fully implemented or that are implemented in several stages, should be properly assessed and documented with regard to safety and operability. |
| Main |
7.6. |
The following safety aspects of the modification should be considered in a systematic manner:Exposure to radiation, including ensuring that radiation doses are as low as reasonably achievable;
Radioactive waste management, including transport, decontamination and dismantling, as applicable;
Measures to reduce the spread of contamination;
Safe operation of the plant during the implementation of the modification;
The impact of the modification on non‑radiation‑related safety;
Working with personal protective equipment and working in confined spaces or at height.
|
| Main |
7.7. |
The plant should be put in an appropriate safe operating condition for the modification to be made. The system to be modified should also be placed in a safe operating condition. |
| Main |
7.8. |
Consideration should be given to the need for special temporary emergency operating procedures if specific additional hazards associated with the implementation of the modification have been identified. |
| Main |
7.9. |
The process for the control of software changes should include provisions to ensure that all copies of the software (e.g. the master copy, the copy of the software in use, and any development copies) are secure; duplicate copies of any software should be strictly controlled. |
| Main |
7.10. |
Post‑modification testing is required to be performed (see para. 4.40 of SSR‑2/2 (Rev. 1) [1]), and this testing should verify the operability of the overall system as well as the operability of specific components or subsystems involved in the modification. The testing programme should include checks, measurements and evaluations before, during and on completion of the modification. Testing and commissioning of modifications (which may include pre‑installation tests of equipment and mock‑ups), including equipment qualification, should be aimed at demonstrating that the modifications meet their design specifications for all operational states, in design basis accidents and, where appropriate, for design extension conditions. |
| Main |
7.11. |
Tests should be planned as part of the initial design of the modification. The testing of equipment before installation in the plant should be considered. Tests should include specific acceptance criteria based on performance criteria and testing provisions as part of the modification programme. |
| Main |
7.12. |
The commissioning test plan, including the justification for the scope of testing, should be independently reviewed in conjunction with the safety assessment for the modification and should then be made subject to approval by the plant management. The testing should not rely solely on the tests performed by the supplier (i.e. on tests which might not involve testing the complete system in a real configuration) and should verify that any connected systems are not improperly affected by the modification. Commissioning testing should also be used to validate new or revised operating procedures. |
| Main |
7.13. |
A qualification programme for structures, systems and components relating to the modification should be established, as necessary. |
| Main |
7.14. |
Arrangements should be made for the verification and validation of any changes to procedures, operational limits and conditions, and/or software, and this should be done as part of the commissioning. Validation can be done by testing on simulation models or by specially controlled operational tests to confirm that changes are operable and produce the desired results. When conditions do not allow testing to be conducted after the implementation of the modification, testing should be done in advance on specific test facilities. The ability to execute a testing programme successfully and efficiently might depend on the accessibility of the modified system for on‑line measurements and might necessitate special provisions for testing and measurement. The need for such special provisions should be assessed at the design stage of the modification. |
| Main |
7.15. |
Special precautions should be taken with modifications to safety related software, which should be thoroughly tested off‑line before it is put on‑line. If possible, the software should be run in parallel during plant operation (but not connected to plant systems) while its compliance with the design under real plant conditions is checked. |
| Main |
7.16. |
The final approval of modifications before routine operation should be based on the successful completion of the commissioning tests and verification that the information and experience obtained confirms compliance with regard to the design. A modification commissioning report, including the acceptance criteria and the results of commissioning tests, should be produced to assist in this task. The report should be reviewed by the safety committee of the plant and should be made subject to approval by the plant management as a basis for permitting the normal operation of the modified plant. |
| Main |
7.17. |
Before a modification at a nuclear power plant is put into operation, the following should be ensured:All the documentation affected by the plant modification, such as the safety analysis report , operational limits and conditions, drawings, operating and emergency procedures, periodic maintenance and testing procedures, and equipment indexes (commonly used for system operation, tag‑outs and maintenance), has been updated and is available. Documents should not be released for use until the modification has been completed.
The as‑built configuration of modified systems has been verified and the design documentation and, if affected, the design basis document have been updated.
Relevant personnel have been informed and trained in relation to the modification.
Records for design, commissioning, the application of the management system, testing and installation have been reviewed for completeness and accuracy.
The schedule of equipment to be put into operation when needed has been updated.
|
| Main |
7.18. |
The modification of computer systems (in particular, software) during operation should be allowed only if supported by a detailed justification. Modifications to parameter settings that might need to be varied during the operation of the plant (such as trip settings and calibration constants) should only be undertaken on qualified equipment and by qualified personnel. The extent of the variation in parameters at the plant should be limited to the range that is justified in the plant safety analysis. |
| Main |
7.19. |
The correct alignment of all systems and components affected by the modification should be verified independently (within the operating organization) after the modification has been implemented and the commissioning tests have been performed. |
| Main |
7.20. |
To ensure reliable configuration control after implementation of the modification, the status of other design modifications should also be reviewed to ensure that any assumptions about the implementation of these modifications remain valid. |
| Main |
7.21. |
The completion of the modification should include a check that all temporary connections, procedures and arrangements used in implementing the modification have been removed or cancelled and that the plant has been returned to full operational status. It should also include a check that the plant documentation, including the surveillance programme, has been revised to take into account the modification and that the configuration of the plant corresponds to the revised documentation. |
| Main |
7.22. |
The impact of modifications on the plant simulator and associated computer codes should be evaluated to determine whether appropriate modifications have been incorporated and whether the effects of these modifications have been assessed. |
| Main |
7.23. |
The list of spare parts and consumables to be kept in storage at the plant as a consequence of a modification should be reviewed and updated. |
| Main |
8.1. |
Proposed organizational changes should be clearly defined, and their safety implications are required to be assessed (see para. 4.40 of SSR‑2/2 (Rev. 1) [1]). During the implementation of organizational change, the adequacy of safety arrangements should be maintained, especially during the transition phase before the new organizational arrangements have become fully established. Organizational changes should be properly planned well in advance. The possible need for additional resources to cope with any increased workload during the transition phase should be considered. |
| Main |
8.2. |
Operating personnel should be involved in any restructuring of the operating organization in order to avoid undue uncertainty and concern with regard to the planned changes. |
| Main |
8.3. |
Large organizational changes should be implemented in steps, if appropriate. The implementation and completion of each step should be reviewed by a related group, or peer group from another organization or plant, to ensure that the objectives of the changes have been met. |
| Main |
9.1. |
Training is required to be conducted (see para. 4.43 of SSR‑2/2 (Rev. 1) [1]) to ensure that the relevant personnel responsible for operation and maintenance are familiar with the modifications and are sufficiently knowledgeable to operate and maintain the modified equipment in a safe and reliable manner. Further recommendations on the training of plant personnel are provided in in SSG‑75 [7]. |
| Main |
9.2. |
The implications of plant modifications for training needs should be reviewed; if necessary, the training plans should be revised at an early stage of the modification process. The entity responsible for training should determine the needs for the training associated with the modification in consultation with the operating organization. Consideration should be given to the interfaces between modified and unmodified areas. |
| Main |
9.3. |
Appropriate training should be completed, as necessary, before the commissioning, operation and maintenance of the modified system. The training should include written information, procedures, pre‑shift briefings or formal training, as appropriate, depending on the complexity of the modification and its consequences for the operation and maintenance of the plant. |
| Main |
9.4. |
The need for reauthorization of some plant personnel (see para. 3.12 of SSR‑2/2 (Rev. 1) [1]) should be considered before they resume their duties after significant plant modifications relevant to safety have been implemented. Such reauthorization should be made on the basis of a review of the competence of the authorized person in respect of the modified configuration. |
| Main |
9.5. |
Before changes are made to the management system, appropriate training should be given to managers and other personnel on their new responsibilities. |
| Main |
10.1. |
Paragraph 4.42 of SSR‑2/2 (Rev. 1) [1] states that “The plant management shall establish a system for modification control to ensure that plans, documents and computer programs are revised in accordance with modifications.” This system should ensure the following:That all relevant documents affected by the modification are identified and updated, and remain consistent with the plant specific design requirements, and that they accurately reflect the modified plant configuration;
That all changes to the design over the lifetime of the plant are based on the actual status of the plant, as reflected in the current plant documentation;
That the modified plant configuration conforms fully with the documentation and with the licence conditions.
|
| Main |
10.2. |
Information technology applications should be used to support the management of modifications to ensure that the modification process stays consistent with the plant’s physical configuration and the plant documentation. |
| Main |
10.3. |
All relevant plant documents that have been revised or developed during the modification process should be subject to a system of configuration management established and implemented in accordance with Requirement 10 of SSR‑2/2 (Rev. 1) [1]. Changes to these documents should be traceable to the modification and should be submitted for approval before being formally reissued. |
| Main |
10.4. |
Documents relating to modifications, in particular to installation and testing, should be updated as soon as practicable. Responsibilities should be clearly assigned for the revision of all documents, such as drawings (including digital representations), specifications, procedures, safety reports, operational limits and conditions, descriptions of equipment and plant systems, training materials (including for plant simulators), vendor equipment manuals and spare part lists. |
| Main |
10.5. |
Modified operational limits and conditions, and other operational documentation, should be included in plant documentation by means of approved processes and should be subject to review and approval at the same level as for the original operational documentation. |
| Main |
10.6. |
Expired documents should be marked as ‘invalid’ in an unambiguous manner. Recommendations on the suspension or cancellation of documents are provided in paras II.23 and II.24 of IAEA Safety Standards Series No. GS‑G‑3.1, Application of the Management System for Facilities and Activities [15]. |
| Main |
10.7. |
Requirement 15 of SSR‑2/2 (Rev. 1) [1] states that “The operating organization shall establish and maintain a system for the control of records and reports.” Documents and records relating to modifications and to the revised plant configuration should be stored appropriately to preserve access to them throughout the lifetime of the plant. |
| Main |
I.1. |
As described in paras 4.2 and 4.3, proposed modifications should be categorized and prioritized in accordance with their safety significance. This categorization should follow an established procedure, and the initial category proposed should be checked independently. This appendix contains an example method for dividing modifications into three categories. |
| Main |
|
Category 1 |
| Main |
I.2. |
Modifications in Category 1 are capable of having a significant effect on safety or involve an alteration of the principles and conclusions on which the design and the licensing of the plant were based. Such modifications might involve changes in the set of design basis accidents, they might alter the technical solutions adopted for meeting the safety goals or they might lead to changes in the operating rules. Modifications in Category 1 will involve a comprehensive safety assessment and might also necessitate prior approval, an amendment to the operating licence or the issue of a new licence by the regulatory body. |
| Main |
|
Category 2 |
| Main |
I.3. |
Modifications in Category 2 include changes in items important to safety and in associated operational approaches and/or procedures, and usually necessitate an update of the safety analysis report or other licensing documents. Modifications in Category 2 are characterized by a minor influence on safety and no significant alteration to the principles on which the licensing of the plant has been based. For such modifications, there should be no changes to the conclusions in the licensing documents. In the design stage for modifications in Category 2, it should be determined whether there are negative side effects, such as degradation of safety features or an expectation of causing significant radiation exposure from implementing the modification. For modifications in Category 2, the operating organization should inform the regulatory body, in accordance with established procedures. |
| Main |
|
Category 3 |
| Main |
I.4. |
Modifications in Category 3 are minor modifications that can be characterized in one of the following ways:The modification has no consequences for safety.
The items to be modified are classified as items not important to safety and are not mentioned in the licensing documents.
The modification, even if designed or implemented incorrectly, could not affect safety.
|
| Main |
II.1. |
Figure II.1 presents an example of the steps to be followed when developing the overall modification process for safety related modifications. |
| Main |
|
Fig. II.1. Example of the steps for developing the overall modification process. INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Commissioning and Operation, IAEA Safety Standards Series No. SSR‑2/2 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety of Nuclear Power Plants: Design, IAEA Safety Standards Series No. SSR‑2/1 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑70, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, The Operating Organization for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑72, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, Core Management and Fuel Handling for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑73, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, Maintenance, Testing, Surveillance and Inspection in Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑74, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, Recruitment, Qualification and Training of Personnel for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑75, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, Conduct of Operations at Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑76, IAEA, Vienna (in press). INTERNATIONAL ATOMIC ENERGY AGENCY, IAEA Safety Glossary: Terminology Used in Nuclear Safety and Radiation Protection, 2018 Edition, IAEA, Vienna (2019). INTERNATIONAL ATOMIC ENERGY AGENCY, Leadership and Management for Safety, IAEA Safety Standards Series No. GSR Part 2, IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, The Management System for Nuclear Installations, IAEA Safety Standards Series No. GS‑G‑3.5, IAEA, Vienna (2009). INTERNATIONAL ATOMIC ENERGY AGENCY, Design of Instrumentation and Control Systems for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑39, IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Periodic Safety Review for Nuclear Power Plants, IAEA Safety Standards Series No. SSG‑25, IAEA, Vienna (2013). INTERNATIONAL ATOMIC ENERGY AGENCY, Safety Assessment for Facilities and Activities, IAEA Safety Standards Series No. GSR Part 4 (Rev. 1), IAEA, Vienna (2016). INTERNATIONAL ATOMIC ENERGY AGENCY, Application of the Management System for Facilities and Activities, IAEA Safety Standards Series No. GS‑G‑3.1, IAEA, Vienna (2006).
|