Category Archives: Infrastructure and methodologies for the justification of nuclear power programmes


The federal structure of Germany has created a different approach which could be of interest to other countries. The Federal government has legislative power over peaceful development of nuclear power, but the licensing authority belongs to the governments of the Länder or States, which act on behalf of the Federal authority. Technical expertise is mainly held within public or semi-public entities which are called Technical Support Organizations (TSOs), as is common European practice.

Two peculiarities distinguish the German approach to licensing NPPs: there is only one time-unlimited license covering the site, design and construction, operation, substantial changes to the licensed features, and decommissioning. This license is issued in the form of partial licenses, typically about four to ten in number. This allows features which need to be constructed only in later stages to be designed in detail at a later time. In this way, the most recent technology can be used and the overall construction time may be shortened. The general design needs to be elaborated to a certain detail at the time of the first partial license. The information provided must allow the authority to make a preliminary positive statement on the whole project. It must also give reasonable assurance that the later detailed design will not result in conflicts with already licensed or even constructed features.

Another peculiarity of the German case which is of special interest is the requirement that precautions against reactor damage must be taken when deemed necessary according to the state of science and technology. This means that no fixed safety goal is given. Rather, the authority has to determine in each licensing procedure what precautions the current state of the art requires. The reference to the state of science means that precautions are not limited to measures for which proven technology exists. If the state of science so requires, new technology has to be developed. The purpose of this arrangement was that, in a rapidly developing area, protection should always be in line with the most recent insights. In practice there have been regulations and standards which normally could be assumed to represent the state of the art, but still the authority has had to assess whether this was indeed the case. This approach is called dynamic safety precaution.

A license must be withdrawn in case of a significant endangerment to personnel or the public, and if the remedy cannot be implemented in reasonable time. It must also be withdrawn if adequate provision for damage compensation cannot be demonstrated. In 2002, the maximum electricity production of plants was limited by law to the equivalent of about 32 operating years. The law had to be changed because any of the conditions for withdrawing a license applied. In 2010 the terms of the first agreement were changed to prolong the lifetime of the operating plants to about 40 years for older plants and about 46 years for newer ones. In both cases these changes were accompanied by an agreement between the government and plant operators. In the current situation, as a reaction to the events in Fukushima, the German government has announced the intention to accelerate the phase-out from nuclear energy by revising these lifetimes.

In the German practice, much attention is given to surveillance during operation. The Internationale Länderkommission Kerntechnik (ILK) has provided information on surveillance activities in the State of Baden-Württemberg (ILK, 2006). A so-called basic surveillance is conducted by reviewing the operator’s reports and by performing inspections at the plant, and evaluating their results. This activity takes about five person-years per unit and year. The inspections are performed according to an annual inspection programme with a fixed structure but including some flexibility to take into account former performance and current problems. The programme provides inspection goals, details the items to be considered and points out the time to be spent on the various areas. In total the time spent at the plant with inspections amounts to about 48 days a year per unit. The operator is informed about the results of the inspections and the expectations of the authorities in routine meetings. In case of significant deviations, feedback is made by letter which states the actions the authority requires.

In the normal practice another part of the surveillance is reactive and generally triggered by reportable events at the plant. In the Baden-Württemberg experience a working group of individuals with different backgrounds convenes to make a first assessment, and identifies the information needed or the actions to be required from the operator. The operator’s activities and reports are then followed by the department in charge of the affected unit until the authority is satisfied that the reaction taken is appropriate.

In the German practice, changes to the plant or licensed documents have to be submitted by the operator to the authority. Depending on the significance of the change, it may need an approval by the authority or a change of the license. Changes are managed by a standard procedure which includes a classification and an assessment by a TSO on the basis of which the authority decides. The work on reportable events and changes takes two to three person-years per year and unit. In performing surveillance, the authority is heavily supported by TSOs. In addition to the effort undertaken by the authority, TSOs spend some 30 person-years per year and unit. An important part of their work is the review of tests and inspections which the operator performs. This is done mainly by review of documentation and partially by attending tests and inspections. The TSOs give their assessments in the evaluation of reportable events and on proposed changes. They participate in the investigations on focal issues and review the 10-year safety reviews performed by the licensee.

Design review

The design review aims to anticipate and identify potential problems or inadequacies and initiate corrective actions to ensure the final design meets the design intent. In the review process, the questions to be solved should include, but not be limited to, the following:

• Were design inputs correctly identified, selected and incorporated?

• Have original design requirements been met?

• Are assumptions adequately described and based?

• Was the design methodology appropriate?

• Were procedures followed?

• Is the design output complete and reasonable?

• Is the design output reasonable?

Quality assurance during design, construction and operation of nuclear power plants

R. GASCA, Asociación Nuclear Ascó-Vandellós II, Spain

Abstract: In order to provide enough confidence that the nuclear station will produce electricity in a safe and reliable way, the implementation of quality assurance principles is necessary. This chapter identifies the main elements for establishing and implementing a quality assurance system for the stages of design, construction, commissioning and operation in a nuclear power plant project.

Key words: quality, quality assurance, design, construction, commissioning, operation, management.

21.1 Introduction

The objective of this chapter is to identify the main elements for establishing and implementing a quality assurance system for the stages of design, construction, commissioning and operation in a nuclear power plant project. The content is applicable to all individuals and organizations involved in the project and the main objective of the system is to ensure and maximize safety and reliability.

In the general industrial activity, not only in nuclear, the precedent of the quality assurance process was quality control. It was based on the application of inspection and testing techniques, to verify the quality of a product against a set of acceptance criteria previously specified. The quality assurance process is based on the implementation of a set of contour conditions, affecting people, organizations and installations, to avoid or minimize deviations and to provide a reasonable assurance of getting a steady-state quality level. The quality assurance process does not eliminate quality control because critical parameters must be specifically controlled in some cases.

To better understand the role of quality assurance in nuclear safety it is convenient to introduce the concept of ‘defence in depth’ and its relationships.

The International Nuclear Safety Group (INSAG) of the International Atomic Energy Agency (IAEA) has established (INSAG, 1996) that defence in depth consists in a hierarchical deployment of different levels of equipment and procedures in order to maintain the effectiveness of physical barriers placed between radiological material and workers, the public or the environment, in normal operation, in anticipated operational occurrences and, for some barriers, in accidents at the plant. For the effective implementation of defence in depth the IAEA establishes that three basic prerequisites must be considered: conservatism, quality assurance and safety culture. Each level of defence can be effective only if the quality of design, materials, structures, components and systems, operation and maintenance can be relied upon. Quality assurance programmes can ensure the development of a safe design. They can also ensure that the intent of the design is achieved in the plant as built and that the plant is being operated as intended and maintained as designed.

In this chapter, the most widely applied approach for quality assurance in nuclear projects has been considered. However, the fact that nowadays a new approach called ‘management system’ has been established should be pointed out. This system could be defined as a set of interrelated or interacting elements that establishes policies and objectives and which enables those objectives to be achieved in a safe, efficient and effective manner.

In the area of nuclear installations this new approach has been recently introduced in the IAEA Safety Fundamentals (IAEA, 2006a) and developed in a requirements document (IAEA, 2006b). These documents define the requirements for establishing, implementing, assessing and continually improving a management system that integrates safety, health, environmental, security, quality and economic elements to ensure that safety is properly taken into account in all the activities of an organization. The system considers the implications of all actions not within separate management systems but with regard to safety as a whole.

The management system established by the IAEA includes some additional elements such as safety culture, satisfaction of interested parties and an approach to process implementation.

The IAEA has developed additional safety guides, IAEA (2006c) and IAEA (2009), to facilitate the implementation of the above-mentioned approach. Finally it should be pointed out that, for the moment, this new approach established by the IAEA is not widely applied around the world.

Coming back to the main intent of this chapter, basic criteria that are applicable to all stages of a nuclear power plant project will be identified in the following paragraphs and, afterwards, more specific elements related to the management and performance for each stage will be described.

Alternative calculations

The verification of some kind of calculations or design analysis can be performed, comparing the original results to those obtained through other methodologies of analysis or calculation.

When alternative calculations are used to verify original calculations, reviews should be performed to confirm the adequacy of assumptions, the input data, the computer code and any other method of calculation used.

The alternative method used may be simpler or less rigorous than the original one. However, all safety-significant differences must be assessed and justified.

Qualification tests

A test programme performed on a model or prototype may be used as a design verification tool if it is performed under the most adverse design conditions for the specific design features being verified. When criteria cannot be satisfied, testing may be acceptable if the results can be extrapolated to the most adverse conditions.

Qualification testing should be performed at qualified testing facilities and in accordance with approved procedures defining the reference requirements, the test configuration and the acceptance criteria.


The following definitions of basic quality assurance terms used in this chapter have been taken from various publications (AENOR, 1995a) and two IAEA publications (IAEA, 2006b, 2007):

• Design. The process and the result of developing the concept, plans, calculations and specifications.

• Construction. The process of manufacturing, assembling, installing and erecting the structures, systems and components.

• Commissioning. The process by which structures, systems and components, having been constructed, are made operational and verified to be in accordance with design criteria.

• Nuclear safety. The achievement of proper operating conditions, prevention of accidents and mitigation of accident consequences, resulting in protection of workers, the public and the environment from undue radiation hazards.

• Operation. The activities performed to achieve the purpose for which the plant was constructed.

• Regulatory body. The authority or system of authorities designated by a State as having legal authority for conducting the regulatory process.

• Responsible organization. The organization having overall responsibility for the nuclear power plant.

• Quality. The assembly of characteristics and aspects of a product or service that make it adequate to satisfy an expectation.

• Quality assurance. The assembly of planned and systematic actions necessary to provide adequate confidence that an item, service or process will perform its intended function as desired.

• Quality assurance programme. The assembly of policies, resources and actions applied to assure the quality required.

Design validation

This is performed after the final design verification described in the previous paragraphs, under the operating conditions of the pre-operational tests performed during the commissioning phase. It is carried out to confirm by examination and provision of objective evidence that an item conforms to the specified requirements.

Design outputs and change control

The final product of the design process is reflected in the design output documents that shall be adequately identified, stored and retained. A typical list of documents contains the following:

• Specifications

• Drawings

• Verification and validation records

• Technical analysis and safety evaluations.

Changes to design output, including changes to requirements, shall be justified, documented and controlled. Special consideration should be given to the impact of changes on other areas.

Quality assurance criteria

In the following paragraphs the main basic criteria, applicable to all stages of a nuclear power project, will be identified and briefly described (IAEA, 2007; AENOR, 1995a).

21.1.1 Programme

A quality assurance programme shall be developed, implemented and maintained. The programme is a set of documents in which the organization establishes the overall measures to accomplish its general objectives. It will contain the organizational structure, functional responsibilities, levels of authority, role descriptions and interfaces in the activities of planning, performance and assessment.

Quality assurance during construction

During the construction stage there are three main processes that can be developed in parallel:

• The physical implementation of the design, solving the emergent problems

• The safe, reliable and efficient development of the construction and manufacturing activities

• The installation handover for commissioning.

The large number of organizations, interfaces, activities and persons involved in this stage and under tight coordination requires a quality assurance programme to be adequately established and implemented in order to reach reasonable confidence of final success.

The IAEA has established internationally accepted criteria and practices on quality assurance in construction (IAEA, 1996b).


Personnel shall be trained and qualified in accordance with the assigned task. The training programme should have the following characteristics:

• Provide understanding of the quality assurance programme

• Describe the elements and the operation of the installation

• Provide on-the-job training

• Consider specific qualifications when required

• Ensure updating to the state-of-the-art

• Contain periodic requalification

• Require competent instructors

• Be submitted to ongoing assessment of effectiveness.

21.1.2 Deviations

All deviations from the specified criteria shall be recorded and assessed in order to identify and implement the applicable actions to solve the deviation and prevent its recurrence.

The methodology should establish measures to promptly identify, classify, analyse and correct elements, processes and behaviours that do not meet the applicable expectations. Actions to solve deviations should address the causes in order to avoid recurrences.

General considerations

The construction stage of a nuclear power plant overlaps other stages such as design and commissioning. The responsible organization may establish separate organizations for these stages or combine them under one organization. In any case, the responsibilities and interfaces shall be clearly defined and the status of the plant established.

The responsible organization should identify the person who will occupy the position of head of the construction organization and who will have the overall responsibility for the construction activities. That person should have enough authority and resources to assume the responsibilities of ensuring that construction and installation activities will be carried out in accordance with the applicable requirements and planned programmes.

During the construction stage of a nuclear power plant the main quality-related activities performed are the following:

• Preparing safe working procedures

• Monitoring the activities of all personnel on site

• Planning and coordinating the activities

• Controlling and supervising suppliers

• Carrying out a maintenance programme for equipment that could deteriorate

• Performing a pre-service inspection to obtain the baseline for future in-service inspections

• Arranging the handover between suppliers and organizations.

Whilst the construction organization shall retain responsibility for coordinating and planning the overall construction of the plant, suppliers should be responsible for producing detailed plans and for obtaining the approval.

Considering the number of organizations and companies usually involved in the construction phase, it is necessary that interface arrangements are agreed between participants. Examples of interfaces to be defined in writing are the following:

• Construction organization with suppliers, operating organization, principal designer, siting organization and Regulatory Body

• Suppliers with sub-suppliers and with test and commissioning organization.

The construction stage is the previous step for the commissioning period. That is why provisions should be made by the construction organization to control and coordinate the handover of completed works between suppliers and to the commissioning organization. These provisions should include the following:

• A planned and orderly transfer of responsibilities for structures, systems and components

• That documentation of transferred items is complete, accurate and contains all non-conformances identified and solved

• Official transfer, signing of documents after a joint check of items and records.

More detailed considerations about the commissioning stage can be found in Section 21.6 and in Chapter 22.

A graded approach, based on the significance for safety, may be applied to the following activities:

• Qualification of special processes and associated personnel

• The need for, the detail and the degree of control of inspection plans

• The level of traceability.