Making a robust safety case for nuclear reactors

à‚ As director for New Nuclear Build of the Health & Safety Executive’s Nuclear Directorate, Kevin Allars is the man responsible for regulating new nuclear power stations in the UK. In this interview with deputy editor Tim Probert, Allars provides a progress report on the Nuclear Directorate’s Generic Design Assessment, which is currently assessing two reactors: Areva’s EPR and the Westinghouse AP1000.à‚ 

PEi: How did you become head of the Health & Safety Executive’s Nuclear Directorate?

Kevin Allars is a 32-year veteran of industry regulation who was appointed as the HSE’s GDA director in February 2009
Allars: I’ve worked in the nuclear industry and the regulatory side of things since I left university, 32 years ago. I worked at BNFL’s [British Nuclear Fuels Limited] Chapelcross plant in Scotland and I joined the HSE [Health & Safety Executive] in 1989. Most of that time has been spent in the nuclear industry, although I also headed the Chemical Industries Division too. Then I became deputy chief inspector for nuclear in 2008 and the nuclear reactor GDA [Generic Design Assessment] director inFebruary 2009.

PEi: You raised a warning about Areva’s EPR reactor’s control and instrumentation system last yearࢀ¦

Allars: We felt the diversity between the control system and the protection system of the EPR was insufficient. Everything you see in a control room, whatever it happens to be, is there to control the reactor and keep it within its parameters; make sure it works, make sure it’s safe.

The protection system should be completely separate, so if the control system goes wrong for any reason and the reactor goes out, then the protection system should see that, shutdown the reactor and start the cooling system. So you want the control system to be separate from the protection system so that a fault from one can’t affect the other.

It should be like a cruise control system in cars: if you switch it on, you’re still in control, but if you apply the brakes then the brakes should work. If they both go through the same wiring then you have the potential for common mode failure.

The other issue was with the ways the instrumentation was actually put together. There is a logical order that the levels of instrumentation should talk to each other and make sure the signals are going in the right direction. In some of the EPR’s C&I [control and instrumentation] it wasn’t doing that, it was in a slightly different order.

There are tiers of issues we raise with the requesting parties in the industry. The highest tier ” i.e. the highest level concern ” would be a Regulatory Issue (RI) and this was the first RI we raised with Areva on the GDA. Previously there were two early issues regarding radioactive waste, but they were really only about getting the right information [from Areva].

We have worked very closely with our counterparts in Finland (STUK), France (ASN) and the USA (NRC), and in October last year we put out a joint regulatory statement about the RI. The NRC did not sign the statement because of their procedures, but they did support it via separate press correspondence. When they received the RI, EDF and Areva gave us a commitment for the UK EPR that they would design and put in a diverse system and that they would modify some of the instrumentation to make sure that it is correct. Last December in our quarterly report we announced that we had had that signal from them in writing and that we had had meetings with them, and so in principle it looked like the RI had been resolved.

We now have their detailed plans about what they are going to do, and it matches what they said they would do in principle, and although we haven’t got the solution all designed and all sorted, we can see a way through, and the information is promising. We can’t say it’s okay yet, because we are still assessing it.

PEi: And in Flamanville 3 in France and Olkiluoto 3 in Finland?

Allars: The reason for putting out the joint statement, with help from the NRC, was that as regulators, we all recognize that the design of the EPR in all four countries is different. Clearly, Flamanville is half-built and so too is OLK3 [Olkiluoto 3], while our one is still on paper.

So the actual solution to the same problem we’ve raised can’t be the same in all three reactors. But the level of safety benefit achieved by the solutions in the four countries had to be identical, and that’s what EDF and Areva agreed to do. You can never get a standardized design for a nuclear reactor, it just won’t happen, but you can get a harmonized design so that the safety standard is equivalent wherever the EPR is being built.

PEi: Will the control and instrumentation RI be fully resolved by the time of the GDA deadline next June?

Allars: The full design may not be ready for June 2011. What we asked them to do for June of this year is to give us enough of a safety case so that we could understand what they were going to do, so that we could make sure that the design to be built at Hinkley Point C is actually going to be safe.

Of course, you don’t actually put in the C&I system on day one, but if you build a safety case and we agree to that case, then make sure that the control system is actually built to the safety case.

If the requesting parties wish to amend the design of the C&I systems, then they have to categorize the changes according to levels of safety. If it is a level of change that is fundamental, they would have to getour agreement.

If it is a minor change, then it goes through their own, internal modifications procedure and they sign it off. We can always go and look at it and, indeed, during their visits, our site inspectors often sample some of the lower category items. For the higher category items, they have to send it to us for assessment and then we write back, in a formal way under the nuclear site licence procedure, and agree to the change.

PEi: How many people have you got working on the EPR?

Allars: We have 62 staff in total working on the GDA. Of those, 32 are nuclear inspectors, who work on both the EPR and Westinghouse’s AP1000 reactor. The two designs are not in competition ” both are going through the process to the same time-scale ” and they receive roughly the same amount of attention. The money that we are charging the requesting parties is roughly equal.

Up to now around à‚£11 million ($17 million) has been spent on each design and it is going to cost around à‚£20 million each by the time the GDA is finished. The requesting parties pay for all the time and effort that we put in, any contractors we use, project management, administrative support and so on. Cost-recovery is different in other countries: some do, some don’t. But in the UK, anything we do for the GDA is fully cost-recoverable.

PEi: You have identified problems with the AP1000ࢀ¦

Allars: This is the second of the RIs we have issued, and of equivalent level of concern to the EPR, and it’s to do with the shield buildings that sit around the pressure vessel.

A traditional shield building would be made up of lots of reinforced concrete with internal steel bars. Westinghouse has decided to build the shield building, and some of the other buildings in the nuclear island, slightly differently using a ‘steel-concrete-steel sandwich’.

That means using a series of steel plates held together with pins, with concrete poured in between each layer. It would then be all bolted together and filled in with concrete.

Our question was whether the strength of this shield building design was good enough to withstand a hit from an aeroplane or any other external hazard. The US NRC asked a very similar question but, unlike us, only for the main reactor building. Westinghouse is working on this now and they have until 30 October to deliver a final solution. If they don’t clear that RI, then the AP1000 design is unacceptable.

A planned EPR reactor in the UK is under scrutiny by the HSE Source: Areva

PEi: How is the strength test assessment conducted?

Allars: We do some computer modelling, but the requesting parties conduct the testing. We could commission some testing ” we have an excellent facility in Buxton that could do this in modelling terms ” but what we tend to do is rely on the requesting parties to do the work.

Westinghouse is doing a combination of assessment with computer modelling and some actual physical testing of these modules in the US. One of my assessors, a civil engineer, has visited the US to see this testing and to talk to Westinghouse and the NRC.

PEi: The AP1000 is, of course, being built in China. Have you had any contact with the Chinese authorities?

Allars: We don’t talk to the Chinese regulators as much as we do with STUK and ASN, purely because they’re further away and they don’t tend to travel. But we’ve been over to China a couple of times, including the civil engineering team. The Chinese regulator has looked at our issues with the AP1000 and they are assessing the implications for their design.

PEi: Is the Chinese regulator as thorough as the HSE?

Allars: Each regulator has its own methods and how they work with their governments is also slightly different. The Multinational Design Evaluation Panel (MDEP) includes all main regulators from around the world and the Chinese sit on that panel. We exchange information via that, so everybody is fully aware of what everyone else is doing, but it’s for each national regulator to look after what’s happening in their own country.

PEi: How transferable is the knowledge gained from, for example, the EPR GDA to, say, Italy, where Areva also wants to build?

Allars: Transferable is probably the wrong word, but we have spoken to the Italians and several other European and non-European nations. There are around 60 nations who want to go nuclear and do not have regulators. They are working with the IAEA [International Atomic Energy Authority] and lots of other people to find out about setting up a regulatory regime.

So, transferable? No. Our reactor Design Acceptance Confirmation [DAC], if we give it, will be given to the requesting parties in this country, but we draw on information from regulators in France, Finland, the US and China to come to our conclusion. The other regulators do the same as us. It’s not transferable, but it’s good knowledge.

PEi: The other issue with the AP1000 is the squib valves.

Allars: Squib valves are very large valves that have to operate very quickly, and they do this via a gunpowder charge that fires them open. These are not in use, at this size (14 inches, 24 inches), in any nuclear power station.

It’s a valve that will hopefully never operate because it’s on the primary circuit. You would want it to operate only in an emergency situation. So we needed more confidence about the reliability of the valve.

This is not an RI, although it was pretty close to being one. We had a lot of questions about the squib valves for Westinghouse, so they invited us over to the US to have a meeting with them, the NRC and with the manufacturer, SPX Corporation. Two assessors went over for a few days and they subsequently gained a great deal more confidence on the reliability figures of the valves, which was the real issue.

So we didn’t raise the valves issue to an RI, but we are still putting a lot of questions to Westinghouse, and they need to address them.

PEi: You have been quoted in the press on several occasions that there will be a ‘meaningful GDA’ by June 2011. Define ‘meaningful’.

Allars: ‘Meaningful’ is really about saying that there is nothing fundamentally wrong with the reactor designs, that we’ve looked in detail at the arguments in the safety case, and that they stack up and meet national nuclear safety assessment principles. So we don’t tick every box to issue a meaningful GDA, but the scope is very wide and we’re not missing anything out. What we won’t say is : “Well, they haven’t provided this, but we’ll say it’s okay and do it later.” We’ve said: “There’s the scope and you’ve got to address every issue and satisfy us on them all.” All we will hand on beyond June 2011 are any resulting issues, which we will call GDA Issues, that aren’t fundamental, but are issues where we can’t say it’s okay, but can see a trajectory where they will be closed out. The requesting parties will give us a time-scaled plan for doing that and we will publish all of that, so everyone can see what still needs to be done before we can say that a reactor design is okay to build and issue the DAC.

PEi: And then?

Allars: The DAC will be provided to our licensing people here, the site inspectors, and they will have to issue what is called a ‘consent’ to actually start construction of the nuclear island. There is a lot of work needed to be done before that consent can be given, but the key one is the DAC.

PEi: Is there a deadline for the outstanding issues with the GDA?

Allars: There is no deadline. However, December 2012 is the date that EDF, as an operator, not a requesting party, wants to start pouring nuclear safety-related concrete. It’s their date, not ours. So it’s up to them to resolve the GDA issues, so that we can issue the DAC.

PEi: Are you concerned that there will be a legal intervention on nuclear site preparatory work by environmentalists?

Allars: The law in the UK allows them to, yes. They could call for a judicial review, or write to members of Parliament. To try and assure the non-governmental organizations (NGOs), including Greenpeace, we’ve met them and held an open day. Last time we met them, in June 2009, they had over 100 questions. All of those questions were published on our website, along with our answers. We receive frequent correspondence from NGOs and we always write back. On 23 June we published ‘Guidance on the Management of GDA Outcomes’. This specifies very clearly what we will do up to June 2011 and what we were doing in raising an interim DAC at that point, if it’s appropriate, with these GDA Issues, with a resolution plan to a final DAC, and what the final DAC means for the consent for construction.

This was sent to Greenpeace and several other NGOs, and we have had no comments back. So Greenpeace knows our process. I’m not saying they are fully in agreement with it, but we will meet them again soon and discuss it further. They may still try to bring a judicial review, but as far as I’m concerned, I’m doing my job following procedure openly and transparently, exactly as set out in the guidance document. We will make sure our assessment is independent and robust.

PEI: Are you confident that EDF will have Hinkley Point C online by 2018?

Allars: Well, that’s down to them. There is a lot of work to be done between now and then. The various regulators look at safety, security, safeguards, the environment, and they have to satisfy all of us, all along the route to 2018 when they want to start drawing the fuel rods. We will do our bit to make sure they do it safely and securely without detriment tothe environment.

More Power Engineering International Issue Articles
Power Engineering International Archives
View Power Generation Articles on

No posts to display