
IAEA SAFETY STANDARDS SERIES

Draft IAEA Safety Report

Application of Configuration Management
in Nuclear Power Plants

(working title)

Draft Revision History

Draft / Date / Description
1 / 26 Jun 02 / Initial draft based on consultants meeting in Vienna, 10-14 June 2002
2 /
·  Added Section 1 (adapted from TECDOC Sections 1.1 and 1.2).
·  Reformatted Sections 3 & to include subsections on “Examples of Events and Challenges” and “Examples of Good Practice”.
·  Split former 3.3.1 into two subsections: Routine Maintenance and Outage Maintenance.
·  Added introductory “road map” paragraphs to Sections 3.1, 3.2 and 3.3.
·  Added Section 3.1.4.3 “Erosion / Corrosion including External Corrosion”.


Table of Contents

1 Introduction

1.1 Background and Reasons for This Safety Report

1.2 Present Situation and Need for Plant Configuration Management

1.3 Scope and Structure of this Safety Report

2 Fundamental Concepts of Configuration Management

2.1 Objective of Configuration Management

2.2 Disruptions in CM Equilibrium

2.2.1 Disruptions between Design Requirements and FCI

2.2.2 Disruptions between FCI and the Physical Configuration

2.2.3 Disruptions between Physical Configuration and Design Requirements

2.3 Processes for Returning to CM Equilibrium

2.3.1 Evaluate Identified Problem or Desired Change

2.3.2 Change Design Requirements?

2.3.3 Change Physical Configuration?

2.3.4 Change Facility Configuration Information?

2.3.5 Do Nothing More

3 Applications of CM

3.1 Design and Physical Configuration of Systems, Structures and Components (SSCs)

3.1.1 Conformity of Facility Configuration Information and Design Requirements

3.1.2 Conformity of Physical Configuration to Design Information

3.1.3 Hidden Challenges to Design Basis and Design Requirements

3.1.4 Challenges to Configuration Resulting from Ageing Effects

3.2 Operational Configuration

3.2.1 Initial Commissioning

3.2.2 Operation

3.2.3 Outages

3.2.4 Outage Implementation

3.2.5 Foreign Material Exclusion (FME)

3.2.6 Recommissioning and Pre Start-up Reviews

3.2.7 Decommissioning

3.3 Maintenance, Procurement and Training

3.3.1 Routine Maintenance Activities

3.3.2 Outage Maintenance Activities

3.3.3 Replacement of Components, Reconstructions and Repair

3.3.4 Procurement of Spares (QA, Receipt Inspection, Supervision of Vendors)

3.3.5 Maintenance of Spare Parts

3.3.6 Surveillance and In-service Inspections (Misinterpretation of Tests and Data)

4 Organisational and Human Factor Aspects

4.1 Transmission of Knowledge

4.1.1 Transfer of Knowledge

4.1.2 Staff’s Own Personal Data Bases and Experience

4.1.3 Transfer of Technical and Organizational Knowledge (Know-why)

4.1.4 University Support

4.1.5 Mentoring

4.2 Limitation of Ability to Perform Duties

4.2.1 Limitation of Ability to Perform Tasks

4.2.2 Knowledge of Ageing on Human Ability

4.2.3 Adaptation of Position to Evolution of Staff Members

4.3 Information Management (Focus on Human Factors)

4.3.1 Information System

4.3.2 Document Control

4.3.3 Electronic Systems

4.3.4 Management of Data

4.4 Supervision and Verification of Human Activities

4.4.1 Verification that All Activities Are Performed in Due Time

4.4.2 Self-checking

4.5 Cultural and Motivation Aspects

4.5.1 Safety Culture

4.5.2 Questioning Attitude

Definitions

References

Appendix A Self-Assessment of Configuration Status

1 Introduction

1.1 Background and Reasons for This Safety Report

Configuration Management (CM) requires that the processes integrated into the normal design, operation and maintenance activities of Nuclear Power Plants (NPPs) provide assurance that documents are maintained to reflect the current configuration of structures, systems and components, and that these conform to the design requirements expressed in the design documentation. An important objective of configuration management is that accurate information, consistent with the physical and operational characteristics of the plant, is available in a timely manner so that safe, knowledgeable and cost-effective decisions can be made with confidence. Because the nuclear industry is one of the most regulated and complex industries in the world, the importance of configuration management has been clearly understood, but there is as yet no clear roadmap for how to plan and implement it.

The IAEA Safety Standards "Safety of Nuclear Power Plants: Design", NS-R-2 [5], and "Safety of Nuclear Power Plants: Operation", NS-R-2 [6], include many requirements related to plant configuration. These requirements deal with the documentation of all needed actions in updated procedures, as well as with the need for thorough updating of the documentation associated with modifications. They also emphasise the need to maintain the configuration documentation in strict accordance with the actual Physical Configuration.

An evaluation of past Incident Reporting System data indicates that a significant number of reported events have resulted from errors in the control and maintenance of the configuration of the physical facility, errors in the original design or in design modifications, inadequate corrective actions, inadequate testing, and documentation discrepancies. A review of the results of IAEA OSART missions and follow-up reports also shows that many findings are related to configuration management deficiencies. The IAEA has therefore developed this guidance report on configuration management for nuclear power stations.

The principal concern relating to inadequate configuration management is that it may result in a loss of the ability to perform safety actions when needed. Other potential impacts on the reliability of the plant, with both economic and safety consequences, are also of concern. Not having the right information available to engineering and operations staff at the right time and in the right format can lead to human errors with potential safety consequences. The effort required to respond to and correct these errors is greater than the effort required to maintain configuration control in the first place.

Unnecessary expenditure of staff effort also has direct implications for the economic operation of the facility. For example, in the area of maintenance, configuration errors can cause losses in the production of electric energy. Moreover, configuration errors can affect worker safety, with potential impact on the environment and on worker exposure to radiological and other hazards, such as stored-energy sources. Establishment of an effective CM process, which can optimise the entire configuration management program, is essential to assure that processes are implemented properly and that a culture of configuration management exists at all levels of the organisation.

The purpose of this Safety Report is to describe the various aspects that need to be considered in the development and implementation of a systematic plant configuration management system. The aspects considered include design, procurement, operations and maintenance, methods and tools, human factors, cost/benefit, and implementation. A systematic and practical approach for improving configuration management systems that may be weak or inadequate is also described. In addition, examples are included from various countries that have implemented or improved such a system, together with the lessons learned during implementation.

1.2 Present Situation and Need for Plant Configuration Management

Many nuclear power plants, particularly older facilities, have still not fully consolidated their design bases and other relevant documentation. Originally, the documentation for these plants had the same form that was used for design, manufacturing, civil construction, erection, pre-operational testing, operation and maintenance.

The form of the actual design documentation depends on the design (engineering) technology used for the initial planning of the plant and also on the contractual model. For example, plants that were designed on a "turn-key" basis by the nuclear system supplier did not have all relevant design documents transferred to the plant owner/operator. There is also a difference in configuration documentation between plants, depending on whether the plant was designed by a single architect/engineer (A/E) or by several designers/suppliers.

Older facilities may have some of the following characteristics:

·  Documentation is dispersed, even that containing very important information,

·  The main design principles are not readily available and sometimes have been lost, although functionality of the plant was approved,

·  The original " know-why" is not readily available for use by plant personnel,

·  Many plant changes have been made, but the cumulative effects of these changes have not been considered,

·  After several years of plant operation, modification, and maintenance, management of the plant does not have a high degree of assurance that the facility documentation reflects actual plant status.

1.3 Scope and Structure of this Safety Report

Section 2 provides an overview of the objective of Configuration Management to achieve equilibrium among the elements of CM and the methodology to re-establish the equilibrium when it is disrupted.

Each subsection of Section 3 addresses a category of activities that can have an adverse effect on Configuration Management. Each subsection is divided into two parts:

·  “Examples of Events and Challenges” describes some examples of activities that are responsible for disruptions in the CM equilibrium. These examples are based on international experience of specific events in Nuclear Power Plants (NPPs) and on the common experience of the authors of this report.

·  “Examples of Good Practices” describes the processes and behaviours that can help to avoid these events and challenges.

Section 4 describes organisational and human factors that are integrated into the normal activities of NPPs and that can be effective in preventing challenges to Configuration Management, in addition to improving safety and operational efficiency.

2 Fundamental Concepts of Configuration Management

2.1 Objective of Configuration Management

The fundamental concept of Configuration Management (CM) is to provide assurance to the owner, operator and regulator that a Nuclear Power Plant (NPP) is designed, operated and maintained in accordance with commitments, which provide for the safety of the public and protect the environment.

The objective of Configuration Management at NPPs is the conformance of three elements illustrated in Figure 1, below.

Figure 1: Objective of Configuration Management

Design Requirements are technical requirements, derived from the design process, that impose limits on the final design.

Facility Configuration Information (FCI) is the documentation that defines how the plant is designed, how it is operated and how it is maintained. FCI falls into one of three categories:

·  Design Information

·  Operational Configuration Information

·  Other configuration information necessary for procurement, operation, maintenance and training activities.

Physical Configuration applies to the installed Structures, Systems and Components (SSCs) and to the operating configuration of those SSCs.

Refer to Definitions section for formal definitions of these terms.

Implementation of effective Configuration Management requires that processes and programs integral to design, operations and maintenance of NPPs be compatible with the objective of CM. These work processes and programs must assure that:

·  Elements conform all the time
When the three elements of the CM Triangle are in conformance, the plant is said to be in CM Equilibrium. Work processes and programs must provide assurance that this CM Equilibrium is maintained at all times, and that it is restored when there are disruptions, whether caused by inadvertent action or by desired changes.

·  All changes are authorised
People who generate design changes and people who manipulate the configuration of components are suitably qualified and experienced, and follow approved procedures.

·  Conformance can be verified
All changes to the design and operating configuration are documented so that the relevant current configuration and past configurations can be determined and verified to have been done correctly.

Conformance with the Design Basis is assured when consistency is achieved among Design Basis, Design Requirements and Operational Configuration, as illustrated in Figure 2. Design Requirements, which are reflected in the final design documents (Design Information), must conform to the Design Basis. Changes to the operational configuration are made only with approved documents, which are written so that the limits imposed by the design are not exceeded. Refer to Section 3 of IAEA Safety Guide NS-G-2.2, “Operational Limits and Conditions and Operating Procedures for Nuclear Power Plants” [Ref #3].

Figure 2: Using CM to Protect the Design Basis

2.2 Disruptions in CM Equilibrium

Disruptions can occur between any two elements of the CM Triangle and arise in one of three ways:

·  A discrepancy is discovered unintentionally through day-to-day activities

·  A discrepancy is discovered intentionally through a systematic review, assessment, or field walkdown.

·  An intended change to the configuration is desired.

2.2.1 Disruptions between Design Requirements and FCI

Design Requirements impose limits on the design, which are reflected in the Design Information documents. If CM disruptions are detected between the Design Requirements and Facility Configuration Information, the Design Information documents should be reviewed for consistency with the Design Requirements. Typical examples of disruptions between Design Requirements and Facility Configuration Information include errors in analysis, such as incorrect use of design inputs or assumptions, and errors in licensing documents.

Typical causes of these disruptions include:

·  new or revised design requirements

·  inadequate original design review

·  misreading of design requirements when designing changes

·  changes

Additional examples of these types of CM disruptions and recommended good practices for their resolution are discussed in Section 3.1.

2.2.2 Disruptions between FCI and the Physical Configuration

Discrepancies may exist between the Physical Configuration and documents in any of the three categories of Facility Configuration Information:

·  Design Information

·  Operational Configuration Information

·  Other configuration information necessary for procurement, operation, maintenance and training activities.

2.2.2.1 Disruptions between Design Information and Physical Configuration

Typical examples of disruptions between Design Information and the Physical Configuration include discrepancies between design drawings and as-built plant conditions. The cause of such a discrepancy usually cannot be determined immediately; it may be due either to a drawing error or to the wrong component having been installed.

Some causes of these disruptions are:

·  Desired change to plant

·  Errors in installation of modifications

·  Poor post-modification testing procedures or execution

Additional examples of these types of CM disruptions and recommended good practices for their resolution are discussed in Section 3.1.
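Once the three elements of the CM Triangle described in Sections 2.1 and 2.2 are recorded as data, the pairwise conformance check can be run mechanically, for instance after a field walkdown or before a design review. The following Python example is added here and is not part of the draft report; the component tags, document identifiers and attribute values are constructed sample data, not records from any plant. It compares Design Requirements, Facility Configuration Information and the as-found Physical Configuration leg by leg and labels each discrepancy with the leg it belongs to, which is the same classification used in 2.2.1, 2.2.2 and 2.2.3.

```python
# Added example (not from the draft report): pairwise conformance check
# over the three elements of the CM Triangle. All sample data is constructed.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# The three FCI categories named in Section 2.1.
DESIGN_INFO = "Design Information"
OPERATIONAL_INFO = "Operational Configuration Information"
OTHER_INFO = "Other configuration information"

# The three legs of the CM Triangle (Sections 2.2.1, 2.2.2, 2.2.3).
LEG_DR_FCI = "Design Requirements <-> FCI"
LEG_FCI_PHYS = "FCI <-> Physical Configuration"
LEG_PHYS_DR = "Physical Configuration <-> Design Requirements"


@dataclass(frozen=True)
class Requirement:
    tag: str        # SSC identifier (constructed, e.g. a valve tag)
    attribute: str
    limit: str      # value the design must meet


@dataclass(frozen=True)
class FCIRecord:
    tag: str
    category: str   # one of the three FCI categories above
    attribute: str
    value: str
    document: str   # drawing, procedure or list that states the value


@dataclass(frozen=True)
class Observation:
    tag: str
    attribute: str
    value: str
    source: str     # e.g. field walkdown, surveillance test, receipt inspection


@dataclass(frozen=True)
class Disruption:
    leg: str
    tag: str
    attribute: str
    expected: str
    found: str
    reference: str  # document or source carrying the conflicting value


def _index(records: Iterable, ) -> Dict[Tuple[str, str], object]:
    """Index records by (tag, attribute) so each leg is a single lookup."""
    return {(r.tag, r.attribute): r for r in records}


def classify_disruptions(requirements: List[Requirement], fci: List[FCIRecord],
                         observations: List[Observation]) -> List[Disruption]:
    """Compare the three elements pairwise and return every mismatch found.

    Only attributes recorded on both sides of a leg are compared; an attribute
    documented on one side but never recorded on the other is not reported here.
    """
    design_info = _index(r for r in fci if r.category == DESIGN_INFO)
    observed = _index(observations)
    found: List[Disruption] = []

    # Leg 1 (2.2.1): Design Requirements vs Design Information documents.
    for req in requirements:
        rec = design_info.get((req.tag, req.attribute))
        if rec is not None and rec.value != req.limit:
            found.append(Disruption(LEG_DR_FCI, req.tag, req.attribute,
                                    req.limit, rec.value, rec.document))

    # Leg 2 (2.2.2): every FCI category vs the as-found plant.
    for rec in fci:
        obs = observed.get((rec.tag, rec.attribute))
        if obs is not None and obs.value != rec.value:
            found.append(Disruption(LEG_FCI_PHYS, rec.tag, rec.attribute,
                                    rec.value, obs.value, f"{rec.document} vs {obs.source}"))

    # Leg 3 (2.2.3): Design Requirements vs the as-found plant.
    for req in requirements:
        obs = observed.get((req.tag, req.attribute))
        if obs is not None and obs.value != req.limit:
            found.append(Disruption(LEG_PHYS_DR, req.tag, req.attribute,
                                    req.limit, obs.value, obs.source))
    return found


def in_equilibrium(requirements, fci, observations) -> bool:
    """CM Equilibrium holds when no leg of the triangle shows a mismatch."""
    return not classify_disruptions(requirements, fci, observations)


def summarize(disruptions: List[Disruption]) -> Dict[str, int]:
    """Count disruptions per leg; tells a reviewer which relationship to examine first."""
    counts: Dict[str, int] = {}
    for d in disruptions:
        counts[d.leg] = counts.get(d.leg, 0) + 1
    return counts


# Constructed sample data: one motor-operated valve and one pump.
SAMPLE_REQUIREMENTS = [
    Requirement("MV-101", "seismic_class", "I"),
    Requirement("MV-101", "actuator_power_supply", "class 1E"),
    Requirement("P-202", "rated_flow_m3h", "500"),
]
SAMPLE_FCI = [
    FCIRecord("MV-101", DESIGN_INFO, "seismic_class", "I", "drawing D-123"),
    FCIRecord("MV-101", DESIGN_INFO, "actuator_power_supply", "non-1E", "drawing E-045"),  # misread requirement
    FCIRecord("MV-101", OPERATIONAL_INFO, "normal_position", "open", "procedure OP-007"),
    FCIRecord("P-202", DESIGN_INFO, "rated_flow_m3h", "500", "datasheet DS-202"),
    FCIRecord("P-202", OTHER_INFO, "impeller_model", "IMP-A", "spare parts list SP-202"),
]
SAMPLE_OBSERVATIONS = [
    Observation("MV-101", "seismic_class", "I", "walkdown"),
    Observation("MV-101", "actuator_power_supply", "non-1E", "walkdown"),   # built to the wrong drawing
    Observation("MV-101", "normal_position", "closed", "walkdown"),         # operational drift
    Observation("P-202", "rated_flow_m3h", "500", "surveillance test"),
    Observation("P-202", "impeller_model", "IMP-B", "receipt inspection"),  # undocumented replacement
]

if __name__ == "__main__":
    for d in classify_disruptions(SAMPLE_REQUIREMENTS, SAMPLE_FCI, SAMPLE_OBSERVATIONS):
        print(f"[{d.leg}] {d.tag}.{d.attribute}: expected {d.expected!r}, found {d.found!r} ({d.reference})")
```

On the sample data the valve's actuator shows up twice: the drawing disagrees with the requirement (leg 1) and the installed actuator matches the drawing, so it disagrees with the requirement as well (leg 3). That pattern points at a design error that was faithfully built, whereas a mismatch only on leg 2 points at field drift or a drawing error, which is why the report distinguishes the legs before deciding which element to correct.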