We are going to talk about nuclear safety. The full day is devoted to topics related to nuclear safety and what the IAEA has been doing to promote nuclear safety and related things. And we are very fortunate we have Peter Turin from the IAEA. He is the section head of nuclear installation safety and he has, Peter has a very vast experience in the operating nuclear industry over 40 years and he worked in very key positions in the Canadian and UK nuclear industry and he would be having a very enlightening lecture in the first one and a half hours about nuclear installation safety. Please make use of the time and interact with him and get as much as you can. And also we have another expert from the IAEA, Catherine Asfa from the nuclear standards section. She is an expert on nuclear standards. She will be speaking about nuclear standards in the afternoon. And I also have a section about promoting nuclear safety culture through organizational learning, following what Peter is going to talk about now. So now with this introduction I will hand over to Peter to start the session and the proceedings of today. Okay. Thank you. Is this thing working? Can you? Yeah. Yeah. Okay. Good morning everybody. It's a pleasure to be here as usual. It's my third time here. So I'm not sure if that's good or bad, but we'll see. I hear that you're from 30 different countries. So that's fantastic. I heard there's someone from Canada. Okay. I'm also a Canadian citizen as well. So special call out to you. I want you to do very well in the test. I also hear the average age of the group is 30. It looks about right. So next year I'm 60. It's just sort of sobering. Anyway, as was said just a moment ago, I would really prefer if this was as interactive as you can make it. I love taking questions and you throwing things back to me because I say things the way I understand them and sometimes it doesn't come across in a way that the audience will understand best. 
So please, if I'm speaking too quickly or if I'm not clear in what I say or you just want to ask a question or say something that's in your experience, please do do that. I would genuinely welcome that. The only exception to that is Catherine, because she knows far too much about what I do and she'll be able to ask me some very awkward questions. But anyway, so I've got an hour and a half and I know that I will not make you an expert in nuclear safety in an hour and a half. So this morning we're really going to touch on some principles, which is why it's called principles, and we'll cover some things and maybe talk about some things that have happened. I also want to say that this will not all be techie type stuff. I don't know whether you've got sort of nuclear engineering backgrounds or not, or whether you're in another field. So it won't be all technical stuff. In fact, there's quite a bit on cultural and behavioral stuff, which for me is just as important to nuclear safety as the technical stuff. So with that in mind, I'm going to talk a little bit of introduction, which is probably what I've just done to be honest. And then I've got just one slide with some reminders about the nuclear industry and why the principles in nuclear safety are so important. I'm going to talk about something called defense in depth, which is a thing that you will see, I think, if you go to any nuclear power program anywhere in the world. We'll talk about safety systems just to sort of give you some feel about what you would see on any nuclear power plant. And then I'll swap across to some less technical stuff about management and people and safety culture. And then we'll talk a little bit about some examples of what you would hope to see in a good plant, a plant that is safe, that is running well. And maybe some things that are signs of declining performance. So that's it. I guess that's enough. 30 years old average. So that takes me back to 1987, right? 
Okay, so can anyone give me some examples of the worst disasters we've had in the nuclear power industry? Chernobyl, okay, so that's, I think that was 86. So just before you were born, most of you, some of you. Fukushima, yeah, absolutely, not so long ago. Now six years ago, six and a half years ago. Three Mile Island, yes, I think that started it all off. So well done, you've got the big ones. There's been some others, some other very near misses. There's a plant in America called Davis-Besse. And I think in the early 2000s, it would have been about 2003, 2004, something like that. They discovered, fortunately during a refueling outage, that they'd almost gone through the pressure boundary on the main pressure vessel. To the extent that, of a pressure vessel probably 20-something centimeters thick, there was only a centimeter left. So very, very near miss. Right on the top of the vessel, if it had failed, it probably would have taken some control rods with it. So it might have affected the ability to shut down the reactor and all sorts of terrible things. Anybody heard of some criticality incidents? About criticality incidents around the world. We had one in Japan not too long ago, I guess about 15 years ago in a... Sorry? Tokaimura, I think it was, yeah. When some uranium being treated, some fissile material, went critical. So good, excellent. So there they are. TMI in the States, fortunately no great release of activity, but it taught us a lot of lessons. The lesson it taught me, and anyone who's thought about it: think about what lessons came out of Three Mile Island. I don't mean necessarily technical lessons, although there were a lot. I mentioned Davis-Besse a few months ago. The same event that happened and destroyed the reactor at Three Mile Island happened at Davis-Besse a few months before it, where they had a transient on the reactor and the pressure on the reactor went up and the safety valves lifted on the reactor pressurizer. 
And fortunately, the valve closed again, as it was designed to do. On Three Mile Island, the valve didn't close again. So we'd had that exact same issue at Three Mile Island that we had before at Davis-Besse. But we didn't learn the lesson. So that for me was a very sobering thing. What could we have done if we'd learned those lessons? Right, oops. Again, I'll not try and teach you all about reactors and stuff like that. But pressurized water reactor, the most common sort of reactor in the world. Reactor is here. It has its own circuit of coolant. It's kept under pressure by a device called the pressurizer. Pumps pump the water around, cool the fuel, deliver the heat to a steam generator. The water in the steam generator is at lower pressure, so it's allowed to boil. And from then on, it's a conventional steam-driven power plant. It's all in a big containment building. The thought being that if the worst comes to the worst and we breach the pressure boundary, all of the dangerous material will be kept within the containment building. And it also acts as a radiation shield and as a protective shield against things like aircraft crash and flooding, for instance. Boiling water reactors, the next most popular design. Pretty similar, except you don't have that intermediate step of a separate circuit with a steam generator. The interesting thing for me with regard to these is that if you think about it, there's a branch of maths I'm quite interested in, I think, called topography. And if you put a topographic head on, you could actually say that the fuel is outside the containment building, because the pressure boundary actually extends outside the building. So you could actually get into the turbine and if you were able to get past all the equipment and the valves and everything, you could actually make your way directly to the fuel. So there is a sense in which the fuel is outside the containment building. 
You've got to stretch your imagination to think that, but the point I'm trying to make is there's one less barrier to the radioactive material getting outside. So we have to accommodate that in the design, which of course we do. Okay, so that's the technical stuff. Any questions? Sound familiar? Okay, so we've got some key objectives and the IAEA in particular, I think, has designed some very nice and very easy to understand fundamental safety objectives. So what is safety all about? It's protecting people. We're not bothered in safety terms if we destroy the plant. It makes no difference to us in safety terms. Economically, it's disastrous with the cost of a new plant these days. But in terms of safety, we are only concerned about the protection of people and the environment from the risks that are inherent in the technology. So that's our fundamental safety objective. And you could go on to the IAEA website if you so wish and you can download this document, Fundamental Safety Principles. I think if you even just Google SF1 IAEA, you will find that document. And as Catherine will probably tell you, all of our documents are available for free immediately off the internet. So if there's anything you ever need in terms of what the IAEA is doing or talking about, I think you'll be able to find it in terms of standards or guidance or technical documents. So that's a fairly high-level statement or a fairly high-level document. What are we actually trying to do in a bit more detail? Well, we're trying to make sure we are in control of the radiation exposure that people get. You can't run a nuclear plant without people doing maintenance, operating the thing, walking around it, inspecting it, checking it. So you have to be on the plant itself. You can't just sort of put it in a big building and press the big green button and sort of walk away and come back in 18 months' time when it's ready for refueling. Unfortunately, you have to look after it quite carefully. 
So that means we're going to get radiation exposure. So we have to control that. And of course we also want to control what radioactivity gets into the environment because, again, there isn't a plant that I'm aware of which doesn't involve some release of radioactivity to the environment. In the same way that a coal-fired plant emits radioactivity or an oil-fired plant emits radioactivity. So we're trying to control that. The next thing is, I think that these plants are designed and built and operated to pretty high standards. I like to say that because I used to do it. But nevertheless, we are always conscious that although it's very low, there is always a likelihood that we could have an event. We could have an accident. We could destroy a reactor. We could melt through the vessel, as happened at Fukushima. We could lose control over the fission chain reaction. It's possible. It's unlikely, but it's possible. Or we may inadvertently release radioactivity from the plant. It's possible. You can have leaks on pipes. You can have leaks with valves. You can have transients. It's easy to open the wrong valve. So we have to try to restrict the likelihood of that happening. And then what about planning? It's great to say we're very good at designing and building and operating these things. And it's also very good to say, but something might go wrong. And it will. So the next thing is, OK, how do we mitigate that? If something happens, what are we going to do to mitigate the consequences, to protect people, to respond to something? So that's the next thing. Some of the main safety issues that people talk about and are often worried about with regard to nuclear. The first one is actually nothing to do necessarily with power production itself. But it's security. People really worry about what happens if somebody gets into a power plant or steals some radioactive material. What would they do with it? What happens if they make a bomb and let it off in a city? 
And suddenly we have all this radiation around that we can't see and we can't smell, we can't feel and touch. But it will harm us. So security is one of the issues. It's outside the scope of this thing, but nevertheless it's there. Proliferation is the other one. We all talk about our concerns over whether countries are doing the wrong thing with radioactive material. Are they creating nuclear weapons programs that we don't know about and they could threaten us? And of course that's in the news a lot. Hopefully it will never come to it. So we do a lot to try to prevent fissile material in particular getting into uncontrolled places. We also try to control what people do with fissile material and whether they enrich it or not or whatever. But in terms of power plants, it's this middle bit. So there's three main things we need to do with regard to this reactor that we've created. I mentioned about containing the radioactivity, and the vast majority of all the radioactivity is held within the core of the reactor. There are ancillary circuits and whatever that do become radioactive, but the vast majority of the inventory of radiation is inside the pressure vessel. There's also quite a lot inside the spent fuel pool as well, but that's probably less hazardous. So we need to contain that radioactivity. We also need to control the power. The power inside the reactor is pretty big. There's been some interesting comparisons, such as there's far more power being generated in a modern power plant inside one single reactor than is displayed by the space shuttle on takeoff, way, way more. And that for me always looks very impressive when it's lifting off the launch pad and you can get some feel of the power in there. But the most modern plants being built now are 1,500 megawatts. So we're talking about a thermal power, so a reactor power, of around 4,000 megawatts. That's a lot of power. 
I remember once trying to talk with the people on the plant I used to direct and trying to pass across an image of what this power all means. This room is way, way bigger in volume terms than the volume of a reactor core. Way bigger, probably, I don't know, five or six times bigger. Maybe even more. So are you familiar with the one kilowatt electric heater? With the sort of the bar that heats up? It's a bit like the toaster we've got upstairs in the kitchen, in the restaurant upstairs. A one kilowatt bar electric heater? No? Okay. It's a thing that we used to have in the UK a lot in the old days. Well, one of those is 1,000 watts. And, you know, it feels pretty warm. But a 4,000 megawatt reactor means having 4 million of those in a room, say a tenth the size of this room. And all that heat is being transmitted through the cladding of the fuel. So we're trying to get 4,000 megawatts through the cladding of the fuel, which is probably not much more than a millimeter thick. So I hope that gives you some idea of the balance we're trying to strike between this enormous amount of power we're producing in the reactor and how much power we're trying to take out to keep it cool. And of course we're using that power to make electricity. Anyway, so controlling the power is the big thing. And the other interesting thing is we're controlling it not just during normal operation, but of course during events or accidents. We're also having to deal with it once the reactor is shut down. And I will come back to that point. So this thing about controlling the power is one thing, but associated with that closely is cooling the fuel, not just when the plant is operated, but when it's shut down. So is everybody aware of the concept of decay heat? Is that a Samar and Samant? I know it varies, but it's that issue of removing heat when the plant is shut down, that's one of the unique features of nuclear that we'll come back to. 
So if you can keep the radioactivity controlled and contained and you can keep the power under control and keep the fuel cool, then to be honest you've pretty much dealt with the hazards to the workers on the plants and the public and the environment. And you've also protected your asset as well. And it comes, I think, in two discrete areas. There's technical aspects, the technical bit about safety, all the clever designers and the well-trained operators and the skilled maintainers and the people who understand the concept of the plant design. All that stuff. And then there's the management aspects, which is about people. So we'll talk a little bit about both of those. So hey, time for you to be interactive now. So give me some of the things that cause the risk from nuclear power plants then. No trick questions. What are the risks? We talked about some of them. Any thoughts? Yeah, radiation is the first one. Ionizing radiation causes cell damage, either short-term effects to the person who receives the radiation or potentially genetic effects that can go through the generations. And I can't think of anything worse than to be told that I'm damaged in a way that my children and their children might be damaged as well. Terrible. So thank you for that. That's a good one. Yeah, yeah. Release of radioactivity causing that problem. Oops, sorry. One, two. You've got the main thing. So the risk, where does that come from? Okay, so you get the radiation directly from fission. A lot of strong gamma rays, x-rays, neutrons in particular. Alpha and beta radiation contained pretty much within the circuit, but a lot of radiation from the physical process. Producing a lot of radioactive materials. Ionizing radiation and risk production. Heat production. I mentioned we've got to keep that under control even when the reactor is shut down. So our job in the nuclear industry is to say, okay, so how are we going to deal with that so we can use this useful source of power? 
So first of all, we have to assess that. How do you assess risk? How would you assess risk? Safety analysis, yeah. And a great answer, but I'm trying to think, what do you think about when you talk about risk? If you're going to go on an aircraft. Consequences. Consequences, yeah, absolutely. That's the sort of the end thing that you're really worried about. So the consequences of an aircraft crash are pretty horrific. So what else do we consider? Probability. Probability, yeah. Yeah. Okay, so the two things are absolutely, you obviously got there straight away. Consequences and probability. Yeah, you're right. I sort of put the severity and the consequences. I lump them together, but I think you're right. I mean, sometimes you can have a lot of consequences, but if they're not very severe, I understand where you're coming from. Yes, from where it comes in. And that's the assessment part, really. I think you're absolutely right. But I wanted to get to this thing about consequences and probability. I drove down there. I drove for five hours or so to get down here today. Catherine flew. So we had different risk profiles. And the same thing happens here, really. The risk of a nuclear accident is very low. But consequences could be very high. And so it's our job to say, okay, we've got to recognize that. We've managed through a lot of technical work we can get probability down, but we also have to recognize it might happen. So how do we deal with the consequences? And that's dealing with the consequences, really, is where we'll get to in a few moments with the thing about protection and safety concepts. So the fact is that nuclear power actually is pretty much unique. And I know that things are either unique or they're not. But nuclear power is unique, really, in terms of this presence of large quantities of dangerous radioactive material. And the fact that, you know, you have to be able to isolate it from the environment. 
The other thing I think there is, of interest to me as an operator and a plant director, was that fission is an interesting process. It's not really like anything else I've come across. Even explosions. Fission is a thing that you can show, you can actually show it mathematically, but we've seen it at Chernobyl. If it gets out of control, it proceeds at an astonishingly fast rate on extremely short timescales. So you have to be able to shut it down really, really quickly. You know, even if you're in an aircraft, you know, there have been many examples of aircraft, you know, passenger aircraft running out of fuel and the pilots have been able to land the aircraft safely. I think there's one in Canada. We used to use it as a case study, called the Gimli Glider, which is a rather strange sense of humor, but essentially this passenger aircraft became a glider. So in many things, you have time to deal with it. Even when you're driving, you can see an accident ahead and you can slow down or you can appreciate that somebody's going to walk out in front of you. You have just a few seconds in which to react. When a nuclear reactivity event happens, it happens very, very quickly. So our protection systems need to be pretty reliable and pretty fast-acting. And then once we shut the reactor down, we've got this thing about the fuel still generating heat. It's quite a lot. When you shut down, it drops immediately, you know, within just a few seconds, to about 4% power. 4% doesn't sound a lot, except when you're dealing with an initial power of 4,000 megawatts. So you're still dealing with 160 megawatts of heat. And where's that heat going to go? And then the risk analysis, as we've already talked about. So the probability is very low, but the potential harm, the severity of the consequences, you know, potentially quite high. So we've got to have the right things in place. So we don't just attack it in one way, as you'd probably expect. We go for a more holistic view. 
And we start off on this with the country itself. And I don't know, are any of you in, you know, looking at the sort of the legislative or regulatory side of things, or are you all more on the power side? Okay. So, you know, there are many countries in the world, and some of you may be from those countries in the world, that don't have a nuclear power program, but might be seriously considering them. So I think the place where you will start, and I'm not sure whether you've heard about this already, but you will start from the legislation and the regulation and getting the right framework in place so that things can be controlled correctly right from the outset. So part of that is a competent regulator. Does the regulator also know what nuclear power is all about? Or do they just know what's written in the words of the law? Because if all they know about is the words of the law, they might struggle when it gets to the actual technicalities. So, competent regulator. Next one. Adequate site. Interesting point. With the benefit of hindsight, would we have chosen Fukushima for a nuclear power plant? Interesting. Your initial reaction, my initial reaction to that question is always, well, of course not. But maybe. Because actually you can deal with the sort of issues that happened at Fukushima. But you would certainly have thought twice, I think, before that. I come from the UK, and also Canadians as well, low seismic risk. So we deal with plants in those countries in a different way. But if you want to build a plant in Mexico or on the Pacific Rim, with a lot of seismic activity, yeah, you have to deal with those things. And they can be dealt with. But we have to know the site characteristics and deal with it. And then these three things also have to work together. So, in terms of the design, we like to have what we call a conservative approach. So we don't want this plant to be built just strong enough. We'll never get worse than earthquake 9. 
So as long as we can build it to earthquake 9.01, we're good. A conservative design would say, we need to have some safety margins here to deal with these things. Yeah, that is a really good question. And it's one that exercises me a lot right now. Because my worry about the industry's future is that we are destroying its economic viability. So I agree with you to an extent. However, I would say that we don't want to have, and the phrase we bandy around, the phrase we use, is cliff edge effects. So we don't want suddenly, when something happens, to realize we're sort of about to jump over a safety cliff. We want our plants to have an economic viability, which means you can't just build more and more and more and more safety systems. But we don't want them to have this vulnerability to something that we might not have thought of. Because our experience in the industry is that usually something happens and you think, we didn't think about that, how are we going to deal with it? So if you've got a little bit of margin in the plants, then you're probably good to go. But thanks for the question. It's a very interesting question. And it's why I think there's a lot of drive now towards newer designs like small modular reactors. Yeah, yeah, yeah. Yeah, that's another very interesting point. I heard a guy who is from one of the London UK universities. And he talks very powerfully on this and about the fact that sometimes the way the nuclear industry speaks and talks about things really just reinforces in the mind of the public that the industry is dangerous. And the reality is the industry is not actually that dangerous in comparative terms. Can I just give you another thing about conservative approach? And it's an example I've used before and it's one that I think is powerful. When you're on a flight, how much fuel do you want the pilot to load onto the aircraft? Just enough to get there? 
Or would you rather he had just a little bit left so that if the weather closes in you can circle around or maybe go to a different airport or you get diverted en route, you never know. Now that extra fuel that you carry has a cost for every single ticket that we buy. It's probably not too much. But nevertheless, that's really what I mean by a bit of a conservative approach. Obviously you have to have enough for the mission but then you want to have just a little bit in reserve, and that's a judgment that we're all having to make almost every day. Proven engineering practices. Well, this almost goes without saying. Engineering now is such a well-developed field, and we've moved on so much further than when I started as a young engineer a long time ago. The defense in depth concept, which I'm going to come to in a moment. The design philosophy of safety systems, which might be something around... Well, when equipment fails, what condition does it fail to? So if you want something to automatically shut a plant down, and these are usually electronic sensors and detectors, if that sensor system fails, is it just going to say, I don't feel so good today. I'm not going to monitor the reactor anymore. Count me out, guys. Or would you rather have a system that says, I don't feel too good today. I want you to assume that I think the reactor is in a bad place. So I vote to shut down now, but I don't feel very well. So if another one then decides that the reactor isn't feeling so good, the plant is shut down. So this thing about, does it fail to safety? Or does it fail to danger? I like fail safe. So I'm wondering for a question about... Does it really go for an F and R? Who in the engineering department knows how... Oh, it's a great question, yeah. Okay, so thanks for that question. It's really good, and to be honest, I think SMRs may well be the saviour of the industry going forward as well. 
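The fail-to-safety voting just described, as an added example that is not part of the lecture or any IAEA material: three hypothetical measurement channels each vote "trip" or "no trip", and the reactor trips when at least two agree (2-out-of-3 coincidence). A channel whose signal is lost votes "trip" under the fail-safe rule and "no trip" under the fail-to-danger rule. The channel names, the 110% power setpoint and the sample readings are all constructed for illustration.

```python
"""Added example: 2-out-of-3 reactor trip voting, fail-safe vs fail-to-danger.

Not lecture code. Models the point made above: a sensor that fails should
vote "shut down" rather than go silent, and coincidence logic means one
faulty channel neither defeats a real trip nor causes a spurious one.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Sequence


@dataclass(frozen=True)
class Channel:
    """One measurement channel (hypothetical). value is None when the
    sensor has failed or its signal has been lost."""
    name: str
    value: Optional[float]


def fail_safe_vote(ch: Channel, limit: float) -> bool:
    """Fail-to-safety: a failed channel votes TRIP
    ('I don't feel well, assume the reactor is in a bad place')."""
    if ch.value is None:
        return True
    return ch.value > limit


def fail_danger_vote(ch: Channel, limit: float) -> bool:
    """Fail-to-danger: a failed channel votes NO TRIP ('count me out').
    Included only to contrast with fail_safe_vote."""
    if ch.value is None:
        return False
    return ch.value > limit


def trip_2oo3(channels: Sequence[Channel], limit: float,
              vote: Callable[[Channel, float], bool] = fail_safe_vote) -> bool:
    """Two-out-of-three coincidence: trip when at least two channels vote TRIP."""
    if len(channels) != 3:
        raise ValueError("2oo3 logic needs exactly three channels")
    return sum(vote(ch, limit) for ch in channels) >= 2


POWER_LIMIT = 110.0  # percent of rated power; assumed trip setpoint


def demo() -> dict:
    """Constructed scenarios. Returns True where the logic trips the reactor."""
    normal = [Channel("A", 100.0), Channel("B", 101.0), Channel("C", 99.5)]
    one_failed = [Channel("A", None), Channel("B", 101.0), Channel("C", 99.5)]
    failed_plus_high = [Channel("A", None), Channel("B", 115.0), Channel("C", 99.5)]
    return {
        # healthy plant, all channels below the setpoint: no trip
        "normal": trip_2oo3(normal, POWER_LIMIT),
        # one channel lost, others fine: its lone TRIP vote does not
        # cause a spurious shutdown
        "one_failed_fail_safe": trip_2oo3(one_failed, POWER_LIMIT),
        # one channel lost AND a real overpower on another: fail-safe
        # logic trips, because the failed channel's vote counts as TRIP
        "failed_plus_high_fail_safe": trip_2oo3(failed_plus_high, POWER_LIMIT),
        # same plant state under fail-to-danger logic: the overpower is
        # masked, only one TRIP vote, no shutdown
        "failed_plus_high_fail_danger": trip_2oo3(
            failed_plus_high, POWER_LIMIT, fail_danger_vote),
    }


if __name__ == "__main__":
    for scenario, tripped in demo().items():
        print(f"{scenario}: {'TRIP' if tripped else 'no trip'}")
```

The last two scenarios are the whole argument: with the same plant state and the same setpoint, the only thing that changes is how a dead channel is counted, and that alone decides whether a genuine overpower shuts the reactor down.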
And much easier for countries that don't have very big power grids to accommodate as well, because if your power grid is small, you don't want a massive great reactor that if it turns itself off, collapses the entire country's electric grid. So there's lots of reasons why SMRs, I think, could be really good, not just in existing nuclear nations, but also in countries thinking about their first program. So, great question. But I think this principle still applies though, because there are smaller modular type reactors that are built on the same technology. So although, you know, if you go to the plants that they're going to commission soon in China, which is this huge, great French design plant, that's a pressurized water reactor, you know, 1700 megawatts electrical, the biggest plant in the world. But you can build a small modular reactor of a pressurized water design, but which is only 300 or 400 megawatts, which is much more suitable for a new grid, or a smaller grid rather. But it's built on the same engineering principles, the same nuclear principles, and you use the same engineering practices, because it's still using a pressure vessel, it's still using the same physical conditions of temperature, pressure, radiation, et cetera. So you can use it even in some SMRs. Then there are other SMRs of a different design. So what we have now is, for those things, is what you might call an unproven design, but the engineering principles will probably be the same. So as an example, one thing, one design that was being considered very strongly in South Africa until fairly recently, and it's still being talked about occasionally, is the pebble bed modular reactor. Wonderful design in terms of safety, absolutely outstanding. The fuel matrix is so cleverly designed to retain the radioactivity within the fuel itself that you probably don't even need an evacuation zone around the site. Marvelous for safety. It shuts itself down. 
It doesn't need any massive cooling systems like you would find on the plants that I'm used to in my history. But it's built essentially on gas turbine technology in a way and also pressure vessel technology. And this use of this ceramic fuel, which we do have experience of. Now that's a completely different design to anything that we've got so far. And then you can have things like molten salt reactors where the fuel and the coolant are mixed together intimately, with some really good features, one of which is it doesn't operate at high pressure. It's a molten salt. But the salt itself, because it melts at such a high temperature, doesn't need to be contained in a pressure vessel. Now, of course it's enclosed and you don't let stuff escape. But there's no pressure problem like you have on a pressurized water reactor or a boiling water reactor. So I guess what I'm trying to say is that the designs are different, but we're still dealing with the same engineering-type principles. So I think the challenge for perhaps some of the countries you've mentioned is, okay, so how do we go from where we are now to having within the country greater skills in these areas? And that's a slightly different question, but a very interesting one. And people like the IAEA are there to try and help if we can. That's what I think is needed. So, yeah, I absolutely see a route for countries embarking on those technologies to grow their capabilities and do exactly what I think you're telling me. Does that sort of answer your question, partly at least? So we talked about the design stuff, and then the next bit is all about human beings, because as I say, you can't just sort of, you know, it's not like someone in the lift, you know, just press the button and wait for 18 months. You have to have people to run these things. They're highly automated, of course, highly reliable. 
I've worked on plants where they have run for literally from the time you turn them on to the time you turn them off again to refuel them, you know, a year or 18 months. They've never shut down in 18 months. But nevertheless, people have to interact with them and you have to qualify and train their staff. You have to organize them into different departments. Who's looking after the radiation safety? Who's looking after the nuclear safety? Who's looking after the design? Who's looking after chemistry? Who's looking after the payment of the people for the work that they do? How are you going to get stuff onto the plant? How are you going to get procurement organization working? What about security? Who's looking after the site? So the organization is very important. And then someone else will talk about safety culture, the behaviors of people. So this isn't just the technical skills or the abilities you give them and you can test them on. This is about safety culture. And I'll talk a little bit about it and I know there's another session on it later as well. Documentation. What records have you got? How do you know the plant design? How do you know how to operate it? When something happens in the control room, my first protocol is, okay, where's the procedure? We all expect people to have thought in advance of the things that could go wrong and how to deal with them. You know, even as an experienced nuclear professional in the control room, you're not there sort of, okay, let's wait for something to go wrong and we'll deal with it, guys. It's not like that. You want to be well-prepared using things that you thought of in advance. You've designed the response. You've tested the response on the simulator. You've tested the response in computer models. And you've tested the response for real when it's happened. And you've learned from the lessons that you've experienced and you've learned from the lessons that others have experienced. 
And that's all been gathered into your documentation. And then operational safety. So more about things like, okay, we've given you a procedure. But how do I, as the site director, sitting in my office, know that you're following that procedure at eight o'clock at night or four o'clock in the morning? Procedural adherence. In-service inspections. Making sure that we understand how the plant's degrading because systems and structures will degrade over time. They'll degrade just because they corrode or because they're subject to high radiation levels or repeated temperature and pressure cycles and they will degrade over time. So how do you check that the systems are still within the envelope that you set when you design the place and build the place? And, of course, maintenance comes into that as well. You know, parts wear out. You can replace those parts. You can even replace an entire system. It's expensive, but you have to do it every now and then. Surveillance testing. If my safety injection pump is designed to provide 500 kilograms a second at a pressure of 150 bar, I need to be sure that it's going to do that. There's no point coming back 10 years later and testing it and saying, well, actually, you know, it's only producing 300 kilograms a second now at 140 bar. If that's not enough for its accident mission. So you have to make sure that you continually test in the plant to make sure it can do what you need it to do if things go right. Operating experience, which is learning from other people. I mentioned Davis-Besse, which is a great example in the industry. But, of course, Chernobyl as well and Fukushima. We've learned so much from those accidents. It's just astonishing. I was in Japan recently at a different plant. And as you'd expect, the sea wall protecting them from tsunamis is a very impressive construction now. I think it's 20 meters high. Very good.
And then I mentioned earlier emergency planning, which is being ready for something, and accident management, which is actually doing the mitigation out in the field. So, checking for radiation, advising people what to do if they're subject to radiation. Environmental radiation. So, I've talked about this a little bit already, so I won't dwell on it too much. I've already talked about these things, so I won't dwell on it. The more difficult question, I think, for those of us in nuclear management, I think we're all in the same boat. It's this interesting question at the bottom there, because this is all technical stuff. But I want you to start thinking about these. How do you get into people's heads? It's their role. The plant itself doesn't know its role. I assure you, the plant is ignorant. The plant does physical stuff. But it's the people who actually keep a plant safe. I worked in a company which had some very old plants and some very new plants, some that were really well-designed with all sorts of operating experience, and one plant that was the prototype, really, for the commercial-sized plant of that design. And there were loads of mistakes. And it never really fulfilled its promise. But we always used to try and keep in our minds that we could turn the best plant into the worst plant if we didn't have the right people, because the truth is it's the people who actually keep the plant safe. So we want to try and get into the minds of everybody that it's their responsibility, or they have part of the responsibility personally to keep the plant safe. And that's interesting when you're talking with the people who are in security or in administration or in the stores buildings. How do they, how do you persuade them that what they do is important to nuclear safety? There's another story that I think paints this quite well, which is from the late 60s. I don't remember who it was.
I'm not sure if it was an American president or whatever, but it was a very important person going around NASA, the NASA facilities, I assume, in Florida. And it was taken through all of the buildings and happened to go through the warehouse. And there was a guy sweeping the floor. So in the spirit of wanting to talk to everybody, the VIP said to this guy, so what's your job here? So I'm helping to put a man on the moon. So that's what he thought and that's how engaged that person was. He wasn't here to keep the warehouse clean. That was his part of putting a man on the moon. And that's really what this question is about. If you're in security or if you're an admin, paying people or if you're buying stuff, you're not there to do that. You're there to try to do your part to keep the plant safe. All right, defense in depth. I've mentioned that a few times and I thought we'd just do some quick stuff on that. So the idea, as I've already said, is we want to prevent accidents and mitigate them if they occur. So we don't rely on a single thing. We don't say, okay, it's all in the big building. Don't worry, it's all in the big building. Nothing can happen, nothing can go wrong. There are multiple barriers, actually. Multiple physical barriers, multiple techniques, multiple levels of protection. And we make assumptions. The most important assumption is that things will go wrong. Not very often, but things will go wrong. Something goes wrong every day, it's trivial. Occasionally something more serious happens and the plant might shut down and we can restart it. Very occasionally things go wrong and it takes longer. So I think there will be errors. We just didn't think of that. Okay, how do we protect against that now in the future? Or equipment might fail. A diesel generator might fail to start or a pump might not fail to start or it might start and destroy itself. Or we might have an operating error. 
People will make mistakes and they don't set the plant up properly for when it's called on to start and when it does start, it's damaged. So how do we protect against those failures? That's part of it. We'll come to that. There's a few phrases that we use. Redundancy is one. Can you hold that thought and we'll come to it in a few moments? Or is that just the first part of your question? Yeah, yeah. That's part of what I mean. We'll come to it in a few moments, but there's redundancy, diversity, segregation, separation. So we'll come to all those things in just a few moments. So let me know if, you know, stop me again if we don't deal with what you're talking about. So we have different layers of protection and it's what we call the defense in depth model. So down this column here on the right, sorry, the left-hand side, we put there, well, how often do you expect these levels of protection to be called on? And then as you go down, things get more and more serious. So our objectives change, the way in which we provide the protection changes and the consequences of things going wrong change. So over here, there are things that are going to happen during the lifetime of the plant. We operate normally. And our desire is for the plant to be tolerant of failures. So for instance, if you're supplying water to the steam generators with pumps and you need, say, two pumps to provide the amount of water, well, what happens if one breaks down? Okay, you provide another one. So if one trips, the other one will start automatically and the plant goes up and just continues. It gives a little hiccup and, oh, what happened there? It's a bit more involved in that, obviously. But essentially the plant will run through these failures because it has redundant equipment. But there might be things that happen and you say, okay, if that happens, we want the plant to shut down automatically. So it might be that the control system fails. It happens. 
We obviously design it to be very reliable, but it might fail. So we design for that. And you might say, okay, as I mentioned earlier, one part of the subsystem says, I don't feel very well. Regard me as saying shut down and another one fails and the plant will automatically shut down. We have a voting system. Everyone gets an equal vote, usually four. The first one votes, I don't feel well. I vote for shut down. The next one, if it fails, it's treated as a shut down vote. Two out of four, plant shuts down automatically. So, of course, it does happen. I've been on several plants where it happened, unfortunately. And then there are the things that we don't want to happen and we're starting now to get into what you might call abnormal events. So there might be a single initiating event. By a single initiating event, it could be something like a fire or a flood or a major equipment failure. Or you could have selected multiple initiating events. So, for instance, if you have a fire, it's not unlikely that some equipment will be flooded or damaged by water because the firefighting systems will kick in and that water has to go somewhere. So I've seen that happen before as well. Or you may have a fire which causes an electrical problem because the smoke damages equipment, gets drawn into electronic components and causes a problem a long, long way away. So you might have a fire in one area but the smoke gets everywhere else and it causes a problem in another part of the plant. So multiple initiating events. In this case, where it's more serious, more widespread, of course our intent is to prevent core damage or at very least limit any releases. So this is where we start to get into the use of safety systems to keep the core cool and protect the fuel, keep it cool and that will minimize or even prevent offsite radiological events. Extremely rare events where you're actually talking now potentially about the core melting. 
Your objective then is, well, if you've melted the core, the radioactive material within the core is now outside the fuel matrix, so it's going to go somewhere. So your objective is to prevent or certainly need large release, especially early on because if you can prevent release for a period of days, the short lived radioactivity will have decayed away. So of course we have safety features to mitigate that. We protect the containment building. We keep the containment building cool and at low pressure, not just the reactor core. So that protects the containment building. And then the very final level is, okay, things have failed and they've failed big time and we are going to release activity offsite. So now it's about mitigating that radioactive release offsite and protecting people. So what offsite response do we give? How do we know where this radioactivity has gone? We've got to get people out in the field monitoring, checking and then we've got to use that information to provide advice to people. Do they evacuate? Do they shelter? Do they not drink water? Do they not eat food? What do they do? How do we deal with them? And of course we're into the drastic protective measures that you saw at Fukushima and at Chernobyl. Oops, not far through on mine. So the fundamental intent of all that then is to make sure that the essential safety functions that we talked about right at the beginning, which is protecting people in the environment, are achieved with margin. To compensate for things that will go wrong. And to the extent possible, the things that you put in place at all these levels, try to make those independent so that if you have a failure at one level, it isn't affecting failure at another level. So if you have a failure in your core injection systems, it doesn't affect your containment protection systems. So these are some of the physical barriers that we've got. The fuel inside the rods is usually a ceramic, not always, but usually a ceramic.
And the advantage of a ceramic is it's very good at holding radioactive materials within it. It's clad in, as I said, a very thin fuel rod, but nevertheless it is inside its own little tiny pressure vessel. That then is within the reactor pressure vessel itself, much bigger, much stronger, but another very effective barrier to escape of radioactivity. And of course, as I say, it's inside a containment building. So even if the fuel melts, and there's a failure of the reactor pressure vessel, you still have the containment building. And of course, we have dedicated systems to protect the fuel pressure vessel and the containment building. And of course, the plant is usually in the middle of a site. So there's a distance to the site boundary. And there's usually, not always, especially if you're used to the Pickering sites in Canada, there's usually, in most sites anyway, a certain physical distance to the nearest area of a population. And this is just in diagram form. You've got the actual radioactive material itself inside the fuel matrix, inside the fuel cladding, inside the primary circuit boundary, inside the containment building. And then there's a distance between people, the public, and the actual thing itself. So those are the physical barriers. And then we have the other defense in depth levels, which is things that stop the plant, or keep the plant within its design envelope, the control systems. Then you have things that will kick in if things go wrong, automatic systems to shut the plant down. Then you have layers, a layer which will help to control an accident. And then you have the containment building, and then you have your accident management responses. So all these levels all work together. And as you can see, there are quite a few. There's probably seven or eight there. Yeah. This one? Oh, this one. Oh, this one. Okay. This one. Okay. So yeah, you're right. Thanks for the correction. Actually, this is, it's actually particular to this design.
On this particular design, the containment building is designed to withstand pressure. It's also surrounded by a reinforced shell. So that, now they vary from plant to plant, but usually if you have a second containment, it usually has two purposes. The first one is you can monitor and extract the atmosphere from the interspace. So you can get a very early indication if you have any releases from the main containment building. So that's very useful in its own right. But the second thing is it also acts as additional aircraft crash defense as well. No, it's completely separate. There's usually a gap between the two. I mean, I used to work on a plant in the UK called Sizewell B. And it had a containment building. It was a cylindrical dome rather than a spherical one like this one. But that was the containment building that was able to withstand pressure and temperature. So that was the main containment building. Outside it was, and that was about over a meter thick. Outside it was a second concrete shell. And there was about, I don't know, a meter and a half gap between the two shells. The second one was much thinner. But as I say, what it allowed you to do was to monitor any leakage into the interspace and also provided some additional aircraft crash protection. Yes, yes. Oh, well, yeah, I mean, you're right. The steel lining is usually regarded as part of the containment building because you don't regard concrete as pressure tight. When it's pre-stressed, it's very good at withstanding pressure. But the steel lining is what gives it its actual, what you call, leak tightness. Now the steel lining usually is only, you know, maybe a centimeter thick. It's just, it's effectively an impermeable layer. Now, that is, these things do vary. And if you look at the designs being built now in the U.S., the AP-1000 design also being built in China, it's very different.
You have a, you actually have some like a, I guess about a 12, 13 centimeter vessel, which is the pressure retaining boundary, no concrete, but then it's surrounded by a bigger concrete shell. So the designs do vary. But thank you, you mentioned a good thing. It's not just the concrete that gives you the pressure seal or the pressure tightness, it's the steel liner as well. Thanks for that. Okay, and we mentioned, you know, how do you design things? Well, one of the things, when we talk about assessments, one thing we do a lot of is a thing that in the U.K. we call fault studies. So we study what might go wrong. So, you know, if you've got a lot of power being generated in a small area, you can imagine that, well, say you lose control of the power. Now that might be because of the control rod, control rod fault happens, or you may lose control of the concentration of boron inside the circuit. So those are what we call reactivity faults. So we deal with those. Or you might say, oh, okay, so we've got a lot of heat being produced and it's all that heat's been taken away to make power. What happens if we, if something stops us taking the power away? So we have, in other words, we lose the, what we call the feed water, or the heat sink. So we say, okay, well, let's imagine we had all those things fail. What would we do? So we study that fault. Or what happens if we lose all the power to the site and all the pumps that pump the water around the reactor stop? What would you then? So you can deal with that as well. What happens if the containment building fails? What happens if there's a fire or an earthquake? So you can design things to deal with certain levels of ground acceleration that you experience in an earthquake. So those are the things that we look at in what we call postulated faults or fault studies. And of course, you know, we put these things in place. So, yeah, if you lose all your offsite power, okay, we provide additional emergency on-site power.
That might be batteries, it might be diesels, it might be mobile equipment that you can bring to the site. I'm not going to mention diversity and redundancy here, but again, we will come back to it. So the reactor protection systems are linked to things that will shut the plant down and start those safety features if necessary. Now, some of them are actually passive and I'll talk about that in a moment, but some of them, a lot of them are active, where you know, you say, right, that's what we need and that system is called on to start. We divide the plant and equipment up to make sure that we deal with it in different ways. So the stuff that's important to safety is treated much more rigorously in terms of its design assessment and proving. So we look at all the equipment and the stuff that's important to safety, we also then divide down into safety systems, which are obviously the key things, and stuff that's related to safety, things like fire protection systems and whatever. But in the safety systems, we have a protection system, quite often we have two, and that's the stuff that will detect the fault. The stuff that says, hmm, I've seen that system, that condition over there, that's beyond what I think is safe, I vote to shut the plant down. And when enough of the protection systems reach the same conclusion, they will initiate a safety actuation system, so they will say, okay, we voted, we want the plant shut down, drop the control rods in, increase the boration of the primary circuit or whatever it is you do to shut the plant down. If you've actually gone to the point where shutting the plant down isn't enough, there might be other things that you need to do like emergency feed systems, emergency power systems, containment protection systems, but essentially all these things are the same. You have a protection system which monitors the plant and detects faults.
If necessary, that will initiate safety systems, and they of course need some support, electrical systems, lubricating systems, cooling systems. So all of these things are the things that we really concentrate on in terms of quality, testing, maintenance, operating, good procedures. And that's what we use to detect faults, make sure the design function works, and prevent anything that's going wrong from getting worse. That's what we're here about. We're also trying to prevent things going from a control situation to an uncontrolled situation. Mention active and passive systems, things like pumps, electrical power, they're all active. You know, you need to power a pump. It needs a motive force to drive it and to create pressure to put water into the reactor core. It's an active system. It needs power or compressed air or steam. But you can also design passive systems that don't need these other things and that are just reliant on physical things like gravity or pressure differences or temperature differences. So for instance, these pumps are all active. But this accumulator isn't active. It's a passive system. It's filled up. It's filled with pressurized gas usually, and that gas is just prevented from putting water into the reactor because the pressure here is higher. But if you have a leak over here and the pressure falls, the fact that the pressure is higher here than there means it floods the reactor with coolant. You don't need any initiating signals. You don't need any electrical power. It's a passive system. Very reliable. Very handy. Yeah. I think you need both, to be honest, because usually the passive systems are great because they cut out the potential problem of something having to make them work. But usually there are one-shot things. Once this thing has initiated and it's delivered its water to the reactor core, that's it. It's done. It can't be refilled. Well, it can be refilled, but you need an active system to refill it. 
Whereas the active systems, they need power to run them, but you can usually keep them going. So, for instance, if your problem is you've lost your off-site power and your active system to deal with that is your diesel generators. Well, the diesel generators are fine, but they need fuel. Now, you have a fuel tank which will keep them going for probably two or three days, but eventually the fuel will run out, so you have to bring more fuel onto the site. So that's the difference, I think. So, in my experience, the best solution is a mixture of both. Not necessarily for the same function. No. It's not every safety system will have a passive backup. It depends on whether there's a, if you like, you can design a passive system to deal with that fault. For instance, one of the difficult ones on a reactor is a passive system to shut the plant down. It's where the pebble bed reactor is very good. But on a pressurized water reactor, it's very difficult to design a passive system that will shut the plant down. The control rods are great because they drop under gravity, so you don't need anything to put them in, but you have to have something that will actually tell them to drop. Again, one of the plants I worked on had a system that was sort of a mix between passive and active, and it was called an emergency boration system. And essentially, if it realized the rods hadn't dropped in after a demand, it would open some valves, and then it would automatically put boron into the system, which would shut the reactor down. But although the way of getting the boron in was passive, it still needed those signals to work to open the valves. So it was a bit of a mix. That's probably the biggest challenge. So unfortunately, not every system can be passive. Okay, I'm not quite sure what you mean, but I'll give you the example from my experiences because we had this system on the plant I worked on. The reactor was working at about 155 bar. These were pressurized to about 45 bar.
So if you had a leak over here, in other words, you were losing water from the reactor, and the pressure would drop, and as soon as it got below 45 bar, it would automatically flood the reactor. So you were losing water, but you were gaining for a while while these were delivering water. You were gaining water. Now, how quickly they run out depends on how big the leak is down here. So it could be a matter of, I don't know, a few seconds, if on a very, very serious leak, to a matter of many, many minutes on a much slower leak. So there is no one answer to your question. Okay, so essentially what you're into here is you're into what's called a loss of coolant accident, a LOCA. Given that this whole thing is within a containment building, if you have a leak from this circuit, the water in the containment building will rise. And within the building itself, there will be what we call sumps. So the water, of course, gathers at the lower level, and you can then connect the sumps to an active system which pumps the water back into the reactor. So they won't work normally. They normally draw their water from here. The tank would be caught to mean different. But normally these pumps aren't working normally. This is just sat there. This is full of water. Water comes out of here, gathers in the bottom of the building. Initially, these pumps actually wouldn't be the low pressure pumps, it would be the high pressure pumps. They would draw water from here and pump it into the reactor. If they can't keep the pressure up, these will pump water into the reactor. If they can't keep the pressure up, you're in a situation now where the reactor building itself has a lot of water in it. So you connect these pumps to the bottom of the reactor building. So it's what we call going on to recirculation mode. These pumps are powered by the emergency power supply system. So they're normally powered by the grid system.
If you lose the grid, they then are connected to the diesel generators. Now, if you had a complete loss of off-site power, then you're into a very different action scenario. But you would need to have lost the off-site power and all of the diesel generators, making me think back about 20 years now, which is good. I think most of these things we've covered. Safety in design, defence in depth, radiation protection, design basis of these structures. We also classify them as safety related or not, but we also have a thing called equipment qualification. And you might hear this term a lot. And essentially, the short explanation is that it's relatively easy to make equipment operate under what you might call ambient conditions. Most things in this room, like this projector or the microphones or the clock or the lights, will be fine in these sorts of conditions. In an accident condition within the containment building, there will be high levels of radiation. There will be high pressure. There will be a lot of steam and water. There will be a lot of boric acid. So how would that projector fare if it was subject to a highly moist, steamy, radioactive environment? It might not continue to work. It might just blow up. So environmental qualification is all about making sure that the equipment that you need to work under an accident condition will still work under accident conditions. So we have to test equipment to make sure that all its sensors or its electrical connections aren't going to be affected by the accident condition that it has to operate in. Otherwise, at the very time you want it to work, it just goes, it fails. So that's obviously good for your entire day. Mobile equipment is in what we call severe accident management mitigation. So what we usually like to do is we like to make sure that the plant design itself will be able to deal with all that you can, all that you expect to throw at it. Yeah.
Well, what we then do is provide additional equipment that you can bring onto the site in the event that the site has suffered a major disruption. Now, the preparation that work that we do is we've, and you'll see this on all the plants around the world, I'm pretty sure, is we've installed additional connection points onto the plant so that the mobile equipment that you bring in can very quickly be connected to the plant and that would be water connections or air connections or electrical connections. Now, that has two main benefits. First of all, you may be able to provide additional electrical power to equipment that has lost all its power because all the diesels have failed. So you bring another diesel in from off-site which hasn't obviously been affected. Or you may be able to use some of the existing systems to get water into the reactor or to cool the reactor. Or you may be able to say, well, okay, let's assume that all that over there has failed and I've just got this little bit left. Okay, I can connect in and I can help this little bit and that will still help to deal with this pretty severe accident. Now, we're in an interesting situation where the majority of the world's plants are designed and built before Fukushima. So we've backfitted all of these improvements to those plants. The question I think you might be starting to get towards and the great question is, okay, so if you were building a new plant nowadays, would you build in all those additional features from day one? And of course, I think the answer would be yes. But, you know, I mentioned the AP1000 design. Just out of interest, the AP1000 design is designed not to need external power at all. So if you lose the offsite power and the onsite diesels don't work, you don't need to bring on additional diesels. It's designed not to need additional power. So if you like that, that particular design has had that aspect built in from day one. And that was designed quite so far ago.
Yeah, well, I think for radiation monitoring, you would need to have a system, whether it's a separate system or not, I'm less bothered about, but your radiation monitoring system in particular would have to be able to give you accurate information for accident conditions. So for instance, you know, within the containment building, your radiation levels generally are quite low, except for very close into the reactor vessel itself. But in an accident condition, where you may have breached the pressure vessel, the radiation levels will increase substantially. So you have to be able to monitor both sets of circumstances. Now, you might have two systems because sometimes for radiation monitoring, you know, the system that you choose it's a naturally limited range. You're only able to monitor within a certain range. And if your accident conditions are much higher than that, you have to have a separate system that can deal with those higher systems. It's exactly the same as on the reactor itself. You know, you have radiation monitoring or power monitoring systems for very low levels of power during startup, but you also have power range instruments for when the reactor is operating at full power. So yeah, the principle is exactly right. And I mentioned about being able to test the plant and to inspect it and deal with the fact that it will degrade over time, which is aging management and human factors, which we're going to talk about in a few moments. And now we're going to get back to, I think, some of your questions, which is about reliability of SSC, which is structures, systems and components. Common cause failures. So equipment has to be able to deal with the fact that you might get equipment failure, but you don't want the plant to shut down unnecessarily, but you do want the plant to shut down if you have multiple detections of the same issue, the voting system.
But also, you want to make sure that you won't have multiple failures of safety systems from a common cause. So for instance, fire is a very common cause of issues on power plants generally, not just nuclear plants. So you definitely want to make sure that your systems, structures and components will not be totally defeated by a single event, which might be a fire. And so it's pretty simple. You can segregate plants. You can put each subsystem into a separate concrete room or you might have fire protection equipment like water sprays or gas suppression systems, which will suppress a fire and stop it spreading to affect more than one area. What you're then talking about is multi-unit events. It's not a common cause necessarily, except that the issue might be an earthquake. So an earthquake might be a common cause for lots of things. But essentially, I think the design principles are that each unit has to be able to survive the design hazards that it's faced with. So okay, the accident management procedures have to be able to deal with multi-unit events. So I used to work at a plant in Canada. It had eight units. Now only six were running, but it had six units. And we had to be able to say, okay, each unit has to be able to survive a major fire or a major earthquake or whatever. But in terms of our emergency response, we have to have the capability as an organization to respond to multiple unit failures. Yes? Yeah. Okay. Well, yeah, well, modern designs will have an auxiliary shutdown room where if the main control room, and I don't know how many modules will be controlled from one SMR, how many SMR modules will be controlled from one control room. But in modern plants, you have to be able to shut down the plant from a separate location, which is protected.
So if you have a fault which affects the main control room, either the plant will shut down automatically anyway, or the operating staff can go to the auxiliary shutdown room and bring the plant to a safe condition. The interesting thing on that is how we've had to back fit that to existing plants. But for a modern plant, that would be designed in from the start. Does that match your experience or not? Yeah, with that, that's your multi-unit. I mean, from a fire perspective, I mean. It comes from nowhere. You have, even the IHC, the problem with the IHC, the control will affect the entire plant in the same control room. Yeah. Well, that's where you get into segregation and separation. So a modern plant, all of the safety-related systems are entirely separate. So they would have separate wiring, separate cable routes. You would separate power routes from instrumentation and control routes. So each unit ought to be separate so that a fault on one unit cannot affect another unit. And certainly, that's my experience for over 20 years. And the plant house in the UK, it had four separate safety trains. And each one of those separate safety trains were then entirely separate in the way that its cables were routed, its power supplies were routed, its cooling systems were physically laid out on the plant itself. And there was not just physical separation, but there was physical segregation as well. So concrete barriers between different separation groups. So that, I think, deals within one unit. And if there was two units on the site, it would have been the same. So the units themselves would be separated as well. Single failure criterion is what I mentioned earlier. Protection systems says they don't feel well and the system is clever enough to say, okay, I hear you, we're going to continue, but if I have another further failure, then we may shut the plant down. And failsafe, again, I mentioned that, what condition will the plant fail to? 
Now we get to, I think, your question. I'm glad we got back to it eventually. Redundancy. So redundancy in this sense means we have more equipment than we strictly need. So it may be that safe or post-trip cooling water flows. We can build a pump that will provide all that we need. We just need one pump to do that. That's great, but what happens if that pump fails? So you usually provide redundancy. You can either provide a separate one. So you've got two, each able to do the safety duty, or you might even have three. Or you may have four, but each of those four can only do half duty. So you need two, but you've got four. So one might fail, and you've still got three left. Or one might be on maintenance, and one fails, and you've still got two left. And independence is, I think, where you were coming from to a degree. In other words, I'm sorry, this is slightly different. This is building together the concepts of segregation and separation. So each subsystem or its unit is independent from the other. It's either physically separated in distance, or it's segregated by engineered barriers, et cetera. Or you may even have what we call diversity. And again, there's a couple of plants in the UK where the essential electrical systems are supported by diesel generators. But the safety systems are themselves split into two systems, called an X-train and a Y-train. And they do pretty much the same thing but by a different way. And each X-train and each Y-train has a diesel each. But even the design of the diesel is different, and it's bought from different people. So if you have a design fault on the diesel on the X-train, it should not affect the design of the diesel on the Y-train, because they are literally different machines bought from different people. And then we've got probabilistic safety assessments which is all about people using a lot of data about knowledge of the reliability of systems. 
So we know roughly how often a transformer will fail or how long a transformer will last. We know how reliable a pump is or how reliable an air-operated valve is. And we can build all those things into a very big, complex calculation which allows us to judge how successful we will be in dealing with a fault. So you just say, okay, a fault has occurred, it involves a loss of feed. So what systems do we need to restore feed? Well, we need a pump. We need valves to operate. We need control systems to initiate. And by knowing how reliable each of those individual items of the chain are, you can make a judgment about how likely it is that the plant will be successful in restoring feed. So then you can say, okay, so if I have a loss of feed incident, which is once a year, and nine times out of 10, the plant will restore the feed. So now I'm only going to have a loss of feed once every 10 years. That's not enough. We need more systems. So you can either make the systems more reliable or you can provide redundant systems because if you have two systems, each with a 90% reliability, your overall reliability is 99%. So you can see how you can use redundancy and extra equipment to build up your confidence that the plant will be kept safe. And this is just an example of segregation from, I think this is actually the French design, the EPR, being built in China, Finland, France, and now the UK. This is a plan of the containment building in the middle and I actually think these, I don't know if it's certain, so excuse me if I've got this wrong, but I think these are actually the containment coolers. So there's four of them. I think you need two to keep the containment cool under accident conditions, but they're each fed from their own segregated safeguard buildings and you can see how there is no physical connection between each of the different colored buildings. So if you have a major fire over here, it will not affect these other three safeguard buildings. 
Even if you have an aircraft crash, it's unlikely to affect all four systems. If you have an explosion or a flood, it's going to affect one of these subsystems, not all four. So that's what we mean by redundancy, separation, segregation. And it goes without saying that all of the power cables, the water routes, et cetera, will also be segregated as well. I mentioned that. I know I'm going over time here. I probably have to accelerate, so excuse me. I want to talk about people. Why do we talk about people? Because it's the people on the plant that can help or hinder nuclear safety and in these uncertain times, it's entirely possible that the people on the plant can actually threaten nuclear safety. We're not going to talk about security. That's a topic on its own right and I'm not qualified to talk about it. But the way people interact and how they behave influences nuclear safety. So I have a question for you then. So who influences behavior? I mean, who influences the behavior of people that we work with or work for us or our bosses? The answer is that we all do, really. Everyone influences each other. The way that we behave, either as supervisors or as workers or as colleagues, actually has a big influence on what other people do. I know that if I were to come in at 10 o'clock every morning and leave at 3, very quickly my team would do the same. Well, it's okay for the section head. Why can't I do it? So I influence their behavior and it's the same with safety, really. If I behave safely, I will influence other people. And if I see someone doing something and they don't realize it's unsafe, if I just say, hey, guys, I'm concerned about your safety, do you realize that that might cause such and such a problem? They will react to that and some people will be annoyed and some people say, gee, I didn't think about that. I really appreciate your help. But how we behave influences safety. 
So safety culture, it's an awfully long phrase, but there is a group called the International Safety Group and there's some very experienced safety professionals on that and they came up with this definition. It's only one of a few, but they talk about it's what people do, their attitudes, organizations, which makes nuclear safety the overriding priority and makes sure that if something happens and you have to deal with it, do you give it the right priority, warranted by safety? You know, if something in the warehouse, a light fitting in the warehouse fails, we can probably fix it in a couple of weeks. It won't make much difference. But if one of my safety detectors in the Containment Building is broken, I want to fix that very quickly. We have much higher safety significance so we give it attention, warranted by that significance. The IAEA talks about things and it talks about safety being clearly recognized by the organization. If you talk to anybody in the organization and said, what's important around here? I would hope that they would say, well, you know, we're a nuclear plant, safety is pretty important to us. And they said, well, what does humanity talk about? They say, well, you know, we've got to do things safely. So leadership for safety is clear. Who is responsible? Who influences it? Accountability for safety? That's everybody. And we integrate safety into everything. So when we talk about maintenance, we make sure that we understand the safety significance of doing the maintenance. The fact that you have to take the plant out of service to maintain it means you've degraded the rest of the plant. So are you doing it safely? If you're driven, that's all about operating experience. We talked about Davis-Besse and Fukushima. You could also say it's the values and behaviors of an organization and it should be modeled by the leaders. And if you guys are going to go into nuclear leadership or nuclear management, then this will become very important for you. 
So it's modeled by the leaders and everyone understands. They've internalized it. They understand why it's important. And that makes nuclear safety the overriding priority. Now, the question then is, what pressures act against nuclear safety? Any ideas? Nuclear power plant cost us $10 billion to build? Absolutely. These things, they are money machines. They are making money all the time. That's why you build them. You also build to help throw your economy, to be honest as well, and you might need electrical power. I believe they are there to make money. So, when it shuts down, or if it breaks down, the economic pressure, not to shut it down or to get it back quickly. So, the leaders need to make sure, no, we're going to do this right and we're going to get it right for safety and also, to be honest, it pays you back later on anyway. Because if you fix it right, it will run more reliably and make you more money in the long run. WANO, the World Association of Nuclear Operators. Everyone is responsible for safety. Leaders demonstrate safety. We trust each other to do the right thing. And we trust each other to act safely. We do the right thing because we make the right decisions for safety. We recognize that nuclear is special, but it has these unique properties like heat production after, like radiation hazards. We ask questions. If someone at Three Mile Island said, you know, they have this problem at Davis-Besse. Could we have that problem here? And if they'd asked that question and said, well, okay, say we had that problem and say that valve didn't close on the pressurizer, would we know? And of course, the answer was no, they wouldn't know. Of course, the instrumentation wasn't good enough. So, questioning attitude. And organization learning is the follow-on from that. And we constantly re-examine nuclear safety. Always ask yourself, is this in the design basis? You know, if this has happened, were we prepared for that? Great questions to ask. 
So, the safety management systems are the things that we, the management, put in place to promote a safe culture and achieve a good safety performance. I can't stress this one more enough. The regulation of safety. The regulator is not responsible for safety. The people who are responsible for safety are the people who run the facility. The regulator is there to make sure you obey the law of the land. Now, of course, they will ask you difficult questions, but the person operating the facility is responsible for safety. So, obviously, you know, we have to make sure that, you know, we've got the physical barriers in place. We've got the containment building, but if you leave the door open, as you can do, you've completely defeated it. So, yeah. What I've said is absolutely true. Now, of course, the regulator plays a part because the regulations in the land are there to make sure that the operator does the right thing. So, the regulator's role really is to make sure that the operator is obeying the regulations. Now, the regulations will have requirements that obviously satisfy international standards, IAEA standards, design standards, all that good stuff. But when it comes to it, the regulator is not on the site all the time. The only people on the site all the time who are actually maintaining and operating the plant are the operators. And, you know, the last thing I wanted as a site director is for my operators in the control room because we're complying with the regulations, we're safe. If they think if anybody thinks that just complying with the regulations is safe, we have to address that because it's not that, it's more not. The regulations, for me, are the minimum subset. You know, all it is is the start point. The, all the behaviors, the way that we do things, that's very, very important to say. So, I can't stress this enough. Thank you for the point. You raise a really good point. Of course, the regulators are very influential. Absolutely influential. 
But responsibility and obligation for safety is with the operator. Because, as I say, you know, things do go wrong. And say you have an accident, what does the regulator do then? The regulator has no people. It has no equipment. We still got to address safety in an accident situation. The only people who can do that are the operators. That's a very good question. It's a really good one for you guys to think about a lot. So, thank you for raising it. We mentioned this before. I will skip through some of these things because it's all about protecting employees, the public and the environment from the hazards. So, it's keeping things within their operating range, being able to deal with accidents when they happen and mitigating any consequences if things really start to go off the site. And this is where I think the operators really have the thing. So, we take good decisions. I always used to say to my shift managers, as an operations manager or as a site director, guys, you've usually got two choices. And as a shift manager, you can either shut the plant down or you can keep it running. If you shut the plant down and you didn't need to shut it down, we can always start it up again. We don't damage it by shutting it down. We, you know, okay, we lost some money, but it's safe. If you don't shut it down and you should have done, we might damage it severely, in which case a very, very long time. Or the regulator could come to us and say, I don't trust your shift manager's decision-making. And the regulator then could say, I want you to stop operating this plant until you convince us that you can operate it safely. Because I don't trust you to shut it down properly when you need to. So, when you look at it like that, safety-oriented decision-making becomes much simpler. If one person keeps shutting it down and he doesn't need to, I could say, come over here. Let me give you some more training. You need help to make your decisions better. That's okay. We can do that. 
But if we damage the plant and it's off for two years, or the regulator says, shut it down, retrain all your people, three-year training program. Not a good place to be commercially, either. Think of the reputation. Reputational effects. If the local newspaper got to hear that my plant had been shut down because the regulator didn't trust my shift manager's, oh, terrible. It's just not a good place to be. Keeping the plant within its design envelope goes without saying, good procedures, doing them right all the rest of it. We consider everything for safety consequences, especially when we change the design. We will change the design over a 40, 50-year lifetime. And we maintain defense in depth. We've got to train the people well. We've got to get the right people to start with. Train them well. Good processes. Good programs in the field like aging management, inspection programs, etc. Keep the safety systems available. If they break down, fix them straight away. Detecting and correcting problems. Good use of operating experience. Good safety culture. People doing the right thing. When you're not there, as a plant manager, or a site manager, or whatever, even as a supervisor, you can't be there with them all the time. They have to do the right thing when they're on their own. So, of course, you need to inspect that and check and go and look and observe and coach them. With all the best of intentions, your responsibility to help them with that. Incidents usually come from a series of problems that build up and something minor will build up and build up and eventually it becomes more significant. Usually, you'll look back on an incident and you'll see, crikey, if only we'd fixed it then, we could have stopped this. If only we'd realized this was as important as it is, we could have fixed it. A lot of errors exist before. It might be technical, it might be a plant error, a plant problem, a design issue, an installation issue, whatever. 
Some are known and tolerated by management. Those are the most embarrassing times. These are the things that usually lead up to accidents. Low standards. Acceptance of low standards. Yeah, you don't need. That contamination area, but you're only in there for a few seconds. You don't need to get dressed up with all that protective gear. Don't worry about it, it'll be fine. Not holding people accountable for their behaviors or their safety. I won't read all these things down because I think you can look at the notes and you can see that this is all the things that lead up to accidents. Okay, so what things are good? What would you see on a good plant? This is much more interesting to me. Personal involvement of managers and supervisors in directing improvements. Good communication all the way up and down the organization. All the stuff that you guys have done today, you've asked me questions. What we want is people on the plant to say, boss, I hear that we're going to do that but I'm worried about that because last time we did it, we had this problem and I don't see how we fixed it. That sort of behavior is gold on a plant. So good communication up and down and the management welcoming that sort of input and promoting it and thanking people for it. Good standards to the whole organization in the plant. When you walk around the plant, what does it look like? Does it look tidy? Does it look clean? Is there equipment all over the place? When people maintain the plant, did they leave all this spare stuff on the floor? Good goals, good performance indicators, good leadership programs for supervisors. Being able to learn from experience, teamwork, looking longer term. Not just, okay, we've got to fix this today and get the plant back online. No. How are we going to make this plant more reliable so we never have this problem again? Long term plans. Delegation of responsibility to the lowest level because, to be honest, this is something I suffer with even now. 
You can't do it all yourself. You have to have people doing this stuff for you. Enthusiastic plant staff, ideally without a lot of turnover, but okay, good training programs. People are motivated to assume responsibility. They want to do this job. They want to take it over. They want to do it well. But listening to the people like me listening to people's problems, so, you know, okay, this went wrong. What problems did you encounter? How can we help you do this job better and more safely next time now? I'll mention the rest. Leadership is, again, it's all about standards and expectations, making sure that what you say is what you do. So there's no point hitting on people for not wearing protective equipment or protective clothing. If you then go out into the plant, you're not wearing helmet, safety glasses, using gloves appropriately, you have to walk the talk as well. Don't tolerate, don't turn a blind eye, because if you tolerate the wrong things, you've essentially validated the wrong behavior and encouraging learning and questioning. These are the things that often nuclear organizations get into, so you may see these in, certainly in existing organizations, maintaining competence, not such a problem on a new fleet, but the fleet I used to work on was 40 years old, a lot of the people were there from commissioning, so just at the time the plant is starting to need a lot of extra modifications, the people who know about the plant design are leaving the organization, they're retiring, so maintaining competence. Questioning attitude I've talked about, communication, external pressures, especially today. A lot of regulatory pressure, a lot of concerns from the public, a lot of commercial pressure. The message I've been trying to say, I'm not sure how clearly I've said it is, if we have many more Fukushimas or Chernobyls, I don't know how willing the general public on a global scale will be to accept nuclear power programs. 
We've already seen Germany shutting down their nuclear program. Switzerland has said they won't build any more nuclear plants. France are going to reduce their proportion of nuclear power down to 50%, might mean closing 17 reactors. South Korea has just said they're going to suspend their build program, so if we have another major nuclear event, I don't know how much tolerance there will be globally for that. So safety is part of the answer to that problem. The safety objectives mean that we've got to keep radiation exposure and all sorts of radiation under control, so that's not just in the reactor, but it's in the ancillary systems as well. We use a lot of physical barriers to contain radioactive material, and one of our objectives is to maintain those safety, the integrity of those barriers to maintain so that we protect the people and the public. And the three fundamental factors then, you know, contain the radioactivity, control the power, and cool the fuel. You do all those three, you're pretty much there. I'm not going to deal too much of this, but essentially this is going back to the level of defence thing, you deal with the issue at the right level. So don't let the worst possible condition and then have to deal with an accident. Deal with the things that will happen most frequently at the top level, and then as things get more serious but rarer, put in place more levels of defence that will keep you safe. So, you know, building safety characteristics, safety margins, use active and passive systems where necessary, keep the procedures up to date, make sure the operators are following the procedures, and importantly, deal with safety culture. How do people behave when you're not there? Do they do the right thing? These are some documents that you can just get off the IAEA website, they deal with safety, and there's some more. And so, finally, I'm sorry I'm half an hour over, I do apologise. 
For me, nuclear installation is as much about people as it is about engineered systems. Important though as well as engineered systems are, and they're vital, they're absolutely vital. But it's also about the people. So, my question to you is this, I think it's very important that if you're going to go into nuclear management, you get to know the people and how people behave as well as having a good grasp of the technology. Oops. Your behaviour as leaders will influence others. So, again, my question to you is have you considered how you will behave? Because what you do and how you work with people is very important to nuclear safety. So, welcome. It's fun. Enjoy it. Thanks very much.
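The redundancy, common-cause and PSA points made in the lecture (two 90%-reliable systems giving 99%, four half-duty trains, one train out for maintenance, diverse X/Y diesels limiting a shared design fault) can be checked with a small reliability calculation. This is an added example written for this transcript, not code from the lecture or the IAEA; the per-train failure probabilities and the beta-factor common-cause fractions are assumed illustrative values.

```python
from math import comb


def k_of_n_unavailability(n: int, k: int, q: float) -> float:
    """Probability that fewer than k of n independent trains work on demand.

    q is the per-train failure-on-demand probability (0.1 = 90% reliable).
    The safety function is lost when more than n - k trains have failed.
    """
    if not 0 < k <= n:
        raise ValueError("need 0 < k <= n")
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a probability")
    return sum(comb(n, j) * q**j * (1 - q) ** (n - j)
               for j in range(n - k + 1, n + 1))


def unavailability_with_ccf(n: int, k: int, q: float, beta: float) -> float:
    """Beta-factor common-cause model (assumed here as a first-order estimate).

    A fraction beta of each train's failure probability is a shared cause
    (fire, flood, a common design fault) that takes out every train at once,
    so redundancy does nothing for it. Only the remaining independent part
    (1 - beta) * q benefits from k-of-n voting. Segregation, separation and
    diversity are the engineering measures that drive beta down.
    """
    if not 0.0 <= beta <= 1.0:
        raise ValueError("beta must be in [0, 1]")
    independent_q = (1 - beta) * q
    return beta * q + k_of_n_unavailability(n, k, independent_q)


def unmitigated_frequency(initiator_per_year: float, unavailability: float) -> float:
    """Frequency at which an initiating fault is NOT handled by the safety function."""
    return initiator_per_year * unavailability


def compare_configurations(q: float = 0.1) -> dict:
    """Unavailability of the configurations discussed in the lecture, per-train q."""
    return {
        # one pump that alone does the whole duty
        "single train": k_of_n_unavailability(1, 1, q),
        # two pumps, either one sufficient (the 90% -> 99% example)
        "1-of-2 redundant": k_of_n_unavailability(2, 1, q),
        # four half-duty pumps, any two sufficient
        "2-of-4 half-duty": k_of_n_unavailability(4, 2, q),
        # same plant with one train out on maintenance: now 2-of-3
        "2-of-4, one in maintenance": k_of_n_unavailability(3, 2, q),
        # two identical diesels with 10% of failures shared (assumed beta)
        "1-of-2, beta=0.10 (identical)": unavailability_with_ccf(2, 1, q, 0.10),
        # diverse X/Y diesels from different suppliers (assumed beta)
        "1-of-2, beta=0.02 (diverse)": unavailability_with_ccf(2, 1, q, 0.02),
    }


if __name__ == "__main__":
    for name, u in compare_configurations().items():
        print(f"{name:32s} unavailability {u:.4f}  reliability {1 - u:.2%}")
    # loss-of-feed once a year, as in the lecture: how often is it unmitigated?
    for label, u in (("single train", 0.1),
                     ("1-of-2 redundant", k_of_n_unavailability(2, 1, 0.1))):
        print(f"loss of feed unmitigated with {label}: "
              f"once per {1 / unmitigated_frequency(1.0, u):.0f} years")
```

Note how the two identical diesels with a shared cause end up closer to 98% than to the 99% that independent trains would give, which is the numerical reason the lecture cares about segregation and diversity rather than redundancy alone.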