Executive summary
Date(s) of inspection:
September 2025
Aim of inspection
This planned inspection H25-01 consists of two parts. See IR-53771 for Part 1.
This IR covers part 2, polar crane software modifications:
Part 2: To seek to gain confidence in the traceability and implementation of software changes to support the safety functional requirements (SFRs) when the crane is used for nuclear use.
Subject(s) of inspection
- LC12 - Duly authorised and other suitably qualified and experienced persons - Rating: Green
- LC14 - Safety documentation - Rating: Green
- LC17 - Management systems - Rating: Green
Key findings, inspector's opinions and reasons for judgement made
This was a planned compliance inspection delivering intervention H25-01 part 2, HPC Polar crane software modifications, held at the office of the contractor responsible for developing and qualifying the software for nuclear use.
The Hinkley Point C (HPC) unit 1 polar crane is installed and is currently in use to support construction activities in the containment building. It is not yet commissioned for use in activities where there is potential for a nuclear hazard.
The polar crane control and instrumentation (C&I) systems include a nuclear safety class 2 (C2) programmable logic controller (PLC) and a class 3 (C3) PLC, in addition to a hardwired class 1 safety system. The functionality of the PLCs is specified utilising software.
The July 2024 inspection on commissioning of the HPC unit 1 polar crane (IR-52694) identified that modifications were being made to the software “live” as issues were identified during factory acceptance testing (FAT) and commissioning tests for construction use. Following construction use, the software is developed and qualified such that the crane can be used for activities where there is a potential nuclear consequence (nuclear lifts). The Level 4 regulatory issue RI-12273 was raised to track the need to ensure the live modifications are adequately incorporated into this qualified software.
The aim of this inspection was therefore to build confidence that modifications identified during FAT and commissioning periods are adequately implemented in advance of commissioning the polar crane for nuclear use. The inspection sampled the management processes which govern the development and modification of the software (LC 17), and traced two modifications to confirm adequate implementation, sampling the associated records (LC 14). The inspection also considered NNB’s arrangements for ensuring contractor staff are suitably qualified and experienced personnel (SQEP) to author, test and modify nuclear qualified software (LC 12).
Overall the evidence sampled provided confidence that adequate arrangements to control modifications are in place and are being implemented effectively by SQEP personnel. Throughout the inspection I observed a good level of knowledge from all staff involved.
Following the inspection I have closed RI-12273 actions 1 and 3, and updated action 2 to ensure the modification impact analysis and regression approach is adequately documented. I have also provided six items of advice for consideration by NNB and their contractors.
Conclusion
Throughout the inspection I observed a good level of knowledge from all participants, who consistently demonstrated positive behaviours during the engagement and were open and transparent about the matters discussed. I consider they were receptive to ONR advice offered and demonstrated their commitment to delivering a fit for purpose polar crane.
I judge that an inspection rating of GREEN (no formal action) is appropriate for LC17: management systems.
The focus of the LC17 aspects of the inspection was the processes in place for control of modifications to the nuclear safety qualified polar crane software.
I am broadly content that adequate processes are in place to manage the activities of the organisations involved (NNB, APCO and Amentum). Following the inspection NNB have issued a flow chart to document how these processes interface with each other.
I consider a documented process is required to provide formal guidance on modification impact analysis and regression testing, in the form of a regression plan as described in relevant good practice (RGP) such as IEC 62138. RI-12273 action 2 will track this shortfall to ensure adequate arrangements are in place ahead of nuclear use. However, based on the responses provided by Amentum during the inspection, I am content that adequate regression testing is being carried out.
I judge that an inspection rating of GREEN (no formal action) is appropriate for LC14: safety documentation.
The focus of the LC14 aspects of the inspection was the records produced in support of polar crane software modifications, and evidence that the management processes (the subject of LC17) are being adequately implemented in practice.
Sampling of records for modifications to both the C2 and C3 software during the inspection confirmed adequate traceability from detection of an issue in executing a commissioning procedure (CP) through to a modification being implemented and tested.
Whilst the C3 sample identified an issue where a modification had only been partially implemented, I am content the records were adequately comprehensive to allow this to be identified during the inspection. In addition, I consider that the error would have been detected during commissioning testing on the crane. I am also content the root cause was identified by Amentum, and a commitment made to carry out a gap analysis to confirm no other modifications are affected in a similar way. I provided advice with regards to the risk associated with undertaking process shortcuts.
I judge that an inspection rating of GREEN (no formal action) is appropriate for LC12: duly authorised and other suitably qualified and experienced persons
The focus of the LC12 aspects of the inspection was NNB’s arrangements to ensure that personnel involved in the modification of the polar crane software are SQEP to do so.
Based on evidence sampled I am content that NNB has suitable arrangements in place to ensure Amentum personnel are SQEP. I do not have specific concerns that individuals contributing to the software authoring and modification are not SQEP. Sampling identified a gap in NNB oversight of APCO automation engineers SQEP records, however NNB provided evidence shortly after the inspection which provides adequate confidence.
I intend to update the actions of RI-12273 as follows:
- Action 1 sought information on the types and extent of changes that have been made to the polar crane software by APCO during factory acceptance testing. I consider this action can be closed based on the information provided during this inspection.
- Action 2 seeks information on the regression analysis approach used when modifying the polar crane software. I will update this action to reflect the need for Amentum to have regression process guidance in place, as discussed under LC17.
- Action 3 sought confidence that software modification records are being adequately updated and maintained. I consider this action can be closed based on confidence derived from the sampling of records under the LC14 section of this inspection.