You’re deep into a nuclear project. The schedule is tight, the pressure is real, and somewhere in the back of your mind is the nagging awareness that functional safety is one of those areas where you’re relying on others to get it right — because you can’t be the expert in everything.
Most of the time, that works. Until it doesn’t.
When functional safety gaps surface — at a design review with the design authority watching, mid-delivery when the scope variations start landing, or when a regulator asks a question about a system that’s been running for twenty years — the consequences land on you personally. Not on the contractor who missed it. Not on the engineer with the wrong credentials. On you.
It’s not your fault. Functional safety in the nuclear sector is a specialist discipline that takes years to develop and sits well outside the scope of general project management or engineering practice. But there are three things that, once you know them, will change how you approach every nuclear safety system project you run.
That sinking feeling when a design review goes wrong in front of the design authority — most project leaders who’ve experienced it describe the same thing. The contractor’s expert is in the room. He’s credentialled. He was supposed to have this covered. And yet here you are again.
When a design contractor tells you they have a certified functional safety engineer on the team, it sounds like the box is ticked. In other industries, it probably is. In nuclear, it isn’t.
Many functional safety certifications are built around the process sector. Nuclear has its own requirements that simply don’t appear in that training. A competent process industry engineer can walk into a nuclear project and not know what they don’t know. Their gaps won’t show up in their CV. They’ll show up in your design review — in front of your design authority and your management.
The fix is straightforward: before a contractor’s functional safety resource is accepted, someone with genuine nuclear-specific expertise should independently verify their competence. Not their certificate. Their actual track record on nuclear projects — and whether someone credible can vouch for it.
Mark ran projects at a nuclear defence organisation. Part of his job was making sure contractors delivered to the right standards, no shortcuts.
On paper, Mark had done everything right. He appointed a design contractor, and the contractor brought in a certified functional safety engineer to lead the work. Credentials solid. Every box appeared ticked.
The problem was that no one had verified whether that expertise translated to nuclear requirements.
Before the design review, we identified the gaps, worked directly with the contractor to correct the design, and briefed the design authority in advance.
The review passed cleanly.
Mark protected the project timeline, avoided a public technical failure, and maintained confidence from both leadership and the design authority.
There is a particular kind of project management pain that comes from sitting across the table from a subcontractor who is telling you, calmly and correctly, that the functional safety work you need was never in their scope. You know it should have been. They know it wasn’t. And now you have to go back to your head of department and explain why the project needs more money.
In this instance it was unavoidable. And it was unavoidable because the moment to get it right had already passed — before the contract was signed.
The fix is to treat functional safety as a procurement issue, not a delivery one. That means performance targets defined before the tender goes out, functional safety obligations written explicitly into the scope, and the requirement for a competent resource made a contract condition from day one. If those elements aren’t in the tender documentation, you will fund them through variations. That’s not pessimism — that’s how it plays out, consistently, on projects where this isn’t addressed upfront.
John was preparing to go to tender for a safety system project. The scope of work had been drafted internally and was almost ready to issue.
John had asked me to review the documentation before it went out. The performance targets had not been defined anywhere in the scope. There was no requirement for the contractor to bring functional safety expertise. Under that tender, a contractor could price and win the work, deliver a design with no formal analysis and no verification, and be entirely within scope.
We went back into a structured hazard analysis before the tender went out. The performance targets were established. The functional safety obligations were written explicitly into the procurement documentation. The requirement for a competent resource was made a contract condition.
Yes, it was a bit more work upfront. But John made the call to get it right at that stage rather than deal with the fallout later — and that decision paid back quickly.
The tender went out correctly. John received proposals from contractors who had actually priced the functional safety work. No mid-project variation. No going back cap in hand asking for more budget.
When the project started, the scope was clear, the contractor knew exactly what was expected, and John was not spending his first three months untangling ambiguity that should never have been there. When his head of department asked how things were tracking, the answer was straightforward. The project delivered what was promised because it had been set up correctly from the start — and that reflects directly on the person who set it up.
There is a particular kind of quiet anxiety that sits with project leaders responsible for safety systems that pre-date modern standards. Nobody asks about them directly. They’ve never failed. But you know — if someone looked closely enough, if a regulator asked the right question — you might not have a good answer.
That anxiety is rational. But the response it usually triggers isn’t.
When the question of compliance comes up on a legacy system, the instinctive response is to assume the whole thing needs to be brought up to modern standards. That assumption creates paralysis. The cost is disproportionate, the work would likely never complete, and it fundamentally misunderstands what the law actually requires.
The goal is not full compliance. The goal is a defensible position — demonstrating that risks are understood, managed, prioritised, and being reduced as far as is reasonably practicable. A documented, evidence-based argument that shows active management is what regulators and the law require. That is achievable without replacing everything, and it is far more commercially realistic than the alternative most organisations assume they’re facing.
Note: The following is illustrative. The specific projects this draws from involve classified programmes. The scenario is representative of a pattern encountered repeatedly in nuclear defence.
Sarah had inherited responsibility for a safety system that had been in service for over twenty years. It pre-dated modern standards. No one had ever formally calculated whether it achieved the risk reduction the hazard required. Maintenance and test records existed, but the procedures hadn’t been updated in over a decade. There was no formal record of changes made over the years.
On paper, nothing was wrong. The system had never failed. But there was no defensible position if a regulator scrutinised it — and Sarah knew that.
Rather than hoping the question never came up, Sarah decided to get a proper picture of where things stood. We worked through it systematically — establishing the current hazard picture first, then assessing whether the system would actually do what was needed, verifying that against the best available data, and carrying out a full review of management controls covering documentation, change processes, and test procedures.
The management gaps were as significant as the technical ones. A system that looks acceptable on paper but has undocumented modifications and out-of-date test procedures is a risk the paperwork alone won’t reveal.
Sarah didn’t get a full compliance certificate. She got something more useful: a documented, evidence-based argument she could stand behind, with a prioritised remediation plan. Highest-consequence gaps addressed first. Effort proportionate to risk.
She could answer the regulator’s question. She could brief her own management without qualifications or caveats. The quiet anxiety that had been sitting in the background had a resolution — not because everything was fixed overnight, but because there was a clear, defensible picture of where things stood and what was being done about it. That’s a fundamentally different place to be.
Functional safety problems on nuclear projects rarely happen because project leaders are careless. They happen because the risks stay hidden until they become expensive, public, and career-damaging — and they tend to appear in the same three places: contractor competence, procurement scope, and legacy systems.
Now you know where those risks live and what to do about them before they become your problem. The earlier they’re identified, the cheaper and less painful they are to fix.
That’s where I come in. I work with nuclear project leaders as an independent functional safety technical authority — helping them prevent design failures, avoid procurement mistakes, and build defensible positions on legacy systems.
If you’re approaching a tender, preparing for a design review, or carrying a legacy system you can’t fully account for, let’s have a conversation before a small issue becomes a large one.
Names have been changed but the scenarios are real.
If this post raised a question about your own project, drop it in the comments — I read and reply to every one. And if you know a project leader dealing with any of these situations, feel free to pass it on.