Safety Case Advice & Support

One key part of any nuclear safety case would be the hazard identification process. This captures all of the possible hazards for a given system. The hazards are assessed determining severity, consequences and frequency. This information is fed back into the risk assessment providing quantitative data for the safety case.

Key to this hazard identification process is performing a Hazard and Operability Study (HAZOP). HAZOP is a ‘bottom up’ systematic technique used for the identification of hazards in any given system. The bottom up approach means that success rides on prediction by Experts based on previous experiences. HAZOP studies excel at analysing hazards in facilities, processes and equipment as well as identifying those that are hard to quantify, these could include Human Error hazards or ones that are difficult to detect and measure.

Methodology

HAZOP Studies consist of four phases: Definition, Preparation, Examination and Documentation.

Definition: is the initial stage of assessment and defines the scope and objectives and responsibilities of the study as well as assembling the team of assessors.

Preparation: this is the planning stage, where the time scale and schedule are determined. In this stage data on the system is also collected to inform the assessment.

Examination: is the largest stage of the assessment. The system is broken down into parts, the design intent for the part is determined and the guide words are applied. Guide words are a systematic set of words used to focus the study and stimulate consistent critical thought across the entire system. Once the consequences and causes of the hazards are identified it is determined whether a significant issue has been discovered. Then any protection or detection mechanisms and mitigating measure can be decided on by the team.

Documentation: this stage is the final part of the process. In here the examination is recorded and signed off on and any follow up procedures are determined and implemented.

A consequence assessment is a quantitative numerical estimation of the effects of a hazard on people (and the environment). This is an important step in the hazards assessment process as it provide a deeper understanding of the hazards identified in the HAZOP process. Two different methods of assessment are used during a consequence analysis, Deterministic and Probabilistic Safety Assessment (DSA & PSA).

Deterministic Safety Assessment aims to determine the effectiveness of “lines of defence”

Design Basis is the range of conditions and events taken explicitly into account in the design of a plant, so that the plant can withstand them without exceeding authorised limits, by the planned operation or safety systems. The objective is to demonstrate that there is in place an appropriate quantity of safety systems, which are of an appropriate quality (i.e. ability to prevent or mitigate the consequences). Deterministic Safety Assessment establishes and confirms the Design Basis for items important to safety, ensuring that the plant design meets safety and radiological criteria (integrity of barriers).

The required quantity of safety systems from Design Basis Accident Analysis is determined from two factors:

1. The unmitigated consequences to the critical group (e.g. public / workers in cell / workers in corridor) from the fault.
2. The initiating event frequency for the fault.

The calculation of both the unmitigated consequences and the initiating event frequency should incorporate demonstrable conservatism.

Probabilistic Safety Assessment analyses the risks associated with a system.

These risks are then expressed in terms of damage to the facility or the surrounding environment.

PSA uses realistic approach to risk as basis for the calculations, producing results that, in principle, give better understanding of the risk profile for the system over a wider range of operating modes than DSA. PSA also considers the system as a whole including any inter-system interactions providing additional information for the safety assessment.

In PSA there are two quantifiers in the analysis that allow for the determining of risk, these are the frequency and magnitude of a given consequence. Determining the magnitude for a given consequence included identifying the potential impact in terms of the dosage uptake for workers on site and for member of the public in the surrounding area. Consideration should be given to the use of realistic data when calculating consequences rather than conservative worst case scenarios.

Determining the frequency of a given consequence can be done through Event Tree (ET) and Fault Tree (FT) analysis.

Both techniques are a top down logical approach.

• FTs run primary events, such as a valve failure, through Boolean logic to a undesired top event such a Loss of Coolant accident. The likelihood for each of these primary events failing is input to the model and thus frequency for a given consequence can be determined.
• ETs are another logic driven process which starts with an initiating event. The event tree branches out to all the possible consequence that a given initiating event could cause. Providing a picture of what could happen should such a failure occur.

These two techniques can been used in conjunction, starting from the initiator event and following through the system events to eventual consequences, with each system event having a corresponding fault tree node with each node have split outcomes depending on the success or failure of the system event. So when combined the probabilities of all the consequences arising from that initiating event are visible.

The final part of the safety case is the ALARP or As Low As Reasonably Practicable Justification.

ALARP is a concept that allows duty holders to weight the risk against the time, funds and effort required to control a given hazard. ALARP is a flexible process that requires judgments to be made by safety assessors and duty holders on whether a risk can be classified as ALARP. Defining ALARP for complex systems, such as those found on nuclear sites, requires building on previous experiences and using formal analysis techniques in order to reach a decision.

To Satisfy a Safety Case it is necessary to show that the risks present in the system are shown to be ALARP. A Risk could be proven ALARP by ‘Best Practice’ or on ‘First Principles’. Best practices are determined beforehand by looking at previous examples and seeing if expected measures are in place, then a consensus of stakeholders can agree if the best practice has been achieved. In complex systems the ‘effort’ involved in mitigating a risk can be hard to quantify, so techniques such as a cost benefit analysis (CBA) can be used to numerically justify the ALARP.

ERIC PD is another analytical technique used in minimising risks and demonstrating that a given risk could be categorised as ALARP.

ERIC PD is an Acronym and each stage is defined below:

E – Eliminate – Redesign the system to remove the presence of the hazard.
R – Replace – Change the system by replacing the hazardous material/process/structure to reduce the hazard.
I – Isolate – Isolate the receptor group from the hazard by removing them from the vicinity or providing containment.
C– Controls – Use engineered measures to manage or reduce the hazard.
P – Protect – if the measures described fail to properly control a risk to ALARP then Personal Protective Equipment is issued to reduce the risk to anybody working with the system.
D – Discipline – Use of operational / administrative control measures to prevent or mitigate the hazard.

This systematic approach allows for a consistent approach to risk reduction even for complex systems which best practice justification isn’t possible.