by Stephen Rice & Andrew Buchan

A new user-centred approach to preparing safety cases

23 December 1999



During the mid 1990s BNFL, in consultation with the UK’s nuclear regulator, began a wide ranging review to consider how best to improve the safety cases for its non-reactor plants, particularly those at its vast Sellafield site. The result is a new type of safety case, called the Continued Operation Safety Report (COSR), which provides a novel approach to preparing and presenting a safety case designed to make it more useful to the operator as well as to demonstrate that the plant is fit to operate.


Important drivers for BNFL’s search for a better safety case for its plants was to make safety more visible and to assist plant operators to “own” their plant’s safety case which will help to enhance safety performance.

The predecessor to the new COSR, the Fully Developed Safety Case (fdSC), provides a rigorous justification for the continued operation of plant, but tended to be lengthy and difficult to understand. (The fdSC is described in the top panel at right.)

BNFL felt that the fdSC does not fully provide a visible demonstration of the ability of the plant engineering to continue to function in the manner that the safety case assumes (this demonstration process is known as “engineering substantiation”). In addition to this lack of visible engineering justification, there is only limited visible ALARP (‘as low as reasonably practicable’) justification for the risk associated with operating the plant. Furthermore, the fdSC sometimes creates the impression that there has been no real drive for improvement during its preparation.

The new approach provides a visibly integrated safety and engineering case for the continued operation of the facility. It also aims to demonstrate that the risk of operating the plant is ALARP and identifies improvements where considered necessary.

To develop visibility, BNFL also considered how best to streamline the safety case. This led to the COSR being a summary type of document which presents as much of the safety arguments as possible (the essence of why the plant is safe) with the detailed analysis work contained in the Continued Operation Safety Case (COSC) that sits beneath the COSR. The result is a document containing about 100 pages that can be easily read in a single shift.

The first approved COSR, for the Site Ion Exchange Plant (SIXEP),* was delivered to the Nuclear Installations Inspectorate (NII) early in 1999. The second, for a radioactive material store, was issued in June 1999. A further five COSRs on a range of BNFL’s non-reactor plants, have been delivered to the NII. They have all been well received by plant operators, as they are easier to understand than the fdSC and identified important modifications that will help improve the safety performance of the plants.

A NEED FOR NEW METHODOLOGIES

The safety case review looked for improved procedures in the way BNFL prepares and presents its safety case. Potentially the most significant improvement identified was a methodology for integrating engineering substantiation into the company’s safety assessments.

The purpose of engineering substantiation is to review all safety functions of a plant and demonstrate that they can be fulfilled. It involves a detailed examination of all operations carried out on plant, the identification of safety hazards associated with those operations, the determination of the safety functions that must be maintained to prevent each hazard from becoming an accident, and the recognition of the structures, systems and components (SSCs) that provide those safety functions. (Safety significant SSCs are identified by means of the HAZAN safety assessment process and by “desktop engineering review” which are discussed later).

Each safety function is classified according to significance (see middle panel) and the SSC is then judged with respect to its dependability in delivering that class of safety function over the lifetime of the plant. An important aspect of engineering substantiation is to compare how the SSC performs relative to modern standards. The significance of any shortfalls in safety terms will be examined when considering the case for making any improvements.

The engineering substantiation work is presented in Design Assessment Reports (DARs) which demonstrate that each SSC will adequately deliver the safety functions claimed in the safety assessment for normal and fault conditions (including external hazards) over the plant life. This is generally achieved through a combination of plant inspections, engineering calculations, performance tests and skilled engineering judgment.

Other important developments were the introduction of Design Basis Accident (DBA) Analysis and Basket Methodology into BNFL’s safety assessments. DBA is aimed at determining the fault tolerance of the engineering design (discussed later). Basket Methodology aims to identify the key safety measures of plant that will need to be replaced (substituted), if the plant were to operate without them being available (eg outage required for maintenance).

AN OVERVIEW OF THE COSR

The purpose of the COSR is to summarise the safety arguments and to highlight the main systems (engineering and procedural) that help to ensure the plant remains safe for a further 10 years of operation. It will be annually reviewed to ensure that it remains current and fully revised if necessary after ten years. The sections of the document are listed in the bottom panel.

The COSR considers all normal operations, potential faults and plant ageing effects with emphasis on the items which perform the key safety functions. In assessing plant performance, a comparison is made with all applicable statutory and company limits, underlying trends and causes for events are considered and changes to systems recommended. It describes current operating philosophy, the plans for the remaining life of the plant and the management arrangements to ensure that the plant is operated safely.

A section on safety assessment summarises the radiological and criticality safety assessments, identifies the main fault sequences which contribute to the risk and describe the safeguards in place to prevent an accident occurring. It also considers other risks which include chemotoxic, external hazards, conventional safety and internal hazards, with the major safeguards highlighted. The hazard identification techniques adopted for the COSR generally comprise of Hazop, desktop engineering review and plant walkdown processes (discussed later).

The ALARP approach adopted is not unique to COSR production. The techniques used should identify improvements that can be made to minimise the risks of hazards occurring on plant, and going beyond this identify any worthwhile further improvements that can reduce the level of risk to as low as reasonably practicable. The COSR approach considers the performance of the plant in the areas of plant discharges, operator dose, industrial safety, engineering and accident risk.

For example, in the area of accident risk, HAZANs are used to identify potential plant improvements. Use is made of the risk criteria so the most effort is directed to those faults that create the greatest risk. It is not just probabilistic type criteria that are used as a measure of fault tolerance. DBA criteria are equally (if not more) important. These criteria are not just related to the quantity of safety measures but also their type. The basic principle is to remove faults if possible by designing them out. Engineering measures are more preferable to operational measures and protective measures more preferable to mitigating systems. These principles are considered at all stages of the hazard assessment.

The conclusions in the COSR set out the programme for improvements. Priority must be given to those improvements that have the greatest safety significance, which will normally be undertaken before the COSR is implemented on the plant.

THE COSR PRODUCTION PROCESS

While the procedures used in developing a COSR are the same as most safety cases, the broader scope of this approach did involve some expansion.

  Fault Identification

The original HAZOP records, which in many cases will form the main source of fault identification for the COSR, are reviewed to confirm their validity and identify any issues in the current COSR scope which have not been addressed. For example, significant modifications to the plant are reviewed to ensure that no new faults have been identified. It is particularly important to review the collective effect of a series of modifications, to ensure that the combined effect does not present a potentially significant increase in the risk of a hazard occurring.

  HAZAN Production

The hazard assessment considers the faults identified from the above process. It considers the consequences of the faults and the protective measures required to prevent an accident occurring. The HAZANs aim to demonstrate that the risk of an accident occurring is as low as reasonably practicable. The most significant part of the assessment is the application of Design Basis Accident Analysis which provides the measure of the fault tolerance of the design. The plant must be capable of withstanding 1 or 2 additional failures depending on the likelihood of the initiating event and the severity of its consequences. Probabilistic risk criteria are also used as a means of determining the acceptability of the design. Developing the necessary failure logic models, to calculate sequence frequencies provides a valuable means of searching out weaknesses in the design.

  Desktop Engineering Review

The desktop engineering review process is a new technique which provides a top down review of the plant and process from first principles. It has proved to be an extremely effective way of identifying SSCs and defining their safety functions.

The desktop review is undertaken by a multi-disciplined team (eg safety, design and plant engineers and operators) who must be familiar with the plant and its mode of operation. The process usually begins with a plant familiarisation visit where processes will be simulated if possible to help aid understanding. The next stage of the process, which is generally done around the table, is to break the plant down into its main process stages (eg receipt, storage, dispatch) and then identify the sub-process steps associated with the main process (eg flask receipt, flask monitoring, removal of flask contents). The diagram gives an example of the many subprocess stages that may be involved.

For each process step, the high level safety function is identified in terms of containment, shielding, criticality avoidance and structural stability. The plant items that contribute towards this safety function under normal conditions (eg pond walls, transport flask) are then defined. A safety function classification is assigned to these items. Credible fault conditions are then considered during each process stage, which could have a radiological consequence. For each fault condition group, the effect on containment, shielding, criticality and structural stability is considered and the plant items that reduce the severity and frequency of the fault are defined. The importance of the item to containment, shielding, criticality avoidance and structural stability (as relevant) is then classified. The process then aims to identify the bounding classification for each safety function associated with the item under normal conditions and the bounding case under fault conditions. The SSCs that form part of the item are then identified and their safety functions defined and classified according to their significance. Any design engineering specifications associated with the item are defined where possible (for example, spacing between storage racks if they provide a criticality safety function).

The desktop review also has the additional benefit of helping plant operators to better understand those features that contribute most significantly to safety, how these items work and how their actions can affect these features. This understanding helps to promote ownership of the safety case. In addition, the desktop process provides a useful cross-check of the potential hazards identified through the HAZOP process.

  Plant Walkdown

The plant walkdown, which supports the engineering substantiation and safety assessment, provides an overall picture and detail which is very difficult to ascertain from drawings or documents viewed in isolation. It aims to confirm the safety functions and safety function classes of each SSC in the engineering schedule and identify omissions. It helps to identify threats to SSCs, especially to identify internal hazards that could initiate a fault sequence and to confirm that the plant normal operations were accurately represented in desktop assumptions. The walkdown also helps to confirm that the physical reality of the plant corroborates DAR assumptions and enables comparisons to be made between existing plant and modern design so improvements can be identified.

BENEFITS OF THE COSR

The second COSR presented the case for the continued operation of a storage facility at Sellafield used to store radioactive material.

The Store receives cans of material which are weighed and analysed before being stored in racks within concrete cells (the racks are designed to store the product safe from criticality). At the appropriate time, the cans will be exported from the plant.

Perhaps the first point to note is that the plant operators have found the COSR easier to understand than the fdSC and so is of more benefit to them. Part of the reason for this is that they have been encouraged to own the COSR and its production process and have helped shape its development so that it provides them with the information that they require. The operators have also been heavily involved in preparing sections of the COSR that may have been written for them previously.

The desktop process proved to be an extremely valuable method of helping plant operators to better understand the safety significance of items on the plant. It also helped them to better understand how engineering on the plant performs its function. The desktop process and walkdown also provided an independent way of confirming that the major faults and associated hazards had been identified on the plant. In the case of the Store, the new approaches did not reveal any significant new faults that could present a safety hazard. This is perhaps not unexpected, as the Store is a relatively simple process and so the potential hazards can be relatively easily identified.

Possibly the most significant benefit of the Store COSR from the application of the new methodologies is that some 120 potential plant improvements were identified from the COSR production process. None of these improvements were sufficiently major, in isolation or in combination, to suggest that the plant was unsafe to operate. However, they do suggest that it could be made safer still. A programme has been established to address these improvement.

One potential improvement, for example, is to introduce a mechanical interlock onto plant which will help prevent damage to a can when it is loaded into the storage channels if there was a breakdown in operational controls. While the operational controls are considered to be sufficiently robust, the interlock will help make the plant safer and should be a relatively simple modification to make. This type of engineered feature is preferred to reliance on operator controls. Another proposed modification aims to improve the seismic qualification of part of the roof around the periphery of the store, which is well away from the stored material. This part of the roof satisfied the seismic performance standards at the time of design, though falls marginally short of modern standards, which use a conservative method of assessment. The seismic performance of the roof can be relatively easily upgraded by tying this section of the roof to that over the main store which easily satisfies modern seismic standards. Other improvements were identified during plant walkdown. For example, an ergonomics walkdown reinforced the need to provide visual as well as audible alarms in areas where ear defenders now have to be worn.

FUTURE DEVELOPMENT

The COSR process is still developing and it is recognised that there is scope for further improvement. A Steering Group has been set up in BNFL to help direct these improvements, with a set of working groups operating beneath it.

The Fully Developed Safety Case

The Fully Developed Safety Case (fdSC), the predecessor to the COSR, provides a rigorous justification for the safe continued operation of often complex nuclear plant. However, in achieving this objective the fdSC, whose main emphasis is on probabilistic safety assessment (PSA), has become a very large, relatively complicated document. The fdSC also tends to comprise of a collection of parts, rather than a fully integrated assessment. Hence, recommendations are often scattered throughout the document in a rather unfocussed way. These features of the fdSC are clearly unhelpful to plant operators. They can also make the regulatory review process difficult and time-consuming.


Main safety function classes

Class 1. Failure could potentially result in a high public or worker dose. The shielding around plants containing highly active liquors would be an example of a Class 1 safety function. A very high degree of confidence is required. Class 2. Failure could lead to medium public or worker consequences, and would generally require coincident failure of other safety measures. Most C&I protective measures will have Class 2 safety functions. Class 3. Failure would result in a relatively low consequence to the public or worker and would generally require the coincident failure of other safety measures.


COSR sections

Introduction Plant & Process Description and Operating Philosophy Review of Operational Safety Experience Safety Assessment Summary Engineering Substantiation Overall ALARP Conclusions & Auditable Trail




Privacy Policy
We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.