safety analysis approaches – isa vs. dsa – one safety analyst’s opinion
DESCRIPTION
Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s Opinion. John Farquharson [email protected]. Introduction. - PowerPoint PPT PresentationTRANSCRIPT
Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s
Opinion
John Farquharson
1
Introduction
For commercial nuclear fuel cycle facilities (e.g., enrichment, fuel fabrication), the NRC requires compliance with 10 CFR 70.61 through an Integrated Safety Analysis (ISA)
For DOE nonreactor nuclear facilities, the DOE requires compliance with 10 CFR 830 through a Documented Safety Analysis (DSA)
This paper looks at similarities and differences between the ISA and DSA approach
2
Similarities
Both regulations have been in existence for approximately a decade (since ~2000)
The processes analyzed are both nonreactor, nuclear facilities with similar potential accidents of interest (i.e., loss of confinement, fires, nuclear criticality accidents)
3
Similarities (cont.)
Both regulations reference a standard for the structure of the safety basis documents• DOE-STD-3009 for DSAs• NUREG-1513 (ISA guidance)
Both regulations address multiple receptors• “Facility workers”• Co-located workers• Public
4
Similarities (cont.)
Consequence thresholds and categories for radiation and toxic exposures are similar
Likelihood categories are generally similar (order of magnitude bins)
Both standards reference the Center for Chemical Process Safety (CCPS) “red book” for hazard analysis methodology
5
Differences
ISA promotes a layer of protection analysis (LOPA) approach with an approved scenario risk matrix used to:• Judge acceptability of credited controls
– Items relied on for safety (IROFS)
• Provide guidance for probability of failure values for controls
• Screen out low likelihood initiating events
6
Differences (cont.)
DSA is more consequence-driven• Qualitative guidance on acceptable controls• No allowances to screen out initiating events• No approved risk matrix• Some DOE facilities (e.g., Pu) may have potentially
higher consequences as compared to NRC-regulated ISA facilities
7
General Hazard Procedure (either approach)
Perform hazard identification Perform hazard evaluation
• List all available controls Select safety controls
• IROFS for ISA• Safety class or safety significant structures, systems,
and components (SSCs) for DSA Detailed accident analysis Derive agreement for operations of controls
• Management measures for ISA• Technical safety requirements for DSA
8
Main Differences Between DSA and ISA Approach
Method for acceptance of risk due to postulated operational accident
DSA – pick controls based on qualitative guidance• Engineered over administrative controls• Passive over active, etc.
ISA – guidance in risk matrix approach that factors:• Likelihood of postulated initiating event• Probability of failure on demand of IROFS
9
LOPA
More quantitative than a hazard and operability (HAZOP) analysis
Less quantitative than fault tree/event tree analyses
Focuses on one scenario at a time Looks at Independent Layers of Protection (IPLs) Is another tool for judging risk
10
Layers of Defense Against a Possible Accident
11
LOPA is limited to evaluating a single cause-consequence pair
12
IPL1 IPL2 IPL3
Initiating Eventsuccess
Consequencesexceeding criteria
Undesired, buttolerable outcome
Safe outcomesuccess
success
ConsequenceOccurs
ImpactEvent
Frequency
failure
failure
failure
Undesired, buttolerable outcome
Key:Thickness of arrowrepresents frequency ofthe consequence if laterIPLs are not successful
13
DSA Guidance for Choosing Safety Controls
From DOE-STD-3009, choose controls that: 1.Are preventive over mitigative2.Reduce source term3.Are passive over active4.Are engineered over administrative5.Are nearest source 6.Have the fewest active features7.Reduce risk the most8.Are effective for other accidents…
14
ISA Guidance for Choosing Safety Controls
10 CFR 70.61 – Performance Requirements
(b) The risk of high consequence events must be limited. Engineering and administrative controls shall be used to keep events highly unlikely (guidance in NUREG-1520 as <1E-5/yr) or their consequences less than high
• High consequence event– acute worker dose 100 rem – person outside controlled area dose 25 rem
15
ISA Guidance for Choosing Safety Controls (cont.)
10 CFR 70.61 – Performance Requirements (c) The risk of intermediate consequence
events must be limited. Engineering and administrative controls shall be used to keep events unlikely (guidance in NUREG-1520 as <1E-4/yr) or their consequences low
• Intermediate consequence event– not a high consequence event– acute worker dose 25 rem – person outside controlled area dose 5 rem
16
NUREG 1520 — Risk Matrix
Consequence Category 3
High
Likelihood Category 1:
highly unlikely
2 acceptable
1 acceptable 2 acceptable
Consequence Category 2
Intermediate
Consequence Category 1
Low
Standard Review Plan Risk Matrix
6 unacceptable 9 unacceptable
6 unacceptable
Likelihood Category 2:
unlikely
Likelihood Category 3:
not unlikely
3 acceptable
3 acceptable
4 acceptable
17
Likelihood
10 CFR 70.65 requires the applicant to define the likelihood terms “unlikely,” “highly unlikely,” and “credible.” All credible high-consequence events must be highly unlikely, and credible intermediate-consequence events must be unlikely for the risk to be acceptable. Events that are not credible may be exempt from the use of controls
18
Likelihood of Occurrence
Composed of the following two elements:1. The frequency of the initial event occurring despite
prevention measures
2. The reliability or effectiveness of protection measures that protect against the event progressing to the accident
a. IROFSs
i. Active engineered controls (AECs)
ii. Passive engineered controls (PECs)
iii. Administrative IROFSs
1919
Not Credible Events
External events < 1.0E-6/y Process deviations requiring many unlikely
human actions/errors for which there is no motive or reason
Process deviations for which a convincing argument, based on physical laws, shows that they are not possible or unquestionably extremely unlikely
20
Highly Unlikely Events
Double contingency protection Likelihood index < -5 Estimated likelihood below 1.0E-5/y
21
Unlikely Events
Engineered, hardware controls with high grade of management measures
Enhanced administrative controls Likelihood index > -5 and < -4 Estimated likelihood below 1.0E-4/y
22
Likelihood Category
1
2
3
NUREG 1520 — Table A-8: Determination of Likelihood Category
Likelihood Index T (= sum of index numbers)
T - 5
- 5 T - 4
- 4 T
23
NUREG 1520 — Table A-9: Failure Frequency Index Numbers
Frequency Index
Number
-6*
-4*
-3*
Based on Evidence
External event with frequency <10-6/yr
No failures in 30 years for hundreds of similar IROFS in industry
No failures in 30 years for tens of similar IROFS in industry
Based on Type of IROFS**
Exceptionally robust passive engineered IROFS (PEC), or an inherently safe process, or 2 independent active engineered IROFS, PEC, or enhanced administrative IROFS
A single IROFS with redundant parts, each a PEC or AEC
Comments
If initiating event, no IROFS needed
Rarely can be justified by evidence. Further, most types of single IROFS have been observed to fail.
-2*
-1
0
No failure of this type in this plant in 30 years
A few failures may occur during plant lifetime
Failures occur every 1-3 years
A single PEC
A single AEC, an enhanced administrative IROFS, an administrative IROFS with large margin, or a redundant administrative IROFS
A single administrative IROFS
1 Several occurrences per year
Frequent event, inadequate IROFS
2 Occurs every week or more often
Very frequent event, an inadequate IROFS
Not for IROFS, just initiating events
Not for IROFS, just initiating events
24
NUREG 1520 — Table A-10: Failure Probability Index Numbers
Probability Index
Number
-6*
-4 or -5*
Probability of Failure on Demand
10-6
10-4 - 10-5
Based on Type of IROFS
Exceptionally robust passive engineered IROFS (PEC), or an inherently safe process, or 2 redundant IROFS more robust than simple administrative IROFS(AEC, PEC, or enhanced administrative)
Comments
If initiating event, no IROFS needed
Rarely can be justified by evidence. Most types of single IROFS have been observed to fail.
-3 or -4* 10-3 - 10-4 A single passive engineered IROFS (PEC) or an active engineered IROFS (AEC) with high availability
-2 or -3*
-1 or -2
10-2 - 10-3
10-1 - 10-2
A single active engineered IROFS (AEC), or an enhanced administrative IROFS, or an administrative IROFS for routine planned operations
An administrative IROFS that must be performed in response to a rare unplanned demand
25
Footnotes for Tables A-9 and A-10
* Indices less than (more negative than) -1 should not be assigned to IROFS unless the configuration management, auditing, and other management measures are of high quality, because without these measures, the IROFS may be changed or not maintained.
** Failure frequencies based on experience for a particular type of IROFS, as described in this column, may differ from values in column 1; in this case, data from experience take precedence.
Severity of Consequences
The severity of consequences of an accident is measured in terms of resulting health effects, including fatalities or exceeding personnel exposure limits
2727
10 CFR 70.61 – Performance Requirements
High consequence event– Acute worker dose 100 rem – Person outside controlled area dose 25 rem– Person outside controlled area intake 30 mg
soluble U– Acute chemical exposure (from or produced by
licensed material) that could endanger a worker’s life or could cause irreversible or serious, long-lasting health effects to persons outside the controlled area
28
10 CFR 70.61 – Performance Requirements (cont.)
Immediate consequence event– Not a high consequence event– Acute worker dose 25 rem – Person outside controlled area dose 5 rem– 24-hour average release of radioactive material
outside restricted area concentration > 5,000 times Table 2, App B, Part 20
– Acute chemical exposure (from or produced by licensed material) that could cause irreversible or serious, long-lasting worker health effects or mild, transient health effects to persons outside the controlled area
29
Comparisons – DSA vs. ISA
DSA – qualitative guidance on picking controls
ISA – agency-wide accepted risk matrix approach
ISA – justification for operational events being “noncredible”
Same controls selected?
30