Safety analysis approaches isa vs dsa one safety analyst s opinion
This presentation is the property of its rightful owner.
Sponsored Links
1 / 30

Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s Opinion PowerPoint PPT Presentation


  • 67 Views
  • Uploaded on
  • Presentation posted in: General

Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s Opinion. John Farquharson [email protected] Introduction.

Download Presentation

Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s Opinion

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Safety analysis approaches isa vs dsa one safety analyst s opinion

Safety Analysis Approaches – ISA vs. DSA – One Safety Analyst’s Opinion

John Farquharson

[email protected]


Introduction

Introduction

  • For commercial nuclear fuel cycle facilities (e.g., enrichment, fuel fabrication), the NRC requires compliance with 10 CFR 70.61 through an Integrated Safety Analysis (ISA)

  • For DOE nonreactor nuclear facilities, the DOE requires compliance with 10 CFR 830 through a Documented Safety Analysis (DSA)

  • This paper looks at similarities and differences between the ISA and DSA approach


Similarities

Similarities

  • Both regulations have been in existence for approximately a decade (since ~2000)

  • The processes analyzed are both nonreactor, nuclear facilities with similar potential accidents of interest (i.e., loss of confinement, fires, nuclear criticality accidents)


Similarities cont

Similarities (cont.)

  • Both regulations reference a standard for the structure of the safety basis documents

    • DOE-STD-3009 for DSAs

    • NUREG-1513 (ISA guidance)

  • Both regulations address multiple receptors

    • “Facility workers”

    • Co-located workers

    • Public


Similarities cont1

Similarities (cont.)

  • Consequence thresholds and categories for radiation and toxic exposures are similar

  • Likelihood categories are generally similar (order of magnitude bins)

  • Both standards reference the Center for Chemical Process Safety (CCPS) “red book” for hazard analysis methodology


Differences

Differences

  • ISA promotes a layer of protection analysis (LOPA) approach with an approved scenario risk matrix used to:

    • Judge acceptability of credited controls

      • Items relied on for safety (IROFS)

    • Provide guidance for probability of failure values for controls

    • Screen out low likelihood initiating events


Differences cont

Differences (cont.)

  • DSA is more consequence-driven

    • Qualitative guidance on acceptable controls

    • No allowances to screen out initiating events

    • No approved risk matrix

    • Some DOE facilities (e.g., Pu) may have potentially higher consequences as compared to NRC-regulated ISA facilities


General hazard procedure either approach

General Hazard Procedure (either approach)

  • Perform hazard identification

  • Perform hazard evaluation

    • List all available controls

  • Select safety controls

    • IROFS for ISA

    • Safety class or safety significant structures, systems, and components (SSCs) for DSA

  • Detailed accident analysis

  • Derive agreement for operations of controls

    • Management measures for ISA

    • Technical safety requirements for DSA


Main differences between dsa and isa approach

Main Differences Between DSA and ISA Approach

  • Method for acceptance of risk due to postulated operational accident

  • DSA – pick controls based on qualitative guidance

    • Engineered over administrative controls

    • Passive over active, etc.

  • ISA – guidance in risk matrix approach that factors:

    • Likelihood of postulated initiating event

    • Probability of failure on demand of IROFS

9


Safety analysis approaches isa vs dsa one safety analyst s opinion

LOPA

  • More quantitative than a hazard and operability (HAZOP) analysis

  • Less quantitative than fault tree/event tree analyses

  • Focuses on one scenario at a time

  • Looks at Independent Layers of Protection (IPLs)

  • Is another tool for judging risk

10


Layers of defense against a possible accident

Layers of Defense Against a Possible Accident

11


Safety analysis approaches isa vs dsa one safety analyst s opinion

LOPA is limited to evaluating a single cause-consequence pair

12


Safety analysis approaches isa vs dsa one safety analyst s opinion

13


Dsa guidance for choosing safety controls

DSA Guidance for Choosing Safety Controls

From DOE-STD-3009, choose controls that:

  • Are preventive over mitigative

  • Reduce source term

  • Are passive over active

  • Are engineered over administrative

  • Are nearest source

  • Have the fewest active features

  • Reduce risk the most

  • Are effective for other accidents

14


Isa guidance for choosing safety controls

ISA Guidance for Choosing Safety Controls

10 CFR 70.61 – Performance Requirements

(b)The risk of high consequence events must be limited. Engineering and administrative controls shall be used to keep events highly unlikely (guidance in NUREG-1520 as <1E-5/yr) or their consequences less than high

  • High consequence event

    • acute worker dose ³ 100 rem

    • person outside controlled area dose ³ 25 rem

15


Isa guidance for choosing safety controls cont

ISA Guidance for Choosing Safety Controls (cont.)

10 CFR 70.61 – Performance Requirements

(c)The risk of intermediate consequence events must be limited. Engineering and administrative controls shall be used to keep events unlikely (guidance in NUREG-1520 as <1E-4/yr)or their consequences low

  • Intermediate consequence event

    • not a high consequence event

    • acute worker dose ³ 25 rem

    • person outside controlled area dose ³ 5 rem

16


Standard review plan risk matrix

Standard Review Plan Risk Matrix

NUREG 1520 — Risk Matrix

Likelihood Category 1:

highly unlikely

Likelihood Category 2:

unlikely

Likelihood Category 3:

not unlikely

6 unacceptable

9 unacceptable

Consequence Category 3

High

3 acceptable

6 unacceptable

Consequence Category 2

Intermediate

2 acceptable

4 acceptable

Consequence Category 1

Low

1 acceptable

2 acceptable

3 acceptable

17


Likelihood

Likelihood

  • 10 CFR 70.65 requires the applicant to define the likelihood terms “unlikely,” “highly unlikely,” and “credible.” All credible high-consequence events must be highly unlikely, and credible intermediate-consequence events must be unlikely for the risk to be acceptable. Events that are not credible may be exempt from the use of controls

18


Likelihood of occurrence

Likelihood of Occurrence

  • Composed of the following two elements:

    • The frequency of the initial event occurring despite prevention measures

    • The reliability or effectiveness of protection measures that protect against the event progressing to the accident

      • IROFSs

        • Active engineered controls (AECs)

        • Passive engineered controls (PECs)

        • Administrative IROFSs

19


Not credible events

Not Credible Events

  • External events < 1.0E-6/y

  • Process deviations requiring many unlikely human actions/errors for which there is no motive or reason

  • Process deviations for which a convincing argument, based on physical laws, shows that they are not possible or unquestionably extremely unlikely

20


Highly unlikely events

Highly Unlikely Events

  • Double contingency protection

  • Likelihood index < -5

  • Estimated likelihood below 1.0E-5/y

21


Unlikely events

Unlikely Events

  • Engineered, hardware controls with high grade of management measures

  • Enhanced administrative controls

  • Likelihood index > -5 and < -4

  • Estimated likelihood below 1.0E-4/y

22


Safety analysis approaches isa vs dsa one safety analyst s opinion

NUREG 1520 — Table A-8: Determination of Likelihood Category

Likelihood Category

Likelihood Index T (= sum of index numbers)

1

T £ - 5

2

- 5 < T £ - 4

3

- 4 < T

23


Safety analysis approaches isa vs dsa one safety analyst s opinion

Frequency Index Number

Based on Evidence

Based on Type of IROFS**

Comments

-6*

External event with frequency <10-6/yr

If initiating event, no IROFS needed

-4*

No failures in 30 years for hundreds of similar IROFS in industry

Exceptionally robust passive engineered IROFS (PEC), or an inherently safe process, or 2 independent active engineered IROFS, PEC, or enhanced administrative IROFS

Rarely can be justified by evidence. Further, most types of single IROFS have been observed to fail.

-3*

No failures in 30 years for tens of similar IROFS in industry

A single IROFS with redundant parts, each a PEC or AEC

-2*

No failure of this type in this plant in 30 years

A single PEC

-1

A few failures may occur during plant lifetime

A single AEC, an enhanced administrative IROFS, an administrative IROFS with large margin, or a redundant administrative IROFS

0

Failures occur every 1-3 years

A single administrative IROFS

1

Several occurrences per year

Frequent event, inadequate IROFS

Not for IROFS, just initiating events

2

Occurs every week or more often

Very frequent event, an inadequate IROFS

Not for IROFS, just initiating events

NUREG 1520 — Table A-9: Failure Frequency Index Numbers

24


Safety analysis approaches isa vs dsa one safety analyst s opinion

NUREG 1520 — Table A-10: Failure Probability Index Numbers

Probability Index Number

Probability of Failure on Demand

Based on Type of IROFS

Comments

-6*

10-6

If initiating event, no IROFS needed

-4 or -5*

10-4 - 10-5

Exceptionally robust passive engineered IROFS (PEC), or an inherently safe process, or 2 redundant IROFS more robust than simple administrative IROFS(AEC, PEC, or enhanced administrative)

Rarely can be justified by evidence. Most types of single IROFS have been observed to fail.

-3 or -4*

10-3 - 10-4

A single passive engineered IROFS (PEC) or an active engineered IROFS (AEC) with high availability

-2 or -3*

10-2 - 10-3

A single active engineered IROFS (AEC), or an enhanced administrative IROFS, or an administrative IROFS for routine planned operations

-1 or -2

10-1 - 10-2

An administrative IROFS that must be performed in response to a rare unplanned demand

25


Footnotes for tables a 9 and a 10

Footnotes for Tables A-9 and A-10

* Indices less than (more negative than) -1 should not be assigned to IROFS unless the configuration management, auditing, and other management measures are of high quality, because without these measures, the IROFS may be changed or not maintained.

** Failure frequencies based on experience for a particular type of IROFS, as described in this column, may differ from values in column 1; in this case, data from experience take precedence.


Severity of consequences

Severity of Consequences

  • The severity of consequences of an accident is measured in terms of resulting health effects, including fatalities or exceeding personnel exposure limits

27


10 cfr 70 61 performance requirements

10 CFR 70.61 – Performance Requirements

High consequence event

  • Acute worker dose ³ 100 rem

  • Person outside controlled area dose ³ 25 rem

  • Person outside controlled area intake ³ 30 mg soluble U

  • Acute chemical exposure (from or produced by licensed material) that could endanger a worker’s life or could cause irreversible or serious, long-lasting health effects to persons outside the controlled area

28


10 cfr 70 61 performance requirements cont

10 CFR 70.61 – Performance Requirements (cont.)

Immediate consequence event

  • Not a high consequence event

  • Acute worker dose ³ 25 rem

  • Person outside controlled area dose ³ 5 rem

  • 24-hour average release of radioactive material outside restricted area concentration > 5,000 times Table 2, App B, Part 20

  • Acute chemical exposure (from or produced by licensed material) that could cause irreversible or serious, long-lasting worker health effects or mild, transient health effects to persons outside the controlled area

29


Comparisons dsa vs isa

Comparisons – DSA vs. ISA

  • DSA – qualitative guidance on picking controls

  • ISA – agency-wide accepted risk matrix approach

  • ISA – justification for operational events being “noncredible”

  • Same controls selected?

30


  • Login