Technical Assessment Guide – Early initiation of safety systems
T/AST/010
- Issue Date: 21/07/2008
- Review Date: 21/07/2011
- Issue No: 002
- Approved by: A N Hall
Purpose and scope
The Nuclear Installations Inspectorate (NII) of the Health and Safety Executive (HSE) has the responsibility for regulating the safety of nuclear installations in Great Britain. The Safety Assessment Principles (SAPs) for Nuclear Facilities [1] provide a framework to guide regulatory decision-making in the nuclear permissioning process. They are supported by Technical Assessment Guides (TAGs) which further aid the decision-making process.
This Assessment Guide discusses how SAPs ESS 8 and 9, and their underpinning paragraphs 343 and 344, should be interpreted. Reference is also made to related human factors SAPs EHF 5 and 8 and Paras 380 and 385. The guidance is intended to ensure that engineered safety systems are designed to keep the facility within its safe operating limits without the need to claim operator action to initiate, moderate or disable safety system action within approximately 30 minutes of the indicated start of the requirement for protective action. The guidance also considers those operator actions that may be performed within the 30 minute period and sets out NII’s expectations about the nature of, and support for, such actions.
The guidance presented here should be applied in association with Technical Assessment Guidance which states NII’s expectations concerning the treatment of human factors throughout the facility life cycle [2], and related underpinning guidance on human factors approaches and methodologies which is in preparation. Reference should also be made to T/AST/003 [3] which offers guidance on the application of SAPs concerned with engineered safety systems, including protection and actuation systems.
On nuclear chemical plants, protection against the on-site consequences of design basis faults is in many cases provided by evacuation. Evacuation is itself a safety measure and lies outside the scope of this TAG, which addresses cases where safety systems need to be activated by personnel. The time claimed for evacuation needs to be supported by appropriate analysis, and may be less than 30 minutes.
Relationship to licence and other relevant legislation
The Nuclear Site Licence Conditions place legal requirements on the licensee to make and implement arrangements to demonstrate that safety is being managed adequately. The following Licence Conditions are pertinent to the application of SAPs ESS8 & 9 and underpinning paras 343 and 344. They will be considered when assessing claims for operator action made in a licensee's safety case.
- Licence Condition 10: Training - facility personnel who have responsibility for an action which may affect safety shall be adequately trained for that purpose.
- Licence Condition 11: Emergency Arrangements - the licensee shall make and implement adequate arrangements to respond effectively to any incident ranging from a minor on-site event to a significant release of radioactive material.
- Licence Condition 12: Duly Authorised and other Suitably Qualified and Experienced Persons - only suitably qualified and experienced persons shall perform duties which may affect the safety of any operations on the site or the duties required by other licence conditions or their arrangements made thereunder.
- Licence Condition 14: Safety Documentation - the licensee shall prepare and assess safety cases to ensure that the licensee justifies safety during design, construction, manufacture, commissioning, operation and decommissioning.
- Licence Condition 23: Operating Rules - the licensee shall, in respect of any operation that may affect safety, produce an adequate safety case to demonstrate the safety of that operation and to identify the conditions and limits necessary in the interests of safety.
- Licence Condition 24: Operating Instructions - all operations which may affect safety, shall be undertaken in accordance with written operating instructions.
- Licence Condition 26: Control and Supervision of Operations - safety-related operations shall be carried out under the control and supervision of suitably qualified and experienced personnel.
- Licence Condition 27: Safety Mechanisms, Devices and Circuits - plant shall not be used unless safety mechanisms, devices and circuits are installed and maintained to an adequate standard.
Relationship to SAPs, WENRA Reference Levels and IAEA Safety standards
This Assessment Guide is intended to interpret three distinct elements relating to the early initiation of safety systems. These are the automatic initiation of safety systems (discussed under Automatic safety system initiation, below); the practice of limiting claims made for operator safety actions within approximately 30 minutes (discussed under Definition of the 30 minute period); and the scope for allowing operator action which may enhance, but does not impede, the operation of safety systems (discussed under Provision for operator safety action within the 30 minute period). Some general considerations are summarised under General considerations. SAPs relevant to this guidance include the following:
SAP ESS8 states:
“A safety system should be automatically initiated and normally no human intervention should be necessary following the start of a requirement for protective action”.
Para 343 states:
“The design should be such that facility personnel cannot negate correct safety system action at any time but they can initiate safety system functions and can perform necessary actions to deal with circumstances that might prejudice safety”.
SAP ESS9 states:
“Where human intervention is necessary following the start of a requirement for protective action, then the time before such intervention is required should be demonstrated to be sufficient”.
Para 344 states:
“The practice on UK civil nuclear power reactor facilities is that no human intervention should be necessary for approximately 30 minutes following the start of a requirement for protective action. It would be expected that this practice continues to be met”.
SAP EHF 2 states:
“When designing systems, the allocation of safety actions between humans and technology should be substantiated and dependence on human action to maintain a safe state should be minimised”.
Para 380 states:
“The (task) analysis should demonstrate the feasibility of these actions within the available timescales and should inform the way they are designed and supported to achieve reliable task performance….”
SAP EHF 7 states:
“User interfaces, comprising controls, indications, recording instrumentation and alarms should be provided at appropriate locations and should be suitable and sufficient to support effective monitoring and control of the plant during all plant states”.
Para 385 states:
“The user interface should:
- enable the operator to determine plant states and the availability, and status, of plant equipment;
- provide a conspicuous early warning of any safety-related changes in plant state;
- provide the means of confirming safety system challenges and identifying, initiating and confirming necessary safety actions;
- support effective diagnosis of plant deviations; and
- enable the operator to determine and execute appropriate system actions, including actions to overcome failures of automated safety systems or to reset a safety system after its operation”.
This guidance is consistent with WENRA Reactor Safety reference levels Issue E Design Basis Envelope for Existing Reactors [4]. S 9.3 states that:
“Activations and manoeuvring of the safety functions shall be automated or accomplished by passive means such that operator action to initiate safety systems is not necessary within 30 minutes after the initiating event. Any operator actions required by the design within 30 minutes after the initiating event shall be justified.”
Advice to assessors
Automatic safety system initiation
Safety systems are provided to reduce the frequency, or limit the consequences, of fault sequences, and to achieve and maintain a defined safe state (SAP ESS1). Automatic safety system initiation is normally regarded as being a more reliable means of instigating the correct functioning of appropriate plant and equipment than human (“operator”) action, especially where early protective action is required. Licensees should therefore be able to demonstrate that early protection against design basis faults is achieved through automatic initiation of safety systems and that the safety case does not need to claim early action by operators to initiate, moderate or disable safety systems. This principle is developed in the following sections. It is subject to application of the overriding ALARP principle.
Definition of the 30 minute period
Para 344 of the SAPs states NII’s expectations that there should be a nominal period of approximately 30 minutes, taken to commence upon the indication of a reactor trip or plant protection signal, within which the safety of the facility should not be dependent upon the operator carrying out any control actions which actuate, or contribute towards the control, or effectiveness, of safety systems.
The 30 minute period stated in Para 344 is not based on a systematic analysis of the time which the operator needs to prepare a response to design basis events. Any time estimate arising from such an analysis would be event-specific and would depend upon the design of the facility, how it is operated and how operator actions are supported. Rather, Para 344 is a conservative deterministic design principle intended to reduce the potential for erroneous operator action to impact on safety. This principle is based on the premise that the likelihood of operator error is highest immediately after the onset of an event, when the operator may be exposed to a stressful situation and presented with a large number of indications and alarms, and falls as the operator has more time to reach an informed and considered decision.
Operational definition of the 30 minute period
SAP ESS13 requires that there should be a means of indicating to the operator that a demand for safety system action has arisen. The point at which the 30 minute period is taken to commence should correspond not to the reactor trip or safety system actuation itself, but to the moment when the demand for safety system operation is indicated to the operator (although for many events the initiating event and the indication are likely to occur at much the same time). Thus, a full 30 minute period should be available for the operator to monitor the developing situation before it may become necessary to claim operator safety action. This interpretation allows the schedule presented in Figure 1 to be determined for those design basis fault sequences which claim operator safety actions:
Figure 1. Key stages arising from application of SAP ESS 8 and para 344 to design basis events
Key:
T0 demand for safety system operation
T1 indication of demand for safety system operation to operator
T2 point from which manual safety system actions may ordinarily be claimed
T3 point by which safety system operation must have commenced for facility to be brought to safe (e.g. shutdown) condition
T4 facility in safe quiescent state
Figure 1 shows that, following an event which demands safety system operation (T0), the safety system must be brought into operation by time T3 in order for the facility to be brought into a safe state by time T4. Ordinarily, this should be achieved automatically (ESS8). However, in any event for which operator safety actions are claimed, three separate periods of activity must be considered:
- a) the safety case should define the time period T0-T1 since, together with T4, this allows the subsequent periods T1-T2 and T2-T3 to be defined;
- b) operator safety actions should not be claimed to start within 30 minutes of the initiating event being indicated (T1-T2). Information about facility status may be gathered during this period, and the safety case should demonstrate that sufficient time is available to gather and interpret the information needed to support the performance of operator safety actions which commence after the 30 minute period;
- c) the safety case should demonstrate that claimed operator safety actions after this point are themselves feasible in the time available (T2-T3).
When considering b) and c) above, the Assessor should bear in mind that available time itself is never the sole, and may not be the dominant, influence on operator performance: other pertinent factors include the task demands, interface design, provision and clarity of procedures, adequacy of training, working environment etc. The Assessor should ensure that claims on operator safety action are adequately supported (SAPs EHF 5, EHF 7 and Paras 380 and 385). Guidance on the factors to be considered when reviewing such claims is provided in separate TAGs which are currently being developed. If the safety case is unable to substantiate the claims that are made on operator performance, then the facility design, or its mode of operation, should be modified to remove the need to claim operator action or to modify that claim such that it can be substantiated.
Provision for operator safety action within the 30 minute period
SAPs ESS8, ESS9 and underpinning paras 343 and 344 are intended to minimise the potential for inappropriate operator action in the early stages of a disturbance. However, for some faults, early operator action could also have a positive impact on safety by reinforcing the safety system. The licensee may also wish to initiate early operator action for commercial reasons.
It is sensible to take advantage of the operational flexibility offered by early operator action, so long as this action does not need to be claimed in DBA aspects of the safety case and does not have the potential to impair facility safety (para 343). The following principles may therefore be applied:
- Since an operator may determine a need for a safety system function before it is initiated automatically, then manual initiation should be possible provided that this does not negate or impair correct safety system action overall.
- If a safety system fails to operate correctly, or to achieve its desired functional performance when a demand is placed upon it by a protection signal, the operator should be able to carry out simple and well-rehearsed remedial actions during the 30 minute period in order to restore the correct functioning of that system or to achieve an effective transition to a safe state. This is consistent with WENRA guidance (Annex E, para 10.9 [4]).
- Where it is proposed to allow operator action to reinforce or support safety system performance within the 30 minute period, there should be a clear and direct means of confirming to operating personnel that a demand for safety system action has arisen, and if so whether the safety system has operated correctly, and whether any limiting condition has been exceeded (SAP ESS 13). The safety case should demonstrate that human factors principles have been applied in the design of facility, equipment and administrative arrangements and that reliable operator performance is supported (SAP EHF 7 and Paras 380, 385). Guidance on the factors to be considered when reviewing such claims is under development.
- During the 30 minute period it should not be possible for operators to disable or moderate a functioning safety system so long as a protection signal continues to demand the operation of that system (i.e., the safety system is responding correctly given a current demand). Nuclear facilities should be designed so that they can accommodate spurious or inappropriate safety system operation. Spurious initiation should appear in the list of design basis faults (FA5) since it is unlikely that spurious initiation can be shown to occur less frequently than 10⁻⁵ per year.
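As an added illustration that is not part of this TAG, the following Python model encodes the Figure 1 schedule (T0 to T4, with T2 taken as T1 plus the nominal 30 minutes of Para 344) and the actuation principles listed above (automatic initiation under ESS8, manual initiation permitted and manual disable refused while a demand persists under Para 343, reset after the demand clears under Para 385) as checks an assessor could run against the times claimed in a safety case. The class and function names, the use of minutes as the time unit, and the sample schedules are assumptions chosen for the illustration.

```python
"""Model of the SAP ESS8 / Para 343 / Para 344 expectations.

Added illustration only: names, units (minutes after T0) and sample
schedules are assumptions, not content of the TAG.
"""
from dataclasses import dataclass
from typing import Optional

NO_CLAIM_PERIOD_MIN = 30.0  # Para 344: nominal "approximately 30 minutes"


@dataclass(frozen=True)
class FaultSchedule:
    """Key stages of Figure 1 for one design basis fault sequence."""
    t0: float                              # demand for safety system operation
    t1: float                              # demand indicated to the operator (ESS13)
    t3: float                              # safety system must have commenced by here
    t4: float                              # facility in a safe quiescent state
    claimed_start: Optional[float] = None  # start of a claimed operator safety action
    claimed_duration: float = 0.0          # time the task analysis says the action takes

    @property
    def t2(self) -> float:
        """Earliest point from which operator safety action may ordinarily be claimed."""
        return self.t1 + NO_CLAIM_PERIOD_MIN


def assess_schedule(s: FaultSchedule) -> list:
    """Return the findings an assessor would raise (an empty list means acceptable)."""
    findings = []
    if s.t1 < s.t0:
        findings.append("T1 before T0: indication cannot precede the demand")
    if s.t3 > s.t4:
        findings.append("T3 after T4: safety system must commence before the safe state")
    if s.claimed_start is not None:
        if s.claimed_start < s.t2:          # period b): no claims inside T1-T2
            findings.append(
                f"operator action claimed at {s.claimed_start:g} min, inside the "
                f"T1-T2 no-claim period (ends {s.t2:g} min)")
        if s.claimed_start + s.claimed_duration > s.t3:   # period c): T2-T3 feasibility
            findings.append("claimed action cannot be completed before T3")
    return findings


class SafetySystemInterlock:
    """Actuation logic the TAG expects of a safety system."""

    def __init__(self) -> None:
        self.demand = False        # protection signal currently demanding operation
        self.actuated = False      # safety system currently in operation
        self.events = []           # audit trail of what the model did

    def protection_signal(self, demand: bool) -> None:
        """Automatic initiation on demand (ESS8); the demand is latched until cleared."""
        self.demand = demand
        if demand and not self.actuated:
            self.actuated = True
            self.events.append("auto-initiated")

    def manual_initiate(self) -> bool:
        """Para 343: personnel can initiate safety system functions at any time."""
        if not self.actuated:
            self.actuated = True
            self.events.append("manually initiated")
        return True

    def manual_disable(self) -> bool:
        """Para 343: personnel cannot negate correct safety system action.

        The request is refused while a protection signal still demands operation;
        once the demand has cleared the system may be reset (Para 385).
        """
        if self.demand:
            self.events.append("disable refused: demand active")
            return False
        self.actuated = False
        self.events.append("reset after demand cleared")
        return True


def demonstrate() -> tuple:
    """Run constructed sample schedules and one interlock scenario."""
    compliant = FaultSchedule(t0=0, t1=1, t3=60, t4=120, claimed_start=35, claimed_duration=10)
    early_claim = FaultSchedule(t0=0, t1=1, t3=60, t4=120, claimed_start=20, claimed_duration=10)
    system = SafetySystemInterlock()
    system.manual_initiate()        # operator anticipates the demand: permitted
    system.protection_signal(True)  # demand arrives; system already running
    system.manual_disable()         # refused while the demand persists
    system.protection_signal(False)
    system.manual_disable()         # reset permitted once the demand has cleared
    return assess_schedule(compliant), assess_schedule(early_claim), system.events


if __name__ == "__main__":
    for item in demonstrate():
        print(item)
```

The schedule check only tests the time dimension; as the guidance stresses, available time is never the sole influence on operator performance, so a schedule that passes these checks still needs the task analysis, interface and procedure evidence called for under SAPs EHF 5, EHF 7 and Paras 380 and 385.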
General considerations
Claims for early operator safety action in severe accidents
Rigorous application of design basis analysis should ensure that severe accidents are highly unlikely, but suitable and sufficient severe accident analysis is still required to ensure that risks are reduced so far as is reasonably practicable, and to support the facility PSA. SAPs ESS8, ESS9 and underpinning paras 343 and 344 apply specifically to design basis fault sequences, so NII's expectations concerning claims for operator safety action within the 30 minute period do not formally apply to severe accidents; nevertheless, claims for early operator action to mitigate severe accidents, as referred to in SAPs paras FA15 and FA16, should also be scrutinised.
Although it is appropriate to take a best estimate approach to analysing severe accident fault sequences (SAPs para 547) the licensee’s assessments of claims for operator action should take due account of the factors that may impact upon human performance in such sequences. The operator's direct experience of beyond design basis events will have been restricted to emergency exercises and, perhaps, some sessions with the limited models in training simulators. These limitations, together with the potential stress and uncertainty associated with severe accidents, make it important to treat any claims for early operator action in response to such events with considerable caution. Further guidance on the factors to be considered in such assessments will be provided in a separate TAG.
Treatment of claims for early operator safety action in existing civil reactor facilities
SAPs ESS8, ESS9 and underpinning paras 343 and 344 should be regarded as general principles against which a facility design is assessed. No exceptions should normally be made for new facilities at the design stage. For existing facilities, however, where cases which do not comply with this principle are encountered, claims for operator action to initiate, support or moderate safety system operation should be assessed on a case-by-case basis. In such circumstances, licensees should provide a robust justification of the claim for early operator action which should demonstrate why it is not reasonably practicable to achieve the desired safety system performance automatically. Normally, this should include human factors analysis to describe the claimed operator actions, establish their feasibility and identify potential improvements. Guidance on the factors to be considered when reviewing such claims is under development, but some of the key expectations are drawn out below:
- Suitable and sufficient alarms and other indications of the need for operator action should be available within the control room. These should be unambiguous, obvious and robust. Inspectors need to be satisfied that the potential for the operator failing to detect the relevant alarms and indications, and identify the correct actions, is minimised.
- The actions required of the operator should be simple, well-understood and must be stated clearly in operating instructions. Feedback should be provided to confirm the effectiveness of the operator's actions. Inspectors need to be satisfied that the potential for error in carrying out the actions is minimised.
- The licensee should confirm a commitment to carry out regular training which covers the operator's tasks, and monitoring of performance. Particular emphasis should be placed on the decision-making aspects of the tasks, noting the pressures which may be brought about by the potential safety significance of the actions, coupled with their lack of frequency and potential commercial impact.
References
- [1] Safety Assessment Principles for Nuclear Facilities. HSE, 2006.
- [2] T/AST/058, Technical Assessment Guidance: Human Factors Integration Plan (in draft).
- [3] T/AST/003, Technical Assessment Guide ‘Safety Systems’. 2002.
- [4] Western European Nuclear Regulators’ Association. WENRA Reactor Safety Reference Levels. January 2007.

