T/AST/005 - Issue 4 - Rev 1
This Technical Assessment Guide (TAG) represents specific guidance for ONR inspectors on what they should expect of a licensee in meeting its legal requirement to reduce risks so far as is reasonably practicable.
The ONR ALARP TAG is part of a sequence of documents, headed by R2P2 and including the ALARP Guides for use by HSE inspectors published on the website. It is intended that ONR inspectors make use of all these documents in considering licensees' cases or arguments.
The requirement for risks to be ALARP is fundamental and applies to all activities within the scope of the Health and Safety at Work Act. It is important that inspectors in whatever role are aware of the need to ensure that licensees meet this requirement. In simple terms it is a requirement to take all measures to reduce risk which are not unreasonably costly. In many cases this is not done explicitly, but rather by the establishment and/or use of relevant good practices and standards. The development of good practices and standards includes ALARP considerations so in many cases meeting them is sufficient. In other cases, either where standards and relevant good practices are less evident or not fully applicable, the onus is on the licensee to implement measures to the point where the costs of any further measures would be grossly disproportionate to the risks they would reduce.
To aid use of this TAG in regulatory activities, a checklist is provided in annex 1 which references back to the appropriate text in the main body of the TAG. It is recognised that it is unlikely that all of the check points in annex 1 will apply in any single case, and inspectors will need to select those that are appropriate to the specific circumstances.
1.1 The purpose of this Technical Assessment Guide (TAG) is to provide advice to inspectors to help them judge whether a licensee has met the requirement to reduce the risks as low as reasonably practicable (ALARP). This means that measures should be taken to reduce the risks unless the costs of doing so are disproportionately high compared with the risk averted. The TAG is intended to be used for all regulatory functions within ONR. The text below provides general background and guidance which is summarised into a series of check points in annex 1 for inspectors to consider.
2.1 The Health and Safety at Work etc. Act 1974 [HSWA] is the basic legal requirement concerning health and safety related to work activities. Other legislation such as the Nuclear Installations Act 1965 (as amended) [NIA] is subordinate to it. The HSWA places duties on employers to ensure the health, safety and welfare of their employees (Section 2) and to conduct their operations so that persons not in their employment are not exposed to risks to their health and safety (Section 3). The employer is required to ensure that these duties are met "so far as is reasonably practicable". This principle, abbreviated to SFAIRP, is therefore the basic legal requirement to which an employer needs to conform. ALARP and SFAIRP require the same tests to be applied and are effectively the same thing, though the terms are not interchangeable in legal proceedings which must employ the wording in the legislation. Specific legal requirements in relation to radiation protection are contained in the Ionising Radiation Regulations 1999 [IRR], which put into UK law the Euratom Basic Safety Standard Directive 96/29/Euratom. IRR, regulation 8, requires that exposure should be restricted SFAIRP. Other relevant legislation is contained in the Management of Health and Safety at Work regulations, which requires a suitable and sufficient risk assessment, and in the Control of Major Accident Hazards Regulations 1999 [COMAH].
2.2 This TAG is written against the background of Reducing Risks Protecting People (R2P2) (1) and the supporting documents published on the Internet which give guidance to HSE inspectors on ALARP. This TAG extends the HSE guidance to specific aspects of how ONR operates, the use of a licensing regime and other ONR guidance on inspection and assessment. Thus R2P2, the Internet guides and this TAG taken together represent ONR guidance to its inspectors on ALARP. R2P2 sets out HSE's overall framework for decision making to aid consistency and coherence across the full range of risks falling within the scope of the HSWA. This framework represents HSE's risk management philosophy and is based on "The Tolerability of Risks from Nuclear Power Stations" (TOR) published in 1992 (2). TOR defines risks which are so high they are unacceptable unless there are exceptional circumstances, and risks which are so low that they may be considered broadly acceptable and no further regulatory pressure to reduce risks further would be applied. Between these levels inspectors should consider whether risks have been reduced to ALARP. R2P2 explains the decision making process in HSE rather than providing guidance to individual duty-holders. HSE's approach is essentially risk based and R2P2 addresses the qualitative and quantitative role of risk assessment and the key role of good practice in determining control measures. Based on legal precedent, R2P2 considers risk to be the "possibility of danger" and HSE regards anything which presents the possibility of danger as a hazard.
2.3 The HSE ALARP guides published on the Internet are:
2.4 Licence conditions are attached by HSE to the site licence in the interests of safety and with respect to the handling, treatment, and disposal of nuclear matter. The Licence Conditions directly related to safety carry with them the intent of the HSWA and the consequent need to demonstrate that risks are ALARP. Licence Condition 14 requires arrangements to "produce and assess safety cases .... to justify safety". Licence Condition 23 requires an adequate safety case to be produced and that the plant is operated in accordance with the safety case. The Licence Conditions covering handling, treatment and disposal of waste, such as Licence Condition 32, explicitly require certain activities to be managed ALARP.
2.5 The demonstration that activities involving routine exposures of persons on-site to ionising radiation are ALARP has to be carried out in many situations at the time the activity is planned. The detailed workings which it would be expected to find in a written safety case to demonstrate ALARP are unlikely to be feasible or desirable for many day-to-day activities, but the general requirements set out below should inform the judgements made. Under the IRRs, the licensee has to carry out a risk assessment prior to work commencing, to review progress during the job (for example tracking a dose budget) and to consider not only the plant but also procedures and training aspects.
2.6 Many decisions on what is needed to meet ALARP for conventional safety are made at the time Regulations are being written and judgements of acceptability are made directly against the requirements of these Regulations.
3.1 The SAPs (10) were developed against the background of the legal requirements and the TOR philosophy, and have been benchmarked against the IAEA Safety Standards. They contain engineering and operational principles, safety analysis requirements and numerical targets and legal limits. The need to demonstrate ALARP is an overriding and all embracing requirement. Paragraph 13 of SAPs emphasises that "The principles should be used in judging whether ALARP is achieved....... This has not been stated in each case to avoid repetition". Furthermore it is also a requirement of SAPs that "priority should be given to achieving an overall balance of safety rather than satisfying each SAP or making an ALARP assessment against each SAP". SAPs expect that a safety case (see T/AST/051 (25)) should provide an analysis of normal operation, fault analysis covering Design Basis Analysis, Severe Accident Analysis and a Probabilistic Safety Analysis (PSA), and analysis of the engineering design and operations.
3.2 The TOR philosophy has been translated in certain specific cases into numerical targets in the form of Basic Safety Levels (BSLs) and Basic Safety Objectives (BSOs). It is, however, essential that these are applied against a background of good engineering and operational practices. The BSOs represent broadly acceptable levels below which regulatory resources will generally not be used to seek further improvements, and where assessors should confine themselves to considering the validity of the arguments presented (SAPs para 573). This is a pragmatic approach to enable better use of HSE resources; it is not a green light for duty holders to forgo ALARP considerations at such levels.
3.3 It is HSE policy that a new facility or activity should at least meet the BSLs (Note that in a few cases the BSLs are legal limits derived from IRR - these are designated as BSL(LL)). All the other targets are guidance for ONR inspectors and not mandatory. Some existing facilities may have been designed and constructed to different safety standards and deteriorated over time so that analysis may show BSLs are exceeded. In these cases, provided the BSL is not a legal limit, it may be allowable for operation to continue if: i) it has been shown that no reasonably practicable options are available to reduce risks further in the short term; and ii) a longer term plan to manage and reduce risks within as short a period as reasonably practicable is in place. In general, ONR will concentrate on assessment of ALARP where the risks are above BSOs.
3.4 The SAPs numerical targets cover normal operation, design basis analysis and risks from accidents. They include consideration of risks and doses affecting individuals on and off the site and for societal effects. Targets for both facilities and sites are defined.
3.5 The criteria for determining whether an explicit ALARP demonstration is required in relation to the Engineering SAPs, which represent ONR's views of relevant good practice, are not set out in absolute terms. However, if the relevant SAP is evidently well satisfied, then the installation is meeting the equivalent of the TOR broadly acceptable criterion on that particular point and, therefore, there is no need for further ONR assessment against ALARP (see also section on good practice paras 5.1 - 5.10). It is expected that any non-conformance with design principles would be explicitly referenced and justified within the safety case.
3.6 Of particular value in contrasting the options for improvement is the hierarchy of safety measures set out in the Engineering Key Principles (EKP 1-4 and supporting guidance, particularly para 146). Essentially the SAPs approach is: avoid the hazard; design to achieve fault tolerance; maintain safe conditions by passive means rather than active systems; initiate protection automatically in preference to manually; and prevent faults from occurring / escalating rather than mitigating their consequences. This philosophy is also embodied in para 8 of HSE's ALARP in Design paper (5).
3.7 This part of the TAG has concentrated on the SAPs and the nuclear safety case; the legal requirement for SFAIRP and ALARP applies to all regulations under the HSWA. Some parts of regulations such as the IRRs are included within SAPs but not all.
3.8 WENRA Reference Levels and IAEA safety standards are discussed in paragraph 6.5 of this guide.
4.1 The essence of a demonstration that risks have been reduced ALARP is to show that the "costs" of improving safety further would be grossly disproportionate to the benefits that would accrue from implementing any further options for improvement or change to the status quo. This does not mean that a detailed analysis is necessary: the emphasis must be on an analysis which is fit for purpose. Neither does it mean that a quantitative argument based on risk estimates is always necessary as the qualitative features such as the deterministic engineering principles may be sufficient in making a case. However, ONR requires PSA in addition to deterministic analysis for systems where there are significant hazards and complexity. Assessing an ALARP demonstration is essentially a consideration of whether an adequate argument has been made that a further reduction in risk would not be feasible at a reasonable cost, given the magnitude of the risk. However where there are several risks which interact, whether arising from a single hazard or from different connected hazards, there may be a need for balancing to achieve the best overall solution (see para 6.8).
4.2 The demonstration of ALARP will involve the licensee in evaluating the risks and considering whether it would be reasonably practicable to implement further safety measures beyond the initial proposals. This ought to include the consideration of a number of options to identify which is the ALARP solution and making this consideration transparent. In reality there may only be a limited number of options for dealing with a particular health and safety issue. However, features such as: good practice that HSE may have accepted as relevant good practice; an option adopted elsewhere in similar circumstances; and the extent to which this option has worked in practice, often provide strong indications of what the ALARP solution might be.
The following represent principles which are likely to need addressing in most cases:
1) The application of ALARP can only be to risks which the licensee controls (e.g. it is not a requirement for nuclear power plant operators to consider other forms of electrical generation or to include the risks arising from the production elsewhere of equipment used by the plant).
2) Affordability, i.e. whether a company is in a position to fund improvements, is not a legitimate factor in the ALARP argument, though the cost of implementing the improvement is.
3) Simplistic application of ALARP should not be used to argue against meeting relevant laws or regulations, or declared Government Policy such as that on Radwaste and decommissioning (11a & 11b).
4) ALARP demonstrations ought to consider the various options which could improve the level of safety, and implement the option or combination of options which achieves the lowest level of residual risk provided this is reasonably practicable (para 50 of the HSE ALARP Principles (3)). It is not adequate to start with the cheapest option first and only consider the more expensive options for the additional marginal improvement they would give. The timescale for implementation may be a factor in the choice of options.
5) Options may include partial implementation or implementation of more than one measure as appropriate. It is not valid to argue that a solution requires only whole or single measures.
6) For an existing plant, the need is to compare the plant with modern standards, consider the importance of any shortfalls and what options exist for improvement, again starting with the safest and then consider the reasonable practicability of implementing them. Older plants may meet the ALARP requirement at higher risks than new ones (para 52 of the HSE ALARP Principles (3)).
7) Surrogate criteria, e.g. SAPs dealing with engineering principles, may be used in determining the need for an ALARP demonstration. In these cases, to make the demonstration, the Licensee may need to consider the consequences of accidents (the detriments) directly, in terms of deaths/injuries, food bans etc, so that they can be compared with the sacrifice entailed by implementation of any measures (see also para 5.19). This does not imply a CBA but it does require consideration of the costs in relation to the effects of an accident.
8) The ALARP case should be fit for purpose. If the risks are high then a demonstration of ALARP would need to be more rigorous than if the risks are low. The degree of rigour should also depend on the consequence level. For higher consequence situations the consequences should weigh more heavily than the frequency estimates. Furthermore thought should be given to the robustness of the conclusions with respect to uncertainties and to any assumptions employed in the demonstration.
9) If the ALARP demonstration employs a comparison of costs and risk reduction benefits to rule out an improvement, it must be shown that the costs of the improvement would be "grossly disproportionate" (see Cost Benefit Analysis Principles (7)). The law does not recognise an acceptable region other than when ALARP has been met so there is unlikely to be any sympathy in the courts for parity of costs and benefits, even at the TOR Broadly Acceptable level. Advice from HSE solicitors is that the courts would still seek "gross disproportion". There is no precise legal factor or HSE algorithm for gross disproportion. For the purposes of this TAG, it is suggested that the evidence given by John Locke, then Director General of HSE, at the Sizewell B Public Inquiry provides a starting point. Although this evidence was produced some time ago, no subsequent legal proceedings or public inquiries have countered these views or provided alternatives. In his evidence, Locke suggested a disproportion factor of up to 3 for workers. For risks to the public the factor would depend on the level of risk, and where the risks were low (consequence and likelihood) a factor of about 2 is suggested, whereas for higher risks the factor would be about 10 times.
The NRPB (now HPA) has produced guidance relating to the dose saved resulting from routine exposure or minor accidents i.e. stochastic effects, up to about 100 mSv. They recommend that an increasing multiplier is used as the dose increases and comparison of licensees' submissions with this approach may be valuable as part of ONR's assessment (12).
For our purposes, it is suggested that a factor of less than 10 in the vicinity of the BSL (i.e. ToR unacceptable level) is unlikely to be acceptable and, for hazards that can cause large consequences, the factor may need to be larger still.
5.1 The ALARP demonstration should consider first and foremost factors relating to engineering, operations and the management of safety. These expectations are often referred to by the general term "good practice". HSE (4) defines good practice as "..those standards for controlling risk which have been judged and recognised by HSE as satisfying the law when applied to a particular relevant case in an appropriate manner." In nuclear safety applications, where there is a clear potential for major accidents, the best available practice which is appropriate for the application would normally be required to meet relevant good practice for new designs. Annex 3 contains further guidance on the application of ALARP for new civil nuclear reactors in the context of Generic Design Assessment (19).
5.2 For existing plant, relevant good practice is established by using the standards etc that would be applied to a new design as a benchmark and subjecting any shortfalls in the existing plant to the test of reasonable practicability - that is: unless the sacrifice entailed in moving towards the benchmark is grossly disproportionate to the safety benefit, the licensee should make that move (see also para 5.2).
5.3 What is accepted as relevant good practice may change over time because of technological innovation which improves the degree of control, cost changes or knowledge about the hazard. For existing plants in Periodic Safety Reviews (PSRs) the plant should be compared with the benchmark of modern standards (see T/AST/050 (22) on PSRs for more information) and due account taken, when considering compliance and the reasonable practicability of improvements, of the age of the plant, its future lifetime and the degree and importance of any shortfall.
5.4 In terms of specific sources of relevant good practice for the nuclear industry there are several legal requirements which must be met and in some cases ACoPs and Guidance have been issued (e.g. the ACoPs to the IRR (13) and on managing safety (14)). Government policy is another source that can determine good practice; the latest statement of national policy for the management of radioactive waste and decommissioning is given in “the rolling summary of the current components of the radioactive waste management policy in the UK” (11a) and the “decommissioning of UK nuclear industry’s facilities” (11b).
5.5 Standards exist for many engineering and operational features and it is a feature of new designs that a licensee will set out design standards, which may be based on non-UK standards, and these standards will be subject to assessment by ONR to ensure they represent relevant good practice. There are also several international bodies which produce standards or guidance documents: where the UK is tied by international agreements, e.g. EU, the standards have the same status as UK ones; where such agreements do not exist the guidance issued may be considered as authoritative, but subsidiary to UK requirements. Important elements of Relevant Good Practice for ONR are the documentation from the IAEA and the Safety Reference Levels developed by WENRA for reactors, decommissioning, and the storage of radioactive waste and spent fuel (20). IAEA’s documents are developed by international consensus and the UK may use them as the basis, inter alia, for good practice requirements. N.B. The IAEA Safety Standards were used to benchmark the 2006 SAPs (10). The WENRA reference Levels for reactors are much more specific and only apply to existing civil nuclear reactors. The decommissioning safety reference levels apply to all types of nuclear facilities and cover all stages in the lifecycle. The storage reference levels apply to facilities where radioactive waste or spent fuel is stored for a significant period of time. The UK is a member of WENRA, has formally signed on to the reference levels and, in line with HSC’s enforcement policy (21) in relation to Relevant Good Practice, we expect them to be followed.
5.6 For ONR the engineering SAPs together with the associated TAGs represent the means by which we judge whether or not licensees' claims of good practice are acceptable. As the TAGs are revised they will be updated in line with the 2006 SAPs and will also explicitly include the WENRA reference levels that are relevant to the TAG in question. Similarly the BMS guidance on inspection provides the means by which many day-to-day relevant good practice decisions are made, though this terminology has not been used in the past. Many of the sources of good practice noted in the above paragraphs are used and referenced in ONR's guidance.
5.7 Another important source of relevant good practice in the nuclear industry is what is done on similar plants. Many licensees have established their own standards reflecting good practices which are acceptable to ONR. However in invoking past practices it is important to be clear that the practice is both still relevant and was implemented for safety reasons. In reaching a decision to implement measures to reduce risks, licensees might take into account additional factors that are not directly safety related (e.g. lower insurance premiums, enhanced commercial reputation etc). It is important that ONR does not take account of such factors in its decision making (see para 19 of R2P2 appendix 3) when determining relevant good practice from what licensees do.
5.8 In many cases licensees will claim that the implementation of particular relevant good practices or standards is sufficient to demonstrate ALARP. In assessing such claims inspectors should apply SAPs ECS.3 to ECS.5 (paras 157 to 161) and in particular may consider:
1) the good practice or standard should be relevant to the specific application, plant or industry in question.
2) the good practice or standard should be up-to-date, taking account of the current state-of-the-art: any practice or standard more than a few years old, or not subject to active ongoing monitoring and review or not written by acknowledged experts may be suspect.
3) the good practice or standard should be the most stringent of all relevant good practices or standards where more than one exists.
4) the good practice or standard should not be of the form of a minimum requirement with additional consideration of the possibility of doing better.
5) where a good practice or standard allows for more than one option, these should be tested to determine those which are reasonably practicable.
6) the good practice or standard should include explicitly all relevant factors, particularly relating to assumptions on the standards of contingent systems or inputs/outputs. Standards and good practices may relate to single Systems, Structures and Components and further consideration may need to be given to possible interactions.
7) there should be no doubt about the applicability of the good practice or standard to the case in point.
5.9 The disproportion factor (see para 4.2 (9)) is relevant when the qualitative engineering or operational factors in the SAPs are part of an ALARP case. This could affect the degree of compliance with these factors. For example, a greater degree of say redundancy/diversity may be reasonably practicable where the risk is high than for lower risk situations. Similarly the resources and effort to ensure the quality of the engineering would be expected to be appropriate to the level of risk.
5.10 Although the relevant good practice requirements in para 5.8 have been quoted in the context of relevant good practice in making ALARP demonstrations in safety cases, they also provide a useful list to consider in day-to-day dealings with licensees when judging qualitative features of operational safety.
5.11 Deciding what is reasonably practicable involves the exercise of judgement and enforcing authorities will generally expect relevant good practice to be followed. Where relevant good practice in particular cases is not clearly established (see para 5.8 above) health and safety law effectively requires duty holders to establish explicitly the significance of the risks to determine what action needs to be taken. Where it is not possible to demonstrate ALARP by good practice features alone, the benefits of risk reducing measures should be compared with their costs. Sometimes it is helpful to use a common unit, which is generally money, so that the analysis may become a form of Cost Benefit Analysis (CBA). The degree of quantification is case dependent, but must be sufficient to make the case fit for purpose. In particular, a CBA is unlikely to be considered an adequate argument on its own that a situation is ALARP (15). The following paragraphs give further guidance on quantitative approaches, on numerical estimation of risks, and on the application of CBA and other quantitative approaches. Further guidance to inspectors is provided in HSE's generic Principles for CBA (7) and the CBA Checklist (9); HSE's policy in regard to CBA is summarised in Appendix 3 of R2P2 (1) and paragraphs 101-108 of its main text.
5.12 The outline of a quantitative case is relatively straightforward. The benefit requires two estimates of risk: one before the implementation of the improvement and one after. The incremental benefit of the improvement is the difference in risk between the two estimates in terms of the detriments (i.e. all the adverse consequences) and their likelihoods. It is anticipated that a broad comparison of these benefits and the costs of the improvement can in many cases lead to a decision without needing to translate the risk reduction into monetary terms. In other cases the detriments may need to be expressed in terms of money to compare with the costs of the improvement. The level of risk without the improvement sets the starting point on the risk scale and so influences the disproportion factor.
5.13 The use of CBA for comparing the costs of making improvements against the benefits gained is part of the regulatory process during the production of new regulations by HSC/E and Other Government Departments. Less well developed is the use of CBA in decision making within the type of goal-setting regulation which ONR use. TOR (2) Appendix 3 considers the application of CBA to nuclear safety assessment and concludes that whilst it may be useful in some circumstances where quantification can be obtained without disproportionate effort or excessive uncertainty, it was not feasible, at the time of writing, to develop a CBA "rule book" approach that can be applied mechanistically across the board. Although there have been more recent developments in this area (e.g. (9)), this opinion is still considered valid.
5.14 In a quantitative analysis, a numerical value for the disproportion factor (see para 4.2(9)) may be needed. Principles for CBA (7) acknowledges that HSE has no algorithm to determine this factor, which needs to be set on a case-by-case basis. Based on HSC guidance, the choice of factor should take into account societal concerns (see paras 31-35 of the HSE ALARP Principles (3)). Because of the uncertainties, the judgement on an appropriate value of the disproportion factor will depend on the robustness of the analysis and should be one of the parameters varied in a sensitivity analysis. Guidance on disproportion factors is given in para 4.2(9).
5.15 In considering the effect of a modification, potential changes to the risk from both accidents and normal operation must be considered (see para 6.7). Risks associated with normal operation are covered in T/AST/038 (23). The estimation of risk from accidents may be carried out through a detailed PSA, though in some cases other means of estimating the risks may be appropriate. General aspects of the assessment of PSA are considered in T/AST/030 (24); special aspects particular to the ALARP demonstration are considered in this guide.
5.16 In calculating the accident risk it is important that all the changes in risk due to the modification are accounted for (see also para 17 of the HSE ALARP Principles (3)). It is important to be sure that licensees do not understate the value of the benefit from the improvement by limiting the analysis (N.B. this may also apply to qualitative considerations). Assessors should therefore check that licensees have not masked potential improvements which would affect non-dominant risks by considering only changes to the overall risk: all possible risk reductions should be viewed on their own merits. Equally transfers of risk should be considered. For example, in a waste storage plant, a reduction in public exposure as a result of reduced discharges may lead to increased worker doses.
5.17 Some quantitative arguments may involve balancing risks, for example implementation of a modification to reduce risk to the public might lead to a dose uptake during the work. TOR (2) gives the tolerable individual risk to a worker as ten times higher than that to the general public but for ALARP/CBA purposes equal valuation should be assumed (see paras 37 & 38 of the HSE ALARP Principles (3)). The issue of balancing risks may need to involve cooperation with other agencies (EA & SEPA) if some of the risks are associated with authorised discharges and disposals of radioactive waste.
5.18 This section discusses how detriments can be valued to obtain an estimate of the benefit achieved by reducing the risk. This includes detriments from normal operation such as radiation exposures of workers and the public; detriments from accidents which again includes radiation exposures to the public and workers but also includes other detriments such as the need to decontaminate areas, evacuation, relocation and food bans. Valuation of detriments is still a subject of much discussion and research. Currently HSE (see Para 1, app3 of R2P2 (1)) uses a figure of £1 million (2001) for the value of preventing a fatality (VPF). In the case of death caused by cancer, HSE takes the view that people are prepared to pay a premium and R2P2 says that a higher figure, twice the above, should be used. Research is ongoing on this issue, so these values may be subject to future change. It is suggested here that the higher figure is also appropriate for all radiation deaths. In many cases the monetary value of the detriment for a given dose will be the value of preventing a fatality multiplied by the probability of death occurring for that dose, multiplied by the number of people receiving the dose. For accidents, the likelihood of the accident will be an additional factor.
5.19 Accidental releases of radioactive material may lead to widespread contamination off and on the plant or site. Off-site it will lead to other safety related detriments such as evacuation, relocation, land interdiction and food bans. Attempts to cost all of these have been made by licensees both for reactors and for chemical plant, based on the NRPB (now the Health Protection Agency - HPA) model COCO-1 (16a). A range of accidents was analysed and costed and in producing an ALARP case the licensee selected the most representative case. This model is now quite dated and a joint project with HPA was undertaken to update it. The updated model, COCO-2 (16b), published in 2008, takes account of the current UK economic structure, considers some of the economic effects of an accident in more detail and includes some additional sources of loss. It is expected that, in future, COCO-2 will be the benchmark where the costing of detriments is part of the ALARP demonstration. Where the demonstration relies on other models, assessors should check the modelling assumptions and, where appropriate, the outputs against those of COCO-2. On-site there will also be the costs of clean up and those associated with returning the plant to a safe state, which may also increase the eventual cost of de-licensing. Note that the costs of returning the plant to operation should not be included, unless it is needed for safety reasons. Worker doses may be increased as a result of the clean up which may lead to additional discharges to the environment. It is important that all safety related benefits and detriments are identified and some judgement may be needed to determine what is safety related rather than commercial.
5.20 A further consideration is the extent to which "aversion" and/or "dread" should be used as a multiplier to the cost: the former being applied to large accidents, the latter to particular kinds of accidents. The HSE ALARP Principles (3) paras 31 to 34 indicate that it is HSC policy to consider risk and sacrifice in its social context and that the judgement on whether measures are grossly disproportionate reflects this. HSE has commissioned research into several aspects of societal concern (16c). The results of this research have not, so far, led to any changes in HSE’s policy or approach.
5.21 An alternative is to derive a monetary value for what it would be worth spending to avert the risk. This is normally done by evaluating the benefit of preventing an accident suitably multiplied by a disproportion factor (see para 4.2(9)), the likelihood of the accident under consideration and residual lifetime of the installation (i.e. the period over which the risk is imposed). This value can then be compared with the cost of potential risk reduction measures. It may simplify things further to produce a conservative figure for the detriment valuation by assuming that risks are reduced to zero, so that it is more straightforward to demonstrate that costs are grossly disproportionate.
5.22 A more difficult area for assessment may well be estimating the costs of the modification as these may require a knowledge of both the engineering design and the costs of components etc. It is likely that the full engineering details of the modifications will not be available so that accurate costings will be difficult. For a robust case to be made by a licensee, sensitivity analysis may need to be used on the cost elements as well as other aspects of the analysis. The assessor may need to seek advice on costings during the assessment.
5.23 The costs of implementation of the measure cover the fabrication (if it is equipment), training, loss of revenue etc and should be offset by any financial gain due to the improvement in, say, increased production. Guidance on the calculation methods in relation to normal operation doses can be found in (14), (7) and (9); HSE's policy in regard to CBA is summarised in Appendix 3 of R2P2 (1) and paragraphs 101-108 of its main text.
5.24 In considering costs it is important that only those relating to health and safety improvements are included. The costs considered should be only those necessary and sufficient for the purpose of reducing the risk and not be for "de luxe" measures where cheaper "standard" measures are available.
5.25 Of the cost factors, the loss of revenue is particularly problematic as it can lead to a paradox. If a plant shutdown is required to implement an improvement, a high revenue earning plant may be able to show it is not reasonably practicable to implement an improvement which a lower revenue plant has implemented. Nevertheless HSE accepts that these costs constitute part of the sacrifice and it is valid to count them (see para 21 of (3)). To avoid undue influence of this factor, consideration of the phasing of implementation to reduce the shutdown costs can be made. For example, it may be reasonable to delay implementation until a planned or other outage. Furthermore, in some circumstances it may be established good practice to shut down to enable implementation of the improvement, and in such cases costs have already been implicitly accounted for. In such cases, a CBA based argument against implementing good practice of this type would not be acceptable.
5.26 When reviewing proposals to reduce the risks posed by an existing plant, it is likely that there will be a delay before implementing any major improvements, arising for example from the need to design/manufacture equipment. This raises questions regarding how to take this intervening period into account. In such cases, the ALARP considerations should be based on the costs, future life of the plant etc at the time the safety case is made, and not the (shorter) remaining life following implementation. However, the evaluation of the benefits arising from the improvement may take account of the time to implement. In addition, consideration of the risks during the period prior to implementation should apply the Time at Risk guidance discussed in paragraphs 6.3-6.5.
5.27 Discounting of costs and benefits in the future is considered to be acceptable, against standard Treasury rules, with allowance made for up-rating benefits to allow for expected future improvement in living standards. For further information relating to the application of discount rates, inspectors are referred to 'The Treasury Green Book' (17), which describes the appraisal and evaluation of Government funded projects.
5.28 Appendix 3 of R2P2 suggests a real rate of return of 6% should be used for discounting purposes, together with an up-rating factor of 4%. There is at present no guidance for discounting over periods in excess of about 50 years; longer periods raise questions on equity between different generations and such cases need to be considered on an individual basis. Licensees may choose to use alternative discount rates for their assessments but these will need to be justified.
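The valuation steps in paras 5.18, 5.21 and 5.28, together with the sensitivity testing that para 5.22 asks for, can be combined as below. This is an added illustration, not part of the TAG or of any ONR or HSE method: the accident frequency, probability of death, other-detriment cost, residual life, disproportion factors and the year-end way of combining the 6% and 4% rates are all constructed assumptions. Its output can only inform an ALARP argument, not make it.

```python
from dataclasses import dataclass, replace
from itertools import product

# Figures quoted on the page (paras 5.18 and 5.28).
VPF_GBP_2001 = 1_000_000   # value of preventing a fatality, 2001 prices
RADIATION_MULTIPLIER = 2   # "twice the above" for cancer / radiation deaths
DISCOUNT_RATE = 0.06       # real rate of return used for discounting
UPRATING_RATE = 0.04       # up-rating factor applied to benefits


@dataclass(frozen=True)
class AccidentCase:
    """Inputs for one representative accident. All sample values are constructed."""
    frequency_per_year: float   # likelihood of the accident
    people_exposed: int         # number of people receiving the dose
    p_death_given_dose: float   # probability of death for that dose
    other_detriment_gbp: float  # evacuation, relocation, food bans, clean-up
    residual_life_years: int    # period over which the risk is imposed


def detriment_per_event(case: AccidentCase) -> float:
    """Para 5.18: VPF x probability of death x number of people, plus
    the non-health safety detriments of the accident."""
    health = (VPF_GBP_2001 * RADIATION_MULTIPLIER
              * case.p_death_given_dose * case.people_exposed)
    return health + case.other_detriment_gbp


def pv_factor(years: int, discount: float = DISCOUNT_RATE,
              uprating: float = UPRATING_RATE) -> float:
    """Present value of 1 GBP of benefit in each of `years` years.

    Assumption (not stated on the page): the year-t benefit is up-rated by
    (1 + uprating)**t, discounted by (1 + discount)**t, counted at year end.
    """
    ratio = (1 + uprating) / (1 + discount)
    return sum(ratio ** t for t in range(1, years + 1))


def justified_spend(case: AccidentCase, disproportion_factor: float,
                    risk_reduction: float = 1.0) -> float:
    """Para 5.21: benefit of preventing the accident x disproportion factor
    x likelihood x residual lifetime (here discounted year by year).

    risk_reduction=1.0 is the simplification of assuming the measure reduces
    the risk to zero, which overstates the benefit.
    """
    annual = case.frequency_per_year * detriment_per_event(case) * risk_reduction
    return annual * pv_factor(case.residual_life_years) * disproportion_factor


def sensitivity(case: AccidentCase, measure_cost_gbp: float,
                freq_factors=(0.1, 1.0, 10.0),
                disproportion_factors=(3.0, 10.0)):
    """Vary accident frequency and disproportion factor (hypothetical ranges)
    and report whether the cost exceeds the justified spend in every case.

    Returns (rows, robust): rows are (freq_factor, disproportion_factor,
    justified_spend, cost_exceeds); robust is True only if the comparison
    comes out the same way across the whole grid.
    """
    rows = []
    for f, d in product(freq_factors, disproportion_factors):
        varied = replace(case, frequency_per_year=case.frequency_per_year * f)
        spend = justified_spend(varied, d)
        rows.append((f, d, spend, measure_cost_gbp > spend))
    robust = len({row[3] for row in rows}) == 1
    return rows, robust


# Constructed sample case, for illustration only.
SAMPLE_CASE = AccidentCase(
    frequency_per_year=1e-4,
    people_exposed=100,
    p_death_given_dose=0.05,
    other_detriment_gbp=50_000_000.0,
    residual_life_years=20,
)

if __name__ == "__main__":
    cost = 5_000_000.0  # constructed cost of the candidate measure
    rows, robust = sensitivity(SAMPLE_CASE, cost)
    print(f"detriment per event: GBP {detriment_per_event(SAMPLE_CASE):,.0f}")
    for f, d, spend, exceeds in rows:
        print(f"freq x{f:<4} DF {d:<4} justified spend GBP {spend:>12,.0f} "
              f"cost exceeds: {exceeds}")
    print("conclusion robust to these variations:", robust)
```

With the sample inputs the cost exceeds the justified spend at the central frequency but not at ten times that frequency, so the comparison is not robust and a case resting on it would need better-supported inputs.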
6.1 The purpose of this part of the TAG is to consider some of the applications of the ALARP principle which can lead to contentious situations.
6.2 One of the difficulties in making a robust quantitative argument is that many of the factors, both in the risk and costs, are subject to uncertainties, hence in making a case, particularly where it uses quantitative methods, sensitivity studies to test the robustness of the arguments should be provided. Paragraphs 89 to 93 of R2P2 and appendix 1 of R2P2 recommend the use of a precautionary approach in the face of uncertainty, i.e. to assume that precautions should be taken unless there is a good reason to think that the risk is insignificant (see also SAPs para 28).
6.3 The requirement to carry out an activity such that risks are reduced SFAIRP is not time limited, that is to say that the requirement exists at all times. The variable risk rate due to normal operation is generally averaged out over a year, but brief periods of substantially higher risk than average should be reviewed separately against ALARP requirements. Thus, if there is a change in the plant operational state for a short time, due to say maintenance activities, or if some control measures are removed to allow a job to be done, the plant must still be adequately protected and an ALARP demonstration is required for the new state (see SAPs para 631). Further considerations of Time at Risk can be found in SAPs para 629ff and Annex 2.
6.4 The SAPs (para 34) note that as a plant ages the safety margins may be eroded, for example due to the incidence of, or vulnerability to, faults increasing due to wear etc. Reducing the risk level may not be possible so a judgement has to be made whether the continued operation of the plant is acceptable at the higher risk. The future lifetime of the plant may be a factor in making such judgements, but care is needed to ensure that the facility does not operate outside of legal limits and that assumed lifetime is defined irrevocably before allowing such a factor - see (15) and Annex 2. This sort of situation can be difficult where the ageing is gradual and there is no obvious transition from 'safe' to 'not safe'. In such cases, careful monitoring and regular review is likely to be needed.
6.5 Situations may well arise where the risk is so high that it is judged intolerable and in these cases the need arises to manage the situation with the intention of reducing the risks SFAIRP. It is taken as read that these situations will only arise due to unexpected failures, activities which are intended to result in improved safety in the longer term, or where there is a "bigger picture" justifying a temporary tolerance of such a risk. It certainly should not be the case that a plant is allowed to operate at this level of risk unless there is no alternative (see para 572 of the SAPs). In cases where activities to reduce long-term risks mean risks rise in the short-term, efforts should be made to carry out the activities such that the risks are minimised both in magnitude and time and that exposure to operational doses and the potential for accidental releases are balanced. Annex 2 explores this issue further, but any case that involves risks which would not normally be allowable needs careful consideration (see SAPs para 637 and para 6.7).
6.6 A quantitative risk/CBA approach may be used by licensees to try and show that moving to a less protected situation meets the ALARP criteria, sometimes arguing that the increase in risk is more than balanced by the gains in reduced operational costs or increased operating profit. Other factors, particularly those relating to good practice and previous experience, would militate against this argument and, in general, HSE would require previous good practice to be upheld. To succeed in an approach where risks appear to increase, the licensee would have to show changed circumstances, as noted in para 39 of the HSE ALARP Principles (3), or that the existing situation went beyond what was required by ALARP. Any case for reducing safety would have to show that additional safety measures are not reasonably practicable in the new situation. However, where the level of risk is small, and the increase in risk is small and forms part of a package which overall improves health and safety, the situation may be accepted. Other grounds which may be accepted are where the risks are low and the measures in place can be shown to be unduly conservative as a result of new knowledge. In other cases a change may be forced due to it being impossible to replace like for like components due to obsolescence. Another possibility is where the safety case contains generous margins which can be relaxed without any diminution in the required level of safety. Many people feel uncomfortable about accepting increased risks, often referred to as "reverse" or "negative" ALARP, but in the past ONR has accepted cases which meet the above criteria and HSE's ALARP principles (ref 3 para 39) anticipate the need to deal with such situations.
6.7 Some activities, such as those associated with decommissioning, may entail a temporary increase in the risk in order to achieve an overall reduction in the possibility of danger, and consequent decrease in the long-term risk. Such situations are in line with wider Government Policy (11a and 11b) and are allowable provided that the risk increase is itself ALARP and the period of increased risk is kept as short as reasonably practicable. Another area where an increase in risks (on- and/or off-site) can occur is where additional processes need to be carried out on the site to reduce the quantity of radioactive material normally discharged to the environment. This usually results from actions taken by the Environment Agency to reduce discharges to comply with Best Practical Means (BPM). A possible consequence of this is that on-site accumulation of radioactive waste will increase unless a disposal route exists. Even if a disposal route is available, there are Health and Safety aspects of the additional processes to consider. Thus the potential exists to increase risk both on and off the site under fault conditions. In addition operator doses will increase (albeit by a small amount) as a result of the additional operations/maintenance that will need to be carried out. Consequently it is important, during optioneering studies carried out by the licensee to establish the BPM option, that adequate weighting is given to Health and Safety aspects. These studies need careful evaluation by ONR to ensure that the option chosen is also ALARP from a Health and Safety perspective.
6.8 If a change to the design or operation of a plant is implemented to reduce a particular risk, it is highly likely that there will be other effects which could alter the risk profile of the plant. It has already been emphasised that the full effect of the implementation needs to be considered in terms of the reduction in risks, but it should be borne in mind that risks may also be increased in other areas. Risks from radiological hazards can be characterised as being due to accidents or normal operation and affect the public and/or persons on-site, but conventional risks can also be affected by the changes. It is important therefore, when considering implementation of a modification, that any increase in risk in other forms is not greater than the decrease in the area of interest. Paras 36 to 38 of HSE's ALARP Principles (3) refer to this as Risk Transfer and confirm the importance of considering all of the risks within the licensee's control before coming to a decision.
6.9 When considering doses that are received in normal operation, a certain degree of dose sharing is acceptable to reduce doses to individual workers and hence their risks. The ACoP (13) says that if a choice between restricting doses to individuals and groups has to be made, priority should be given to keeping individual doses as far below dose limits as reasonably practicable. Dose sharing might reduce individual doses further but should not be used as a primary means of complying with dose limits. Priority should instead be given to changing methods of work, improving engineering controls and adopting other means of restricting exposure. In the case of doses received due to accidental releases, the concept of risk sharing for workers by use of occupancy factors may be questionable (see paras 6.11 & 6.12) and individual risk cannot be made acceptable by using many people for short times so each only gets a portion of the risk. The assessment of risk to persons on-site is considered further in the next two paragraphs.
6.10 SAP Target 5 provides a basis for assessing individual risk to persons on-site arising from accidents. This is supplemented by Target 6, which sets targets for the frequency of individual accident sequences based on the consequential dose. Target 6 is specifically intended to emphasise the need for prevention and mitigation through the adoption of appropriate safety measures. Such a target is considered necessary since assessments solely against Target 5 could rely to an unreasonable extent on arguments based on occupancy (see also para 6.11), shift working etc to show the risk to any individual is small, whereas in reality there may be reasonably practicable improvements that would reduce risks to the wider group. In the analysis of an individual fault/event scenario, the risks and protection measure requirements should be assessed with respect to the potential dose to a worker who is exposed to the consequences of the fault/event. The likelihood of a particular fault/event should not be judged acceptable on one plant, and not on another, merely because there are more people working within the first plant to "share" the risk. However when summing risks to an individual worker on a plant from all faults/events, it would be acceptable for a licensee to make arguments that the risks from a plant's operation to any specific individual was less than the simple sum of all the individual "fault/event analysis" estimates due to justified "occupancy" factors (not all persons on-site will be exposed to all the risks from the plant). It should be noted that the demonstration showing that a specific level of individual risk is achieved might not be a sufficient demonstration that all required reasonably practicable measures have been undertaken for the reasons noted in the previous paragraph.
6.11 In considering risk to persons on-site the use of occupancy factors is frequently encountered. Occupancy claims need to be considered carefully as the occupancy under consideration can mean different things:
1) the fraction of time a specific individual is on-site. If the risk being estimated is to a specific individual this factor is valid.
2) the fraction of risks on a particular plant a specific individual may be exposed to. Again if specific individual risk is the aim this is valid.
3) the likelihood of a worker being in the vicinity of an accident. Where a worker may be present for part of the time and the fault is random there are two situations to consider: in assessing the risk in cases where the occupancy is controlled it is valid to consider the occupancy factor, but where the occupancy is uncontrolled (e.g. in a corridor) the dose should be assessed assuming a person is present.
6.12 In considering Target 6, it is expected that estimates will be made assuming someone is present, unless adequate control measures are in force to ensure their absence, and the contributions from each fault summed. Low specific individual risk estimates are not particularly valuable if they rely on significant low occupancy factor claims for a specific individual, and the risks to a worker in general are much higher. Should the summed risk to any worker be high, then justified occupancy claims can be considered, along with any proposals to control exposure etc.
6.13 There is a growing perception that risks that are imposed, that are unevenly distributed, or that affect future generations, should be scrutinised and seen to be justified (R2P2, paras 47 & 48). Some projects in the nuclear industry, and particularly those associated with radioactive waste management and decommissioning, will run over many years, and the risks that result may affect future generations of workers and the public as well as the present generation. For such cases the risks should be assessed in an holistic manner and not restricted to part of the overall time period or part of a process. It is HSE's view that there seems to be no sound case for advocating that future generations should not be protected at least as well as the present. Although it could be argued that the next few generations may gain some indirect benefit, the uncertainty of how they will view the risks left to them (and indeed the uncertainty of any benefits further into the future) argues for a precautionary approach (R2P2 paras 89-93) and hence a particularly stringent demonstration of the ALARP principle. We would therefore expect to see particular efforts made to demonstrate that risks to future generations are at least consistent with the levels of risk that would be accepted as adequate protection for the present generation. Given the uncertainties in estimating long-term future risks, good practice and the application of the Engineering Key Principles hierarchy with the emphasis on control of hazard (see SAPs EKP 1-4 and supporting guidance, particularly para 146), are likely to be much more important than numerical risk estimates and CBA in establishing the way forward. In this context it is worth bearing in mind that a 1x10⁻⁴/yr risk for one year implies a low likelihood of someone being hurt, whereas 1x10⁻⁴/yr for 10000 years implies a high likelihood of an adverse consequence.
6.14 The requirement to carry out a risk assessment and produce a safety case is absolute and cannot be argued against on the grounds that the costs are grossly disproportionate to the risks (see MHSWR for example). HSE does however accept that the scope, depth and effort put into the safety case should be related to the level of risk (see para 4.2(8)).
7.1 This guide is aimed at helping ONR inspectors establish whether licensees have met their requirements or, if not, to gauge the extent of the difference between what has been achieved and ONR's expectations. The EMM (18) calls this difference the "Risk Gap" and provides advice on the nature of enforcement action to remedy any shortfall.
8.1 Finally, attached at Annex 1, is a checklist of the main assessment points which will help inspectors decide whether all the key points have been addressed by the licensee.
1) Reducing risks protecting people. HSE Books 2001
2) HSE. The Tolerability of Risk from Nuclear Power Stations, HMSO, 1992.
4) Assessing compliance with the law in individual cases and the use of good practice.
5) Policy and Guidance on reducing risks as low as reasonably practicable in design.
6) The Regulation of Nuclear Installations in the UK including Notes for Applicants.
7) Principles for Cost Benefit Analysis (CBA) in support of ALARP decision.
9) Cost Benefit Analysis (CBA) Checklist.
10) HSE. Safety Assessment Principles for Nuclear Facilities. First Edition, 2006.
11a) The rolling summary of the current components of the radioactive waste management policy in the UK
11b) Decommissioning of UK nuclear industry’s facilities
12) NRPB - Documents of the NRPB vol. 4(2) 1993
13) HSE. Work with Ionising Radiation, Ionising Radiations Regulations 1999, Approved Code of Practice and Guidance, HSE Books, 2000. ISBN 0 7176 1746 7
14) HSE. Managing for Safety at Nuclear Installations, HSE Books, 1996
15) Harbison, S. A Safety Assessment and Objectives for Plant Designed 40 Years Ago, Paper presented at ENS Conference, TOPSAFE 95, Budapest
16a) Haywood S M et al COCO-1: Model for Assessing the Costs of Offsite Consequences of Accidental Releases of Radioactivity, NRPB-R243, 1991
16b) COCO-2: A model to Assess the Economic Impact of an Accident, HPA-RPD-046, 2008
16c) Valuation of Health and Safety Benefits: Dread Risks, HSE Research Report RR541
18) HSE: Enforcement Decision. See links therein to the EMM.
19) Nuclear power station generic design assessment – guidance to requesting parties HSE
20) Western European Nuclear Regulators’ Association – WENRA
21) HSC Enforcement Policy Statement
22) T/AST/050 - ONR Technical Assessment Guide on Periodic Safety Reviews
23) T/AST/038 - ONR Technical Assessment Guide on Radiological Protection
24) T/AST/030 - ONR Technical Assessment Guide on Probabilistic Safety Analysis 
25) T/AST/051 - ONR Technical Assessment Guide on the purpose, scope and content of Nuclear Safety Cases
Basic points
A1.1 The risks must be ALARP. If the engineering and operation of the plant gives no cause for concern, and the risks are adequately demonstrated to be "broadly acceptable" (i.e. below all the BSOs) then this is sufficient (section 2 & 3) for ONR assessment purposes. If the risks are above the BSO, then inspectors should consider whether these are reduced to ALARP.
A1.2 If the risks exceed BSLs or are otherwise not allowable, e.g. evidently poor engineering (section 2 & 3) or sub-standard operations (procedures or implementation) then further consideration of measures to make the risks ALARP is required.
The following checkpoints may be relevant in reviewing licensees' safety cases or arguments that the risks are ALARP.
1. Has the full range of health and safety detriments been considered adequately (para 4.2(7))?
2. Does the ALARP argument refer only to those risks which the licensee controls (para 4.2(1))?
3. Affordability is not a legitimate factor in the assessment of costs (para 4.2(2)).
4. ALARP cannot be used to argue against statutory duties or government policy (para 4.2(3)).
5. Have all relevant options been considered by the licensee (para 4.2(4))?
6. Does the licensee's study of the options begin with the safest (as opposed to the cheapest) option (para 4.2(4))?
7. If measures are deemed not reasonably practicable, has partial implementation been considered (para 4.2(5))? Inspectors need also to be wary of "deluxe" measures unduly inflating the cost (para 5.24).
8. If the proposed/implemented measures do not make the risks broadly acceptable, has implementation of additional measures been considered (para 4.2(5))?
9. For measures deemed not reasonably practicable, has the licensee demonstrated gross disproportion (para 4.2(9)), taking due account of aversion (para 5.16) and that the higher the consequences, the more weight they should have in the decision (para 4.2(8))?
10. The ALARP arguments should include explicit consideration of qualitative features related to engineering and other types of relevant good practice (paras 3.5, 3.6 and 5.1-5.10).
12. Are all of the relevant engineering SAPs met? If not, has the licensee identified and considered any deficiencies from an ALARP perspective (para 3.5)?
13. Has the licensee given adequate consideration to the Engineering Key Principles and the hierarchy of safety measures (para 3.6)?
14. For quantitative ALARP arguments, has the licensee estimated the reduction in risk (para 5.15)?
15. Have all health and safety effects of the modification been considered in determining the change in risk (paras 5.16 and 6.8)?
16. Has CBA been used to inform, rather than make the ALARP argument? A CBA on its own is not acceptable as an ALARP case (para 5.13).
17. The value of a life should not be below £2m (2001) for cancer- or radiation-induced deaths (para 5.18).
18. Have adequate sensitivity studies demonstrating robustness to uncertainties in all the inputs to the CBA been carried out (paras 6.2 & 5.16)? Are the uncertainties such that a precautionary approach is appropriate (paras 6.2 and 6.13)?
22. Discounting over long periods (in excess of 50 years) is problematical (see para 18 of app3 of R2P2) and needs careful consideration (para 5.28).
23. Have the guidelines on CBA in paras 101-8 and app3 of R2P2 and the CBA Checklist been followed? If not is the licensee's analysis justified?
24. ALARP applies at all times and arguments employing Time at Risk may need special consideration. See Annex 2 for further details (paras 6.3-6.5).
25. Reverse ALARP arguments for increased risk are only allowable in special circumstances (paras 6.6 & 6.7).
26. Dose sharing: Has the licensee given adequate consideration to changing working methods, engineering controls or other means of dose restriction before considering dose sharing (para 6.9)?
27. Sharing the risk from an accidental exposure between a group of workers is not allowable (para 6.9).
28. Have occupancy factors in assessments of worker risk been properly considered (para 6.11 & 6.12)?
29. For long-term risks, have relevant good practice and the Engineering Key Principles hierarchy, with the emphasis on "control of hazard" (para 6.13) and consideration of the full life cycle of the installation (para 19 of (5)) been applied?
A2.1 Introduction
A2.1.1 In cases where a risk exists for only a short period, licensees may argue that it is acceptable to not spend resources to improve safety to a level that would be reasonably practicable for continuous, long-term operation. Section A2.2 of this Annex gives assessment guidelines for these situations. Similar arguments may be invoked to argue for the acceptability of safety decreasing as a plant ages, on the grounds that its future life is less than the original design life; guidelines for assessment of such cases are given in section A2.3. For both these situations the expression "time at risk" has been commonly used. For clarity, we use the terms “short term risks” and “residual time at risk” respectively in this document. The SAPs use the term “time at risk” exclusively for the former situation.
A2.1.2 The risk targets in SAPs (10) are given as frequencies based on annual averages. However, where risks exist for short periods of time, the use of annualised frequencies may be unrealistic. SAP NT.2 and paragraphs 629 to 638 consider this situation. In the context of arguments about the residual time at risk at the end of a plant's life (SAPs para 34), reference (15) states "It is essential that the risk criteria, i.e. the BSLs, are not exceeded under such circumstances and that, for example, a plant is not permitted to operate at high risk, albeit for only a short time" – see SAPs paragraph 572.
A2.2 Guidelines for short-term risks
A2.2.1 Many risks are not constant throughout a year but are actually the result of a series of shorter exposures to differing levels of risk. The discussion of risk and the derived criteria, in both TOR (2) and SAPs, which feed into ALARP demonstrations, implicitly and explicitly refer to risks on a per year basis by aggregating over a typical year of employment or residence (in the case of a member of the general public). There is hence a need to interpret the concepts and criteria for shorter periods.
A2.2.2 In some cases the annual risk will already contain contributions from these states but it is important to recognise that this may disguise large variations in risk. It is emphasised that safety cases should not rely solely on numerical risk estimates, and care should be taken to ensure that a licensee does not treat the ALARP demonstration as an exercise in playing with numbers.
A2.2.3 The guidelines below are intended to provide an overall policy against which to assess whether a licensee has made an adequate demonstration that all reasonably practicable measures to control short-term risks have been taken. Due to the large number of possible reasons for variation in risk, it must be left to the individual assessor to judge whether these requirements have been met in specific cases.
(i) It is fundamental that there should be sufficient control of hazards available at all times (SAP NT.2). Sufficient protection must be retained or adequate substitution arrangements, based on engineering and operational considerations, put in place. Any reasonable step that can be taken to eliminate or mitigate a hazard should normally be taken irrespective of "time at risk" arguments. Thought should also be given to contingencies to cope if the situation were to deteriorate further.
(ii) Any period in which the point in time risk exceeds the normal level of risk must be subject to a specific demonstration that risks are controlled ALARP. The degree of robustness required in the ALARP case will depend on both the normal risk and the extent of the temporary increase in risk.
(iii) The short-term risk must not be intolerable except in special circumstances. Any case made for carrying out any operation which requires the risk to be in the intolerable region, however briefly, needs to be made very rigorously and may include factors which would be considered in an ALARP case and additional considerations. Special circumstances may include situations not originally foreseen in the design of the plant or which are unavoidable due to the need to move to another, less risky, state through a less safe one (see vi below). It would be expected that arrangements would then be put in place to prevent a recurrence of the unforeseen situation.
(iv) The extent of the time for which the risk is increased should not be the sole argument for acceptability that a situation is ALARP. The safety case should consider whether or not additional measures are necessary. As in any consideration of ALARP, the magnitude of the consequences should also be a factor, as well as the level of risk.
(v) During operations which impose a planned short-term risk, additional monitoring of the actual plant state should be undertaken to ensure that the mode of operation and the time during which it persists meet the assumptions in the ALARP case.
(vi) There may be situations, particularly during cleanout and decommissioning, where the risk is increased during the operation with the intention of reducing the risk long-term. Whilst the procedure is continuing, which may be for a significant time, it is expected that suitable engineering and/or operational arrangements will be made to ensure that the risk is ALARP.
A2.3 Guidelines for residual time at risk cases
A2.3.1 Residual time at risk situations are those where increases in the normal risk occur, due to changes in the plant state, but will only exist for a limited period due to the restricted future lifetime of the plant. This situation is particularly concerned with the inexorable increase in risk due to ageing and wear-out effects towards the "end-of-life" of a plant, where the risk will be generally increasing monotonically. In these situations a licensee may argue that it is not worthwhile to make improvements given the expected remaining life. In essence, the guidelines relate to periods that are short in comparison to the total design or operational life of the plant or the timescale of eventually returning the site to normal usage. Arguments during clean-up and decommissioning are also made against a fixed future date (and may include arguments about what that date should be) and so the guidance may be relevant to these situations also.
A2.3.2 These guidelines relate to assessment of safety cases either for a Periodic Safety Review or at any time when there appears to be a significant ageing phenomenon present. The need for re-analysis may result from ageing effects or the identification of previously unconsidered hazards, which indicate that the plant is less safe than previously believed. As well as the points listed under A2.2, the following should be considered:
(i) The safety case should be updated to take account of any relevant new knowledge or experience and data appropriate to the current and predicted future state and mode of operation of the plant. Comparison with modern standards of engineering and operation and risk criteria should be undertaken.
(ii) The revised risk assessment must show that the plant is tolerable for future operations. For example the numerical risk estimates should not be greater than BSLs (SAPs para 572). If the risk is deemed to be intolerable then the plant must shut down or improvements must be made to reduce the risk.
(iii) Proposed limits on remaining lifetime may be invoked in making the ALARP demonstration, but this cannot be used to justify a plant operating in the intolerable region. A case not to make an improvement based largely on limited future lifetime would only be acceptable where the maximum extent of the future operational life is irrevocably fixed after the scheduled shutdown to provide a margin of safety. In cases where the planned lifetime is not irrevocably fixed, a minimum period of ten years (or the unavoidable necessary life of the plant, if longer) should be considered for the purposes of the ALARP demonstration (see SAP para 34).
(iv) For cases addressing clean-up or decommissioning, the ALARP argument should be focussed on consideration of good practice. Cases arguing for an infinite delay by invoking CBA with significant discounted costs need to be guarded against. Concentration on removal of the hazard, or on decreasing its propensity to cause harm should be paramount. Arguments based simply on time at risk will not generally be sufficient.
Summary of proposed approach:
In the context of the Generic Design Assessment (GDA) process for new reactor designs we have to judge whether the legal duty of controlling and reducing risks so far as is reasonably practicable (SFAIRP), usually referred to within HSE as ALARP (as low as reasonably practicable), has been met. In the majority of cases we currently deal with, the discussion of ALARP is primarily one of whether additional features should be implemented to an already existing reactor design. Thus the position when a new reactor design is presented to us is novel in regard to the current HSE ALARP guidance.
Although nominally at the design stage, all of the proposed designs are essentially complete in terms of the overall concept and major systems and have reached that stage after many years of development and optimisation in non-UK regulatory environments. However, the essence of the UK system is goal setting and the main objective is to see that the reactor designs represent an ALARP outcome rather than to examine the route by which that end was achieved. Similarly, we intend to look at the design holistically and be guided by overall safety rather than focussing on incremental changes (e.g. thickness of a concrete wall, or level of redundancy in a single system) to individual elements of the safety argument in isolation. Hence the intention is not to seek new, UK-specific design features, but to see that the law is met. Furthermore we recognise there are safety benefits in standardisation: a wider pool of experience will inevitably provide better feedback for future improvement in safety and this must be taken into account. It is also worth noting that the intent is to judge whether the individual designs meet the requirement to demonstrate ALARP on their own merits, not to compare them.
For the overall ALARP demonstrations we expect the four main areas below to be addressed:
1 There is a clear conclusion that there are no further reasonably practicable improvements that could be implemented, and therefore the risk has been reduced ALARP.
2 Relevant good practice: This is the basic requirement of demonstrating that designs meet the law. The Requesting Party (RP) must set out the standards and codes used and justify them to the extent that we can ‘deem’ them Relevant Good Practice when viewed against our SAPs (see para 3.5, 5.1 and 5.5). This justification is expected to include a comparison with other international/ national standards. Clearly the standards and codes adopted by the RP must be shown to have been met.
3 Options: This will comprise two stages: Firstly an examination of the RP’s rationale for the evolution of the design, using its forerunners as a baseline, why certain features were selected and others rejected and that this process has resulted in an improved design from the safety aspect. Secondly the Requesting Party needs to address the question “what more could be done?” and provide an argument of “why they can’t do it” (i.e. it is not reasonably practicable). This second element could be done by postulating further options for improvement (previously discarded options may be suitable candidates) and evaluating them, or by showing that it is only worth spending trivial amounts of money (see para 5.21). Clearly if an option was shown to be Reasonably Practicable that option should have been taken or where it is found to be worth spending non-trivial amounts to improve safety, then further avenues for risk reduction should be explored.
4 Risk assessment: The use of risk targets in isolation is not an acceptable means of demonstrating ALARP and we expect to see risk assessments used to identify potential engineering and/or operational improvements as well as confirming numerical levels of safety. The BSOs in the SAPs represent broadly acceptable levels below which we have said that we expect to confine ourselves to considering the validity of the arguments that the BSOs have actually been met. We have also made it clear that the way in which we apply these numerical targets will depend heavily on the views we form on the engineering (and at a later stage operational practices) and that meeting the BSOs is not a green light for requesting parties to forgo further ALARP considerations. Nevertheless, well supported numerical risk figures that show BSOs to be met can be an important element of support to the overall ALARP demonstration.
In support of these 4 elements the following points may be helpful:
It would seem that we must start with some presumptions of what we expect from a regulatory standpoint. These could include: