Safety Case Toolkit

The Office for Nuclear Regulation (ONR) is the regulatory body for all aspects of nuclear safety within the UK. The UK generally operates a goal-setting regime rather than the more prescriptive regimes applied in other countries such as France and the USA.
Defence in depth requires that multiple layers of defence are provided via engineered features and management arrangements for preventing failures and, if prevention fails, for limiting the consequences and preventing the evolution of events into more serious conditions.
While the safety case is a mandatory regulatory requirement, its primary purpose is to enable the Licensee to satisfy themselves that they have considered all potential risks associated with the activities on site, and have implemented suitable and sufficient measures to mitigate the risk of radiological consequences to their staff and the public to a level that is As Low As Reasonably Practicable (ALARP).
The Safety Case Process Diagram identifies the key building blocks and activities required to construct a Nuclear Power Plant (NPP) safety case.
Before presenting any guidance, tools or techniques that aid the development of good, high quality nuclear safety cases, it is necessary to have a common understanding of what this constitutes.
It is common practice among UK licensees to produce a set of Nuclear Safety Principles (NSPs) for application in the assessment of the safety of their installations. While the specific content varies from one licensee to the next, the general intent is the same: to provide a high-level set of principles for reviewing the adequacy of their nuclear safety cases, taking due consideration of available international and regulatory guidance, such as the IAEA Fundamental Safety Principles and the Office for Nuclear Regulation (ONR) Safety Assessment Principles (SAPs).
A key part of the Safety Case process is being able to demonstrate that the organisation has an appropriate leadership and management structure that is focused on safety, as detailed in the International Atomic Energy Agency (IAEA) leadership and management guidance (IAEA Safety Standards GSR Part 2). This is commonly referred to within the UK civil nuclear industry as ‘developing a strong nuclear safety culture’.
In order to ensure that Operating Experience (OPEX) and best practices are shared across the nuclear industry, the World Association of Nuclear Operators (WANO) publishes Significant Operating Experience Reports (SOERs).
Throughout the lifecycle of a facility, from conception through to decommissioning, there are various key stages which require special consideration. The safety case for each stage should demonstrate the safety of that stage before it commences, and should be forward looking to subsequent stages aligned to Office for Nuclear Regulation (ONR) guidance (ONR NS-TAST-GD-051). For facilities under design or construction, the safety case at each stage should contain sufficient detail to give confidence that the safety intent will be achieved in subsequent stages.
The Safety Case Dataset identifies the key information that is used to construct the safety case and is linked to the building blocks described in the Safety Case Process Diagram.
Step 1 is the initiation Step where matters such as the scope and timescales are agreed, and ONR's knowledge of the design and the Requesting Party's (RP's) safety and security cases increases. Importantly, this Step includes the RP identifying any immediate gaps in meeting regulatory expectations and proposing how these will be subsequently resolved.
Step 2 is the fundamental assessment of the generic safety and security cases, to identify any potential 'showstoppers' that may preclude deployment of the design.
The Design Assurance (DA) process is a formal, systematic process that augments the design effort and increases the probability of product design conformance to requirements and project needs.
A safety case is rarely a single document; it consists of the entirety of the body of evidence presented that demonstrates that the hazard presented by the Nuclear Power Plant (NPP) is adequately controlled and mitigated such that the risk to workers and the public is As Low As Reasonably Practicable (ALARP).
Model Based System Engineering (MBSE) is one of a number of applications that could be used to capture an Electronic Safety Case, or to map the key processes and information that are used to develop the safety case. Though the definition and purpose of MBSE is discussed in this document, the application of MBSE in the nuclear sector has been considered within a separate research task.
There is a requirement to explore ways of developing and presenting Nuclear Power Plant (NPP) safety cases more efficiently if targeted cost savings are to be met. The capabilities of current safety case tools and methods are being challenged by many factors, including the complexity of modern NPPs, regulatory requirements and advances in industry guidance, including fault and hazard studies. Many of these challenges relate to the ability to access, link, and update the information that forms the basis of the safety case.
In order to build and operate a Nuclear Power Plant (NPP) in the UK, the operator is required to obtain licences and permissions from a number of different bodies. These bodies include planning authorities, environmental regulators, and, importantly in the context of a nuclear safety case, the Office for Nuclear Regulation (ONR), which is responsible for granting a nuclear site licence. This is a legal document, issued for the full life cycle of the facility.
Licence Condition 23 (LC23) requires that the ‘adequate safety case’ that licensees must produce ‘in respect of any operation that may affect safety’ should ‘identify the conditions and limits necessary in the interests of safety’.
Licence Condition 24 (LC24) (Operating Instructions) requires that all operations which may affect safety are carried out in accordance with written instructions. Operating instructions include any instructions necessary to ensure that any operating rules are implemented.
Licence Condition 28 (LC28) (Examination, inspection, maintenance and testing) requires that the licensee shall make and implement adequate arrangements for the regular and systematic examination, inspection, maintenance and testing of all plant which may affect safety.
It is a legal responsibility of the licensee to maintain the overall safety risk presented to workers, the public and the environment, arising from any potential nuclear fault and accident, at a level that is As Low As Reasonably Practicable (ALARP).
An accurate and comprehensive Engineering Schedule is an essential component of a safety case, the expectations of which are detailed in the Office for Nuclear Regulation (ONR) Safety Assessment Principles (SAPs).
There is a wealth of Standards and Guidance available via the various International and National advisory and regulating bodies.
For over 50 years the International Atomic Energy Agency (IAEA) has developed a safety standards programme. More than 200 safety standards have been published which reflect an international consensus on what constitutes a high level of safety for protecting people and the environment.
The Office for Nuclear Regulation (ONR) Safety Assessment Principles (SAPs), specifically principle EQU.1 Equipment Qualification (EQ), identifies the requirement for EQ procedures to confirm that Structures, Systems and Components (SSCs) will perform their allocated safety function(s) in all normal operational, fault and accident conditions identified in the safety case for the duration of their operational lives.
The Fault Schedule (FS) should be structured to allow each node of operation to be viewed separately and should match the nodal approach to hazard and fault identification, Deterministic Safety Assessment (DSA) and Probabilistic Safety Assessment (PSA).
The Deterministic Safety Assessment (DSA) comprises a combination of Design Basis Accident Analysis (DBAA), Beyond Design Basis Accident Analysis (BDBAA) and Severe Accident Analysis (SAA) which provides a demonstration of the integrity of a plant, utility or facility through sufficient Defence in Depth (DiD).
Beyond Design Basis Accident Analysis (BDBAA) is necessary to establish that there are adequate margins beyond the Design Basis Accident Analysis (DBAA), such that a Structure, System or Component (SSC) does not fail due to a small increase in the severity of a design basis cause, leading to a potentially catastrophic failure, i.e. exhibiting a cliff-edge effect.
Design Basis Accident Analysis (DBAA) may not include the full range of identified faults because it may not be reasonably practicable to make design provision against the more unlikely faults.
Once the significant faults and hazards have been identified the key safety functions can be determined to ensure that the plant design will be adequate to support safe construction, commissioning, operation, maintenance and decommissioning.
A Probabilistic Safety Assessment (PSA) complements the Deterministic Safety Assessment (DSA) of credible accident scenarios and enables an assessment against numerical risk criteria.
The Hazard and Operability (HAZOP) study technique is one of a number of techniques which may be used to undertake safety reviews. HAZOP is a widely recognised and well established method of hazard identification that is used in a wide range of industries, including chemical processing, oil and gas, and nuclear.
The requirement to formally identify and assess hazards, identify control and protection features and demonstrate their suitability forms the basis of any safety justification. This concept originated in the nuclear industry and became incorporated in Health and Safety legislation via the Nuclear Installations Act (1965).
The Structured What-IF Technique (SWIFT) combines the use of checklists with a brainstorming ‘What if?’ approach and was originally developed for Hazard Identification (HAZID) in the chemical process industry.
Failure Modes and Effects Analysis (FMEA) is a “bottom-up” reliability analysis which considers the failure of component items (the causes) and then examines their effects on the system. Component failure modes are considered systematically, using a set of Guidewords to prompt thought on the possible modes / causes of failure.
The ONR’s expectations with respect to Human Factors Integration (HFI) are set out in the following SAPs; however, there are a number of related SAPs (EHF.2 to EHF.12) that must also be taken into consideration to ensure human factors are adequately represented in the nuclear safety case.
The expectations of the Office for Nuclear Regulation (ONR) with respect to Human Factors (HF) Task Analysis (TA) are set out in the Safety Assessment Principles (SAPs). In particular SAP EHF.5 must be considered to ensure human tasks are adequately represented in the nuclear safety case.
The expectations of the Office for Nuclear Regulation (ONR) with respect to Training Needs Analysis (TNA) are set out in the Safety Assessment Principles (SAPs) at a total of ten locations. In particular SAPs EHF.5 and EHF.8 must be taken into consideration to ensure the training and assurance of personnel competence is adequately actioned and represented in the nuclear safety case.
The expectations of the Office for Nuclear Regulation (ONR) with respect to Human Reliability Analysis (HRA) are set out in the ONR Safety Assessment Principles (SAPs). In particular SAP EHF.10 must be considered to ensure human errors are adequately represented in the nuclear safety case.
The expectations of the Office for Nuclear Regulation (ONR) with respect to the Allocation of Function, also known as the Allocation of Safety Actions, Between Human and Engineered Systems, are set out in the Safety Assessment Principles (SAPs).
The expectations of the Office for Nuclear Regulation (ONR) with respect to Human Machine Interface (HMI) design, provision and assessment are set out in the Safety Assessment Principles (SAPs). In particular SAP EHF.7 refers to the User Interface.