Enhancing Safety Cases usability for Advanced Nuclear Power Reactors

– Guest Blog by Fidel Ilizastigui Perez from Todus Advisors –

Hazards 29 is Europe’s leading process safety forum. At this event, industry safety expert and CGE Risk partner, Fidel Ilizastigui Perez from Todus Advisors presented a poster with accompanying paper addressing the way bowties can be used to enhance the usability of safety cases for advanced nuclear power reactors. Starting from fault schedules, bowtie diagrams are constructed with input sought from licensee’s key end users of the safety case. The resultant Bowtie Fault Schedules (BFS) diagrams are then ‘operationalized’ and kept alive with the licensee’s operational experience. Some of the advantages of incorporating bowties into nuclear power plant safety cases are summarized in this blog.

Safety Cases – Usability is the key for the successful implementation

Shortcomings regarding the usability of nuclear safety cases are not new. They are deeply rooted in the way these documents are produced and implemented. This has resulted in documents that are technically sound but at the same time too complex and therefore not easily accessible, understood and ultimately used by the persons responsible for ensuring safe operations, i.e. the operations and maintenance staff who are in direct control of the plant as well as the managers who are accountable for safety – the key end users.
A number of initiatives have been undertaken by the nuclear industry to make nuclear safety cases simpler, clearer and more readily understood by all stakeholders. Amongst these initiatives (some of which incorporate bowties) are:

  • Atomic Weapons Establishment (AWE): Safety Case on a Page (SCOAP)
  • Office for Nuclear Regulation (ONR): Right First Time Safety Cases (RFTSC)
  • UK Nuclear Safety Case Forum Guide: How to write a usable safety case (PSHAPED)

In the majority of cases, focus is put primarily on the safety case production process, affording it the same importance that is given to the final product – the documented safety case. This is because the successful implementation of the safety case as a risk management tool during reactor operation can only be the result of a sound production process with the active involvement of the licensee’s key end users.

From fault schedules to bowties

A fault schedule (sometimes known as a safety schedule or a fault and protection schedule) is regarded by the Office for Nuclear Regulation (ONR) as an important element within the safety case that shows how hazards are controlled by linking faults, fault sequences and safety measures (both technical and administrative), along with other information, presented in a tabular format.
By supporting fault schedules with bowtie diagrams, critical information regarding the way fault scenarios are controlled by the existing safety measures (i.e. protection systems and/or operator actions) can be visually communicated in a manner that is easier for non-experts, the workforce, engineers and managers to understand (see Figure 1). Bowtie diagrams make it possible to meet the information needs of different audiences (e.g. operators, engineers, supervisors) by providing the right information to the right people in the right way – operationalizing the safety case.

Equally important is the fact that the bowtie building process itself ensures active workforce involvement: the bowtie building rules ‘force’ participants to ‘think as actively as they can to reduce risks’ based on their first-hand knowledge and experience of how the plant is actually being operated.

Figure 1: A simplified Bowtie diagram for a generic ABWR, showing faults, fault sequences and safety measures grouped by generic safety functions (Not all inclusive).

Other important information related to the safety measures (barriers), which is contained in the fault schedule or elsewhere in the safety case, can also be easily aggregated in the bowtie diagram, as shown in Figure 2 below:

  • Barrier type (e.g. human, hardware/active, passive)
  • Barrier category (e.g. Emergency Core Cooling Systems (ECCS), containment systems)
  • Category of safety functions (e.g. A, B or C) and classification of SSCs (e.g. class 1, 2 or 3)
  • Safety Functional Claims (SFCs)
  • Front line and support systems (dependencies)
  • Other information may include: applicable standards, safety property claims, etc.

Figure 2: Safety Measures corresponding to the primary and secondary means of core cooling for a generic ABWR with extra information.

Linking fault schedules with the management system

With bowties supporting the fault schedules, it is possible to link engineering and administrative safety measures with the licensee’s management system to:

  • Demonstrate the adequacy of the licensee’s management system in relation to the safety measures, via safety critical tasks (e.g. examination, maintenance, inspection and testing activities) that support the performance of safety measures.
  • Visualize the actual condition of the safety measures (e.g. available and effective, operating below intended functionality or not available) by providing a color code against which condition is assessed. This makes it possible for responsible persons to carry out a near-real time tracking of barrier condition and devise timely remedial actions.
  • Account for Limiting Conditions of Operation (LCOs) in the bowtie via degradation factors and controls, ensuring that safety measures are operated within safety limits and that design requirements from the safety case are met during operations.

Figure 3: Bowtie showing links between engineering safety measures and the management system through safety critical tasks (SCTs, associated with examination, maintenance, inspection and testing) and administrative control of limiting conditions for safe operation (for primary means of core cooling).
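As an added illustration (not code from the paper or from CGE Risk), the following Python model shows how the barrier information listed above, the results of safety critical tasks and LCO compliance can be rolled up into the colour-coded condition of each safety measure and of the fault sequence it protects. The measure names, task names and thresholds are constructed assumptions, not values from the safety case.

```python
from dataclasses import dataclass, field
from enum import Enum

class Condition(Enum):
    """Colour code against which barrier condition is assessed."""
    NOT_AVAILABLE = "red"
    DEGRADED = "amber"       # operating below intended functionality
    AVAILABLE = "green"      # available and effective

@dataclass
class SafetyMeasure:
    name: str
    barrier_type: str                 # human, hardware/active or passive
    ssc_class: int                    # SSC classification 1, 2 or 3
    # safety critical task -> True (passed), False (failed) or None (overdue)
    sct_results: dict = field(default_factory=dict)
    lco_met: bool = True              # limiting condition of operation satisfied?

    def condition(self) -> Condition:
        results = list(self.sct_results.values())
        if any(r is False for r in results):
            return Condition.NOT_AVAILABLE     # an examination/test found the measure failed
        if not self.lco_met or any(r is None for r in results):
            return Condition.DEGRADED          # LCO breached or an SCT is overdue
        return Condition.AVAILABLE

def fault_sequence_status(fault: str, barriers: list) -> dict:
    """Roll barrier conditions up to the fault sequence: how many lines of
    defence are intact and which measures need a responsible person's attention."""
    conds = [b.condition() for b in barriers]
    intact = sum(c is Condition.AVAILABLE for c in conds)
    if intact == len(barriers):
        colour = Condition.AVAILABLE
    elif intact == 0:
        colour = Condition.NOT_AVAILABLE
    else:
        colour = Condition.DEGRADED
    attention = [b.name for b, c in zip(barriers, conds) if c is not Condition.AVAILABLE]
    return {"fault": fault, "lines_of_defence": intact, "total": len(barriers),
            "colour": colour.value, "attention": attention}

# Constructed sample: one fault sequence protected by three safety measures.
CORE_COOLING_BARRIERS = [
    SafetyMeasure("Primary means of core cooling", "hardware/active", 1,
                  {"quarterly pump test": True, "valve inspection": True}),
    SafetyMeasure("Secondary means of core cooling", "hardware/active", 1,
                  {"quarterly pump test": True, "valve inspection": None}),
    SafetyMeasure("Operator initiates alternative injection", "human", 2,
                  {"procedure drill": True}),
]

if __name__ == "__main__":
    print(fault_sequence_status("Loss of normal core cooling", CORE_COOLING_BARRIERS))
```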

Bowtie Fault Schedules and human factors

Layered bowties capturing a deeper range of human and organizational factors are built and reviewed with the licensee in human factors bowtie workshops for the most important safety critical tasks identified in the BFSs. These workshops are carried out in order to:

  • Agree on the identified degradation factors and safeguards.
  • Confirm the identified safeguards and their validity as being capable of preventing human error and reducing the risk of human error to ALARP.
  • Link safeguards to responsible persons and rate the actual effectiveness of the safeguards.

Making Bowtie Fault Schedules ‘living’ documents

With the advent of modern IT developments, Bowtie Fault Schedules can be easily incorporated into Electronic Safety Cases (ESCs), making it possible to review, update and monitor safety case critical information in an easy form. The safety case will no longer just ‘sit on the shelf’!

Managers will also have the possibility to monitor the ‘health’ of critical safety measures from a variety of handheld devices. This will enable them to verify that the right decisions are taken in a timely manner to address performance problems and restore the functionality of critical safety measures by responsible persons, or otherwise intervene quickly when this is not the case.

Start the Bowtie Fault Schedules – Download a full copy of the paper

Are you interested in learning more about Bowtie Fault Schedules? Download the paper ‘Writing ‘usable’ Nuclear Power Plant (NPP) Safety Cases using Bowtie methodology’ for a more detailed explanation. Complete and submit the details below to receive a copy in your inbox right away.

© Fidel Ilizastigui Perez – TODUS Advisors. 2020 – The copyright of the content of this guest blog belongs to Fidel Ilizastigui Perez who has authorized CGE Risk to provide this content on its website.