Radiation Safety Analysis and radiation safety functions classification Different approaches for Public and Workers ESHAC meeting 11 April 2018 www.europeanspallationsource.se 30 June, 2019

Background Currently at ESS the framework/approach for radiation safety analysis and safety functions classification is the same for public and workers Concrete implementation of that framework can generate some inconsistencies with SSM conditions and unreasonable/unusual requirements on systems dedicated to manage only workers safety It seems that from: Swedish NPP & SSM practice on that matter Comments in SSM review reports There is a possibility to have 2 different approaches for public safety and workers safety that can solve this issue while keeping a proper safety level

Current approach : Safety functions and radiation safety analysis The facility generates radiological hazards and it is mandatory to protect people’s health and the environment from harmful effects of ionizing radiation. The protection level is defined through dose limits and reference values provided by the national regulation and SSM conditions. ESS-0000004 rev 5 (January 2017) Operating conditions Initiative event likelihood Workers limit (effective dose) Public limit Normal operation - H1 2 mSv/year (average) 10 mSv/year (max) 0.1 mSv/year (0.05 mSv/year GSO) Anticipated events - H2 F > 10-2 10 mSv/event 0.1 mSv/occurrence Unanticipated events - H3 10-4 < F < 10-2 20 mSv/event 1 mSv/occurrence Improbable events (DBA) – H4 10-6 < F < 10-4 20 mSv/occurrence Highly improbable events – H5 F < 10-6 250 mSv/event 100 mSv/occurrence The safety functions are the functions implemented to fulfil these requirements Made font bigger in the three side boxes and in the dose box Events and circumstances that affect the facility shall be divided in 5 event classes based on frequencies The safety functions are identified through the radiation safety analysis Safety principles applied : defence in depth and barriers/SF/CCF

Defence in Depth and safety functions grouping according to SSM Assessment of safety significance based on deterministic methods complemented if appropriate with probabilistic methods and engineering considerations The DiD shall be tailored to the activities and associated safety stakes A failure of one level shall not be able to propagate to a subsequent level DiD level 3 shall be independent of DiD level 1 and 2 DiD level 4 shall be independent of DiD level 1-3

ESS classification rules

Gaps with SSM conditions DiD L4 and L5 are not applicable for workers (on site people) Safe state and fundamental safety functions are not explicitly linked to workers safety Single failure and Common cause failure in deterministic assessment are applied to safety functions related to public safety H5 events are used for designing mitigation group dedicated to minimise emissions and protect public H5 has an open range which is not consistent with condition D5 chapter 4

Overall view on new approaches   Clarification of differences between Deterministic safety assessment vs Probabilistic Different approaches between Public vs Workers Deterministic approach required for Public & Facility Safe State Fundamental safety functions linked to Public & Facility Safe State Safety SSC with new approach only required for Public & Facility Safe State specifically in DiD level 3. Safety related allowed in other DiD levels. Workers allowed to consider all SSC and to apply “Probabilistic approach” Introduce Residual risk H5 specified as 10-6 – 10-7 per year, which means Residual risk < 10-7 per year for Public and Facility Safe State H5 not related to workers, which means Residual risk < 10-6 per year

Different approaches for Workers and Public Safety (Apply current framework and approach with clarification on the hazard analysis) Identification of fundamental safety functions Op. group - safety group –mitigation group DiD deterministic approach (single failure, common cause failure) Classification rules – categories 1 to 5 (classification package) Facility Safe state In order to reach and insure ESS-0000004 next revision Operating conditions Initiative event likelihood Public limit/ reference values (effective dose) Normal operation - H1 0.1 mSv/year (0.05 mSv/year GSO) Anticipated events - H2 F > 10-2 0.1 mSv/occurrence Unanticipated events - H3 10-4 < F < 10-2 1 mSv/occurrence Improbable events - H4 10-6 < F < 10-4 20 mSv/occurrence Highly improbable events – H5 10-7 < F < 10-6 100 mSv/occurrence Extremely improbable events F < 10-7 Excluded from further evaluation Acceptable residual risk In order to comply with Update ESS-0016468 “classification rules” to remove “workers safety” Update ESS-0041755 “guideline for radiological Hazard analysis” to clarify detailed implementation of deterministic approach Update on going safety analysis and classification outcome

Different approaches for Workers and Public Safety workers safety: (new approach) Identification of workers safety functions WSF Requirements on quality & reliability of the WSF No postulated single failure and common cause failure Based on “probabilistic approach” for availability of the SF in accident scenarios An event that could lead to a dose higher than 20 mSv shall have a likelihood < 10-6 DiD applied but not DiD L4 and L5 New ranking defined General design requirement (RFPD) from classification rules not mandatory Use of discipline classification package to be discussed, redefined or tailored for WSF ESS-0000004 next revision Operating conditions Initiative event likelihood workers limit/ dose limits (effective dose) Normal operation - H1 2 mSv/year (average) 10 mSv/year (max) Anticipated events - H2 F > 10-2 10 mSv/occurrence Unanticipated events - H3 10-4 < F < 10-2 20 mSv/occurrence Improbable events - H4 10-6 < F < 10-4 Highly improbable events – H5 F < 10-6 Excluded from further evaluation Acceptable residual risk In order to comply with

Additional points in favor of the approach Other Swedish facilities treat worker safety and public safety differently SKB has implemented graded approach to worker safety that is different from public safety (grade 4, grade 4* for worker safety) NPP consider facility safe state only with respect to public safety The same approach is used for probabilistic analysis of worker safety systems at similar facilities: Spallation facilities: ISIS applies 10-6, SNS applies 10-5 Other accelerator facilities: JLab applies 10-5, Diamond 10-6, SLAC 10-6

Performance based (probabilistic assessment) Severerity Probability 0.01 -0.1 0.1 -1 1 -20 20 -100 >100 mSv H1 Normal H2 Expected H3 Unexpected H4 Unlikely H5 Very unlikely RSF works Event When/if RSF fails Presented by Thomas Hansson 19th of March 2018 on Workshop for “Worker Safety”

Deterministic assessment The event is actually combined with an occurred independent single failure (or a CCF), on top of the “Event” and if you do not comply with the Hx-belonging mSv-value you need to re-design. Severerity Probability 0.01 -0.1 0.1 -1 1 -20 20 -100 >100 mSv H1 Normal H2 Expected H3 Unexpected H4 Unlikely H5 Very unlikely Toolbox: Redundancy Diversity Separation Event ESS-0084756 Presented 25th of February ESS-0084756 Thomas Hansson ESH

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input F H1-Mitigation by SR function with expected H1 performance (On, Off, Flow, etc) PIE = H2 W P Thomas Hansson 2018-03-02

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties DiD 2 Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input F Unmitigated H2 Study possible undesignated SR H1 performance, ”operational modes”. H1-Mitigation by SR function with expected H1 performance (On, Off, Flow, etc) PIE = H2 W P Thomas Hansson 2018-03-02

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties DiD 2 Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input F Unmitigated H2 Study possible undesignated SR H1 performance, ”operational modes”. Even “worse” than excluding Fan. H1-Mitigation by SR function with expected H1 performance (On, Off, Flow, etc) PIE = H2 W P ON OFF W If W<10 mSv and P<0.1 mSv P Thomas Hansson 2018-03-02

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties DiD 2 Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input F Unmitigated H2 Study possible undesignated SR H1 performance, ”operational modes”. Even “worse” than excluding Fan. H1-Mitigation by SR function with expected H1 performance +H2 (On, Off, Flow, etc) PIE = H2 W P ON OFF W If W<10 mSv and P<0.1 mSv If W>10 mSv or P>0.1 mSv Mitigated by S function H2 P Thomas Hansson 2018-03-02

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties DiD 2 DiD 3 Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input F Unmitigated H2 Study possible undesignated SR H1 performance, ”operational modes”. Even “worse” than excluding Fan. H1-Mitigation by SR function with expected H1 performance +H2 (On, Off, Flow, etc) PIE = H2 W P ON OFF W If W<10 mSv and P<0.1 mSv If W>10 mSv or P>0.1 mSv Mitigated by S function H2 P Thomas Hansson 2018-03-02

Safety assessments Probabilistic approach Deterministic approach SSC important to safety: SR = Safety-Related SSC S = Safety SSC RSF = Radiation Safety Functions Fundamental safety functions (SSC = Structures, Systems & Components) Deterministic approach used for facility design conservatism/uncertainties DiD 2 DiD 3 Probabilistic approach used for integrated performance identify dependencies demonstrate balanced risk profile realistic input Doesn’t distinguish between SR and S. H2 x Likelihood for Fan failure. Compare mSv to new Hx. If not acceptable, add more SR or S or increased reliability of existing Fan. F Unmitigated H2 Study possible undesignated SR H1 performance, ”operational modes”. Even “worse” than excluding Fan. H1-Mitigation by SR function with expected H1 performance +H2 (On, Off, Flow, etc) PIE = H2 W P ON OFF W If W<10 mSv and P<0.1 mSv If W>10 mSv or P>0.1 mSv Mitigated by S function H2 P Thomas Hansson 2018-03-02

Thank You! Questions?

BACK UP

SSM definitions – SSM conditions chapter 1 and chapter 4 + guiding support document Defence in depth: application of several successive technical, organisational and administrative measures to prevent the occurrence and development of events and circumstances, and to maintain the effectiveness of the barriers placed between a radiation source and employees, the public and the environment. Safety function: a function that is of importance to the safety of a facility. Fundamental safety function: safety functions necessary to fulfil the facility’s safety requirements during all events and circumstances. Safe state: condition in which the fundamental safety functions can be ensured and maintained for a long period after all the events and circumstances in the event classes anticipated events, unanticipated events, improbable events, events with multiple failures and highly improbable events (H2-H5). Safety classification: All structures, systems and components important to safety shall be classified based on their function and safety significance. The assessment of the safety significance shall primarily be based on deterministic methods complemented, in cases where it may be considered appropriate, with probabilistic methods and engineering considerations.

Euratom directive 2013/59

Why is the current situation problematic? There are gaps in the specification of the ESS approach to safety analysis & design of systems for worker safety Ex. Lacking documented confirmation that applied design practices are official – without this g significant risk to buildability of systems We have difficulties applying a coherent approach to safety analysis & classification of systems. This leads to Confusion & questions on how to apply the existing approach for analysis and design of systems Difficulties in ability to implement existing approach Inconsistences in the execution of safety analyses & classification Inconsistencies in ESS documentation & safety case We are likely going beyond SSM expectations with respect to the application of the conditions to worker safety

Why is the current situation problematic? Recent questions related to SSM context, terminology, and expectations: Is the facility safe state with regard to the public only? Or workers? Are worker functions for radiation safety treated the same as public safety functions? Is it appropriate to apply the same defense in depth approach for worker safety as for public safety? Are worker safety functions safety or safety-related SSCs? Are we allowed to rely on safety-related SSCs for worker safety assessments? Do we apply the same approach for Single Failure and Common Cause Failure, for RPFD (Redundancy, Physical & Functional Separation, Diversity) for worker safety functions as for public safety functions? What is the probability goal for design of SSCs to handle worker safety functions? 10-6? Lower? Higher? Currently not specified. What is the frequency range for H5? (currently open-ended) How can we improve alignment between ESS documentation? A comprehensive and coherent approach is needed in order to collectively solve/answer these questions and improve the overall ESS safety case.

Issues with Applying Same Framework for Public and Workers (what we do now) Worker evacuation cannot be derived from the usual fundamental safety functions, which are connected to the safe state Ventilation primarily protects workers Entry protection in H2 becomes safety group from 10 mSv Applying redundancy (RPFD) is sometimes of questionable usefulness for workers

Highly improbable events General Safety Objectives Dose levels for different event classes Event Description Radiation workers Non-exposed workers Public   ERT * Non-ERT (effective dose, mSv) H1 Normal Operation < 2 per year < 0.05 per year H2 > 10-2 Anticipated events < 10 per event < 0.1 per event H3 10-4 – 10-2 Unanticipated events < 20 per event < 1 per event H4A 10-6 – 10-4 Improbable events H4B > 10-4 H2-H3 combined with CCF n/a H5 10-7 – 10-6 Highly improbable events < 250 per event Residual risk < 100 per event < 10-7 * ERT = Emergency Response Team, as defined in ESS-0001133 (Swedish original) and ESS-0092951 (English copy)