IAEA Workshop on the Application of the IAEA Methodology and Safety Assessment Framework (SAFRAN) Tool for the Safety Case (SC) and Safety Assessment (SA) for Predisposal Management of Disused Sealed Radioactive Sources (DSRS) Athens, GREECE June 2014 Rodolfo Avila Facilia, Sweden Definition, Role and Documentation of the Safety Case

IAEA Outline of the Presentation Preamble Overview of Safety Case Specific issues Evolution of the safety case; Graded approach; Defense in depth; Reliability; Expected lifetime of the facility; Long term storage; Summary and conclusions. 2

IAEA PREAMBLE 3

IAEA Definition of safety Safety is the state of being "safe" (from French sauf), the condition of being protected against physical, social, occupational, or other types or consequences of failure, damage, error, accidents or any other event which could be considered non-desirable. Safety can also be defined to be the control of recognized hazards to achieve an acceptable level of risk. It is important to realize that safety is relative. Eliminating all risk, if even possible, would be extremely difficult and very expensive. A safe situation is one where risks of injury or property damage are low and manageable. 4

IAEA Types of safety Normative safety is when a product or design meets applicable design standards and protection. Substantive safety or objective safety occurs when the real-world safety history is favorable, whether or not standards are met. Perceived safety or subjective safety refers to the level of comfort of users. Low perceived safety can have costs. For example, after the 9/11/2001 attacks, many people chose to drive rather than fly, despite the fact that, even counting terrorist attacks, flying is safer than driving. 5

IAEA 6 What is a Safety Case? The collection of arguments and evidence, including the outcome of safety assessment, in support of the safety of a facility or activity The basis for the safety considerations in respect of sitting and locating facilities, construction, operation and decommissioning of the facility, including the justification for changes The basis for interaction and dialogue between the operating organization and the regulatory body 66

IAEA IAEA Requirements for Safety Case and Safety Assessment GSR Part 5, GSG-3: Safety Case A collection of arguments and evidence in support of the safety of a facility or activity. This will normally include the findings of a safety assessment and a statement of confidence in these findings. GSR Part 4, GSG-3: Safety Assessment 1. Assessment of all aspects of a practice that are relevant to protection and safety; includes sitting, design & operation of the facility. This normally includes risk assessment and probabilistic SA. 2. Analysis to predict the performance of an overall system and its impact, where the performance measure is the radiological impact or some other global measure of the impact on safety. 7

IAEA 8 1. Government responsibilities 2. National Policy & Strategy 3. Regulatory Responsibilities 4. Operator Responsibilities 5. Safety/Security 6. Interdependences 7. Management systems 8. Waste minimization 9. Characterization and classification 10. Waste treatment 11. Waste storage 12. Waste acceptance for processing, storage and/or disposal 13. Prepare safety case and supporting safety assessment 14. Safety case scope and regulatory compliance 15. Safety case documentation 16. Periodic safety review 17. Facilities location and design 18. Facility construction and commissioning 19. Facilities operation, maintenance, emergency preparedness 20. Decommissioning 21. Nuclear safeguards 22. Existing facilities GSR Part 5, Safety Requirements for Predisposal Management of RW 1.Introduction 2.Protection of Human Health & Environment 3.Responsibilities 4.Steps in the Predisposal Management of RW 5.Development and Operation of RWM Facilities & Activities

IAEA Safety requirements for SA and SC The safety case (SC) shall: Include a description of how all the safety aspects of the site, the design, operation, shutdown and decommissioning of the facility, and the managerial controls satisfy the regulatory requirements Demonstrate the level of protection provided and shall provide assurance to the regulatory body that safety requirements will be met Include arguments justifying the approaches taken in the safety case on the basis of information that is traceable Document the arguments at a level of detail and to a quality sufficient to demonstrate safety 9

IAEA 10 GSG-3: Safety Guide for SC and SA Stakeholder and Regulatory Involvement Application of Management System C. System Description D. Safety Assessment G. Limits, Controls and Conditions H. Integration of Safety Arguments E. Iteration and Design Optimization F. Management of Uncertainty A. Safety Case Context B. Safety Case Strategy

IAEA 11 GSG-3: Safety Guide for SC and SA 1.Introduction 2.Demonstrating the Safety of RW Management 3.Objectives and Development of the Safety Case 4.Safety Assessment 5.Specific Issues Evolution of the SC Graded Approach Defence in Depth Reliability Expected Facility Lifetime Long Term Storage 6.Documention and Use of the Safety Case 7.Regulatory Review Process

IAEA Preparation and review of SC and SA Systematic methodology Supports appropriate waste management decisions Demonstrate compliance with applicable safety requirements and criteria for the lifecycle of the facility Ensure confidence in the safety of the facility or activity Guidance on SC and SA (GSG-3) 12

IAEA Specific issues (GSG-3) Evolution of SC Graded approach Defence in depth Reliability Expected facility lifetime and activity duration Long term storage 13

IAEA OVERVIEW OF THE SAFETY CASE 14

IAEA Purpose of safety case Demonstrate that all planned activities can be carried out in a safe manner The SC concept will be of particular importance for large predisposal waste management facilities such as national centres for the processing and storage of radioactive waste. Provide guidance for the design, engineering and planning of operations to ensure safety Input to regulatory process, including evidence of compliance and arguments for confidence building International Course on Management of Waste, Clausthal-Zellerfeld, Germany, 6-15 October

IAEA Objectives and Roles of SC and SA (GSG-3) Integrating scientific and other information Demonstrating safety (incl. uncertainties) Demonstrating compatibilities with next waste management steps (e.g. disposal) Aiding decision making on the authorisation/ licensing of the facilities Other information and arguments that support continued development, use or eventual decommissioning of the facility 16

IAEA Development and content of SC and SA Some countries do not use the term SC in a formal way, but the approaches and processes to demonstrate safety similar The operator shall prepare a safety case and a supporting safety assessment. In the event of a step by step development or in the event of the modification of the facility or activity, the SC and its supporting SA shall be reviewed and updated as necessary. Regulatory body is responsible to derive and document in a clear and unambiguous manner the criteria on which the regulatory decision making process is based 17

IAEA Safety Case content Waste types and the rationale for the chosen/proposed waste management options Facilities and the site, based on traceable information Managerial and regulatory controls over the facilities Plans regarding the development, operation and shutdown and decommissioning of the facilities Safety assessment (SA) Other information and arguments supporting the development, use or decommissioning of a facility 18

IAEA Scope of the safety case for predisposal Relevant facilities / activities:  Processing of radioactive waste  Clearance and Discharges  Storage facilities  Transport  Intervention situations (e.g. old storage facilities) All types of wastes  low level to high level waste  disused sealed sources  NORM International Course on Management of Waste, Clausthal-Zellerfeld, Germany, 6-15 October

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 20

IAEA Introduction During facility lifecycle, the safety case will evolve in five main stages: Concept and siting; Design; Construction and commissioning; Operation and modifications; Shutdown and decommissioning. 21

IAEA Concept and sitting The first step in the pre-operational phase addresses concept and design development; At this stage it will not be possible to provide a detailed description and assessment of the facility or activity; However, key aspects related to the safety strategy and to the description of the design concept have to be addressed; 22

IAEA Concept and sitting (cont.) The output of the safety case at this stage of development is justification that the facility or activity should, in principle, be undertaken and that it appears safe to do so. 23

IAEA Concept and sitting (cont.) The safety case for this step should present the safety strategy and the way it will be met: In the absence of any quantitative demonstration, qualitative justifications have to be provided; Safety case should address the design concept and explain how the characteristics and properties of each component of the system are intended to provide for the allocated safety functions and how this will evolve with time; 24

IAEA Concept and sitting (cont.) This should be supported by: An overview of the technical feasibility of the proposed design options, identifying aspects that rely on already proven techniques and those that are new and need future confirmation through experimental tests; An overview of the level of knowledge on the ability of each component of the system to fulfil its expected role under anticipated conditions and accounting for the possibility of key perturbations that have already been identified; An assessment how the components of the system will function together in a complementary manner to ensure that there is adequate defense in depth and that safety is not unduly dependant on a single safety function. 25

IAEA Concept and sitting (cont.) Radiological impact assessments can only be very preliminary at the conceptualization step; Nevertheless, it is desirable to carry out such preliminary assessment: to provide a broad order of magnitude estimate of possible impacts, based on generic considerations of site performances; to begin to identify the features of the facility and environment that are likely to be important to safety. 26

IAEA Concept and sitting (cont.) Siting should consider the affect the facility or activity will have on: Other activities on the site; On any neighboring populations. Consideration needs to be given to: Effects of other activities or facilities on the proposed facility or activity; Management, predisposal, discharges or clearance of any wastes generated. 27

IAEA Concept and sitting (cont.) The safety case should also contain information about the management systems: Organizational structure; Required resources to undertake the project; Programme for the project planning; Information management system. It is also necessary to develop and implement plans for regulatory and stakeholder dialogue. 28

IAEA Design During the design development and construction, the safety case will be further developed to provide a mature assessment of the engineering and of the impact of the facility or activity; The safety case should demonstrate that: Likelihood of a component of the system failing is low, In the event of degradation, the loss of a safety function of one component does not jeopardize the safety of the whole system. 29

IAEA Design (cont.) The output of design stage of the safety case development is justification that the facility or activity, as designed, can be safely constructed and operated. 30

IAEA Design (cont.) The design of any waste management facility should consider that the facility eventually will be shutdown and decommissioned. From the very earliest stage of the safety case development decommissioning must be addressed to justify its safety. The justification should be based upon techniques that are currently available and commensurate with the level of resources likely to be available at the time of closure. 31

IAEA Construction and commissioning During commissioning, specific attention should be paid to the performance of structures, systems and components important to safety. A safety commissioning schedule should be prepared, detailing: Test to be undertaken, Results expected to ensure, that all aspects of the facility important to safety are adequately tested. 32

IAEA Construction and commissioning (cont.) The safety case at this stage should demonstrate that the as constructed facility meets the safety requirements specified in the final design. This should include the impact of any modifications to the design, which have been implemented during the construction stage. 33

IAEA Construction and commissioning (cont.) It is possible that separate safety cases and safety commissioning schedules will be required for in- active and active commissioning: The aim of the in-active commissioning safety case is to justify that the as built facility is safe to operate; The aim of the active commissioning safety case is to justify the safety of the facility to accept radioactive material. 34

IAEA Construction and commissioning (cont.) The safety case should update information about the management system with emphasis on: Organization and procedures that are in place to assure the quality of the work performed, Linkage of designs to the outcome of research and development activities and safety assessment work, Keeping of records on the basis for design or operational decisions, Design basis information including information on design modifications, The expertise available to carry out tests and operate the facility or activity. 35

IAEA Operation Any significant differences between the actual and predicted performance of the facility or activity should be identified and the reasons investigated. All discrepancies should be justified. If there are safety implications, then a re-examination of the related structures, systems and components important to safety should be carried out. 36

IAEA Operation (cont.) The aim of the operational safety case is to justify that the facility can be operated safely for a specific period and can then be safely decommissioned. 37

IAEA Operation (cont.) The safety case should update information about the management system with particular emphasis on: Organization and procedures that are in place to assure the safety of operations, Record keeping and tracking system covering data, information and the records of decision, That there is sufficient expertise to operate the facility or activity, Interdependencies. 38

IAEA Operation (cont.) During the operational life of a facility there may be a need to modify some aspect. Where the modifications have a potential impact on safety, an appropriate safety assessment should be conducted or the current assessment updated before implementation of modification to assure continuing compliance with established safety requirements. 39

IAEA Operation (cont.) There may be time dependent processes and events both internal and external, which will eventually modify certain assumptions, parameters and boundary conditions; Processes and events may be gradual or may occur at unpredictable times; Operational safety case should be reviewed periodically in order to detect significant changes to the underlying assumptions, parameters and boundary conditions. If necessary, the safety case should be revised accordingly. 40

IAEA Operation (cont.) Periodic review should be mandatory at periods determined by the regulatory body; Periodic safety reviews may also be required to justify: Life extension of the facility beyond its original design life, Changes in the ownership or management of a facility, Changes in regulations. 41

IAEA Operation (cont.) The updating of the safety assessment should take account of operating experience including data relating to anticipated operational occurrences, accident conditions and accident precursors both from: Facility or activity itself, Other similar facilities or activities. 42

IAEA Operation (cont.) The safety case should justify that the facility can be safely decommissioned; Where a treatment facility is developed for all decommissioning waste then it should be recognized that the treatment facility will also generate decommissioning waste that will need some sort of treatment facility. 43

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 44

IAEA Introduction Predisposal waste management includes a wide range of facilities or activities, and characteristics of waste processed, which may pose different degrees of hazard and risk; A graded approach to safety assessment should be used, therefore, which recognizes these different levels of hazard and risk. 45

IAEA Graded approach The scope and level of detail of the safety assessment carried out for any particular facility or activity shall be consistent with the magnitude of the possible radiation risks arising from the facility or activity. It could be expected that greater levels of effort should be put into developing safety cases and safety assessments for a large treatment facility than for a small low-level waste storage facility. 46

IAEA Graded approach: Criteria When undertaking a safety assessment, it is necessary to ensure that: Assessment is based on an appropriate level of understanding of the system and its potential behavior, All safety relevant issues are considered and addressed. The degree of detail required in the safety assessments should be determined by first undertaking relatively simple safety assessments that provide an indication of the potential levels of risk. 47

IAEA Graded approach: Criteria (cont.) Various criteria may be used to help in determining the level of understanding that should be expected for a particular facility or activity; Criteria may be: Safety significance, Complexity, Maturity. 48

IAEA Safety significance Safety significance will usually be the most important criterion; Use of this criterion will necessitate consideration of facility or activity performance in terms of: Releases from normal operation, Potential consequences of anticipated operational occurrences and reasonably foreseeable accidents, Potential significance of low probability events with potentially high consequences. 49

IAEA Complexity A complex facility or activity might suggest the need for a correspondingly complex representation of the design in safety assessment: Development of a safety case for a comparatively simple waste management facility such as a storage facility in a hospital may require only a few weeks of time and may be conducted using a checklist approach. Development of a safety case for a large centralized waste processing facility may require a large team with several different specializations and require several years of work. 50

IAEA Maturity The use of proven practices and procedures, proven designs, data on operational performance of similar facilities or activities, experienced manufacturers and constructors, typically require less consideration than with the use of novel approaches. 51

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 52

IAEA Defense in depth: Concept The defense in depth concept is centered on several levels of protection including successive barriers and other safety functions preventing the release of radioactive material to the environment and minimizing exposures; The concept includes: Maintaining the effectiveness of the barriers by averting damage to the facility and to the barriers themselves; Further measures to protect the public and the environment in case of unexpected malfunction or degradation of barriers. 53

IAEA Defense in depth: Approach The most important safety functions are usually fulfilled by means of passive barriers the physical or chemical property of conditioned waste, the waste package, or process piping. Active controls can also provide safety functions but these should not be relied on as the primary component of defense in depth; Consideration should be given to combining physical barriers and administrative controls into an effective defense in depth strategy. 54

IAEA Defense in depth: Justification Justification of levels of defense in depth can be made by: Identifying barriers and other safety functions; Explaining the diversity of such barriers and other safety functions; Explaining the resilience of such barriers and other safety functions under normal and abnormal conditions; If appropriate, making a quantitative estimate of their contribution to the margin of safety; Showing that if any single safety barrier fails then the safety of the facility is not unacceptably compromised. 55

IAEA Defense in depth: Justification (cont.) Special attention should be pay to internal and external hazards which could have the potential to adversely affect more than one barrier. 56

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 57

IAEA Reliability When selecting components for use in a facility it is important to know their reliability; Safety case should justify the level of reliability demanded of component; Demanded level of reliability will depend upon Safety demands made of the component, Defense offered by other components in the system. 58

IAEA Reliability (cont.) Consideration needs to be given to the reliability of the component over the lifetime of the facility: Components should be designed to have a lifetime commensurate with the demands that will be placed upon them; This should be complemented by an appropriate maintenance regime to ensure the continued reliability of the component:  Older components may well have lower levels of reliability, unless they have been well maintained. 59

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 60

IAEA Expected lifetime The expected lifetime of the facility needs to be sufficient for the activity being undertaken; For storage facility this lifetime may need to include some contingency i.e. for unloading of the wastes or for delay in the availability of disposal facilities. For facilities or activities with long lifetimes it will be necessary to use well-proven and well documented materials so that there is confidence that they will last for the duration of the facility or activity life. 61

IAEA Expected lifetime (cont.) For facilities planning for extensions beyond their original planned lifetime expectancy, it is necessary to update the safety case (including the safety assessment) to consider the potential impacts on safety. The update should: Consider the degradation of barriers or components, Be performed well in advance of the end of the original license to facilitate regulatory review. 62

IAEA SPECIFIC ISSUES: - Evolution of the safety case - Graded approach - Defense in depth - Reliability - Expected lifetime of the facility - Long term storage 63

IAEA Definition Long-term storage (facility or activities), involves a period of time which: Exceeds the normal design life of civil structures, Have implications for the choice of: Materials, Operating methods, Quality assurance, Quality control requirements, etc. 64

IAEA Definition (cont.) Long term storage in the context of predisposal waste management is considered to be storage beyond approximately fifty years; Long term storage is not expected to last more than approximately one hundred years. This timeframe is based on technical experience with civil construction. 65

IAEA Specific issues Specific issues that require special consideration in the safety case for long term storage include: Time frame of the storage facility or activity, Importance of passive safety features, Retrievability, Management systems. An ageing management programme should be set up to deal with ageing related degradation; The programme should specify the monitoring necessary for early detection of any deficiency. 66

IAEA Time frame The assessment time frame should be defined taking into account: National regulations and regulatory guidance; Characteristics of the long-term storage facility or activity; Characteristics of the site; Characteristics of the waste to be stored. 67

IAEA Time frame (cont.) Other factors to consider: Safety assessment calculations should cover a period that is sufficient to determine the maximum, or peak, dose or risk associated with the facility or activity; Return period of natural external hazards such as extreme meteorological events or earthquakes; Factors, that can significantly affect safety assessment results may change with time. Assessments may consider several scenarios to reflect different evolution paths of long-term storage facility; Habits and characteristics of the receptor group, as well as the conditions in which they are located, may change over time. 68

IAEA Passive safety The assessment of long-term safety should account for the degradation of passive barriers over time; The complementary performance of the different safety functions should be tested over different time periods; Each safety function should be as independent as possible from the others to ensure that they are complementary and cannot fail through a single failure mode; The safety case should explain and justify the functions provided by each barrier and identify: the time periods over which barriers are expected to perform their various safety functions, and also the alternative or additional safety functions that operate if a barrier does not fully perform. 69

IAEA Retrievability The intention in storing waste is that the waste can be retrieved for clearance, processing, transportation and/or disposal at a later time, or in the case of effluent for authorized discharge; The safety case should: Consider a plan for safe handling of the waste following long-term storage; Assess the potential effects of degradation of containment on the ability to retrieve and handle the waste. 70

IAEA Management systems Because of the long time frames, the safety case should: Include provisions for the regular surveillance, inspection and maintenance of the waste and the storage facility; Consider a plan for adequate record keeping. Periodically, the safety case should be reviewed to consider: Adequacy of the storage capacity, with account taken of the predicted waste arising, both for normal operation and for possible incidents, Expected lifetime of the storage facility and availability of disposal options. 71

IAEA SUMMARY AND CONCLUSIONS 72

IAEA Summary During facility lifecycle, the safety case will evolve in several stages, starting from concept development and siting, and ending with shutdown and decommissioning; Different stage will put its specific to the context and outputs of the safety case; Predisposal waste management includes a wide range of facilities or activities, and characteristics of waste processed, which may pose different degrees of hazard and risk; Criteria such as safety significance, complexity and maturity may help to recognize different levels of hazard and risk, and assists in application of the graded approach; 73

IAEA Summary Consideration should be given to combining physical barriers and administrative controls into an effective defense in depth strategy; The most important safety functions are usually fulfilled by means of passive barriers. The level of reliability demanded of any component will depend upon the safety demands made of the component and the defense offered by other components in the system; The expected lifetime of the facility needs to be sufficient for the activity being undertaken and may need to include some contingency; 74

IAEA Summary Special consideration needs to be given to long term storage; This includes issues on the storage time frame, importance of passive safety features, waste retrievability and management systems. 75

IAEA 76 Thank you for your attention!