DEFENCE IN DEPTH
Defence in depth: facilities

FIGURE 10, PAGE 151

 

If the facility safety justification has recognized that the event is likely to occur at least once over the life of the plant (for example, loss of off-site power), and the safety provisions designed to cope with it were available and behaved as expected,

OR

if no actual challenge to the safety provisions occurred and the operability of all the safety provisions was within operational limits and conditions,

then such events should have a basic rating of Level 0: they are almost 'normal operation'.

To avoid working through numbers of safety layers, maximum consequences, etc., for simplicity, the flowchart bypasses the how big/how close questions and says that the basic rating is Level 0. This is explained in the first two items of section 6.2.3.1 on page 110 of the Manual.

6.2.3.1. The rating process

Having identified the maximum potential consequences and the number of effective safety layers, the basic rating should be determined as follows:

  1. The safety analysis for the facility will identify a wide range of events that have been taken into account in the design. It will recognize that a subset of these could reasonably be "expected" to occur over the life of the facility (i.e. they will have a frequency greater than 1/N per year, where N is the facility life in years). If the challenge to the safety provisions that occurred in the event was such an "expected" event, and the safety systems provided to cope with that event were fully available before the event and behaved as expected, the basic rating of the event should be Below Scale/Level 0.
  2. Similarly, if no actual challenge to the safety provisions occurred, but they were discovered to be degraded, the basic rating of the event should be Below Scale/Level 0 if the degraded operability of the safety provisions was still within authorized limits.
  3. For all other situations, Table 11 should be used to determine the basic rating.
    1. If only one safety layer remains, but that safety layer meets all the requirements of a high integrity safety layer (Section 6.2.2.3), or the long time available provides a highly reliable safety layer (Section 6.2.2.4), a basic rating of Below Scale/Level 0 would be more appropriate.
    2. If the period of unavailability of a safety layer was very short compared to the interval between tests of the components of the safety layer (e.g. a couple of hours for a component with a monthly test period), consideration should be given to reducing the basic rating of the event.

 

TABLE 11. RATING OF EVENTS USING THE SAFETY LAYERS APPROACH

Number of remaining safety layers      Maximum potential consequences
                                       (1) Level 5, 6, 7   (2) Level 3, 4   (3) Level 2 or 1
A  More than 3                         0                   0                0
B  3                                   1                   0                0
C  2                                   2                   1                0
D  1 or 0                              3                   2                1


This approach inevitably requires some judgement, but Section 6.3 gives guidance for specific types of events, and Section 6.4 provides some worked examples of the use of the safety layers approach.
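As an added illustration, not part of the Manual, the following Python encodes the rating process of section 6.2.3.1 together with Table 11 as one decision procedure: the two Level 0 shortcuts (items 1 and 2), the table lookup (item 3), the single highly reliable layer adjustment (item 3.1) and the very short unavailability reminder (item 3.2). The Event fields, the basic_rating function, the sample events and the 1% threshold used to flag an unavailability as "very short" are assumptions made here; the Manual leaves that last point to judgement, so the code only flags it rather than applying a reduction.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 11 from the Manual: row = remaining safety layers, column = maximum
# potential consequence band. Column order: (Level 5-7, Level 3-4, Level 1-2).
TABLE_11 = {
    "A": (0, 0, 0),  # more than 3 layers remaining
    "B": (1, 0, 0),  # 3 layers remaining
    "C": (2, 1, 0),  # 2 layers remaining
    "D": (3, 2, 1),  # 1 or 0 layers remaining
}

# Assumption (not from the Manual): an unavailability shorter than 1% of the
# test interval is treated as "very short" for the item 3.2 reminder.
VERY_SHORT_FRACTION = 0.01


def table_row(remaining_layers: int) -> str:
    """Map the number of remaining safety layers to a Table 11 row letter."""
    if remaining_layers < 0:
        raise ValueError("remaining_layers must be >= 0")
    if remaining_layers > 3:
        return "A"
    return {3: "B", 2: "C"}.get(remaining_layers, "D")


def table_column(max_potential_level: int) -> int:
    """Map the maximum potential consequence (INES Level 1-7) to a column index."""
    if max_potential_level in (5, 6, 7):
        return 0
    if max_potential_level in (3, 4):
        return 1
    if max_potential_level in (1, 2):
        return 2
    raise ValueError("max_potential_level must be an INES level 1-7")


@dataclass
class Event:
    """Facts about an event needed by the rating process (field names are assumptions)."""
    max_potential_level: int          # level reachable had all safety layers failed
    remaining_layers: int             # effective safety layers still in place
    challenge_occurred: bool = True   # was a safety provision actually challenged?
    expected_in_design: bool = False  # frequency > 1/N per year, N = facility life
    provisions_fully_available: bool = False  # available beforehand and behaved as designed
    degraded_within_limits: bool = False      # degradation within authorized limits
    last_layer_highly_reliable: bool = False  # high-integrity layer or long time available
    unavailability_hours: Optional[float] = None
    test_interval_hours: Optional[float] = None


def basic_rating(ev: Event) -> Tuple[int, List[str]]:
    """Return (basic rating, notes) following items 1-3 of section 6.2.3.1."""
    # Item 1: an "expected" challenge that the safety systems handled as designed.
    if ev.challenge_occurred and ev.expected_in_design and ev.provisions_fully_available:
        return 0, ["item 1: expected event, safety provisions available and behaved as designed"]
    # Item 2: no challenge, degradation discovered but still within authorized limits.
    if not ev.challenge_occurred and ev.degraded_within_limits:
        return 0, ["item 2: no challenge, degraded operability within authorized limits"]
    # Item 3: Table 11 lookup.
    row = table_row(ev.remaining_layers)
    col = table_column(ev.max_potential_level)
    rating = TABLE_11[row][col]
    notes = [f"item 3: Table 11 row {row}, column {col + 1} -> Level {rating}"]
    # Item 3.1: a single remaining layer that is highly reliable justifies Level 0.
    if ev.remaining_layers == 1 and ev.last_layer_highly_reliable and rating > 0:
        rating = 0
        notes.append("item 3.1: single remaining layer is highly reliable -> Level 0")
    # Item 3.2: a very short unavailability only flags a possible reduction;
    # the reduction itself is a matter of judgement, so it is not applied here.
    if (ev.unavailability_hours is not None and ev.test_interval_hours
            and ev.unavailability_hours < VERY_SHORT_FRACTION * ev.test_interval_hours
            and rating > 0):
        notes.append("item 3.2: unavailability very short relative to test interval; "
                     "consider reducing the basic rating")
    return rating, notes


if __name__ == "__main__":
    # Constructed illustrative inputs, not cases from the Manual.
    loss_of_offsite_power = Event(5, 3, expected_in_design=True, provisions_fully_available=True)
    two_layers_left = Event(5, 2)
    one_layer_high_integrity = Event(3, 1, last_layer_highly_reliable=True)
    short_outage = Event(3, 2, unavailability_hours=2, test_interval_hours=24 * 30)
    for ev in (loss_of_offsite_power, two_layers_left, one_layer_high_integrity, short_outage):
        print(basic_rating(ev))
```

The notes list records which item of the process produced the rating, which is the part a reviewer of an INES rating will want to check; the number itself is only the end of that chain.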