DEFENCE IN DEPTH
Defence in depth: reactors

TABLE FOR RATING EVENTS

 

This table (Table 10) shows the basic rating of the event, where there was no initiator, depending on the initiator frequency and safety function operability.

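Table 10. Rating of events without a real initiator

| Safety function operability | Initiator frequency: (1) Expected | (2) Possible | (3) Unlikely |
|---|---|---|---|
| A Full | Level 0 | Level 0 | Level 0 |
| B Minimum required by OL&C | Level 0 | Level 0 | Level 0 |
| C Adequate | Level 1 or 2 | Level 1 | Level 1 |
| D Inadequate | Level 3 | Level 2 | Level 1 |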

Let’s look at some of the examples.


For the first two rows, there has been no initiator and all the safety systems are within operational limits and conditions. In many cases that would not be deemed an event and is almost 'normal operation', hence a rating of Level 0.

 

If we found the safety function to be inadequate, the only thing that stopped an accident was that the initiator did not occur. If the likelihood of that initiator was 'expected', i.e. > 1 in 100, we were one step away from an accident; hence Level 3.

 

If the initiators are less likely, a lower rating is appropriate, hence Levels 2 and 1.

 

We need to fill in row C with ratings that lie between those for rows B and D. In box C3 we have put Level 1. This is because any event where the Technical Specifications are not complied with would be rated at Level 1 based on safety culture. It is important to remember the basis for the rating, and not increase it further when additional factors are considered.

 

There is a choice in box C1. That choice should depend on the extent of redundancy and diversity still remaining. If the operability is just adequate, Level 2 would be appropriate.

The basic rating here takes no direct account of how long the systems may have been unavailable. Clearly, if it is a very short time, the chance that the initiator could have occurred is much less. For this reason, the Manual does say that if the period of unavailability is very short, a lower rating may be appropriate. If you want to know how 'very short' is defined, have a look at item 3 on page 79. You may like to read 5.1.4.1 and 5.1.4.2 of the Manual, which also explain how to rate events with no initiator and give some additional information.

(3) The event rating should be determined from Table 10.

If the period of inoperability was very short compared to the interval between tests of the components of the safety system (e.g. a couple of hours for a component with a monthly test period), consideration should be given to reducing the basic rating of the event.

5.1.4.1. Basis of rating

The appropriate ratings for events without a real initiator are given in Table 10. The basis of the values given in the table is as follows.

The rating of an event will depend on the extent to which the safety functions are degraded and on the likelihood of the initiator for which they are provided. Strictly speaking, it is the likelihood of the initiator occurring during the period of safety function degradation, but in general, the methodology does not take account of the time period. However, if the period of degradation is very short, a level lower than that provided in Table 10 may be appropriate (see Section 5.1.4.2).

If the operability of a safety function is inadequate, then an accident was only prevented because an initiator did not occur. For such an event, if the safety function is required for expected initiators, Level 3 is appropriate. If the inadequate safety function is only required for possible or unlikely initiators, a lower level is clearly appropriate because the likelihood of an accident is much lower. For this reason, Table 10 shows Level 2 for possible initiators and Level 1 for unlikely initiators.

The level chosen should clearly be less when the safety function is adequate than when it is inadequate. Thus, if the function is required for expected initiators, and the operability is just adequate, Level 2 is appropriate. However, in a number of cases, the safety function operability may be considerably greater than just adequate, but not within the Operational Limits and Conditions. This is because the minimum operability required by Operational Limits and Conditions will often still incorporate redundancy and/or diversity against some expected initiators. In such situations, Level 1 would be more appropriate. Thus, Table 10 shows a choice of Level 1 or 2. The appropriate value should be chosen depending on the remaining redundancy and/or diversity.

If the safety function is required for possible or unlikely initiators, then reduction by one from the level derived above for an inadequate system gives Level 1 for possible initiators and Below Scale/Level 0 for unlikely initiators. However, it is not considered appropriate to categorize at Below Scale/Level 0 a reduction in safety system operability below that required by the OL&C. Thus, Level 1 is shown in Table 10 for both possible and unlikely initiators.

If the safety function operability is full or within OL&C, the plant has remained within its safe operating envelope, and Below Scale/Level 0 is appropriate for all frequencies of initiators. Thus, Table 10 shows Below Scale/Level 0 for each cell of rows A and B.

5.1.4.2. Rating procedure

With the background described in the previous section, events should be rated using the following procedure:

  1. Determine the category of safety function operability.
    1. If the operability is just adequate but still within OL&C, operability category B should be used as the plant has remained within its safe operating envelope.
    2. In practice, safety systems or components may be in a state not fully described by any of the four categories. The operability of the safety function may be less than full but more than the minimum required by OL&C, or a complete system may be available but degraded by loss of indications. In such cases, the relevant categories should be used to give the possible range of the rating, and judgement used to determine the appropriate rating.
  2. Determine the category of frequency of the initiator for which the safety function is required.
    1. If there is more than one relevant initiator, then each must be considered, and the one giving the highest rating should be used.
    2. If the frequency lies on the boundary between two categories, both categories can be used to give the possible range of the rating, and then some judgement will need to be applied.
    3. For systems specifically provided for protection against hazards, the hazard should be considered as the initiator.
  3. The event rating should be determined from Table 10.
    1. If the period of inoperability was very short compared to the interval between tests of the components of the safety system (e.g. a couple of hours for a component with a monthly test period), consideration should be given to reducing the basic rating of the event.
    2. In cell C1 of the table, where choice of rating is given, the choice should be based on whether the operability is just adequate or whether redundancy and/or diversity still exist for the initiator being considered.

Beyond design initiators are not included specifically in Table 10. If the operability of the affected safety function is less than the minimum required by OL&C, Level 1 is appropriate. If the operability is within the requirements of OL&C, or the OL&C do not provide any limitations on the system operability, Below Scale/Level 0 is appropriate.
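The rating procedure above, including the range handling, the C1 choice and the beyond design case, can be written out as a short Python sketch; this is an added example and not part of the Manual or the e-learning material. The function names, the data layout, the `redundancy_remains` and `very_short` parameters, and the reading of "less than the minimum required by OL&C" as categories C and D are assumptions made for illustration.

```python
# Added example: names and data layout are hypothetical, not the Manual's.
# Table 10 cells as (low, high) levels; 0 means Below Scale/Level 0.
TABLE_10 = {
    "A": {1: (0, 0), 2: (0, 0), 3: (0, 0)},  # Full
    "B": {1: (0, 0), 2: (0, 0), 3: (0, 0)},  # Minimum required by OL&C
    "C": {1: (1, 2), 2: (1, 1), 3: (1, 1)},  # Adequate
    "D": {1: (3, 3), 2: (2, 2), 3: (1, 1)},  # Inadequate
}
BEYOND_DESIGN = "beyond design"  # not a Table 10 column


def cell_range(operability, frequency, redundancy_remains=None):
    """Levels for one operability category and one initiator frequency."""
    if frequency == BEYOND_DESIGN:
        # Level 1 below the OL&C minimum (read here as C or D), else Level 0.
        level = 1 if operability in ("C", "D") else 0
        return (level, level)
    if (operability, frequency) == ("C", 1) and redundancy_remains is not None:
        # Cell C1: Level 2 if just adequate, Level 1 if redundancy remains.
        level = 1 if redundancy_remains else 2
        return (level, level)
    return TABLE_10[operability][frequency]


def rate_event(operabilities, initiators, redundancy_remains=None,
               very_short=False):
    """Basic rating range for an event without a real initiator.

    operabilities: categories bounding the actual state (step 1).
    initiators: one list per relevant initiator, holding the frequency
        categories it may fall in (step 2).
    """
    lows, highs = [], []
    for frequencies in initiators:
        cells = [cell_range(o, f, redundancy_remains)
                 for o in operabilities for f in frequencies]
        lows.append(min(low for low, _ in cells))
        highs.append(max(high for _, high in cells))
    # Step 2.1: the initiator giving the highest rating governs.
    low, high = max(lows), max(highs)
    return {
        "range": (low, high),
        "needs_judgement": low != high,
        # Step 3.1 only asks for consideration, so flag it; do not subtract.
        "consider_reduction": very_short and high > 0,
    }
```

A result whose `range` has two different ends marks a case where the procedure calls for judgement between the bounding categories.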