Hazard management of a nuclear facility

Author : Stephen Ball, Project Engineering Manager Evaporator D, Sellafield Ltd

09 March 2011

The design and operation of nuclear facilities is always taken seriously, but when the building of new plant is adjacent to the Highly Active Liquid Effluent Storage (HALES) facility, processing concentrated radioactive liquors, nothing is left to chance as we design robust plant to allow safe operation whilst ensuring safe construction in very constrained locations.

However as with any industry, large or small, high hazard or not, the approach to managing hazards is based on the same principle – identify, assess and then eliminate. As we live in the real world elimination is not always possible and as such the nuclear industry has established a means by which the relative risks can be quantified to ensure control of residual risks.

These measures include the production of a deterministic safety case.

“A deterministic safety case would be made by the provision of design features which passively prevent any harm to the public / workers even if a fault occurs or hazardous condition is present”.

An example would be waste containers which generate heat due to the radiogenic materials contained within are cooled not by pumped or forced ventilation but by a naturally induced air flow from a stack or other passive building feature.

Within the nuclear sector, as with all high hazard industries, the principles of managing the hazards associated with the construction and operation of active plant are built into design from the earliest concept to the final fully developed plant with each phase requiring a safety case to document the risks identified. This process is undertaken with iterations of the safety case each one unique but built upon the information contained within the previous version. In this way as the design is developed the knowledge of the risks and hazards is increased and design solutions provided.

Within Sellafield Ltd a four stage system is used. Preliminary; pre-construction; pre-inactive commissioning and pre-active commissioning safety cases provide the platform for the specification and assessment of the hazards. At every stage formal hazard/operability (Hazop) and hazard in construction (Hazcon) studies support the safety case production, all of which are subject to endorsement both internally and externally by regulatory bodies.

The Plant

When nuclear fuel is reprocessed waste is produced some in a solid form and other in liquid form. Facilities to store and treat such wastes are located in the UK on the Sellafield Site. The site is licensed under the Nuclear Installations Act of 1965 for the purpose of installing and operating nuclear installations. As part of these operations liquid wastes know as Highly Active Liquor (HAL) are generated and pose a significant radiological hazard if not properly managed. Therefore it is very important to make sure that the equipment in the facility, as well as the facility itself, meets stringent standards.

A new facility, known as Evaporator D, is being built on the Sellafield Site, which, when operational, will provide additional capacity to manage HAL.

The liquors processed within Evaporator D are heat generating and need to be cooled, as excess heat can lead to enhanced corrosion within vessels containing the liquors and seriously affect the life of the plant. Such liquors pose a direct radiological hazard if released out of the primary containment vessels and pipework.

Following the deterministic safety case principles it would be preferred to passively cool the heat generating liquors (145Kw/hr). But this was impracticable given other design constraints, predominant of which was the need to prevent any liquid or aerial releases of activity from the primary/secondary containment over the plant’s 25 years operational life. This meant that passive ventilation direct to the environment could not be utilised.

Therefore the principles adopted looked at alternative means by which safety features could be provided to reduce the potential for activity release to very low level such that the residual risk is tolerable. These systems can be assigned values from known or derived data and when calculated in a fault tree (essentially lines of dominos representing activities or events) the limiting value for all such features when laid out in this manner and taken as a whole should be targeted again a limit of 10-6 or better.

The final design employs closed circuit pumped systems with multiple control measures with diversity provided by two totally independent cooling circuits in discrete cells, each of which included a high integrity primary cooling water circuit, providing positive separation to external secondary circuits via intermediate heat exchangers. In this way a pressure gradient towards the active process is maintained from secondary to primary cooling systems. The primary circuit was placed within biological shielding to protect the workforce and contain any radiological leaks within a safe environment. The separate cooling circuits prevent activity migrating to the secondary circuit which passes cooling water through external cooling towers. The primary circuit also has passive air and pressure trip systems which maintain a positive pressure to prevent activity leaking into the circuit. These together with appropriate radiological monitoring allow for control of residual risks allowing the design to meet the stringent demands of the safety case, and demonstrate the design to be “As Low as Reasonably Practicable” (ALARP).

In a fault tree the frequency of the initiating event together with the probability of failure of the protective measures would be represented numerically to determine that the risk associated with offsite and worker dose consequences are tolerable.

Managing the location - Small Site, High-Risk Neighbours

Due to the proximity of the construction site to other facilities any activities that could impinge on current nuclear (or for that matter, chemical) operations needed to be considered.

The decision on where the building is located is based on what it will do (i.e. process HAL) not where it is easiest to build. An overview of the risks involved in construction and operation of the plant was made, this took into account the risk during construction and weighed it against the feasibility and risk of transferring HAL via pipebridge over large distances if an ‘easier construction location’ could be found.

Evaporator D is being built on a relatively small plot of land near to existing facilities, which is also situated adjacent to a main internal rail line and one of the main roads on the Sellafield Site.

Building at Sellafield Site is traditionally carried out in situ, with the construction sequence and size of installed equipment historically driven by the remote location and constrained road access. However, other industries (notably oil and gas) use off-site fabrication of large modules and transport these to required locations in the largest size possible.

To evaluate the pros and cons of each approach, a Multi Attribute Decision Analysis (MADA) process was performed on the construction method. A useful tool to aid decision-making, MADA takes into account a number of pertinent factors (e.g. time, radiological safety, environmental impact and cost) and places a weighting on each factor based on perceived importance. Each factor is then scored for the construction options and the factors and weightings are used to derive an overall score for each option – the higher the score the ‘better’ the option.

The best and chosen option from the analysis uses large modules (the largest is approximately 500 tonnes with dimensions of 27m high by 7m by 13m) and transports them to Sellafield site by sea. A concrete cell structure is being constructed at the Evaporator D site and the modules are then slotted into their final location. Floors and some internal walls will then be cast in situ prior to the next module being installed.

This approach addresses a number of issues:

 The safety of the construction workforce is improved by reducing the number of people required to work on this small site. A significant amount of work will now be off-site in a workshop as opposed to on a construction site. High-risk tasks, such as working at height, will be substantially reduced.
 With the amount of on-site work minimised, the potential for this work to have an effect on adjacent facilities (equipment or plant damage, interruptions to supplies) has been decreased.
 Project timescales are improved by enabling the parallel programming of offsite fabrication and onsite construction activities

A number of additional benefits have directly arisen from adopting this option, namely:
 With the majority of the plant equipment being fabricated off-site within a controlled workshop environment, fabrication quality levels will be easier and quicker to achieve.
 Commissioning tests can be carried out on assembled systems at the fabricators, reducing the number of traditional in-situ performance tests and thereby accelerating programme.

Knock-on Effects

In order to choose off site fabrication as an option, two key issues had to be reviewed:

1. The modules exceed the road and rail capability to the Sellafield site hence delivery by sea was the only feasible transportation option.

Detailed plans for sea deliveries to Sellafield site were developed with a variety of stakeholders; including local government; regulators and landowners (some 30 in total) needing to be consulted. Other factors had to be considered for landing large modules on site such as protection of fragile ecologies (such as Natterjack Toad); environmental impact of any temporary works and traversing the main Carlisle to Barrow rail line.

2. Installation of the modules requires a gantry system to move them from their transporter into the final resting position.

The operation of heavy lifting equipment close to the current evaporator fleet and chemical storage facility clearly poses some risk. However, cranage will be required irrespective of the construction method and the number of crane lifts required will be significantly reduced with a large module approach – the modules being handled by an inherently safer gantry system. Therefore the off-site fabrication method actually leads to safer on-site lifting conditions and a corresponding reduction in risk, with less lifting operations both crane collapse and conventional safety assessments proving easier to make.

Building the Building

Fabricating large modules and slotting them into a concrete cell structure reduces but does not eliminate the need for cranes to be used during construction, to move incoming supplies and assist in handling equipment. In investigating different options for the cranes the project team identified the potential to use two self-erecting tower cranes as opposed to the ‘traditional’ tower cranes commonly used at Sellafield site.

The ballast on self-erecting tower cranes remain close to ground level, thus reducing the consequence of any impact on an adjacent building in the unlikely event of a crane collapse. In addition, stringent lifting requirements have been imposed (including wirelessly connected anti-collision and zoning systems) to minimise the consequence on adjacent facilities from dropped loads or clashing. The majority of lifts are limited to 2 tonnes however in some instances managed lifts of upto 4.8 tonnes are permitted.

As the decision to build large modules off-site brought new risks to manage in terms of module transport, the decision to use self-erecting tower cranes with restricted lifting capacity led to a review of how to manage the casting of the concrete structure.

These limits on lifting using the self-erecting tower cranes meant that a different approach to shuttering for the structure had to be found. Again learning from others was investigated and an approach used in high-rise applications, a self-climbing formwork system, is being used.

A simple worked example

Due to the proximity of construction activities to other existing facilities the next stage was to consider how the construction could impinge on these targets and what the ‘worst case’ consequence was on that facility and how damage could occur. This led to a developing series of construction assessments which identified the significance of individual fault scenarios and identified the protective measures available to prevent/minimize the impact of each fault. Collapse radius drawings were developed for different cranes in different set-up positions which when used in conjunction with data on crane lifting capacities allowed for the identification of optimum (least risk) construction methods.

To stop the event in the first place the ‘normal’ controls of training, competence assessment, supervision, maintenance etc. were developed further by the use of audits and inspections to ensure what is ‘claimed’ is, in fact working. Physical controls, such as slew protection and testing of the ground conditions for the location each of the cranes (together with robustness of the crane bases and outriggers) are additional ‘strong’ controls. Lifting plans and schedules, checked against crane capability (which is de-rated to ensure extra margins of control) provide additional controls.

By continually working on the premise that all controls can fail then the potential consequence of any failure can be minimised. By designing out Tower Cranes (where the counterweight is located at the top of the crane) and using Self-Erecting Tower Cranes (where counterweights are at ground level) means that the consequence of any crane collapse is limited to the weight of the jib and crane tower itself and not the counterweight.

Summary

Although over-simplified (this actual process took a large number of months and involved safety specialists as well as construction and operational experts) this provides a flavor of the overall processes used on the project. Hazard management is not a simple once only pass at ‘identify, assess and (if you can’t eliminate) control’. The controls developed to manage the high hazards will most often cause other issues to be raised and a second, third or even fourth iteration will be needed.