JAERI - Conf 2003 - 019 JP0450020

ALARP Considerations in Criticality Safety Assessments

Russell L. BOWDEN, Andrew BARNES, Peter R. THORNE and Jack VENNER

Nuclear Technologies p1c, Chadwick House, Birchwood, Warrington, WA 3 6AE,
United Kingdom
Tel 44 1925 855421
russell.bowdenknuclear co. uk

Demonstrating that the risk to the public and workers is As Low As

Reasonably Practicable (ALARP) is a fundamental requirement of safety cases
for nuclear facilities in the United Kingdom. This is embodied in the Safety
Assessment Principles (SAPs) published by the Regulator, the essence of which
is incorporated within the safety assessment processes of the various nuclear site
licensees. The concept of ALARP within criticality safety assessments has
taken some time to establish in the United Kingdom. In principle, the licensee is
obliged to search for a deterministic criticality safety solution, such as safe
geometry vessels and passive control features, rather than placing reliance on
active measurement devices and plant administrative controls.

This paper presents a consideration of some ALARP issues in relation to the

development of criticality safety cases. The paper utilises some idealised
examples covering a range of issues facing the criticality safety assessor,
including new plant design, operational plant and decommissioning activities.
These examples are used to outline the elements of the criticality safety cases
and present a discussion of ALARP in the context of criticality safety
assessments.

KEYWORDS. Criticality, ALARP

1. Introduction operation of the plant, such as routine

The practice of criticality safety assessment
within the United Kingdom is long established.
As in most nations with nuclear industries,
criticality safety case methodology has
developed considerably over time, including a
concerted effort in recent years to modemise
nuclear plant safety cases in order to provide
defence-in-depth and to substantiate the claimed
performance of safety measures relied upon by
the safety case.
operational dose, contaminated wounds and
inhalation via aerial releases, but there is no
distinction made between them - they may all
present a significant risk to the public and the
plant workers. Indeed, there is no distinction
made in addressing these risks within the SAPs.
Consequently, in that sense the requirement to
demonstrate that the risk of criticality is
ALARP is equally valid.
2. Overview of the ALARP Principle

As part of these ongoing developments, it is a As the operator of industrial plant, nuclear

fundamental requirement of modem plant safety
cases that the risk to both the public and
workers is shown to be As Low As Reasonably
Practicable (ALARP). This requirement is
embodied within the Safety Assessment
Principles (SAPs)') published by the UK
regulator, HM Nuclear Installations
Inspectorate NII). The essence of the SAPs is
incorporated within the safety assessment
processes of the various nuclear site licensees.
Criticality safety assessments are simply one
component of the overall plant safety case.
There may be other risks associated with
site licensees in the United Kingdom must
conform to the general health and safety
standards laid down in the Health and Safety at
Work etc. Act 1974. In particular, the licensee
is obligated to conduct it's operations in such a
way as to ensure that all measures necessary to
avert risk must be taken until the cost of these
measures is disproportionate to the risk which
would thereby be averted. In short, the risk
must be reduced to a level which is As Low As
Reasonable Practicable (ALARP).
In addition, the UK nuclear industry is also
governed by the Nuclear Installations Act 1965

- 83 -
 JAERI-Conf 2003-019
which applies specific regulatory controls on
the operation of nuclear sites. The ALARP
principle has a central role in the demonstration
of a robust operational safety case for nuclear
plants. The acceptability of risk can be
conveniently summarised as follows:
a) for any operation, there is a level of risk
so great that the operation cannot be
allowed;
b) even when the risk is tolerable, it must be
reduced to a level which is ALARP;
c) a point is eventually reached at which the
risk is so small that no further precaution
is necessary.
2.1 Safety Limits and Objectives
The concept of an upper limit of tolerable risk
outlined above has been translated into a Basic
Safety Limit (BSL) for the risks from normal
and accident conditions. Any proposed plant or
operation must satisfy the BSL in order to be
acceptable. Having satisfied the BSL, the
ALARP principle is then central to
demonstrating that the risk is acceptable. The
concept of a Basic Safety Objective (BSO) has
been introduced as a first pass at defining the
point at which no ftirther improvements are
necessary. In some cases, it may be such that
consideration of ALARP justifies the licensee
presenting a safety case that does not reach the
BSO, particularly for older facilities. However,
it can be seen that if it is reasonably practicable
to achieve further reductions in risk beyond the
BSO level, then the licensee is obliged to do so.
The SAPs define the following BSLs and
BSOs, which are broadly consistent with the
targets applied to the frequency of criticality on
operational plants:
BSL BSO
Risk of Death 10-4 Y'l 10-6 Y-1
Frequency of Criticality 10-3 Yl 10-4 YI
2.2 Hierarchy of Controls
The other issue of iportance in the
consideration of ALARP is often referred to as
the hierarchy of control. In summary, this is
based upon the premise that the incorporation of
inherent, engineered safety into plant design or
operations is preferable to the use of safety
measures that require active intervention or
human agency in order to maintain control.
- 84 -
It is helpful to visualise this hierarchy concept
as follows:
Passive Engineered AL
Preferred
Active Engineered Safety Measures
Administrative
In the context of criticality safety assessment,
we reach the well-established conclusion that
engineered safety, such as geometrically safe
vessels, is preferable to the use of
administrative operator control. Whilst the
hierarchy of control does not tell us anything
new, there is a clear link to the demonstration of
ALARP, since the licensee should be seeking to
provide engineered safety measures if they are
reasonably practicable.
The ipact of this consideration of ALARP
clearly depends upon the stage of plant design
or operational state. For example, it is far easier
to incorporate engineered safety features into a
new plant design and to demonstrate that all
reasonable steps have been taken to eliminate
the criticality hazard. On operational plants,
there may be less flexibility with respect to
enhancing the means of criticality control on the
plant and indeed other hazards may require
carefid consideration in ensuring that the
optimum process is identified that provides the
lowest overall risk to the public and the plant
workers. Decommissioning operations are
potentially a more extreme case, since there
may be little information concerning the nature
and hold-up of fissile material, or the plant may
be in a poor state such that there are other
significant risks that necessitate early
decommissioning. In this case, the overall
design solution should again seek to provide the
best overall balance of risk.
2.3 ALARP in Criticality Safety Assessment
It is useful at this stage to emphasise that the
consideration of ALARP is not a 'bolt on' or an
afterthought in the criticality safety analysis. It
is our view that a robust demonstration of
ALARP is fundamental to the safety case. All
plants handling fissile material must have a
criticality safety case. The primary objective is
to demonstrate that the risk satisfies the BSL
(and aims towards the BSO), and in this sense
all criticality safety cases have the same goal,
since the plant design or proposed operations
are not satisfactory unless this basic level of
safety is achieved. As explained previously,
however, it is the consideration of ALARP that
 JAERI-Conf 2003-019
provides the robust justification for the level of
safety associated with the plant or operations.
3. Case Studies of ALARP
In order to provide a useful discussion of
ALARP issues in criticality safety assessments,
we have used some idealised examples to
illustrate the considerations that might be made
in demonstrating that the risk of criticality is
ALARP. The intention of these case studies is
to provide a brief overview of the elements of
the criticality safety case and then proceed to
outline the issues that might prevail in the
ALARP analysis. The examples chosen are not
meant as an exhaustive ALARP demonstration,
but simply to provide some consideration and
explanation of the incorporation of ALARP
within the criticality safety assessment process.
Moreover, they are intended to cover a range of
plant design and operational states, from new
plant design through to decommissioning. In
each example, it is assumed that it is necessary
for the operations to be perfon-ned. The 'do
nothing' option does not exist in any case,
although it is recognised that such an option, if
it was viable, could have no associated risk of
criticality.
3.1 New Plant Design
The design process for a new plant handling
fissile material provides the most
straightforward ALARP study, since the design
optioneering can incorporate criticality design
features from the outset. The auditable trail of
decision making throughout the design can
provide clear evidence that the selected design
is ALARP. The selection of the criticality
design features must acknowledge the hierarchy
of control discussed earlier; in essence, if it is
reasonable and practicable to provide
engineered safety features, such as safe
geometry vessels, then this should be a key
feature of the plant design.
So how might the consideration of ALARP
figure in the development of a new plant
design? Let's consider the design of a spent
fuel dissolver in a plant that reprocesses light
water reactor fuel. On the first pass, we might
contemplate the use of a safe geometry vessel
design or perhaps utilising mass control over
the fuel loading in the dissolver batch. Even for
low enriched uranium fuel, it would soon be
evident that this approach is not compatible
with the concept of a plant that reprocesses
large quantities of ftiel. The operational costs
would be prohibitive with the Rely result that
- 8 -
the plant would not be commercially viable. In
addition, the risks associated with prolonged
pond storage of the fuel might be significant.
Overall, there could be a robust argument for
providing an industrial scale dissolution process,
perhaps involving dissolver batches containing
tonnes of spent fuel.
In this case (assuming a single dissolver
vessel), then some neutron poisoning is
evidently required, with the choice between
fixed poisons and the use of a soluble poison in
the dissolver acid. If we consider the hierarchy
of controls, then the fixed poison option is
preferable, since it provides a passive
engineered safety feature. However, it is
conceivable that the fixed poison could not be
designed to withstand the aggressive chemical
conditions within the vessel and so it would be
difficult to prove the ongoing efficacy of the
criticality control. It can also be imagined that
an arrangement of fixed poison regions within
the dissolver would present operational
difficulties, with sheared fuel pieces potentially
becoming lodged in the dissolver.
Although the soluble poison does provide a
physical means of criticality control, it is
effectively an administrative control since the
dissolver acid make-up requires confirmation of
the poison concentration prior to the
commencement of fuel dissolution. It is
recognised that active engineering could be
introduced to prevent operation in the event that
insufficient poison is present, but the
construction of a robust criticality safety case
might introduce several safety measures
concerning control and verification of the
poison content. In addition, the decision to
adopt soluble neutron poisons may present
additional risk, since there could be some
impact associated with the presence of the
chosen poison in the process waste products.
Both sides of the risk balance need to be
carefully assessed in arriving at the final plant
and process design.
In summary, whilst it is recognised that the
use of a soluble neutron poison is not the ideal
solution from a criticality control perspective, it
is likely that this might present the optimum
solution in terms of ALARP.
3.2 Operational Plant
As is common around the world, some
nuclear facilities have operated for a number of
years. It is evident that the standard of plant
safety cases has improved with time, and
 JAERI-Conf 2003-019
consequently the reappraisal of criticality safety
cases on ageing operational plants provides
another challenge to the criticality safety
assessor. What considerations need to be made
in assessing the ongoing criticality safety of the
plant? How can the extant safety measures,
which might have been in place since the start-
up of the plant, be demonstrated as reducing the
risk of criticality and satisfying the
requirements of ALARP?
Let's use a spent fuel reprocessing plant
application to contemplate this type of problem.
Specifically, we will consider a large mixer-
settler vessel that is used in the initial separation
of uranium and plutonium from the highly
active fission products and higher actinides.
Historically, the plant has relied upon
monitoring equipment to infer the fissile
concentration at specific stages of the process,
such as raffinate streams. These have provided
protection against the identified fault conditions
but are clearly administrative criticality controls,
since they rely upon the plant operator's
response to their alarm. What considerations
need to be made in assessing whether or not the
criticality risk is ALARP?
Given that we are concerned with an
operational plant, then we should be able to
readily dismiss the option of safe geometry
vessels, as it would involve major capital cost
and re-engineering of the plant. Consideration
of the highly active process would also indicate
a potentially significant risk detriment from the
increased collective operator dose associated
with the implementation. Similarly, there might
be sizeable risk detriments from the provision
of engineering to stop the active feed flow upon
alarm. So what options remain?
Depending on the exact nature of the process,
the existing monitoring equipment might not be
ideally located from the perspective of
immediately identifying the fault condition. For
example, fissile concentrations within the vessel
may have risen significantly before the alarm
level is reached by the monitor, which might be
positioned at one specific stage of the vessel or
even on the raffinate or product streams.
The first question is whether an earlier
recognition of the fault scenario would provide
any advantage to the criticality safety case; if so,
consideration might be given to the movement
of the monitor or even the introduction of
additional equipment to cover other vessel
stages. However, it is possible that positioning
monitors elsewhere on the vessel could be
- 86 -
impracticable due to the high radiation
background.
As an alternative, there could be some benefit
in reducing the alarm settings to provide greater
response time before the safe limit is reached.
This obviously depends on the progression of
the fault and the timescale over which the safe
fissile concentration would be attained. Clearly,
reducing the alarm settings should also
minimise the risk of regularly reaching the
alarm level and thereby compromising the
efficient operation of the plant.
The final comment on this example relates to
the operating culture that exists on the plant.
Certainly where a plant has operated
successfully and safely for a number of years,
then a sound culture has been established
concerning the criticality safety of the plant.
The operators will be used to controlling the
process and in responding to the various alarms
and other indications as to the plant state. It
might be argued that wholesale changes to the
criticality control philosophy would have a
detrimental effect on safety, since it could
undermine the previous successful operator
input and introduce some uncertainty in
exercising criticality control.
3.3 Decommissioning - Example
As discussed previously, decommissioning
operations present an interesting challenge to
the criticality safety assessor in the
consideration of ALARP. The specific plant
conditions are a key element of the analysis,
since there may be significant risks other than
criticality, the management of which provides
the incentive for early decommissioning. From
the criticality safety perspective, it might be that
there are poor or incomplete operating records
for the plant and that there is little information
concerning the nature and hold-up of fissile
material in the plant. In addition, it might be
that the mechanical integrity of any engineered
safety features, such as storage racks, is
uncertain. The extant state of the plant might
also preclude any substantial engineering works
in support of the decommissioning operations.
As a first example, let us consider a pit below
ground level, which has been used for the
disposal of various waste items. The facility
has been used over a number of years and has
been subject to water ingress via groundwater
flow. Although it was not originally conceived
that the waste would be removed, the presence
of other risks, such as fire and explosion, now
 JAERI-Conf 2003-019
provides an operational incentive to retrieve the
waste and package it for above ground storage
under modem standards and conditions.
The fissile inventory of the pit is large,
containing many critical masses of fissile
material. The condition of the waste items is
unknown and there is no information
concerning the distribution of fissile material
within the pit. So where does the criticality
safety assessor begin in developing a robust
criticality safety case for such a facility?
The first goal must be to achieve control from
a criticality perspective as soon as possible in
the retrieval process. Although it might be clear
that the pit has never achieved criticality, the
lack of knowledge concerning the fissile
material distribution and conditions within the
pit is such that ascertaining the true subcritical
margin would be difficult. Any fissile assay
prior to intrusive operations would be of benefit
in determining the fissile content and
distribution. In this case, however, with the pit
being below ground level, it might be judged
that in-situ fissile assay would be impracticable
or even physically impossible. It might also be
that the waste varies widely, so that monitoring
the fissile material at the surface would be
infeasible. It might also be that representative
sampling would be difficult to achieve, given
the lack of information concerning the
characteristics of the waste matrix and the
fissile distribution.
In the absence of any fissile assay
information, the search for an engineered design
solution might push the assessor towards a
maximum safely subcritical volume approach.
Such a method would be extremely restrictive
and might only result in a few litres of waste
being removed at a time, but would provide a
deterministic criticality safety solution. Even
trying to account for other materials present in
the waste matrix, might only result in small
increases in the permitted retrieval volume.
However, waste retrieval on this basis would be
challenging, both in terms of the engineering
and the overall programme duration, and
thereby might increase other risks associated
with the plant.
So, whilst the deterministic approach might
be desirable from a criticality perspective, it is
clear that it might not be a viable solution for
the management of all risks associated with
waste retrieval. In other words, it might be that
the risk benefit gained through a deterministic
approach is outweighed by the risk detriment
- 87 -
from all other factors. In this simple case study,
the risks might be represented by:
Benefit Detriment
Averted Increased operational cost
criticality
Increased collective operator
dose
Enhanced risk from other
hazards (e.g. explosion, fire,
conventional, environmental)
Stakeholder perception
(although this may appear as a
risk benefit in some cases)
Having identified the pertinent benefits and
detriments, we need to assess the overall risk
balance in deciding if the proposed retrieval
method is ALARP. The risk benefit gained
from the deterministic approach can be
compared with an alternative non-deterministic
approach, where the risks are essentially the
product of the operational lifetime, the
consequences and the frequency of criticality.
We can arrive at a conservative upper estimate
of the risk benefit by setting the frequency of
criticality at the BSL for the alternative
approach (i.e. non-deterministic) and setting the
frequency of criticality to zero for the
deterministic approach. This will provide us
with an estimate of the number of stochastic
deaths avoided by adopting the deterministic
approach.
On the risk detriment side, we can simply
sum the risks from the other factors. Again, we
can estimate the number of stochastic deaths
incurred from the proposed design and use the
overall balance of risk to make the judgement as
to whether or not the risk associated with the
design is ALARP. In line with the accepted
approach to accident ALARP, if the risk benefit
is grossly disproportionate to the risk detriment,
it can be assumed that the optimum design
solution has not been identified.
It is worth noting that the presence of
significant bulk shielding can be a key factor in
the risk balance, due to the lower consequences
of criticality than for an unshielded facility.
The idealised example above assumes that the
retrieval operations are conducted remotely,
with significant bulk shielding present due to
the routine radiation source associated with the
waste. This simplifies the risk balance
judgement, as the consequences of criticality in
 JAERI-Conf 2003-019
this case would probably be below the threshold
of any deterministic (i.e. non-stochastic) effects
(generally accepted as 0niG Y2)) and hence the
risk benefit element can be considered in terms
of averted stochastic deaths.
3.4 Decommissioning - Example 2
The second example of a plant undergoing
decornmissioning concerns a spent fuel storage
pond containing various forms of fissile
material that has been held in storage for a long
period of time. Although an export route was
originally provided, this is no longer safely
available in view of the overall state of the plant.
Underwater surveys have indicated corrosion
and damage of some of the skips containing the
fuel storage cans, as well as some of the cans
themselves. The problem for the criticality
safety assessor is how the fuel can be removed
safely and with regards to the ALARP principle.
The principal consideration is to maintain the
existing criticality controls (e.g. safe diameter
cans and safe spacing) during the retrieval
process. The age of the plant and the difficulty
of substantiating its structural integrity are such
that any substantial engineering works would be
difficult to justify and may be prohibitively
expensive. Additionally, the state of the plant
and fuel is such that radiological haza ds
present a significant risk to the public and the
workers. These factors are likely to have an
influence on the final design for removing the
fuel from the pond.
From the criticality safety perspective, a
robust criticality safety case can be constructed
which introduces simple, practicable steps in
reducing the risk of criticality, as well as
mitigating the potential consequences of a
criticality incident. As an example, the dubious
condition of the fuel skips and storage cans
indicates that reliance upon the integrity of
these items should be minimised as much as is
reasonably practicable. The intention of the
retrieval process should be to achieve criticality
control as soon as possible. Ideally, this would
involve removing a fuel storage can from a skip
and immediately placing it into an engineered
container for safe movement and removal from
the pond.
Where it is necessary to move skips
containing ftiel, this could be undertaken at the
minimum achievable height above the pond
floor, having first completed an underwater
survey to confirm that the removal route is clear
of obstructions. This simple step would help to
8 -
reduce the risk of criticality from dropping or
tipping the fel skip, but also maintains the
maximum practicable water depth above the
fuel and therefore reduces the potential dose
consequences in the event of criticality. Other
steps, such as prohibiting the transfer of skips
and cans over other fissile material, are also
readily achievable, practicable measures that
will enhance the criticality safety of the fuel
removal operations.
Historically, criticality safety considerations
have tended to drive the design of many
assessments for decommissioning and retrievals
projects. However, this has often been
accompanied by a tendency for the criticality
safety cases to be conservative and striving to
achieve deterministic safety. This has
sometimes proven to be excessively restrictive
in real terms, leading to operational difficulties
as well as incurring increased operator doses.
In other words, seeking the ideal criticality
safety solution can introduce risk detriments
that must be assessed carefully in order that the
optimum design solution is achieved with
respect to ALARP.
4. Conclusions
The case studies discussed above have
illustrated the various considerations that can be
made in demonstrating that the risk to the public
and workers is ALARP. It has been shown that
criticality is generally only one of the risks
associated with the design, operation or
decommissioning of a nuclear plant. In the
opinion of the authors, the optimum design
solution must take due account of all of the
conceivable risks. We have discussed the
concept of an overall risk balance, which
recognises the risk benefits and detriments
associated with a chosen design solution. It is
proposed in the chosen examples that there are
often sound reasons for not adopting the ideal,
deterministic criticality safety solution.
References
1. Health and Safety Executive, "Safety
Assessment Principles for Nuclear Plants",
(1992).
2. ICRP Publication 60, 111990
Recommendations of the International
Commission on Radiological Protection",
Annals of the ICRP 2 , No. 13 199 1).