The demonstration of incredibility of failure in structural integrity safety cases

A safety case must be produced to justify the operation of nuclear plant. Wherever possible, such cases seek to demonstrate that sufficient physical layers of protection exist to ensure the safety of plant operators and the public. This is the principle of Defence in Depth. However, there are some components, notably pressure vessels and other pressure boundary components, where the provision of multiple physical layers is not possible. For these components, safety cases seek to justify that failure of the component is an ‘Incredible’ event with a frequency of occurrence of less than 10 −7 per year. This frequency is two orders of magnitude lower than the demonstrated failure frequency (10 −5) of conventional pressure vessels. This paper presents the findings of The Technical Advisory Group on the Structural Integrity of Nuclear Plant (TAGSI), who have considered what key principles should be employed in producing an ‘Incredibility of Failure’ safety case. TAGSI favour the multi-legged, multi-element graphical structure, with legs chosen so that they contain conceptually different arguments, and elements making up the discrete arguments in each leg. A properly constructed safety case will exhibit ‘Conceptual Defence in Depth’, with each leg providing a conceptually different contribution to the whole. The provision of Conceptual Defence in Depth is necessary to demonstrate the low failure frequency of nuclear pressure vessels. The quantitative assessment of the overall failure frequency, or the probability of failure per year, requires, firstly, that separate estimates are made of the probability of failure of each leg using only the information provided in the leg, and, secondly, the combination of these separate estimates into an overall value. Assessments can be made quantitatively through a probabilistic assessment, but it is more usual for a deterministic assessment to be carried out — e.g. using partial safety factors to ensure a high safety margin. The concept of ‘Worth’ provides one method of assessing the ‘strength’ of each leg in the context of the whole safety case. The strength of the overall case can be gauged by adding up the separate values of Worth. A value of Worth of more than seven would correspond to a failure frequency less than 10 −7 per year. Hence, it would demonstrate Incredibility of Failure.