RE: [sc] Who applies Risk Acceptance Principles (50126-2, 8.1.1)

RE: [sc] Who applies Risk Acceptance Principles (50126-2, 8.1.1)

From: Loebl, Andy <loeblas_at_xxxxxx>
Date: Mon, 25 Jun 2012 11:53:28 -0400
Message-ID: <44AFFEAB8D18894C8529A1480C0CDAC813A0A1301F@xxxxxx>
Well, my information resulted from two projects I work on in 2009.  One was to review NUREG-6303 (Defense-in-Depth)  the goal of that project was to write a report on clarifying the NUREG so industry could address the movement of analog to digital control and safety systems of new electrical power production reactors.

The second was a review of GE and Mitsubishi to obtain NRC approval for the use of Mitsubishi existing digital systems for retrofitting old production reactors and outfitting new production reactors.  The rational from GE was that the systems have never had a problem so they could use that record of achievement and give benefit to NRC.

I was kicked off the project for showing the NRC that defense in depth would not improve the risk of failure any more than two independent or redundant systems improve the risk of failure, it merely increases the confidence that the probability of failure on demand is mitigated but does not lessen the probability.

The other reason was that GE objected to my insistence that the software match the requirements of the American systems.  Their entailed a new requirements analysis and that would have cost GE some money.  The NRC asked me if there was another way, since at that time, I said I knew of no better way to address software safety and software reliability, that they were distinct concepts.  The Commission members at that time wanted PRA implemented across NRC and most particularly in the deterioration of current reactor components, assemblies and critical safety systems. 
I apologize for not offering the lineage of my statements to give a better context.  I do know that the main thrust of life extension of aging reactors is PRA based relative to deterioration of components and complications therefrom.  That part was current as of the beginning of FY2012.


-----Original Message-----
From: safety-critical-request@xxxxxx [mailto:safety-critical-request@xxxxxx] On Behalf Of Nancy Leveson
Sent: Monday, June 25, 2012 10:32 AM
To: safety-critical@xxxxxx
Subject: Re: [sc] Who applies Risk Acceptance Principles (50126-2, 8.1.1)

Content-Type: multipart/mixed;
X-YCS-Spam-Score: 0.0 (/)


Content-Type: text/plain; charset=ISO-8859-1

Andy wrote:
  " In the US the following agencies are implementing PRA when that seems
to be the most direct and least costly method of determining what case
studies are even constructed.  The NRC is intent upon PRA with respect to
new nuclear power supply using software systems and indicators based on
those generation based stabilization actions."

I may be misinterpreting this statement, but I just taught a class where
two NRC employees were present. They told me that the NRC does not use PRA
to certify safety of nuclear power plants, particularly software, and they
have no plans to do so. Perhaps Andy was talking about something else with
respect to nuclear power?


On Mon, Jun 25, 2012 at 7:02 AM, Loebl, Andy <loeblas@xxxxxx> wrote:

> While I abhor PRA, there are many agencies in the US regulatory system
> that pursue PRA.  I think they do this as a matter of improving rigor and
> as a means to cut costs in up front evaluations.  As Nancy Leveson says in
> her new book, the actual risks and case studies usually favor the new
> endeavor and usually fail to take into account the risks that are likely to
> increase cost in construction and maintenance, including testing.  I
> understand Fuqushima was one such instance.  I also see that the
> complications of a safety case are usually limited to the very few direct
> factors directly associated with the safety and fail to properly combine
> safety factors and unlikely or not thought up combinations of simple
> factors that combine to make a failure more likely and more complex.
>  Bhopal is an example of a bunch of likely mistakes lead to a disaster of
> great proportion.  Also, I find that obvious protection failures are often
> ignored, this might be akin to the 3-mile island incident.  I also see a
> trend to a no-fault bias when operators are clearly in error due to their
> reaction which in 20/20 insight could have been analyzed.  I see this is
> SCADA models used in electricity flow compensatory factors.  Finally, I see
> many instances where operations response to an initiating event, while
> following stipulated procedure, complicates response if followed in rote.
>  The US Northeast blackout is an example here.  Further, there seems to be
> a certain lack of innovative thinking with respect to response to an
> incident which are assumed to follow one cause yet due to lack of customary
> engineering skepticism of conventional wisdom, results in failure.  Again
> the Northeast blackout in the US and Canada  is an example.  In this latter
> case, the conventional assumption is that control of the grid and local
> electrical distribution system operators is that by controlling electrical
> generation, failure of the grid, even locally, is unaccounted for.  An
> example of this is the failure of the electricity distribution system to
> account for wildly swinging in the damand for electricity has a negative
> effect on overall distribution and grid balance.  Loop flow effects are
> uncontrollable, I believe, to a failure to control demand fluctuations
> affecting distribution and grid level balance which I believe are a major
> contributing factor to the Northeast blackout spread.  This will become
> more acute as the smart metering of electrical use moves towards automatic
> generation changes as a result of massive, collective, full use of the data
> in a smart environment thus affecting quality of electrical supply.
> In the US the following agencies are implementing PRA when that seems to
> be the most direct and least costly method of determining what case studies
> are even constructed.  The NRC is intent upon PRA with respect to new
> nuclear power supply using software systems and indicators based on those
> generation based stabilization actions.  The Public Healthcare program of
> the US has also pronounced a PRA analysis with respect to costs of
> healthcare and the claims for reimbursement containing waste, fraud or
> abuse.
> The notion that a probability of failure is, basically deductive based on
> the expertise of the analyst even when the analyst has missed stating
> contributory factors to a failure.  Thus, PRA analyses are usually
> predicated on the engineering bias predominant due to accepted principles
> of operations even when those are used the case is too general to be
> meaningfully understood or fully specified.
> The whole concept of "safety" and "reliability" are used synonymously , as
> Levenson's book points out..  Again the PRA process is weak due to its
> reliance on conventional approaches to bias and causation relationships
> that are just not well founded.  PRA includes a guess or stated guidelines
> on failure rates and results in few more empirically defended probabilities
> numbers for many likely safety cases.  I think PRA is a means for
> bureaucrats to apply their own prejudice and bias to the analysis of safety
> cases for those cases and few cases are properly and exhaustively built.
> The short answer is that PRA is used extensively in the private and public
> sector in the US any time failure probability is addressed.  In this way a
> case can be made for ones' confidence that a failure is accounted for but
> there is no statistical evidence to show that confidence in the low
> probability of failure makes safety determination dependable.
> andy
> -----Original Message-----
> From: safety-critical-request@xxxxxx [mailto:
> safety-critical-request@xxxxxx] On Behalf Of M Mencke
> Sent: Monday, June 25, 2012 6:16 AM
> To: safety-critical@xxxxxx
> Subject: [sc] Who applies Risk Acceptance Principles (50126-2, 8.1.1)
> "
> Content-Type: multipart/mixed;
>        boundary="00248c6a66ba2f98ef04c34943dc
> "
> X-YCS-Spam-Score: 0.0 (/)
> --00248c6a66ba2f98ef04c34943dc
> Content-Type: text/plain; charset=windows-1252
> Content-Transfer-Encoding: quoted-printable
> I refer to ALARP, GAMAB or MEM.
> I understand the process, in short, is the following:
> New railway system to be installed with safety related functions.
> 1. The THR is determined by the Safety Regulatory Authority and/or National
> Regulatory Authority (SRA + RA).
> 2. The supplier (RSI, Railway Support Industry) provides evidence by means
> of a Safety Case that his product does not exceed the THR, i.e. the
> acceptable level of risk. The supplier provides evidence that he has
> applied risk mitigation and control measures.
> The THR (established during Risk Analysis) are the input to Hazard Analysis
> by the supplier (Global process overview, EN 50129).
> 2004/49/EC states:
> "*(e) =91common safety targets (CSTs)=92 means the safety levels that must
> =
> at
> least be reached by different parts of the rail system (such as the
> conventional rail system, the high speed rail system, long railway tunnels
> or lines solely used for freight transport) and by the system as a whole,
> expressed in risk acceptance criteria;*"
> "1.* **Infrastructure managers and railway undertakings shall establish
> their safety management systems to ensure that the railway system can
> achieve at least the CSTs, is in conformity with the national safety rules
> described in Article 8 and Annex II and with safety requirements laid down
> in the TSIs, and that the relevant **parts of CSMs are applied.*"
> The Risk Analysis can be a collaborative process between the supplier and
> the Railway Authority, what if it was left up to the supplier to perform
> most of the Risk Analysis? Is it then possible and/or meaningful for him to
> make recommendations regarding the RAP applied? Or should the RAP (and the
> THR derived) be decided by the SRA and/or RA (infrastructure managers,
> railway undertakings)? I guess it also depends on the country.
> Thanks, Myriam.
> --00248c6a66ba2f98ef04c34943dc
> Content-Type: text/plain
> X-Original-Content-Type: text/html; charset=windows-1252
> [The content of this part has been removed by the mailing list software]
> --00248c6a66ba2f98ef04c34943dc
> --

Dr. Nancy Leveson
Professor, Aeronautics and Astronautics
Professor, Engineering Systems


Content-Type: text/plain
X-Original-Content-Type: text/html; charset=ISO-8859-1

[The content of this part has been removed by the mailing list software]

Received on Mon 25 Jun 2012 - 16:53:36 BST