Regulatory Guide - Periodic safety and security review of facilities (ARPANSA-GDE-1761WEB)

Last updated date: 1 May 2020
Reason for update: Administration update – no change to content

A joint ARPANSA/ASNO publication

1. Introduction

The purpose of a Periodic Safety and Security Review (PSSR) is to verify, by means of a comprehensive evaluation against modern standards, that operation of the facility covered by the safety case is safe and secure. While the routine safety reviews and assessments ensure safety within the design basis, there is a need to take into account the cumulative effects of ageing, modifications, operating experience, changes in the standards and technical developments. Such tasks can be achieved by a dedicated systemic safety review against the current standards that takes all applicable factors into account at defined intervals. The PSSR also identifies whether phenomena such as ageing will have an effect on the facility that may compromise safety within the period before the next PSSR. 

Typically for research reactors, a PSSR is conducted every ten years. The review should cover all important aspects of safety and security. The requirement for a licence holder to conduct a PSSR is specified in the licence. 

Whilst it is acknowledged that periodic review of a facility requires substantial resources, the licence holder is encouraged to use judgment to avoid unnecessary costs. This guide promotes a graded approach, encourages the use of international best practice, and aims to minimise duplication between safety and security factors. It has been jointly developed by ARPANSA and the Australian Safeguards and Non-proliferation Office (ASNO) in an effort to streamline and coordinate review and reporting. 

2. International best practice

Under the Australian Government policy on ‘trusted international standards’, additional requirements should not be imposed beyond international best practice (IBP), unless it can be demonstrated that there is a good reason to do so. ARPANSA publishes IBP on its website.

Current IBP on the periodic safety review of nuclear facilities applies only to power reactors, hence the justification for this document. The IAEA Safety Guide Periodic Safety Review of Nuclear Power Plants SSG-25 [1] and draft of the IAEA Safety Report Periodic Safety Review for Research Reactors are key reference documents. Although these documents have been developed for nuclear reactors, the principles and safety factors have been adapted to the size and nature of the Australian nuclear industry.

In terms of periodic security review, the fundamental requirements and guidance in this document are consistent with ARPANSA’s Radiation Protection Series No. 11, Code of Practice for the Security of Radioactive Sources [2], IAEA Nuclear Security Series No.13 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities [3] and Nuclear Security Series No.14 Nuclear Security Recommendations on Radioactive Material and Associated Facilities [4].

3. Purpose and scope

This document provides guidance for facility¹ licence holders² on the information ARPANSA and ASNO expect to be included in a PSSR of the ongoing operation of a facility. It will also be used by ARPANSA and ASNO in their assessment of the adequacy of a licence holder’s PSSR submission.

4. Rationale

The requirement for a periodic safety review comes from various IAEA documents, such as the IAEA’s Safety Assessment for Facilities and Activities, GSR Part 4 (Rev 1) [5]: “As a minimum, the safety assessment is to be updated in the periodic safety review carried out at predefined intervals in accordance with regulatory requirements…”  

Although operating facilities are subject to routine and special safety reviews, such reviews are generally not sufficiently comprehensive to meet this requirement. For example, such reviews do not typically take full account of safety and security improvements in safety standards and operating practices, the cumulative effect of plant ageing and modification, feedback from operating experience, and wider developments in science and technology, or look forward to projected future operation.

The requirement for a periodic security review can be derived from paragraphs 3.2, 3.21 and 3.27 of the IAEA’s Nuclear Security Recommendations on the Physical Protection of Nuclear Materials and Nuclear Facilities (NSS 13).

To sustain adequate nuclear and radiological security arrangements, periodic reviews of the threat environment and associated vulnerability of systems and measures should be undertaken. These reviews should also include the consequences of possible safety and security events. 

Because of the interdependencies between safety, security, and emergency preparedness and response, it is appropriate to conduct these comprehensive reviews collectively in a ‘global assessment’. ARPANSA and ASNO have mutual interests in the security of a facility containing nuclear material and for this reason, a joint Physical Protection and Security Working Group (PPSWG) has been established to coordinate regulatory activities.  

5. Objectives of a PSSR 

The objectives of the PSSR are to determine:

  1. The adequacy and effectiveness of the arrangements and the structures, systems and components (SSCs) in place to ensure plant safety until the next PSSR or the end of planned operation.
  2. The adequacy and effectiveness of the security systems and measures against the design basis threat. 
  3. The extent to which the plant conforms to current national and international safety and security standards and practices.
  4. The identification of safety and security improvements and risk informed time frames for their implementation.
  5. The continued validity of the safety and security documentation established during the licensing process. 

6. Responsibilities

The roles and responsibilities of the licence holder and the regulator are summarised below.

  1. The licence holder is responsible for conducting a PSSR of the facility. The PSSR itself may be carried out by external consultants. However, the licence holder is accountable for the quality of the PSSR report and must understand the content provided by the external contractor.
  2. ARPANSA and ASNO are jointly responsible for ensuring the licence holder carries out a comprehensive PSSR and where required, implements suitable corrective actions/improvements identified in the PSSR report within agreed time frames. 
  3. The licence holder is responsible for submitting a PSSR report containing the outcome of the PSSR and an implementation plan identifying any suitable corrective actions/improvements and a timeframe for implementing these actions and improvements.
  4. ARPANSA is responsible for co-ordinating the review of the PSSR Report with ASNO and will act as a single point of contact for the licence holder in matters associated with the PSSR as a whole. ASNO and ARPANSA will be available for direct consultation on the PSSR consistent with their respective regulatory responsibilities. ARPANSA and ASNO will jointly identify the appropriate expertise to carry out the regulatory assessments and establish the assessment criteria. 
  5. ARPANSA and ASNO share responsibility for review of the PSSR outcomes and assessment of corrective actions and improvement programs including the approval of the implementation plan. Each will take licensing or permit action as needed. 

7. General recommendations 

It is reasonable to require a PSSR for a facility at intervals of approximately ten years. This period is considered appropriate in view of:

  • Changes in national and international standards, operating practices, technology, scientific research and analytical techniques
  • Potential for the cumulative effect of plant modifications or accessibility and usability of safety and security documentation
  • Ageing effects to structures, systems and components
  • Accumulation of operating experience
  • Changes in natural, industrial or demographic environment in the vicinity of the plant
  • Changes in the nuclear security environment 
  • Staffing changes and experience of staff 
  • Changes in management structure and operational procedures 

Prior to undertaking a PSSR, the licence holder should ensure that appropriate expertise and resources are available to undertake the task without undermining the safety or security of the facility.  

A PSSR should commence well in advance of the date when the PSSR report to ARPANSA and ASNO is due. The commencement date should be no less than three years from the due date of the report for a research reactor. This period may be excessive for a less complex facility and a graded approach should be applied in such a case. The PSSR will not be considered as complete until the ‘integrated implementation plan’ is approved by ARPANSA and ASNO.

Any security sensitive aspects of the PSSR report should be transmitted to ARPANSA via established secure communication channels in compliance with the Australian Government’s Protective Security Policy Framework (PSPF). ARPANSA will coordinate the review and assessment of the PSSR Report. 

The safety and security factors that subdivide a PSSR in this guide follow international best practice and are intended to cover all aspects important to the safety and security of an operating organisation. The PSSR should demonstrate that all nuclear and radiological safety and security aspects relevant to the facility have been assessed. In cases where the site-specific features or aspects of the facility require deviation from the standard safety and security factors and/or their grouping, the deviation should be justified and documented accordingly.  

The PSSR should assess the data and experience gathered over the period since the licence was first issued or the nominal time of the previous PSSR. Where appropriate, trend analyses of the findings should be carried out and may include a period predating the previous PSSR so that the actual status may be assessed in light of full historical data. Appropriate actions should be proposed or existing goals adapted to meet any anticipated future operation objectives.

The review should also address the period until the next PSSR, end of planned operation or to facility decommissioning. By projecting the operation into the future and considering anticipated changes, the licence holder should identify potential threats to safe and secure operation. If such threats are identified, appropriate actions should be taken to ensure that the licensing basis remains valid.

Accurate documentation of the facility is necessary for the performance of the PSSR. The documentation of the facility has to be available to the PSSR project team at the beginning of the PSSR project and has to be made available to the regulatory body with the final PSSR report.

The information presented in the PSSR report should be supported by evidence. ARPANSA and ASNO distinguish between statements of fact and technical judgement or opinion. Statements of fact should be supported by evidence. Where there is no referenced evidence, a statement will be regarded as opinion and carry less weight in the regulatory assessment of the PSSR.

To integrate the results of reviews of individual safety and security factors, the licence holder should perform a global assessment. The global assessment should consider all findings from the review of safety and security factors, the combined effects and interfaces of all safety and security factors, corrective actions and proposed improvements. If conflicting relationships or overlaps are discovered, appropriate controls or measures should be identified and included. 

The documentation of the PSSR results has to cover all the parts of the PSSR including the introduction, a global assessment of overall safety and security status of the facility and an implementation plan for measures resulting from findings.

The documentation can be one document or split into single reports covering the different parts of the PSSR. If the latter is preferred, the reports are expected to be submitted together for regulatory review. The documentation has to be consistent where references to internal documents of the facility are used as supporting evidence. The operating organisation should prepare any referenced supporting evidence and provide it to the regulatory bodies on request.

8. Graded approach

GSR Part 4 Safety Assessment for Facilities and Activities [5] requires a graded approach to the periodic safety review. The scope and level of detail of the safety assessment should be consistent with the magnitude of the possible radiation risks arising from the facility [6].

The graded approach may be applied to various aspects of the periodic review. Due to the variety of facilities and associated risks, operational history, environmental conditions and many other attributes, a graded approach will involve professional judgement. The level of grading should be determined on a case-by-case basis for each facility. It should be justified in the PSSR. This section includes suggestions for how the PSSR may be graded.

The PSSR should demonstrate that the level of detail adopted for each safety and security factor is appropriate. It is expected that the graded scope of the review will be described in the basis document during the PSSR preparation stage. This stage should be preceded by discussions between the licence holder and ARPANSA to establish the general scope and requirements. The applicable grading of the review is expected to be a major part of these discussions.

The licence holder is encouraged to employ a graded approach in applying limited resources for a PSSR. The use of expert judgment, for example, may underscore the need to divert focus from one factor to another. For example:

  • A relatively new facility need not expend significant resources reviewing facility ageing.
  • A facility other than a research reactor is not expected to undertake assessment under the safety factors ‘Probabilistic Safety Analysis’ and ‘Utilisation’.
  • The safety factor ‘Use of experience from other facilities’ may be merged with the ‘Operating experience’ safety factor for non-reactor facilities.

The licence holder may wish to consider commonalities between safety and security factors. Although this guide addresses safety and security factors separately, the licence holder is encouraged to streamline its response whenever possible.

Examples might include:

  • Workplace culture has both safety and security aspects that the licence holder may be able to address in a consolidated fashion. Safety Factor 10 and Security Factor 7 are therefore closely related.  Access control is another common element.
  • The licence holder is expected to apply lessons learned from similar facilities to improve performance. For Australia in particular, this may mean learning from international experience. This is reflected in Safety Factor 9 and Security Factor 19. This relationship should be recognised and taken into account. 
  • Similarly, the licence holder’s safety emergency plan (Safety Factor 13) and security contingency plan (Security Factors 16 and 18) must work seamlessly together. Therefore, assessment of these factors in conjunction with each other should be considered.

The scope and detail of review of individual safety and security factors will be affected by the complexity and age of the facility, as well as maturity of the processes involved. It is expected that expert judgement will be used to determine the appropriate level of review. 

The graded approach could be applied to the number of safety and security factors to be reviewed. In some facilities, a number of the factors could be combined. For example, the actual condition of structures, systems and components, equipment qualification, and ageing for non-reactor facilities may be reviewed together in a single factor.

The graded approach could also be applied to the level and detail of the tasks undertaken under each factor, the composition of the review teams, and the detail of the documentation.

Some aspects of safety and security are evaluated more regularly during operation than others. Assessments undertaken during a PSSR will consider the results of these evaluations. Therefore, the scope and level of detail of the PSSR may be graded. For example, the scope of Safety Factor 8: Operating experience may be adjusted based on evaluations from ongoing safety performance monitoring. Safety and security factors that have not been evaluated extensively since the previous PSSR are expected to be explored in greater depth.

Applying a graded approach to nuclear security systems is based on the possible proliferation and radiological consequences of a theft or sabotage event. For the design of physical protection against sabotage at nuclear facilities, the threshold for Unacceptable Radiological Exposures is recommended at 50 mSv, based on any one event [7]. This value is consistent with the annual occupational dose limit (maximum permissible within any five-year period) in planned exposure situations, and also with the national reference level for triggering offsite protective measures in an emergency exposure situation. Areas where unacceptable radiological exposures could arise require protection in a graded approach to prevent the potential consequences of sabotage [3]. Events of high radiological consequences are those for which public protective actions³ are expected to be taken under any circumstances (offsite) to avoid or minimise tissue reactions or acute effects in exposed individuals. Areas from which high radiological consequences could arise are regarded as ‘vital areas’ [3]. A more stringent set of equipment, systems or devices is needed to protect vital areas relative to protected areas. While applying the graded approach the review should take into account that some security factors can only be reviewed collectively (e.g. Security Factors 7.1 – 7.4 are all related to risk and Security Factors 7.14 – 7.16 are all elements of a nuclear security system).

9. Review strategy and general methodology

The licence holder should conduct a comprehensive review of the safety case, security strategies, policies, and arrangements. The review should take into account operating experience and operational events, plant modifications (hardware and operating practices) and their cumulative effect on the plant, ageing/obsolescence of the facility and the workforce, and the developments in industry practices, analytical techniques and standards. The PSSR should identify the extent to which the existing licensing basis remains valid, the adequacy of the plans and arrangements in place to maintain safety and security, and improvements to be implemented to resolve identified and anticipated issues.

The review should also include organisational aspects that may have significant impact on the safety and security of the facility. For instance, processes for allocation of resources, supply of services or imposed policies have such implications.

A PSSR should be carried out in three stages:

  1. Preparation for the PSSR: this should include ARPANSA’s and ASNO’s approval of the PSSR plan (basis document) covering, for example, graded scope, modified safety and security factors, and timing.
  2. Conduct of the PSSR according to the basis document and submission of the report to ARPANSA.
  3. Finalisation of the integrated implementation plan: this phase is carried out after the regulatory review of the PSSR Report is completed. Reasonable and practicable safety and security improvements should be identified to be implemented in a period agreed with ARPANSA and ASNO. 

Preparation for the PSSR 

The basis document is essentially a specification that governs the PSSR review. Therefore, it should: 

  • identify the PSSR scope,
  • include a project plan that identifies all the activities to be performed during the review and associated schedule, covering also project and quality management processes, 
  • include the level of graded approach,
  • include objectives, timelines, major milestones and cut-off dates,
  • define the methodology to be used,
  • include the structure of the documentation,
  • identify safety and security factors to be assessed,
  • identify applicable standards, codes and practices,
  • describe the process for categorising, prioritising and resolving findings. 

This basis document should be submitted to ARPANSA for approval during the preparation phase of the PSSR project. ARPANSA will then coordinate regulatory review with ASNO.

The PSSR should be conducted against all relevant national safety and security standards and regulations. Relevant international safety and security standards, recommendations and practices should also be followed. Any deviation from such standards should be justified.

The basis document should outline the project management and quality management processes to be followed during the PSSR to ensure a complete, comprehensive, consistent and systematic approach.

In order to ensure that the PSSR is completed in an effective and efficient way, training for the review team should be considered. As many safety factors are interrelated, close coordination among various review teams has to be maintained to avoid duplication or missed areas.

The PSSR schedule should take into account that the review of safety and security factors is an iterative process requiring communication between teams carrying out assessments of different factors. The outputs from the review of some safety and security factors may be relevant as inputs to the review of other safety or security factors. The schedule should be agreed between the licence holder, ARPANSA and ASNO.

A formal communication protocol should be established: 

  • within the licence holder’s PSSR project team to maintain consistency in the review and to avoid duplication of work,
  • with the consultants/contractors who are part of the PSSR team, and
  • between the PSSR management team of the licence holder and ARPANSA/ASNO.

Conducting the PSSR

If conducting a PSSR for several facilities on a site, some aspects, for example radiation protection, emergency planning and radiological impact on the environment may be covered in a common assessment.

Second and subsequent PSSRs should focus on changes in requirements, plant conditions, operating experience and new information, rather than repeating the activities of previous reviews. However, the subsequent PSSR report should explicitly state whether the earlier PSSR remains valid and justify why any aspects of the previous PSSR that have not changed do not need to be updated.

The PSSR should take account of ongoing processes such as configuration and ageing management. The results of trend analyses from these processes should be reviewed to evaluate their effectiveness so the operating organisation has continual knowledge of the physical configuration and operational methods to ensure the operations remain within the safety case. For example, the effectiveness of the configuration management program in keeping safety and security related documentation up to date in light of modifications and changes to operating, maintenance and other practices should be evaluated.

The PSSR report should explain the process and methodology used even if no safety or security significant outcomes were identified. Sources of information and statements should be clearly identified. The origin of all information should be referenced appropriately and explanation provided of how each reference has been used.

Each safety and security factor should be reviewed against current standards and practices for all relevant operating and accident conditions including design extension conditions using modern methods as identified in the basis document. The review should be systematic and be done in parallel with the ongoing regulatory oversight of the facility. Facility walk-down inspections should be part of the PSSR. It is good practice to take photographic records during the inspections.

A critical assessment and analysis against the specific safety and security expectations should be conducted. The review should identify areas where current standards and approved practices are not met, or are exceeded; positive (strengths, good practices) and negative findings (deviations, shortcomings) should be noted. Corrective actions should be identified in case of negative findings. If a negative finding is identified for which there is no reasonable and practicable improvement, the full implications, including any impact on safety margins, should be evaluated and described, including any consequential effects on the management of design extension conditions.

The safety and security significance of all findings should be evaluated using deterministic or probabilistic methods or, if these are not feasible, empirical methods, as appropriate. Any non-compliance with regulatory expectations should be investigated and reported to ARPANSA and/or ASNO as appropriate.

If non-compliance with the current licensing basis is identified that poses an immediate and significant risk to health and/or safety, prompt reporting and rectification should occur. Corrective actions, including the establishment of new critical safety controls, should not be delayed until completion of the PSSR.

The global assessment should consider all findings of the PSSR, evaluate the overall level of safety and security, and identify corrective actions and/or safety improvements. 

The results of the PSSR should be documented and included in a PSSR Report to ARPANSA. The PSSR Report should include:

  • Review of each safety and security factor (that is, the specific objectives for each safety and security factor, methodology used, results of the review and their analyses, assessment of projected operation for the next PSSR period)
  • Global assessment 
  • Actions arising from the review with proposed timelines and priorities.

Global assessment

The global assessment is performed to arrive at a judgement whether the facility is suitable for continued operation based on a conservative review of both positive and negative findings from individual safety and security factors. It should take into consideration corrective actions or improvements arising from the findings.

The global assessment should be conducted by an interdisciplinary team with appropriate expertise in operation, design, safety and security at the facility, and an appropriate number of participants from the individual reviews. The team should also include members who are independent from the individual safety and security reviews.

In accordance with the basis document, prior to performing the global assessment, a method for assessing, categorising, ranking and prioritising safety and security improvements and actions to address negative findings should be established. The approach adopted could be based on deterministic analysis, Probabilistic Safety Assessment (PSA), expert judgement, cost benefit analysis and/or risk analysis or a combination thereof. 

The global assessment should:

  1. Analyse the interfaces, interactions, overlaps and omissions between various factors to ensure that issues are appropriately and fully addressed and determine whether proposed improvements are reasonable and practicable. Specifically, the interfaces between safety and security factors should be analysed.
  2. Analyse all findings considering flow-on effects. It should also examine the total effect of negative findings, improvements and positive findings identified using deterministic methods to ensure the overall safety and security of the facility is adequate. It is possible that a relative weakness in one factor can be compensated by a relative strength in another (e.g. administrative controls to compensate for a design weakness). This is particularly relevant for human and organisational factors.
  3. Clearly differentiate between corrective actions and safety and security improvements. Corrective actions relate exclusively to negative findings and carry greater safety and security significance than improvements. The improvements may also be associated with positive findings and they represent an opportunity to improve.
  4. Examine supporting information including documents on the agreed scope and methodology of the PSSR and associated regulatory requirements.  Compare the information with data submitted in previous PSSR documents, in particular issues raised by and feedback from the regulatory body, peer review missions, and any additional reference material.
  5. Consider the risks associated with negative findings and provide justification for continued operation. Operations both in the short term (prior to implementation of the identified safety and security improvements) and long term (particularly where it is concluded that some responses to negative findings are not reasonable or practicable to implement) should be addressed.
  6. Determine the time necessary for implementation of corrective actions and/or safety and security improvements. Consider the actual benefit to safety and security the proposed corrective action will achieve and the duration of the benefit (e.g. remaining life of the facility). Depending on the safety and security significance, adequate interim measures could be implemented. If a modification is necessary due to unacceptable risk, the relevant operation should be halted until the modification or adequate interim measures are in place.
  7. Consider supporting information not specifically included in any safety and security factor review, such as scope of the PSSR, methodology of the PSSR, regulatory requirements, and ARPANSA/ASNO comments on the previously submitted PSSR documents. 
  8. Consider the extent to which safety requirements relating to defence in depth and fundamental safety functions are fulfilled [8]. 
  9. Consider using the PSA to estimate the risks posed by the negative findings (as per Safety Factor 6). However, decision making exclusively using numerical risks should be avoided.
  10. Document overall conclusions and safety and security improvements considered to be reasonable and practicable in the final PSSR report. 
  11. Present corrective actions and/or safety and security related improvements in an integrated implementation plan for approval.

Integrated implementation plan

The completion of the global assessment results in a prioritised list of safety and security significant findings. From this list, appropriate corrective actions or safety and security improvements to address the issues are defined and an adequately resourced program is prepared for their implementation. The plan should also specify the time schedules for implementation of corrective actions and/or safety and security improvements and the necessary resources.

The integrated implementation plan should consider interactions between individual safety and security improvements and recognise the need to implement them as soon as reasonably practicable commensurate with risk. The plan should be subject to appropriate internal review and approval by the senior management before submission to ARPANSA and ASNO. 

The integrated implementation plan including the categorisation and prioritisation of the proposed corrective actions and safety and security improvements should be updated after the PSSR report has been assessed and approved by the regulatory bodies. 

Once approved by ARPANSA and ASNO, and updated based on the changes, it is expected that corrective actions and/or safety and security improvements will be implemented in accordance with the plan. The majority of corrective actions and improvements should be completed well before the next PSSR.

Post-review activities

Reasonable and practicable safety and security improvements should be implemented in a timely manner. Arrangements should be developed and maintained to notify ARPANSA and ASNO of progress against the agreed schedule for completion. 

All PSSR documents should be stored to allow easy retrieval and examination. The information should include the final versions of the PSSR documents and lessons learned from the PSSR.

The outcomes of the PSSR should be reflected in updates to relevant documentation, including the safety analysis report, procedures and instructions, emergency plans, various manuals, and other licensing and security documentation.

10. Safety and security factors

Prior to commencing the review, the methods of assessment, categorisation, ranking and prioritisation of factors should be established and documented in the basis document. 

The methodology for reviewing each factor should be justified in the basis document. All relevant licence holder documents identified in the basis document plus any further documents identified during the PSSR process should be reviewed.  

The review should determine the status of each safety and security factor, and future safety at least until the next PSSR or end of planned operation. The review should consider the capability of the operating organisation to identify potential failures and either prevent them or mitigate their consequences before they become a radiological incident. Ageing that could lead to failure of SSCs important to safety should be identified wherever possible. If there are no changes identified, this should also be stated. 

Negative findings should be divided into the following groups:

  1. Deviations for which no reasonable and practicable improvement can be identified. The reasons should be documented and issues revisited after a period of time to determine if a practicable solution is available.
  2. Deviations for which identified improvements are not considered necessary. The reasons should be documented.
  3. Deviations for which improvements are considered necessary. This includes updating the plant documentation/procedures. The findings should be categorised and prioritised based on their significance. The improvements should be included in the integrated implementation plan.

Findings that have an interface with other safety or security factors should be discussed immediately with the relevant review team(s).

This guide identifies 14 safety and 19 security factors which may be used to subdivide the PSSR. These safety and security factors, the individual objectives, scope and methodology are explained below.

Safety factors related to the facility

The SSC safety category determines the level of review required, so SSCs with a higher safety importance should undergo a more detailed review than those with a lower category. For example, the biological shielding of a hot cell is reviewed in more detail than a set of in-cell manipulators.  

Consideration should be given to subdividing the review into topics according to the facility systems e.g. cooling systems, instrumentation, electrical power systems, etc. 

If comparison of requirements and standards is carried out by a high level programmatic review, this should be clearly indicated in the basis document and where appropriate, should be agreed with ARPANSA.

Safety factor 1: Facility design

The facility and its SSCs important to safety should be appropriately designed and configured in such a way that there is a high degree of confidence that their safety and security functions will be performed according to specifications, that they will be safely decommissioned, and that their impact on the environment will be minimised.

REVIEW OBJECTIVE:
  • To determine the adequacy of the facility design and documentation by assessment against the current licensing basis and national and international standards, requirements and practices.  
SCOPE & METHODOLOGY:

The review should include: 

1. Verification that the licensing documentation, and SSC documentation preceding the licensing process which relates to the original and/or reconstituted design basis, is available, securely stored and updated to reflect all the modifications made since commissioning.

2.    Review of all current SSCs for completeness and adequacy, including all current SSCs important to safety, their safety function and safety categorisation.

3.    Verification that the design and other characteristics are appropriate to meet the current requirements for facility safety, security and performance, for all facility conditions and stages of operation [8], including:

a)    Prevention and mitigation of events that could jeopardise safety,

b)    Appropriate application of defence in depth and engineered barriers for preventing dispersion of radioactive material (e.g. integrity of nuclear fuel, cooling circuit of a research reactor, or an active ventilation system forming a dynamic containment of a non-reactor facility),

c)    Safety requirements (e.g. on dependability, robustness, capability of SSCs important to safety),

d)    Security requirements,

e)    Design codes and standards.

4.    Assessment of design characteristics, arrangement and segregation, against modern standards for plant safety and performance, including prevention and mitigation of events that could jeopardise safety. A systematic comparison of the standards applied for the original facility design should be made with equivalent current applicable safety standards to identify significant changes that may impact the safety of the facility. In cases where relevant national and/or international requirements are established and applicable, a systematic clause-by-clause review should be carried out.

5.    Identification of differences between the as-built design of SSCs important to safety and the requirements of the current standards defined in the PSSR basis document and other applicable current supporting standards and codes. The safety significance of the differences should be determined. 

6.    Assessment of compliance with the facility design specifications. 

7.    Assessment of the adequacy of defence in depth in the facility design, including:

a)    The degree of independence of the levels of defence in depth,

b)    The adequacy of delivery of preventive and mitigating safety functions,

c)    Redundancy, separation and diversity of SSCs important to safety,

d)    Defence in depth in the design of SSCs (e.g. review of fuel integrity, cooling circuit and containment building).

8.    Examination of the cumulative effect of all modifications on the design over the period from the previous PSSR (or over the lifetime). This should also include the cumulative effect of consecutive SSC modifications that were not individually categorised to be safety significant.

Safety factor 2: Actual condition of Structures, Systems and Components important to safety

Knowledge and thorough documenting of the condition of each SSC important to safety is imperative in a review of facility design. Knowledge of any existing or anticipated obsolescence of facility systems and equipment should be considered part of this safety factor.

REVIEW OBJECTIVES:
  • To determine the actual condition of SSCs important to safety and assess whether they are capable and adequate to meet design requirements, at least until the next PSSR.
  • To verify that the condition of SSCs important to safety is properly documented.
  • To review the ongoing maintenance, surveillance and in-service inspection programs, as applicable.
SCOPE & METHODOLOGY:

The review should cover: 

  1. The current state of SSCs considering both existing and anticipated ageing processes including obsolescence (e.g. unavailability of spares in the near future), the modification history, operating history (input to safety factor 4) and effect of operation on SSC conditions. Any ageing management program the licence holder has in place could be used as the input information for review of this safety factor.
  2. Performance in meeting Operational Limits and Conditions.
  3. Verification of the actual state against the design basis to confirm that the design basis assumptions have not been significantly challenged and will remain unchallenged at least until the next PSSR. Where consistency with the design basis has been significantly challenged, the impact on the facility operation should be assessed. Corrective actions (e.g. additional inspection, tests, and additional safety analysis) should be proposed and if necessary implemented in a timely manner. Note: The verification should include observations from any maintenance and walk down inspections of the SSCs, with emphasis on recent inspections.
  4. Validity of existing records to ensure they accurately represent the actual condition of the SSCs.
  5. Implications of changes to design requirements and standards on the actual condition of the SSCs since the facility was designed or the last PSSR (e.g. changes to standards on material properties).
  6. Adequacy of programs that support ongoing confidence in the condition of the SSCs.
  7. Maintenance, testing and inspection records.  
  8. Operational history and events since the last PSSR. 
  9. Significant findings from functional tests, results of inspections and physical examinations.
  10. Dependence on obsolescent equipment for which no substitute is available.
  11. Availability and suitability of data used for assessment of the SSCs' actual condition.

Note: If additional data on the actual condition of an SSC is required, this could be obtained by performing special tests, facility walk downs and inspections as necessary. If it is not possible to determine the actual condition of SSCs important to safety because, for example, their location or working conditions prevent an inspection, the safety significance of the uncertainty in the true condition of the SSCs should be determined. The uncertainty may be reduced by considering relevant evidence from similar SSCs from other facilities that are subject to similar conditions. 

Safety factor 3: Equipment qualification

The facility SSCs and equipment important to safety should be properly qualified to ensure capability to perform safety functions under all relevant operational states and accident conditions. 

REVIEW OBJECTIVES:
  • To determine whether the facility SSCs and equipment important to safety have been properly qualified to perform their designated safety functions.
  • To determine whether the qualification has been maintained through an adequate maintenance, testing and inspection program in spite of ageing to provide confidence in the delivery of the safety functions at least until the next PSSR. 
SCOPE & METHODOLOGY:

The review should include: 

1.    The effectiveness of the equipment qualification program. This program should ensure that the equipment (including cables) is capable of fulfilling its safety function until at least the next PSSR.

2.    Assessment of the qualification process to confirm that it is ongoing, documented and retained; including review procedures for updating and maintaining qualification throughout the service life of the equipment.

3.    Requirements for performing safety functions under the relevant environmental conditions for normal operation and predicted accident conditions. This should include consideration of seismic conditions, vibration, temperature, pressure, jet impingement, electromagnetic interference, irradiation, corrosive conditions, humidity, fire, and other anticipated conditions, and combinations of these as applicable. Also, consider degradation due to ageing of the SSCs or other predicted conditions.

4.    Consideration of:

a)    Whether the installed equipment meets the qualification requirements,

b)    Adequacy of the records of the equipment qualification,

c)    Procedures for ensuring that modifications and additions to SSCs important to safety do not compromise their qualification,

d)    Surveillance program and feedback procedures used to ensure that ageing degradation is characterised and remains insignificant,

e)    Monitoring methods of the important environmental conditions, including identification of ‘hot spots’ (e.g. high dose rate or temperature),

f)    Protection of qualified equipment from adverse environmental conditions,

g)    Changes in the equipment classification resulting from design modifications,

h)    Qualification for all designed environmental conditions,

i)    Availability of the equipment required to fulfil the safety functions,

j)    Quality management provisions that ensure that an effective qualification program is in place.

5.    Whether adequate assurance of the required equipment performance was initially provided.

6.    Whether current equipment qualification specification and procedures are still valid.

7.    Whether the required equipment performance has been maintained by ongoing measures such as scheduled maintenance, condition monitoring, testing and calibration and whether such programs have been appropriately documented.

8.    Results of relevant tests, inspections and physical examination, and other investigations conducted to assess the current conditions of installed qualified equipment (see factor 2). The review should strive to identify differences from the qualified configuration (e.g. missing bolts, damaged conduits).

9.    Physical examination and inspection to verify that the installed equipment complies with the required qualification described in the safety documentation. 

Safety factor 4: Ageing

Ageing affects all SSCs including those important to safety. Physical changes associated with ageing could eventually impair safety function and service life. Obsolescence management is also considered to be part of this safety factor.
Effective control of ageing degradation can be achieved by applying a systematic management process in accordance with international best practice described in Ref [9] & [10].

REVIEW OBJECTIVES:
  • To determine whether an effective ageing management program is in place to ensure that all required safety functions will be delivered on demand for the design lifetime of the facility or at least until the next PSSR.
  • To determine whether the ageing process affecting SSCs important to safety is effectively managed.
SCOPE AND METHODOLOGY:

The review should include:

  1. Determination and assessment of the physical condition of SSCs important to safety and any features that could limit the service life and/or affect their safety functions. 
  2. Identification and assessment of all ageing mechanisms of SSCs important to safety. Adequate measures should be taken to monitor, predict, trend and control the ageing degradation.
  3. Assessment of the comprehensiveness of the current program and whether it addresses all SSCs important to safety. A systematic and effective ageing program should be developed by the licence holder. SSCs that might affect the SSCs important to safety or adversely affect their safety functions should also be included in the review. The assessment should confirm that this program delivers its purpose.
  4. Consideration of relevant performance indicators, their validity and effectiveness. 
  5. Assessment of whether existing inspection and monitoring programs allow for timely detection and characterisation of any ageing degradation. It should focus on periodic inspections, testing programs and trends in safety important parameters.
  6. Assessment of measures for minimisation/mitigation of ageing degradation of SSCs.
  7. Effectiveness of existing operating and maintenance policies and procedures for managing the ageing of replaceable components.
  8. Record keeping and assessment of effectiveness of existing documenting practices (e.g. documenting of potential ageing degradations).
  9. Understanding of dominant ageing mechanisms and phenomena, and knowledge of associated safety margins.
  10. Understanding, evaluation and control of ageing of all materials (including consumables such as lubricants) and SSCs that could impair their safety functions.
  11. Availability of data for assessing ageing degradation, including baseline data and operational history.
  12. Obsolescence management, including technologies used in the facility.

Safety factor 5: Utilisation (specific only to reactors)

The safety of the reactor utilisation, including experiments and experimental devices, is an important aspect of the overall requirements for facility safety and performance. Design and safety provisions for utilisation should be subject to an effective management system [11].

REVIEW OBJECTIVES:
  • To determine whether the existing arrangements are adequate to ensure safety of utilisation and experiments and their effect on reactor safety,
  • To determine whether the changes in the utilisation are adequately addressed.
SCOPE AND METHODOLOGY:

The review should include:

  1. Adequacy of arrangements for use and control of utilisation activities, ongoing utilisation and foreseeable changes, and applicable operational limits and conditions. This should include assessment of influence of utilisation on the reactor safety.
  2. Adequacy and quality of existing procedures for utilisation, and changes in the facility documentation with respect to utilisation.
  3. The internal approval process for use and control of utilisation activities.
  4. Changes to the facility affecting utilisation of the reactor, including whether the effects on the reactor safety have been assessed, the changes categorised and appropriately documented.
  5. Ageing management of utilisation devices and equipment.
  6. Qualification and training of the relevant personnel, training requirements and needs.
  7. Assessment of adequacy of utilisation equipment qualification, specifications and procedures.
  8. Assessment of ongoing maintenance of the utilisation equipment and devices, their condition monitoring, testing and calibration. Adequacy of the level of documentation should also be included.
  9. Storage conditions and disposal of experimental devices, tools and equipment.

Safety factors related to safety analysis

Safety factor 6: Deterministic safety analysis

The deterministic safety analysis should be conducted for each facility to confirm the design basis for SSCs important to safety and to evaluate the facility behaviour for postulated initiating events. 

NOTE: Safety requirements for deterministic safety analysis are outlined for research reactors in Ref [12]. 

REVIEW OBJECTIVES:
  • To determine the completeness and validity of the existing deterministic safety analysis,
  • To determine the adequacy of the identified postulated initiating events (PIEs), including internal and external hazards, with account taken of the facility design and site characteristics for the period covered by the PSSR, and current analytical methods (modern, validated computer codes), safety standards and knowledge,
  • To determine the adequacy of the as-built design of the facility considering the modification of SSCs, current operating modes, facility utilisation, and applicable standards and knowledge,
  • To determine the adequacy of safety margins and uncertainties.
SCOPE & METHODOLOGY:

The review should include:

  1. Assessment of existing deterministic safety analysis for completeness of the PIEs constituting the design basis in the light of feedback from the operating experience both from the facility and outside the organisation. The review should be conducted against the current national and international requirements, standards and good practices.
  2. Validity of assumptions made for the current deterministic safety analysis considering the actual condition of the facility. 
  3. Assessment of facility behaviour for PIEs that considers current regulations, national and international standards and practices. 
  4. Assessment of functional adequacy and reliability of SSCs, the impact on safety of internal and external events, equipment failures and human errors, the adequacy and effectiveness of engineering and administrative provisions to prevent and mitigate accidents.
  5. Systematic comparison of analytical methods, assumptions, guidelines and computer codes used in the existing deterministic safety analysis with current national and international requirements, standards and good practices to verify that the design basis for SSCs important to safety is correct. If the safety analysis needs to be repeated, consideration should be given to using modern analytical methods and computer codes. If the original methods are still to be used, the review should explicitly verify their validity, the degree of conservatism applied and inherent uncertainties used. If new analytical methodology, techniques or computer codes were used, the review should include discussion and assessment of variations in assumptions, modelling, outcomes and other differences between the old and new approach.
  6. The analytical methods have to account for the facility design, site characteristics, the condition of SSCs important to safety (both at present and predicted for the end of the period covered by the PSSR) and relevant international practice. Amongst other things, changes in facility design, changes in site characteristics such as additional nuclear and non-nuclear facilities, the prevailing climate, the potential for floods and earthquakes, transport and industrial activities, and their combinations near the site are expected to be considered.
  7. How operating experience feedback, new knowledge and changes in analytical and modelling techniques affect safety at the facility. 
  8. Lessons learnt and experience gained from actual events, in particular those that have occurred at research reactors. Any experience from managing such events (for example, external floods, seismic events and tornadoes) including design extension conditions and combination of such external events should also be used to improve the existing safety at the facility.
  9. Assessment of the operational limits and conditions for their continued validity as derived from the updated safety analysis.
  10. Whether the actual operating conditions meet the acceptance criteria for the design basis.
  11. Whether the emergency operating procedures and the facility accident management program have been based on appropriate deterministic methods.
  12. Whether calculated radiation doses and releases of radioactive material in normal and accident conditions meet the regulatory requirements and expectations.
  13. Identification and assessment of any major weaknesses and strengths of the facility design in relation to defence in depth and evaluation of the importance of existing systems and measures for preventing or controlling accidents.
  14. Verification that the capabilities of the facility in its current state, or where relevant with account of planned improvements, are within regulatory requirements and expectations for both normal operation and accident conditions.

Safety factor 7: Probabilistic safety assessment (relevant only to reactor facilities)

If the probabilistic safety assessment (PSA) forms part of the facility safety case, it should be up to date considering current standards and good practices. The review should be conducted to identify weaknesses in the design and operation of the facility and, as part of the global assessment, to evaluate and compare proposed safety improvements.

REVIEW OBJECTIVES:
  • To determine the extent to which the existing PSA remains valid.
  • To determine whether the scope, methodologies and extent of the PSA are sufficient and in accordance with current national and international standards and good practices.
SCOPE & METHODOLOGY:

The review should include:

  • The scope and level of application of the existing PSA, the assumptions used, fault schedule, representations of operators’ actions and common cause events, modelled configuration and consistency with other aspects of the safety case.
  • Assessment of whether accident management programs for design basis accident conditions are consistent with PSA models and results.
  • Verification that analytical methods, computer codes and validation standards used remain appropriate. If old methods were used, their validity, degree of conservatism applied and inherent uncertainties should be explicitly verified. If new methodology, technique or computer codes were used, the variations in assumptions, modelling, outcomes and other differences between the old and new approach should be discussed and assessed.
  • Verification that the risks arising from the PSA are sufficiently low and well balanced for all postulated initiating events and operational states, and meet the relevant probabilistic criteria.
  • Assessment of the implications of the PSA outcomes.
  • Confirmation that modelling reflects the current design and operating features, takes into account all operating experience, in all modes of operation. 
  • Assessment of completeness of the postulated initiating events and hazards.
  • The extent to which the hazards are represented in the PSA to verify that omissions are based on site specific justifications and that these omissions do not weaken the overall risk assessment for the facility.
  • Assessment of the human reliability analysis to ensure that actions are modelled on a facility specific and scenario dependent basis and current methods are applied.
  • Comparison of the result of the PSA with relevant probabilistic safety criteria (e.g. system reliability, core damage, release of radioactive material) defined for the facility or set by ARPANSA in Ref [13] & [14].
  • Confirmation that the update history adequately reflects changes if the PSA has been updated since the last PSSR or licensing process.

Safety factors related to operating experience

Safety factor 8: Operating experience

Safety performance of the facility is determined from assessment of operating experience, which includes operation, maintenance, surveillance, ageing and radiation protection. It should include safety related events, records of unavailability of safety systems, radiation dose records, radiological releases, waste management and other safety performance indicators. 

REVIEW OBJECTIVES:
  • To determine whether there is a need for corrective actions or safety improvements arising from the facility’s safety performance and operating experience, which includes root cause analysis of facility events,
  • To determine the adequacy of the program for the collection and analysis of operating experience. 
SCOPE & METHODOLOGY:

The review should include:

1.    Evaluation of the development and adequacy of the existing processes for routine recording, and safety related operating experience, including:

a)    Safety related incidents, low level events and near misses.

b)    Safety related operational data.

c)    Maintenance, inspection and testing.

d)    Replacement of SSCs important to safety owing to failure or obsolescence.

e)    Modifications, both temporary and permanent, to SSCs important to safety.

f)    Unavailability of safety systems.

g)    Compliance with regulatory requirements.

2.    Analysis of events related to safety and investigation findings to identify common contributors and trends. Actions arising from the findings or justification for not taking any actions should also be included.

3.    Systematic examination of safety performance indicators, where available.

4.    Examination of all other records of operating experience relevant to safety not covered by the safety performance indicators.

5.    Assessment of the facility’s safety performance methodologies and processes, considering:

a)    Identification and classification of safety related events.

b)    Root cause and contributing cause analysis of events including feedback of results.

c)    Methods for the selection and recording of safety related operational data, including maintenance, testing and inspection.

d)    Trend analysis of safety related operational data.

e)    Trend analysis regarding SSC replacement.

f)    Feedback of the safety related analysis data to the operation.

g)    Qualification of workers.

h)    Quality of the relevant procedures and results.

i)    Compliance with regulatory requirements.

j)    System in place for implementation of corrective actions following events.

6.    Effects of any changes in operation on safety performance. Specifically, evaluation of the relevance of existing indicators and other safety performance methods in the context of current and future operations.

7.    Effectiveness of the process in place for routine evaluation of operating experience. For the purpose of global assessment and use of other safety factors, it may be useful to summarise the results of the routine evaluation to provide an overall assessment of the facility safety performance for each year. 

Safety factor 9: Use of experience from other facilities and research findings

The operating experience from other similar facilities and recent research findings may reveal previously unknown safety weaknesses and can assist in solving existing problems. 

REVIEW OBJECTIVE:
  • To determine the adequacy of the process to collect and use relevant experience from other similar facilities and research findings to introduce practicable safety improvements.  
SCOPE & METHODOLOGY:

The review should include:

  1. Effectiveness of arrangements established for the timely identification of relevant operating experience from similar facilities and research findings in Australia and overseas. For research reactors, this should also include review of the process for receiving, analysing and acting upon operating experience presented in the Incident Reporting System for Research Reactors administered by the IAEA.
  2. Arrangements to share operating experience with other facilities in Australia and overseas.
  3. Whether relevant operating and research information is properly considered, the potential effects on the facility are assessed and appropriate actions taken where safety improvements are identified.

Safety factors related to organisational effectiveness

Safety factor 10: Organisation, the management system and safety culture

The operating organisation should have in place a management system that ensures policies and objectives are implemented in a safe, efficient and effective manner. The organisation’s healthy safety culture should drive individuals to carry out tasks important to safety correctly, thoughtfully, with a sound judgement and proper sense of accountability.

REVIEW OBJECTIVES:

•    To determine the effectiveness of the operating organisation in ensuring safe operation of the facility.
•    To determine the adequacy of the safety management system.
•    To determine the adequacy of safety culture for producing the desired human behaviour with appropriate attention to safety.

SCOPE & METHODOLOGY:

The review should include:

1.    Evaluation of the operating organisation and management system, including:

a)    Policy statements of the operating organisation. The policy should clearly state that safety takes precedence over the facility’s other commitments.

b)    Documentation of the management system.

c)    Adequacy of arrangements for managing and retaining responsibility for any outsourced activities or processes important to safety (e.g. maintenance, engineering services).

d)    Roles and responsibilities of individuals involved in safety related activities, at all levels including senior management. The safety responsibilities and authority should be clearly defined and understood.

e)    Processes and support information that explain how work is to be specified, prepared, reviewed, performed, recorded, assessed and improved.

f)    Adequacy of processes for managing organisational change.

g)    Systems to develop effective leaders and further improve leadership skills and competencies.

h)    Process for evaluation of safety culture and implementation of remedial actions. 

2.    Verification of:

a)    Effective implementation of safety policy. The goals and objectives of the operating organisation should be aligned with the safety policy. 

b)    The extent to which a questioning attitude and conservative decision-making exist in the organisation.

c)    Existence of a strong drive to ensure that all events with lessons to be learned are reported and investigated, root and contributing causes are identified, and timely remedial actions are taken.

d)    Human resources management that ensures adequate and qualified human resources are available. This should include succession planning.

e)    Arrangements to deploy qualified internal and external personnel.

f)    Appropriate and adequate control of documents, products and records and that the information is readily available to personnel.

g)    Adequacy of processes to ensure quality of the management systems of suppliers of safety relevant equipment and services. 

h)    Adequacy of communication processes.

i)    Appropriate and adequate training and programs including safety culture for the staff at all levels. This should include verification of suitability of training facilities.

j)    Interval of regular management system reviews to address safety issues, non-conformances, and lessons learned.

k)    Adequacy of processes for feedback of operating experience to staff.

l)    Suitable arrangements for maintaining configuration and change control of the facility and associated documentation. 

3.    Adequacy and effectiveness of independent audits or self-assessment.

4.    Assessment of safety culture characteristics so weaknesses are identified, evaluated and remedied in a timely manner. If regular management system reviews have not covered all aspects of safety culture as outlined in ARPANSA’s Holistic Safety Guidelines [15], omitted tasks should be included in the PSSR. 

Safety factor 11: Procedure management 

Procedures and instructions relevant to safety should be comprehensive, validated, formally reviewed and approved, appropriately distributed and subject to appropriate management control. They should reflect current operating practices and due consideration should be given to human factor aspects. 

REVIEW OBJECTIVE:
  • To determine the adequacy and effectiveness of the process for developing and implementing procedures and instructions, and the process for managing compliance.
SCOPE & METHODOLOGY:

The review should cover:

1.    Operating procedures and instructions for normal and abnormal conditions, including:

a)    Anticipated operational occurrences, design basis accident conditions and post-accident conditions.

b)    Emergency procedures and instructions including design extension conditions.

c)    Maintenance, testing and inspection procedures and instructions.

d)    Procedures and instructions for issuing work permits.

e)    Change control procedures and instructions, which includes hardware as well as documentation change.

f)    Procedures and instructions for controlling operating configuration.

g)    Procedures and instructions for radiation protection, including on-site transport of radioactive material.

h)    Procedures and instructions for management of radioactive effluents and waste.

2.    Effectiveness of the process for formal documentation and approval of safety related procedures.

3.    Verification that there is a formal system for development, review and modification of procedures related to safety that includes a tracking capability and change management. This includes comparison of these arrangements against good practice.

4.    Evaluation of audits, self-assessment, safety performance and events to determine whether there is adequate understanding and acceptance of these procedures by managers and staff.

5.    Verification that human factors (e.g. envisaged human errors, human-machine interface, user friendliness, clarity, implementation) are considered in the development of procedures and instructions. 

6.    User involvement in the development of procedures and instructions.

Safety factor 12: Human factors

Human factors influence all safety aspects at nuclear or radiation facilities. Therefore, the operating organisation should ensure that their effect does not represent an unacceptable contribution to risk.
NOTE: Assessment of human factors is outlined in ARPANSA’s Holistic Safety Guidelines [15].

REVIEW OBJECTIVE:
  • To determine whether human factors within the operating organisation are evaluated and addressed in a manner that corresponds with accepted good practice, and their contribution to risk is acceptable.
  • To determine how various human factors could affect the safe operation of the facility.
  • To identify reasonable and practicable corrective actions or improvements.

The review should be carried out with the assistance of properly qualified personnel or at least personnel with experience in human factors.  Deficiencies arising from the review and representing potentially significant adverse contribution to risk should be considered in the global assessment.

SCOPE & METHODOLOGY:

The review should include:

  1. Adequacy of staffing levels to operate the facility (accounting for absences, overtime restrictions, etc.).
  2. Verification that resources devoted to safety are adequate.
  3. The process for selecting and maintaining suitable qualified personnel and whether it adequately considers requirements for safety and security. This should include consideration of ageing of facility personnel and succession management.
  4. Competency requirements for operating, maintenance, technical, managerial, and security staff.
  5. Verification that assessments of skills and competencies are undertaken for positions that have safety and security functions.
  6. Verification that human factors considered for maintenance activities assist with the prevention of errors in execution of work. 
  7. Verification that the management practices, system of rewards and sanctions, and communication with individuals motivate the staff, develop good attitudes among staff members and foster a strong safety culture.
  8. Adequacy of training programs, including initial training, refresher training, and upgrading training.
  9. Verification that operator actions needed for safe operations have been assessed to confirm that assumptions and claims made in the safety analysis are valid.
  10. Confirmation that equipment and machine design, process design, operational environment design and operations account for human factors. Relevant procedures are in place to support it. 
  11. The review of the human–machine interface by examining the actual condition of the facility using, for example, facility walk downs by specialists.
  12. Consideration of recognised national and international good practice.
  13. The key human performance indicators, including the indicator analysis results, trends and suitability of existing human performance indicators.
  14. Identification/confirmation of safety related activities susceptible to operational drift.

Safety factor 13: Emergency planning

The design and operation of a facility should prevent or otherwise minimise radiation risks to workers, the public and the environment. Emergency planning to mitigate the consequences of accident conditions, including design extension conditions for research reactors, is a prudent and necessary measure for the operating organisation, as well as local and national authorities. 

NOTE: Emergency planning requirements are published in the IAEA Preparedness and Response for a Nuclear or Radiological Emergency GSR Part 7 [16].

REVIEW OBJECTIVE:
  • To determine whether adequate plans, staff, facilities and equipment are available for dealing with emergencies.
  • To determine whether the arrangements have been adequately coordinated with local and national authorities and are regularly exercised.
SCOPE & METHODOLOGY:

The review should include:

  1. Verification that the on-site plans are sufficiently comprehensive and maintained in accordance with the current safety analysis, accident mitigation studies, and national and international guidelines.
  2. Consideration of changes within the facility, organisational changes, changes with respect to emergency response, and development on site (outside the facility), including projection of anticipated future operation and development until the next PSSR.
  3. Consideration of the effects of recent agricultural, residential and recreational development around the site.
  4. Adequacy of on-site equipment, support centres, on-site and off-site emergency facilities and their locations, including physical inspection. It should be verified that emergency equipment is appropriately stored, maintained in operable condition and accessible in design extension conditions.
  5. Content and effectiveness of emergency training and exercises, including frequency, records and results, and actions taken in case of deficiencies.  
  6. Evaluation of the adequacy of the emergency response organisation structure and the clarity of shared responsibilities for various response tasks, e.g. evaluation of interactions with relevant off-site organisations such as the police, ambulance, fire departments, regulatory bodies, local authorities, government, etc.
  7. In the case of a multi-facility site, evaluation of both the local (facility) as well as organisational (site) emergency arrangements. 
  8. Verification of effectiveness and efficiency of arrangements in place to regularly review and update the emergency plans and procedures.

Safety factors related to the environment

Safety factor 14: Operational radiation protection

The operational radiation protection program should be established to ensure monitoring of the radiation dose to workers, radiation and contamination levels in and around the facility, and the discharge of radioactive effluents as well as the generation of radioactive waste in the facility.

NOTE: Radiation protection requirements are published in the IAEA Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards GSR Part 3 [17].

REVIEW OBJECTIVE:
  • To determine the adequacy and effectiveness of the operational radiation protection program, current procedures and practices.
  • To determine if radiation risk, doses to workers and releases to the environment are as low as reasonably achievable, including waste management at the facility.
SCOPE & METHODOLOGY:

The review should include:

1.    Evaluation of the operational radiation protection program, including:

a)    Policies on operational radiation protection, and radioactive waste management.

b)    The radiation protection and on-site monitoring program, including instrumentation and equipment, radiological monitoring and surveys, and decontamination. The availability and maintenance of adequate radiation protection equipment, such as radiation monitors, stack monitors, portable monitors and contamination monitors, should be included.

c)    Potential sources of radiological exposure and other radiological impacts such as shielding, hot spots, and the categorisation of premises.

d)    The applicable limits and reference levels for exposures and emissions against current national and applicable international standards and good practices.

e)    Radiation doses to predefined groups of personnel, users, visitors and contractors including dose constraints. The review should determine whether the doses are within prescribed limits, as low as reasonably practicable and adequately managed.

f)    Trend analysis of radiation doses (collective and individual) and discharges to the environment.

g)    Trend analysis of effluent discharges to the environment and their optimisation.

h)    On-site and off-site contamination and radiation levels.

i)    Data on the generation of radioactive waste to determine whether operation of the facility is optimised and the quantities of waste being generated and accumulated are minimised, taking into account the national policy on radioactive discharges and international treaties, standards and criteria.

j)    Generation and interim storage of radioactive waste.

k)    Adequacy of the waste storage capacity at the facility taking into account changes in the background levels, hot spots, and necessity of additional shielding.

Safety factor 15: Radiological impact on the environment

The operating organisation should have in place an established and effective program that provides data on the radiological impact of the facility on its surroundings and the environment. 

REVIEW OBJECTIVE:
  • To determine whether the program in place is effective for monitoring the radiological impact of the facility on the environment to ensure that emissions are appropriately controlled and are as low as reasonably achievable.
SCOPE & METHODOLOGY:

The review should include:

1.    Evaluation of whether the existing monitoring program is appropriate and sufficiently comprehensive. Trending analysis of current data compared to historical records should be carried out to identify the actual facility impact on the environment since the last PSSR or facility licensing process.

2.    Verification of the following for both current and future operations:

a)    The program includes monitoring of concentrations of radionuclides in air, water (river, sea and groundwater), soil, agricultural and marine products and animals, whichever is applicable.

b)    Potential new sources of radiological impact that have been recognised by the operating organisation.

c)    Sampling and measurement methods are consistent with current standards.

d)    A system is in place for various discharge effluents so that discharges can be effectively monitored and trended. Appropriate actions are taken to remain within the discharge limits and keep discharges as low as reasonably achievable.

e)    On-site monitoring is undertaken, and monitoring locations and methods used have a high probability of detecting a release of radioactive material to the environment.

f)    The off-site monitoring system for contamination and radiation levels is adequate. Actions are taken to keep such levels as low as reasonably possible.

g)    Alarm systems to respond to unplanned releases of radioactive material are suitably designed, currently available and maintained.

h)    Suitability of calculation methodology (including computer programs) used to assess doses due to releases.

3.    Consideration of projected facility and site operations and surrounding land use plans in the development of monitoring programs and for anticipating on-site and off-site monitoring system capability requirements.

4.    Actions are taken to quarantine contaminated areas and clean up contamination where practicable. 

Security factors related to analysis

Security Factor 1: Threat assessments

Licence Holders should use the current Design Basis Threat (DBT) issued by the competent authority ASNO at the latest threat assessment to inform the status of the protective security system. 

REVIEW OBJECTIVE:
  • To determine whether the current DBT has been used to inform the development of security policies and objectives.
SCOPE & METHODOLOGY:

The review should include: 

  1. Evaluation of whether all existing and postulated threats described in the current DBT are appropriately addressed.
  2. Confirmation that the current security plan is being implemented.
  3. Review of the ability of the licence holder to increase its security posture during periods of elevated threat.

Security Factor 2: Vulnerability assessments

Vulnerability assessments should be undertaken periodically to verify that the security systems continue to effectively reduce the probability of success by an adversary attempting theft, sabotage or other criminal act as described within the DBT.

REVIEW OBJECTIVE:
  • To determine whether vulnerability assessments have been performed periodically and against threats described in the DBT.
SCOPE & METHODOLOGY:

The review should include: 

  1. Evidence of the conduct and the results of vulnerability assessments for all threats described in the DBT. 
  2. Confirmation that the vulnerability assessment adequately addresses the threats. An analysis of adversary sequence diagrams, supported by exercises and testing of the security systems, for both physical and electronic threats to highlight the weakest paths should be undertaken. 
  3. An explanation and a plan to address any shortfalls, should gaps be identified. 

Security Factor 3: Consequence assessments

Consequence assessments should be performed against threats identified within the DBT in order to inform the radiological consequences of malicious acts.

REVIEW OBJECTIVE:
  • To determine whether adequate consequence assessments have been performed against threats described in the DBT.
SCOPE & METHODOLOGY:

The review should include:

  1. Re-evaluation of the results of consequence assessments for relevant threats described in the DBT.  
  2. Evidence that the licence holder has adequately addressed the threats. 
  3. Confirmation that international best practice modelling techniques have been used for radiological dispersal to inform the assessment of radiological consequences caused by acts of sabotage, and that dose reconstruction to inform potential exposures due to other malicious or criminal acts has been conducted. If not, an explanation should be provided.

Security Factor 4: Risk assessments

Risk assessments are performed and are informed by the current threat assessment, the DBT, vulnerability assessments and radiological consequence assessments.

REVIEW OBJECTIVE:
  • To determine whether an adequate risk assessment has been performed against a facility DBT, which acknowledges the current threat environment, considers the security vulnerabilities, and analyses the potential radiological consequences associated with malicious acts.
SCOPE & METHODOLOGY:

The review should include: 

  1. Confirmation that a comprehensive risk assessment has been conducted. The risk assessments should combine the review of relevant threats described in the DBT and any relevant changes in the current threat environment, be coupled with an analysis of vulnerability assessments for malicious acts, and be informed by relevant radiological consequence assessments.
  2. Confirmation that the analyses performed in Security Factor 1, Security Factor 2 and Security Factor 3 are combined in a systematic approach for the overall risk assessment.
  3. Evaluation of the risk assessment against the organisation’s risk tolerance thresholds (sometimes referred to as risk appetite). A plan to address any identified gaps should be presented and explained.

Security factors related to management

Security Factor 5: Security policies and objectives 

Overarching policies and objectives for security are clearly defined.

REVIEW OBJECTIVE:

•    To determine whether security policies and objectives are adequately captured in the strategic goals of the organisation and are integrated into the overall operational safety and security practices of the licence holder. 

SCOPE & METHODOLOGY:

The review should include: 

1.    Assessment of the security policies and objectives to verify that the following strategic and operational goals are incorporated:

a)    Protection against unauthorised removal of nuclear and other radioactive materials and sabotage to facilities.

b)    Recovery of missing, lost or stolen nuclear and other radioactive materials.

c)    Mitigation and minimisation of the effects of sabotage.

2.    Confirmation that the security policies and objectives demonstrate:

a)    That the promotion and application of the policies and objectives are understood and driven by the CEO and senior management.

b)    That the policies and objectives are communicated and understood by all staff.

c)    How security will be maintained and sustained.

d)    How the negative and positive impacts that security systems may place on safety systems will be managed.

e)    The system in place to monitor, review and amend the security policies and objectives.

Security Factor 6: Consistency with security frameworks

The security system in place should be consistent with national and international security principles, policies, treaties and guidance.

REVIEW OBJECTIVE:
  • To determine whether security arrangements are consistent with the relevant national and international security principles, policies, treaties and guidance. 
SCOPE & METHODOLOGY: 

The review should include: 

1.    Assessment of the security policies and objectives to ensure consistency or compliance with the relevant parts of the following (where appropriate):

a)    Amended Convention on the Physical Protection of Nuclear Material [18]

b)    IAEA Nuclear Security Series No. 13 [3]

c)    IAEA Nuclear Security Series No. 14 [4]

d)    Attorney General’s Protective Security Policy Framework [19]

e)    Australian Signals Directorate’s Information Security Manual [20]

f)    IAEA Code of Conduct on the Safety and Security of Radioactive Material [21]

Security Factor 7: Security culture

The Licence Holder should foster a strong security culture which encourages vigilance, probity and a non-punitive approach to the reporting of incidents. 

REVIEW OBJECTIVE:
  • To determine the health of the security culture across the organisation. 
SCOPE & METHODOLOGY: 

The review should include:

  1. An assessment of the licensee’s nuclear security culture.
  2. An assessment of security incident reporting, including an analysis of the root cause of incidents, taking into consideration the impact that security culture has had on incidents.
  3. Examination of the effectiveness of processes that ensure lessons are learnt and improvements implemented.

Security Factor 8: Access controls

The licence holder should maintain adequate access control arrangements.

REVIEW OBJECTIVE:
  • To determine the adequacy of access control arrangements.
SCOPE & METHODOLOGY:

The review should include: 

  1. Adequacy of policies and procedures covering access control, the physical or electronic systems and measures used to administer the procedures, and any security incidents that have been caused by unauthorised access. 
  2. Examination of the system used to manage unescorted access.

Security Factor 9: Trustworthiness

The licence holder should develop and follow an effective system that assesses and maintains trustworthiness of individuals undertaking a conduct or dealing with nuclear or other radiological materials, or the facilities and systems used to control them.

REVIEW OBJECTIVE:
  • To determine the effectiveness of the systems in place to establish the trustworthiness of individuals within the organisation. 
SCOPE & METHODOLOGY:

The review should include:

  1. Assessment of the adequacy of policies and procedures for trustworthiness checks.
  2. Assessment of any security incidents that have been caused by a trusted insider.

Security Factor 10: Information & cyber security

The licence holder has developed and maintains an information management system that protects sensitive information and keeps it secure.

REVIEW OBJECTIVE:

•    To determine the adequacy of policies, procedures, systems and measures to protect security sensitive information. 

SCOPE AND TASKS:

The review should include:

  1. Effectiveness of the process adopted to identify information that should be protected.
  2. Effectiveness of the process that ensures relevant information is being protected, including physical protection arrangements and administrative controls for access to information.
  3. Effectiveness of the system in place to monitor, maintain and check the controls.
  4. Assessment of any information security incidents.

Security Factor 11: Accounting, inventory and records

Nuclear and other radioactive materials are adequately accounted for and recorded in an effective system maintained by the licence holder.

REVIEW OBJECTIVE:
  • To determine the effectiveness of the policies, procedures, systems and measures to account for nuclear and other radioactive materials. 
SCOPE & METHODOLOGY:

The review should include:

  1. Effectiveness of the process to maintain, update and verify inventory records.
  2. Effectiveness of the protection systems for records and inventories against accidental or deliberate modification.
  3. Adequacy of the policies, procedures, systems and measures surrounding accounting, inventory and records.
  4. Assessment of any accounting events that have occurred.

Security Factor 12: Security event reporting

The licence holder should develop and maintain a security event reporting system that is effectively used to improve security.

REVIEW OBJECTIVE:
  • To determine effectiveness of the process used to report, record and investigate security events so lessons are adequately learnt and the security system improved. 
SCOPE & METHODOLOGY:

The review should include:

  1. Effectiveness of the system to report a security event in a timely fashion, accurately record the event details and track the event throughout the investigation to corrective action implementation, including:
  • Thresholds for security event reporting.
  • The organisational capacity and capability to manage reporting on security events.
  • The processes by which security events are reported, assessed and investigated and security improvements identified.
  • The processes used for incorporating the lessons learned into existing policies, procedures and practices.
  • Whether reporting processes for security are integrated with safety reporting, where appropriate.
  • Comparison of current policies, procedures, systems and measures against the process actually followed.
  • Assessment of user friendliness of the system and users’ access to the system.
  • Prioritisation process and timeliness of implementation for actions arising from event investigation.

Security Factor 13: Transfer and transport security

The licence holder should carry out transfers and transport of nuclear and other radioactive materials securely.

REVIEW OBJECTIVE:
  • To assess adequacy and effectiveness of policies, procedures, systems and measures to maintain security for internal and external transfers, including on-site and off-site transport of nuclear and other radioactive materials. 
SCOPE & METHODOLOGY:

The review should include:

1.    Assessment of protocols used to transfer nuclear and other radioactive materials within and outside of the organisation. This should include:

a)    Process of authorising, recording and documenting of internal and external transfers

b)    Methods used to secure nuclear and other radioactive materials for transport

c)    The process applied to assigning responsibilities and announcements of notification

2.    Effectiveness of the process in place to ensure that protocols are maintained. 

Security factors related to protective security

Security Factor 14: Detection and assessment measures

The licence holder should effectively implement measures to detect and assess malicious acts (unauthorised removal and sabotage of nuclear and other radioactive materials).

REVIEW OBJECTIVE:
  • To assess completeness and effectiveness of the policies, procedures, systems and measures to detect and assess a malicious act. 
SCOPE & METHODOLOGY:

The review should include:

1.    The effectiveness of measures implemented to detect and assess unauthorised access to nuclear and other radioactive materials, including as relevant:

a)    Visual observation measures

b)    Electronic sensors

c)    Accountancy records

d)    Seals and other tamper indicating devices

e)    Process monitoring systems

f)    Physical checks of nuclear and other radioactive materials and the systems by which they are controlled

2.    Adequacy of the detection measures as part of the overall security system to address identified vulnerabilities to mitigate risk.

3.    Assessment of the processes by which particular detection measures are selected to ensure the costs and effectiveness of the implementation are commensurate with the identified risks.

4.    Analysis of how detection and surveillance will be used to confirm (assess) that unauthorised access has occurred or is being attempted.

Security Factor 15: Delay measures

The licence holder should implement and maintain effective measures to delay a malicious act (unauthorised removal and sabotage of nuclear and other radiological materials).

REVIEW OBJECTIVE:
  • To assess effectiveness of the policies, procedures, systems and measures to delay a malicious act. 
SCOPE & METHODOLOGY:

The review should include:

1.    Evaluation of the physical, electronic or administrative measures implemented to delay unauthorised access to nuclear and other radioactive materials, including:

  • Walls
  • Interlocks
  • Fences
  • Bunkers
  • Doors
  • Secure fixings

2.    Effectiveness of the delay systems against defined performance objectives.  

Security Factor 16: Response measures

Responses to a potential or actual malicious act (unauthorised removal and sabotage of nuclear and other radiological materials) should be prepared and practised regularly.

REVIEW OBJECTIVE:
  • To determine whether the prepared and exercised contingency plan for responding to malicious acts is effective and meets defined performance objectives. 
SCOPE & METHODOLOGY:

The review should include:

  1. Effectiveness, currency and completeness of the security contingency plan.
  2. How the security contingency plan is proportional to the threat.
  3. Effectiveness of the process used to notify the regulatory bodies and other authorities of the activation of the contingency plan in a timely manner.
  4. Adequacy of measures to be used, and any limitations, to interrupt the malicious act.
  5. Adequacy and effectiveness of arrangements to request timely off-site support. 
  6. Adequacy and effectiveness of measures to be taken, in conjunction with supporting organisations, to locate and recover lost, stolen or missing sources.
  7. Adequacy and effectiveness of measures to be taken, in conjunction with supporting organisations, to mitigate or minimise the radiological consequences from sabotage.
  8. Evaluation of the type, scope and frequency of the relevant drills and exercises (see Security Factor 18).
  9. Comparison of the contingency plan against periodic security response exercises to validate and determine the performance and effectiveness of the response measures.

Security Factor 17: Security performance analysis

Security performance assessment of the facility should take into account operating experience, which should include security related events, records of unavailability of security systems and other security performance indicators. 

REVIEW OBJECTIVE:
  • To determine whether the facility’s security performance indicators show any need for improvement. 
SCOPE & METHODOLOGY:

The review should include:

1.    Adequacy of the existing processes for routine reporting, recording and evaluation of security related operating experience, which should include:

a)    Lessons learnt from security related incidents, low level events and near misses

b)    Security related operational data

c)    Maintenance, inspection and testing of security systems

d)    Modifications, both temporary and permanent, to systems important to security

e)    Unavailability of security systems

f)    Compliance with regulatory requirements

2.    Adequacy and effectiveness of security performance indicators.

3.    Trend analyses based on the current security performance indicators, and investigation of trends in the root causes of security related events. Any adverse trends should be explained and justified, and appropriate action taken.

Security Factor 18: Contingency plan drills, training and exercising

A sustained program of contingency plan drills, training and exercising is maintained which addresses the threats contained within the DBT and considers beyond DBT threats.

REVIEW OBJECTIVE:
  • To determine whether the facility’s contingency plan and the associated drills, training and exercise regime is adequately sustained, maintained and routinely exercised against defined performance objectives for DBT and beyond DBT threats.
SCOPE & METHODOLOGY:
  1. Assessment of the effectiveness and sustainability of the physical, electronic and cyber threats for which the contingency plan is developed and executed, to include:
     a) The nature and scale of the threats defined within the DBT and consideration for beyond DBT threats
     b) The development of explicitly defined roles, responsibilities, capability thresholds and expectations for supporting response organisations
     c) The effectiveness of preparation, conduct and independent-evaluation materials during exercises
     d) The effectiveness of the interoperability between response organisations
     e) The effectiveness of command, control, coordination and communications between response organisations
     f) Notification, activation and escalation arrangements
     g) De-escalation and termination arrangements
     h) Post activity review, reporting and processes to implement lessons learned

Security Factor 19: Use of international experience

The operating experience from other similar facilities and recent research findings may reveal previously unknown security vulnerabilities. 

REVIEW OBJECTIVE:
  • To determine whether feedback of relevant experience from other similar facilities and research, where possible, is used to introduce practicable security improvements in the facility or operating organisation.
SCOPE & METHODOLOGY:

The review should include:

  1. Arrangements for dissemination of operating experience with other nuclear facilities in Australia and overseas.
  2. Methodology for evaluating applicability and implementation of research findings and operating experience relevant to security from other facilities.

1 The term ‘facility’ in the context of this guide means a nuclear installation facility and prescribed radiation facility.

2 Throughout this document reference to a ‘Licence Holder’ that is regulated by ARPANSA is understood to also refer to a ‘Permit Holder’ that is regulated by ASNO.

3 In accordance with the description of high radiological consequences contained within the ARPANSA Emergency Exposure Guide (draft 2018).

 

[1] IAEA (2013). Periodic Safety Review of Nuclear Power Plants, Specific Safety Guide No. SSG-25 Safety Standards Series

[2] ARPANSA (2007). Radiation Protection Series No. 11, Code of Practice for the Security of Radioactive Sources

[3] IAEA (2011). Nuclear Security Series No. 13 Nuclear Security Recommendations on Physical Protection of Nuclear Material and Nuclear Facilities

[4] IAEA (2011). Nuclear Security Series No. 14 Nuclear Security Recommendations on Radioactive Material and Associated Facilities

[5] IAEA (2016). Safety Assessment for Facilities and Activities, General Safety Requirements No. GSR Part 4 (Rev 1), Safety Standards Series

[6] IAEA (2012). Use of a Graded Approach in the Application of the Safety Requirements for Research Reactors, Specific Safety Guide SSG-22, Safety Standards Series

[7] ARPANSA (2016). Radiation Protection in Planned Exposure Situations, Radiation Protection Series C-1

[8] IAEA (1996). Defence in Depth in Nuclear Safety, International Nuclear Safety Advisory Group (INSAG), INSAG-10

[9] IAEA (2010). Ageing Management for Research Reactors, Specific Safety Guide No. SSG-10, Safety Standards Series

[10] IAEA (2006). Maintenance, Periodic Testing and Inspection of Research Reactors, Specific Safety Guide No. NS-G-4.2, Safety Standards Series

[11] IAEA (2012). Safety in the Utilization and Modification of Research Reactors, Specific Safety Guide No. SSG-24, Safety Standards Series

[12] IAEA (2012). Safety Assessment for Research Reactors and Preparation of the Safety Analysis Report, Specific Safety Guide No. SSG-20, Safety Standards Series

[13] ARPANSA (2001). Regulatory Assessment Criteria for the Design of New Controlled Facilities and Modifications to Existing Facilities, Regulatory Guideline RG-5, RB-STD-43-00 Rev 1

[14] ARPANSA (2001). Regulatory Assessment Principles for the Controlled Facilities, Regulatory Guideline RB-STD-42-00 Rev 1

[15] ARPANSA (2017). Holistic Safety Guidelines v1.1, Regulatory guide REG-LA-SUP-240U v1.1

[16] IAEA (2014). Preparedness and Response for a Nuclear or Radiological Emergency, IAEA Safety Standards Series No. GSR Part 7, General Safety Requirements

[17] IAEA (2014). Radiation Protection and Safety of Radiation Sources: International Basic Safety Standards, IAEA Safety Standards Series No. GSR Part 3, General Safety Requirements

[18] IAEA (1980). The Convention on the Physical Protection of Nuclear Material, Information Circular, IAEA-INFCIRC/274/Rev 1

[19] Australian Government, Attorney-General’s Department. Protective Security Policy Framework

[20] Australian Government, Department of Defence

[21] IAEA (2004). Code of Conduct on the Safety and Security of Radioactive Sources