The Sellafield site comprises a significant number of separate facilities, which are supported by a number of interfacing functions (e.g. site systems, infrastructure and operations).
The focus of ONR’s regulatory activity will always be upon facilities that have the potential to deliver a significant off-site consequence. As such, it may not always recognise the functions which support and underpin those facilities.
However, the current ONR regulatory strategy for Sellafield is focussed on stimulating, facilitating and expediting hazard and risk reduction.
The purpose of ‘essential operations’ inspections is, for a function that underpins hazard and risk reduction activities at the Sellafield site, to identify any potential shortfalls in the reliability and resilience of that function (and thus the potential impact on sustained operations) which would merit proportionate remedial action by the licensee or others. This understanding is fundamental to delivery of the ONR strategy and therefore of strategic importance.
This was a pilot inspection of a limited scope in order to achieve the following objectives:
The scope of this pilot inspection was the Sellafield communication systems. It was specifically limited to the site communications systems (and associated requirements, functions and claims) that are essential to sustain site operations and facilitate hazard and risk reduction (i.e. normal operations). In particular, I sought to gain practical confirmation of the availability, reliability, maintenance and testing of these systems.
The inspection was undertaken at the Sellafield site from 12 – 13 March 2015. I was supported by an ONR Site Inspector and an AMEC control and instrumentation specialist.
This was not a system-based inspection.
The evidence presented during the inspection, and the challenge provided by scenario testing, supports our judgement that the licensee has multiple redundant and diverse communications systems in place to support continued hazard and risk reduction operations. Weaknesses in, and limitations of, the communications systems discussed during the inspection had already been recognised by the licensee; improvement plans are in place to address some of these concerns.
The ISO Service Management Team is proactively engaging with site operational facilities to ensure that telephone communications vital to their continued safe operation are correctly identified, and that additional resilience measures are established where required.
A key sub-system within the telephone system presents the largest single point of failure for hardwired communications. As such, its functionality is vital to sustain hazard and risk reduction operations. Consequently, we would expect the licensee to fully understand the arrangements in place to ensure continued availability of the facility, a position that the licensee could only partly demonstrate at the time of the inspection.
We judged that the testing and exercising of the communications systems sampled did not always allow the licensee to demonstrate the required confidence in the claims made regarding resilience and availability of supply.
A successful manual switchover intervention is imperative to the continued availability of the hardwired telephone system should the central exchange fail. The licensee has not yet put in place the required guidance and training to give sufficient confidence that this will be achieved when required. ONR will take the opportunity, while on site during April 2015, to verify that this has been completed.
Recognising that a third party is used for a significant proportion of all site communications support, we judged that there was sufficient evidence to suggest that the licensee’s intelligent customer role could be improved. In particular, the reporting did not sufficiently identify trends and related system failures, and so was of limited use to the licensee in terms of facilitating effective learning. In addition, we would expect the licensee to use their own mature reporting and trending arrangements to ensure that any issues are identified and addressed.
I judge that the reliability of the site communications systems is suitable and sufficient to support continued hazard and risk reduction operations. However, the inspection identified a number of areas where the resilience of the systems could be further improved. This report has been shared with relevant ONR Inspectors in support of future intervention planning.
Overall, based on the findings of a critical review, both we and SL concurred that there is future value to both parties in undertaking further essential operations inspections targeted on the functions underpinning hazard and risk reduction activities on the site.