Argument A1.2 Robot is adequately safe (tolerable and ALARP) to operate in the environment defined by the assumptions and if the prerequisites are met, to provide pond mapping without operator intervention because...


An application-level optioneering study has been performed, based on a task description, from which the use of an autonomous robot has been chosen for the following reasons:

  1. The robot has the capability of surveying the pond to a depth of <nnn> across the whole width and length of the pond, which is not possible by any other means; e.g. a camera suspended from a crane into the pond does not, on its own, have this capability because of sediment in the pond. The use of LIDAR, sonar and a camera with image classification enhances the survey. <Needs some metrics here to quantify how much better>. It can identify <nnn> and <nnn> in the pond, and knowing this allows a safer remediation exercise. The additional safety is achieved by reducing the time at risk for workers around the pond during the remediation work, because they can target the most significant locations.
  2. Autonomy allows the operator to leave the immediate area of the pond, reducing their time at risk.

The disbenefits were found to be:

  1. This is a first research deployment of the robot and therefore it may not provide the data which would be necessary to realise the benefits described above. However, this is a mission-enabling technology which is expected to deliver wide-ranging benefits <detail the benefits>.
  2. If the robot should fail, it could itself become radiologically contaminated waste.
  3. The robot could collide with the pond sides and has the potential to cause an escape of pond liquor, which is an additional hazard that would not exist if the pond were entered directly with a crane-suspended gripper. Conversely, the crane gripper could cause similar damage and, without the survey, would spend significantly more time retrieving spent fuel.
  4. The robot could collide with the contents of the pond. This is deemed a minor issue, as a crane-suspended gripper, unaware of the location of the material in the pond, could cause similar if not worse damage.
  5. The robot's propellers could splash pond liquor up to a metre outside the pond's perimeter.

In addition, optioneering has been carried out on the designs of the SIFs, which are shown to be the most appropriate solution to achieve this particular mission and also to enable the wider mission.

This safety case shows how disbenefits 2, 3, 4 and 5 have been addressed and, together with the SIFs, can be considered tolerable and ALARP; this is summarised here.

The hazards have been identified and fully understood, as far as is reasonably practicable (AFAIRP), by use of high-level principles and recognised good practice (RGP). The Hazard Log contains all identified hazards, a link to their analysis, how each has been sentenced and, where necessary, their mitigations and safe states.

Functional and non-functional safety requirements have been derived from the Hazard Log and are traceable to it.

The robot is shown to meet its functional and non-functional safety requirements when operated within an adequate safety management system.

The risk is tolerable as, once mitigated, it lies in the Cat C, low severity region in the risk graphs below.

The risk is ALARP because the optioneering studies have considered all solutions (AFAIRP) and shown that any further mitigation would be disproportionately expensive, both financially and in time. NB. It has also been shown that the additional time would be better spent remediating the contents of the pond to mitigate the hazards which are latent therein.

The risks have been considered in the context of a bow tie diagram and AFAIRP post accident mitigations have been implemented.

Probabilistic:

[NB. No account has been taken of other activities or ageing processes which could add to the total frequency of demand on the safety function. In a 'real' safety case this should be done.]

The conservative consequence of either hazard (collision or splash) progressing to an accident is 0 mSv for the general public and < 2 mSv for a local on-site worker, assuming that the liquor involved comes only from the top 5 cm of the pond surface.

The general public would be entirely unaffected because both hazards involve relatively small volumes of pond liquor: in the case of a collision the escaped liquor is contained by the pond bund, and in the case of a splash the volume would be < 20 mL.

Method 1: The unmitigated failure rate of the robot (the demand rate on the SIF) has been shown to be < 2 pdfy for each of the 2 hazards (i.e. 4 pdfy in total) and it is argued that this is acceptable (blue circle in the diagram below).

SIL4 components (switches and relays) have been used in a 1oo4 architecture.

The diverse, independent and partially segregated SIF has a failure rate of 1E-4 pfd.

NB. This SIF failure rate is considered difficult to attain, even with SIL 4 components in a 1oo4 architecture. Therefore, a challenge to this claim could be mitigated by an additional SIF constructed from an analogue sonar sensor, configured to be short range and to look only in the direction of motion; on detecting an obstacle in the robot's path, it would cut power to the propellers.

Consequently, the residual likelihood of the hazard progressing to an accident is 4 pdfy × 1E-4 pfd = 4E-4 pdfy (green circle in the diagram below).

 

Method 2: The unmitigated failure rate of the robot (the demand rate on the SIF) has been shown to be < 2 pdfy for each of the 2 hazards (i.e. 4 pdfy in total) and it is argued that this is acceptable (blue circle in the diagram below). This rate is driven by the failure rate of the image classifier.

The robot does not have an entirely diverse, independent and segregated SIF. A diverse and independent sensor is used, with a claimed probability of failure on demand of 1E-4 pfd (a deterministic, process-based claim) when operating on its target hardware. The collision avoidance decision is taken by the symbolic AI, which has been formally verified and has diverse runtime monitors, for which 1E-4 pfd is claimed (again a deterministic, process-based claim) when operating on its target hardware. Therefore, conservatively, the SIF is claimed at 3E-4 pfd.

Consequently, the residual likelihood of the hazard progressing to an accident is 4 pdfy × 3E-4 pfd = 1.2E-3 pdfy (green circle in the diagram below).

NB. If the consequence of this hazard were > 2 mSv (and < 20 mSv, as no consequence above the BSL is considered) then one or both of the following may be needed:

  1. A timer, started by 1oo2 voting between the image classifier and the independent collision sensor, which removes power from the propellers if the AI has not avoided the collision before it times out.
  2. Method 1 alongside Method 2. It is also possible that the ONR would see Method 1 as a 'practicable' addition which would contribute to the ALARP claim even with a consequence of < 2 mSv.
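The arithmetic behind Methods 1 and 2 (residual frequency = demand rate × SIF pfd), together with the reason the 1E-4 pfd claim for the 1oo4 SIF under Method 1 is flagged as difficult to attain, as an added worked example; this is not part of the safety case. The per-channel pfd of 1E-3, the beta values and the beta-factor common-cause model itself are assumptions of the example, not figures from the page:

```python
"""Worked arithmetic behind the probabilistic argument (added illustration,
not part of the original safety case).

Units follow the page: demand rates on the SIF in events per year (the page's
"pdfy"), SIF reliability as a probability of failure on demand (pfd). The
per-channel pfd and the beta-factor common-cause model used below are
assumptions of this example, chosen to show why a 1E-4 pfd claim for a 1oo4
SIF is hard to attain; they are not figures from the safety case.
"""

DEMANDS_PER_YEAR = 4.0  # page: < 2 per year for each of 2 hazards, 4 in total


def residual_frequency(demand_per_year: float, sif_pfd: float) -> float:
    """Frequency (per year) of a hazard progressing to an accident.

    A demand becomes an accident only if the SIF fails on that demand, so the
    residual frequency is demand rate x pfd. Inputs are range-checked because
    a pfd outside [0, 1] silently produces a nonsense claim.
    """
    if demand_per_year < 0 or not 0.0 <= sif_pfd <= 1.0:
        raise ValueError("demand must be >= 0 and pfd must lie in [0, 1]")
    return demand_per_year * sif_pfd


def method1_residual() -> float:
    """Method 1: diverse, independent SIF claimed at 1E-4 pfd -> 4E-4 per year."""
    return residual_frequency(DEMANDS_PER_YEAR, 1e-4)


def method2_residual() -> float:
    """Method 2: SIF conservatively claimed at 3E-4 pfd -> 1.2E-3 per year."""
    return residual_frequency(DEMANDS_PER_YEAR, 3e-4)


def one_out_of_n_pfd(channel_pfd: float, n: int, beta: float = 0.0) -> float:
    """Approximate pfd of a 1ooN voted SIF (any single channel tripping suffices).

    Independent failures: all n channels must fail together, channel_pfd ** n.
    Common-cause failures (beta-factor model, an assumption of this example):
    a fraction beta of each channel's failures hit every channel at once and
    are not reduced by redundancy at all.
    """
    if n < 1 or not 0.0 <= channel_pfd <= 1.0 or not 0.0 <= beta <= 1.0:
        raise ValueError("n >= 1, and channel_pfd and beta must lie in [0, 1]")
    return channel_pfd ** n + beta * channel_pfd


def claim_achievable(target_pfd: float, channel_pfd: float, n: int,
                     beta: float) -> dict:
    """Compare a SIF pfd target against what the architecture can deliver.

    Returns the independent-only figure (what a naive 1ooN calculation
    suggests), the figure with common cause included, and whether the target
    is met. The gap between the two is why the 1E-4 claim is flagged as
    difficult: redundancy drives the independent term to nothing, so the claim
    is decided entirely by the common-cause (beta) term.
    """
    independent = one_out_of_n_pfd(channel_pfd, n, 0.0)
    with_ccf = one_out_of_n_pfd(channel_pfd, n, beta)
    return {
        "independent_only": independent,
        "with_common_cause": with_ccf,
        "claim_met": with_ccf <= target_pfd,
    }


if __name__ == "__main__":
    print(f"Method 1 residual: {method1_residual():.1e} per year")
    print(f"Method 2 residual: {method2_residual():.1e} per year")
    # Assumed per-channel pfd of 1E-3 in 1oo4, with beta of 10% and 5%.
    for beta in (0.10, 0.05):
        result = claim_achievable(1e-4, 1e-3, 4, beta)
        print(f"1oo4, channel pfd 1e-3, beta {beta:.0%}: "
              f"independent {result['independent_only']:.1e}, "
              f"with CCF {result['with_common_cause']:.1e}, "
              f"claim met: {result['claim_met']}")
```

With the assumed figures the independent 1oo4 term is 1E-12, four orders of magnitude below the target, yet the claim passes or fails purely on whether beta is 5% or 10%; this is the practical reason the note under Method 1 proposes a second, physically diverse SIF rather than more redundancy of the same kind.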

 

Deterministic:

The identified safety functions have been Categorised and the SSCs forming the SIFs Classified according to IEC 61226 (TAG 094).

The Categorisation for both hazards is Cat C and, as the SSCs form the principal means of fulfilling the Cat C functions, they have been classified as Class 3 according to the standard.

The standards used throughout have been shown to be commensurate with the nuclear standards for Class 3 SSCs; RGP has been applied and any deviations justified.