Guidance

Engineering: generic developed principles

Updated 2 May 2024

Applies to England

In this document we describe the standards we expect an operator to use when designing and operating its plant – the engineering developed principles (ENDPs).

These cover matters such as the design and commissioning of a plant, its mechanical and electrical parts and its control systems and monitoring instrumentation. In these matters we expect the operator to use what are the established, recognised, good standards across the industry – ‘relevant good practice’ or ‘best available techniques’ (BAT) – and to achieve a high degree of performance and reliability.

The engineering principles are based on those in the Office for Nuclear Regulation (ONR) safety assessment principles (SAPs) but are focused on environment protection.

The principles are intended to be applicable to all the nuclear and non-nuclear facilities that we regulate as radioactive substances activities, but the level of detail in which facilities should be expected to comply depends on the scale of radioactive substances operations.

For example, at nuclear facilities many or all of the considerations will apply, but at small laboratories fewer will be relevant. We expect that our assessments of compliance with the engineering principles can be carried out largely through examination of documentation prepared by operators for other purposes (for example, for submission to other regulators), rather than by requiring operators to prepare documents specifically to meet our expectations.

ENDP1 – inherent environmental protection

The underpinning environmental aim for any facility should be that the design inherently protects people and the environment, consistent with the operational purpose of the facility.

Considerations

An inherently safe environmental design is one that avoids radiological hazards to people and the environment rather than controlling them.

The principle applies to both routine operations and emergency situations.

ENDP2 – avoidance and minimisation of impacts

Radiological impacts to people and the environment should be avoided and where that is not practicable minimised commensurate with the operations being carried out.

Considerations

BAT should be employed to avoid, and where this is not practicable minimise, radiological impacts to people and the environment, either as a consequence of routine discharges or for those discharges resulting from an emergency (accident) situation.

The inventory of radiologically harmful substances should be reduced to the minimum necessary while still maintaining the required function of the facility.

The physical state of radiologically harmful substances should be controlled and managed to minimise their potential impacts to people and the environment.

ENDP3 – defence in depth

A facility should be designed so as to provide defence in depth against the occurrence of radiological impacts to people and the environment.

Considerations

During any normally permissible state of a facility no single random failure should prevent the delivery of an environment protection function.

Environment protection measures should be independent of each other, and the number of levels of protection should depend on the consequences of failure and the magnitude of the radiological impacts to people and the environment.

Redundancy, diversity and segregation should be incorporated as appropriate within the design of environment protection measures.

Common cause failure (CCF) should be explicitly addressed where an environment protection measure employs redundant or diverse components, measurements or actions to provide high reliability.

Where required reliabilities cannot be achieved due to CCF considerations, the required environment protection function should be delivered taking account of the concepts of diversity and segregation, and by providing at least two independent environment protection measures.
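The CCF point above is easiest to see with numbers. The following is an added example (not part of this guidance) of the simplified beta-factor model commonly used to put a figure on common cause failure; the failure rate, proof-test interval, beta values and target PFD in it are assumptions chosen for illustration. It shows why identical redundant channels hit a floor set by beta however many are added, and how much diversity and segregation (a lower beta) a 1oo2 arrangement needs to reach a claimed reliability. The same calculation is the kind of analysis ENDP7 expects behind a reliability claim.

```python
"""Beta-factor common cause failure (CCF) model for 1-out-of-N (1ooN) redundant
environment protection measures.

Added example, not part of the guidance. The failure rate, proof-test interval,
beta values and PFD target below are assumed illustrative numbers; the model is
the standard simplified beta-factor treatment (valid when lam * T << 1).
"""
from typing import Optional


def pfd_1oon(lam: float, test_interval: float, n: int, beta: float) -> float:
    """Average probability of failure on demand (PFD) of a 1ooN group.

    lam            dangerous failure rate of one channel, per hour (assumed)
    test_interval  proof-test interval T in hours; failures are only revealed at tests
    n              number of redundant channels; the measure works if any one works
    beta           fraction of each channel's failures that are common cause,
                   i.e. that take out every channel at once

    Independent part: ((1 - beta) * lam * T) ** n / (n + 1)  (time average of the
                      product of n linearly growing unavailabilities)
    Common cause part: beta * lam * T / 2                    (behaves like one extra
                      channel shared by all of them)
    """
    x = lam * test_interval
    return ((1.0 - beta) * x) ** n / (n + 1) + beta * x / 2.0


def ccf_floor(lam: float, test_interval: float, beta: float) -> float:
    """PFD that no amount of identical redundancy can get below."""
    return beta * lam * test_interval / 2.0


def channels_needed(lam: float, test_interval: float, beta: float,
                    target: float, max_n: int = 4) -> Optional[int]:
    """Smallest N (up to max_n) whose 1ooN PFD meets the target, or None when
    the CCF floor dominates and adding identical channels cannot help."""
    for n in range(1, max_n + 1):
        if pfd_1oon(lam, test_interval, n, beta) <= target:
            return n
    return None


def max_beta_for_target(lam: float, test_interval: float, n: int,
                        target: float, iters: int = 60) -> Optional[float]:
    """Largest beta at which a 1ooN group still meets the target, i.e. how much
    diversity and segregation the design has to buy. Bisection on beta; for
    lam * T << 1 the PFD is non-decreasing in beta, so the search is well defined.
    Returns None if the target is missed even at beta = 0."""
    if pfd_1oon(lam, test_interval, n, 0.0) > target:
        return None
    lo, hi = 0.0, 1.0
    for _ in range(iters):
        mid = (lo + hi) / 2.0
        if pfd_1oon(lam, test_interval, n, mid) <= target:
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    LAM, T, TARGET = 1e-6, 8760.0, 1e-4   # per hour, annual proof test, claimed PFD
    for beta in (0.10, 0.02, 0.01):       # identical, partly diverse, well segregated
        row = [f"{pfd_1oon(LAM, T, n, beta):.2e}" for n in (1, 2, 3)]
        print(f"beta={beta:.2f}  1oo1/1oo2/1oo3 PFD: {row}  "
              f"floor={ccf_floor(LAM, T, beta):.2e}  "
              f"N needed for {TARGET:.0e}: {channels_needed(LAM, T, beta, TARGET)}")
    print(f"1oo2 meets {TARGET:.0e} only if beta <= "
          f"{max_beta_for_target(LAM, T, 2, TARGET):.4f}")
```

With the assumed numbers, identical channels (beta 0.1) never get below about 4.4e-4 whatever N is, so a 1e-4 claim cannot be met by redundancy alone; a 1oo2 group meets it only once beta is brought under roughly 0.017, which in practice means diverse, segregated measures rather than more copies of the same one.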

ENDP4 – environment protection functions and measures

Environment protection functions under normal and fault conditions should be identified, and it should be demonstrated that adequate environment protection measures are in place to deliver these functions.

Considerations

An environment protection function is a function that is necessary to a facility for the avoidance or minimisation (or both) of radiological impacts to people and the environment. Examples of environment protection functions are:

  • minimisation of gaseous discharges of radioactive wastes from vessel x during normal operations
  • prevention of liquid releases of radioactive waste during fault condition y

The identification of environment protection functions should be based on an analysis of all potential events (faults) which could lead to radiological impacts to people and the environment, and consider all planned routine releases of radioactive waste to the environment and the release points.

Support services and facilities necessary for the delivery of an environment protection function should be designed and routed such that, in the event of an incident there is sufficient capability to maintain their performance.

Environment protection measures that are employed to deliver each environment protection function should be identified. Examples of environment protection measures are particulate filters in gaseous discharge lines and liquid effluent treatment plants.

Environment protection measures should be included for both accidental and routine releases.

The availability and reliability of the environment protection measures should be commensurate with the significance of the radiological impact to people and the environment to be managed.

Unauthorised access to or interference with environment protection measures and with related structures and components, should be prevented.

The introduction of administrative environment protection measures should also be considered where appropriate.

There should be measures in place to mitigate the consequences of any fault where radioactivity is released to the environment from its intended containment, but these measures should not be regarded as a substitute for fault prevention.

The method for assessing environment protection measures should take into account the:

  • consequence of failing to deliver the appropriate environment protection function
  • extent to which the function is required, either directly or indirectly, to prevent, protect against or mitigate the consequences of initiating faults
  • potential for a functional failure to initiate a fault or exacerbate the consequences of an existing fault
  • likelihood that the measure will be called upon
  • time following any initiating fault at which, or the period throughout which, it will be called upon to operate

Passive environment protection measures that do not rely on control systems, active systems or human intervention are preferable to active measures.

Automatically initiated active engineered environment protection measures are preferable to manually initiated measures.

Environment protection measures that need to be manually brought into service should be considered only if passive or automatic measures are impractical.

There should be substantiation that environment protection measures deliver environment protection functions. Where appropriate this should be carried out by setting limits or levels and demonstrating compliance with them.

ENDP5 – human factors

Human actions should be taken into account in the design of a facility and in operating procedures.

Considerations

A systematic approach should be taken to identifying human actions that can impact on the delivery of an environment protection function.

When designing measures to deliver an environment protection function, the allocation of actions between humans and technology should be substantiated and dependence on human action to maintain a benign state should be minimised.

The actions of personnel responsible for monitoring and controlling the facility both in normal operations and responding to faults, and of personnel carrying out maintenance, testing and calibration activities, should be defined. This includes consideration of the impacts of engineers, analysts, managers and other staff who may not interact directly with plant and equipment.

Administrative controls used to deliver an environment protection function should be systematically identified. The design of these controls should be such that the requirements for action by personnel are clearly identified and unambiguous to those responsible for their implementation.

An analysis should be carried out of tasks important to delivering an environment protection function to determine demands on personnel in terms of perception, decision making and action.

The workload of personnel required to fulfil environment protection functions should be analysed and demonstrated to be reasonably achievable.

User interfaces, comprising controls, indications, recording instrumentation and alarms should be provided at appropriate locations and should be suitable and sufficient to support effective monitoring and control of the facility during all facility states.

The user interface should:

  • enable the operator to determine facility states and the availability and status of equipment, and provide conspicuous early warning of any changes in facility state
  • provide the means of confirming environmental challenges and identifying, initiating and confirming necessary actions
  • support effective diagnosis of deviations
  • enable the operator to determine and execute appropriate system actions, including actions to overcome failures of automated systems or to reset a system after its operation

Procedures should be produced to support reliable human performance during activities that could impact on the delivery of an environment protection function.

ENDP6 – engineering codes and standards

Environment protection measures should be designed, manufactured, constructed, installed, commissioned, quality assured, maintained, tested and inspected to the appropriate standards.

Considerations

The standards should reflect the reliability requirements of structures, systems and components and be commensurate with their environment protection function.

Appropriate national or international codes and standards should be adopted for structures, systems and components, with a preference for international standards where available.

The codes and standards should be evaluated to determine their applicability, adequacy and sufficiency and should be supplemented or modified as necessary to a level commensurate with the importance of the environment protection function(s) being performed.

Where there are no appropriate established codes or standards, an approach derived from existing codes or standards for similar equipment, in applications with similar significance, may be applied. Alternatively, the statistical results of experience, tests, analysis, or a combination thereof, should be applied to demonstrate that the item will perform its environment function(s) to an appropriate level.

ENDP7 – reliability

A facility should be so designed and operated that the environment protection measures are reliable.

Considerations

The reliability claimed for any environment protection measure in preventing or minimising radiological impacts to people and the environment should take into account its novelty, the experience relevant to its proposed environment, and the uncertainties in operating and fault conditions, physical data and design methods.

Adequate reliability and availability for environment protection measures should be demonstrated by suitable analysis and data.

Where reliability data is unavailable, the demonstration should be based on a case-by-case analysis and include a:

  • comprehensive examination of all the relevant scientific and technical issues
  • review of precedents set under comparable circumstances
  • periodic review of further developments in technical information, precedent and best practice

Where data are shown to be inadequate, appropriate steps should be taken to ensure that the onset of failure of any environment protection measure can be detected, and that the consequences of failure are minimised. This may include replacing the component after a fixed lifetime, or dependent on inspection results.

ENDP8 – ageing and degradation

The working life of an environment protection measure that is intended to deliver an environment protection function should be assessed to ensure that the measure will be effective during its intended lifetime.

Considerations

Particular attention should be given to the evaluation of those components that are judged to be difficult or impracticable to replace.

There should be an adequate margin between the intended operational life and the predicted working life of such structures, systems and components.

Programmes for monitoring, inspection, sampling, surveillance and testing, to detect and monitor ageing and degradation processes, should be used to verify assumptions and assess whether the margins will be adequate for the remaining life of the structure, system or component.

ENDP9 – fault sensitivity

The sensitivity of the facility to potential faults that could have radiological impacts to people and the environment should be minimised.

Considerations

Ideally, environment protection measures should have no unsafe failure modes.

Any failure, process perturbation or mal-operation in a facility should ideally produce a change in facility state towards a benign condition, or produce no significant response.

If the change is to a less benign condition, then systems should have long time constants such that key parameters deviate only slowly from their desired values.

ENDP10 – quantification of discharges

Facilities should be designed and equipped so that best available techniques are used to quantify the gaseous and liquid radioactive discharges produced by each major source on a site.

Considerations

Discharge routes should be provided with suitable means to measure any release of radioactive substances from the facility to the environment, whether the release is routine or accidental.

Wherever practicable, discharge monitoring should occur prior to release into the environment.

Where several discharge routes come together before the point of release to the environment there should be means of monitoring or assessing each route so that the contributions from various sources to discharges to the environment can be quantified.

Within each facility there should be means to provide early warning of states that could lead to discharges above normal levels for that facility.

ENDP11 – maintenance, inspection and testing

Structures, systems and components that are, or comprise part of, environment protection measures should receive regular and systematic examination, inspection, maintenance and testing.

Considerations

Requirements for in-service testing, inspection and maintenance procedures for environment protection measures, and the frequencies of these, should be identified prior to initial operation, and at regular intervals thereafter.

Appropriate facilities and locations should be provided within the facility to conduct any required maintenance, tests or inspections.

Radioactive waste management procedures should be put in place to deal with the expected arisings of waste during maintenance operations.

For components of particular concern and where it is not possible to confirm the ability to operate under the most onerous design conditions, reference data from commissioning or rig testing should be established for comparison against in-service test results.

Commissioning and in-service inspection and test procedures should be adopted that ensure initial and continuing quality and reliability.

Inspection should be of sufficient extent and frequency to give adequate confidence that degradation will be detected before loss of the environment protection function.

Where test equipment, or other engineered means, are claimed as part of in-service or periodic testing, maintenance, monitoring and inspection provisions, the extent to which they reveal failures affecting environment protection functions should be justified. The test equipment, or other engineered means, should be tested at intervals sufficient to uphold the reliability claims of the equipment within which it is claimed to reveal faults.

Where practicable, maintenance, inspection and testing should be carried out as part of normal operations, and it must be possible to carry out these tests without the loss of any environment protection function.

Structures, systems and components that are, or comprise part of, environment protection measures, should be inspected or re-validated (or both) after any internal or external event that might have challenged their design basis.

ENDP12 – commissioning

Before operating any facility or process, commissioning tests should be defined and carried out to demonstrate that, as built, the facility or process will be capable of delivering the environment protection functions.

Considerations

Radioactive substances should not be generated on the facility, or brought onto the facility, unless and until sufficient and suitable arrangements are available for their containment and management.

Commissioning tests should endeavour to identify any errors made during the design, manufacture, or construction/installation stages.

Commissioning tests and inspections should:

  • confirm the facility’s design assumptions and predicted performance in relation to the environment protection functions
  • characterise the facility as a basis for evaluating its behaviour during its operational life – analysis should be reviewed in the light of the results of the commissioning programme and of any modifications made to the design or intended operating procedures since the commencement of construction

The tests should be divided into stages so as to complete as much inactive testing as possible before the introduction of any radioactive substances. Inactive testing should demonstrate that the facility has been constructed, manufactured and installed correctly.

Inactive testing should also be used to confirm the operational features of the facility and to develop the operating instructions, which should then be confirmed as adequate during active commissioning.

ENDP13 – external and internal hazards

External and internal hazards that could affect the delivery of an environment protection function should be identified and the best available techniques used to avoid or reduce any impact.

Considerations

For each type of external hazard, facility-specific data (or, if this is not appropriate, the best available relevant data) should be used to determine the relationship between event magnitudes and their frequencies.

For each internal or external hazard that cannot be excluded on the basis of either low frequency or insignificant consequence, a design basis event should be derived.

Analyses should take into account:

  • that certain internal or external hazards may occur simultaneously or in a combination that can reasonably be expected
  • that an internal or external hazard may occur simultaneously with a facility fault, or when the facility is not available due to maintenance
  • cases where there is a significant potential for internal or external hazards to act as initiators of common cause failure, including loss of off-site power and other services
  • internal and external hazards which have the potential to threaten more than one level of defence in depth at once
  • internal hazards (for example, fire) which could arise as a consequence of faults internal or external to the site and which should therefore be included in the relevant fault sequences
  • that the severity of the effects of an internal or external hazard experienced by the facility may be affected by facility layout, interaction, and building size and shape

The on-site use, storage or generation of radioactive substances should be controlled and located so that any accident to, or release of, the substances will not jeopardise delivery of an environment protection function.

Sources that could give rise to hazards such as fire, explosion or missiles should be identified, specified quantitatively, and their potential as a source of radiological impact to people and the environment assessed. This identification should take into account:

  • projects and planned future developments on and off the site
  • the adequacy of protection of the environment from the effects of any incident in an installation, means of transport, pipeline, power supplies or water supplies either inside or outside the facility
  • that sources could be either on or off the site

ENDP14 – control and instrumentation – environment protection systems

Best available techniques should be used for the control and measurement of plant parameters and releases to the environment, and for assessing the effects of such releases in the environment.

Considerations

Environment protection systems should be established to ensure, during normal and fault conditions, that environment protection measures are operating correctly. An environment protection system is any integrated system of environment protection measures, associated instrumentation and controls, communications, and relevant instructions and computer software.

Adequate provisions should be made to enable the monitoring of the facility state in relation to protection of people and the environment, and to enable the taking of any necessary actions.

Adequate provisions should be made to enable environmental monitoring (to measure the impact of facility discharges).

Variables used to initiate an environment protection system action should be identified and shown to be sufficient for the purpose of avoiding or minimising radiological impacts to people and the environment. The limiting conditions for those variables for which the environment protection system has been established should be specified. The system should be designed to respond such that these limiting conditions are not transgressed.

The system should employ diversity in the detection of fault sequences, preferably by the use of different variables, and in the initiation of the environment protection system.

An environment protection system should be automatically initiated and, normally, no human intervention should be necessary following the start of a requirement for protective action. Where human intervention is necessary, then the time before such intervention is required should be demonstrated to be sufficient.

The capability of an environment protection system, and of each of its constituent sub-systems and components, should be defined. The capability should exceed by a clear margin the maximum service requirement(s). The selected margin should make due allowance not only for uncertainties in facility characteristics, but also for the effects of foreseeable degradation mechanisms.

Adequate provision should be made to prevent the infringement of any service requirement of an environment protection system, its sub-systems and components.

Environment protection system actions and associated alarms should not be self-resetting, irrespective of the subsequent state of the initiating fault.

An appropriate alarm philosophy should be applied such that where large numbers of alarms are generated by an event, alarm masking and flooding is avoided.

No means should be provided, or be readily available, by which the configuration of an environment protection system, its operational logic or the associated data may be altered, other than by specifically engineered and adequately secured maintenance/testing provisions used under strict administrative control.

The interfaces required between an environment protection system and the facility to detect a fault sequence and bring about a benign facility state should be engineered by means that have a direct, known, timely and unambiguous relationship with facility behaviour.

Where practicable, the design of an environment protection system should avoid complexity, apply a fail-safe approach and incorporate a means of revealing internal faults from the time of their occurrence.

An environment protection system should avoid spurious operation at a frequency that might directly or indirectly degrade its performance.

In determining environment protection system provisions, allowance should be made for the unavailability of equipment. The minimum amount of operational environment protection system equipment for which any specified facility operation will be permitted should be defined and shown to meet the single failure principle (that is, no single random failure prevents delivery of the environment protection function).

The vetoing or the taking out of service of any environment protection system should be avoided. Where such action is proposed, each need should be justified and the adequacy of its implementation demonstrated. In an environment protection system comprising several redundant or diverse sub-systems no single action should affect more than one sub-system.
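The considerations above describe the behaviour of a protection system rather than any particular implementation. As an added example that is not part of this guidance, the Python below models a small environment protection system with the properties listed: two diverse variables, 2oo3 voting per variable (one random channel failure tolerated), a trip that latches until an explicit operator reset, a bypass that can degrade only one channel of a variable at a time and must be justified, a missing or faulted reading treated fail-safe as a trip vote and logged, and setpoints that can only be changed through a key-controlled maintenance provision. The channel names, variables, setpoints and maintenance key are assumptions; the degradation from 2oo3 to 1oo2 while a channel is bypassed is a design choice, not something the guidance specifies.

```python
"""Trip logic for an environment protection system: diverse variables, 2oo3 voting,
latched (non-self-resetting) trips, single-channel bypass and key-controlled setpoints.

Added example, not part of the guidance. Channel names, variables, setpoints and the
maintenance key are assumed for illustration; the degradation rule (2oo3 -> 1oo2 with a
channel bypassed) and the fail-safe treatment of a missing reading are design choices.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Channel:
    name: str
    variable: str      # process variable this channel measures (diversity = different ones)
    limit: float       # limiting condition; a reading at or above it is a trip vote
    bypassed: bool = False


class ProtectionSystem:
    def __init__(self, channels: List[Channel], maintenance_key: str) -> None:
        self.channels = channels
        self._maintenance_key = maintenance_key   # assumed secret for the demo
        self.tripped = False
        self.log: List[str] = []

    def _variables(self) -> List[str]:
        return list(dict.fromkeys(c.variable for c in self.channels))

    def _channel(self, name: str) -> Channel:
        return next(c for c in self.channels if c.name == name)

    def _demands_trip(self, variable: str, readings: Dict[str, Optional[float]]) -> bool:
        in_service = [c for c in self.channels if c.variable == variable and not c.bypassed]
        votes = 0
        for c in in_service:
            value = readings.get(c.name)
            if value is None:              # faulted or missing channel: fail safe, and
                votes += 1                 # reveal the internal fault in the log
                self.log.append(f"FAULT {c.name}: no valid reading")
            elif value >= c.limit:
                votes += 1
        # 3 channels: 2oo3 (one random failure tolerated); 2 channels: 1oo2 (conservative)
        return votes >= max(1, len(in_service) - 1)

    def evaluate(self, readings: Dict[str, Optional[float]]) -> bool:
        """Run one protection cycle. A trip latches: it never clears on its own."""
        for variable in self._variables():
            if self._demands_trip(variable, readings) and not self.tripped:
                self.tripped = True
                self.log.append(f"TRIP on {variable}")
        return self.tripped

    def reset(self, readings: Dict[str, Optional[float]]) -> bool:
        """Explicit operator action; refused while any variable still demands a trip."""
        still = [v for v in self._variables() if self._demands_trip(v, readings)]
        if still:
            self.log.append(f"RESET refused: {', '.join(still)} still demand trip")
            return False
        self.tripped = False
        self.log.append("RESET by operator")
        return True

    def bypass(self, name: str, justification: str) -> None:
        """Take one channel out of service. Each bypass needs a recorded justification,
        and no single action may degrade more than one channel of the same variable."""
        if not justification.strip():
            raise ValueError("bypass requires a recorded justification")
        ch = self._channel(name)
        already = [c.name for c in self.channels if c.variable == ch.variable and c.bypassed]
        if already:
            raise RuntimeError(f"{already[0]} already bypassed on {ch.variable}")
        ch.bypassed = True
        self.log.append(f"BYPASS {name}: {justification}")

    def restore(self, name: str) -> None:
        self._channel(name).bypassed = False
        self.log.append(f"RESTORE {name}")

    def set_limit(self, name: str, new_limit: float, key: str) -> None:
        """Setpoints change only through the secured maintenance provision."""
        if key != self._maintenance_key:
            self.log.append(f"REFUSED setpoint change on {name}: bad maintenance key")
            raise PermissionError("setpoint changes require the maintenance key")
        ch = self._channel(name)
        self.log.append(f"SETPOINT {name}: {ch.limit} -> {new_limit}")
        ch.limit = new_limit


def build_demo() -> ProtectionSystem:
    """Two diverse variables (assumed): stack activity (Bq/m3) and HEPA filter dP (Pa)."""
    chans = [Channel(f"ACT-{i}", "stack_activity", 400.0) for i in (1, 2, 3)]
    chans += [Channel(f"DP-{i}", "filter_dp", 500.0) for i in (1, 2, 3)]
    return ProtectionSystem(chans, maintenance_key="demo-maintenance-key")


if __name__ == "__main__":
    ps = build_demo()
    normal = {"ACT-1": 10.0, "ACT-2": 11.0, "ACT-3": 9.0,
              "DP-1": 200.0, "DP-2": 210.0, "DP-3": 205.0}    # constructed readings
    print("one high channel trips?", ps.evaluate({**normal, "ACT-1": 500.0}))
    print("two high channels trip?", ps.evaluate({**normal, "ACT-1": 500.0, "ACT-2": 520.0}))
    print("still tripped after readings return to normal?", ps.evaluate(normal))
    print("reset accepted?", ps.reset(normal))
    print("\n".join(ps.log))
```

The log is the record an assessor would look for: every trip, refused reset, bypass with its justification, revealed channel fault and setpoint change (including refused ones) is written down, and there is no code path that alters a limit or clears a trip without an explicit, attributable action.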

Where system reliability depends significantly on the performance of computer software, appropriate standards and practices should be established and complied with throughout the software development life-cycle, commensurate with the level of reliability required, and this should be demonstrated through ‘production excellence’ and ‘confidence-building’ measures.

Suitable and sufficient environment protection system control and instrumentation should be available to the facility operator at appropriate locations within the facility.

The reliability, accuracy, stability, response time, range and, where appropriate, the readability of instrumentation should be adequate for its required service.

Adequate and reliable controls should be provided to maintain variables within specified ranges.

The minimum control and instrumentation for which facility operation may be permitted should be specified and its adequacy substantiated.

Environment protection system control and instrumentation should be operated from power supplies for which reliabilities and availabilities are consistent with the functions being performed.

Adequate communications systems should be provided to enable information and instructions to be transmitted between locations and to provide external communications with auxiliary services and such other organisations as may be required.

Control systems should respond in a timely and stable manner to normal facility disturbances without causing demands on environment protection systems.

ENDP15 – mechanical containment systems for liquids and gases

Best available techniques should be used to prevent or minimise (or both) releases of radioactive substances to the environment, either under routine or accident conditions.

Considerations

The primary means of confining radioactive substances should be by the provision of passive sealed containment systems in preference to the use of active dynamic systems and components.

Where appropriate, containment design should:

  • define the containment boundaries with means of isolating the boundary
  • establish a set of limits for the containment systems and for individual structures and components within each system
  • define the requirements for the performance of the containment in the event of a severe accident as a result of internal or external hazards, including its structural integrity and stability
  • include provision for maintaining the facility in a benign state following any incident involving the accidental release of radioactive substances within or from a containment, including equipment to allow decontamination and post-incident re-entry to be safely carried out
  • minimise the size and number of service penetrations in the containment boundary, which should be adequately sealed to reduce the possibility of radioactive substances escaping from containment via routes installed for other purposes
  • avoid the use of ducts that need to be sealed by isolating valves under accident conditions. Where isolating valves and devices are provided for the isolation of containment penetrations, their performance should be consistent with the required containment duties and should not prejudice adequate containment performance
  • provide discharge routes, including pressure relief systems, with treatment system(s) to minimise releases of radioactive substances. There should be appropriate treatment or containment of the fluid, before or after it is released from the system
  • define the performance requirements of containment systems to support maintenance activities
  • demonstrate that the loss of electrical supplies, air supplies and other services does not lead to a loss of containment or of the delivery of its environment protection function
  • demonstrate the control methods and timescales for re-establishing the containment conditions where access to the containment is temporarily open (for example, during maintenance work)

Containment systems should be designed such as to make provision for the segregation of different waste streams. This applies to vessel inputs as well as the vessels themselves.

Should a pressure relief system operate, the performance of the containment should not be degraded.

Where the environmental challenge dictates, waste storage vessels, process vessels, piping, ducting and drains (including those that may serve as routes for escape or leakage from containment) and other items that act as containment for radioactive substances, should be provided with further containment barrier(s) that have sufficient capacity to deal safely with the leakage resulting from any fault.

Suitable monitoring devices with alarms, and provisions for sampling, should be provided to detect and assess changes (for example, level, volume, concentration) in the stored radioactive substances.

Appropriate sampling and monitoring systems and other provisions should be provided outside the containment to detect, locate, quantify and monitor leakages of radioactive substances from the containment boundaries under normal and accident conditions.

Where provisions are required for the import or export of radioactive substances into or from the facility containments, the number of such provisions should be minimised.

ENDP16 – ventilation systems

Best available techniques should be used in the design of ventilation systems.

Considerations

Where a ventilation system is deemed necessary, it should include appropriate treatment systems to remove and collect airborne radioactive substances prior to discharge of the cleaned gas stream to the environment. Such systems may include particulate filtration, scrubbers and cyclones where appropriate.

Where appropriate, ventilation systems should include the following:

  • means for control of the dispersal, and reduction of the concentration, of airborne activity within the process plant and in aerial discharges
  • segregation and isolation to protect against internal and external hazards and to prevent the mixing of ventilation streams of different hazard potentials, for example, explosive, toxic and radioactive – such hazards should be managed to avoid compounding the harm potential
  • facilitating, where appropriate, permanent or temporary access to facility zones without impairing the performance of the ventilation system
  • accounting for effects of wind velocity and potential air pressure fluctuations caused by nearby structures, discharges from other facilities and extreme weather conditions
  • facilities enabling removal and reinstatement of ventilation equipment for maintenance and replacement purposes
  • qualification of ventilation systems in terms of their environment function and appropriate selection of materials and equipment for the required design life
  • minimising the total airflow through the system from inlet to discharge to reduce the requirement for disposal of filters, while retaining a safe atmosphere, airflow velocities, pressure differences and other features of the design

The location of ventilation filters should minimise the dose rates to the general public.

The design should provide for monitoring and testing of ventilation systems and associated filters and gas treatment systems to ensure that they continue to meet the design requirements. This should include provision of appropriate alarm/control systems on key facility parameters.

ENDP17 – civil engineering

It should be demonstrated that structures which are, or comprise part of, environment protection measures are sufficiently free of defects such that the relevant environment function(s) is not compromised, that identified defects are tolerable, and that the existence of defects that could compromise the environment protection function can be established throughout their life-cycle.

Considerations

Consideration should be given to groundwater conditions, contamination conditions and soil dynamic properties at the design stage of a facility.

The design of embankments, natural and excavated slopes, river levees and sea defences close to a facility should be such as to prevent or minimise the release of radioactive substances to the environment.

The design should be such that the facility remains stable against possible changes in the groundwater conditions.

The design should take account of the possible presence of underground structures such as tunnels, trenches and basements.

ENDP18 – essential services

Best available techniques should be used to ensure that loss of essential services does not lead to radiological impacts to people or the environment.

Considerations

Services need to be provided for a sufficient period of time to allow the facility to be brought to a benign state and maintained in that state until such time as the normal supply is restored.

Where a service is obtained from a source external to the facility, that service should also be obtainable from a back-up source within the facility. Each back-up source should have the capacity, duration, availability and reliability to meet the maximum requirements of its dependent systems.

Where essential services are shared with other facilities on a multi-facility site, the effect of the sharing should be taken into account in assessing the adequacy of the supply.

Protection devices provided for essential service components or systems should be limited to those that are necessary and that are consistent with facility requirements.

Where a source external to the facility is employed as the only source of the essential services needed to provide adequate protection then, where practicable, the specification, availability and reliability should be the same as for an internal source.

Essential services should be designed such that the simultaneous loss of both normal and back-up services will not lead to radiological impacts in the environment.