NFS Safety Notices Issue No. 96-02 May 1996
Risk-Based Analysis of Electrical Hazard
Introduction

This notice is one in a series of publications issued by the Office of Nuclear and Facility Safety to share nuclear safety information throughout the Department of Energy complex. For more information, contact Richard L. Trevillian, Office of Operating Experience Analysis and Feedback, Office of Nuclear and Facility Safety, U.S. Department of Energy, Washington, DC 20585, telephone (301) 903-3074. This Safety Notice should be processed as an external source of lessons-learned information as described in DOE-STD-7501-95, Development of DOE Lessons-Learned Programs.

Safety Notices are distributed to U.S. Department of Energy Program Offices, Field Offices, and contractors who have responsibility for the operation and maintenance of nuclear and related facilities, and to other organizations involved in nuclear safety. Written requests to be added to or deleted from the distribution of Safety Notices should be sent to: Christine Crow, RPI, 20251 Century Blvd., Germantown, MD 20874 or by fax, (301) 540-2499.

The ESH Office of Information Management maintains a file of Safety Notices and supporting information. Copies can be obtained by contacting the Office of Information Management at (301) 903-0449 or by writing to the Office of Information Management, U.S. Department of Energy, EH-72/Suite 100, CXXI/3, Washington, DC 20585.

Notice Summary

Office of Nuclear and Facility Safety (NFS) engineers have developed an approach for risk-based analysis of operating events at Department of Energy (DOE) facilities. This Safety Notice presents this method and its application to a non-radiological, industrial hazard. A similar analysis of a radiological event was presented in a previous Safety Notice.[1] The event used in this Notice was reported in the Occurrence Reporting and Processing System (ORPS), and preliminary analysis of the event has been presented in the Operating Experience Weekly Summary.[2] The risk-based approach provides a risk measure for an event.
The measure shows risk implications of an event, allows risk-appropriate responses to the event, and provides a means for comparing the safety significance of dissimilar events at different facilities.

Applicability

This Safety Notice is applicable to the conduct of operations at facilities owned or operated by DOE. NFS advises operators of these facilities to become familiar with the techniques of risk-based analysis and apply them to improve facility safety. No specific action or response is required as a result of this notice. NFS recommends processing this Notice in accordance with DOE-STD-7501-95, "Development of DOE Lessons Learned Programs."[3]

Risk-Based Approach

An overview of the approach is shown in Figure 1. First, given an operating event, possible undesirable consequences (such as fatality or injury to employees or the public, property damage, and impact on the environment) are identified. Next, qualitative estimates are made of the magnitude of the undesirable consequence and the conditional probability that it will occur.

The undesirable consequence is assessed as high if the potential exists for fatality or property damage (including environmental remediation expenses) of more than $1,000,000, medium if there is potential for severe injury or property damage of more than $100,000, and low otherwise. In this context, "severe injury" means an injury that would lead to the termination of employment as a result of this event alone, or hospitalization of a member of the public.

The qualitative estimate of the conditional probability is performed using the residual protection. This is determined by the number and types of remaining barriers that provide protection from the undesirable consequence. Barriers may be either equipment or human actions. If two independent barriers of good quality remain, the conditional probability is assessed as medium.
Fewer than two barriers result in a high conditional probability, while more barriers result in an estimate of low conditional probability.
Figure 1. Overview of Risk-Based Approach

Qualitative assessment of conditional probability and of consequence allows an assessment of the conditional risk from the event. If this risk is less than medium-medium, no further analysis is necessary, and the results of the qualitative assessment are documented. If conditional risk is medium-medium or higher, the following additional steps are necessary.

Determine a semi-quantitative estimate of the conditional probability using a simplified event or fault tree that incorporates the barriers. Base failure frequencies on facility-specific data if available, generic data, or informed estimates. Similarly, determine a semi-quantitative estimate of the magnitude of the consequence. For industrial hazards, the consequence is usually self-evident. For radiological and chemical hazards, use an accident analysis approach similar to that developed in DOE Defense Programs to estimate the consequence.[4] Because most events with a conditional risk of medium-medium or higher have some likelihood of personnel fatality, it is convenient to use the risk of fatality from the event as a measure to categorize the event. Use this risk measure to assess the safety significance of the event and help decide the appropriate level of response to the event.

Possible responses to the event may include improvements in equipment or procedures. A cost-benefit analysis of such improvements may be necessary. Before engaging in these additional analyses, justify them by the level of risk. Compare a risk measure of the event (the risk of fatality) to a reference value. If the risk of fatality is less than this reference value, then a risk-appropriate response to the event need not include corrective actions. In this case, further analysis of the event is unnecessary. Document the results of the analysis performed thus far. If the risk of fatality of the event exceeds the reference risk value or is comparable to it, take the following additional steps.
Refine the existing risk estimates. This is achieved in a number of ways. Re-examine and refine any assumptions used in the analysis if better information is available. Interview facility operational personnel to modify or refine failure frequencies used earlier in the process. If dependent failure modes are likely and have not been considered, make appropriate allowances for them at this time. Consider in more detail the function and efficacy of the systems, components, structures, and procedures that played a preventive or mitigating role during the event, particularly those that are likely candidates for upgrading to corrective measures.

Finally, perform a cost-benefit analysis of possible systems and procedure modifications. Calculate the benefit of corrective actions that could prevent a similar event. The benefit is the averted cost of the consequences times the reduction in the conditional probability. Assume the averted cost of each fatality is $1,000,000 and the averted cost of each severe injury is $100,000. These costs are in accordance with numbers used by DOE/EH/1570-H5.[5] Take the cost of damage to property into account in a straightforward manner. Estimate the averted environmental damage cost from the cost of necessary remedial actions. Some benefits of corrective actions, such as the time cost of money and avoiding facility downtime, may be difficult to estimate quantitatively but can be taken into account in a qualitative fashion.

Include hardware and labor in costs of corrective actions. If a corrective action involves augmenting a procedure, include costs associated with the augmented procedure. These include increased efforts, training costs, and material costs. If a corrective action has a significant risk of not preventing future similar events, factor that risk into the cost-benefit analysis. The cost-benefit analysis of corrective actions provides one input to the decision to implement.
Considerations other than the cost-benefit analysis may reinforce or override conclusions of the analysis.

This analytical approach is applied to an electrical hazard event at a composite materials technology facility under construction. It demonstrates the applicability of the methodology to incidents involving non-radiological industrial hazards. Some aspects of the events, such as communication, supervision, training, procedures, execution, and configuration control, were not covered in detail or were omitted in this Notice. However, care was taken to provide the facts of the incident with as little alteration as possible by assumptions and simplifications inherent in the analysis.

Analysis of an Electrical Hazard Incident

In June 1994, an electrician working on a 480-volt main distribution panel in a composite materials technology facility at the Oak Ridge Y-12 Plant received serious flash burns from an electrical arc blast. An electrical fault caused by contact between a ground wire being installed and exposed parts of energized incoming connections caused the arc blast. The energized connections were to the main breaker, which had been turned off.[6] A DOE Type A accident investigation of the incident was conducted.[7]

The following event scenario was established for the analysis. After the electrician removes the protective cabinet enclosure covering a distribution panel, several barriers exist to protect him from electrical hazards. The first is a work plan that acquaints him with the hazards involved and provides him with instructions on how to safely execute the task. A second barrier is a procedure for electrical energy isolation and control (lockout/tagout). Protective equipment, such as insulating blankets and safety glasses, provides a third barrier. In this event, the first barrier failed and, consequently, the second and third failed as well.
The conditional probability of a severe injury was judged to be high because of the crucial role played by the first barrier and the dependent nature of the subsequent barriers on the first barrier. Because the potential for severe injury or fatality existed, the consequence was also judged as high, leading to a "high-high" categorization for the conditional risk.

Figure 2 (Please refer to hard copy) is a simplified event tree for the incident. The barriers constitute nodes of the event tree. A work plan was generated for the activity, but it was deficient in several respects. The task was categorized as low risk, as required by section 18.1 of DOE 4330.4B,[8] based on considerations of the safety and health of the public, not risk to the electrician. The work plan also did not require a high-voltage lockout/tagout to completely de-energize the panel. Although the work plan referenced plant procedures, it neither identified protective equipment required for the work nor made provisions for providing the equipment.

The deficiencies in the work plan were caused by human error. Human error belongs to the category of initiator actions, including slips and mistakes, that cause initiating events. This category of human error has probabilities in the range of 10^-2 to 10^-4. The probability may be an order of magnitude higher if a need exists for systems knowledge or for interpreting indirect information, as existed in this case. The probability of an inadequate work plan was, therefore, established as 10^-1. Because the work plan failed to specify a high-voltage lockout/tagout and protective equipment, these barriers were as likely as not to be implemented. The conditional probability for a severe injury was, therefore, estimated at 0.1 x 0.5 x 0.5, or 2.5 x 10^-2.

The ratio of occurrence of death to disabling injuries in U.S. industries was 1.5 x 10^-3 in 1994.[9] The ratio was higher if only incidents with the potential for fatality were considered.
For example, for motor vehicle injuries, the ratio was 2.2 x 10^-2. For collisions between motor vehicles and pedestrians, the ratio was 9.2 x 10^-2. Considering that fatal injuries are about an order of magnitude less frequent than severe injuries, the conditional probability of fatality may be estimated at 2.5 x 10^-3, which is also the risk of fatality from the event.

Figure 2. Simplified Event Tree for Electrical Hazard Incident

If the work plan had been adequate, the likelihood of either of the other two barriers (lockout/tagout or use of protective equipment) not being implemented is equal to the nominal human error probability of 10^-2 for this category of errors, and the conditional probability of severe injury is reduced to about 10^-4. By defining the event as the electrician removing the cabinet enclosure after having been inadequately directed by the work plan, the risk of fatality becomes an order of magnitude higher (2.5 x 10^-2). This value is used in the event analysis.
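The qualitative screening and the simplified event tree described above, worked through with the Notice's figures as an added Python example (not part of the original Notice). The function names are illustrative; reading "medium-medium or higher" as both ratings being at least medium, and multiplying event-tree nodes as independent factors, are assumptions.

```python
from math import prod

LEVELS = ("low", "medium", "high")
FATALITY_PER_SEVERE_INJURY = 0.1  # Notice: fatalities about an order of magnitude rarer

def consequence_level(fatality_possible, severe_injury_possible, damage_usd):
    """Qualitative consequence category using the Notice's thresholds."""
    if fatality_possible or damage_usd > 1_000_000:
        return "high"
    if severe_injury_possible or damage_usd > 100_000:
        return "medium"
    return "low"

def probability_level(barriers_remaining):
    """Residual protection: fewer than two barriers high, two medium, more low."""
    if barriers_remaining < 2:
        return "high"
    return "medium" if barriers_remaining == 2 else "low"

def needs_semi_quantitative(probability, consequence):
    """Assumption: 'medium-medium or higher' means both ratings are >= medium."""
    return min(LEVELS.index(probability), LEVELS.index(consequence)) >= 1

def severe_injury_probability(barrier_failure_probs):
    """Event-tree path on which every barrier fails (node values multiplied)."""
    return prod(barrier_failure_probs)

def fatality_risk(barrier_failure_probs):
    return severe_injury_probability(barrier_failure_probs) * FATALITY_PER_SEVERE_INJURY

def averted_cost(fatality_risk_removed, success_likelihood=1.0, cost_usd=1_000_000):
    """Benefit of a corrective action, prorated by its likelihood of success."""
    return cost_usd * fatality_risk_removed * success_likelihood

# Node order: work plan, lockout/tagout, protective equipment (values from the Notice)
AS_ANALYZED = (0.1, 0.5, 0.5)      # inadequate plan 10^-1, other barriers 50/50
PLAN_INADEQUATE = (1.0, 0.5, 0.5)  # event defined as work already misdirected
PLAN_ADEQUATE = (1e-2, 1e-2)       # remaining barriers at nominal human error rate

if __name__ == "__main__":
    prob, cons = probability_level(0), consequence_level(True, True, 0)
    print(f"qualitative: {prob}-{cons}, analyze further: {needs_semi_quantitative(prob, cons)}")
    for name, tree in [("as analyzed", AS_ANALYZED),
                       ("plan inadequate", PLAN_INADEQUATE),
                       ("plan adequate", PLAN_ADEQUATE)]:
        print(f"{name}: severe injury {severe_injury_probability(tree):.1e}, "
              f"fatality {fatality_risk(tree):.1e}")
    print(f"averted cost: ${averted_cost(fatality_risk(PLAN_INADEQUATE)):,.0f}")
```

Passing a `success_likelihood` below 1.0 prorates the benefit for a corrective action that may not prevent a recurrence.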
Figure 3. Risk of fatality from Electrical Hazard Incident

Figure 3 compares the risk of fatality or severe injury from the event to the average lifetime accidental risk of fatality in U.S. industries, and also to the glovebox fire analyzed in another Safety Notice. Clearly, the risk of fatality from this event is greater than the average lifetime accidental risk of fatality in U.S. industries. Action is necessary to reduce those risks.

The following are general observations regarding the risks associated with this event and benefits of reducing these risks. The event occurred because of human errors at two levels: (1) an inadequate work plan and (2) failure of the electrician to use appropriate equipment and safe work practices. See Type A Report, pages 67 and 68.[7] Action to ensure that work plans take into account personnel risks as well as public health and safety concerns is crucial to reducing the frequency of similar incidents. Training personnel to take responsibility for their safety and to use appropriate safety equipment and safe work practices will also reduce the frequency and consequences of such incidents.

Benefits of corrective actions to prevent similar incidents are estimated using averted costs of a fatal injury. The averted cost is $1,000,000 x 2.5 x 10^-2, or $25,000. This estimate of the averted cost is based on the assumption that the corrective action is always successful. As long as the likelihood of success of the corrective action is nearly unity, this estimate of the averted cost will be valid. If the likelihood of success is not close to unity, the estimate of the averted cost should be prorated by the likelihood of success of the corrective measure. Adding other indirect benefits to this would probably elevate cost savings to the medium category. The corrective actions discussed are expected to be effective in reducing both the frequency and the consequences of similar incidents.
Additional costs associated with (1) ensuring adequate work plans for electrical work and (2) encouraging workers to take responsibility for their personal safety should be low in relation to the medium categorization of averted costs. This is especially true because these measures fall within the scope of existing procedures and safe work practices.

Conclusions

This Safety Notice presents a procedural approach to review operating events for safety and risk significance. The risk-based approach allows a quick determination of the appropriate level of response to the event and the cost-benefit aspects of any contemplated corrective action. Reference risk values were suggested for comparison to risks from individual events. Comparison of the risk level of events with these or other appropriate benchmarks allows informed decisions on whether corrective actions are necessary or unnecessary. This comparison also indicates the extent of cost-effective corrective actions. Additionally, calculation of a quantitative risk measure such as a risk of fatality associated with events allows a meaningful comparison of the safety and risk significance of dissimilar events.

Although this Notice is restricted to a specific event, the method can be extended to examine the risk significance of a class of events. By analyzing a class of operating events, it is possible to examine the risk implications of an underlying safety issue.

References
http://tis-hq.eh.doe.gov/web/oeaf/lessons_learned/ons/sn9402.html
Last modified: Wednesday, 15-Jan-97 14:01:00