Aims of the chapter:
Safety assessment is, in the present context, defined by Nagra as the process of gathering the evidence and arguments and carrying out analyses regarding the safety of the disposal system during the post-closure phase and is the means by which the safety case is developed.
The methodology described here is a high-level summary of the workflow carried out for the safety assessment of a geological repository for both HLW and L/ILW in support of the general licence application, which is described in greater detail in NTB 24‑19 (Nagra 2024t).
Nagra’s safety assessment methodology has been developed in line with international guidance, advances, and publications. Based on these and on Nagra’s own experience, the following principles and objectives for the safety assessment have been identified:
A systematic approach to information gathering and integration – The assessment relies on a systematic approach to information gathering and integration to assemble the assessment basis, the main elements of which are summarised in Chapter 5.
Rigorous consideration and treatment of uncertainty – As far as possible, all potential sources of uncertainty and the various sources of bias must be considered and recognised when conducting and interpreting the analyses. Uncertainty management is described in general terms in Section 4.4 and is a feature of all the processes within the safety assessment methodology.
Assurance of completeness – All reasonably foreseeable possibilities for the characteristics and evolution of the disposal system are considered in developing safety case arguments. The assurance of comprehensiveness, i.e., the minimisation of “completeness uncertainty” is discussed further in Section 4.5.
Validation and verification of models and databases – Appropriate quality assurance and control measures are adopted to ensure that the models and databases developed and applied in the analyses are suitable for their intended purpose. Each computer code used to perform analyses must be verified. Model abstractions, including the use of simplifications and conservatism in modelling, must be justified.
Use of stylised approaches – Stylised approaches⁸ are adopted for the modelling of the biosphere and the nature of future human behaviour and actions, on account of the largely irreducible, poorly quantifiable or unquantifiable uncertainties associated with predictions regarding these aspects, even over relatively short timescales.
Multiple lines of argument for safety – Claims related to the performance and safety of the disposal system are supported, as far as possible, by multiple lines of argument and wide-ranging evidence. The development of arguments and evidence supporting a set of high-level claims is a key element of the performance assessment methodology (see Chapter 6). The multiple lines of argument underpinning the overall safety case are brought together in Chapter 10.
Internal and external reviews – All relevant aspects within the safety assessment are subject to internal and/or external review.
The safety assessment, which provides the safety case for the repository as defined by the provisional design and implementation plan, consists of four main processes and is illustrated in dark blue boxes on the right-hand side of Fig. 4‑1.
Fig. 4‑1: Workflow for the post-closure safety case, with the four main processes of safety assessment shown in dark blue boxes on the right-hand side of the figure
Performance assessment (see Chapter 6) develops arguments and presents evidence to show that the safety functions of the repository are upheld and that the system will evolve as expected in most reasonably foreseeable situations, as described in detail in NAB 24‑20 Rev. 1 (Nagra 2024m). Performance assessment also identifies uncertain and potentially detrimental phenomena and other uncertainties that could degrade the functionality of the components of the disposal system or of the overall disposal system, as input to safety scenario development.
Based on the knowledge provided by the assessment basis and the findings of performance assessment, safety scenario development (see Chapter 7) defines a set of safety scenarios that capture the broad ways in which the repository system could fulfil its safety functions over time, as well as additional hypothetical “what-if?” cases, which are aimed at further demonstrating the robustness of the disposal system. Safety scenarios and “what-if?” cases can contain several variants and most of them are, via a set of calculation cases, carried through to the analysis of radiological consequences. There, radionuclide release, retention and transport are modelled, and dose assessments are carried out. Some variants, however, can be handled by qualitative argumentation. These are also identified within the scope of scenario development.
The analysis of radiological consequences (see Chapter 8) uses quantitative models to evaluate annual individual dose rates or risks and complementary safety indicators. Suitable conceptualisations are formulated for the calculation cases that are propagated from scenario development. Both deterministic calculations and probabilistic uncertainty and sensitivity analyses are performed, and the impact of uncertainty is evaluated systematically (see Section 4.4). The results are compared with the regulatory protection criteria and the safety margin for each calculation case is determined. The output of the radiological consequence analysis also includes complementary safety indicators, such as radionuclide fluxes and concentrations, which are described in Chapter 9.
Demonstration of post-closure safety (see Chapter 10) is achieved by bringing the results of the three previous steps in safety assessment together with other information supporting the quality of the safety assessment, the safety and robustness of the repository system, and the strength of the stepwise repository siting, design and implementation processes, in the safety case. The calculated safety margins provide a key line of argument for the overall demonstration of safety in the safety case. As explained in Chapter 9, however, this line of argument is complemented and strengthened by additional lines of argument that address, e.g., the quality of the system.
Regulatory guidance in ENSI Guideline G03 (ENSI 2023) states that a period of up to one million years shall be considered by the safety case, and that the temporal development of the radiological hazard potential of the emplaced waste and the predictability of the long-term geological evolution must be taken into account⁹. In NTB 08‑05 (Nagra 2008), by considering the decrease in radiotoxicity that occurs over time, the time period for assessment (referred to in the context of site comparison as the time period under consideration) was defined as extending up to 100,000 years for an L/ILW repository and up to one million years for an HLW repository. These time frames are also adopted for SGT-E3 when considering separate HLW and L/ILW repositories (see NAB 24‑05 (Nagra 2024a) for details). The shorter period considered for the L/ILW repository, based on considerations of radiotoxicity, is also consistent with guidance from ENSI in ENSI 33/649 (ENSI 2018)¹⁰.
For a geological repository for both HLW and L/ILW, a one-million-year time period for assessment is considered, although the time frame specific to the assessment of certain processes or phenomena (e.g., heat production from HLW) can be significantly shorter. In the case of the calculations of radionuclide release, retention and transport carried out for the analysis of radiological consequences, ENSI Guideline G03 lists the additional requirement that the dose calculations shall be performed up to the time of the maximum radiological impact of the deep geological repository¹¹. To meet this requirement, dose calculations are carried out up to the maximum radiological impact time, extending to 10⁷ years for HLW and 10⁶ years for L/ILW releases. Analyses for volatile radionuclides, which focus on ¹⁴C with a 5,700-year half-life, are carried out for a 10⁵-year period. After this time period, ¹⁴C will have decayed to activities that are insignificant.
Beyond the time period for assessment, ENSI Guideline G03 requires determination of the range of potential impacts by considering uncertainties and scenarios involving geological processes. Notably, glacial and non-glacial (fluviatile) erosion, impacting the repository barrier system, is addressed in the dedicated report NAB 24‑08 Rev. 1 (Nagra 2024q), taking into account time frames well beyond the time period for assessment.
⁹ For the safety case, a time period for assessment of up to one million years shall be defined. The temporal development of the radiological hazard potential of the emplaced waste and the predictability of the long-term geological evolution shall be taken into account.
¹⁰ If it can be shown that, owing to the radiological hazard potential of the waste, only negligibly small radiological impacts on humans and the environment are to be expected from the deep geological repository after less than one million years, the safety case may be made for a shorter time period under consideration.
¹¹ In the safety analysis, dose calculations shall be performed up to the time of the maximum radiological impact of the deep geological repository, but at least until the end of the time period for assessment.
For a complex problem, such as analysing the future evolution, performance and safety of a deep geological repository and its environment, it is impossible to make exact predictions. Some level of uncertainty can, however, be accepted, provided the uncertainties do not compromise the demonstration of safety. As explained in Section 4.1, rigor in the consideration and treatment of uncertainty is one of the basic principles underlying the safety assessment methodology. Furthermore, ENSI Guideline G03 (ENSI 2023) states that, for the safety case, data, processes, and model concepts shall be used that are in accordance with the state-of-the-art in science and technology, and that their uncertainties shall be identified¹².
Uncertainty management in safety assessment is discussed at length in Chapter 3 of NTB 24‑19 (Nagra 2024t) and includes the following particular aspects.
In line with common practice, the safety assessment categorises uncertainty based on its source as data uncertainty (also termed parameter uncertainty), model uncertainty (also termed conceptual uncertainty), and uncertainty in the broad evolution of the safety functions (sometimes termed scenario uncertainty). In some instances, uncertainty may also be classified by its nature as epistemic (caused by deficiencies in knowledge) or aleatory (due to the apparent randomness of relevant phenomena). In principle, the former relates to uncertainty that can be avoided, reduced, or eliminated and the latter relates to uncertainty that cannot be reduced or eliminated. In practice, it can be difficult to make a clear distinction between the aleatory and epistemic uncertainties.
The assessment basis, i.e., the evidence, knowledge, assessment tools, and methodologies developed or acquired by Nagra in support of the safety assessment, is described in Chapter 5. The body of information that is contained within the assessment basis includes information gathered from a variety of sources, and the associated uncertainty represents a mixture of epistemic and aleatory types. Epistemic uncertainty is reduced, as far as reasonably possible, e.g., by site characterisation, research, and design considerations. Remaining uncertainties are then identified and, if possible, quantified, e.g., by specifying either likely values and ranges or probability density functions (PDFs) for associated parameters. Where different types or sources of information are available, an ensemble of information, possibly with different representations of uncertainty, is integrated to provide, as far as possible, a coherent, logical, realistic, and defensible description of the disposal system and its environment, including statements of uncertainty.
Uncertainty in the broad evolution is handled in performance assessment and safety scenario development (Chapters 6 and 7), resulting in a set of safety scenarios, namely the reference safety scenario, a set of alternative safety scenarios and a set of future human action (FHA) safety scenarios. The latter consider potential future actions undertaken by human society that could impact the repository and are treated as a separate class of safety scenarios, due to their particularly speculative nature. Furthermore, “what-if?” cases, which involve extreme and hypothetical assumptions and primarily aim at demonstrating the robustness of the repository system, contribute to bounding the consequences of uncertainty in the broad evolution (see also Section 4.5).
All models used in safety assessment incorporate a substantial degree of simplification. Simplification is needed because of the complexity of the disposal system, the impossibility of complete system characterisation, and the limited understanding that is available of some processes. Simplification can include, for example, the omission of some less well characterised phenomena. Moreover, where omission of a phenomenon cannot be justified, the approach is often to incorporate the complex or poorly understood phenomenon in a relatively simple form in the mathematical models and codes, while applying relatively pessimistic ranges to the parameter values to address the resulting uncertainty. Simplifications and assumptions that are subject to uncertainty can be justified on the grounds that they either have a negligible impact on the calculation endpoints (e.g., performance and safety indicators), or that they are conservative. Uncertainty in model output arises from the uncertainty in input data as well as from the model uncertainties handled as described above. Two complementary techniques are employed to quantify the uncertainty in model output due to the uncertainty in the input data. The first is called deterministic uncertainty analysis, in which uncertainty in model output is explored by defining and testing specific input parameter values. The second is probabilistic uncertainty analysis, where the selection of input data is carried out based on the probabilities assigned to the data (e.g., using the Monte-Carlo method), and the model output is analysed using standard graphical and statistical methods. Finally, there are irreducible, poorly quantifiable or unquantifiable uncertainties associated with the evolution of the biosphere and future human lifestyles and actions, and stylised approaches are adopted to deal with these. 
For example, for the purpose of the assessment, possible future human actions that could affect the repository are constrained to those that are possible using present-day technology or moderate developments thereof.
The possibility of human error in applying the methodologies presented in this report represents an additional source of uncertainty. To minimise this type of uncertainty, measures of quality assurance and control must be applied to all activities that use or produce models and data. Specific measures to ensure that the models and databases used in safety assessment are fit for purpose, that the mathematical models are implemented correctly in computational models, that the computational models are reliable and that they are applied correctly and without error are presented in underlying reports (Nagra 2024s, Nagra 2024u, Nagra 2024k, Nagra 2024o, Nagra 2024p). These include a comparison of model outputs with the results of experiments covering a range of spatial and temporal scales and with observations of natural systems and the verification of numerical codes, e.g., by benchmarking against analytical solutions and against other codes that can address the same or similar problems.
The potential for human error during the construction, operation, and closure of the repository cannot be entirely ruled out. While implementing appropriate quality assurance and control measures is foreseen, uncertainties – such as those arising from failure to meet design requirements – remain a concern. These uncertainties are currently mainly covered by the definition and analysis of “what-if?” cases that assume a hypothetical degraded performance for each of the main repository barriers (see Section 7.4). To enhance safety and reliability, these aspects may be more thoroughly evaluated in future assessments, contributing to the ongoing development and revision of design requirements.
¹² For the safety case, data, processes and model concepts in accordance with the state of the art in science and technology shall be used, and their uncertainties shall be identified.
Although it is impossible to prove beyond all possible doubt the completeness of a safety assessment, measures are taken to ensure the inclusion of a comprehensive set of potentially relevant phenomena and, of equal importance, to ensure that the safety-relevant phenomena have been represented appropriately in the safety scenarios and analyses carried out within safety assessment.
An assessment basis has been developed that includes all identified and relevant phenomena and processes, as outlined in Chapter 5. As part of this assessment basis, understanding of the initial state and post-closure evolution of the repository, which forms the basis for performance assessment, safety scenario development, and analysis of radiological consequences, is synthesised in NAB 24‑20 Rev. 1 (Nagra 2024m), while the characteristics and evolution of the site are detailed in NTB 24‑17 (Nagra 2024i). These descriptions have undergone iterative development over many years, with each version being subjected to peer review and taking into account Nagra’s extensive RD&D programme documented in NTB 21‑02 (Nagra 2021a). The comprehensiveness of these descriptions is further enhanced by effective information exchange among safety assessors, technical experts within Nagra, and the broader scientific community.
The assessment basis also includes a comprehensive catalogue of features, events and processes (FEPs), which has also been developed over many years, benefiting from reviews by both internal and external experts, and comparisons with similar international databases. A FEP audit has been conducted to verify the inclusion of all relevant FEPs in the safety assessment and to justify the omission of others. The audit evaluates whether all FEPs in the catalogue are adequately addressed in the safety assessment, either through inclusion in safety scenarios or via explicit or implicit consideration in performance assessment models and in the models used for the analysis of radiological consequences and dose assessment. It is ensured that the exclusion of any FEPs is justified by showing them to be either outside the assessment scope or irrelevant to safety. This process, documented alongside the phenomenological evolution of the repository in a supplementary volume of NAB 24‑20 Rev. 1 (Nagra 2024l), guarantees a thorough assessment and justification for FEP inclusion or exclusion. Similar audits have been conducted in Project Entsorgungsnachweis (demonstration of disposal feasibility, NTB 02-23, Nagra 2003), ensuring consistency and reliability across safety assessments. More details are also provided in Section 5.5.
Finally, as noted in Section 4.2 and discussed further in Section 7.4, “what-if?” cases are defined and analysed as part of the safety assessment. These “what-if?” cases involve extreme and hypothetical assumptions, primarily aimed at demonstrating the robustness of the repository system. Such analyses may also pre-empt potential criticism that the selected ranges of parameter values are too narrow or that some detrimental FEPs are either unknown or have been overlooked.