Risk and Safety Assessments

As noted in the nuclear safety policy section, the Company, as an owner and operator of commercial nuclear power plants, is responsible for the safety of its employees and the public and aims to minimise risks arising from normal operation and from any nuclear accident arising from its installations and from natural events (e.g. flooding, earthquakes, extreme winds, climate change, human error, fires, loss of coolant, loss of power) to an acceptable level in line with national and international standards and industry best practice. The nuclear safety case therefore includes risk assessment of:

  • Plant based faults, e.g. loss of coolant
  • Internal hazards, e.g. steam release
  • External hazards, e.g. climate change, flooding, earthquakes.


There is a fundamental legal requirement for risks to be ALARP (As Low As Reasonably Practicable). This responsibility is fully recognised by the Company and leads it to continuously improve the maintenance of nuclear safety standards in its nuclear power plants. The safety cases for plant based faults, internal hazards and external hazards all minimise consequences and drive risks as low as reasonably practicable.

Reviews of the nuclear safety case and risk assessment

The nuclear power stations were constructed to the best contemporary advice, including national and international standards and guidelines, and each entered service with a single document summarising its safety case, which included assessment of risks, i.e. plant based, internal and external hazards such as climate change, flooding and earthquakes. The stations are expected to operate for a number of decades, during which guidelines will change. In addition there will be numerous changes to plant and procedures at each station, each of which is separately documented and represents a small change in the safety case.

The entire safety case, including risk assessments of plant based, internal and external hazards, is therefore reviewed at intervals against current national and international standards which set industry best practice, e.g. IAEA. The review also encompasses operating experience gained within the company, within the global nuclear industry (e.g. Fukushima) and through global high hazard industry events. The review process, which is referred to as Periodic Safety Review, is carried out at intervals of approximately 10 years, and is one of the conditions of the Nuclear Site Licence. The review is submitted to the Office for Nuclear Regulation (ONR), an agency of the Health and Safety Executive (HSE), for its consideration and, if appropriate, agreement to any proposed changes to the safety case. These reviews may identify shortfalls with respect to current guidelines. All reasonably practicable improvements identified by the review are implemented, to bring the stations within the current guidelines.

Less comprehensive reviews of the station safety case, including risk assessments, are also undertaken at intervals of two to three years. Typically each Advanced Gas-cooled Reactor (AGR) is shut down for statutory maintenance every three years (two years on some AGR stations at present); the Pressurised Water Reactor (PWR) interval is currently 18 months. Following each statutory maintenance outage, the findings are presented to the ONR, who must approve the return to service for the next maintenance period.

Regulation

Each nuclear power station is subject to a Nuclear Site Licence, which is issued by the ONR. The licence has 36 conditions, which govern all aspects of safe operation of the station. The ONR monitors the performance of the power station operator, and appoints a site inspector for each station. All significant changes to the plant or to its operating procedures are subject to approval by ONR.

Although subject to monitoring by the ONR, the licensee, EDF Energy Nuclear Generation Ltd, is self-regulating. It has an independent internal safety and oversight department. All proposals for changes to plant or operating conditions are referred to that department for Independent Nuclear Safety Assessment before they are put into effect. Each station has a Nuclear Safety Committee which advises on safety matters and which is required to approve all significant changes to the safety case before they are submitted to the ONR. The membership of the Nuclear Safety Committee consists of the Station Director, senior safety officers of the company, and independent safety experts.

Design philosophy

Nuclear power stations are designed so that failures and malfunctions can be tolerated without the risk of a release of radioactivity. The objective of the safety case is to assess risks and demonstrate that, in the event of any credible accident, the reactor can be shut down and cooled without the risk of failure of the fuel cans. The reliability of safety systems is secured by the design principles of redundancy, diversity and segregation.

Redundancy is the provision of duplicate plant items, in excess of the number which can be foreseen as necessary. Redundancy enables safety systems to perform satisfactorily even if individual plant items fail to perform on demand. It also allows items to be taken out of service for maintenance.

Redundancy may not however be sufficient if there is a common failure mode. A row of pumps which rely on a common electrical supply would be of no use if that supply were to fail. Even if they have electrical supplies from a variety of sources, there may be an unforeseen fault, for instance a substandard batch of bearings, which might conceivably cause breakdowns at a critical time. Important safety systems are therefore provided with diversity: they are duplicated by alternatives of a different type or design. All the nuclear power stations have diverse trip, diverse shutdown systems and diverse post trip cooling systems.

Redundant and diverse systems located within the same area may still be subject to a common form of mechanical damage, for instance fire or flooding. The final stage in securing reliability is therefore segregation. Diverse systems are kept apart, or if this is not possible, are separated by suitable barriers.

Detailed consideration has been given to hazards which might damage the plant. Appropriate protective measures have been incorporated such that the worst damage which might potentially be inflicted by each hazard would not prevent safe reactor trip, shutdown and post trip cooling. The more significant of the hazards originating from outside the station include flooding, earthquakes and extreme winds. Aircraft impact is treated differently, because it is not practicable to consider all possible effects in detail. A probabilistic argument is therefore used instead. It is shown that the probability of a crash causing damage leading to a release is acceptably low, and is within guidelines drawn up by the HSE. The more significant of the hazards originating from within the plant include fire, steam release, hot gas release (AGRs), and loads dropped from cranes.

The safe operating envelope

The reactor operating parameters are restricted at all times such that no credible accident will cause any fuel cans to melt, or to fail through any other mechanism. Limits are determined by means of fault studies. A fault study is a simulation of the events following a postulated initial accident, or fault. It determines the changes with time of temperature, pressure, neutron flux and other relevant parameters in the affected part of the reactor. From these it deduces the time at which the guardline initiates the reactor trip. Allowing for the time delays while the control rods are released, and the time for them to fall under gravity, it calculates the peak temperature in the hottest fuel can. It then adds appropriate allowances for random variations and uncertainties in the data, and compares the resulting temperature with the melt temperature of the can. It repeats this process for a range of reactor operating conditions, thereby establishing which reactor conditions are safe with respect to that particular accident.

A list of credible faults is maintained, and is referred to as the Fault Schedule. Fault studies are undertaken for each fault on the schedule. The reactor is operated within a set of conditions which are safe with respect to all faults on the Fault Schedule. This set of conditions is referred to as the Safe Operating Envelope.

Our primary focus is to ensure nuclear safety through positive control of reactivity, core cooling and containment of the contents of the core and all by-products of nuclear power plant operations whether in reactor, during movement, disposal or storage.

Safe nuclear operation is achieved by:

  • Plant that is well designed, well operated and well maintained;
  • Processes that are robust and focused on problem identification and resolution;
  • People who are well trained, follow procedures, demonstrate a questioning attitude, uphold the highest standards and who coach each other to improve those standards;
  • A learning organisation that strives for excellence by continuous improvement;
  • An organisation that has a positive Nuclear Safety Culture.


The safety of the Company's nuclear power stations was determined prior to construction through use of the best contemporary advice, including national and international standards and guidelines. It is also assessed as issues arise, and periodically there is additionally a systematic review, known as the Periodic Safety Review, of all the constituent parts of the nuclear safety case. The main objectives of the reviews are to risk-assess potential faults arising within the reactor and reactor support systems and compare the results against the Nuclear Safety Principles in order to:

  • confirm that the installation is adequately safe for continued operation within the current safety case/safety assessment;
  • identify and evaluate any factors which may limit the safe operation of the plant in the foreseeable future;
  • identify any safety enhancements which are reasonably practicable.


The assessment encompasses not only all radiological risks from the reactor, but also considerations of criticality safety, the fuel route and radioactive waste treatment plant. The assessment covers plant based faults, internal hazards such as steam release and external hazards such as seismic, high winds, climate change leading to rising sea levels and flooding amongst others. The assessment encompasses current national and international standards which set industry best practices e.g. IAEA. The review also considers operating experience gained within the company, the global nuclear industry e.g. Fukushima and through global high hazard industry events.

The term 'safety enhancements' referred to in the above paragraph can apply to:

  • Developments in the safety arguments, e.g. by additional analysis
  • Improved operating or emergency procedures
  • Implementation of plant safety modifications
  • Or a combination of some or all of these features.


The Nuclear Safety Principles have been defined taking into account the document issued by the Health and Safety Executive (HSE) entitled 'The Tolerability of Risk from Nuclear Power Stations' (TOR) and subsequently developed further in ‘Reducing Risks, Protecting People’ (R2P2), which reflects current thinking on tolerable levels of risk, both to individuals and to society as a whole. In common with TOR and R2P2, the concept of reasonable practicability is also an important feature of the Nuclear Safety Principles.

Nuclear safety reviews employ:

  1. Expert assessment of the design and system of operation including all relevant scientific, technical and human factors, good engineering practice, and take into consideration accepted precedents and recognised codes and standards.
  2. Structured safety arguments demonstrating the acceptability of the topic under review by assessment against Deterministic Principles and, where relevant, against the Probabilistic Principles, the Doses to Workers Principle, and Methods for Supporting Safety Case Claims.
  3. Appropriate quality assurance arrangements for the design, procurement, construction, installation, commissioning, and operation of structures, systems and components. Similarly, appropriate arrangements are required for the production of nuclear safety documentation of adequate quality.


Maintain Design Integrity policy

The Maintain Design Integrity policy ensures that the design intent is met and that, where changes are made to the design, this is done in a controlled manner and rigorous configuration control is maintained over the reference plant documentation.

Plant changes may result for a number of reasons, including: self modification (ageing), obsolescence, operating experience, periodic reviews (e.g. safety system reviews or Periodic Safety Reviews) or enhancements.

Design changes may arise in a number of other company processes, including: asset management, risk management, outage management, emergency preparedness, procurement and materials management, waste management, environmental management, operational experience, security, radiation protection, human performance, industrial safety or corrective action.

Some plant design changes are identified and scheduled well in advance of the work whereas other plant changes result in plant breakdown requiring urgent action. Irrespective of the motivation for the work, any change to plant and/or safety case will be subject to the Maintain Design Integrity Process.

The key processes included within the Maintain Design Integrity are summarised below:

Modifications

The Modification Process (nuclear site licence condition 22) is used to control changes to the plant and/or safety case, subject to the following overriding principles:

  • All changes identified as being design and/or safety case changes will be subject to the modifications process
  • Design and/or safety case changes which potentially modify the design intent will be subject to the agreement of the Design Authority
  • Users of the modification process shall meet prescribed standards of training and experience, and satisfactory performance will be subject to ongoing review
  • Risks associated with the modification process are identified and managed through use of a barrier model which provides a framework for use in future investigations in the event of process failure and provides a framework for risk assessment when operating the process. The barriers include verification, independent assessment and oversight.


Periodic Safety Review

The Periodic Safety Review (nuclear site licence condition 15) process is a periodic holistic review of the condition of the plant and of any changes to standards that is used to justify continued operation. The review encompasses not only all radiological risks from the reactor, but also considerations of criticality safety, the fuel route and radioactive waste treatment plant. The assessment covers plant based faults, internal hazards such as steam release and external hazards such as seismic, high winds, climate change leading to rising sea levels and flooding amongst others. The assessment encompasses current national and international standards which set industry best practices e.g. IAEA. The review also considers operating experience gained within the company, the global nuclear industry e.g. Fukushima and through global high hazard industry events. Part of the benefit of the review is that it confirms that the aggregate effect of minor design changes has not become significant. It also acts as a check that plant documentation is up to date and accurately reflects the plant design.

The PSR is carried out at approximately ten-yearly intervals. The reviews identify issues to be addressed, grade their significance and priority, and the issues are then addressed through systematic business processes. The PSR is provided to the Government’s nuclear regulator, who accepts the findings and monitors progress of the identified improvements.

It should be noted that there are other processes which complement the Periodic Safety Review process, but which differ in scope and have increased frequency, for example the System Health Review process. The Periodic Safety Review and complementary processes provide inputs to the Modifications Process.

Nuclear Safety Committee (NSC) process

The NSC process (nuclear site licence condition 13) sets out the arrangements for compliance with Licence Condition 13. The most significant design changes and other significant safety matters are referred to the NSC for advice.

Strategic programme

The strategic programme process consists of the arrangements used to manage the strategic programme. The programme is made up of many separate activities, which have been selected to mitigate specific technological risks and as such they develop new knowledge that may be required to ensure plant integrity can be maintained into the future.

Maintain standards

The Maintain Standards process consists of the arrangements used to ensure that standards are periodically reviewed and updated as appropriate. This process deals directly with some standards but interfaces with Technical Governance for those standards controlled by Engineering Systems Health.

Oversight Arrangements

The Oversight Arrangements process consists of the arrangements that Design Authority uses to ensure that the Maintain Design Integrity process is effective, to report on the health of the process, and to identify and drive opportunities for improvement. These arrangements consist of collating information gathered across the organisation to provide insight into the effectiveness of the Maintain Design Integrity process across the fleet and at relevant corporate functions.

Engineering Change Training and Accreditation

All safety case role holders will meet specified levels of training and accreditation as defined by this process. Capability is the subject of ongoing review and re-accreditation.

The main supporting processes for Maintain Design Integrity are summarised below:

Work Management

This process provides the systematic framework for implementation of plant modifications. As such, it ensures that the modification is safely and effectively implemented to the specification.

Document Control

This process provides the means to control changes to documents that describe the safety case and design intent.

Records Management

This process ensures that any records generated by the Maintain Design Integrity process are retained.

System Health

This process provides the vital link to activities that ensure that plant and safety case remain aligned or identify situations where this is not the case and initiate remediation. This link to the stewardship of the plant is essential support to the Maintain Design Integrity process.

Technical Governance

This process ensures that appropriate engineering policies, codes and standards are provided and applied.

DESIGN AND SAFETY ASSESSMENT

Engineering principles

If a fault occurs at a nuclear power station the installed safety systems are required to operate and fulfil their safety function. An example of a safety function might be the supply of cooling water to the boilers following a reactor trip. It may be that one running pump is sufficient for this purpose. However, if this one pump failed, cooling would be lost. The situation can be improved by adding a further pump in parallel with the first. The addition of items of plant over and above what is required in foreseeable circumstances is known as redundancy. The concept of redundancy is built into the design of safety systems installed at nuclear power stations. For example, there are many more control rods than are needed to shut down the reactor, and there are more pumps to supply water to the boilers / steam generators than are needed to fulfil the safety function of removing the decay heat from the primary coolant.

To take an example, suppose it is required to have a probability of less than one in one million of there being no cooling water for the boilers after a reactor trip. Suppose one pump on its own can supply sufficient water to the boilers to remove the decay heat, but that the pump has a probability of failure of one in 100; with three pumps the probability that all three will fail randomly is one in one million and hence a 3-pump system should meet the reliability target.

However, it is unwise to assume that the three pumps will only be subject to random failures. They may all suffer from a common fault, in which case the probability that all three might fail simultaneously could be much higher than is calculated on the basis of random failures. For example, in cold weather they may all have a tendency to stall, or they may all possess a weak component which may fail under a particular operating condition. Such potential failure mechanisms are known as common cause or common mode failures.

To overcome this problem, it is necessary to build diversity into the systems providing each safety function. In the example of the pumps above, this may mean introducing a different type of pump made by a different manufacturer.

Merely providing further types of pumps does not in itself eliminate all sources of common cause failure. In the event of a fire, or a loss of electrical supplies, all pumps at the same location and fed from the same power source could be affected. It is therefore necessary to introduce segregation. This can be provided by locating pumps and any supporting auxiliary equipment in different buildings and by supplying them with power along different cable routes and from different electrical distribution boards. It is particularly important to provide adequate segregation when considering the defences against hazards, such as fires, dropped loads and earthquakes.

The principles of redundancy, diversity and segregation are built into nuclear power station design. These are examples of deterministic (engineering) safety provisions. A further important safety provision is the single failure criterion. This requires that no single random failure within a safety system should be able to cause the loss of a safety function.

Common mode cut-off

Common mode failures may be difficult to identify. It is therefore assumed that, however much redundancy a system possesses, its reliability is limited to one failure per 10,000 demands, or in exceptional circumstances one in 100,000.

Protection requirements for frequent and infrequent faults

Faults which are expected to occur more than once every 1000 years are classified as frequent. Infrequent faults are ones that have a lower frequency of occurrence than this.

The implication of the common mode cut-off is that a single line of protection is insufficient for a frequent fault. The dose-frequency staircase effectively requires that the frequency of a fault, multiplied by the probability that it results in a major release, must be no more than 10^-7 per year (one in ten million). Taking into account the common mode cut-off, the combined frequency of a frequent event (for example at 10^-2 per annum) followed by a failure of the protection (at 10^-4 per demand) would be more than 10^-7 and therefore does not meet the requirements. Hence a diverse line of protection (trip, shutdown and post trip cooling) is provided.

For infrequent faults, however, a single line of protection will suffice, provided it is sufficiently reliable.

For all faults, one line of trip, shutdown and post trip cooling is provided. The provision of additional reactor protection is considered in an ALARP framework. In reality two lines of protection are provided for most of the frequent faults.
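The pump redundancy example, the common mode cut-off and the dose-frequency check above, worked through as an added Python example (not from the original document; the function names and the constructed cases are assumptions, while the numerical targets and cut-offs are the ones quoted in the text):

```python
"""Added worked example of the redundancy / common mode cut-off / dose-frequency
reasoning in the text. Function names and the sample cases are assumptions;
the constants are the values quoted in the document."""
import math

RELEASE_TARGET_PER_YEAR = 1e-7         # dose-frequency staircase: one in ten million per year
FREQUENT_FAULT_THRESHOLD = 1e-3        # more often than once per 1000 years => "frequent"
COMMON_MODE_CUTOFF = 1e-4              # one failure per 10,000 demands, however much redundancy
COMMON_MODE_CUTOFF_EXCEPTIONAL = 1e-5  # one in 100,000 in exceptional circumstances


def random_failure_prob(p_single: float, n_redundant: int) -> float:
    """Probability that all n identical, independent items fail on demand.
    This is the optimistic figure that ignores common cause failures."""
    return p_single ** n_redundant


def claimed_failure_prob(p_single: float, n_redundant: int,
                         cutoff: float = COMMON_MODE_CUTOFF) -> float:
    """Reliability that may actually be claimed for a redundant system:
    the random figure, floored at the common mode cut-off."""
    return max(random_failure_prob(p_single, n_redundant), cutoff)


def classify_fault(freq_per_year: float) -> str:
    """'frequent' if expected more than once every 1000 years, else 'infrequent'."""
    return "frequent" if freq_per_year > FREQUENT_FAULT_THRESHOLD else "infrequent"


def release_frequency(fault_freq_per_year: float, line_failure_probs: list) -> float:
    """Fault frequency multiplied by the per-demand failure probability of each
    diverse, segregated line of protection (lines assumed independent)."""
    freq = fault_freq_per_year
    for p in line_failure_probs:
        freq *= p
    return freq


def meets_target(fault_freq_per_year: float, line_failure_probs: list) -> bool:
    """True if the resulting release frequency is within the staircase target."""
    return release_frequency(fault_freq_per_year, line_failure_probs) <= RELEASE_TARGET_PER_YEAR


def lines_required(fault_freq_per_year: float,
                   line_failure_prob: float = COMMON_MODE_CUTOFF,
                   max_lines: int = 4):
    """Smallest number of diverse lines, each limited by the cut-off, that meets
    the target; None if max_lines is not enough."""
    for n in range(1, max_lines + 1):
        if meets_target(fault_freq_per_year, [line_failure_prob] * n):
            return n
    return None


if __name__ == "__main__":
    # Three pumps at 1-in-100 each: random arithmetic says one in a million ...
    print("random, 3 pumps:", random_failure_prob(1e-2, 3))
    # ... but the claim is capped at the common mode cut-off.
    print("claimed, 3 pumps:", claimed_failure_prob(1e-2, 3))
    for fault in (1e-2, 1e-4):  # constructed frequent and infrequent faults
        print(fault, classify_fault(fault), "lines needed:", lines_required(fault))
```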

Hazards

A hazard to a plant item is defined as anything outside that item which could cause it to fail. Hazards are classified as external or internal. An external hazard is something imposed on the station site from outside, such as an extreme wind or an earthquake. An internal hazard is something caused by a plant failure within the site, such as fire, flooding caused by the breach of a water pipe or a major steam release. Hazards constitute potential common causes of multiple plant failures.

At first sight it might appear consistent to seek to justify the survival of a line of protection against the worst external hazards expected to occur at a one in ten million per year frequency. This is not however practicable, since quantified data for external hazards, such as weather or seismic disturbances, is only available over the last 100 to 200 years. This is insufficient for a statistical determination of the one in ten million per year event. The Office for Nuclear Regulation’s Safety Assessment Principles accept that the uncertainty of data may prevent reasonable prediction of events for frequencies less than once in 10,000 years. The required approach is therefore to demonstrate that there are comfortable margins to survival of each relevant hazard at the one in 10,000 year level for a single line of protection. An additional line of protection is justified for less severe hazards at the one in 1000 year (frequent) level.

Frequencies for internal hazards are easier to quantify, since data are available for the reliability of items such as pipes and valves.

Appropriate measures are in place to limit the potential effects of hazards to an acceptable level. Maintenance procedures are also biased towards plant which poses a hazard to safety related items.

There are some safety functions for which redundancy and diversity of protection is not possible. For example there is only one concrete pressure vessel surrounding an AGR reactor. In such cases the probability of failure of the component has to be made so low that failure is essentially regarded as incredible. In order to sustain a claim of incredibility of failure, particularly high standards of design, construction and inspection are needed.

Beyond design basis faults

It is recognised that there are certain extreme fault conditions for which there is no specific design provision. These are termed beyond design basis faults. There are also unlikely combinations, or sequences, associated with design basis faults that fall into this category.

An example of the first type of fault would be major failure of the primary coolant circuit. The frequency of such faults is so low that it is unnecessary to study their consequences in detail. This is true also of some hazard conditions such as major flooding caused by failure of the sea wall defence. In this situation the redundancy, diversity and segregation in the station design will provide a degree of protection.

The second type of beyond design basis faults are those in which post trip cooling plant has failed, and the assumed minimum cooling requirements for a particular fault have not been met. In all such cases for AGRs there is a long time available before fuel pins begin to fail. For example, in a pressurised fault the reactor and boiler structures (and the fuel pins) will survive several hours with no external cooling at all. In most cases long term integrity is assured under natural circulation conditions. This is because of the large thermal capacity of the core, boilers and supporting steelwork. Even in the event of a depressurisation with loss of cooling, fuel pins would not fail in significant numbers for one or two hours after the trip.

Such situations have been analysed to confirm that there are large margins available within the design basis fault studies. In particular, it has been shown that there are no “cliff edges” which would result in the fuel safety limits being exceeded in the majority of beyond design basis situations analysed. Therefore even though specific studies have not been carried out for all possible events, scoping studies have shown the plant to be capable of maintaining safe conditions.

It is very difficult to provide detailed instructions to the Reactor Desk Operator covering all the different extreme situations which may arise at very low levels of probability. The types of actions which would be most beneficial in these remote circumstances have nevertheless been considered, and this has resulted in the issue of two sets of additional instruction known as Symptom Based Emergency Response Guidelines (SBERGs) and Severe Accident Guidance (SAG).

The SBERGs give advice in a developing fault situation, for which the normal instructions are not valid. This advice concentrates on the symptoms of the fault rather than on specific failures in any one plant system. The SBERGs supply guidance on the most appropriate actions which would be needed to preserve and reinforce the critical safety functions, such as reactor cooling.

The SAG advises on the management of the reactor after a severe fault. It concentrates on actions to establish the critical safety functions and to minimise the release of radioactivity from the core and plant.