Plant faults, internal hazards, external hazards

Plant faults are those which might arise due to failures or malfunction of the plant itself. They include those which can affect the reactor, the reactor primary and secondary coolant systems, and also those which can affect new and irradiated fuel and radioactive effluent treatment plants. An outline of a few such faults is given in Section 3.5 of this chapter (Fault studies).

Internal hazards are on-site events which have the potential to cause damage to unrelated equipment around the point of origin, or beyond. Those considered include:

• Fire, missiles, turbine disintegration, dropped loads, explosive and toxic gases, and failure of pressurised systems. Failure of pressurised systems could, for example, result in pipe whip, flying fragments, jet impingement and local flooding.

By comparison with natural and other external hazards it is more often possible to place an upper limit on the level of an internal hazard, for example, the magnitude of a dropped load.

The design approach to demonstrate the safety of the plant against internal hazards depends on the particular hazard under consideration, but the main features of the approach are:

• To reduce the probability of the hazard occurring through a high standard of design, construction and operation.

• To limit the consequences of hazards through segregation, protection and layout features.

• To ensure that the reactor can be taken to a hot shutdown condition in the event of the hazard occurring. Some repair, temporary connections (for example, cabling), or local manual operation may be required to establish cold shutdown capability. Maintenance requirements and the single failure criterion are taken into account when assessing the adequacy of the plant proposals.

External hazards are events originating outside the site but which could affect plant safety and include both natural and man-made events. Those considered for the PWR for instance include:

• Ground settlement and subsidence, precipitation, lightning, wind, flooding, extreme ambient temperatures, industrial activity off-site, gas clouds, earthquakes, aircraft impact.

Where possible, the criterion for hazards is to ensure that the combination of the frequency of the hazard and the probability of subsequent failure to control the reactor is consistent with the design safety criteria for large uncontrolled releases to the environment. On this basis, the external hazard design criteria have in general been set at a hazard frequency of 10⁻⁴ per year, with the probability of failure to cool and shut down the reactor in the event of the hazard set at less than 10⁻³ per demand.

Thus, in the case of earthquakes for example, an earthquake with a peak horizontal acceleration of 0.25 g has been adopted for design purposes. This exceeds the 10⁻⁴ per year level at all currently planned sites; it is above the UK average and would be conservative for most UK locations. Associated with it is a ground motion spectrum which characterises the frequency content of the various possible earthquakes which could have a peak acceleration of 0.25 g. The station and plant design has to be such that the reactor can be safely shut down with the requisite reliability in the event of such an earthquake, which is known as the safe shutdown earthquake (SSE). It will be noted that earthquakes which exceed this design level are possible. However, in practice the plant will safely withstand more severe hazards than that specified because plant and structures built to normal conservative design codes have a considerable margin of reserve strength between the design limits and the point of collapse or total failure. Sensitivity studies are carried out to show that there is no sudden reduction in safety for events more severe than the SSE.

As in the case of the SSE, the design wind speed is set at a level such that the frequency of its being exceeded is less than 10⁻⁴ per year. On this basis, the extreme wind speed arrived at for the design of safety-related buildings and plant is 58.8 m/s (132 mph).

Aircraft crash exemplifies an external hazard for which a modified approach is adopted to establish the acceptability of the design. A different approach is possible because sufficient data for aircraft crashes exist to enable the frequency of both civil and military aircraft crashes to be predicted for the site. This, together with an evaluation to identify those areas of the site which, if hit, have the potential for significant radioactive release, leads to a predicted frequency of crash onto potentially vulnerable areas. Because of the inherent strength of some of the buildings, it is possible to discount any hazard arising from impact of light aircraft and some helicopters. Although the arguments are further complicated by consideration of consequential fires due, for example, to spillage of aviation fuel, it is possible from this type of assessment to show that major radioactive release from an aircraft crash is of the order of 10⁻⁷ per year and therefore considered an acceptably low risk.
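The three preceding paragraphs describe one screening logic applied three ways: a hazard frequency combined with a conditional probability of failing to control the reactor, compared against a release-frequency target; a sensitivity check above the SSE for any sudden loss of safety; and, for aircraft crash, a site-specific crash frequency restricted to the vulnerable area with some aircraft classes discounted. The following Python script is an added worked example of that logic and is not part of the original text nor any published station assessment. The only figures taken from the text are the 10⁻⁴ per year hazard level, the 10⁻³ per demand failure probability and the 0.25 g SSE; the lognormal fragility curve, the stepped "cliff-edge" curve, the crash densities per km² and the vulnerable-area and release-probability values are constructed assumptions for illustration.

```python
"""
Added worked example (not from the source text): screening external hazards
against the probabilistic criterion described above, plus a cliff-edge scan
above the design-basis earthquake. All curves and site data below are
constructed assumptions, not published values.
"""
import math

# Design levels quoted in the text: hazard frequency 1e-4 per year, and a
# probability of failing to shut down and cool the reactor below 1e-3 per demand.
HAZARD_FREQ_TARGET = 1e-4      # per year
COND_FAIL_TARGET = 1e-3        # per demand
RELEASE_TARGET = HAZARD_FREQ_TARGET * COND_FAIL_TARGET   # ~1e-7 per year


def release_frequency(hazard_freq_per_year, p_fail_per_demand):
    """Annual frequency of a large uncontrolled release from one hazard:
    (frequency the hazard occurs) x (probability the plant then fails)."""
    return hazard_freq_per_year * p_fail_per_demand


def meets_release_criterion(hazard_freq_per_year, p_fail_per_demand):
    """True when the combined frequency is within the release-frequency target."""
    return release_frequency(hazard_freq_per_year, p_fail_per_demand) <= RELEASE_TARGET


def _normal_cdf(x):
    return 0.5 * (1.0 + math.erf(x / math.sqrt(2.0)))


def lognormal_fragility(median_capacity_g, beta):
    """Assumed fragility model (illustrative only): probability of failing to reach
    safe shutdown as a function of peak ground acceleration, lognormal with median
    capacity `median_capacity_g` and logarithmic standard deviation `beta`."""
    def p_fail(pga_g):
        return _normal_cdf(math.log(pga_g / median_capacity_g) / beta)
    return p_fail


def cliff_edge_scan(p_fail, start_g, stop_g, step_g, max_ratio):
    """Sensitivity study in the spirit of the text: step the hazard level up from
    the design basis and flag any step where the conditional failure probability
    jumps by more than `max_ratio` (a 'cliff edge'). Returns the flagged steps
    as (lower level, upper level, ratio)."""
    n_steps = int(round((stop_g - start_g) / step_g))
    # round() keeps the levels at clean decimal values despite float arithmetic
    levels = [round(start_g + i * step_g, 6) for i in range(n_steps + 1)]
    flagged = []
    for a_prev, a_next in zip(levels, levels[1:]):
        ratio = p_fail(a_next) / p_fail(a_prev)
        if ratio > max_ratio:
            flagged.append((a_prev, a_next, ratio))
    return flagged


def aircraft_release_frequency(crash_density_per_km2_year, vulnerable_area_km2,
                               p_release_given_hit, discounted=()):
    """Aircraft-crash screening as described in the text: predicted crash
    frequency per unit area for each aircraft class, times the area of the site
    that could give a significant release if hit, times the chance that a hit
    actually leads to release (consequential fire, fuel spillage etc.). Classes
    in `discounted` are those whose impact the buildings withstand; they
    contribute nothing."""
    total = 0.0
    for aircraft_class, density in crash_density_per_km2_year.items():
        if aircraft_class in discounted:
            continue
        total += density * vulnerable_area_km2 * p_release_given_hit[aircraft_class]
    return total


if __name__ == "__main__":
    # Seismic case: SSE at 0.25 g, assumed 1e-4/yr exceedance frequency at the site.
    p_fail_smooth = lognormal_fragility(median_capacity_g=1.0, beta=0.4)
    p_sse = p_fail_smooth(0.25)
    print(f"P(fail | SSE 0.25 g) = {p_sse:.2e}, criterion met: "
          f"{meets_release_criterion(HAZARD_FREQ_TARGET, p_sse)}")
    print("cliff edges above SSE (smooth fragility):",
          cliff_edge_scan(p_fail_smooth, 0.25, 0.50, 0.05, max_ratio=10.0))

    # Constructed aircraft data: crashes per km2 per year and release probability
    # given a hit on the vulnerable area; light aircraft and helicopters discounted.
    density = {"light": 1e-5, "helicopter": 2e-6, "civil_heavy": 2e-6, "military": 4e-6}
    p_release = {"light": 1.0, "helicopter": 1.0, "civil_heavy": 0.5, "military": 0.5}
    f_air = aircraft_release_frequency(density, 0.03, p_release,
                                       discounted=("light", "helicopter"))
    print(f"aircraft-crash release frequency ~ {f_air:.1e} per year")
```

With the assumed fragility the failure probability at 0.25 g is a few parts in 10⁴, inside the 10⁻³ per demand level, and successive 0.05 g steps above the SSE each raise it by well under a factor of ten, so no cliff edge is reported; substituting a fragility that jumps abruptly at some level above the SSE is flagged, which is the kind of behaviour the sensitivity studies in the text are meant to rule out. The aircraft figure with the constructed inputs comes out at roughly 10⁻⁷ per year, matching the order of magnitude the text quotes.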

For some hazards a probabilistic approach is not appropriate or, because of lack of data, not possible. In the case of precipitation, for example, normal UK practice is used; this is regarded as adequate when taking into consideration the segregation, redundancy and diversity in the plant. For sea flooding, as another example, a maximum credible sea level has been evaluated.