Fault studies are carried out to investigate the behav­iour of a nuclear power station under abnormal or accident conditions.

The studies, which are carried out during the con­ceptual and design stage, examine the temperature of fuel and any other sensitive components under fault conditions and the effectiveness of the various pro­tective devices in limiting the consequences of the fault. They also examine the capability of the essential plant required to maintain the reactor in a safe state after the shutdown has occurred, and the effective­ness of any long term remedial actions which the operator may take.

The studies form the basis for defining the safety limits to which the plant must be operated, the var­ious settings of the protection equipment and indicate the minimum amount of essential plant which must be available for use post-trip. The object is to ensure that for all credible accident conditions, the risk of a release of radioactive material to the environment is acceptably low.

For the latest stations, the acceptable release for any accidents is related to the estimated frequency of occurrence.

Table 4.13 shows the guidelines for the accidental releases of radioactivity. Releases of greater than 1 ERL are only acceptable at a frequency of the order of 10“fi per year.

Single faults with a calculated frequency lower than about 10“ per year are considered to be sufficiently unlikely not to warrant any detailed study of the con­sequences. These are termed incredible’ or ‘beyond design base’ faults.

For the earlier stations, the approach was less for­malised and the division between ‘credible’ and ‘incre­dible’ faults was based very largely upon engineering judgement, statistical analyses to estimate the frequen­cy of each fault were only rarely carried out. It is a requirement for all faults that there are two separate lines of protection via the safety circuits capable of causing the reactor to be safely shut down. These lines of protection should, if possible, be diverse in terms of the particular parameter being monitored. For example, one line of protection may detect a fault from the transient increase in neutron flux whilst the other detects the fault from the increase in channel gas outlet temperature. If diversity cannot be achieved and there are a large number of sensors, only a few of which are required to detect a fault, it may be possible to claim redundancy. Hence, channel gas out­let thermocouples may input into both lines of pro­tection on the grounds that only, say, three or four out of a few dozen need see the fault to cause the reactor to be shut down in safety. The studies establish which of these lines is the least effective and bases the operating limit on the assumption that the most effective line fails to function.

The types of fault considered for the three designs of reactor to be discussed here are very similar, al­though the inherent differences in the design of the plant result in difference in the treatment and in the consequences of particular events.