April 2012
Page 1 of 65
Draft 1.1
November 2011
Final Report to ONR on the application of the
ENSREG Stress Tests to the Sellafield Site
All Sellafield Limited Sites
Excellence in
Safe
Operations
Site
Resilience
Excellence in
Emergency
Preparedness
Excellence in
Security
April 2012
Page 2 of 65
Glossary of Terms
A
AC
ACP
AGR
ALARP
BRE
BSI
BSL
BWR
C
CCTV
CHP
cm
CF&R
CNC
CO2
COSR
CSF
DA
DB
DBA
DBE
DBF
DC
DMV
EIM&T
ENSREG
ENW
EPD
ESI
ESP
ESS
EU
fdSC
ft
GI
GMT
GNI
GT
GTG
Ha
HAL
HAST
HAZOP
HVAC
Hz
ICC
Amperes
alternating current
Access Control Point
Advanced Gas-cooled Reactor
As Low As Reasonably Practicable
Building Research Establishment
British Standards Institute
Basic Safety Level
Boiling Water Reactor
Celsius
Close Circuit Television
Combined Heat and Power
centimetre
Cumbria Fire and Rescue
Civil Nuclear Constabulary
carbon dioxide
Continued Operations Safety Report
Critical Safety Function
Diesel Alternator
Design Basis
Design Basis Analysis
Design Basis Earthquake
Design Basis Flood
direct current
District Monitoring Vehicle
Examination, Inspection, Maintenance and Testing
European Nuclear Safety Regulators Group
Electricity North West
Essential Power Distribution
Electricity Supply Industry
ElectroStatic Precipitator
Emergency Switching Schedule
European Union
fully developed Safety Case
feet
Guaranteed Interruptible
Greenwich Mean Time
Guaranteed Non-Interruptible
Grid Transformer
Gas Turbine Generator
Hectare
Highly Active Liquor
High Active Storage Tank
HAZard and OPerability study
High Volume Air Conditioning
Hertz
Incident Control Centre
April 2012
Page 3 of 65
IFP
km
kW
LFE
LFL
LLW
LLWR
LN2
LTPR
m
m3
mAOD
MDA
MSML
mm
mph
mSv
MW
NDA
NIA65
NMP
NPP
NRE
NSLC
ONR
PCM
pga
PMS
PSA
PSR
PWR
REPPIR
RESEP
S&SSM
SAA
SAMS
SBO
SEC
SECC
SED
SEI
SEMP
SMC
SF&R
SL
SLM
SLMS
SLP
SLCP
Insoluble Fission Products
kilometre
kiloWatt
Learning from Experience
Lower Flammable Level
Low Level Waste
Low Level Waste Repository
liquid nitrogen
Long Term Periodic Review
metre
cubic metres
metres above Ordnance Datum
Mobile Diesel Alternator
Minimum Safety Manning Level
millimetre
miles per hour
milliSievert
MegaWatt
Nuclear Decommissioning Authority
Nuclear Installations Act 1965 (as amended)
Nuclear Management Partners
Nuclear Power Plant
National Resilience Extranet
Nuclear Site Licence Condition
Office of Nuclear Regulation
Plutonium Contaminated Material
peak ground acceleration
Plant Maintenance Schedule
Probabilistic Safety Analysis
Periodic Safety Review
Pressurised Water Reactor
Radiation (Emergency Preparedness and Public Information) Regulations
REsilience Evaluation Process
Safety and Site Shift Manager
Severe Accident Analysis
Severe Accident Management Strategy
Site Black Out
Site Emergency Controller
Site Emergency Control Centre
Safety and Environment Detriment
Site Emergency Instruction
Site Emergency Monitoring Point
Strategic Management Centre
Sellafield Fire and Rescue
Sellafield Ltd
Sellafield Ltd Manual
Sellafield Ltd Management System
Sellafield Ltd Procedure
Sellafield Ltd Code of Practice
April 2012
Page 4 of 65
SLSP
SOER
SPMS
SQEP
SSC
SSG
te
UHF
UHS
UK
UPS
UU
W
WANO
WCECC
Sellafield Ltd Supporting Practice
Significant Operating Experience Report
Site Perimeter Monitoring System
Suitably Qualified and Experienced Person
Structures, Systems and Components
Sherwood Sandstone Group
tonne
Ultra High Frequency
Ultimate Heat Sink
United Kingdom
Uninterruptible Power Supply
United Utilities
Watt
World Association of Nuclear Operators
West Cumbria Emergency Control Centre
April 2012
Page 5 of 65
Table of Contents
Glossary of Terms ............................................................................................................... 2
Executive Summary ............................................................................................................ 6
Background ......................................................................................................................... 7
1
Introduction.................................................................................................................10
2
Systems for providing or supporting main safety functions ...................................14
3
Regulatory framework, license compliance and probabilistic safety assessment 23
4
Earthquake ..................................................................................................................28
5
Flooding ......................................................................................................................38
6
Extreme weather conditions ......................................................................................44
7
Loss of electrical power and loss of ultimate heat sink...........................................49
8
Severe Accident Management ...................................................................................52
9
Summary .....................................................................................................................62
April 2012
Page 6 of 65
Executive Summary
The Tohuku earthquake on 11 March 2011 and subsequent events have prompted
fundamental reviews of the resilience of nuclear power plants against a variety of extreme
situations such as those that occurred at the Fukushima Dai-ichi Nuclear Power Plant, i.e.
 an earthquake and/or flooding as an initiating event;
 the consequence(s) of loss of safety functions from any initiating event at the site
such as loss of electrical power, including Site Black Out (SBO), loss of ultimate
heat sink (UHS) and/or a combination of both; and
 severe accident management issues such as means to protect from and manage
loss of cooling and/or containment integrity.
This has required the establishment of a climate wherein nuclear professionals can
engage constructively with scenarios that they routinely strive to avoid in the course of
’normal’ operations and then progressively ’dismantle’ all of the support that they have
come to depend on before determining how resilient they truly are.
Sellafield Ltd (SL) has therefore developed the RESilience Evaluation Process (RESEP).
This report details the application of RESEP to plants at Sellafield which could generate
significant off-site radiological consequences so as to respond to the European Nuclear
Safety Regulators Group (ENSREG) questions as requested by the Office of Nuclear
Regulation (ONR). In doing so it makes a full response - for a diverse and complex
nuclear fuel cycle site – to questions designed for Nuclear Power Plants (NPPs).
On the basis of the current state of knowledge –
 A number of older plants will be adversely affected by a greater than design basis
earthquake (DBE).
 The site has adequate protection against both tidal and river flooding with the only
significant risk being that of an extreme rainfall event which could result in some shortterm surface water ponding.
 There is a high degree of diversity and redundancy for both on and off-site electricity
and water supplies.
 There are sufficient fuel stocks for Sellafield site to be self-sufficient for a seven day
loss of electricity supply from the national grid.
 The site has robust arrangements for a seven day loss of Ultimate Heat Sink (UHS)
which, in a Sellafield context, relates principally to diverse means for cooling Highly
Active Liquor (HAL), for keeping fuels wetted and for ventilation.
 Fuel ponds are unaffected by a seven day loss of cooling water make-up and relatively
robust to a Design Basis Accident.
 Local plant arrangements, which are designed to prevent a reasonably foreseeable
event arising, are robust.
 Existing site emergency arrangements, which are designed primarily to respond to a
reasonably foreseeable event in a single plant, would soon be strained by requests for
support to multiple plants as a consequence of an event with simultaneous site-wide
effects.
 There are opportunities to improve the emergency infrastructure in support of a
response to an extreme event such as those identified within this report.
These preliminary findings are brought together in a number of “considerations” to be
developed further as the basis for action by the Company.
The work undertaken to date, as detailed within this report, has identified no potential
deviations from the licensing basis.
April 2012
Page 7 of 65
Background
A Purpose and Scope
Following the Tohuku earthquake on 11 March 2011 and subsequent events at the
Fukushima Dai-ichi Nuclear Power Plant, the European Council on 24 and 25 March
declared that “the safety of all EU nuclear plants should be reviewed, on the basis of a
comprehensive and transparent risk assessment (“stress tests”)”. On 25 May 2011 the
European Commission and the European Nuclear Safety Regulators Group (ENSREG)
produced a joint specification for a three stage process of this “targeted reassessment of
the safety margins of nuclear power plants”. These “stress tests” are intended to highlight
the self-reliance of a nuclear power plant (NPP) against a variety of extreme situations
such as those that occurred at Fukushima, i.e.
 an earthquake and/or flooding as an initiating event;
 the consequence(s) of loss of safety functions from any initiating event conceivable
at the site such as loss of electrical power, including Site Black Out (SBO), loss of
Ultimate Heat Sink (UHS) and/or a combination of both; and
 severe accident management issues such as means to protect from and manage
loss of cooling and/or containment integrity.
On 1 June 2011 the Office for Nuclear Regulation (ONR) issued a request to all UK
nuclear operators, including Sellafield Limited (SL), to provide responses based on the
ENSREG “stress tests” for each of their sites. This has necessarily required a structured
interpretation by SL of many of the ENSREG “stress tests”, due to the radical differences
between an NPP and a complex and diverse multi-plant nuclear chemical processing site.
It has also required a clear definition of the Sellafield plants and supporting functions to
which they would be applied.
SL operates the Sellafield site (including Windscale), the Calder Hall nuclear power plant
and also the Capenhurst site, owned by the Nuclear Decommissioning Authority (NDA).
This paper represents the final report for the Sellafield site plants as of 30 June 2011.
Many of the scenarios set out in this report can only result from extreme events, i.e. those
involving the failure of multiple safety systems, prolonged (days rather than hours) loss of
utilities and services and the absence of assistance from outside of the site. Such
scenarios are often beyond, and in many cases significantly beyond, the current design
basis of for the plants and this RESEP analysis has yielded new insights.
B
Context
SL has established a Resilience Programme to deliver the totality of the company’s
response to the events at the Fukushima Dai-ichi NPP, including the recommendations
arising from the ONR Chief Inspector’s (”Weightman”) interim and final reports [1] [2]
which have several issues in common with the ENSREG “stress tests”. The Programme
comprises the following workstreams  assessment of current site resilience and definition of future resilience architecture;
 support to Japan; and
 stakeholder engagement.
April 2012
Page 8 of 65
C Sellafield response to ENSREG
C.1 Scope for radiological consequences
The ENSREG “stress tests” require evaluation of the resilience of a large number of
facilities on the Sellafield site and the integrated site as a whole. Sellafield has an
existing set of safety cases which are subject to regular review and update.
To provide a proportionate basis for applying the ENSREG “stress tests” it was necessary
to focus on significant plants. Accordingly all safety cases were reviewed for significant
potential fault sequences with an off-site consequence threshold of 10 mSv to the critical
group. This choice of 10 mSv threshold had already been used by SL as the starting
point for Severe Accident Analysis studies. In addition, the 10 mSv dose threshold is
broadly equivalent to that required for the Radiation (Emergency Preparedness and
Public Information) Regulations (REPPIR).
As a cross check an alternative method was also used. The Safety and Environment
Detriment (SED) Score is a prioritisation methodology used throughout the NDA estate. It
uses a combination of harm potential (essentially magnitude of inventory), form factors
(i.e. the physical state of the material – gas, liquid or solid), passivity and containment
condition. The integrated toxic potential and form factors were reviewed to identify a
number of facilities which may have the potential to give rise to significant offsite
consequences from an equivalent inventory standpoint (with a SED cut off value of
1x1010). This allowed a wider range of plants to be included, especially those more
modern facilities with more highly-engineered safety systems.
The combination of these criteria allowed a list of plants to be generated which were then
appropriately grouped to RESEP studies.
However it is important to note that these off-site consequences to the critical group and
the SED scores, and hence the RESEP screening criteria, are based on assumptions
which themselves are intended to support conservative decision making. Hence the offsite consequences of any release may be lower than predicted with the time to respond
somewhat longer.
D.2 The RESilience Evaluation Process (RESEP)
The RESEP process has been developed as a structured and consistent approach to
resilience assessment for the Sellafield site that satisfies the requirements of the
ENSREG stress tests. Additionally, ENSREG set the background scenarios as being, “the
most unfavourable operational states that are permitted under plant technical
specifications” for plants configured and operated as at 30 June 2011 with all plants being
supposed to be simultaneously affected and offsite power assumed to be lost for several
days, the site isolated from delivery of heavy material for seventy two hours and portable
lightweight equipment for twenty four hours.
The RESEP process was a staged assessment which included a screening process to
identify those requiring further consideration due to their inventory and those plants that
could not give rise to a significant off site consequence (greater than 10 mSv to the critical
group) either because their inventory is low or non-mobile. The process  allows for progression of events from individual plant to whole site, including
‘domino’ effects;
 searches for ‘cliff edge’ effects and enables development of timelines for critical
mitigating response actions;
 assesses infrastructure requirements both on- and off-site to identify opportunities
for resilience enhancement; and
April 2012
Page 9 of 65

provides a key focus for damage control teams.
Summaries of the RESEP reports were considered by the relevant Management Safety
Committee(s) and the resultant recommendations will be included in phase 2 of the Site
Resilience Programme commencing in 2012.
The RESEP approach will also be applied to significant changes in configuration of
existing plants or introduction of new plants following the ENSREG ‘cut off’ date (i.e. 30
June 2011) as the site continues to develop.
Discussions are ongoing with both ONR and other licensees regarding the use of the
ALARP process for determining the implementation of improvements within the Site
Resilience Programme. The following principles (agreed at an ONR-industry workshop on
24 August 2011) will be observed as part of the decision making process in consideration
of significant improvement opportunities  the ALARP framework is appropriate;
 cost benefit analysis is of very limited value;
 qualitative judgement is key;
 balanced judgement is informed by “relevant good practice and LFE”;
 implementation must be credible in an accident situation;
 simple flexible solutions are preferred; and
 actions should be informed by the residual plant life (or time at risk).
Options will be exposed to appropriate internal challenge and peer review as part of
making any capital investment decisions at Sellafield.
April 2012
Page 10 of 65
1
Introduction
1.1
Brief description of the Sellafield site
The Sellafield nuclear licensed site is owned on behalf of Her Majesty’s Government
(HMG), by the Nuclear Decommissioning Authority (NDA), and is operated by
Sellafield Ltd. (SL; the Site Licence Company) under the shareholding of Nuclear
Management Partners (NMP; the Parent Body Organisation) (see Figure 1.1).
Regulatory bodies inc Office for Nuclear Regulation,
Health and Safety Executive, Environment Agency
Figure 1.1 Management arrangements for the Sellafield site
The Sellafield site has been operational since the 1940s when it was used as a Royal
Ordnance factory supporting the war effort. The site is also home to the world’s first
commercial scale nuclear power station, Calder Hall, which operated successfully from
1956 to 2003.
Today the site comprises a wide range of nuclear facilities, including seven reactors all
of which are shutdown and undergoing defuelling/decommissioning, as well as
operating facilities associated with the Magnox reprocessing programme, the Thermal
Oxide Reprocessing Plant (THORP) and a range of waste treatment plants.
Decommissioning and clean-up
 Legacy Ponds and Silos are historic facilities which contain Magnox fuel and
reactor fuel from the Windscale Pile reactors, and cladding swarf from early
reprocessing operations on the site. Work is ongoing to retrieve and treat the
material held in these facilities so that the facilities can be decommissioned.
 Primary Separation Plant was Sellafield’s first reprocessing facility which began
operations in 1952 and was used to process reactor fuel and support initial
efforts in oxide reprocessing in the early 1970s. The facility is currently
undergoing decommissioning.
 Pile 1 and Pile 2 were the first nuclear reactors at Sellafield; both were shut
down following the 1957 fire in Pile 1. Work is ongoing to decommission both
piles.
 Windscale Advanced Gas-Cooled Reactor was a small prototype reactor which
was the forerunner to the UK’s second generation of nuclear power plants.
Having ceased operations in 1981, it is now effectively decommissioned.
 Calder Hall was the world’s first commercial scale nuclear power plant which
was officially opened in 1956. The four-unit plant ceased generating electricity
in 2003 and is currently undergoing de-fuelling.
April 2012
Page 11 of 65
Commercial operations
 Fuel Handling Plant receives Magnox and AGR spent fuel and stores it in
ponds for a predetermined period prior to being conditioned for reprocessing
and transfer to the Magnox and THORP plants respectively.
 Magnox Reprocessing Plant is used to reprocess Magnox fuel from throughout
the UK.
 Thermal Oxide Reprocessing Plant (THORP) is used to receive, store and
reprocess Oxide fuel from both UK and overseas.
 Sellafield MOx Plant was used to manufacture Mixed Oxide fuel for overseas
customers. It ceased operation in 2011 and is currently undergoing run-down
and POCO activities.
Nuclear waste treatment/processing
 Highly Active Liquor Evaporation and Storage uses evaporators to concentrate
Highly Active Liquor (HAL) prior to being processed in WVP. HA liquor
operations commenced in the early 1950s.
 Waste Vitrification Plant (WVP) processes HAL into solid form by incorporating
it into glass, followed by a period of on-site storage. This process dates from
the 1980s.
 Effluent and Encapsulation Plant facilities process intermediate level solid
waste and liquid effluents generated across the Sellafield site prior to final
encapsulation or discharge/disposal to the environment within appropriate
permit conditions and limits (including application of Best Available Techniques
to minimise discharge/disposal).
Waste and product storage facilities
 Sellafield Product and Residue Store provides safe storage for materials
produced as a result of reprocessing operations at Sellafield.
 Encapsulated Product Stores are drum stores for Intermediate Level Wastes.
 Residue Export Facility is used to load canisters of vitrified high active waste
into flasks for export back to overseas customers.
The site also has a wide range of support buildings including, but not limited to, offices,
workshops, flask maintenance, utilities, analytical laboratories, emergency
management, fire and rescue, Occupational Health etc. as well as an on-site rail
network and the Fellside Combined Heat and Power Plant.
Hence, as previously discussed, there are significant differences between NPPs, for
which the ENSREG “stress tests” were originally intended, and the Sellafield site. In
the case of NPPs the consequences of a significant fault may be quickly apparent,
whereas, at Sellafield the processes are at comparatively lower temperatures and
pressures with relatively lower rates of change due to loss of cooling. Consequences
of a significant fault at Sellafield are more directly related to the large inventories of
radioactive materials and the conditions of storage.
1.2
Geography and topography
The Sellafield site, which employs ~10,000 full-time equivalent staff, is located on the
West Cumbrian coast adjacent to the Irish Sea on the western outskirts of the Lake
District National Park (see Figure 1.2) and within the catchments of the rivers Calder
and Ehen. The site licensed boundary encompasses an approximate area of 276 Ha
and is located at 54N, 3W. The site is mainly in the Parish of St Bridget Beckermet,
within the Copeland District of the County of Cumbria. The major local towns of
April 2012
Page 12 of 65
Whitehaven, Workington and Barrow are approximately 14 km to the north, 25 km to
the north and 38 km to the southeast respectively. There are about 200 people living
within 2 km of the site: the nearest settlement of any size is Seascale 2.5 km distant,
with a population of about 1800 [4].
The nearest main road is the A595 single carriageway which passes within ~1.5 km of
the Sellafield site to the east. Smaller approach roads to Sellafield site are used by
Sellafield traffic with access via four principal pedestrian/vehicle gates. The Network
Rail line from Whitehaven to Barrow passes close to the Sellafield site. A branch line
onto Sellafield site is used to receive spent reactor fuel from power stations, bulk
chemicals and to export Low Level Waste (LLW) to LLWR and High Level Waste
(HLW) to overseas customers.
The site topographical range is +9.00 to +48.00 metres Above Ordnance Datum
(mAOD).
The approximate linear distances from the site in kilometres to other nearby
installations and their approximate orientation with respect to Sellafield are Low Level Waste Repository (LLWR)
Heysham Nuclear Power Stations
Chapelcross Nuclear Power Station (ceased operations in 2004)
Westinghouse Springfields (fuel manufacturing)
5 km SE
60km SE
70 km N
80 km SE
The countryside immediately around the Sellafield site is mainly utilised for farming or
residential purposes. There are no significant industrial establishments within 5 km of
the Sellafield site; the nearest significant establishment in the chemical and allied
industries is a contract manufacturer and processor of custom chemicals at
Workington (32 km north). The gas platforms in Morecambe Bay are, at nearest, 50
km away and gas from the field is landed at Barrow (38 km southeast). The nearest
military site is a firing range at Eskmeals (15 km south).
The volume of aircraft traffic in the Sellafield area is low. The nearest airports are at
Carlisle (70 km north) and Barrow (40 km south) neither of which presently represents
significant commercial activity locations. All aircraft (commercial, military and general)
are restricted from flying at a height of less than 2200 ft within a circle of radius 3.7 km
around the Sellafield site.
April 2012
Page 13 of 65
SELLAFIELD
Figure 1.2 Sellafield location
1.3
Site radiological inventory
Detailed inventories of all radioactive materials and wastes are published every three
years. The most recent - UK Radioactive Waste Inventory Report 2010 - is available
on the NDA website [5].
April 2012
Page 14 of 65
2
Systems for providing or supporting main safety functions
Nuclear safety is a key aspect of all operations (see Figure 1.3) on the Sellafield site.
Safe operating conditions are ensured by keeping all nuclear materials contained and
controlled at all times, i.e.
 maintaining containment;
 maintaining cooling;
 preventing criticality with fissile materials;
 controlling chemical reactions that could challenge containment; and
 controlling discharges;
and personal behaviours in which it is incumbent on all personnel to make high
quality, safe decisions when faced with uncertain operating conditions.
Improved Safety
Margins achieved
through Operational
Nuclear Safety Focus
Noncompliance
Safe Operating
Envelope as defined
by Operating Rules
Figure 1.3 The Operating Envelope Model
Defence in depth is maintained through multiple barriers each of which must be treated as
if it were the only one, i.e.
 prevention
o design of facilities/equipment, e.g. geometrically safe fissile material vessels;
 protection
o provision of engineered protective systems, e.g. hardwired trips and interlocks;
o provision of operational controls, e.g. visual monitoring and operating instructions;
and
 mitigation
o provision of mitigating systems, e.g. ventilation systems and air monitoring.
April 2012
Page 15 of 65
2.1.1
Reactivity control
Reactivity control, i.e. the avoidance of a criticality in a Sellafield nuclear context, is
ensured by the safe geometry, safe mass and spacing or moderator content. The
potential loss of any one of these controls is compensated for by application of the
‘defence in depth’ approach in basic design. In general, an on-site criticality cannot
lead directly to an off-site dose to the critical group in excess of 5 mSv although it is
noted that the much higher on-site doses would inevitably place significant demands
on site emergency arrangements and significantly impede some recovery options.
CONSIDERATION 1: provide local neutron inhibiting materials
for emergency deployment to prevent/halt a potential criticality
excursion
2.1.2
Heat transfer from reactor to the ultimate heat sink
Although there are no operational reactors at Sellafield, for which heat transfer from
reactor to the ultimate heat sink (UHS) is directly relevant, it is noted that there are a
number of plants which rely, because of the self-heating properties of the materials
handled, on some type of forced water/air cooling so as to prevent an off-site release
of radioactive material.
High Active Liquors
High Active Liquors (HAL) in High Active Storage Tanks (HASTs) and process vessels
are cooled by in-situ cooling coils and jackets supplied by diverse cooling water
networks.
Each HAST contains several internal cooling coils, both horizontal and vertical (see
Figure 1.4). Heat from liquor stored in any of these tanks is removed by circulating
cooling water between the operational cooling tower through the coils and back to the
tower.
To prevent activity breakthrough into the cooling water system, cooling components
(other than evaporator coils and jackets during heating/cooling changeover) are
operated with waterside pressure higher than the maximum process side pressure.
Each HAST has more than one monitoring pot and a monitoring pot alarm system
which is set to trigger the auto valves to close on alarm. All monitoring pots and their
alarm systems must have a constant cooling water flow through them.
The water flowing through the coils, as indicated by flowmeters, is maintained at
flowrates which regulate the liquor temperature such that it is above the crystallisation
temperature and below the upper limit requirements. A working limit for the tank liquor
temperature is imposed in order to give a margin of safety between normal operating
temperature and the maximum permitted temperature.
CONSIDERATION 2: review the arrangements for providing
alternative sources of cooling water to HASTs in extreme
circumstances
April 2012
Page 16 of 65
Figure 1.4 Photograph illustrating internals of HAST
Magnox fuel
Magnox fuel in loaded flasks, skips and magazines is either kept immersed in water or,
when exposed, kept wetted using installed water sprays within the process cells.
Oxide fuel
Oxide fuel fines in process vessels are kept wetted by the process liquors.
Product and residues
Canned product and residues are cooled via either forced or passive (i.e. reliant on
natural convection) ventilation depending on the design of the store.
Any such
ventilation can often be re-configured as necessary, i.e. via dampers or removal of
plugs, or else supplemented by local fans. However the off-site consequences of a
prolonged loss of cooling are much less than 10 mSv to the critical group therefore
product and residue cans are not discussed further in this report
2.1.3
Heat transfer from spent fuel pools to the ultimate heat sink (UHS)
Sellafield has seven fuel storage ponds; five ponds are operational and two ponds are
non-operational legacy facilities but still contain fuel inventories. Studies undertaken
to identify fuel pond dependency on utilities, such as power, cooling, steam etc., have
established that four of the ponds have no requirement for cooling due to either a very
low fuel heat loading and/or very long term (greater than twenty years) cooled fuel.
The remaining three ponds have pumped cooling water circulation.
Bounding calculations undertaken to consider fuel heat loadings and the associated
thermal challenge to the pond have established that, in a ‘loss of cooling water’
scenario, it is possible for the residual heat loading (range 1.2 to 1.7 MW) of the fuel to
heat the pond to boiling point. However it is concluded that in practice, with the
current inventories, the ponds will not reach 100 C. On this basis evaporative losses
will reduce water levels relatively slowly (i.e. over several weeks).
Therefore maintaining fuel cooling is only likely to be an issue if there was a significant
loss of water resulting from a breach of the pond floor or walls. Hence there are no offsite consequences resulting from a loss of pond cooling for at least seven days
provided that water cover can be maintained.
April 2012
Page 17 of 65
2.1.4
AC power supply
2.1.4.1 Off-site power supply
The Sellafield site is a node connection point on the 132 kV District Network electrical
grid in West Cumbria and benefits from several supply connections to the national grid
network. These lines are configured in pairs with each pair supplied from an
independent grid supply and using different pylon routings. Any single 132 kV grid
connection can supply the entire site electrical load.
Additional lines deliver power to Sellafield from the adjacent Fellside Combined Heat
and Power (CHP) plant. However Fellside is not self-sufficient; it requires at least one
of the 132kV grid connection lines to start-up and/or to continue to operate. Therefore
Sellafield cannot operate in an “island” mode with supplies from Fellside alone.
Off-site supply routes are to standard District Network design. The diverse sources of
the lines ensure that grid disturbances are unlikely to affect all of the lines and it is
policy never to have more than two of these feeder lines out of service at any one time
for planned maintenance.
Off-site power can fail for a number of reasons and sufficient operational history exists
to evaluate the likelihood of such failures. There is no history of extreme seismic or
weather events envisaged by these stress tests.
Operational experience from sixty years of Sellafield operations shows no
simultaneous failure of all electrical feeds to site.
2.1.4.2 Power distribution inside the plant
On site a 132 kV substation feeds separately located pairs of 132/11 kV transformers,
configured in segregated dual circuits, any one of which has the capacity to support
essential site loads. The main feeds into site from the 132 kV substation are stepped
down to 11 kV for site distribution in grid transformers (GTs); two GTs supply
redundantly each of the on-site primary substations and 12 MVA interconnectors allow
cross-connection of these primary substations such that any grid transformer can
supply all essential site loads. Connections from the substations supply all other toplevel 11 kV substations.
The Sellafield distribution system, which is therefore best described as two firm
networks with interconnect ability, includes many substations, each employing two
11kV:415V transformers and associated connection cables (separated by at least 2 m,
or physically protected/shielded, to protect against common damage from fire or
excavation). The system incorporates more than 100 km of high-voltage cable.
A duty Telecontrol computer monitors distribution system conditions, operates
individual switchgear under operator direction and operates switchgear throughout the
system using operator-selectable, pre-programmed schedules for a wide variety of
distribution system operations. Telecontrol drives standby panels that compose a
communications system to signal site status and electrical plant actions. A standby
Telecontrol computer mimics the duty one and can take control in case of failures
(error conditions) in the duty unit.
The 132 kV system is not seismically qualified. Since the early 1980s all new 11kV
substations have been designed to be operable following a design basis earthquake
(0.25g) and are located above the design basis flood level (132 kV substation +26.1
mAOD; primary 11 kV substations +23.3 and +20.9 mAOD).
April 2012
Page 18 of 65
The distribution system uses protection systems that discriminate between faults so
that they do not propagate to other parts of the system. Most protection schemes
follow old CEGB schemes; generally the system uses circuit breakers for 400 A and
higher circuits and fuse switches for lower power circuits, although some fuse switches
are used in circuits up to 800A and some oil-filled breakers remain. Local solid-state
rectifiers at each substation provide DC control power for breakers located at that
substation.
Separate battery-backed DC power systems are provided for control and switching of
the 11 kV Substations, for the 415V distribution substations and for the
switchgear/load centers in the process plants (see Figure 1.5). Within a substation, 11
kV is stepped down to 415V to the Level 1 boards and fuse switches connect the Level
1 boards to the essential power distribution (EPD) boards, where battery chargers
provide DC control voltage through additional fuse switches to the DC loads.
Figure 1.5 DC control power standard supply arrangement
2.1.4.3 Main ordinary on-site source for back-up power supply
Normal AC power could be lost to the entire site, affecting all facilities, by the loss of
off-site power or multiple failures in the incoming substation or to an individual process
plant by selected failures within the on-site distribution network. Therefore regular
reviews of standby power generation requirements are undertaken.
In the highly unlikely (yet possible) event of zero national grid supply/connections
being available, the site has adequate fixed emergency 11 kV electrical generation, in
the form of diesel alternators (DA) and gas turbine generators (GTG), to satisfy safety
demands.
A few on-site facilities also have fixed emergency generators installed for the same
purpose.
The DAs and GTGs are directly connected to the on-site electrical distribution system
and are designed to feed essential plant distribution systems in each of the sensitive
facilities across the site. These generators are tested regularly at full load and the
arrangements to re-establish essential power supplies to all sensitive Sellafield plants
were exercised successfully (as far as possible without exposing the site to
unnecessary risks) in April 2011.
April 2012
Page 19 of 65
The PRISMIC computers control any combination of DAs and GTGs. The operator
can select the priority for starting the standby generators and can set a differential
between what is running and current electrical load or else demand that all of the
generators run.
During loss-of-grid events, the duty Telecontrol distribution management computer and
the duty PRISMIC power management computer assist the operators in restoring
electrical power to site, i.e. the former signals plant standby control panels that the grid
has been lost and runs Emergency Switching Schedules (ESS) and the latter then
primes and runs up the DAs. Telecontrol then uses fixed software schedules to ensure
early restoration to important loads, to geographically spread restoration and to take
credible steps to increase load and ensure the stability of restoration. The approach
provides some diversity and can be revised as site priorities change.
The general order for restoration of loads is to site utilities (as they provide fixed loads
and are needed by all plants), to highest-risk priority systems and then to additional
loads in priority order. Currently one or more of the site air compressors are normally
used as the base load when starting the standby generators. In reality all plants
requiring emergency power from central generation should have their electricity back
in a timely manner thereby allowing UPS etc. to recharge and instruments to reboot
before the individual plant instruction to start a large load.
The DAs and the GTGs are housed in separate locations; it is unlikely that a single
incident would disable all DAs and/or GTGs.
The DAs are ‘black start’ design, i.e. self-reliant for initial start-up. The DAs require
compressed air to start, cooling water, fuel (gas oil) and 50 V DC supply to the control
instruments to operate –
 each DA has an air receiver which holds sufficient air for multiple starts;
 cooling water is normally fed from the ring main; there is an emergency cooling
water tank that can feed all four DAs;
 each DA has a dedicated ‘day tank’ to supply gas oil; and
 the 50 V DC supply is battery-backed.
The DAs will power the primary 11 kV substation which will then feed other substations
as per the agreed ‘Standby Power schedule’.
The GTGs need power to start, i.e. they cannot ‘black start’, and operate. This is
normally supplied from the primary 11 kV substation which is powered by the DAs. If
this is not available then the GTGs can be powered by a mobile diesel alternator
(MDA). In this scenario the GTGs would be configured to power the primary 11 kV
substation. The GTGs do not require cooling water but they do require fuel (gas oil) to
operate.
Both the DAs and GTGs could be adversely affected by very high concentrations of
atmospheric particulates.
Each of the fixed DAs and GTGs will operate for several hours from their local reserve
tanks without replenishment.
However, even if sufficient DAs and GTGs start and accept load, power to process
plants will have been interrupted and any electric-powered process equipment not
powered from an Uninterruptable Power Supply (UPS) will stop. Essential safety,
control and security systems are supplied from locally-based battery back-up UPS,
designed to maintain this essential functionality until the site emergency power supply
is re-established.
April 2012
Page 20 of 65
On grid failure there are significant fuel supplies in on-site storage tanks to last for
several days. Under normal circumstances the fuel supply contractor can respond with
a tanker delivery within forty eight hours (i.e. well within the duration of the on-site
reserves) with further deliveries being required daily thereafter.
There are further significant potential fuel supplies at the Fellside CHP plant.
CONSIDERATION 3: review the arrangements for management
of site fuel stocks
CONSIDERATION 4: procure a bowser/road tanker capable of
transferring fuel efficiently around the site
2.1.4.4 Diverse permanently installed on-site sources for back-up power
supply
Fellside CHP
Fellside CHP plant provides both high and low pressure steam and ~170 MW
electricity supply to both Sellafield and the national grid. However Fellside CHP plant
was never designed to operate independently; it is not self-sufficient and requires at
least one of the 132 kV grid connection lines to start-up and/or to continue to operate.
Therefore Sellafield cannot operate in an ’island’ mode with supplies from Fellside
alone. It would not in any case be practicable to operate the CHP plant independent
of the grid with only Sellafield as its electrical load.
The Fellside CHP site includes on-site fuel storage. At times of national grid failure
CHP gas turbines would not be operating and the CHP auxiliary boiler does not
operate on fuel oil. In future this fuel stock would be the back-up fuel for the Fellside
boiler park following loss of the CHP gas supply. The CHP fuel stocks could therefore
also be used to supplement site supplies and provide a few weeks of fuel supply.
Mobile Diesel Alternators
in the unlikely event that the highly redundant and diverse normal and standby power
systems fail, Sellafield also maintains a fleet of mobile, trailer-mounted, 415 V diesel
generators (MDAs), ranging from 50 kW up to 1 MW capacity, some of which have
synchroscopes and are hence capable of synchronising to live circuits.
The MDAs are housed in diverse locations across the site, all of which have been
assessed as able to withstand a 0.25g seismic event.
The MDAs can be connected to engineered input points clearly-labelled and located
on the outside wall of a plant and these external connectors are wired to an in-plant
EPD via fuse switches (see Figure 1.6).
MDAs are managed by Site Utilities with the capability to deploy an MDA in a timely
manner, allowing for the discovery of power failure, transport and hook up of the MDA
itself. However this specifically does not recognise simultaneous and competing
demands for the same personnel arising from an SBO, the need to deploy several
MDAs and/or unfavourable transport conditions arising from a severe event and/or
severe weather conditions. Further resourcing would also be required to ensure
maintaining adequate levels of diesel fuel in MDAs and fixed generators and boilers.
April 2012
Page 21 of 65
Figure 1.6 Arrangement for attaching MDA to site buildings
CONSIDERATION 5: review the manning levels required to
respond to prioritized site demands during a major event
The MDA connection points on primary buildings are inspected frequently and have
recently had identification and phase labeling renewed. Some plants have completed
a full deployment and connection of an MDA to the EPD. MDAs are started weekly
and periodically tested on load.
CONSIDERATION 6: develop a programme to deploy, connect
and test MDAs to EPD connection points routinely on safety
significant plants
2.1.5
Batteries for DC power supply
Within the process plants, important loads are protected against power interruptions by
’Guaranteed Interruptible’ (GI), ’Guaranteed Non-Interruptible’ (GNI) and
’Uninterruptible Power Supplies’ (UPS) –
GI power supplies are derived from EPD and essential low-voltage distribution
switchboards/distribution boards. GI power supplies provide good reliability, with a
firm supply basis, and are guaranteed (by design and practice) to be restored within a
few hours of total power supply failure.
GNI power supplies are derived from a UPS (see Figure 1.7) and provide the best
reliability. They are designed to see no power interruption resulting from power dips or
loss of the main supply. They depend on the battery back-up time and whether the
UPS is connected to an EPD switchboard (GI supply) or a ’normal’ power supply.
Each critical plant has UPS within the facility and their own safety cases define the
required battery capacity.
Local UPS battery banks are stored in engineered racks in dedicated ventilated plant
rooms located so as to provide protection from both internal and external hazards.
The 415 V 50 Hz ‘A’ essential supply feeds a local charger which in turn charges the
battery strings which comprise each battery bank. Mains back-up is provided by
Reserve ‘B’ supply. Alternative means of recharging would necessitate a locallydeployed MDA.
April 2012
Page 22 of 65
Figure 1.7 Typical UPS design in Sellafield process plants
UPS supplies provide back-up supply to essential instrumentation (for control and/or
monitoring purposes), as defined within plant safety cases, in the event of mains
supply ‘A’ failure. Any additional dependencies are specified within plant safety cases
on an individual basis.
The only additional UPS functionality of relevance to these “stress tests” is that
associated with the battery-backed fans to maintain ventilation for the wet storage of
Magnox wastes. In the case of this additional ventilation UPS, a dedicated installed
diesel alternator (DA) must be started if the fans are expected to operate from the
battery supply so as to keep the batteries charged.
April 2012
Page 23 of 65
3
3.1
Regulatory framework, license compliance and safety assessment
Regulatory framework
SL, like its counterparts in other industries and places of work in general, is required
to comply with the Health and Safety at Work etc Act 1974 (HSW Act). The HSW Act
places a fundamental duty on employers to ensure, so far as is reasonably
practicable, the health, safety and welfare at work of all their employees. It also
imposes a duty to ensure, so far as is reasonably practicable, that persons not in their
employment are not exposed to risks to their health or safety as a result of the
activities undertaken.
In determining whether any measures are necessary to reduce risk and achieve
compliance with the HSW Act, employers must compare the sacrifice involved,
whether in money, time or trouble, and the risk which would be averted by their
implementation. Such measures should be implemented unless the sacrifice is
grossly disproportionate to the risk that would be averted, i.e. risks must be reduced
to a level that is as low as reasonably practicable (ALARP) [6] [7].
SL must also comply with the Nuclear Installations Act 1965 (as amended) (NIA65)
which requires the licensing of sites for an indefinite term; each nuclear site licence is
unique to its site. NIA65 allows ONR to attach to each nuclear site licence such
conditions as it considers necessary or desirable in the interests of safety or with
respect to the handling, treatment or disposal of nuclear materials. ONR also has
power to add, vary or revoke conditions, so providing scope for the licence to be
tailored to specific circumstances and the phase of the installation’s life.
ONR has developed a standard set of 36 conditions [8] which are attached to all
nuclear site licences. The licence conditions provide the basis for regulation by ONR.
They do not relieve the licensee of the responsibility for safety. They are nonprescriptive and set goals that the licensee is responsible for meeting, amongst other
things, by applying detailed safety standards and safe procedures for the facility. The
arrangements, which a licensee develops to meet the requirements of the licence
conditions, constitute elements of a nuclear safety management system. ONR
reviews the licensee’s licence condition compliance arrangements to see they are
clear and unambiguous and address the main safety issues adequately. Procedures
which comply with site licence conditions are likely to satisfy other requirements
under the HSW Act which relate to nuclear safety hazards, e.g. the Management of
Heath and Safety at Work Regulations.
Furthermore the Radiation (Emergency Preparedness and Public Information)
Regulations (REPPIR) establish a framework of emergency preparedness measures
to ensure that the population local to the site is informed and prepared, in advance,
about what to do in the unlikely event of a radiation emergency occurring and
provided with information if a radiation emergency actually occurs.
REPPIR places obligations on the licensee to produce an emergency plan for dealing
with any reasonably foreseeable radiation emergency, as well as providing prior
information to the population around the site. REPPIR also places duties on the local
authority in whose area the site is based, to prepare (and if necessary, implement) an
offsite emergency plan for dealing with the consequences of any reasonably
foreseeable radiation emergency in an area determined by ONR. The local authority
is also required to ensure that relevant information is supplied to the affected
population in the event that a radiation emergency should occur.
April 2012
Page 24 of 65
Other relevant legislation is contained in the Management of Health and Safety at
Work Regulations that require, among other things, a suitable and sufficient risk
assessment, and in the other regulations made under the HSW Act, e.g. Provision
and Use of Work Equipment Regulations; Lifting Operations and Lifting Equipment
Regulations; Personal Protective Equipment at Work Regulations; Pressure Systems
Safety Regulations; Control of Major Accident Hazards Regulations (as amended)
and Dangerous Substances and Explosive Atmospheres Regulations. SL must
comply with these regulations in the same way as any other employer, and the codes
of practice associated with these regulations will often contain relevant good practice
that can be used in safety cases when demonstrating what is reasonably practicable.
Not all relevant legislation is covered by the HSW Act. Other examples include the
Anti-Terrorism, Crime and Security Act 2001 and its subordinate Nuclear Industry
Security Regulations, the Electricity Act 1989, the Environmental Protection Act 1990,
the Radioactive Substances Act 1993, various planning acts and the Building Act
1984 and its subordinate Building Regulations.
3.2
Compliance of Sellafield with its current licensing basis
Nuclear Site Licence Condition (NSLC) 14 requires “adequate arrangements for the
production and assessment of safety cases consisting of documentation to justify
safety during the design, construction, manufacture, commissioning, operation and
decommissioning phases of the installation.” The Safety Case covers all activities on
the site, the hazards associated with these and the safety measures, whether
engineered or procedural, necessary to protect against or mitigate these hazards. The
Safety Case defines “conditions and limits necessary in the interests of safety” on
plant operation; these form the Operating Rules (NSLC 23) which are implemented in
accordance with operating instructions (NSLC 24). By operating within these limits
and conditions, the so-called ‘safe operating envelope’, it is shown that risks are
adequately controlled and that safety significant issues have been addressed.
NSLC 28 requires “adequate arrangements for the regular and systematic
examination, inspection, maintenance and testing of all plant which may affect safety”,
i.e. safety systems and components designated within the Safety Case, so as to
ensure that they remain available and able provide their claimed safety function. All
such plant are registered within Plant Maintenance Schedules (PMS) which both
prompt and retain adequate records (in accordance with NSLC 25) of the EIM&T; civil
structural inspections are carried out in accordance with defined asset care schedules.
NSLC 12 requires “adequate arrangements to ensure that only suitably qualified and
experienced persons perform any duties which may affect the safety of operations on
the site” and “the appointment, in appropriate cases, of duly authorised persons to
control and supervise operations which may affect plant safety.” Such persons will be
suitably trained in accordance with NSLC 10.
NSLC 11 requires “adequate arrangements for dealing with any accident or
emergency arising on the site and their effects.” Such arrangements also encompass
the specific requirements of REPPIR.
NSLC 22 requires “adequate arrangements to control any modification or experiment
carried out on any part of the existing plant or processes which may affect safety.”
Such modifications must be classified according to their safety significance.
NSLC 15 requires “adequate arrangements for the periodic and systematic review and
reassessment of safety cases” to ensure that the cumulative effects of operating
experience, plant modifications and plant ageing, are considered in totality. Such
April 2012
Page 25 of 65
Periodic Safety Reviews are undertaken on a ten-yearly cycle and present an
opportunity to re-evaluate existing plants against modern design standards (e.g.
seismic) as well as to review estimates of external hazards (e.g. magnitude frequency
values, data and methodological developments and consideration of climate change)
and their impact over the remaining lifetime of the facilities.
L99 are a set of “understandings” between SL and ONR, established since the joint
Licensee/Regulator initiative which commenced in 1995 (commonly referred to as
‘Winter Seminar’), which are “binding on both parties” and provide guidance on
specific aspects of safety and engineering analysis required to produce an adequate
safety case in accordance with NSLCs 14 and 15.
The Sellafield Ltd. Management System (SLMS), underpinned by the SLMS
Compliance framework, details the arrangements for compliance with these
requirements.
3.3
Potential deviations from the licensing basis and actions to address those
deviations
SL use ‘Mandatory Assessments’ to investigate potential safety shortfalls resulting
from on-site or off-site operating experience feedback and initiate appropriate actions
to address such shortfalls.
Furthermore, as a member of WANO, SL responds to Significant Operating
Experience Reports (SOERs). Following the Tohuku earthquake, SL has provided
specific responses to  WANO SOER 2011-2
Fukushima Daiichi Nuclear Station Fuel Damage
Caused by Earthquake and Tsunami; and
 WANO SOER 2011-3
Fukushima Daiichi Nuclear Station Spent Fuel
Pool/Pond Loss of Cooling and Makeup
SL is currently considering its response to  WANO SOER 2011-4 (draft) Extended Loss of All AC Power Actions in
Response to the Fukushima Daiichi Event.
The work undertaken to date, as detailed within this report, has identified no
potential deviations from the licensing basis.
3.4
Scope and main results of Probabilistic Safety Assessments
In order to develop a safety case(s) for nuclear operations it is necessary to undertake
safety analysis. Such analysis is key in identifying initiating events and event
sequences that might contribute significantly to risk, providing realistic quantitative
measures of the likelihood of the risk contributors, providing a realistic evaluation of
the potential consequences associated with hypothetical accident sequences and
providing a reasonable risk-based framework for making decisions regarding siting,
design and operation.
Three forms of analysis can be used to establish a safety case for fault and accident
conditions: design basis analysis (DBA), probabilistic safety analysis (PSA) and severe
accident analysis (SAA) –
 DBA is focused on the key safety measures for those initiating faults that are
most significant in terms of frequency and unmitigated potential consequences;
 PSA looks at the full range of fault sequences and allows full incorporation of
the reliability and failure probability of the safety measures and other features of
the design and operations; and
April 2012
Page 26 of 65

SAA considers significant but unlikely accidents and provides information on
their progression, both within the facility and also beyond the site boundary.
For many years SL used PSA, and comparisons with a set of radiological risk criteria,
as the principal means for demonstrating the adequacy of safety of non-reactor
nuclear plant. The relevant radiological risk criteria were defined essentially in such a
way that the overall risk from a plant, if the criteria were satisfied, would be at the
‘broadly acceptable’ level; there was in addition, an overriding obligation to
demonstrate that any residual risk was ALARP. For operational plants the outcomes
of these assessments were reported in fully developed Safety Cases (fdSCs).
Whilst there had always been an element of deterministic assessment of safety, this
had not been by use of any formal analysis technique. However, in the late 1990s, the
requirement to demonstrate the adequacy of safety by means of a formal, structured,
deterministic method (in addition to the use of PSA) highlighted some degree of noncompatibility between the deterministic and probabilistic approaches and identified the
need for changes to the method in use for the design of safety measures. For
operational plants, the outcomes of these assessments were reported in Continued
Operation Safety Reports (COSRs).
Fault modelling and risk analysis is an important contributor to safety cases for nuclear
chemical plant. A wide variety of hazard identification techniques are well established
in the nuclear and chemical industries. Plants design, assessment of continued
operations, plant modifications and decommissioning studies all extensively utilise
HAZOPs (HAZard and OPerability studies) as a key part of the safety assessment
process.
Risk analysis is then undertaken leading to the identification and
determination of fault sequences utilising the initiating events identified by HAZOP to
potential outcomes. Consequences are determined using data from plant inventories
and release fraction models. Fault frequencies are estimated using both site specific
and generic reliability data using fault and event trees as appropriate. The safety
assessment process includes the identification of safety measures or barriers to the
fault progression. Design-basis and probabilistic analysis is required to demonstrate
that deterministic and risk criteria are met. Data and tools are needed for fault analysis
include initiating event frequency data, failure probability data for safety systems, fault
and event tree analysis, dependent failures analysis and human reliability analysis.
These tools and techniques have been developed by SL over a twenty year period.
Nuclear facility safety cases must also demonstrate adequate robustness against both
natural and man-made external hazards. The most significant hazards are considered
to be earthquake, extreme weather (especially wind and flooding) and aircraft crash.
SL currently uses sophisticated, largely deterministic, methods to analyse plants for
the effects of external hazards.
Natural phenomena more extreme than those experienced on a day-to-day basis have
the potential to challenge safety systems protecting against radiological (and other)
consequences and so generate risk (see Table 1.1). SL standards require that their
effect on the safety of plants and processes is assessed and that the risks are shown
to be tolerable, ALARP and not disproportionate against risk from other sources. An
important aspect of natural hazards is that unlike man-made hazards and plantinitiated faults, they can affect a whole site and the surrounding district at the same
time.
April 2012
Page 27 of 65
Hazards that could sensibly affect the site fall into two distinct categories –

Sudden energetic hazards (e.g. earthquake, extreme wind, flooding and
precipitation) capable of inflicting severe damage on structures and potentially
leading to radioactivity release in a time-frame too short to allow significant
operator intervention. These may require some measure of numerical or
probabilistic assessment.

Slower acting extreme natural effects (e.g. extreme temperature and snowfall)
that do not act in a dynamic fashion but which could cause failures leading to
radioactive consequences if a plant had insufficient engineering safeguards or if
pre-defined operational intervention to counter the hazard was not carried out.
These require consideration of the deterministic adequacy of engineering
provisions and the possibility of control of consequences by operational means
(i.e. responding to weather forecasts).
Hazards requiring full
treatment in all safety
cases
Generic Hazards affecting the Site but not uniformly
(Consider in individual plant safety cases as appropriate)
Natural
Earthquake shaking,
Extreme wind,
Extreme high and low
temperature,
Snow loading,
Aircraft crash,
Failure of adjacent
structures.
Flooding (rainfall),
Flooding (river),
Flooding (marine),
Snow, hail, ice, frost.
Man-made
On-site transportation, storage and
handling of hazardous substances,
On-site missiles, projectiles,
On-site fire/explosion,
Vehicle impacts,
Flooding from man-made sources.
Low Significance Hazard: do not require to be
considered in individual plant assessments
Acceptably remote, nonprobabilistic or prevented by
design or operational measures
Tsunami,
Seiche (oscillation of waterbody),
Seismically induced changes in
river or ground water flow,
Landslide/ avalanche,
Soil shrink/swell,
Off-site fire,
Meteorites,
Coastal erosion,
Drought,
Natural methane,
Off-site transportation, storage
and handling of hazardous
substances,
Off-site missiles/projectiles,
Military activity,
Mining, quarrying, tunnelling,
Agricultural activity,
Pollution of water supplies.
Hazards Prevented by
Engineering Safeguards
and Operational
Arrangements
Not credible
Volcanic activity,
Glaciation/ice cover,
High/low sea
temperature,
Seaweed, fish,
Marine pollutants.
Construction activities,
Electro-magnetic
interference,
Lightning,
Fog, humidity,
Water table,
Insects, birds, rodents,
other animals,
Sandstorm,
Coastal atmosphere,
Aquatic debris.
Table 1.1 Potential external hazards for Sellafield
Whilst for existing plants that pre-date extreme hazards design, tolerability may be
judged against a 1 in 1,000 year event, the primary level of intensity hazard against
which assessment is required is that corresponding to an annual probability of
exceedance of 1x10-4, i.e. the intensity with a 10,000 year return period. This applies
regardless of the original design basis of the plant. This return period is adopted as
the deterministic design basis, against which tolerability can be judged, because of the
difficulty of predicting the relationship between probability and intensity for more
remote events. The possibility of disproportionate risk from more severe events is
addressed by searching for ‘cliff edge’ effects beyond the design basis level; a margin
earthquake of 0.35g (3.4x10-5 per year level) is used for such ‘cliff edge’ analysis. Prior
to the Tohuku earthquake, SL was already developing a better way to take account of
beyond design basis earthquakes than this margin earthquake and will continue to do
so.
All Sellafield Limited Sites
Excellence in
Safe
Operations
Site
Resilience
Excellence in
Security
April 2012
Page 28 of 65
Excellence in
Emergency
Preparedness
4
Design basis
Geological information on site
The geological sequence at the Sellafield site comprises made ground deposits,
quaternary fluvial-glacial deposits and bedrock (see Figure 2.1).
Made ground – comprising disturbed, mixed and re-deposited natural ground and a
proportion of building debris (e.g. brick, concrete, tarmac, wood, wire, plastic etc.) in a
layer (ranging from less than 1 m to over 5 m) across the majority of the Sellafield site
arising from a long history of repeated excavation, construction, backfilling and
landscaping works.
Quaternary deposits (drift) – comprising a sequence of unconsolidated gravels, sands,
silts and clays which are very variable in thickness (maximum thickness of 74 m) and
lithology from predominantly glacial and fluvial origins.
Bedrock – comprising the Triassic Calder and Ormskirk sandstone formations of the
Sherwood Sandstone Group (SSG); the deeper Permian, Carboniferous and
Ordovician formations are not considered relevant. The SSG strata beneath the
Sellafield area ranges in thickness between 650 m and 1150 m, (averaging at about
800m thickness) and dips towards the southwest with an average inclination of 25.
Figure 2.1 Geological description of the Sellafield region
April 2012
Page 29 of 65
4.1
Design basis earthquake (DBE)
The extent of seismic qualification depends upon the type of plant or structure and its
required performance. To determine how a plant will respond to a particular seismic
event requires engineering parameters to be derived from seismological data such as
earthquake magnitude, distance from the epicentre and ground motion prediction
equations.
Since about 1980, new plants built at Sellafield have followed company standards in
respect of the seismic hazard. These currently require plants to be seismically
qualified, i.e. designed to prevent earthquake-induced failures where such failure
would otherwise lead to specified radiological consequence thresholds being
exceeded. At present the DBE is one with a conservatively determined 1 in 10,000
annual probability of exceedance (equivalent to a ground acceleration of 0.25g);
before 1983 it was 0.125g, and prior to that it was a quasi-static force of 0.1g.
The oldest plants, which predate any seismic standards, were subjected to Seismic
Damage Assessment (SDA) between 1985 and 1990 and this has indicated the likely
extent of damage from earthquakes; the damage was estimated with a confidence
level varying from the conservative side of mean and tending towards a 95%
confidence in a 5% probability of not being exceeded.
Some buildings that have been modified or extended therefore conform to a mixture of
seismic standards.
4.2
Methodology used to evaluate the DBE
Statistical analysis of historical data and expected frequency of DBE
An appraisal of British earthquakes [9] concluded that seismic activity varied
considerably from one area to another within Great Britain. This prompted a site
specific study to quantify the seismic hazard at the Sellafield site which concluded that
the Sellafield site is situated in one of the more seismic regions of Great Britain (see
Figures 2.2 and 2.3).
Figure 2.2 Seismicity (since 1650) within 100km of Sellafield
April 2012
Page 30 of 65
Figure 2.3 Seismicity (since 1650) within 50km of Sellafield
Further studies determined the confidence levels on the acceleration levels (see Table
2.1).
Confidence levels
50%
Best estimate (~ 70%)
75%
90%
95%
British average
0.175g
0.186g
0.192g
0.212g
0.225g
Sellafield site
0.227g
0.241g
0.248g
0.269g
0.283g
Table 2.1 Confidence levels on seismic acceleration levels
Calculations show that most of the risk results from moderate shallow-near field
earthquakes close to the site. The annual probabilities of exceedance for various peak
ground accelerations calculated based on several historical earthquakes considered
for the Sellafield area are presented in Table 2.2.
Peak Ground Acceleration
Annual Probability of Exceedance
0.125g
1.1 x 10
0.24g
1 x 10
0.25g
0.87 x 10
0.35g
3.4 x 10
-3
-4
-4
-5
Table 2.2 Annual Probabilities of Exceedance for seismic events in the
Sellafield area
Therefore the adopted site seismic hazard levels conservatively adopted for Sellafield
are as presented in Table 2.3.
April 2012
Page 31 of 65
Description
Intensity (pga)
Return period
Comments
Operating
Basis
Earthquake
0.05g
1 in 50 years
Plants must shutdown and carry
out and inspection before
restart.
Old Plant
design
criteria
0.125g
1 in 1000 years
Design criteria used for relevant
plants which pre-date the New
Plant design criteria.
New Plant
design
criteria
0.25g
1 in 10,000 years
Design criteria used for relevant
plants from the early 1980s
onwards. This also requires
assessment against a 0.35g
‘cliff edge’ event to demonstrate
robust design.
Table 2.3 Sellafield Site seismic hazard levels
These design parameters are further illustrated and contextualised in Figure 2.4.
There have been a range of seismic hazard studies at the Sellafield site over the last
20 years with the most recent being the detailed studies for the possible construction
of the then (1998) new-build NPP and the NIREX Repository. These reaffirm that it
remains appropriate to use 0.25g peak ground acceleration as a 10 -4 per annum
hazard; this conclusion was endorsed in an independent assessment for ONR.
Further confidence is provided by the fact that these levels are equal to the highest
levels for the design of UK dams [10].
Studies initiated shortly prior to the Tohuku earthquake show that there is an arbitrary
and unnecessary conservativism between SL’s design spectra and the design spectra
corresponding to a 10-5 per annum probability of unacceptable performance. The
conservatism varies between 1.2 and 2.0 over the response frequency 1 to 12 Hz that
is most likely to cause structural damage. An outcome of this work is that the facilities
designed to SL’s current standards have less than a 10-5 per annum probability of
failing to meet their specified seismic performance criteria. This gives confidence that
both modern and older facilities could in reality withstand earthquakes significantly
beyond the levels herein specified.
April 2012
Page 32 of 65
Figure 2.4 Earthquakes – a guide to size, examples, effects and design parameters.
April 2012
Page 33 of 65
4.2.1
Provisions to protect the plant against the DBE
Studies of the predicted seismic performance of the Sellafield site concluded that a
number of buildings would be subject to varying degrees of failure during a severe
seismic event. However recent analysis indicated that the majority of plants would
either be able to achieve a safe shutdown state in the event of a DBE or else result in
off-site consequences below the RESEP threshold of 10 mSv to the critical group.
Significant work is already being undertaken to reduce the risk for high-hazard plants –
 processing and/or transferring of materials into more seismically-robust
wasteforms and/or stores; and
 improved containment, encapsulation and seismically-qualified liquor recovery
systems.
The safety case process requires that key structures, systems and components (SSC)
are identified and their safety functionality substantiated to the required level of
confidence. Discussion of all SSC across Sellafield plants that are required for
achieving safe shutdown state is therefore inappropriate within this report. Instead
discussion is limited to the following materials wherein the associated plants have SSC
that are required for achieving a safe shutdown state and for which their loss during an
earthquake would result in off-site consequences greater than 10 mSv to the critical
group.
Magnox waste
Magnox waste in wet storage evolves hydrogen as it corrodes and hence hydrogen
must be continually dispersed via forced ventilation systems. Following loss of
ventilation a build-up of hydrogen to explosive levels and subsequent deflagrations
could defeat the integrity of primary containment and lead to loss of liquor to the
environment.
A 0.25g earthquake would almost certainly result in failure of SSCs relating to
ventilation systems as well as potential damage to the fans themselves and associated
battery-back-ups. Furthermore, although it is anticipated that any breaches in primary
containment will be within the capacity of the existing recovery systems, there is an
implicit reliance on the availability of such systems.
CONSIDERATION 7: enhance the robustness of the forced
ventilation system for Magnox wastes to a severe seismic
event
CONSIDERATION 8: review the potential for trapped hydrogen
with the Magnox waste matrix being liberated as a result of a
severe seismic event
High Active Liquors
High Active Liquors (HAL) within storage tanks (HASTs) are cooled by in-situ cooling
coils and jackets which can be fed from a number of diverse sources including the
River Calder. Under normal operating conditions cooling water is circulated via one of
several cooling towers.
The limited seismic response of some ancilliary plant and its likely collapse during a
0.25g earthquake (potentially damaging adjacent plant) would adversely affect the
distribution of water, steam, compressed air and electricity necessary to maintain
cooling to the HASTs.
April 2012
Page 34 of 65
Magnox fuel
Significant remedial work has already been carried out within the earliest Magnox fuel
storage pond to ensure that breached pipework in the pond release material into a
drain trench from which both water and sludge is then automatically detected and
recovered to pond; all related pumps and generators are seismically-qualified. Water
arising from smaller leaks could be returned to pond via compressed air sandpiper
pumps. Therefore, although the pond walls will likely develop significant cracking
sufficient to cause substantial leakage of water, this is extremely unlikely to result in a
pond dry-out especially since the pond base lies below ground level, approximately
equivalent to single skip stack height and bulk sludge levels in the main pond.
Solid Waste
Disturbance of sealed containers containing uranium or sodium within the waste could
result in a local fire which could then spread and, if allowed to burn for several days,
could lead to loss of containment and large aerial releases. To minimise this risk of a
fire, the waste is retained under an inert argon gas blanket so as to keep oxygen levels
below the lower flammable limit. The argon is supplied from independent systems
which could remain self-sufficient for several weeks even at minimum argon stock
levels.
4.2.2
Main operating contingencies in case of damage that could be caused
by an earthquake and could threaten achieving safe shutdown state
The Sellafield site has installed two seismometers, with alarm thresholds set at the
Operating Basis Earthquake (i.e. 0.05g), that are linked to the British Geological
Survey national network. As part of the arrangements, the British Geological Survey
would inform Sellafield of all large distant events detected by the network. Hence, if
there were to be an event with the potential to affect the site, early advice would be
available to enable precautionary measures to be taken through modification of
existing arrangements for marine flooding.
Main operating contingencies in case of damage will vary according to plant and the
critical safety function and may include –
 temporary containment, e.g. bunds, windbreaks, overbuilding/cover (e.g. with
tarpaulin), sand/gravel, fixative sprays etc.
 temporary shielding, e.g. shield wall, earth, concrete etc.;
 criticality prevention, e.g. use of neutron inhibitor(s); and
 cooling, e.g. hosed water / local air ventilation as appropriate.
4.2.3
Protection against indirect effects of the earthquake
Spent fuel storage ponds
The most recent analysis indicates that spent fuel storage ponds would be expected to
remain intact albeit, with the exception of the Magnox fuel storage ponds, with some
new cracking and propagation of existing ones; any seepage would not be significant.
In the case of the earliest Magnox fuel storage pond, previous assessments have
considered the possible outcomes and there are already provisions for crack repair
using dedicated repair plates, water containment, and various pumping systems. The
success of these measures will then be dependent upon the position of the
cracks/breaches and the loss rate. It should be remembered however that this pond is
partially set below ground level and so leakage will be reduced somewhat as the level
falls to a point just covering a single array of fuel skips and sludge levels.
April 2012
Page 35 of 65
The later Magnox fuel storage pond was designed to prevailing seismic standards at
the time. Subsequently a number of shortfalls have been identified in its seismic
performance at 0.125g during COSR. These could result in leakage in the range 1100 m3/hour; from a 0.25g earthquake; a subjective assessment of potential leakage
might be 10 m3/hour from each pond. Although this will not result in an off-site
consequence greater than 10 mSv to the critical group it could potentially result in
significant localised flooding with contaminated water.
CONSIDERATION 9: obtain skid-mounted diesel pumps for
potential deployment in the later Magnox fuel storage pond
following a severe seismic event
CONSIDERATION 10: review the robustness of alternative
power supplies sufficient to allow timely crack repair (using
already available dedicated repair plates, water containment
and various pumping systems) following a severe seismic
event
Bridges
Studies of the seismic resilience of the bridges over the River Calder, which connect
the east and west sides of the Sellafield site, conclude that emergency vehicles and
personnel would be still be able to use the bridges following a seismic event and that
the bridge on the A595 at Calderbridge is also considered likely to be passable after
such an event. Those bridges that have required seismic qualification to fulfil their
safety functions have been assessed to an event with a return period of 1x10 -3
(0.125g) or 1x10-4 (0.25g).
The latest study concluded that the probability of complete collapse of the bridges was
very low, although some structural damage was likely (to lateral restraint guideplates,
stone facing on abutments, damage to waterproof seals on expansion joints & bridge
bearings).
CONSIDERATION 11: seismically enhance existing bridges
across the River Calder and develop the ability to deploy
temporary structures
4.2.4
Other indirect effects (e.g. fire or explosion)
4.2.4
Magnox fuel
The Magnox reprocessing dissolver is designed to shutdown safely under multiple
scenarios both with and without UPS. However in the event of plant damage the
resulting position of the dissolver, and hence its contents, is unknown and so the
possibility of a dissolver fuel fire, due to overheating of the partially dissolved fuel rods
following protracted exposure above liquor, cannot be discounted. Camera inspection,
thermal imaging or alternative methods would need to be deployed to identify the
condition of the dissolver and its contents; such methods would currently be
dependent on SF&R and the ability to deploy personnel trained in wearing selfcontained breathing apparatus.
Cooling water, from automatic gravity-fed supplies within the building, dry risers or via
an alternative source, can be used either to feed through the dissolver’s cooling jacket,
or to be applied directly into the dissolver from the Emergency Water Head Tank or
alternative supply. As the fuel load could theoretically be self-heating (unlikely to be an
issue at current batch sizes) this would have the added benefit of diluting the solution
April 2012
Page 36 of 65
and thereby reducing the risk of any such self-heating; however detailed calculations
on self-heating and quantities of water required are yet to be completed.
CONSIDERATION 12: confirm realistic rates of self-heating
within Magnox fuel undergoing reprocessing and the minimum
quantity of water required to prevent self-ignition on potential
loss of cooling
Solid waste
As discussed previously, disturbance of sealed containers potentially containing
uranium or sodium within the waste could result in a local fire which could then spread
and, if allowed to burn for several days, could lead to loss of containment and large
aerial releases. In the event of such a fire there are currently no specific contingency
plans in place to extinguish the fire partly because of the emphasis on fire prevention
and partly because of the difficulty in fighting such a fire were it to be allowed to
progress. This difficulty arises with respect to fire fighting media, as water or foam
may initiate a release of hydrogen and present an explosion hazard, nitrogen could
support combustion forming nitrides, and CO2 can be reduced by burning Magnox
which could then continue to burn in the absence of oxygen. Limiting/mitigating
actions may include cooling the waste facility walls, extinguishing the fire using
sand/concrete, preventing the fire from spreading using fire breaks or preventing
contamination spread by covering the waste facility with a heat resistant sheet.
CONSIDERATION 13: develop and substantiate specific
contingency plans to extinguish a fire within solid waste
facilities
4.2.5
Earthquake-induced flooding
4.2.5
Changes in river and ground water flows
A secondary effect of a significant earthquake could be the initiation of land slips on
unstable slopes above lakes or rivers upstream of site and alterations to ground water
flow patterns.
The closest major lake, Wastwater (~ 10 km due east of Sellafield) outflows along the
River Irt, which flows southwest before discharging to the Irish Sea at Ravenglass (~
10 km southeast of Sellafield); this route and the surrounding topography suggest that
any resulting flow would be very unlikely to reach the Sellafield site.
However the next closest major lake, Ennerdale, located ~20 km northeast of
Sellafield, outflows into the River Ehen before discharging to the Irish Sea at Sellafield
and therefore could conceivably affect the site if water were suddenly to be displaced
from lake to river although any such pulse would be greatly attenuated by the time it
approached the Sellafield site. The effects of abnormal water levels in the Ehen due to
intense rainfall are discussed in Section 5.
The River Calder runs, in parts of its higher course, in steeply-sided valleys and
lengths of gorge. Slope failures in these areas could conceivably block or restrict the
channel and lead to the hold-up of water behind potentially unstable barriers.
April 2012
Page 37 of 65
Tsunami
DEFRA concluded in 2005 [11] that the probability of a tsunami hitting the UK is
extremely low and therefore the risks from tsunami are considered insignificant; this
conclusion was reaffirmed in 2011 within the ONR ‘Weightman’ reports on the
response to the Japanese Earthquake and Tsunami [1] [2].
There are also a number of local features that give confidence that risk of inundation
of the Sellafield site by tsunamis is extremely low  The coastline in the vicinity of the site is open without marked inlets or bays
where local effects could interact with successive tsunami waves and amplify
their height.
 The Irish Sea is a fairly shallow area compared to the deep ocean to the north
and south. Therefore, any tsunami waves entering the Irish Sea would tend to
be slowed, increasing their height and the rate at which their energy is
dissipated as they travel through these shallower waters.
 A relatively deep channel exceeding 100 m in depth (with a maximum of 315 m)
runs through the west of the Irish Sea connecting to the Atlantic Ocean via St.
George’s Channel to the south and North Channel/Malin Shelf to the north. It is
considered that the main energy of any tsunami wave entering the Irish Sea
would tend to be focused along and through this channel. In contrast, the
waters in the eastern part of the Irish Sea are significantly shallower, being less
than 50 m deep in general.
 There are no submarine features, such as east-west running canyons, which
would tend to focus the tsunami energy towards Sellafield. Those canyon-like
features that do exist run parallel to the coast and are located several miles
offshore.
It is therefore concluded that there is a very low risk of inundation to safety-related
facilities at Sellafield for all credible sources of tsunami.
Seiche
The only water body whose overflow, caused by surface disturbance (i.e. a seiche),
could conceivably affect the Sellafield site is Ennerdale as discussed previously.
Nearer water bodies such as Brow Top Reservoir, Meadley Reservoir, Rowrah quarry
and Lingbeck (Ponsonby) Tarn are small and would not present a hazard to the site if
subject to a seiche.
April 2012
Page 38 of 65
5
Flooding
Hydrology
Sellafield is located within the surface water catchments of the Rivers Calder and
Ehen. The River Calder catchment, including its subsidiary stream, Newmill Beck, has
a total area of 55.5 km2, while the River Ehen catchment has a total area of 156.6 km 2.
The site is located at the down-gradient end of the River Calder catchment.
The River Calder flows through the site in a south-southwesterly direction and forms a
natural barrier separating the west and east areas of site. A section of the River
Calder was realigned in 1974-5 and was designed to convey a rate of flow of 310
m3/sec arising from a 10,000 year flood (as then assessed). Since its realignment, the
river has scoured out a deeper bed for itself, thus lowering the bed level by up to 1.5 m
and increasing in its flow capacity.
The River Ehen flows in a south-southeasterly direction along the southwestern site
boundary, where it merges with the River Calder before flowing across the beach to
discharge into the Irish Sea. Newmill Beck flows around the southeastern corner of
the site, where it has been culverted to divert its flow around a licensed landfill and
beneath the coastal railway line. Beyond the railway, it feeds two small ponds above
the high water mark at the beach before discharging, via another culvert, into the River
Calder. The site slopes gently from its inland boundary towards the coast with a
decrease in ground elevation from approximately +40 mAOD to +9 mAOD.
Two additional minor streams flow into the River Calder at Sellafield. Seaburn Beck
drains into the river from its western side and flows through the northern end of
Sellafield. The second is an unnamed stream that drains towards the river from its
eastern side and flows through the site, although it does not discharge directly into the
river. Instead it is intercepted and drains to the Irish Sea via an offshore pipeline.
Both streams are partly culverted within the site boundaries. The location of the
culverted section of Seaburn Beck has been modified several times since 1946.
Analysis of seasonal river flow hydrographs for the Rivers Calder and Ehen indicates
that they respond relatively rapidly to rainfall events due to the steep topography and
rapid surface runoff in the catchment headwaters. Consistent flow to the river channel
from groundwater is observed throughout the year, although baseflow indices are
likely to increase between catchments as a function of the proportion of sandstone
within that catchment.
Flows through the Calder and Ehen vary seasonally, but typical averages are
1.5  105 m3 per day based on 1930 mm rainfall per year for the Calder, and
5.2  105 m3 per day based on 1750 mm rainfall per year for the Ehen.
The coastline around Sellafield and further south comprises a sandy beach backed by
low sparsely vegetated sand dunes and silted inlets. To the north the coast rises to St
Bees Head where there are steep cliffs (about 100 m) of Triassic Sandstone.
Groundwater abstractions
Water is supplied to the Sellafield site from a variety of sources.
Tidal patterns
The maximum tidal range and tidal current are 8.4 m and 1.6 knots (0.82 ms -1, 3.0
km/hour) at spring tides and 3.3 m and 0.5 knots (0.26 ms -1, 0.93 km/hour) at neap
tides. Tidal currents in the vicinity are approximately parallel to the coast (i.e. northwest).
April 2012
Page 39 of 65
Normal tidal ranges are –
Mean Low Water Springs -3.40 mAOD
Mean Low Water Neaps
-1.75 mAOD
Mean High Water Neaps
+2.10 mAOD
Mean High Water Springs +4.00 mAOD
5.1 Design basis flood (DBF)
Flooding, from whatever source, and extreme precipitation (except very significant
snow accumulation) are generally unlikely to result in a structural failures due to
overloading (though this may be relevant in a very limited number of instances where
plant could be exposed to rapidly moving flood water and detritus). Normally the main
concern is water gaining access to SSCs and dispersing radioactivity, affecting nuclear
safety or interfering with the correct operation of CE&I systems. These issues are best
addressed on a deterministic basis by examining the adequacy of the plant design and
construction to resist the challenge presented by the extreme 1x10 -4 per year flooding
event. Again, any possibility of consequences arising from a somewhat larger ‘cliffedge’ event should become obvious during the analysis.
Work has been undertaken to determine which parts of the Sellafield site are at risk of
flooding from wave/tidal action, extreme flows in the Rivers Calder and Ehen and
extreme rainfall events on and local to the site. The site generally has adequate
protection against external flooding with the only significant risk arising from extreme
rainfall. However the nature of such occurrences are relatively low dynamic and
extremely unlikely to result in the additional mechanical damage which arises from
high dynamic events through the force of water and entrained debris.
Tidal
Estimated 10,000 year tides would be lower than the site topographical range (+9.00
to +48.00 mAOD) and therefore would not present a credible risk of flooding 10,000 year
7.39 mAOD
10,000 year + 1.5 m wave
8.89 mAOD
Climate change (10,000 year 8.06 mAOD tide + 1.67 m wave)
9.73 mAOD
River
The estimated 1 in 10,000 year flow in the River Calder would be approximately 326
m3/sec as compared with the original design of the straightened river for 310 m3/sec.
This presents a very slight but credible risk of fluvial flooding on the east bank at the
upstream end of the Calder Hall site. However the topography of River Calder north of
the site up to Calderbridge is likely to prevent any such flows through site.
CONSIDERATION 14: consider the need to engineer additional
flood defences alongside the River Calder
Rainfall
Following an extreme rainstorm with 0.01% probability of being exceeded in any year,
i.e. a return period of 1 in 10,000-years, it was concluded that –

The site slopes from north to south and surface runoff flows in this general
direction.
April 2012
Page 40 of 65

The major outflow points for the surface runoff are to the River Calder,
across the railway at the southern extent of the site to the River Ehen and
across the main road to Sellafield Tarn.

The network of service trenches and ducts has sufficient capacity to convey
the flow that they receive without any overtopping. However not all of these
‘ditches’ will be full and overland flow must occur before the water can enter
the ditch system. Thus this considerable volume will not prevent some
surface flooding but will provide significant storage.

The central built-up area contributes a large volume of surface runoff that is
in excess to the capacity of the dedicated drain water facility. Furthermore
the initial volume of water in the facility and the pumping rate are important
parameters in determining the timing and amount of surface run-off.

The ‘one-hour event’ produces a larger flood outline in the northern areas of the
site than the ‘two-hour event’. The flooding is generally deeper in the southern
areas of the site during the ‘two-hour event’ compared with the ‘one-hour event’.

The blockage of mesh fences up to a depth of 0.3 m by debris transported by
the floodwaters has an impact on the flow routes and the extent of flooding on
the site.
CONSIDERATION 15: undertake more detailed modeling of
surface run-off and drainage within built-up areas of the site
CONSIDERATION 16: review the resilience of the current
arrangements to pump out the central drainage water
collection and discharge system
CONSIDERATION 17: utilise the design of any future changes
to the site infrastructure to direct rainfall flood flows so as to
minimise ponding
CONSIDERATION 18: re-engineer applicable flood defences to
address very severe rainfall flooding
CONSIDERATION 19: take local actions to address potential
vulnerabilities to flooding of individual EPD boards and MDA
connection points
CONSIDERATION 20: consider the procurement of prefabricated flood barriers for local ad hoc deployment
5.2
Methodology used to evaluate the DBF
The rainfall totals were estimated using the Flood Estimation Handbook [12] and two
durations were considered, i.e. 124 mm and 148 mm rainfall depth for rainstorms of
one- and two-hour durations respectively (see Figures 3.1 and 3.2); sensitivity to
climate change was considered by increasing the estimates by 30% for each return
period in accordance with DEFRA guidance [13]. Although the rainfall depth is greater
for the longer storm the intensity of the shorter storm is much greater (35 mm h-1
compared to 24 mm h-1). These rainfall estimates, together with standard Summer
April 2012
Page 41 of 65
rainfall profiles, were used as inputs into models of the subsurface drainage of the
Sellafield site using proprietary software which was then used to show where the
capacity of the sub-surface drains is exceeded and surcharging of manholes or
culverts occurs. Such an intense storm with a return period of 1 in 10,000 years would
be more likely to be caused by summer convective rainfall centered on the Sellafield
site and this is in any case the recommended profile for generating design storms in
built-up areas. The volume of water coming out of, or unable to drain into, the subsurface system will flow over the site governed by general topography, buildings,
roads and other features such as the large surface ducts.
The pattern of flooding for the two storms is similar, with more widespread flooding
from the one-hour storm but increased depths predicted during the two-hour storm.
More widespread flooding from the one-hour storm is experienced because the
drainage system is less able to cope with the high intensity rain associated with the
shorter storm and a greater number of manholes surcharge across the site .
Figure 3.1 Rainfall depths and intensities of design storms
CC denotes climate change
Figure 3.2 Rainfall profiles for 1- and 2-hour duration storms with 10,000 year
return period
Parallel consideration of the river and tidal flood risk affecting the Sellafield site
provides the boundary conditions for the surface and sub-surface modelling by
determining whether the outfalls from the site were able to drain freely. A conservative
study of the River Calder found that a 1 in 10,000-year rainstorm which encompasses
the entire Calder catchment (see Figure 3.3) would likely prevent the free outflow at
several of the outfalls discharging from the site.
April 2012
Page 42 of 65
The river itself possesses a steep channel through the site and is relatively insensitive
to tide levels. The tidal flood study found that most of the Sellafield site is above
extreme tide levels and it is extremely improbable that a site-centered 10,000-year
rainstorm, which is likely to occur during the summer, would coincide with extreme tide
levels associated with winter storm surges; it could however coincide with a spring
tide.
Figure 3.3 Calder catchment area (red) and area of design storm (blue)
External man-made sources
The Brow Top Reservoirs are located ~2 km from the Sellafield site and at a higher
elevation. On sudden failure, the contents of ~5000 m3 would drain into a stream
which joins the River Ehen. The Meadley Reservoir above Cleator Moor would drain
into the higher reaches of the Ehen. Abnormal events affecting the Ehen do not have
the potential to affect the Sellafield site and therefore neither of these two reservoirs
presents a credible hazard to the site.
5.3
Provisions to protect the plant against the DBF
Localised flooding (due to failure of service lines, obstruction of surface water
drains/run offs) of a small number of facilities (ground level switch rooms) could result
in localised loss of power to safety systems and impede the connection of alternative
power supplies (e.g. MDAs).
Reference is made to current flood studies during new design and construction works
at Sellafield so as to identify potential flooding issues and mitigate them through siting,
finished floor levels and engineering of additional drainage works (e.g. a flood
channel). Where flood risks are identified to existing plants, as a result of Periodic
Safety Review and/or plant modifications, then such options are either no longer
possible (e.g. siting and finished floor levels) or else become increasingly impractical
(e.g. engineering of additional drainage works). Recourse would then be made to the
retrofitting of flood protection (e.g. flood protection doors).
April 2012
Page 43 of 65
Warnings of extremely high tidal surges or heavy rainfall which is likely to result in
localised flooding will be issued by the Environment Agency, Meteorological Office or
HM Coastguard to the S&SSM who will then relay the necessary warnings to building
managers (via SECC) who will then take appropriate local action, e.g. onward briefing
of personnel, closing of doors/louvres/windows, temporary bunding (using sandbags),
protection of switchgear from water ingress etc.
5.4
Situation outside the plant, including preventing or delaying access of
personnel and equipment to the site
Recent experience [14] has demonstrated the vulnerability of the off-site infrastructure
with severe damage to many roads (including the loss of significant road bridges) and
the inundation of others as drainage was overwhelmed and surface water run-off
flooded highways. This loss of functionality was soon compounded by traffic
congestion throughout the day and very long queues on the diversionary routes which
had insufficient capacity to accommodate the diverted traffic. It is therefore to be
expected that there would be significant delays in access of personnel and equipment
to the site. Such delays are anticipated within RESEP and form the basis of a
sensitivity analysis in the resulting timelines.
April 2012
Page 44 of 65
6
Extreme weather conditions
Meteorology
The site is adjacent to the Irish Sea on the southwest-facing stretch of the Cumbrian
coastline. The foot of the Cumbrian Mountains lies some 2 or 3 km to the northeast,
these mountains rising to a maximum height of 977 m on Scafell Pike, the highest
point in England, 19 km to the east. The site therefore receives no shelter from the
prevailing humid, often cloudy and rain-bearing, winds from the southwest but does
receive strong shelter from north-northeasterly through easterly to southeasterly
directions. As these are also the coldest wind directions in winter, this factor
combined with the relative winter warmth of the adjacent sea, results in the relatively
low incidence of frost and, particularly, snow.
The duration of bright sunshine is estimated to average about 1460 hours per year.
This is 33% of the maximum possible amount, December averaging 1.4 hours per
day and June 6.5 hours per day.
The annual average temperature in the period 1961-90 at Sellafield site was 9.4 C,
interpolated from the UK grid data-sets. The time-lagging influence of the Irish Sea
on the annual temperature cycle causes the warmest and coldest months to be
delayed. August has a mean temperature of 15.0 C, which is slightly warmer than
July, while February has a mean temperature of 4.4 C, which is slightly cooler than
January. The average daily maximum and minimum daily temperatures in August are
18 C and 12 C respectively. Annually the warmest day typically is 24 C, but 30 C
has been recorded with an estimated return period of about 30 years. The highest
summer temperatures are likely with easterly winds, which have a long land track
over both the Pennines and the Cumbrian Mountains. The average daily maximum
and minimum temperatures in February are 7 C and 2 C respectively, the coldest
night typically reaching as low as -4 C.
Sellafield has its own meteorological station just outside the site fence at National
Grid reference: NY02150455 which records wind speed and direction, daily maximum
and minimum temperature, rainfall amount and sunshine duration. The information
provided in this section is taken from data recorded at the Sellafield meteorological
station and provided in reports written by Westlakes Scientific Consulting.
Precipitation
The rainfall data presented in this report is taken from the Sellafield meteorological
station, 10 m above ground level.
The average annual rainfall between 1961 and 1990 is estimated to be 943 mm - a
high figure for a lowland area due to exposure to Atlantic and Irish Sea weather
systems. There is a marked annual cycle in rainfall; autumn months typically yielding
about twice as much rainfall as spring months (about 100 mm/month versus about
55 mm/month). The average annual number of ’rain-days’ (rainfall more than or
equal to 0.2 mm) is 186 days with 26 of these days exceeding 10 mm. The rate of
rainfall increases rapidly inland towards the mountains and exceeds 3000 mm/year
near Scafell.
Snow or sleet is estimated to fall on 18 or 19 days per year on average, but covers
more than half the ground at 0900 Greenwich Mean Time (GMT) on only four
mornings per year on average, mostly from December to March. Deep snow is rare;
the greatest recorded depth in the nine years (1988-96) being 70 mm, though much
greater depths exceeding 150 mm are possible on very rare occasions.
April 2012
Page 45 of 65
6.1 Design basis
Extreme weather hazards are assessed at a prescribed return frequency of 1 in
10,000 years in accordance with Safety Assessment Principle EHA.11 which states
that “nuclear facilities should withstand extreme weather conditions that meet the
design basis event criteria.”
Some of the external hazards which nuclear plants are designed against are
uncorrelated, i.e. they are independent of each other, whereas others (e.g. an
earthquake and tsunami) are highly correlated. Equally some of the extreme weather
hazards act in concert with each other, e.g. high wind and rain can often be seen to
be semi-correlated, as can wind and snow.
Energetic hazards
Extreme wind analysis should consider the ability of the external shell of the building
to withstand the wind-loading taking into account any dominant openings and, if the
external cladding is not expected to resist the extreme condition, any dominant
openings resulting from its failure. Depending on the outcome, the radiological
implications of any anticipated structural failure, or disturbance to ventilation patterns,
can be examined. The possibility of consequences from failures of nearby buildings
should also be considered, e.g. stacks, collapse of structures, wind-borne projectiles.
The assessment for extreme wind should be primarily based on 1x10 -4 per year
conditions if the safety case makes this requirement. The appropriateness of a ‘cliffedge’ assessment should be obvious according to the margin-to-failure at the 1x10-4
level. For instance, massive concrete structures should not be expected to be at risk
from any credible wind-loading whereas containment systems relying on clad
steelwork frames might be to some extent. Reasoned argument may be able to
provide a simpler but adequate demonstration of ALARP where margins to failure are
large. This would be the only reasonable approach for older structures where failures
were predicted for less extreme conditions than 1x10 -4 per year and the main
objective was to seek improvements against ALARP.
Slow-acting extreme hazards
Extreme values of temperature (high or low), snow, frost or drought would only be
reached at some time after the onset of abnormal weather, which in turn is unlikely to
occur without some warning. These time factors may allow operational safeguards to
be claimed against many of their consequences – protecting sensitive plant from heat
or cold, removing snow or ice as it builds up, arranging alternative water supplies.
This does not preclude the need to show, for instance by engineering analysis, that
imposed loads from extreme snow accumulation could be resisted by a structure.
Where safety-significant items are located inside the buildings where the thermal
inertia and insulation properties of a building provide protection, this may also be
claimed against the low temperature hazard. This may be relevant for instance in
consideration of indoor SSC or the fatigue life of steelwork.
6.2
Weather conditions used as design basis
Many of the identified weather conditions can occur in a variety of combinations. In
the majority of cases it has been conservatively assumed that each of the design basis
hazard levels can occur concurrently.
April 2012
Page 46 of 65
There are already arrangements in place (managed by the S&SSM) to monitor the
effects of extreme weather on the site in real time that provide assurance of the
generally acceptable response of plants to such conditions, i.e. sheltering and/or
evacuation via prescribed routes, conservation of resources etc.
Extreme winds, tornadoes and hurricanes
British Standards Codes of Practice are followed in the design and construction of
plant at Sellafield. These design codes [15] [16] provide graphical information that
can be used to determine the basic wind speed at any site when local records are not
suitable and give further factors to account for local variations in exposure, altitude,
height of structure, proximity of other buildings etc. For conventional design, a 50 year
return period wind is adopted (reflecting building lifetimes). However further probability
factors are given in the design codes to enable extreme wind speeds to be derived
where more stringent design is required.
The older design code [15], which determined the design of the majority of Sellafield
plants, uses a three-second gust as a basis, i.e. 47 ms-1 (105 mph) and 66 ms-1 (148
mph) for 1 in 50 and 1 in 10,000 year gusts respectively. The new design code [16] is
based on mean hourly wind speeds, i.e. 24 ms-1 (54 mph) and 30 ms-1 (67 mph) for 1
in 50 and 1 in 10,000 year gusts respectively. In both design codes, factors are given
to enable the overall loads on structures and localised pressures on external features
to be calculated and consideration to be given to dominant openings. SL often uses
models for design purposes to determine local pressure effects and to check the
validity and suitability of the design code approach on the heavily-developed Sellafield
site.
Site wind speed records are available for over fifty years at Sellafield and show a
maximum gust (as recorded at the Sellafield Meteorological Tower) of 46.1 ms -1 (103
mph) in 2005. These records and other data sets have been used to predict extreme
values for Sellafield but, for consistency with national practice, the BSI code data are
used for design and assessment purposes.
It should be noted that there is no history of major structural damage to plant due to
strong winds at Sellafield, although there have been a number of incidents involving
lesser damage to building cladding and construction sites.
Tornadoes have the potential to generate wind speeds higher than the extreme
conventional storms but are uncommon in the UK overall. A detailed study of 1,500
tornadoes in the UK [17] showed that events with localised wind speeds approaching
100 ms-1 (224 mph) have occurred and that the affected areas are relatively small, i.e.
a few square kilometres with paths a few hundred metres wide for the largest event. It
was therein concluded that the UK distribution of tornadoes is far from uniform
because of meterological and geographical factors and they are much less frequent in
northern England than further south.
A tornado with a wind speed equivalent to the Sellafield 1x10-4 per year mean hourly
wind has a probability of 5x10-6 per year; more intense events are increasingly less
likely even than this.
Lightning
British Standards [18] provide guidance on lightning protection. It is considered that
this hazard is primarily addressed by engineering standards and subsequent
substantiation during LTPRs.
April 2012
Page 47 of 65
Snow loading
Information on the design of buildings to resist snow loading is given in BRE guides
[19] and more recently BS6399 [16] which indicate a 50 year snowfall for Sellafield of
400 mm with a factor to convert this into a dead load. A multiplier (2.3) for estimating
the depth corresponding to 10,000 years is also given.
A further consideration is the susceptibility of drainage provisions to blockage by
melting snow/slush resulting in ponding above the depth at which rainwater would
escape.
The extent of the hazard is dependent on the extent to which it is operationally
practicable to clear accumulating snow from critical areas of structures. Note would
need to be taken of the personnel safety implications of attempting this in what would
clearly be extreme weather conditions.
High and low temperatures
Records of annual maximum and minimum temperatures from Sellafield since 1950
have been subject to several studies to predict extremes at long recurrence intervals.
A recent study of data from 1950 up until the mid 1980s recommended values of +43
C and -24 C for the 10,000 year case based on a Meteorological Office analysis
method. More recent assessments in support of Calder Hall/Chapelcross safety cases
and new build NPP, using a method developed for the Sizewell B safety case,
predicted 10,000 year extremes of +34 C and -16.2 C for Calder Hall. These may be
compared with measured maxima and minima at Sellafield of +30 C and -12 C
between 1950 and 1999;
The most recent minima temperatures are Year
Minimum
Temp (C)
2000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
-7.6
-4.6
-2.4
-3.7
-3.8
-3.4
-5.3
-3.5
-3.8
-4.7
-7.6
Some consideration of the duration of sub-zero temperatures was made in the safety
case for THORP where a 30 day average daily minimum temperature of -6.5 C was
predicted at a 1x10-4 per year level.
Climatic change may lead to an overall small increase in temperature but this is not
likely to be sufficient to affect this extreme hazard significantly.
Extreme temperatures may have implications for the behaviour of structural
components, for the properties of process materials and for the ability to provide
important heating or cooling as well as services/supplies. Extreme high temperature
could be associated with drought and extreme lows with other winter phenomena. A
further consideration for low temperature is the duration of abnormal conditions. Since
the effect on water and other supplies is likely to be determined as much by the time
below freezing point as by the actual minimum temperature reached during a cold
spell.
April 2012
Page 48 of 65
Extreme cold (and snow) may also have an effect on transportation and the safety of
operating personnel, factors that may be relevant to radiological risk in some
instances. However variations in indoor temperatures would be less extreme than
outdoors, depending on the effectiveness of insulation and high volume airconditioning (HVAC) provisions, and even outside the average daily temperatures
would be less than the daily maxima or minima. In any case, extreme temperatures
will not occur unexpectedly and should allow for the timely introduction of operational
safeguards.
CONSIDERATION 21: take local actions to address the
potential vulnerabilities of diesel stocks to protracted
extremely low temperatures
Drought
Despite the maritime climate of the UK, extended periods of dry (or freezing) weather
can occur and could lead to restrictions in supplies of water to the Sellafield site,
particularly as a result of reduced river flows in the Calder and Ehen. This issue has
been addressed in the past to ensure the adequacy of supply under drought conditions
with a diversity of supplies available to the site.
April 2012
Page 49 of 65
7
7.1
Loss of electrical power and loss of ultimate heat sink
Loss of electrical power
The diversity of supplies renders this scenario non-credible. Notwithstanding this,
studies are currently in progress with ENW to explore the feasibility of providing
equipment to effect a temporary direct connection of any one of the site 132/11 kV
Grid transformers to the 132 kV overhead pylon system, thus creating the possibility to
bypass many common mode and 132 kV node points of failure
Furthermore work is already underway to supplement/replace the existing back-up onsite electrical generation system, to provide increased diversity (location/point of
connection/control) and improved resilience to a range of external factors, thus
creating the possibility to bypass common mode and node points of failure.
7.2
Loss of the ultimate heat sink (UHS)
As discussed previously there are a number of plants at Sellafield which rely, because
of the self-heating of the products, on some type of forced water/air cooling.
High Active Liquors
High Active Liquor (HAL) in High Active Storage Tanks (HASTs) and process vessels
are cooled by in-situ cooling coils and jackets supplied by diverse cooling water
networks. Conservatisms in the current safety case are extremely pessimistic so there
are significant margins both in terms of time to respond to a total loss of cooling event
or loss of individual cooling components. The safety case has recently been re-aligned
to be based on this approach to spare cooling capacity.
Magnox fuel
Magnox fuel is self-heating and therefore the loaded flasks, skips and magazines must
be kept topped up with cooling water. Whilst both flasks and magazines are fitted with
engineered top-up points to which a water hose may be connected, the position of a
fuel flask/skip/magazine will determine the speed of response to an overheating
scenario. Fuel skips within inlet cells should be capable of being hand-wound to the
pond or else wetted using in-cell spray-rings/hoses whilst flasks in park positions will
already be appropriately positioned to allow manual addition of cooling water. Even
flasks in rail/road transit should be capable of being cooled via manual addition of
cooling water by SF&R.
Similarly, exposed fuel within a decanner cell must be kept wetted. Although each of
the cells has in-cell water sprays, the potential locations of some fuel/debris within the
cell could be such as to require repositioning for better visibility and water coverage.
CONSIDERATION 22: examine the potential to connect MDAs
to facilitate the lowering safely of suspended flasks, skips and
magazines in the event of a prolonged loss of electrical power
Oxide fuel
Oxide fines within the centrifuge bowl can contain self-heating, insoluble fission
products (IFP) which have the potential to boil off feed/wash liquors leading to the
drying out and decomposition of the cake, and the subsequent release of volatile
ruthenium, if left for prolonged periods.
April 2012
Page 50 of 65
On loss of power it may be possible, for the centrifuge, to use wash liquor to keep the
cake wetted, to flood the centrifuge and/or use a small diesel generator to supply the
wash pump.
CONSIDERATION 23: examine the means by which product
within the THORP centrifuge bowl can be kept wetted so as to
avoid subsequent decomposition
There are multiple water sources of varying quality capable of meeting the loss of
primary UHS. However all of them require electrical power to get the water to the site.
All of the declared back-ups require personnel to travel off-site and/or transport an
MDA along country roads which may prove challenging in this scenario. Alternatively
it would be possible to use the redundant River Calder Pumphouse, pump from River
Ehen and make a connection into the ring mains or backfeed the fire hydrants and
Water Treatment Plant water stocks.
It would of course be possible to pump from the sea and make a connection into the
ring mains or backfeed the fire hydrants and WTP water stocks. However this would
only be considered as a final resort due to the adverse impact of sea water on nuclear
plant. In any case the diversity of supplies renders this scenario essentially noncredible.
CONSIDERATION 24: review the resilience of the water
supplies to site in extreme circumstances
CONSIDERATION 25: increase the flexibility and use of the
existing water supply cells
CONSIDERATION 26: consider the reinstatement of the River
Calder pumphouse
CONSIDERATION 27: review the size, number and location of
emergency pumps
7.3 Spent fuel storage pools
As discussed previously, heat transfer is only likely to be an issue if there was a
significant loss of water resulting from a breach of the pond floor or walls. In the latter
case attempts would be made to contain the breach and use tarpaulin/sand bags to
create a temporary bunded area. Mobile pumps would then be used to return water
from either the sump or the improvised bund and/or supplement water supplies.
The only spent fuel storage pool for which loss of the UHS could result in off-site
consequences greater than 10 mSv to the critical group would be earliest Magnox fuel
storage pond for which significant remedial work has already been undertaken noting
that a significant proportion of the pond structure is below ground level such that
leakage will be reduced somewhat and a single array of fuel skips and the sludge
inventory would still be wetted in the event of a significant breach in pond wall.
CONSIDERATION 28: review the emergency responses for all
spent fuel storage ponds to identify commonality between
systems and equipment
April 2012
Page 51 of 65
CONSIDERATION 29: procure further portable bunds for
potential deployment around spent fuel storage ponds
CONSIDERATION 30: utilise the site deep water facility to test
both techniques and equipment and to carry out training and
emergency exercises
April 2012
Page 52 of 65
8
Severe Accident Management
Severe accident management at Sellafield is defined within the Sellafield and
Windscale Sites Emergency Arrangements – Emergency Plan (Issue 13, September
2009) and Handbook (Issue 41, June 2011) in accordance with NSLC 11. The
Emergency Plan and other components of the emergency arrangements are designed
to be compatible with the off-site Emergency Plan for Sellafield produced by the
Cumbria County Council Resilience Unit.
Command and control for severe accidents is managed at strategic, tactical and
operational levels (see Figure 6.1).
Plant
(Operational)
Site
(Tactical)
Incident
Plant
District
(Strategic)
Media
Emergency
Press
Office
Public
Monitoring
Access
Control
Point
Parliament
Cumbria
Police
SECC
HP
SMC
Emergency
Services
Incident
Control
Centre
National
Engineering:
services
equipment
MBC
NEBR
WCECC
Work
Force
External
Agencies
Centres
Other
countries
etc
Figure 6.1 SL command and control arrangements for severe accidents
8.1
Organisation and arrangements of the licensee to manage accidents
Tactical
The duty Site and Safety Shift Manager (S&SSM) is a suitably qualified and
experienced person (SQEP) to assume full emergency control while waiting for relief
by the duty Site Emergency Controller (SEC). Shift personnel will assume sufficient
manning of Site Emergency Control Centre (SECC) and associated roles to cope with
the initial impact of any emergency. The SECC is responsible for the tactical
management of the entire Sellafield site. The S&SSM and duty SEC have delegated
authority from the Head of Site to take action(s) necessary to respond to an incident
including, but not limited to, rationing of supplies, sheltering, mustering, roll call and
evacuation.
The critical safety functions of the SECC are  to establish and maintain command and control in the event of a severe
accident/event; and
 to establish and maintain internal and external information flow to key decision
makers in the event of a severe accident/event.
Loss of these critical safety functions could be caused by -
April 2012
Page 53 of 65


lack of manpower to adequately resource the key roles within the SECC or
other emergency buildings (access control points, emergency reception centres
etc.); and/or
degradation/unavailability/untenability of dedicated emergency buildings and
equipment (loss of services within the building, loss of communications, building
damage etc.).
The SECC is permanently manned by the S&SSM and is located in the same building
as the SF&R control room. During the day, the other SECC roles are filled by a team
of day workers and shift workers. With the exception of the S&SSM, the SECC team
members are volunteers who have a main work role and other safety related roles.
All duty team members are trained against role profiles (defined in the Site Emergency
Instructions, SEI) and are assessed as SQEP and appointed to their role.
Occupied buildings have trained Building Controllers present to manage the building in
an emergency situation. Groups of Building Controllers report to SECC via trained
Area Controllers.
Each of the key posts in the SMC and SECC is manned by nominated day staff who
are available throughout the 24 hour period according to a duty roster (comprising
eight teams) and who will be called in by telephone or pager as appropriate.
In silent hours the SECC on-call duty team are expected to respond within one hour for
key decision makers and three hours for technical support and backup. Dependent
upon the scale of the incident it may be that the SECC members could experience
significant difficulty in getting to site.
Exercises and walkdowns have demonstrated that some selected shift team manning
above minimum safety manning levels (MSML) is required to restore and then
maintain all site utility services following a SBO or multiple/domino ’beyond DB’
events.
CONSIDERATION 31: review the arrangements for personnel
undertaking emergency roles
CONSIDERATION 32: maintain a list of key plant parameters
within the SECC
Operational
Access Control Points (ACP) are set up to control access into and out of affected
areas. Incident Control Centres (ICCs) and are established to control actions within
the affected plants. Both the ACP and the ICC report up to the SECC (see Figure
6.1). The ACPs and the ICCs are manned by plant personnel. A number of the key
emergency people carry out associated roles which can be accommodated in
response to a single plant incident; however it is not clear that there are enough SQEP
emergency key role personnel to satisfy the CSF for command and control in a
multiple plant or side-wide incident. Additionally, a number of plants share ICCs and
again, whilst this is acceptable for a single plant incident, it would be impracticable in a
multiple plant incident.
CONSIDERATION 33: review ICC arrangements to ensure
sufficient diversity to facilitate response to a multi-plant event
April 2012
Page 54 of 65
Emergency services
Sellafield has a dedicated Fire and Rescue service (SF&R) with airport-style crash
tenders (deployed following the “9/11” terrorist attacks largely to respond to risk of an
aircraft crash), ‘standard’ fire tenders plus a number of pumps and strategically
positioned water bowsers around the site. SF&R own all breathing apparatus sets on
the site and are required to be in attendance for all breathing apparatus entries.
A number of the key plants at Sellafield rely on SF&R either to assist them with reentry into buildings or to deploy pumps to provide cooling or make-up water, dealing
with chemical spills, rescue of injured personnel and, of course, to attend fires.
SF&R is a rapid response unit, not a standalone service, and is backed up by Cumbria
Fire and Rescue (CF&R) to tackle site incidents. In a prolonged SBO or seismic
event it is considered unlikely that the CF&R would be available to attend on the basis
that the surrounding areas would also be affected. Furthermore the CF&R local to site
is manned by ‘retained’ fire crews and hence there is not a full time dedicated fire
service guaranteed to be available to assist SF&R.
CONSIDERATION 34: ensure that due cognisance is given to
the need to retain appropriate access for emergency services
during future changes to the site infrastructure
CONSIDERATION 35: review the arrangements for fire and
rescue response to a severe event
8.2
Use of off site technical support for accident management
Arrangements exist for the operators of other nuclear sites to provide assistance in the
event of a Site Incident or Sellafield Emergency.
Arrangements for support from both Regional & National capability, e.g. fire
tenders/pumping units, are in place but require regional & local transport infrastructure
to be available for successful deployment. The future staging of this capability will be
included as part of the Site Resilience Programme.
8.3
Training and Exercises
The following site emergency exercises are carried out annually  2 x Level 1 radiological exercises (ONR demonstration exercises);
 1 x security exercise (ONR demonstration exercise);
 1 x chemotoxic exercise (Environment Agency observation);
 1-2 x roll-call and communications exercises (full site exercises; no regulatory
observation); and
 8 x training exercises (minimum).
Furthermore each plant carries out a programme of exercises against an Emergency
Exercise Schedule endorsed by the appropriate Management Safety Committee.
The following site emergency exercises are carried out three-yearly  1 x Level 2 exercise to demonstrate the Sellafield Off Site Emergency Plan; and
 1 x radiation safety exercise to demonstrate the Transport Emergency Plan.
The site has a range of associated procedures to deal with such eventualities as
severe weather and/or loss of services.
April 2012
Page 55 of 65
Specific Severe Accident Management Strategies (SAMS) have not yet been included
in the scope of site emergency exercises to demonstrate that they are fully executable.
A current programme of SAA is being accelerated and a review of the site capability to
resource responses to multiple or domino ‘beyond DB’ events will be included as part
of the Site Resilience Programme.
8.4
Control infrastructure
The site has a primary and secondary SECC/SMC and twelve ICCs located on-site.
There is a tertiary SECC/SMC located off-site.
The primary and secondary
SECC/SMC are located at opposite ends of the Sellafield site and seismically-qualified
to 0.25g and 0.125g respectively.
Plant control rooms are not generally designed to be occupied during a severe
accident scenario with the notable exception of the main distribution control centre.
Although some modern adjoining plants have some degree of control room
redundancy, the usual plant response would be to evacuate and then make
subsequent re-entries, where safe and appropriate to do so, via an ACP.
CONSIDERATION 36: consider the construction of hardened
and sustainable physical control structures
8.5
Emergency equipment
Building emergency procedures require that suitable and sufficient equipment (e.g.
radiation protection instrumentation, respiratory protection equipment and protective
clothing) are readily available for use in emergency situations. Additional supplies of
such equipment are stored at strategic locations throughout the site. Mobile trailers
containing contingency emergency equipment are also available.
Site equipment designed for severe accident mitigation is routinely inspected and
checked although a full functional test/deployment is not included in regular testing.
Furthermore a supply of additional contingency equipment procured following the
reviews prompted by the “9/11” terrorist attacks has been inspected but again has not
been subjected routinely to a full functional test or detailed condition assessment. A
review of the current storage location and possible future dispersal of additional
contingency equipment will be included as part of the Site Resilience Programme.
Considerable engineering resources including, but not limited to, lifting devices,
shielding, raw materials etc. are also available on-site for deployment under the overall
control of Engineering Services.
Arrangements are in place for the supply of additional equipment, e.g. air
compressors, from off-site suppliers. However the time to deploy such external
equipment will be dependent on the off-site infrastructure. In any case the ENSREG
“stress tests” assume that the site will be isolated from the delivery of heavy
equipment for seventy two hours and portable lightweight equipment for twenty four
hours.
CONSIDERATION 37: procure temporary mobile units (and
possibly off-site air-transported deployable containers) for
provision of either welfare support or to augment the
management of emergencies
April 2012
Page 56 of 65
8.6
Communication and Information Systems (internal and external)
The site uses a number of diverse communication and information systems.
Site Warning Sirens
Site Warning Sirens are located across the site and are sounded on declaration of a
Sellafield Emergency (or a Site Incident where appropriate) so as to warn both the
workforce and the general public off-site to take shelter. The sirens are electrically
powered and are provided with individual UPS arrangements which can provide
continuous sounding for up to a day. The sirens communicate with each other by way
of a secure encoded network.
Pager system
The Pager System is used by the S&SSM, via a pager terminal in the SECC, to inform
members of the emergency teams of the action they are required to undertake.
Initiation by the S&SSM activates the chosen Group Code which can be sent to key
personnel within minutes.
The base stations (masts) for the pager system do not have battery back-up and the
pager system would be lost immediately on loss of power as the masts do not appear
on the standby power lists or have a MDA hook point.
Alternative back-ups to the paging system include landline telephones, mobile phones
and the alert cascade communication management system. However these back-ups
are time constrained to the length of the battery backup time and the battery back-up
times for the information kept in the data centres, such as the phone lists etc.
Telephones
Telephones, including mobile phones, are the principal medium for on- and off-site
communications. The site’s telephone network comprises a number of switches
although the majority of lines route through a single distribution frame. The site uses
more than one off-site exchange and all emergency telephones use copper rather than
voice over internet protocol lines to ensure maximum resilience.
On loss of power, all on-site exchanges have automatic battery back-up which will last
for several hours after which time most telecommunications will be lost and some
reconfiguration would be required.
Alternative backups to the telephone system would however include ‘general’ mobile
phones although, dependent upon the extent of the SBO, loss of power to the external
mobile masts could be anticipated. The emergency fax lines could also be used as
telephone lines by exchanging the plugged-in equipment. Additionally alternative
backups could include radios and runners although these would not be as effective
and may not be possible due to the site conditions at the time.
A voice message system with a sixty four line capacity and a number of prerecorded
messages can be operated from any SL internal telephone line.
Radio systems
Four radio systems are employed on the site. All radios are kept charged; however
the base stations are not battery backed and the radios will therefore only last as long
as the on board battery which will be dependent on usage. Most major plants also
have their own radio to radio system which can be used within plants to communicate
but cannot be used plant to plant or plant to SECC.
April 2012
Page 57 of 65
Fax machines
Fax machines are distributed widely across the site and are used, during an incident,
to provide written communications between the SECC, Area/Building Controllers and
external agencies. A dedicated thirty two line fax server is used by the SECC.
The switch for the emergency fax lines for the site is on an emergency power
distribution board and also has a hook-up point for an MDA.
CONSIDERATION 38: enhance
communications infrastructure
the
resilience
of
the
CONSIDERATION 39: review the provision of support to the
communications infrastructure during a severe event
Internet
The Safeguard Communications System is a web-based service and uses a
standalone PC and broadband connection. The system is used to provide voice
messages and warning notifications to off-site residents within the detail emergency
planning zone (DEPZ) and sensitive sites such as schools out to a radius of 6 km. The
system can also be activated using direct telephone notification to a call centre.
The National Resilience Extranet (NRE) system uses a standalone PC and
broadband connection to link to the NRE system that the Cumbria local resilience
community has adopted. The NRE is an information sharing application sponsored by
the UK Cabinet Office and intended to provide enhanced inter-operability and sharing.
This capability is provided at both SECCs and the WCECC.
8.7
Radiological accident management
Monitoring of releases
The Site Perimeter Monitoring System (SPMS) provides continuous read outs of
radiation/airborne contamination levels (and in some instances wind direction) and,
along with the Site Emergency Monitoring Points (SEMP), relays readings directly to
the SECC. These readings, along with any information from local stack monitoring,
would provide an initial indication of the scale of any radioactive release. Such initial
indications would then be confirmed by tactical deployment of the site District
Monitoring Vehicles (DMVs) to facilitate monitoring of the local environment.
Anemometers are installed a various heights at a weather station near the main gate.
These diverse sources of information would be used by SECC to decide on the
appropriate measures to be taken to limit the impact of the release on both the
workforce and local population.
SPMS would be affected by a prolonged site-wide loss of power. On loss of UPS there
are only a small number of portable petrol generators, dedicated solely for this
application, to be deployed and connected to the monitors by SF&R. Hence, during an
SBO, only selected SPMS monitoring points (determined by the SECC) would remain
in service. Furthermore transmission of the SPMS data to the SECC requires that
UPS back-up systems are maintained to power data servers together with power
supplies from other buildings to node point data routers comprising the site data
network.
April 2012
Page 58 of 65
SEMP are powered by adjacent buildings and are also reliant on the site data network
to transmit the readings. On loss of power SEMP would be lost immediately as it does
not have battery backup. Loss of power would also adversely affect local ventilation
systems and hence both local airborne activity and stack monitoring systems.
SL is obligated to monitor out to a forty mile radius limit and uses fully-equipped health
physics vehicles, i.e. DMVs, for this purpose. In an SBO event, Sellafield would be
very reliant on this resource to provide crucial radiological data to enable critical
decisions to be made and therefore a balance would have to be made between the
requirement and frequency of on-site information and the requirement and frequency
for off-site information.
The weather station would be lost in a prolonged SBO and although the Met Office
provides continuous weather forecasts and associated data on temperature, solar
radiation (atmospheric dispersion), wind speeds and wind direction through its
PACRAM procedure this is dependent on power at both transmitting and receiving
end. Clearly the provision of this data would be key to generating estimates of aerial
plume size and direction. There are no additional backups identified for this system;
hand-held anemometers could provide useful data but the eddying effect of the
buildings would have to be taken into consideration.
CONSIDERATION 40: review the resilience of the site data
network and the need to extend the period of monitoring and
data transmission to SECC
CONSIDERATION 41: consider the balance to be struck
between the deployment of DMVs on- and off-site and whether
current provision is suitable and sufficient
Dose control
Ongoing health physics monitoring and the use of electronic personal dosemeters
(subject to individual device battery lives) will allow response teams to perform
dynamic risk assessment so as to determine appropriate work practices and levels of
personal protective equipment and thereby ensure that any doses accrued are
ALARP.
Furthermore the site has an extensive network of cameras and a remote-operated
vehicle which may facilitate inspection of affected areas prior to entries.
In a severe accident it is likely that REPPIR doses would apply, i.e. to mitigate high offsite consequences (> 5 mSv), worker doses could exceed the limits set in the Ionising
Radiations Regulations). This effectively allows more operator-based intervention
than under normal operations although this would normally be limited to establishment
of local access control points, initial surveillance activities and activities to ’make safe’
materials. In these circumstances the SEC could authorise the accrual of doses of up
to 100 mSv by operators and the further accrual of doses of up to 500 mSv for
informed volunteers for specific tasks. Longer term recovery operations are likely to be
subject to normal dose controls and would be justified using normal safety assessment
techniques.
April 2012
Page 59 of 65
Containment
Radioactive inventories at Sellafield are stored within at least primary and secondary
containment. Design provisions for restricting releases after loss of such containment
integrity are primarily centered around sumps and associated pumps and the reconfiguration of ventilation systems (e.g. dampers).
Operational provisions will be dependent on the physical state of the radioactive
release with immediate actions being to bring to ground any aerial dust release (e.g.
via deployment of a water mist and/or foam) and keeping sludges and ground dusts
wetted to prevent drying out and subsequent dispersal. Temporary containment could
then be deployed, including bunds, windbreaks, overbuilding/cover (e.g. with
tarpaulin), sand/gravel, fixative sprays etc.
CONSIDERATION 42: consider the criticality implications of
using water sprays and/or foams to bring to ground potential
aerial releases
CONSIDERATION 43: determine practical means for deploying
safely widespread fixative agents to minimise potential spread
of airborne contamination
8.8
Feasibility and effectiveness of accident management measures under the
conditions of external hazards (earthquakes, floods)
The effectiveness of existing accident management measures will be dependent on –
 the availability and deployment of key resources, i.e. SECC, SF&R and utilities;
 access to site for both personnel and light/heavy equipment; and
 human factors (as noted in the ONR Chief Inspector’s (”Weightman”) reports).
These aspects will be subject to further evaluation as part of the Site Resilience
Programme.
In addition, protracted loss of power supply will restrict significantly analytical support
from on-site laboratories with only limited analytical instrumentation being batterybacked. Other sources of analytical support, i.e. National Nuclear Laboratory or
Geoffrey Schofield Laboratories, would be expected to be compromised by damage to
on- and off-site infrastructure.
Similarly, provision of medical, decontamination and welfare (e.g. emergency
reception centres) services would be affected adversely by a protracted SBO.
CONSIDERATION 44: review the resilience of key support
services likely to be necessary for ongoing plant control and/or
emergency response
On loss of plant instrumentation, temperature can readily be measured using a
resistance thermometer connected to a multi-meter and then using a relevant
conversion chart. Similarly levels for the smaller vessels and sumps could be
measured using a Druck-type instrument; however levels especially for larger vessels
would be more readily taken if a portable compressed air bottle/system was available
to provide a back pressure to measure. Pond levels could be visually checked.
Changes in differential pressures could be measured by setting up a simple
manometer from clear tubing.
April 2012
Page 60 of 65
8.9
Management of hydrogen risks
A number of plants have specific design provisions to manage the accumulations of
hydrogen resulting from radiochemical interactions. However the only plants for which
failure to manage hydrogen risks could then result in off-site consequences greater
than 10 mSv to the critical group are those required for the wet storage of Magnox
wastes and the storage of HAL.
Magnox waste
In the case of the wet storage of Magnox wastes, diverse provision of back-up
ventilation and inert gas capability is maintained. These include battery-backed fans
which start automatically on power failure and, in most instances, are backed up by
installed diesel alternators. Upon failure there is provision made for either nitrogen
flushing (although this has never been fully tested due to asphyxiation hazards and
radiological containment issues) or air ejectors which are run by a dedicated diesel
compressor. Recourse can also be made to natural ventilation via the stack effect
(weather dependent). Alternative back-up systems, as yet unproven, may include  widespread Nitrogen flushing;
 pressurised inerting (however the effectiveness of pressurised inerting using
nitrogen is unknown);
 an optimum combination of nitrogen flushing and pressurised inerting; and
 lifting some of the inspection plugs.
Mitigating actions could include stopping levels in the cavity from rising (using installed
pumps), pumping liquors back into compartments and/or sealing penetrations in the
secondary containment. Notwithstanding this it is evident that the current back-up
systems could be improved to deal with a prolonged power outage, without recourse to
site MDAs and ongoing fuel supplies.
CONSIDERATION 45: engage with the Hydrogen Working Party
to determine the minimum air displacement flows for the wet
storage of Magnox wastes so as to remain below the lower
flammable level
CONSIDERATION 46: determine, via simple modeling, whether
either or both ‘natural ventilation’ and/or ‘lifting plugs’ would
be effective as a back-up means for managing hydrogen during
wet storage of Magnox wastes
High Active Liquors
In the case of the storage of HAL, hydrogen evolves from the radiolysis of water and a
‘hydrogen purge’ is therefore used to maintain hydrogen levels in vessels below the
lower flammable level. This requires compressed air to operate pneumercators and jet
ballasts, HP steam to operate various ejectors for the fill/empty cycle and the vessel
ventilation system which in turn requires power and HP steam to operate the ESP inlet
and outlet seal vessels.
Within HASTs, on loss of power impacting loss of compressed air, established backups are bottled supplies or standby Atlas Copco compressors (powered by a site
MDA) each of which is capable of supplying all HAST needs; however these require
the ring main to be intact. Alternatively a portable start-up hydrogen suppression
compressor is available which has flexible hoses and therefore does not require the
April 2012
Page 61 of 65
ring main; however this compressor can only feed one HAST at a time. Furthermore it
may be possible to create emergency air connection points and mobile compressors
and to provide a diesel compressor for instrument air to replace bottles.
Mitigating actions, assuming that a hydrogen deflagration has caused plant damage
and HAL is on the cell floor, could include shutting the cell inlet and outlet dampers (to
contain HAL as much as possible) and to monitor the cell sump temperature with a
probe (to monitor time until HAL boiling).
On loss of power there would likely be sufficient mains pressure to empty immediately
the ESP seal pots as effectively as possible as per existing plant emergency
instructions. The ESP seal pots must be emptied to allow free flow of the ventilation
system which would prevent hydrogen purge and lead to possible pressurisation.
Current back-ups include four emergency steam boilers.
CONSIDERATION 47: review the resilience of both power and
steam supplies to HASTs in extreme circumstances
8.10
Accident management after uncovering of the top of fuel in the fuel pool
8.10Significant damage to pond structures could result in significant radiation doses on-site
from shine through any significant cracking and sky-shine from loss of pond water.
However recent seismic studies indicate that site ponds would, with the exception of
the Magnox fuel storage ponds, be expected to remain intact, albeit with some new
cracking and propagation of existing ones.
The principal means for restricting releases would be to ensure sufficient water cover
within the pond as this will provide both cooling (where required) and some
containment.
April 2012
Page 62 of 65
9
Summary
The Tohuku earthquake on 11 March 2011 and subsequent events at the Fukushima Daiichi Nuclear Power Plant have prompted fundamental reviews of the resilience of nuclear
power plants. European Commission and the European Nuclear Safety Regulators Group
(ENSREG) produced a joint specification for a three stage process of this “targeted
reassessment of the safety margins of nuclear power plants”. These “stress tests” are
intended to highlight a NPP’s self-reliance against a variety of extreme situations such as
those that occurred at Fukushima, i.e.
 an earthquake and/or flooding as an initiating event;
 the consequence(s) of loss of safety functions from any initiating event conceivable
at the site such as loss of electrical power, including Site Black Out (SBO), loss of
ultimate heat sink (UHS) and/or a combination of both; and
 severe accident management issues such as means to protect from and manage
loss of cooling and/or containment integrity.
Application of these “stress tests” to the Sellafield site, as requested by ONR, has
necessarily required a structured interpretation by SL of many of the ENSREG “stress
tests”, due to the radical differences between a NPP and a complex and diverse chemical
multi-plant site, as well as clear definition of the Sellafield plants and supporting functions
to which they would be applied.
An interim report for the Sellafield site was submitted on 15 October 2011. This paper
represents the public domain version of the final report for the Sellafield site based on
local interpretation of the ENSREG “stress test” requirements for plants configured and
operated as of 30 June 2011.
The RESilience Evaluation Process (RESEP) has been developed as a structured and
consistent approach to resilience assessment for the Sellafield site. Detailed assessment
of resilience has been applied to those facilities which are capable of generating fault
sequences that lead to off-site consequences exceeding 10 mSv to the critical group
and/or having a SED score greater than 1x1010. However it is important to note that these
off-site consequences, and hence the RESEP screening criteria, are based on bounding
safety case assumptions and plant flowsheets which themselves are extremely
pessimistic when compared with actual plant operations.
Hence the off-site
consequences of any release are likely to be much lower in reality.
The RESEP included key plants (i.e. those with a greater than 10 mSv off-site dose fault
sequence consequence to the critical group and/or having a SED score greater than
1x1010), utilities (electricity, water, compressed air and steam) and Site Emergency
Control Centre (SECC), Sellafield Fire and Rescue (SF&R) and communications.
On the basis of the current state of knowledge –
 A number of older plants will be adversely affected by a greater than design basis
earthquake (DBE).
 The site has adequate protection against both tidal and river flooding with the only
significant risk being that of an extreme rainfall event which could result in some shortterm surface water ponding.
 There is a high degree of diversity and redundancy for both on and off-site electricity
and water supplies.
 There are sufficient fuel stocks for Sellafield site to be self-sufficient for a seven day
loss of electricity supply from the national grid.
April 2012
Page 63 of 65





The site has robust arrangements for a seven day loss of Ultimate Heat Sink (UHS)
which, in a Sellafield context, relates principally to diverse means for cooling Highly
Active Liquor (HAL), for keeping fuels wetted and for ventilation.
Fuel ponds are unaffected by a seven day loss of cooling water make-up and relatively
robust to a Design Basis Accident.
Local plant arrangements, which are designed to prevent a reasonably foreseeable
event arising, are robust.
Existing site emergency arrangements, which are designed primarily to respond to a
reasonably foreseeable event in a single plant, would soon be strained by requests for
support to multiple plants as a consequence of an event with simultaneous site-wide
effects.
There are opportunities to improve the emergency infrastructure in support of a
response to an extreme event such as those identified within this report.
These preliminary findings have prompted a number of “considerations” as listed overleaf
to be developed further as the basis for action by the Company.
However these preliminary findings will inevitably evolve and prompt further
considerations as SL develops a deeper understanding of interactions and processes
across the site.
The work undertaken to date, as detailed within this report, has identified no potential
deviations from the licensing basis.
April 2012
Page 64 of 65
Considerations for enhancing the resilience of the Sellafield site to extreme events
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
provide local neutron inhibiting materials for emergency deployment to prevent/halt a potential criticality excursion
review the arrangements for providing alternative sources of cooling water to HASTs in extreme circumstances
review the arrangements for management of site fuel stocks
procure a bowser/road tanker capable of transferring fuel efficiently around the site
review the manning levels required to respond to prioritized site demands during a major event
develop a programme to deploy, connect and test MDAs to EPD connection points routinely on safety significant plants
enhance the robustness of the forced ventilation system for Magnox wastes to a severe seismic event
review the potential for trapped hydrogen with the Magnox waste matrix being liberated as a result of a severe seismic event
obtain skid-mounted diesel pumps for potential deployment in the later Magnox fuel storage pond following a severe seismic event
review the robustness of alternative power supplies sufficient to allow timely crack repair (using already available dedicated repair plates, water containment and various pumping systems) following a
severe seismic event
seismically enhance existing bridges across the River Calder and develop the ability to deploy temporary structures
confirm realistic rates of self-heating within Magnox fuel undergoing reprocessing and the minimum quantity of water required to prevent self-ignition on potential loss of cooling
develop and substantiate specific contingency plans to extinguish a fire within solid waste facilities
consider the need to engineer additional flood defences alongside the River Calder
undertake more detailed modeling of surface run-off and drainage within built-up areas of the site
review the resilience of the current arrangements to pump out the central drainage water collection and discharge system
utilise the design of any future changes to the site infrastructure to direct rainfall flood flows so as to minimise ponding
re-engineer applicable flood defences to address very severe rainfall flooding
take local actions to address potential vulnerabilities to flooding of individual EPD boards and MDA connection points
consider the procurement of pre-fabricated flood barriers for local ad hoc deployment
take local actions to address the potential vulnerabilities of diesel stocks to protracted extremely low temperatures
examine the potential to connect MDAs to facilitate the lowering safely of suspended flasks, skips and magazines in the event of a prolonged loss of electrical power
examine the means by which product within the THORP centrifuge bowl can be kept wetted so as to avoid subsequent decomposition
review the resilience of the water supplies to site in extreme circumstances
increase the flexibility and use of the existing water supply cells
consider the reinstatement of the River Calder pumphouse
review the size, number and location of emergency pumps
review the emergency responses for all spent fuel storage ponds to identify commonality between systems and equipment
procure further portable bunds for potential deployment around spent fuel storage ponds
utilise the site deep water facility to test both techniques and equipment and to carry out training and emergency exercises
review the arrangements for personnel undertaking emergency roles
maintain a list of key plant parameters within the SECC
review ICC arrangements to ensure sufficient diversity to facilitate response to a multi-plant event
ensure that due cognisance is given to the need to retain appropriate access for emergency services during future changes to the site infrastructure
review the arrangements for fire and rescue response to a severe event
consider the construction of hardened and sustainable physical control structures
procure temporary mobile units (and possibly off-site air-transported deployable containers) for provision of either welfare support or to augment the management of emergencies
enhance the resilience of the communications infrastructure
review the provision of support to the communications infrastructure during a severe event
review the resilience of the site data network and the need to extend the period of monitoring and data transmission to SECC
consider the balance to be struck between the deployment of DMVs on- and off-site and whether current provision is suitable and sufficient
consider the criticality implications of using water sprays and/or foams to bring to ground potential aerial releases
determine practical means for deploying safely widespread fixative agents to minimise potential spread of airborne contamination
review the resilience of key support services likely to be necessary for ongoing plant control and/or emergency response
engage with the Hydrogen Working Party to determine the minimum air displacement flows for the wet storage of Magnox wastes so as to remain below the lower flammable level
determine, via simple modeling, whether either or both ‘natural ventilation’ and/or ‘lifting plugs’ would be effective as a back-up means for managing hydrogen during wet storage of Magnox wastes
review the resilience of both power and steam supplies to HASTs in extreme circumstances
April 2012
Page 65 of 65
10 References
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
ONR. (2011). Japanese earthquake and tsunami: Implications for the UK nuclear
industry. Interim Report, ONR Report ONR-FR-REP-001 Revision 3
HM
Chief
Inspector
of
Nuclear
Installations,
May
2011.
HSE.
www.hse.gov.uk/nuclear/fukushima/interim-report.pdf
ONR. (2011). Japanese earthquake and tsunami: Implications for the UK nuclear
industry. Final Report, ONR Report ONR-FR-REP-002 Revision 2
HM Chief Inspector of Nuclear Installations, September 2011. HSE
www.hse.gov.uk/nuclear/fukushima/final-report.pdf
NII. (2006). Safety Assessment Principles for Nuclear Facilities, 2006 Edition
Revision 1. HMSO
http://www.statistics.gov.uk/neighbourhood/display
http://www.nda.gov.uk/ukinventory
HSE. (1992). The tolerability of risks from nuclear power stations (rev). HMSO
HSE. (2001). Reducing risks, protecting people. HMSO.
ONR. (2011). Licence Condition Handbook. HSE.
Principia Mechanica Limited (1982). British Earthquakes: an Assessment. Report
115/82
BRE. (1991). An Engineering Guide to Seismic Risks to Dams in the United
Kingdom. Building Research Establishment
DEFRA. (2005). The threat posed by tsunami to the UK.
Institute of Hydrology (1999). Flood Estimate Handbook (1st edition)
DEFRA. (2006). Flood and Coastal Defence Appraisal Guidance. FCDPAG3,
http://www.cumbriaobservatory.org.uk/elibrary/Content/Internet/536/671/4674/40267
17419.pdf
BSI. (1972). Code of Basic Data for the Design of Buildings Chapter V Part 2 – Wind
Loads (as amended). CP3
BSI. (1995). Loading for Buildings: Part 2 – Code of Practice for Wind Loads, BS
6399
Meaden, GT. (1985). A Study of Tornadoes in Britain with Assessments of the
General Tornado Risk Potential and the Specific Risk Potential at Particular
Regional Sites. Tornado and Storm Research Centre
BSI. (1992). Protection of Structures against Lightning. BS6651
BRE. (1984). Loads on Roofs from Snow Drifting against Vertical Obstructions and
in Valleys. BRE Digest 290