ONR GUIDE

External Hazards

Document Type: Nuclear Safety Technical Assessment Guide


Unique Document ID and Revision No: NS-TAST-GD-013 Issue 8.1
Date Issued: December 2022
Review Date: October 2023
Prepared by: Principal Inspector; Inspector
Approved by: Professional Lead CEEH
Record Reference: CM9 Folder 1.1.3.776 (2020/227479)

Revision commentary:
Rev 7: Full review
Rev 8: Updated Review Period
Issue 8.1: Minor update to remove extant URLs from the
document to mitigate potential configuration control issues
arising because of changes to third-party web domains.

© Office for Nuclear Regulation, 2022


If you wish to reuse this information visit www.onr.org.uk/copyright for details.
Published 12/22

NS-TAST-GD-013
TRIM Ref: 2020/227479 Page 1 of 84
Office for Nuclear Regulation

TABLE OF CONTENTS

LIST OF ABBREVIATIONS
1 INTRODUCTION
2 PURPOSE AND SCOPE
2.1 Documents Supporting TAG 13
2.2 Definition and Major Features of External Hazards
2.3 Scope of External Hazards Assessment
2.4 Characterising External Hazards
2.5 Plant Response to External Hazards
3 RELATIONSHIP TO LICENCE AND OTHER RELEVANT LEGISLATION
4 RELATIONSHIP TO SAPS, WENRA REFERENCE LEVELS AND IAEA SAFETY STANDARDS
5 ADVICE TO INSPECTORS
5.1 Overview of External Hazards Analysis Tasks
5.2 Hazard Identification
5.3 Fault Identification (Fault Initiation) and External Hazards Screening
5.4 Hazard Analysis
5.5 Design Basis Analysis for External Hazards
5.6 Probabilistic Safety Analysis for External Hazards
5.7 Severe Accident Analysis for External Hazards
5.8 Special Considerations Relevant to Safety Analysis of External Hazards
5.9 Emergency Preparedness
5.10 Post External Hazards Event Operations
6 REFERENCES
TABLE 1 – CATEGORIES OF EXTERNAL HAZARDS
TABLE 2 – EXTERNAL HAZARDS RELEVANT TO NUCLEAR SITES IN THE UK*
TABLE 3 – INTERFACES BETWEEN EXTERNAL HAZARDS AND OTHER DISCIPLINES
TABLE 4 – COMPARISON WITH WENRA REFERENCE LEVELS
TABLE 5 – IAEA SAFETY GUIDES REFERENCED IN TAG 13
TABLE 6 – EXAMPLE SCREENING CRITERIA FOR COMBINATIONS OF EXTERNAL HAZARDS*
APPENDIX 1 – POST-FUKUSHIMA UPDATES TO THE SAPS AND RELEVANT GOOD PRACTICE
APPENDIX 2 – ELECTROMAGNETIC INTERFERENCE AND SPACE WEATHER
APPENDIX 3 – BIOLOGICAL HAZARDS
APPENDIX 4 – INDUSTRIAL HAZARDS
APPENDIX 5 – LANDSCAPE CHANGE
APPENDIX 6 – EXTERNAL HAZARDS RESULTING FROM NATURALLY AND ANTHROPOGENICALLY OCCURRING GASES

ANNEX 1 – SEISMIC HAZARDS: Ref. [1]


ANNEX 2 – METEOROLOGICAL HAZARDS: Ref. [2]
ANNEX 3 – COASTAL FLOOD HAZARDS: Ref. [3]
ANNEX 4 – ACCIDENTAL AIRCRAFT CRASH HAZARD: Ref. [4]


LIST OF ABBREVIATIONS

AFE Annual Frequency of Exceedance


ALARP As Low As Reasonably Practicable
BDB Beyond Design Basis
BDBA Beyond Design Basis Analysis
BGS British Geological Survey
CINIF Control & Instrumentation Nuclear Industry Forum
CME Coronal Mass Ejection
DBA Design Basis Analysis
DEC Design Extension Condition (WENRA)
DiD Defence-in-Depth
EA Environment Agency
EH External Hazard
EMI Electromagnetic Interference
EIMT Examination, Inspection, Maintenance and Testing
FR Final Recommendation (CNI Fukushima Report)
GDA Generic Design Assessment
GIC Geomagnetically Induced Current
GLE Ground Level Event
GNSS Global Navigation Satellite System
GPS Global Positioning System
GSE Generic Site Envelope
HSE Health and Safety Executive
IAEA International Atomic Energy Agency
IEF Initiating Event Frequency
IR Interim Recommendation (CNI Fukushima Report)
LC Licence Condition
LOOP Loss of off-site power
MCE Maximum Credible Event
NASA National Aeronautics and Space Administration (US)
OBE Operating Basis Earthquake
ONR Office for Nuclear Regulation
PCSR Pre-Construction Safety Report
PIE Postulated Initiating Event
PSA Probabilistic Safety Analysis
RFI Radio Frequency Interference
RGP Relevant Good Practice
RL Reference Level (WENRA)


RP Requesting Party
SAA Severe Accident Analysis
SAMG Severe Accident Management Guideline
SAP Safety Assessment Principle(s)
SEE Single Event Effects
SFR Safety Functional Requirement
SHWP Seismic Hazard Working Party
SLA Site Licence Applicant
SSC Structure, System and Component
SSHAC Senior Seismic Hazard Analysis Committee
STF Stress Test Finding
TAG Technical Assessment Guide(s) (ONR)
UKMO UK Meteorological Office
USNRC US Nuclear Regulatory Commission
WENRA Western European Nuclear Regulators Association


1 INTRODUCTION

1. The Office for Nuclear Regulation (ONR) has established its Safety Assessment
Principles (SAPs) [5], which apply to the assessment by ONR specialist inspectors of
safety cases produced for nuclear facilities by Licensees*. The principles presented in
the SAPs are supported by a suite of guides to further assist ONR inspectors in making
regulatory judgements and decisions. This Technical Assessment Guide (TAG) is one
of these guides.

* The term Licensee is used here generally to refer to all organisations that make safety submissions to
ONR for assessment. This includes: existing Licensees, Licence Applicants, Potential Licensees and
Requesting Parties to the Generic Design Assessment (GDA) process. Where parts of the TAG refer to
only one type of organisation, this is made explicit in the text. Note that the term Licensee as used here
also includes those responsibilities of a Duty Holder for conventional health and safety as stipulated in
the Health and Safety at Work etc Act 1974.


2 PURPOSE AND SCOPE

2. The SAPs require an effective process to be applied to identify and characterise all
external hazards (EHs) that could affect the safety of a facility. EHs should be
considered an integral part of demonstrating a facility’s nuclear safety capability. The
safety demonstration in relation to EHs should include analysis of the design basis and
beyond design basis (BDB) conditions† with the aim of defining protection
requirements to move the facility towards and maintain it in a safe state, and identify
opportunities for improvement.

3. EHs on nuclear facilities should be identified and considered in the Licensee’s safety
analysis. This guide explains the approach adopted by ONR in its assessment of
Licensees’ safety submissions where consideration of EHs is relevant to nuclear
safety. It covers the relevance of EHs to Licence Conditions (LCs), to other relevant
legislation, and to ONR’s internal guidance - SAPs and TAGs, and other relevant
standards, in particular guidance published by the International Atomic Energy Agency
(IAEA) and Western European Nuclear Regulators Association (WENRA).

4. This revision of TAG 13 (Rev. 7) is the first that has been able to take full advantage of
the learning arising from the events at Fukushima Dai-ichi on 11th March 2011. There
has been extensive development of standards by international bodies since that time
and comprehensive safety reviews have been performed by UK Licensees. The SAPs
were updated in 2014 to reflect this learning. The lessons most directly relevant to EH
are summarised in Appendix 1.

Application of the TAG 13 suite of documents

5. This TAG considers the SAPs in relation to EHs in detail, and forms the principal
interpretation of these principles by ONR. It contains guidance to advise and inform
ONR inspectors in the exercise of their professional regulatory judgement. As for the
SAPs, and to avoid repetition in this guide, the judgement is always subject to the As
Low As Reasonably Practicable (ALARP) requirement for risk assessment (SAPs [5]
paragraph 16). Not all the guidance applies to all assessments or all facilities, and
consideration of proportionality applies throughout. A number of issues concerning
application of this guidance are explained in more detail below:

• Application of the ALARP principle: Inspectors assessing Licensee safety cases
are primarily concerned with forming a judgement as to whether the risk arising
from the nuclear activity for which the case provides a safety justification is
ALARP. A case that demonstrates this is legally defined as “adequate” and is
suitable as a vehicle for supporting a permissioning decision by ONR. The SAPs
[5] summarise the legal position and the role played by ONR guidance in
paragraphs 3 and 9 et seq. SAPs paragraphs 11 and 15 provide useful links
between the ALARP principle and the importance of Relevant Good Practice
(RGP) in nuclear safety cases.

• Proportionality: This concept recognises that ONR regulates a wide variety of
nuclear plant and sites. Not all principles in the SAPs are appropriate to all sites
and plant activities, and an important consideration is that inspectors must be
proportionate in what they require from Licensee safety cases (SAPs [5]
paragraph 27 et seq.). An important consideration in this regard is that the SAPs,
and by implication this TAG, “should be applied in a manner that is commensurate
with the magnitude of the [radiological] hazard‡” (SAPs [5] paragraph 27).

• Use of RGP: The SAPs note in paragraph 11 “that meeting relevant good practice
in engineering and operational safety management is of prime importance”. There
is extensive discussion of RGP applicable to EH in this guide, especially in Section
4 and in the annexes.

Inspectors are referred to TAG 5 [6] Chapter 6 for a detailed discussion of the
importance and application of RGP to nuclear safety. RGP is defined as “… those
standards for controlling risk which have been judged and recognised by HSE§
[Health and Safety Executive] as satisfying the law when applied to a particular
relevant case in an appropriate manner. In nuclear safety applications, where the
potential consequences of accidents can be very serious, the best practice
identified as appropriate to the application would normally be required for new
designs” (TAG 5 [6] paragraph 6.1). For existing facilities paragraph 6.2 states that
RGP “is established by using the standards that would be applied to a new design
as a benchmark and then subjecting any shortfalls to the test of reasonable
practicability.” This latter point is noted above.

Licensees should select RGP most appropriate to their nuclear activities and
justify that their selection does indeed represent RGP (eg consists of widely
recognised relevant codes and standards) and drives out a design of plant /
structure, system and components (SSCs) that ensures that risk is ALARP.
Inspectors should judge the adequacy of this selection by reference to SAPs and
TAGs. This document suite captures those elements of RGP found from
inspectorial experience to be generally applicable to nuclear plant, especially
major radiological hazards plant. Licensees may choose to use alternative
selections of RGP if they lead to an equivalent outcome, in which case inspectors
should challenge the selection, in part, against the expectations of the RGP
provided in this TAG. It is reasonable for Licensees to apply proportionality when
selecting and applying RGP and inspectors should apply the same test when
judging the adequacy of any selection.

† Including severe accident scenarios if relevant.

‡ This guide uses the term “hazard” in two ways. Firstly, as a reference to an event that has the potential
to lead to an accident; this usage is consistent with that in health and safety generally. Secondly, as a
reference to radiological hazard, which is a usage common within the nuclear industry and represents
the consequential effects arising from a release of nuclear material. The SAPs take advantage of both
forms of use. The text in this guide makes clear explicitly, or from the context, which form is intended.

§ The wording dates from a time before the legal separation of ONR from HSE. For HSE read ONR.

6. The SAPs and TAGs are intended for application to nuclear licensed sites and the
facilities on them that affect nuclear safety. With the advent of the new nuclear reactor
build programme in the UK, ONR now engages on non-site-specific assessment of
generic reactor designs through a number of Generic Design Assessment (GDA)
projects. These projects consider generic plant / SSC design features against EHs
defined in a Generic Site Envelope (GSE) only and specifically do not consider aspects
that are site-specific. For these projects, some of the SAPs, especially those in the ST
series relating to siting, and parts of this TAG do not apply. For example, consideration
of coastal flood hazard is not possible until a site has been selected. However,
inspectors can assess the extent to which the generic design assumes a siting
approach consistent with the IAEA dry site concept. Inspectors can assess, at the GDA
stage, the adequacy of BDB flood protection and mitigation arrangements, based on
the assumed siting approach. For further details on the expectations for new sites see
Section 5.8.6.

2.1 Documents Supporting TAG 13

7. This is the TAG 13 head document. It is supported by a number of hazard-specific
appendices, by four annexes covering the natural hazards generally considered to be
most significant to nuclear safety and accidental aircraft crash hazard, and by three
Expert Panel papers, as indicated in Figure 1**. Inspectors should be aware that other
hazards may be significant at particular sites depending on the activities taking place.
The annexes and Expert Panel papers are separate documents referenced from this
document.

** EHs specialist inspectors are supported by a panel of technical experts in seismic (and related
disciplines), meteorology and coastal flooding hazards. The latter two hazard areas are supported by
expertise in climate change.

[Figure 1: diagram. TAG 13 Main Document, with Appendices (EMI & Space Weather; Biological Hazards; Industrial Hazards; Landscape Change; Gas Release Hazards); Annex 1 Seismic Hazards; Annex 2 Meteorological Hazards; Annex 3 Coastal Flood Hazards; Annex 4 Accidental Aircraft Crash Hazard; Expert Panel Papers on Seismic Hazards, Meteorological Hazards and Coastal Flood Hazards. Legend: ONR formal advice; Not ONR advice.]

Figure 1 – Overview of TAG 13 documentation

• Head document: This provides the overarching document for this suite of
references. It is written to the standard TAG format and provides general guidance
applicable to all EHs. Where hazard-specific information is noted, this is
referenced to the appendices or annexes as appropriate. It has been authored by
the ONR EH specialist inspectors. It is supported by a number of attached
appendices covering the minor EHs and four free-standing annexes covering the
major natural hazards and accidental aircraft crash hazard.

• Appendices 2-6: These provide guidance on EHs generally considered to be of
minor nuclear safety significance. They summarise RGP and are intended for use
by both the ONR inspectors for EHs and other inspectors whose disciplines
interface with EHs.

• Annexes: Refs. [1], [2], [3] & [4]. The annexes provide specific guidance for the
major natural hazards and accidental aircraft crash hazard. They have been
authored by ONR’s EH specialist inspectors. The annexes provide a reasonably
comprehensive discussion of RGP for the hazards they cover. The intent is that
they can be read and understood by ONR’s EHs specialist inspectors and, where
relevant, by other inspectors whose disciplines interface with EHs. They are
written to a standard format that is intended to support the head document.

• Expert Panel papers: Refs. [7], [8], [9]. The three natural hazard annexes are each
supported by an Expert Panel paper. These papers provide hazard-specific
technical advice at a level of detail appropriate to someone with good technical
knowledge already. They are primarily intended for technical specialist inspectors
in ONR and specialist contractors providing support to them. They are also of
interest to other inspectors who require more in-depth information on aspects of
natural hazard analysis technology.

8. The description of RGP for natural hazards analysis is generally the preserve of
technical specialists and the Expert Panel papers capture a summary of those
significant examples of which ONR has had regulatory experience. These papers have
been authored by members of the ONR Expert Panel and reviewed by ONR. They do
not represent formal regulatory advice, but provide additional technical background to
the summaries of RGP provided by the annexes.

2.2 Definition and Major Features of External Hazards

9. The SAPs define EHs as those natural or man-made hazards to a site and facilities
that originate externally to both the site and its processes; in other words, the Licensee
has limited, or no, control over the initiating event (SAP paragraph 228). This last point
is important because it undermines the Licensee’s ability to apply the first element in
the safety hierarchy of hazard control measures, namely, eliminate the hazard.

10. This differentiates external from internal hazards, such as fire arising inside the site
boundary, where, in principle, the operator has substantial control over the chance of
the hazard occurring.

11. A further difference is that EHs in many instances can simultaneously affect the whole
facility, including safety systems, safety-related systems and non-safety-related
systems alike. In addition, the potential for widespread failures and interference with
human intervention can occur. Furthermore, EHs may affect the surrounding off-site
infrastructure through common-cause effects, which may undermine the availability of
back-up supplies and affect emergency arrangements. For multi-facility sites this also
makes the generation of safety cases more complex, and requires appropriate
interface arrangements to deal with the potential secondary and consequential
(domino) effects.

12. Both internal hazards and EHs are differentiated from internal plant fault initiators,
which are defined as a random failure of part of the primary nuclear plant and its
processes, including human error. Whilst the SAPs definition of EHs indicates that EHs
generally originate off the licensed site, this is not always the case; for example,
subsidence and liquefaction occurring on-site are classed as EHs, as is fault
movement within the site boundary. However, only natural EHs can originate on-site;
man-made or industrial hazards that occur on-site are classed as internal hazards††.

13. A further delineation arises with EHs that are caused by natural processes, such as
weather‡‡ and earthquake, and those of man-made origin such as aircraft crash and
off-site explosion.

14. A final distinction is between man-made EHs that are accidental and those that arise
from malicious intent. The latter are typically criminal acts by third parties with malign
intent, and the characteristics and protection measures associated with such events
are generally subject to national security considerations. For this reason, malicious
EHs are not covered in this TAG, but are assessed by ONR’s Civil Nuclear Security
Division using separate guidance [10].

†† This definition implies that the Licensee has been responsible for all current and historical activities on
the site. Situations can arise (and have arisen in the UK) where a site has historically been used by
other organisations for other industrial activities. For example, some licensed sites were once military
sites and have a history of unexploded ordnance within the site boundary. Another example that can
occur is where chemical / radioactive materials have been transported, by groundwater movement say,
from nearby industrial sites and now reside under the licensed site in question. All these would be
classed as EHs.

‡‡ Weather and flood hazards are often referred to with the inclusion of the descriptor “extreme”. This
terminology is not generally used in this guide, except occasionally to provide emphasis.

15. Table 1 summarises the various categories of plant fault initiators, indicating which are
classed as EHs and, of these, which are covered in the guide. Table 2 contains a
typical list of EHs that should be covered within Licensees’ safety submissions. The
identification of a comprehensive list of EHs is discussed further in paragraph 61 et
seq.

16. It should be noted that some man-made items, such as dams, and human activities,
such as gas extraction or water injection into geological structures (hydraulic
fracturing), may initiate additional hazards, or enhance the effects of natural hazards
already defined as credible at a site.

2.3 Scope of External Hazards Assessment

17. Analysis by a Licensee should demonstrate that threats to nuclear safety from EHs are
minimised or tolerated. This may be done by showing that safety-related SSCs and
equipment are designed to meet appropriate performance criteria against the
postulated EH, or by the provision of safety systems which mitigate the effects of fault
sequences, thereby demonstrating that the residual risk is ALARP.

18. A summary description of the high-level tasks the Licensee needs to undertake to
determine the effects of EHs on nuclear plant is given below:

i. Identify the EHs that can credibly affect nuclear safety and thus contribute to
nuclear risk.

ii. Analyse each of these hazards to characterise the nature and severity of the
challenge it makes to nuclear plant / SSCs. This is referred to as the site
challenge.

iii. Define a protection concept to determine the barriers required to satisfy the
relevant nuclear safety principles (eg defence-in-depth (DiD)).

iv. Analyse the response of the plant / SSCs to this challenge through fault analysis to
determine the resulting nuclear safety consequences and risks that could arise.

v. New nuclear sites: For new sites SAP ST.4 anticipates that the suitability of the
site to support safe operation will be assessed from an EHs viewpoint§§.

19. Further details on these tasks are provided in Section 5.

20. Safety submissions made by the Licensee should cover all the tasks listed above. The
role of EH specialist inspectors is primarily to assess the adequacy of submissions
covering the first two tasks, and in the case of new nuclear sites, task (v). Task (iii) is
covered by a combination of fault analysis and EH inspectors. Task (iv) is undertaken
by specialist inspectors in other disciplines covering SSCs affected by EHs. This
division of work creates a number of interfaces between EH specialist inspectors and
other disciplines within ONR. The most significant interfaces are listed in Table 3;
however, EH assessors should be mindful that other interfaces may well exist for
particular projects.

§§ Note that the Government has pre-determined the location of potential new reactor build sites in the
UK [73]. These sites are subjected to detailed site-specific hazard analysis by the SLA and Licensee
subsequently in order to fully demonstrate site suitability.


Special considerations for new reactor sites

21. For each new reactor construction project, the expectation is that a GSE is defined by
the Requesting Party*** (RP) during the GDA [11], as a series of hazard-specific design
bases. For a given EH the GSE defines a benchmark hazard magnitude which the
nuclear facility will be designed to withstand. It should be noted that not all EHs are
normally represented in a GSE since some, most notably off-site flooding related
hazards, are generally considered as intrinsically site-specific and not amenable to
generalising for the purposes of generic design. For these hazards, protection and
mitigation measures will be bespoke to the site in question and form part of the site-
specific design process. The site-specific EH envelope should be based on screening
of all potential EHs to confirm that all credible hazards and combinations of hazards
have been identified for the site.

22. At the site licensing and subsequent permissioning stages, the site-specific EHs,
defined in a manner consistent with the needs of the design process (the site
challenge, see Section 5.4), will be compared against this GSE; a visual example of this
comparison is shown in Figure 2. If the challenge from a proposed site is bounded by
the GSE, then the generic design is likely to meet the regulatory expectations of ONR
from the perspective of those EHs captured by the GSE. If any site-specific EH value
exceeds the GSE design basis value for that hazard, then the inspector should ensure
that the Licensee has provided an appropriately robust justification to demonstrate that
the proposed design remains suitable for that site [11].

23. Using Figure 2 as an example, the Wind Gust site-specific hazard value, defined
conservatively at the 10⁻⁴/yr 84% confidence level, exceeds the GSE hazard value.
The Licensee in this example would therefore need to provide additional analysis to
demonstrate that the site is suitable, or the SSC design is sufficiently robust. The
Licensee may also be required to provide additional safety justification for hazards
where the site-specific hazard value is close to exceeding the GSE hazard value, as is
the case for Wind Hourly Average and High Air Temperature in Figure 2, to
demonstrate consistency with the expectations of EHA.4. When a design basis is
derived directly from a site-specific hazard analysis, inspectors should assure
themselves that sufficient margin is available over the mean site challenge to meet the
intent of EHA.4.

24. Where an EH has been screened out during the development of the GSE under the
GDA process but is found to be significant in the site-specific context, then the
Licensee will be required to provide additional safety justification and argument to
demonstrate that the design remains suitable for the site.

*** Requesting Party is the generic name given to nuclear reactor system vendors seeking an opportunity
to sell their design to a Site Licence Applicant (SLA). The SLA becomes the site Licensee once a site
licence has been granted.


[Figure 2: radar diagram. Axes: Earthquake - Ground Motion (g); Extreme Wind Gust (m/s); Extreme Wind Hourly Average (m/s); Lightning (kA); Snow (kN/m²); High Air Temperature Instantaneous (°C); High Air Temperature 12 hr Average (°C); Low Air Temperature Instantaneous (°C); Low Air Temperature 12 hr Average (°C); Extreme Sea Temperature High (°C); Extreme Sea Temperature Low (°C). Radial scale: 0%, 100%, 200%. Legend: Generic Site Envelope values at 100%; site-specific values as a percentage of the Generic Site Envelope values.]

Figure 2 – A radar diagram providing a visual example of how site-specific hazard
values (site challenge) can be directly compared with the GSE hazard values. The
site-specific hazard values are shown as a percentage of the GSE hazard values.

2.4 Characterising External Hazards

25. EHs can be classified as either discrete or non-discrete hazards.

2.4.1 Discrete hazards

26. Discrete EHs are those that can be defined as one or more discrete events in terms of
frequency of occurrence and severity (SAP paragraph 232). An example of a discrete
hazard defined by multiple events is accidental aircraft crash, where separate
categories of aircraft typically have different crash frequencies at a given location, but
a causal link connecting the statistics of different categories does not exist. The lack of
a causal link is what differentiates discrete from non-discrete hazards.

2.4.2 Non-discrete hazards

27. This is a term used in the SAPs for a number of natural hazards: weather, flood and
seismicity (SAP paragraph 233). Here, each hazard is (or in principle can be)
described by a hazard curve of frequency of exceedance versus severity, and a
special feature of the hazard curve is that the events it describes are related by the
physical processes that create them. For example, build-up of strain energy at points in
the earth’s crust can be released causing earthquakes with a range of magnitudes.
The magnitudes and their frequency of occurrence are modelled by the
Gutenberg-Richter relationship. Weather similarly is governed by energy exchange
processes that imply a connection between storm severity and frequency.

28. The hazard curve concept is key to the understanding of the most significant natural
hazards. The “exceedance” in exceedance frequency means that at any given point on
the hazard curve, the frequency of the indicated hazard severity should be interpreted
as the frequency of realising an event of severity greater than the one indicated. This is
important in rationalising the need for beyond design basis analysis (BDBA) for these
hazards (see Section 5.5.3).
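
The exceedance reading of the hazard curve in paragraphs 27 and 28, worked through as an added example that is not part of the ONR guide. It uses the Gutenberg-Richter relationship log10 N = a - bM, where N is the annual frequency of events of magnitude M or greater; the a and b values, the 1e-4 per year design frequency, the 60-year period and the Poisson occurrence model are constructed assumptions for illustration.

```python
import math

# Constructed Gutenberg-Richter parameters (assumptions, not values from the guide).
A_VALUE = 3.0  # log10 of the annual number of events with magnitude >= 0
B_VALUE = 1.0  # slope: each whole magnitude unit is ten times rarer


def exceedance_frequency(magnitude, a=A_VALUE, b=B_VALUE):
    """Annual frequency of events with magnitude >= `magnitude` (the hazard curve)."""
    return 10.0 ** (a - b * magnitude)


def magnitude_at_frequency(freq_per_year, a=A_VALUE, b=B_VALUE):
    """Inverse of the curve: the severity whose exceedance frequency is `freq_per_year`."""
    if freq_per_year <= 0:
        raise ValueError("exceedance frequency must be positive")
    return (a - math.log10(freq_per_year)) / b


def band_frequency(m_low, m_high, a=A_VALUE, b=B_VALUE):
    """Annual frequency of events with m_low <= magnitude < m_high."""
    if m_high <= m_low:
        raise ValueError("m_high must be greater than m_low")
    return exceedance_frequency(m_low, a, b) - exceedance_frequency(m_high, a, b)


def probability_of_exceedance(magnitude, years, a=A_VALUE, b=B_VALUE):
    """Chance of at least one exceedance in `years`, assuming Poisson occurrence."""
    return 1.0 - math.exp(-exceedance_frequency(magnitude, a, b) * years)


def beyond_design_breakdown(design_freq, band_width=0.5, bands=4,
                            a=A_VALUE, b=B_VALUE):
    """Split the frequency lying beyond the design point into severity bands.

    Returns (design magnitude, [(low, high, annual frequency), ...], tail frequency).
    The bands plus the tail always sum to `design_freq`: the value read off the
    curve at the design point IS the frequency of every more severe event.
    The curve here is unbounded; a physical upper limit on severity would
    truncate the tail.
    """
    m_design = magnitude_at_frequency(design_freq, a, b)
    rows = []
    for i in range(bands):
        low = m_design + i * band_width
        high = low + band_width
        rows.append((low, high, band_frequency(low, high, a, b)))
    tail = exceedance_frequency(m_design + bands * band_width, a, b)
    return m_design, rows, tail


if __name__ == "__main__":
    design_freq = 1e-4  # constructed design basis exceedance frequency, per year
    m_design, rows, tail = beyond_design_breakdown(design_freq)
    print(f"design point: M >= {m_design:.2f} at {design_freq:.1e} per year")
    for low, high, freq in rows:
        share = 100.0 * freq / design_freq
        print(f"  M {low:.1f} to {high:.1f}: {freq:.2e} per year ({share:.0f}% of beyond-design)")
    print(f"  M >= {rows[-1][1]:.1f}: {tail:.2e} per year")
    p60 = probability_of_exceedance(m_design, 60)
    print(f"P(at least one exceedance in 60 years) = {p60:.4f}")
```

With these constructed parameters, about two thirds of the beyond-design frequency falls within half a magnitude unit of the design point, which is why the region just past the design basis gets attention in BDBA.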

2.4.3 Maximum credible events

29. For some discrete hazards, usually man-made hazards, it may be possible to
characterise a worst-case event, called a Maximum Credible Event (MCE), that can be
used as a surrogate for the hazard as a whole. For example, the release of a toxic gas
from a nearby off-site tank farm will likely be limited by the maximum storage capacity
of the tanks. The MCE concept is useful for quickly estimating worst case scenarios
and is generally applied to hazards whose nuclear safety implications are minor. Quite
often, the Licensee is able to demonstrate in a straightforward way that, even at the
MCE level, the nuclear safety implications are negligible and therefore the hazard can
be screened out from further consideration. The MCE can also be useful in helping to
define a design basis event when probabilistic methods for the hazard in question
carry large uncertainties, and also provides a useful insight for BDBA.

30. In principle, it may also be possible to develop an MCE for a non-discrete hazard, eg if
the hazard curve is asymptotic to some upper value of severity, or if a relevant physical
limit can be defined that limits hazard severity.

31. Where hazards are not amenable to the derivation of a design basis event based on
frequency, a surrogate MCE, supported by scientific evidence, may be defined. The
severity of the surrogate MCE should be chosen and justified to reach an equivalent
level of safety (that is, it should be compatible with the principles of SAP FA.5).

2.5 Plant Response to External Hazards

32. The intent of this section is to provide a context within which the analysis of EHs is
undertaken. This analysis is driven primarily by the need to demonstrate safe operation
of nuclear plant. Such plant consists of systems, structures and components (SSCs)
for which safety functional requirements (SFRs) are stated. SFRs define the ability of
SSCs to withstand particular EHs and how the SSC fails in response to EH loading,
and form the basis of claims in safety cases.

33. The extent to which individual EHs are analysed to develop a site challenge should be
proportionate to the significance of the EH to plant risk. Nuclear (and other) plant /
SSC responds to the challenges presented by EHs in a number of ways. This section
gives a general overview of both typical features of SSC / personnel response and the
protection / mitigation measures that Licensees typically implement.

34. Assessment of safety submissions covering the effects of EHs on SSCs is primarily the
responsibility of other discipline areas, especially the engineering disciplines. The
discipline areas likely to be of most interest to EH specialists are:

• Civil Engineering
• Mechanical Engineering
• Electrical Engineering
• Human Factors
• Control & Instrumentation Engineering
• Structural Integrity of metal components
• Internal Hazards
• Fault Studies & PSA

35. A list of interfaces is provided in Table 3.

36. The two most important features of EHs relevant to nuclear safety are the limited ability
to apply the hierarchy of safety principle and the common cause effect that is often
associated with the effects of EHs:

37. Limited ability to apply the Hierarchy of Safety principle: The Licensee has very little or
no control over the hazard’s likelihood of occurrence. The Licensee should however be
able to control the hazard’s potential to initiate faults on the plant. In hierarchy of safety
terms, eliminating the hazard at source is not an option, therefore protection and
mitigation measures should be employed to limit the effects of the EH. Typically, these
are:

• Passive / active engineered safety features

• Procedural control measures involving operator actions, sometimes in response to
warnings

38. Further guidance is provided in SAPs EKP.1 to EKP.3.

39. Common cause effect: The common cause effect of many EHs, especially natural
hazards, such as weather, flooding and seismicity, can affect the entire site at the
same time and often a substantial region off-site as well. Several features of this effect
are worthy of note:

• Such hazards have the potential to initiate a large number of SSC / plant faults
simultaneously.

• They can adversely affect the off-site infrastructure on which the site depends for
supplies of materials, energy and personnel. They can even affect the severity of
severe accident off-site consequences and the effectiveness of emergency
arrangements. Common cause effects should be considered as part of the design
basis, BDB and within the Licensee’s Severe Accident Management Guidelines
(SAMGs).

• Protection is generally provided by a combination of engineered SSC withstand,
engineered protection and procedural measures. Robust engineered withstand is
provided through the application of appropriate design codes using load
function(s) derived through conservatively evaluated design basis hazard
definition. Engineered protection measures are made to be diverse, redundant and
segregated wherever possible to minimise the potential for common cause faults.
This is particularly important for EHs that can simultaneously affect the whole
facility. In addition to this, protection measures should maximise DiD in terms of
the hierarchy of safety measures, particularly since the first level of defence –
prevention or elimination - is generally not possible for EHs. In all cases the
application of the single failure criterion is an important consideration (see Section
5.8.7).

40. A further important aspect of EHs is their ability to initiate or induce internal hazards
events as secondary or consequential hazards, eg fire, internal flood and gas release;
for further details consult TAG 14 [12].

41. The potential of EHs to challenge nuclear safety is discussed in the appendices (2-6)
and annexes (1-4) covering each individual hazard category.

3 RELATIONSHIP TO LICENCE AND OTHER RELEVANT LEGISLATION

42. LCs only apply at nuclear licensed sites and to nuclear related activities undertaken by
Licensees on those sites, although third parties working on behalf of the Licensee may
carry out these activities. LCs cover a large number of nuclear safety matters, but
those relevant to EHs are directly concerned with safety case production, the
management of safety case outputs (eg operating rules), maintenance of safety cases
and safety-related plant (including Periodic Safety Reviews), incidents on-site and
emergency arrangements. The Licensee has a duty to develop and maintain site
licence compliance arrangements and these should take full cognisance of the
requirements of EH safety cases. These may include their own nuclear safety
principles; if such principles exist, compliance with them should not lead to a shortfall
against the SAPs or TAG guidance without appropriate justification.

43. This section may also apply to information that is prepared by organisations that are
not Licensees, such as Requesting Parties, to the extent that they will prepare safety
submissions that may, in time, support licensable activities on a nuclear licensed site.

44. The majority of EHs could have an impact on the matters addressed by most of the
nuclear site LCs. However, the following are seen as being most relevant to the
specific threats posed by EHs on nuclear facilities:

a. Licence Condition 7: Incidents on the site – records should be kept of the
occurrence of relevant hazards where these affect personnel on-site or safety related
plant. Monitoring equipment should be provided to warn of the occurrence of EH
events that exceed a specified level. Following a severe external event, it is expected
that the Licensee would review the EH severity-frequency relationship assumed in the
safety case and the assumed effect on the site and plant, either immediately after the
event or as part of a subsequent PSR under LC 15.

b. Licence Condition 9: Instructions to persons on the site – the instructions
should provide explicit information on how to respond to EHs where reasonably
practicable and how site personnel are best protected. These instructions may require
cross-referencing to specific operating instructions and limits for some hazards, eg
flooding and temperature, where there may be a period before the event where it is
possible to prepare for developing hazards, eg by taking advantage of on-site EHs
monitoring data or third party weather and flood warnings. The SAPs specifically
identify the need for Licensees to define and take action in response to a pre-defined
magnitude of seismic event, called an Operating Basis Earthquake (OBE).

c. Licence Condition 10: Training – where the Licensee has provided deployable
defences against EHs – such as flood barriers around doors, suitable training should
be provided to ensure the actions can be carried out in a timely manner. It is important
that the training takes cognisance of the environmental conditions under which any
arrangements need to be implemented, such as during the build-up to a severe storm.
Training in relation to EHs is also relevant to LC 11 – Emergency arrangements.

d. Licence Condition 11: Emergency arrangements – EHs are one class of initiating
events for the instigation of the emergency arrangement procedures. It is important for
Licensees to establish the existence and nature of an EH event, if one occurs, that
could lead to the deployment of emergency arrangements. Licensees should have
access to sufficient sources of information to enable the site to respond to such events
in a timely manner. The following is a non-exhaustive list of information sources:

• Weather and flood warnings from services operated by, for example, the UK
Meteorological Office (UKMO) and the Environment Agency (EA).

• Seismic hazard information service provided by, for example, the British
Geological Survey (BGS).

• Site monitoring equipment providing data on hazards at a site level such as: tide
and river levels, air and sea temperatures, wind speed, site and in-plant seismicity
levels, etc.

• Site monitoring equipment is assumed to be under the control of the Licensee and
it may be appropriate to provide annunciations and data readouts directly to the
site / plant control rooms, so that a site response can be initiated quickly.

• Where defence against EHs requires operational action to implement,
responsibility for this should be identified by the Licensee and appropriate training
provided to relevant personnel in accordance with compliance arrangements
under LC10.

• Post-event and post-accident recovery: The Licensee should put in place
procedures to recover from an EH event. These could include plant walkdowns,
inspections, testing and maintenance activities on susceptible equipment, etc. If an
EH event leads to an accidental release, then the Licensees will engage their
emergency arrangements and these should acknowledge the potential for EHs to
act as initiating events.

e. Licence Condition 14: Safety documentation – this condition requires
arrangements for the production of documentation in which EHs should be considered
as fault initiators. Systematic or repetitive problems with safety case documentation
could be indicative of inadequate arrangements.

f. Licence Condition 15: Periodic review – this condition requires EHs to be
considered as part of the periodic review process. Typically, this will involve a review of
on-site and relevant off-site events worldwide that have occurred since the last review,
including magnitude frequency values, data and methodological developments, and
operational feedback. The Licensee should take advantage of these data and the data
from EHs site monitoring equipment to test the adequacy of EHs assumptions made in
safety cases. This includes consideration of the effects of climate change since the last
review.

g. Licence Condition 19: Construction or installation of new plant, and Licence
Condition 20: Modification to design of plant under construction – these
conditions require that the design of plant under construction, or a modification to the
design is assessed in the context of faults including those initiated by credible EHs.

h. Licence Condition 22: Modification or experiment on an existing plant – this
condition requires that a modification or experiment on an existing plant is assessed in
the context of faults including those initiated by credible EHs.

i. Licence Condition 23: Operating rules – this condition requires that the Licensee
shall, in respect of any operation that may affect safety, produce an adequate safety
case to demonstrate the safety of that operation and to identify the limits and
conditions necessary in the interests of safety. Inspectors should refer to TAG 35 for
further details [13]. Limits and conditions relevant to EHs may include:

• Limitations on the state of the plant. The EHs protection mechanisms claimed in
the safety case must be available according to safety case requirements including
examination, inspection, maintenance and testing (EIMT) and when systems are
unavailable due to faults. For EHs that can be forecast, eg weather, a grace time
for establishing a safe plant configuration may be applicable. Inspectors should
assure themselves that a route to a safe operating state without transgressing the
safe operating envelope is available.

• Limitations on activities during periods of extreme cold weather, high wind, or
possible flooding conditions (or warnings of such conditions). For example,
restrictions on activities / plant operations in areas that may be exposed to
extreme weather conditions.

• Limitations on activities that might breach an EH related safety case assumption,
eg overloading a structure or restraint beyond the point that the relevant safety
case has qualified its ability to withstand seismic or wind induced loads. For
example, extreme wind hazard might impose a restriction on the use of an
Overhead Travelling Crane.

• Inspection activities prompted by local seismic events greater than the OBE level,
or occurrence of any other type of EH that could challenge the design basis
assumptions in plant safety cases.

• Plant conditions for which no safety case justification is available, eg the use of
free-standing scaffolding or a temporary work platform close to safety-related
equipment, where the scaffolding or platform might respond to an EH event
causing interference with the safety function of the equipment.

• Plant conditions caused by maintenance activities that undermine the claimed EHs
withstand of safety-related plant and equipment, or undermine the functionality of
EHs monitoring equipment needed to discharge activities claimed in safety cases.

j. Licence Condition 27: Safety mechanisms, devices and circuits – this condition
requires Licensees to ensure that plant is not operated, inspected, maintained or
tested unless suitable and sufficient safety mechanisms, devices and circuits are
connected and in good working order. Generally, there are a large number of EHs
safety claims made on plant and equipment, especially in respect of seismic hazard.

Inspectors should be especially wary of situations where plant is operated when other
plant on which it depends to deliver safety claims is out of service. This can occur, for
example, when “other plant” comprises EHs monitoring equipment, which is either
undergoing maintenance or is in a failed state. The plant being protected should either
be operated in a way that removes the need for the safety claim(s), or substitute
monitoring equipment should be employed that delivers a similar functionality to that
which is out of service.

k. Licence Condition 28: Examination, inspection, maintenance and testing
(EIMT) – this condition requires that the Licensee makes and implements adequate
arrangements for the regular and systematic EIMT of all SSCs which may affect safety.
Generally (but not always), this will be plant and equipment upon which a safety case
claim is made. In the case of EHs, the protection is often provided by passive means,
eg sea walls or building structures. The Licensee should ensure that these safety
functions are recognised in the derivation of the EIMT requirements as this can often
be overlooked. The EIMT procedures and instructions applied to such plant and
equipment should:

• Explicitly identify relevant EHs safety claims, so that on return to service such
plant and equipment meets the intended EH functional and reliability claims made
on it.

• Include other plant and equipment that can cause damage to safety-related items
through secondary action following an EH event.

• Include systems installed to warn of EHs events, eg temperature and wind
monitoring, seismic detectors / alarms, and especially flood detection.

4 RELATIONSHIP TO SAPS, WENRA REFERENCE LEVELS AND IAEA SAFETY STANDARDS

45. The specific EH SAPs are: EHA.1 to EHA.19, which cover the wide range of EHs and
the tasks needed for their identification and analysis.

46. There are a number of supporting and related SAPs, all of which are relevant to the
analysis of EHs and some of which make explicit reference to EHs. These are:

• SC.7 & paragraph 108: Safety Cases
• EKP.1 – EKP.5: Key Engineering Principles
• ST.1 – ST.6: Siting
• ECS.1 – ECS.5: Safety Classification and Standards
• EDR.1 – EDR.4: Design for Reliability
• ELO.1, ELO.4 & paragraphs 223 & 226: Layout
• EMC.7: Metal Components
• ENC.1 & paragraph 323: Non-Metal Components
• ECE.1, ECE.2, ECE.4, ECE.6, ECE.7, ECE.9, ECE.10, ECE.11, ECE.23 &
paragraphs 337, 344-345, 349-351, 363: Civil Engineering
• EGR.2, EGR.10 & paragraph 376: Graphite Reactor Cores
• ESS.18 & paragraph 413: Safety Systems
• EHF.5 & paragraphs 450-451: Human Factors
• ECV.2, ECV.10 & paragraphs 524, 536: Containment and Ventilation
• FA.1 – FA.3, FA.5, FA.7, FA.10, FA.15 & paragraphs 647, 667: Fault Analysis
• AV.1 – AV.10 & paragraph 693: Assurance and Validity of Data and Models
• AM.1 & paragraphs 772-774: Accident Management

47. Due to the nature of EHs effects, this list could include virtually all other SAPs.
However, the shortened list above highlights those key SAPs that should be
considered in the first instance. In addition, it is worth noting that the following
paragraphs are also of relevance:

• 9-18 ALARP
• 33 Facilities Built to Earlier Standards
• 35 Ageing
• 42-43 Multi-facility sites

48. As stated below, benchmarking of the SAPs against the WENRA and IAEA standards
has been undertaken at a high level, the results of which in relation to EHs and
WENRA Reference Levels (RLs) can be seen in Table 4. It has shown that the SAPs
in respect of EHs meet the requirements of both organisations.

WENRA

49. The WENRA RLs most relevant to EHs are published in Refs. [14], [15], [16]. Ref. [14]
provides the head document for Issue T – Natural Hazards – and has subsequently
been supported by a further three documents that post-date publication of the head
document and cover meteorological, flooding (all forms) and seismic hazards
respectively: [17], [18], [19].

50. The guidance in this TAG is consistent with these WENRA RLs. Table 4 presents the
mapping between Reactor Harmonisation Working Group RLs and this TAG. The
guidance in this TAG has also been considered against the WENRA Waste and Spent
Fuel Safety RLs [20] and the Decommissioning Safety RLs [21]. These do not include
specific EHs levels. However, they do state that EHs need to be considered as
postulated initiating events (PIEs), and the Decommissioning Safety RLs report
provides an example list of such events. The guidance in this TAG is consistent with
both documents.

51. It is acknowledged that a further WENRA publication is planned to cover man-made
EHs, as follows:

• Issue U: Human Induced Hazards.

IAEA

52. The 2006 SAPs were benchmarked against the IAEA Safety Series (requirements and
guidance) documents, especially [22], and their main principles are encompassed
within the SAPs. Specific IAEA guidance relevant to EH is referenced throughout this
TAG and in the hazard specific annexes attached to it, but IAEA Safety Guide NS-R-3
[23] provides a good overview. IAEA guidance referenced in this TAG is summarised
in Table 5.

53. This TAG reflects the IAEA guidance at its time of production. The guidance from IAEA
is recognised as representing RGP under the introduction to the 2014 SAPs [5].

54. In response to the Fukushima Dai-ichi event IAEA undertook a detailed investigation
into the causes and consequences of the accident [24]. As a result of this investigation
new technical standards have recently been published; others are in draft and
expected to become available between publication of this TAG revision and the next
scheduled review date. ONR have contributed to the production and review of these
new standards and regard them as RGP upon publication.

55. Standards already published before this investigation and relevant to external hazards
are summarised in Table 5. They include several relevant to seismic hazard analysis
[25], [26] and [27], and one relevant to meteorological and coastal flood hazard
analysis [28].

56. The following recently published standards are available now:

General

• IAEA TECDOC 1791: Considerations on the Application of the IAEA Safety
Requirements for the Design of Nuclear Power Plants [29].

This publication supports SSR-2/1 [22] and provides detailed guidance on general
design matters with the learning from Fukushima, and specific guidance on
establishing external hazards design bases and elements of BDBA.

• IAEA TECDOC 1834: Assessment of Vulnerabilities of Operating Nuclear
Power Plants to Extreme External Events [30].

This publication provides guidance on BDBA for existing nuclear power plants and
specifically responds to post-Fukushima stress test expectations.

Site Selection

• IAEA SSG-35: Site Survey and Site Selection for Nuclear Installations [31].

This publication provides guidance specifically for the selection of new sites for new
nuclear power plants.

Seismic Hazard Analysis

• IAEA Safety Report 85: Ground Motion Simulation Based on Fault Rupture
Modelling for Seismic Hazard Assessment in Site Evaluation for Nuclear
Installations [32].

This publication describes strong ground motion simulation methods and gives
introductions to simulations using fault rupture modelling.

• IAEA Safety Report 89: Diffuse Seismicity in Seismic Hazard Assessment for
Site Evaluation of Nuclear Installations [33].

This publication provides considerations on “diffuse seismicity” that refers to
earthquakes occurring in locations where no apparent correlation can be made with
any causative faults. This is typical of the UK environment.

• IAEA TECDOC 1767: The Contribution of Palaeoseismology to Seismic Hazard
Assessment in Site Evaluation for Nuclear Installations [34].

This publication provides the up-to-date knowledge and practices of palaeoseismology
to be used in establishing an earthquake database required for seismic hazard
assessment / reassessment.

• IAEA TECDOC 1796: Seismic Hazard Assessment in Site Evaluation for
Nuclear Installations: Ground Motion Prediction Equations and Site Response
[35].

This publication provides the state-of-the-art practice and detailed technical elements
related to ground motion evaluation by ground motion prediction equations and site
response in the context of seismic hazard assessments as recommended in IAEA
Safety Standards Series No. SSG-9 [27].

Volcanic Hazard Analysis

• IAEA TECDOC 1795: Volcanic Hazard Assessments for Nuclear Installations:
Methods and Examples in Site Evaluation [36].

TECDOC 1795 provides information on detailed methodologies and examples in the
application of volcanic hazard assessment to site evaluation for nuclear installations,
thereby addressing the recommendations in IAEA Safety Standards Series No. SSG-21
[37].

Human Factors in External Hazards Analysis

• IAEA Safety Report 86: Safety Aspects of Nuclear Power Plants in Human
Induced External Events: General Considerations [38].

• IAEA Safety Report 87: Safety Aspects of Nuclear Power Plants in Human
Induced External Events: Assessment of Structures [39].

• IAEA Safety Report 88: Safety Aspects of Nuclear Power Plants in Human
Induced External Events: Margin Assessment [40].

These publications cover the human actions involved in responding to an EH event
and implement the lessons learned from Fukushima, but build on an earlier foundation
report NS-G-3.1 [41].

57. The following standards are in production by IAEA and are expected to be relevant to
this TAG. Inspectors using this TAG should familiarise themselves with the current
status of IAEA guidance relevant to their assessment work:

• Consideration of External Hazards In Probabilistic Safety Assessment For Single
Unit And Multi-Unit Nuclear Power Plants – Safety Report.

• Seismic Instrumentation System and its Use in Post-Earthquake Decision Making
at Nuclear Power Plants – TECDOC.

• Technical Approach for Multi-Unit Site Probabilistic Safety Assessment – Safety
Report.

• Seismic Isolation Systems for Nuclear Installations – TECDOC.

• Assessment of Hydrological (excluding Tsunami) and High Wind Hazards – Safety
Report.

• Benchmarking of Tsunami Hazard Modelling During Site Evaluation for Nuclear
Installations – TECDOC.

• Tsunami and Seiche Hazard Assessment in Site Evaluation for Nuclear
Installations – Safety Report.

• Considerations on Performing Integrated Risk Informed Decision Making –
TECDOC.

• Use of Probabilistic Safety Assessment Methodologies for the Design of Nuclear
Power Plants Against Tsunami – Safety Report.

• Seismic Probabilistic Safety Assessment for Seismic Events – TECDOC.

• Current Approaches to Design Extension Conditions’ Analysis – TECDOC.

• Methodologies for Seismic Safety Evaluation of Existing Nuclear Installations –
Safety Report.

5 ADVICE TO INSPECTORS

5.1 Overview of External Hazards Analysis Tasks

58. The analysis tasks that the Licensee (or the RP under the GDA process) should
undertake to determine the effects of EHs on nuclear plant have been described at
high level in paragraph 18, and as noted there, EH inspectors should concentrate their
assessment on points i, ii and if necessary, iv. Points i and ii are summarised in more
detail below, where point ii has been sub-divided into the different analysis streams
called for by the SAPs, plus a number of special considerations specific to EH and
emergency preparedness:

• Hazard identification
• Fault identification (fault initiation) and hazard screening
    o Hazard grouping
    o Hazard screening on low frequency (discrete hazards)
    o Hazard screening on low consequence potential (discrete and non-discrete)
• Hazard analysis
• Design Basis Analysis (DBA) – specific EHs considerations
    o Design bases for screened-in EHs
    o Design bases for facilities with low unmitigated consequences
    o BDBA for EHs
        ▪ “Cliff-edge” effects
        ▪ More severe BDB events
• Probabilistic Safety Analysis (PSA) of EHs
• Severe Accident Analysis (SAA) of EHs
• Special considerations relevant to EHs
    o Combinations of EHs (includes consequential hazards / effects)
    o Combining EHs loads with normal design loads
    o Operating conditions
    o Multi-facility sites
    o Application of this guide to existing sites and facilities
    o Application to new sites
    o Single failure criterion
    o Reliability, redundancy, diversity and segregation
    o Sources of data
    o Uncertainty
    o Climate change
• Emergency preparedness
• Post EH event operations

59. Each of these topics is covered, section by section, below.

60. DBA, PSA and SAA are collectively known as fault analysis; FA.1 calls for all three of
these analysis streams to be undertaken to demonstrate that facility risks are ALARP.
FA.2 calls for all significant fault initiators to be identified and FA.3 states that fault
sequences should be developed for all initiating faults. EHs initiated faults are fully
embedded in all of these aspects.

5.2 Hazard Identification

61. The fundamental first step in addressing the threats from EHs is to identify those that
are relevant to the facility under consideration. All EHs and credible combinations that
might affect the site should be identified. SAP FA.2 and paragraph 618(c) state that
EHs should be considered as potential fault initiating events. EHA.1 further amplifies
this.

62. The Licensee should demonstrate that an effective systematic process has been
applied to identify all types of EHs relevant to a particular site, including reasonably
foreseeable independently occurring hazards, causally-related hazards and
consequential events (SAPs paragraph 234). Furthermore, EHs that threaten
neighbouring installations, which in turn threaten the plant, should be identified.

63. Table 2 contains a typical range of hazards that should be considered in the first
instance and is drawn from an ONR report [42] that summarises ONR and IAEA
guidance, augmented with recent experience from Licensee safety cases identifying
those EHs significant to nuclear safety; IAEA Safety Guide NS-R-3, NS-G-1.5 and
SSG-18 are particularly relevant [23], [43], [28]. A further list of IAEA guidance is
provided by WENRA at Ref. [16]. WENRA also provides further guidance for natural
hazards at Ref. [14] - Appendix 2, which has also been used in the construction of
Table 2 within this TAG†††. Table 2 should not however be seen as exhaustive, as local
site conditions and the plant design may be susceptible to further hazards. The
appendices and annexes to this TAG provide additional detail on specific hazard types.

64. The relevant parts of Table 2 are expanded as appropriate in each of the annexes to
provide a list (not comprehensive) of primary, secondary, correlated and consequential
site hazards associated with each type. This division of hazards into different
categories has been found useful for conveying the interdependencies of various
hazards (especially meteorological and coastal flooding hazards) on each other:

• Primary hazard: An EH generated directly by a physical process outside the
control of the site, for example, a storm event giving rise to wind and precipitation
hazards.

• Correlated hazard: An EH that can occur simultaneously with the primary hazard
because both depend on a common physical process, for example, a storm may
give rise to both rain and lightning hazards at the same time.

• Secondary hazard: An EH that is caused by and dependent on the occurrence of a
primary hazard, for example, wind-driven waves occur as a direct result of wind
effects on open water.

• Coincidental hazards: Realistic combinations of randomly occurring independent
EHs affecting the site simultaneously, for example, earthquake and air
temperature hazards. These hazards are not correlated through a physical
process.

• Consequential hazard / effects: Hazards (internal and external) that are the
derived effects of primary, correlated and secondary hazards and / or their typical
effects, leading to a direct challenge to site safety and / or site operations.

5.3 Fault Identification (Fault Initiation) and External Hazards Screening

65. The fault identification process should provide sufficient site-specific data to determine
each hazard’s potential for plant / SSC fault initiation and whether the hazard can be
screened out from further fault analysis / hazard analysis (including hazard
combinations and consequential events as noted in paragraph 62.). Fault sequences
should be developed to determine the potential radiological consequence.

66. External hazard grouping: EHs may be grouped together where they have common
features, or initiate similar fault sequences for example. However, inspectors should
confirm that such groupings faithfully reflect the number of hazards and faults collected
in a group in terms of the accumulated frequency of fault initiation and consequential
effects.

††† A further recent report [48] prepared as part of a research project to extend the PSA methodology to
better accommodate EHs has provided what it claims is a comprehensive list of EHs to be considered
in a Level 1 EHs PSA.

5.3.1 Screening

67. Hazards can be screened from further consideration if they are shown by the fault
analysis to make no significant contribution to overall risks from a facility (SAP
EHA.19). A screening process consisting of defined screening criteria should be
applied to each identified hazard. Screening criteria (SAP paragraphs 235, 631 & 649)
can be defined in terms of very low frequency of occurrence (for discrete hazards less
than 10⁻⁷/yr)‡‡‡ or in terms of the potential consequences from associated fault
sequences if they are incapable of posing a significant threat to nuclear safety
(discrete and non-discrete hazards). It is important to note that the hazard screening
process can often be a major part of the hazard analysis. Apart from hazards that are
evidently not applicable to a particular site (for example, fluvial flooding if available
national generalised flood mapping indicates the site is not at risk§§§) it is necessary
first to characterise the hazard sufficiently to facilitate a meaningful screening analysis
(eg generate a hazard frequency versus severity curve). Secondly, in order to
determine whether the hazard severity has nuclear safety significance, an
understanding of how the hazard will impact on the plant / SSC and the plant or SSC
response is required. Where generic, rather than site-specific hazard data has been
used (which may pre-date any detailed site-specific hazard characterisation work) the
original assumptions should be justified by reasoned argument.

68. Care should be taken to ensure that combinations (see Section 5.8.1) including
internal faults and operational occurrences are included. Thus, fault sequence
analysis, including combination effects, needs to be taken into account in the screening
process.

69. Screened-in hazards are considered as significant fault initiators under FA.2 and
should therefore be subject to DBA and PSA as appropriate. Non-discrete hazards in
particular may also be subject to SAA.

5.4 Hazard Analysis

70. Each credible EH should be assessed to establish its frequency and severity (in terms
of magnitude, duration, progression, spatial extent, relationship to other hazards, etc)
at the site. The hazard analysis is used not only for the purpose of defining the design
basis, but also to support BDBA, PSA and SAA. The characterisation of EHs will
depend on the type of analysis that is to be carried out and should be conservative for
the DBA, but best estimate for SAA and PSA. The hazard curves should extend down
to an appropriate frequency generally consistent with the fault screening frequency for
discrete hazards, see paragraph 67., since this represents a frequency at which risk is
considered negligible for a single class of accident, see SAP paragraph 749.

71. It should be noted that for EHs PSA, a range of frequencies and associated hazard
parameters is often required. All relevant characteristics need to be specified and the
rationale for their selection justified. For some EHs the ability to forecast the magnitude
and timing of the event, and the speed at which the event develops may be relevant
and should be considered. Several parameters could be relevant to characterise
severity and / or magnitude. A useful checklist of hazard analysis considerations is
provided in Ref. [16]. Further details are also provided within individual hazard
annexes and appendices in this guide.
‡‡‡ Note that the cut-off frequency may differ depending on the nature of analysis that is to be
undertaken. Where PSA is undertaken for example, the cut-off frequency needs to be low enough to
compare the EH internal plant fault risks.
§§§ https://flood-map-for-planning.service.gov.uk/


72. For significant natural hazards (weather, flooding and earthquake), the hazard analyses
often take the form of complex computational analyses requiring specialist expertise to
undertake for nuclear sites with significant hazard potential. Where appropriate, a MCE may be
defined (see paragraph 30.). In all cases the analysis should use methods,
assumptions or arguments that are justified, take into account all relevant site and
regional data and contain sufficient information to enable a conservative design basis
to be defined.

73. Licensees should provide assurance that uncertainties and their impact have been
given adequate consideration and adequate margins have been included when
defining the design basis events. For sites where the unmitigated consequences
arising from an EH are low (SAP paragraph 241), hazard data from conventional
building codes may be acceptable. For the less significant natural hazards and for
industrial hazards, the complexity of the analysis depends on a number of factors that
are site-specific. Details of the analysis techniques and the degree of expertise
required for the assessment of site-specific analyses in support of nuclear safety cases
are provided as a series of appendices (for less significant hazards) and annexes (for
more significant hazards), as follows:

• Appendix 2 – Electromagnetic interference and space weather
• Appendix 3 – Biological hazards
• Appendix 4 – Industrial hazards
• Appendix 5 – Landscape change
• Appendix 6 – Naturally and anthropogenically occurring gases
• Annex 1 – Seismic hazards [1] and supporting Expert Panel paper [7]
• Annex 2 – Meteorological hazards [2] and supporting Expert Panel paper [8]
• Annex 3 – Coastal flood [3] and supporting Expert Panel paper [9]
• Annex 4 – Accidental aircraft crash hazard [4]

5.5 Design Basis Analysis for External Hazards

74. DBA is a robust demonstration of the fault tolerance of the facility, and of the
effectiveness of its safety measures. Its principal aims are to guide the engineering
requirements of the design and to determine limits and conditions to safe operation
(LC 23(1) Operating Rules), so that safety functions can be delivered reliably during all
modes of operation and under reasonably foreseeable faults. In DBA, uncertainties in
the fault progression and consequence analyses are addressed by the use of
appropriate conservatism. The adequacy of the design and the suitability and
sufficiency of the safety measures are assessed against deterministic rules (eg design
codes). These rules are derived from RGP and include the SAPs themselves.

75. The glossary in the SAPs provides the following definitions:

• Design basis – The range of conditions and events that should be explicitly taken
into account in the design of the facility, according to established criteria, such that
the facility can withstand them without exceeding authorised limits by the planned
operation of safety systems.

• Design basis fault – A fault (sequence) that the plant is designed to take or can be
shown to withstand without unacceptable consequence, by virtue of the facility’s
inherent characteristics or the safety systems.

76. These definitions are discussed further below with respect to EHs.

5.5.1 Design bases for screened-in external hazards

77. DBA for EHs is predicated on defining a design basis event for each EH screened in to
the fault analysis process (EHA.3). Additional design basis events may be defined to
capture credible combinations of individual events. SAP EHA.4 refers to the design
basis event threshold for external events in terms of a return period (eg 1 in 10,000
years conservatively evaluated for natural EHs). This terminology is in common use in
the nuclear industry****. Note that the annual probability of exceedance of 10⁻⁴ is an
annualised value applicable over the lifetime of the facility††††.

78. SAP EHA.4 also defines the EH design basis event exceedance frequency in terms of
SAP FA.5 which defines the threshold frequencies for events to be included within
DBA. As noted in paragraph 60., EHs should be fully embedded into the DBA process.
SAP paragraph 628 identifies hazard initiating fault frequencies below which
application of DBA is unlikely to be proportionate to the radiological hazard. These
have been re-interpreted here as the frequency points at which the EHs design bases
should be established. The exceedance frequency for the EH design basis event
therefore corresponds to the threshold frequencies for events that should be included
within the DBA process. For non-discrete EHs characterised by a hazard curve, DBA is
expected to consider the EH at all exceedance frequencies on the hazard curve down
to the design basis event definition. For discrete EHs, the analysis is expected to
include consideration of hazards that might be grouped within the EH event definition,
in a similar way to plant initiated faults down to a threshold value of 10⁻⁵/yr on a best
estimate basis.

79. The EH event design basis exceedance frequencies, and threshold values for DBA are
summarised here: (The basis for these definitions is discussed at paragraph 86.)

Discrete hazards – For internal hazards and man-made EHs the design basis is
defined in one of two ways:

• Probabilistically, as a best estimate value of hazard severity and frequency of
occurrence down to about 10⁻⁵/yr (FA.5, paragraph 628(a)), or

• Deterministically, as a MCE (SAP paragraph 242) provided its frequency of
occurrence is compatible with the principles of FA.5.

Where a discrete hazard has a frequency of occurrence less than the design basis
threshold of 10⁻⁵/yr, but cannot be screened out as insignificant according to SAP
EHA.19 (paragraph 67.), the hazard will still need to be captured by the PSA or other
form of fault analysis, and needs to be considered as a beyond design basis event,
see paragraph 109.

Non-discrete hazards – For natural EHs defined by hazard curves, the design basis is
defined as follows:

• Probabilistically, as a conservative estimate of hazard severity at the 10⁻⁴/yr
frequency of exceedance point on the hazard curve‡‡‡‡ (EHA.4, FA.5 paragraph
628(c)). DBA is expected to cover the region of the hazard curve down to the
10⁻⁴/yr point.

80. Note that some Licensees use multiple design bases to describe hazards, with
different levels of protection and mitigation associated with faults analysed at the
different design bases. The demonstration of ALARP is more complex in these cases
and care is needed that the Licensee does not interpret such analyses as justifying an
ALARP position more lax than that intended by the SAPs in the use of DBA.

**** The term “10,000 year return period” is shorthand for an event with an annual probability of
exceedance of 10⁻⁴ or 10⁻⁴/yr.
†††† A further common usage is to refer to probabilities as (statistical) frequencies. Use of this
terminology is widespread throughout the nuclear industry and is used also in the SAPs. At the low
probabilistic values of interest here, the numerical difference between probabilities and equivalent
frequencies is insignificant. The term “frequency” is used for convenience in this document and to be
consistent with the expectations of a nuclear audience.
‡‡‡‡ Inspectors should note that the conservative 10⁻⁴/yr value should be seen as commensurate with the
10⁻⁵/yr value used for discrete hazards (and other non-EH initiating events). The difference recognises
the difficulty in defining natural hazards at exceedance frequencies below 10⁻⁴/yr.

81. Note that the hazard screening criteria described in Section 5.3.1 are not the same as
the DBA criteria (paragraph 78.). The design basis event might not necessarily pose a
significant nuclear challenge and the subsequent load case may be bounded by other
design load cases. The DBA process should note the SFR to protect against otherwise
bounded design basis events.

The Use of Conservatism in the Definition of Design Bases for Non-Discrete External
Hazards

82. SAP EHA.4 sets a clear expectation that design bases for non-discrete hazards
should be conservatively defined, but provides no advice on how to define either the
level of overall conservatism, or the manner in which conservative assumptions are
applied to the hazard analysis process.

83. Historically, a range of different approaches has been undertaken for the development
of design basis events for UK Licensed sites, especially for sites where there was no
nuclear safety requirement associated with specific hazards (eg seismic) at the time of
construction. These approaches have been developed as a result of the state of
knowledge at the time of their derivation and the level of radiological hazard and / or
risk posed by the site. Inspectors should exercise caution when examining the
derivation of design basis hazards in isolation from the totality of the safety justification
for such facilities. Instead, an appreciation of the manner in which the Licensee has
demonstrated holistically that the risk from EH events is ALARP is a more
proportionate approach in line with good regulatory practice.

84. The difficulty in deriving a conservative design basis definition is most notable for non-
discrete natural hazards (and has been a matter of considerable debate in respect of
seismic vibration design bases in particular) because the work involved in producing
an adequate safety case is generally greater for these hazards than for others. For
these hazards especially, inspectors should consider the following:

• As noted in paragraph 83., the most important aspect is that the Licensee should
demonstrate that the risk arising from EHs is ALARP. The need for a conservative
estimate of design basis hazard severity at the 10⁻⁴/yr frequency of exceedance
point on the hazard curve, is considered by ONR to be consistent with such a
demonstration, and is captured by EHA.4 and FA.5 paragraph 628(c).

• For a hazard analysis performed in line with modern RGP, a general expectation is
that for a hazard curve whose epistemic uncertainty§§§§ is defined by a normal
probability distribution, a good starting point is to consider the 84th percentile, ie
one standard deviation above the median. More commonly log-normal
distributions are used in which case an equivalent 84th percentile can be
determined, but in this case, the expectation is that this should be above the mean
value. This is generally the case except for highly skewed distributions.

• A number of further considerations should be borne in mind:

o The robustness of the underlying hazard derivation process is a consideration
in establishing whether the 84th percentile starting point is reasonable or not.
If the process is not fully in line with RGP, then a higher percentile, or
additional conservative assumptions in, say, the design or SSC capacity
analysis may be appropriate.

o With regard to the shape of the hazard curve (or more specifically whether it
steepens or shallows), if there is significant shallowing between the Annual
Frequencies of Exceedance (AFEs) of 10⁻⁴/yr and 10⁻⁵/yr, additional
conservatism in the design basis may be necessary, or for the converse
situation it may be acceptable to reduce the level of conservatism*****.

o The level of conservatism selected for a design basis should have regard to
the characteristics of the hazard analysis that underpins it, with particular
regard for the quality and quantity of data used. Where the quality of the
hazard analysis at and around the 10⁻⁴/yr level varies with, for example,
structural natural frequency in the case of a seismic design basis, or wave
height in the case of a sea level design basis, such uncertainties should be
reflected in the level of conservatism included in the design basis definition.

§§§§ For additional discussion on uncertainty in hazard analyses and the role of epistemic uncertainty in
particular, see Section 5.8.10.

• Where uncertainties in the hazard analysis are qualitative or otherwise implicit in
the assumptions used to quantify the hazard at a site, inspectors should seek a
demonstration that the design basis definition includes a reasonable allowance or
recognition of these uncertainties, such that it can be expected to represent a
genuinely conservative estimate of hazard severity. An example would be a
seismic design basis defined in terms of an enveloping response spectrum, where
there is clear quantitative conservative margin above the mean calculated site-
specific hazard challenge. If the mean hazard challenge is claimed to be
“conservative” based on non-quantified assumptions in the analysis procedure, the
inspector should confirm that such margins are, at least by good engineering
judgment, large enough to account for uncertainties in the hazard analysis,
quantitative and qualitative, so that the design basis can confidently be supported
as a conservative estimate of the hazard consistent with the expectations of
EHA.4.

The use of sensitivity studies (SAP AV.6) can assist in identifying the parameters
or analysis aspects on which a design basis is very dependent. Where these
parameters or issues are also associated with a high degree of uncertainty, this
can indicate where refined data collection, analysis, or even further research is
needed.

• For existing plant where it may be difficult for the Licensee to demonstrate that a
hazard design basis is conservative in line with the expectations of EHA.4 and
modern RGP, possibly because the hazard analysis predates a modern
interpretation of RGP, the inspector should confirm that there is conservative
margin in the plant’s capacity to resist the hazard. In such cases, inspectors
should expect Licensee safety cases to make clear that this is where the elements
of conservatism exist and provide a reasoned argument as to why the overall risk
is ALARP.
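
The expectation in paragraph 84 that a log-normal 84th percentile should lie above the mean can be checked directly. The following derivation is added here as an illustration and is not part of the original guide; the symbols $X$ (hazard severity at the chosen exceedance frequency), $m$ (its median) and $\beta$ (the standard deviation of $\ln X$) are notation assumed for the purpose.

$$\ln X \sim N(\ln m,\ \beta^{2}) \quad\Rightarrow\quad x_{50} = m, \qquad x_{84} \approx m\,e^{\beta}, \qquad \mathrm{E}[X] = m\,e^{\beta^{2}/2}$$

$$x_{84} > \mathrm{E}[X] \iff \beta > \tfrac{1}{2}\beta^{2} \iff \beta < 2$$

The 84th percentile (one logarithmic standard deviation above the median) therefore exceeds the mean whenever $\beta < 2$, and falls below it only for highly skewed distributions with $\beta \geq 2$. For instance, with $\beta = 0.6$ the 84th percentile is about $1.82\,m$ and the mean about $1.20\,m$.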

85. Deciding on an appropriate level of conservatism can depend on many factors,
including the shape of the hazard curve around the 10⁻⁴/yr point, the hazard severity at
which SSC failure or loss of safety function occurs, and the significance of the hazard
itself to nuclear safety. The overall aim of the SAPs generally should be borne in mind,
that the Licensee is expected to demonstrate that plant operations are such as to
reduce risks ALARP and that individual hazards do not contribute significantly to
overall plant risk (SAPs [5] paragraph 646). Inspectors should assure themselves that
the level of conservatism selected facilitates this demonstration.

***** The issue here is that the design basis is defined at a particular AFE of 10⁻⁴/yr and this provides a
surrogate of the hazard for design and deterministic analysis purposes. However, selecting a single
point to represent a hazard that is best described by a 2-dimensional curve is problematic. A more
rigorous way of choosing an appropriate design basis value should therefore consider both the severity
of the hazard challenge at this point AND the way the hazard curve varies around it. If the hazard curve
shallows quickly with decreasing values of AFE, then the hazard severity at say 10⁻⁵/yr, may not be
significantly more than at 10⁻⁴/yr and invite additional conservatism in the design basis definition.
Conversely, if the curve steepens then the hazard severity at 10⁻⁵/yr may be substantially more and
invite a less conservative design basis value.

The Use of Design Basis Analysis to Support Overall Risk Targets

86. The success criteria for DBA are set out in SAP FA.7. The Licensee should define a
protection concept that describes the barriers required to protect against EH design
basis events (with due consideration of BDB events and severe accidents). Further
guidance on the protection concept for natural hazards is provided by WENRA [14].
The intent is that following a design basis event and successful operation of the
protection and mitigation measures, none of the physical barriers to prevent the
escape of a significant quantity of radioactive material should be breached, there
should be no release of radioactivity and no person should receive a significant dose of
radiation, see SAP paragraph 635. SAP paragraph 637 clarifies that a significant
escape of radioactive material is defined by the Basic Safety Objectives quoted in SAP
Target 4.

87. In order to meet this objective, design bases are often used as design withstand
criteria for SSCs, for example sea walls, or the seismic withstand of major safety-
related SSCs. Where a particular design basis is not used directly as a SSC withstand
criterion, DBA should be used to define the necessary additional protection and
mitigation requirements to demonstrate DiD, segregation etc, sufficient to meet the
intent of Target 4.

88. The intent of DBA is that, used in conjunction with good engineering principles as
described in the SAPs (eg EKP.1 to EKP.3), it guides the development of a plant
design that can meet risk targets, or otherwise a design where risk has been reduced
ALARP. The criterion for discrete EHs whose design bases are defined at the mean
10⁻⁵/yr frequency††††† is judged to be consistent with this intent.

89. Similarly, the use of good engineering principles applied to protect and mitigate
conservatively defined non-discrete EH initiated faults down to the 10⁻⁴/yr exceedance
frequency value is likely to produce a plant that can meet the risk targets, with
balanced risks from different classes of initiating event (EHA.18 paragraph 246(d) and
SAP paragraph 749), and whose risks are reduced ALARP.

90. The following factors are taken into consideration in reaching this conclusion:

• The design basis is evaluated on a conservative rather than best estimate basis.

• Where the design basis is used as a hazard withstand design criterion there is a
margin available from design codes, for example. In earthquake hazard terms for
some structural forms, the design basis loading condition could be matched to the
so-called High Confidence Low Probability of Failure point of a SSC fragility curve.
This would normally result in a sizeable margin to loss of safety function defined
for example as the onset of inelastic behaviour, or structural collapse. A good
understanding of SSC SFRs and modes of failure is needed in this case, and
ONR’s expectation generally is that such failure modes will be gradual and
predictable, see for example SAP paragraph 345.

91. It is important that this assumption is verified by appropriate use of PSA or other
means (SAP FA.14 - use of PSA to inform the design process).

92. The design basis process should prevent EHs considered within the design basis from
initiating accidents that lead to core damage and fission product release for reactor
systems, or significant release for non-reactor systems. Natural hazards, however, are
described by hazard curves covering a wide range of frequencies, part of which
extends well below 10⁻⁴/yr, and therefore some consideration must also be given to
events at these very low frequencies. Such events may contribute significantly to
facility risk. For non-discrete hazards therefore, BDBA and PSA are very important and
often help to define the hazard severity at which plant failure occurs.

††††† This is generally interpreted as any fault down to a mean frequency of 10⁻⁵/yr. The SAPs will be
amended to clarify this point in future editions.

93. When the hazard analysis is complete and design basis events defined, the Licensee
should define relevant parameters to input to the plant / SSC design process or plant /
SSC withstand substantiation. This subject extends beyond the scope of this TAG, but
is discussed as appropriate within individual hazards appendices and annexes (see
also paragraph 18.).

5.5.2 Design bases for facilities with low unmitigated consequences

94. SAP paragraph 240 allows for consideration of a relaxation of the design basis criteria
for non-discrete hazards if the unmitigated potential consequence is low.

95. FA.5 and Target 4 define the frequency / consequence threshold where DBA is likely
to be proportionate to the radiological hazard or consequence potential. It is suggested
that the following guidelines provide the basis for definition of the EH design basis
event providing consistency between plant initiated faults and faults initiated by EHs.
These guidelines are illustrated in Figure 3.

96. For discrete EHs, SAP paragraph 628 (d) is considered applicable. That is, design
basis events should be defined for discrete EHs having an estimated frequency of
occurrence within the DBA region indicated on Figure 3.

97. For non-discrete EHs, the criteria in paragraphs a) to d) below are suggested for the
design basis hazard definition. In this case, DBA is expected to cover the region of the
hazard curve down to the frequency on the hazard curve described in paragraphs a) to
d) and illustrated on Figure 3. The DBA region for non-discrete hazards approximates
to that for plant faults and discrete EHs when the requirements for a conservatively
defined design basis event are taken into account (see paragraph 98.):

a) Facilities that could potentially give rise to unmitigated dose consequences greater
than 100mSv to any person off-site or 500mSv to a worker may have a design
basis event that conservatively has a predicted frequency of being exceeded no
more than 10⁻⁴/yr.

b) Facilities that could give rise to doses between 10mSv and 100mSv to any person
off-site or 200mSv to 500mSv to a worker may be designed against a design basis
event, defined on a sliding scale, that conservatively has a predicted frequency of
being exceeded from no more than 10⁻³/yr to no more than 10⁻⁴/yr.

c) Facilities that could give rise to doses between 1mSv and 10mSv to any person
off-site or 20mSv to 200mSv to a worker may be designed against a design basis
event, defined on a sliding scale, that conservatively has a predicted frequency of
being exceeded no more than 10⁻²/yr to no more than 10⁻³/yr. For some facilities,
the EH loads arising from application of normal industrial standards may provide
an appropriate design basis and compliance with Building Regulations may be
sufficient.

d) Facilities that cannot give rise to doses (evaluated on a conservative basis) as
high as 1mSv to any person off-site or 20mSv to a worker need not be subject to
formal DBA, provided this is justified and demonstrated. There should not be a
disproportionate increase in risk due to low consequence frequent hazards just
outside the design basis. The Licensee should therefore demonstrate that these
risks are ALARP.
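
The sliding scale in criteria a) to d) above can be worked through numerically. The Python below is an added example and is not part of the ONR guide: the function names are hypothetical, interpolation within a band is assumed to be linear in log(dose) against log(frequency), and the more onerous of the off-site and worker results is assumed to govern.

```python
import math

# Band edges taken from criteria a) to d): (unmitigated dose in mSv,
# design basis exceedance frequency per year, conservatively evaluated).
OFFSITE_KNOTS = [(1.0, 1e-2), (10.0, 1e-3), (100.0, 1e-4)]
WORKER_KNOTS = [(20.0, 1e-2), (200.0, 1e-3), (500.0, 1e-4)]


def band_frequency(dose_msv, knots):
    """Exceedance frequency (/yr) for one receptor, or None below band c).

    Assumption (not stated in the guide): the "sliding scale" is read as a
    straight line between band edges on log-log axes.
    """
    if dose_msv < 0:
        raise ValueError("dose must be non-negative")
    if dose_msv < knots[0][0]:
        return None  # criterion d): formal DBA not required for this receptor
    if dose_msv >= knots[-1][0]:
        return knots[-1][1]  # criterion a): 1e-4/yr applies at and above the top edge
    for (d0, f0), (d1, f1) in zip(knots, knots[1:]):
        if d0 <= dose_msv <= d1:
            t = (math.log10(dose_msv) - math.log10(d0)) / (
                math.log10(d1) - math.log10(d0)
            )
            return 10 ** (math.log10(f0) + t * (math.log10(f1) - math.log10(f0)))
    raise AssertionError("unreachable: knots cover the whole range")


def design_basis_afe(offsite_msv, worker_msv):
    """Design basis annual frequency of exceedance for a non-discrete EH.

    Returns None when both receptors fall under criterion d). Otherwise the
    lower (more onerous) of the two frequencies is returned; taking the more
    onerous receptor is an assumption of this example.
    """
    candidates = [
        f
        for f in (
            band_frequency(offsite_msv, OFFSITE_KNOTS),
            band_frequency(worker_msv, WORKER_KNOTS),
        )
        if f is not None
    ]
    return min(candidates) if candidates else None


if __name__ == "__main__":
    # Constructed sample facilities: (label, off-site mSv, worker mSv)
    samples = [
        ("high consequence", 150.0, 50.0),
        ("mid band, off-site governs", 31.6, 30.0),
        ("worker governs", 0.5, 200.0),
        ("below 1 mSv / 20 mSv", 0.5, 10.0),
    ]
    for label, offsite, worker in samples:
        afe = design_basis_afe(offsite, worker)
        shown = "no formal DBA (criterion d)" if afe is None else f"{afe:.2e} /yr"
        print(f"{label:28s} -> {shown}")
```

A result of None still leaves the expectation in criterion d) that the low-dose claim is justified and the residual risks are shown to be ALARP.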

98. The above criteria are overlaid onto Figure 3 (the dotted line). It can be seen that the
design basis event definition and effective DBA threshold for natural hazards appears
to be less onerous than that defined for fault analysis. This is not the case because the
Initiating Event Frequencies (IEFs) for plant / SSC initiated faults are evaluated on a
best estimate basis, whereas exceedance frequencies for non-discrete EHs should be
evaluated on a conservative basis to allow for data uncertainty. For the reasons
discussed above (paragraph 82. et seq), this is considered appropriate.

[Figure 3: plot of initiating event frequency (/yr, 10⁻² to 10⁻⁵) against unmitigated consequences (mSv; off-site 1, 10, 100; on-site 20, 200, 500), showing the PSA, DBA and SAA regions, Target 4 (BSL), and the indicative natural hazards design basis event definition (natural hazards conservative baseline).]

Figure 3 – Design basis criterion for external hazards

99. Figure 3 indicates the natural EH design basis definition, allowing for conservatism and
uncertainty. As noted in paragraph 78., ONR’s expectation is that the level of
conservatism should generally correspond to approximately one standard deviation
above the median. Since the uncertainty distribution is dependent on the particular
hazard in question and the return period, it is not possible to define precisely the
evaluated design basis region on Figure 3, and the design basis region should be
viewed as indicative. Inspectors should assess the basis upon which Licensees
consider their selection of non-discrete EH design bases to be conservative to ensure
it meets the intent set out in this section.


100. Whilst the approach detailed above is valid, care should be taken when reviewing
Licensee submissions, since for EHs the levels of uncertainty associated with defining
hazard severities can be large (and difficult to quantify). Efforts at extreme precision
should therefore be treated with caution, and the requirements of EHA.7 regarding cliff-
edge effects should also be considered. Alternative approaches based around the
DBA objectives laid out in SAP FA.7 could also be considered provided they can be
justified and the risks shown to be ALARP (see also SAP paragraph 599).

5.5.3 Beyond design basis analysis for external hazards

101. Consideration of plant response to EHs beyond the design basis has been an
established principle in the SAPs since 1992 and within some Licensees’
arrangements before then, but its origins date back to development work by the US
Nuclear Regulatory Commission (USNRC) in the 1980s, see [44]‡‡‡‡‡. The response to
this principle by UK Licensees has primarily concentrated on seismic vibratory hazard
and has generally taken the form of an enhanced design basis approach, either calling
on known conservative assumptions in the design process itself, or extending the
design basis hazard severity by a known (but somewhat arbitrarily defined) factor.

102. BDBA is not restricted to the subject of EHs. However, because some EHs are
characterised as non-discrete (in contrast to plant initiated faults for example), they will
necessarily have a BDB component to consider as the site challenge can be computed
down to very low frequencies (albeit with increasing levels of uncertainty), well below
the design basis frequency. Events in this range are more severe than the design
basis and are all BDB events.

103. The accident at Fukushima in 2011 has generally been interpreted, in terms of plant
response, as a BDB event§§§§§. It raised serious concerns over the operator’s
knowledge of how the plant would respond to such an event and the lack of adequate
protection in place to mitigate the deleterious effects of consequential plant failures.

104. Subsequently, the role of BDBA has attracted significant interest worldwide. Of
particular interest to the UK are recently published standards by IAEA and WENRA,
see Section 4; the WENRA standards are referred to below. Of direct relevance is a
new SAP, EHA.18, and associated text revisions in the 2014 edition of the SAPs [5].
This section provides an explanation of the regulatory expectations that ONR has
developed in response to this recent work.

105. It is generally accepted that two levels of BDB events are relevant to non-discrete
hazards, one of which is primarily concerned with the potential for cliff-edge plant
failures for events marginally above the design basis. The second concerns more
extreme events that could severely challenge plant safety functions across the site.

106. The purpose of BDBA is two-fold:

• To demonstrate that the plant design is robust to uncertainties in the definition of
EH design bases and the plant design that flows from them. Traditionally, this is
known as a cliff-edge analysis and is covered by principles EHA.18, EHA.7 and
associated paragraphs 246 (a) & 247. This is a success based analysis, where the
intent is to show that plant failure does not occur (Paragraphs 114. et seq).

• To demonstrate that for EH events significantly beyond the design basis, the
Licensee has an understanding of how nuclear safety significant plant / SSCs
respond, what failure modes can occur and how the ability of plant / SSCs and
operators to deliver safety functions is degraded. Principle EHA.18 applies
specifically with paragraphs 246 (b) & (e) and 248 (paragraphs 127. et seq).

‡‡‡‡‡ This work derives from the USNRC’s Severe Accident Program set up in the aftermath of the Three
Mile Island accident. A major programme of Independent Plant Examinations was undertaken at all
existing US sites. In tandem a specific programme of Independent Plant Examinations for External
Events was undertaken to cover EH specifically. Ref. [44] provides the learning from that programme.
Subsequently, USNRC has undertaken extensive post-Fukushima development work that effectively
extends the IPEEE work, including re-examination of seismic and flood protection arrangements. At the
time of writing the USNRC is proposing new rulemaking on the mitigation of BDB events.

§§§§§ Although expert opinion now generally agrees that the tsunami that occurred should have been
considered within the design basis and specifically designed against.

107. As noted in paragraph 92., the use of good engineering practice applied to protect and
mitigate conservatively defined non-discrete faults initiated down to the 10⁻⁴/yr
exceedance frequency value, is likely to provide a level of risk control that will satisfy
the SAP risk targets. However, because non-discrete EHs are described by hazard
curves covering a wide range of frequencies, parts of which extend well below 10⁻⁴/yr,
the BDB component may contribute significantly to facility risk. For non-discrete
hazards therefore, BDBA is important and can help to define the hazard severity at
which plant / SSC failure or loss of safety function occurs.

108. Where a design basis is established for a discrete EH and a hazard curve is not
defined, the possibility of an event more severe than the design basis may also need
consideration. This applies if the event initiation frequency is difficult to determine or if
the IEF is less than the design basis criterion. A possible approach to demonstrate
sufficient margin to loss of safety function for the former is to select one or more
hazard-specific loading values that are higher than the design basis event loads and
demonstrate that the safety functions are not endangered by these loads. The severity
of the loading values may be chosen to correspond to a safety margin that is
considered adequate. The use of a MCE for such analyses may also be useful, but
caution should be exercised if the selected MCE is very severe, since this might lead
to the conclusion that for such an event reasonably practicable plant improvements do
not exist. Selecting a more reasonable choice of BDB event may provide opportunities
for reasonably practicable plant improvements.

109. For the latter, where the hazard occurrence frequency is estimated to be below the
design basis criterion but above the EH screening criterion (Section 5.3.1) the fault
analysis guidance given in SAPs paragraph 609-610 is applicable. In this case it is
expected that assessment of the likely accident progression and potential
consequences should take place to allow consideration of reasonably practicable
means of protection or mitigation of the consequences such that the risks are ALARP
(see Section 5.6.2).

110. BDBA for hazards should:

• Identify plant / SSC vulnerabilities and potential measures to improve robustness.

• Demonstrate sufficient margin to avoid cliff-edge effects just beyond the design
basis (SAP EHA.7).

• For non-discrete hazards, identify the hazard level at which safety functions could
be lost, in other words determine the BDB margin.

• Provide an input to PSA to establish whether risk targets are met (see SAPs
paragraph 695 et seq).

• Ensure that safety is balanced so that no single class of hazard makes a
disproportionate contribution to overall risk (see also SAPs paragraph 749).

• Ensure that small changes to the design basis fault or event assumptions do not
lead to a disproportionate increase in radiological risk (SAP EHA.7).


111. It has previously been accepted that one satisfactory approach to the demonstration of
absence of a disproportionate increase in consequences is via an EHs PSA. This has
the merit of exploring the response of the plant to a wide range of hazard levels and is
accepted internationally as a reasonable approach for EHs, but inspectors should
exercise caution in their interpretation of the absolute risk values themselves.

112. WENRA [15] has provided guidance on BDBA; they define two levels of Design
Extension Conditions (DEC) that can be broadly mapped to the advice in this guidance
as follows******:

• DEC “A” for which prevention of severe fuel damage in the core or in the spent fuel
storage can be achieved. This is broadly equivalent to the expectations expressed
in SAPs EHA.18 (part) and EHA.7 (cliff-edge effects).

• DEC “B” with postulated severe fuel damage. This is broadly equivalent to the
expectations regarding SAA expressed in ONR SAPs EHA.18 (part), FA.15
(Scope of SAA) FA.16 (Use of SAA) and FA.26 (Relationship to DBA and PSA).

113. Further guidance on identification of reasonably practicable improvements with regard
to natural hazards is provided by WENRA in [14].

Cliff-edge analysis

114. The analysis of cliff edge effects should seek to provide confidence that the plant
design and its operation are robust in the face of uncertainties to design basis
definition and the plant design process, and that SFRs if degraded, do so in a
predictable and gradual manner. Events relating to cliff edge effects just beyond the
design basis are broadly consistent with a WENRA DEC “A” event.

115. The objective is to demonstrate that the design remains fit-for-purpose despite these
uncertainties and there is a high degree of confidence that it will be able to deliver
design basis safety functions as intended.

116. A feature of hazard induced faults is that the loss of safety function may be subject to
so called “cliff-edge” effects, where small changes in the hazard severity, facility
response (eg rapid onset of a failure mode or loss of a SFR), or DBA assumptions /
modelling parameters could lead to a disproportionate increase in radiological
consequence. EHA.7 introduces the need to demonstrate that there will not be a
disproportionate increase in radiological consequences from an appropriate range of
events that are more severe than the design basis event.

117. The way in which this principle is satisfied may depend on the nature of the hazard
being addressed. For some non-discrete hazards, a point will be reached where there
is a step change in the effect on the installation. In the case of external flooding, for
example, the site defences may become overtopped by still-water flood height. In such
cases, it needs to be shown that there is a reasonable margin between the design
basis flood level and the height at which this step change would occur.

118. For other hazards, such as earthquake, the forces acting on the facility will continue to
increase progressively with increasing size of event. A demonstration is needed that
there will not be a step change in the response of the installation to the hazard (eg
collapse of a floor or wall) for an appropriate range of events more severe than the
design basis event. The response of a structure to earthquake loads beyond the
design basis can be enhanced considerably by adopting a ductile structural form and
incorporating ductile detailing. This is a preferred method of demonstrating no
disproportionate increase in consequences for structures, unless structural collapse
can be argued as being of little consequence.

****** See Table 4: Existing Reactor R T6.1, T6.2, T6.3 & New NPP Designs Position 6, Analysis
Considerations.

119. The accurate identification of critical failure modes and their nature (eg ductile or non-
ductile) is helpful since this can aid the identification of the actual threshold of failure.

120. In respect of safety related equipment, loss of safety function should not, where
practicable, lead to another fault condition, ie equipment should be designed, where
practicable, to fail safe following an EH.

121. Licensees should demonstrate the absence of cliff-edges, associated with both the
hazard severity and plant response. There should be a demonstrable margin between
the design basis and the loss of the design basis safety function that reflects the
known uncertainties in both hazard analysis and plant response analysis. This is
considered to represent good engineering practice.

122. The advice of SAPs ECE.2, ECE.6 and supporting paragraphs, in particular, are
relevant to the analysis of BDB response of civil structures.

123. Special considerations for non-discrete hazards: Where hazards are characterised by
a hazard curve, as noted in paragraph 28., hazard severity can increase significantly
beyond the design basis. To avoid cliff-edges therefore, it is important to establish that
the hazard varies gradually around the design basis frequency, and that the plant
response does not suddenly change in this region, say due to brittle structural failure or
still water overtopping of a flood barrier.

124. For non-discrete hazards the analysis of BDB events cannot generally be divorced
from consideration of the exceedance frequency of the events considered. ONR
considers that if a single BDB event is selected for the BDBA, a reasonable starting
position is to consider the 10⁻⁵/yr event (assuming this is more severe than the design
basis), and to examine whether the design basis defined conservatively (alone or in
combination with other design aspects such as response spectral damping ratios),
envelopes the mean 10⁻⁵/yr event on the hazard curve. Note that the design basis
hazard value may well be very much greater than the site-specific hazard analysis
value, implying a large in-built margin to the design basis hazard definition. Licensees
may wish to use this directly to support claims of absence of cliff edges.

125. Historically some Licensees have employed a 40% increase on the design basis for
BDBA of seismic vibratory hazard, coupled with removal of some of the inherent
conservatisms in the DBA, as a surrogate to represent no disproportionate increase in
risk. ONR has never considered that a pre-assigned numerical margin provides an
adequate response to the intent of EHA.7, without justification on a case-by-case
basis, and it is unlikely to meet the expectations of the SAPs more generally as a sole
response to the issue of BDBA, except possibly for low radiological hazard facilities.

126. Special considerations for discrete hazards: As noted in paragraph 108., discrete EHs
are free of the complications arising from hazard curves. It may be appropriate to
postulate an event of increased severity such that the design basis can be tested in
light of the uncertainties involved in both the design basis definition and the associated
plant design process, to ensure that safety functions can still be reliably delivered.

More severe beyond design basis events

127. The analysis for this higher level of BDB event applies inevitably to non-discrete
hazards because the site challenge can be computed in terms of a hazard curve that
extends to very low frequencies, consistent with those considered in SAA. It is also
applicable for discrete EHs having an estimated occurrence frequency below the
design basis criterion, but which cannot be screened out. The IEF itself can be
numerically similar to risk targets defined in the SAPs. At these severe hazard levels, if
conditional plant / SSC failure probability is close to unity (ie loss of safety functions
definitely occurs), such EH events may contribute significantly to overall plant risks.
These events are consistent with WENRA DEC “B” events.

128. It is anticipated that the analysis of the response of nuclear safety plant to EH events
in this region will be captured by an EH PSA, see Section 5.6. A further consideration is the need to
identify plant and SSC damage states arising from very severe EH events for input to
the SAA (Section 5.7) if these differ from those identified for other reasons. In this
regard, particular attention should be given to the potential for widespread common
cause effects and the likely islanding of the site from off-site services and supplies.
This latter effect should also be considered in developing the site’s emergency
arrangements, see Section 5.9.

129. The BDBA should, so far as reasonably practicable, identify the most resilient means
of ensuring that fundamental safety functions are maintained, and estimate the hazard
values at which loss of safety functions occur.

5.6 Probabilistic Safety Analysis for External Hazards

130. EHs PSA supports the DBA by quantifying the frequencies with which radiation doses
to both public and workers from EH faults could occur. This enables direct comparison
with risk targets SAP NT1 etc and provides quantitative support that for the design, risk
has been reduced to ALARP. As discussed in paragraph 91., EHs PSA can be used to
support the selected design basis definitions for non-discrete EHs (10⁻⁴ annual
probability of exceedance) as being sufficiently conservative (also see paragraph 98.
and Figure 3). Finally, the EH PSA can contribute to the wider PSA calculations to
show that a balanced design has been achieved such that reasonably practicable
protection is provided across all hazard and fault types (SAP paragraph 749).

131. PSA generally is covered by comprehensive guidance in NS-TAST-GD-030 [45],
including the expectation that such analyses include EHs initiated faults. There is
specific guidance on seismic hazard PSA but not on other hazards. This reflects the
greater maturity within the world-wide nuclear industry on undertaking seismic PSAs.
PSAs on meteorological and coastal flood hazards are less mature.

132. For major nuclear hazards plant, the expectation is that a Level 1 and 2 PSA will be
undertaken and this is reflected in the UK’s response to the Fukushima event as
Recommendation FR.4, [46]††††††. Note that if a Level 3 PSA is performed, extreme
environmental conditions may affect the transport of fission products and also
expectations regarding countermeasures. These possibilities should also be borne in
mind when interpreting the Level 2 PSA results.

133. For new facilities, it is anticipated that a PSA would include specific consideration of
EHs as initiating events (FA.14). Fragility data tends to be expressed as mean (best
estimate) SFR capability or withstands rather than conservatively as for deterministic
purposes, or the uncertainties are fully quantified as a probability distribution. However,
any withstand data should be developed from the same base information, subject to
relevant scale factors and uncertainties.

134. For existing facilities, the need for EH PSA also exists; however, in the UK, Licensees
have adopted a pragmatic approach based on a qualitative appreciation of the EH
risks. The expectation of a quantified analysis of EH risks even for existing major
nuclear hazards facilities has been promulgated by post Fukushima recommendations,
as noted in paragraph 132.

†††††† A major research project is currently underway in response to lessons arising from the Fukushima
event relevant to PSA, called Advanced Safety Assessment Methodologies: Extended PSA
(ASAMPSA-E). It is funded by a consortium of regulators, utilities and contractor organisations across
Europe, to develop EHs PSA methodology. This project has recently published progress in several
areas. For more details, see http://asampsa.eu/deliverables-library/.

135. Development of fragilities against EHs is a potentially complex and time consuming
process, with large levels of uncertainty associated with it. Following completion of the
PSA, it is suggested that the results are interrogated and the relative importance of
plant, structures and equipment extracted. This will give an indication of those areas
where the inspector should focus his attention. Care should be taken in the use of
generic fragility data, especially when applied to bespoke SSCs or items of high
importance to safety.

136. As noted above, non-discrete EHs are characterised by a hazard curve extending well
below the design basis point. The risk potential of the hazard is likely to be adequately
controlled down to the design basis frequency, and the significant risk will likely be
attributable to BDB frequencies. Therefore, PSA is necessary to characterise the risk
from non-discrete EHs, ensuring the risks are ALARP and a balanced plant design is
achieved.
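
The checks described in paragraphs 124 and 136, worked through numerically as an added example that is not part of the ONR guide: a hazard curve is interpolated to compare a design basis severity with the mean 10⁻⁵/yr event, then convolved with a fragility curve to split the failure frequency into within-design-basis and BDB parts. The hazard curve points, the lognormal fragility form and its median and beta values are constructed assumptions, as are all function names.

```python
import math

# Constructed mean hazard curve for a non-discrete hazard:
# (severity, annual frequency of exceedance). Severity units are arbitrary
# (read them as peak ground acceleration in g for a seismic case).
HAZARD_CURVE = [
    (0.05, 1e-2), (0.10, 1e-3), (0.20, 1e-4),
    (0.35, 1e-5), (0.55, 1e-6), (0.80, 1e-7),
]


def _loglog(x, x1, y1, x2, y2):
    """Interpolate y at x along a straight line in log-log space."""
    t = (math.log(x) - math.log(x1)) / (math.log(x2) - math.log(x1))
    return math.exp(math.log(y1) + t * (math.log(y2) - math.log(y1)))


def severity_at(freq, curve=HAZARD_CURVE):
    """Severity exceeded with annual frequency `freq`."""
    for (s1, f1), (s2, f2) in zip(curve, curve[1:]):
        if f2 <= freq <= f1:
            return _loglog(freq, f1, s1, f2, s2)
    raise ValueError("frequency outside the tabulated hazard curve")


def exceedance_at(sev, curve=HAZARD_CURVE):
    """Annual frequency with which severity `sev` is exceeded."""
    for (s1, f1), (s2, f2) in zip(curve, curve[1:]):
        if s1 <= sev <= s2:
            return _loglog(sev, s1, f1, s2, f2)
    raise ValueError("severity outside the tabulated hazard curve")


def fragility(sev, median, beta):
    """Assumed lognormal fragility: conditional failure probability at `sev`."""
    z = math.log(sev / median) / beta
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))


def envelopes_mean_event(design_sev, freq=1e-5, curve=HAZARD_CURVE):
    """True if the design basis severity envelopes the mean `freq` event."""
    return design_sev >= severity_at(freq, curve)


def failure_frequency_split(db_freq, median, beta, curve=HAZARD_CURVE, steps=2000):
    """Convolve the hazard curve with the fragility curve.

    Returns (within, beyond): annual failure frequency from events up to the
    severity at the design basis frequency, and from more severe events.
    Events milder than the first tabulated point are ignored.
    """
    db_sev = severity_at(db_freq, curve)
    lo, hi = curve[0][0], curve[-1][0]
    within = beyond = 0.0
    a = lo
    for i in range(1, steps + 1):
        b = min(lo * (hi / lo) ** (i / steps), hi)  # log-spaced bin edge
        occurrence = exceedance_at(a, curve) - exceedance_at(b, curve)
        mid = math.sqrt(a * b)
        contribution = occurrence * fragility(mid, median, beta)
        if mid <= db_sev:
            within += contribution
        else:
            beyond += contribution
        a = b
    # Events more severe than the last tabulated point: assume certain failure.
    beyond += curve[-1][1]
    return within, beyond


if __name__ == "__main__":
    w, b = failure_frequency_split(1e-4, median=0.5, beta=0.4)
    print(f"severity at 1e-4/yr: {severity_at(1e-4):.2f}")
    print(f"severity at 1e-5/yr: {severity_at(1e-5):.2f}")
    print(f"design basis 0.25 envelopes 1e-5/yr event: {envelopes_mean_event(0.25)}")
    print(f"failure frequency within design basis: {w:.2e}/yr")
    print(f"failure frequency beyond design basis: {b:.2e}/yr")
```

With these constructed inputs most of the computed failure frequency comes from events more severe than the 10⁻⁴/yr severity, which is the behaviour paragraph 136 describes.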

5.7 Severe Accident Analysis for External Hazards

137. Severe accidents are those where a postulated or unforeseen plant fault sequence has
left the nuclear facility in a degraded state (FA.15 & SAPs paragraph 610 and TAG 7
[47]) where significant nuclear safety functions have been severely challenged and the
intent of DBA expressed in FA.7 has not been met.

138. The potential for EH events to lead to severe accidents should be considered by the
Licensee. As noted in paragraph 127., severe accidents are most likely to apply to
non-discrete EHs; TAG 7 classifies severe accidents and the class most likely to apply
is “high consequence event of low frequency beyond the design basis”, see [47]
Section 5.2. The purpose of this (best estimate) analysis is to identify reasonably
practicable provisions that can be implemented for the prevention and / or mitigation of
severe accidents. Where severe accidents are postulated, the analysis should identify
reasonably practicable provisions to mitigate their consequences. In judging the
adequacy of safety cases, inspectors should especially consider the effects of very low
frequency events from non-discrete hazards, eg seismic events in the exceedance
frequency range 10⁻⁵/yr – 10⁻⁷/yr. If these can credibly lead to severe accident plant
states, they should be considered as part of the SAA. Further detailed analysis of an
event will not be necessary if it is shown that its occurrence can be considered with a
high degree of confidence to be extremely unlikely.

139. A particular aspect of EHs is that in addition to being a potential initiator of an accident
state, the hazard may also affect the consequences in terms of fission product
transportation (eg weather or flood conditions) and also the implementation of the
emergency preparedness arrangements.

140. A further important consideration is that natural EHs are significant common cause
fault initiators, and will also be expected to severely affect off-site areas.

5.8 Special Considerations Relevant to Safety Analysis of External Hazards

5.8.1 Combinations of external hazards

141. Licensees should take into account combinations of EHs that could reasonably be
expected to occur at a given site. Combinations of hazards should be identified and
considered as part of DBA, PSA and SAA.

142. Licensees should follow a systematic process to identify and categorise hazard
combinations and should then screen those hazards on the basis of plant effects and
occurrence frequency.

Identification

143. The identification of combinations of EHs should start with the unscreened list of
individual EHs. The unscreened list should be used because individual hazards that
have been screened out based on plant effect may still have a significant impact in
combination with another hazard.

144. A matrix approach is often used to list and identify hazard combinations. A helpful
cross-correlation matrix has been included in a recent report by a European Union
funded project called ASAMPSA_E, as part of developing a revised EHs PSA
methodology [48].

145. The use of a matrix is beneficial, but care should be taken in its application. Applying a
2-dimensional matrix alone is not sufficient as a 2-dimensional matrix only considers
the combination of two hazards and can cause groups of more than two hazards in
combination to be overlooked. An example of a combination of three or more hazards
that should be considered is the combination of high tide, storm surge and waves.
However, consideration of every possible combination of three or more hazards is
likely to be an onerous task. A reasonable approach would be to apply a 2-dimensional
matrix and then supplement this with expert judgment to ensure that reasonably
foreseeable combinations of more than two hazards are considered. Inspectors should
assure themselves that where expert judgment has been used to identify multiple
hazard combinations, it has been used in a systematic manner as part of the
identification process, to ensure that all credible combinations have been identified, so
far as is reasonably practicable.

146. A possible approach taken by one Licensee to assist in avoiding missing important
combinations was to identify the most significant hazards first, seeking potential
combinations with those of equal and lesser significance. In this way the intent was to
present a cascade of possible combinations with those likely to be most significant
being identified early on.

147. Combinations of hazards is an area of current research. One example of a research
project that is on-going at the time of writing is being conducted by Lancaster
University to create “storm hazard curves.” Inspectors should look for evidence that
Licensees have reviewed such research as is available at the time of the safety
analysis, periodic safety review etc, to establish the state of RGP applying to hazard
combinations.

148. Further guidance specifically on combinations of hazards is available from the
following sources: [14], [48], [49] & [50].

Categorisation

149. The EH combination analysis requires an understanding of the types of hazard
combinations that exist. An illustrative categorisation scheme has been developed in
Section 5.2 (specifically paragraph 64.) as a way of logically relating different EHs one
to another; this could be adapted to the needs of a hazard combination analysis.
Recent work reported in [48] proposes a similar categorisation scheme.

150. The following combination effects should be considered:

• One or more hazards that affect the plant and occur as the result of a separate
event that also affects the plant. For example, an earthquake that causes a
tsunami.

• One or more hazards that affect the plant in the same time-frame due to
persistence or similar causal factors. For example, meteorological conditions such
as storms intrinsically involve the combination of several phenomena such as
rainfall, wind, and storm surge.

• One or more hazards may exacerbate other hazards. For example freezing
conditions, drought or persistent rain can affect drainage conditions during
subsequent rainfall.

• One or more sequential hazards that affect the plant. Hazard combinations can be
important when they occur sequentially, as the following example illustrates.
Consider the case where wind hazard causes damage to building cladding, part of
whose safety function is to provide a weather envelope to keep rainwater from
entering the building. Any rainfall occurring during the period before the cladding is
repaired and the safety function is restored will gain entry to the building and the
potential for internal flooding is heightened.

• Realistic combinations of randomly occurring independent events affecting the
plant simultaneously. For instance, there is no causal link between earthquake and
outside air temperature, and it would be overly conservative to consider extremes
of these EHs (ie frequencies of 10⁻⁴ per year or lower) occurring together.
However, the choice of certain parameters requires an assumption to be made
about air temperatures. Consideration should be given to the effects of a
combination of a design basis earthquake and an appropriate low or high air
temperature value consistent with those found in normal design codes, or that
might constitute the most onerous normal operational state of the plant, see
Section 5.8.3 et seq.

Screening

151. A complete consideration of all possible combinations would be an extremely onerous
task and is not necessary, since only those that pose a significant risk to nuclear safety
are needed to analyse the safety of plant. Therefore, an appropriate screening
methodology should be applied. Although there is no international consensus on a
screening methodology to apply, ONR considers it reasonable at this time to employ a
similar methodology to that applied for screening individual EHs.

152. Combinations can be screened out if they do not pose a significant risk to the plant, or
if the consequences of the combination do not exceed the consequences of one of the
elements of the combination. Combinations of hazards can potentially affect plant and
SSCs in different ways. Some combinations can affect plant by undermining the
diversity of systems – for example, an earthquake that causes loss of off-site power
(LOOP) combined with a tsunami that causes loss of battery power supply, as was the
case for the Fukushima Dai-ichi event. Other combinations of hazards can affect a
single system via the production of an additional load. An example of this would be an
extreme snow load on the roof of a building that must also resist loading from an
extreme wind event. The requirements for segregation, redundancy, separation and
diversity should be considered in light of both of these effects. If the widespread effect
of a combination has the potential to undermine the diversity strategy of the plant, then
this should be taken into account when considering whether or not to screen that
particular combination in to the safety analysis.

153. Many combinations can be screened out based on low frequency. This is likely to be
the case for the majority of coincidental hazards. When considering screening on the
basis of low frequency, both the duration of the hazards and the time to repair SSCs
should be taken into account.

154. An example set of screening criteria, taken from [49], is given in Table 6.


155. In addition to combinations of extremes, all EHs should be considered in combination
with normal engineered load combinations. For example a wind load with an
annualised frequency consistent with conventional building codes would be
reasonable. Further, this should be combined with the worst normal operational plant
state, see Section 5.8.2 et seq.

156. Inspectors should ensure that Licensees have developed a systematic method of
screening that is consistent with a categorisation scheme that identifies individual EHs,
captures the inter-relationship between those EHs and consequential effects that are
significant to nuclear safety for their site. If a matrix approach has been used to identify
potential combinations of hazards, the matrix could then be reviewed against the
categorisation scheme.

Development of Design Bases and other safety analysis inputs for screened in EH
combinations

157. Once combinations have been identified, categorised, and screened, they provide
input for the next stage of safety analysis via the fault schedule, as well as providing
input into the PSA. The goal is to arrive at a plant that meets the risk targets and for
which risks are reduced ALARP. There are very few hard-and-fast rules that form RGP
at this time. Guidance to inspectors is as follows:

• Correlated and secondary hazards: These are hazards that have a tendency to
occur in combination. Licensees should analyse these combinations to
establish credible individual hazard severities to be used as combined design
bases for DBA. This could include at worst, assuming the full design basis level
for each individual hazard simultaneously, or deriving a combination effect that
collectively meets the design basis criteria in Section 5.5.1; eg wave and tide
combinations are routinely analysed to develop a composite 10⁻⁴/yr design
basis sea level.

• Coincidental hazards: These are random combinations and for these inspectors
should ensure that a pragmatic and reasonably conservative approach has
been taken by Licensees. For example, seismic hazard may be combined with
a wind hazard that might reasonably be expected during the life of the site,
typically covered by conventional building codes eg Eurocodes such as [51] at
2x10⁻²/yr (1/50yr). Combinations with other weather hazards should similarly be
justified on a pragmatic basis. Inspectors should ensure that significant
departure from this guidance is justified to ensure that the resulting safety
analysis demonstrates that risk is ALARP.

158. For all types of hazard combinations, it is the duration of the consequential effects of
each hazard that needs to be considered, rather than the duration of the hazard itself.
For example, a seismic event may last just a few tens of seconds, but the overall effect
on the plant could last several days or weeks. If a severe rainfall event were to occur
before damage from the seismic event had been repaired, the consequences of the
rainfall event could be more significant. This needs to be taken into account in the
safety analysis (see also correlated hazards at paragraph 157. above).
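
The identification and frequency-screening steps of paragraphs 143 to 158, as an added example that is not part of the ONR guide: pairs are enumerated from the unscreened hazard list, a triple that a 2-dimensional matrix cannot express is added by expert judgement, and coincidental pairs are screened on coincidence frequency using either the duration of the hazard or the duration of its consequential effects. The hazard data, the correlated-pair matrix and the screening frequency are constructed assumptions, and screening on plant effects is not modelled.

```python
from itertools import combinations

DAYS_PER_YEAR = 365.25
SCREEN_FREQ = 1e-7  # assumed screening frequency per year, for illustration only

# Constructed, unscreened hazard list. For each hazard: annual frequency of the
# severity of interest, duration of the hazard itself, and duration of its
# consequential effects on the plant (including time to repair), in days.
HAZARDS = {
    "seismic":     {"freq": 1e-4, "event_days": 0.001, "effect_days": 60.0},
    "rainfall":    {"freq": 1e-1, "event_days": 1.0,   "effect_days": 2.0},
    "wind":        {"freq": 2e-2, "event_days": 1.0,   "effect_days": 30.0},
    "storm_surge": {"freq": 1e-2, "event_days": 0.5,   "effect_days": 5.0},
    "waves":       {"freq": 1e-2, "event_days": 0.5,   "effect_days": 5.0},
    "high_tide":   {"freq": 1e-1, "event_days": 0.25,  "effect_days": 0.25},
}

# Constructed matrix entries: pairs with a causal or common-cause link.
CORRELATED = {
    frozenset(("wind", "rainfall")),
    frozenset(("wind", "storm_surge")),
    frozenset(("wind", "waves")),
    frozenset(("storm_surge", "waves")),
}

# Groups of more than two hazards that a pairwise matrix cannot express,
# added by expert judgement (this triple is the one named in paragraph 145).
EXPERT_GROUPS = [("high_tide", "storm_surge", "waves")]


def candidate_pairs():
    """Every pair from the unscreened list, as a 2-dimensional matrix gives."""
    return list(combinations(sorted(HAZARDS), 2))


def coincidence_frequency(a, b, duration_key):
    """Annual frequency with which two independent hazards overlap.

    Rare-event approximation f_a * f_b * (d_a + d_b), durations in years;
    valid only while frequency times duration is much less than one.
    """
    ha, hb = HAZARDS[a], HAZARDS[b]
    overlap_years = (ha[duration_key] + hb[duration_key]) / DAYS_PER_YEAR
    return ha["freq"] * hb["freq"] * overlap_years


def screen(duration_key="effect_days", threshold=SCREEN_FREQ):
    """Return (retained, screened_out) combinations on frequency grounds."""
    retained, screened_out = [], []
    for pair in candidate_pairs():
        if frozenset(pair) in CORRELATED:
            # Not independent, so the frequency product does not apply.
            retained.append(pair)
        elif coincidence_frequency(pair[0], pair[1], duration_key) >= threshold:
            retained.append(pair)
        else:
            screened_out.append(pair)
    retained.extend(EXPERT_GROUPS)
    return retained, screened_out


if __name__ == "__main__":
    for key in ("event_days", "effect_days"):
        kept, dropped = screen(key)
        f = coincidence_frequency("seismic", "rainfall", key)
        print(f"{key}: seismic+rainfall {f:.2e}/yr, "
              f"{len(kept)} retained, {len(dropped)} screened out")
```

Using the hazard duration alone screens out the seismic and rainfall pair in this constructed data set, while using the duration of the consequential effects retains it.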

5.8.2 Combining external hazards with normal design loads

159. It is appropriate to assume best estimate live loadings apply with design basis wind or
seismic hazard loads. Judgment may be required as to whether a "normal" snow load
should apply with a wind loading etc, or whether wind is likely to remove all but the
hardest snow crust. Discretion may be applied to the application of normal wind load
with design basis seismic load. The effects are likely to be additive over at least part of
a structure, so consideration as to an appropriate wind load may be required.
However, inclusion of multiple wind directions considerably increases the number of
seismic load cases, and the combined results make comprehension of the seismic
behaviour more obscure. There may also be a wide range of "normal" (non-EH)
loadings that might apply at any single time, such as crane position or load etc, and in
these the assumed combination should be such that all "normal" cases are shown to
be enveloped. However, the intent of SAP paragraph 631 should be borne in mind, in
particular that the “normal” loads assumed should be the most onerous consistent with
those allowed within Operating Rules established under LC23, but where each load in
the combination is considered on a best estimate basis, or consistent with RGP.

160. Where a wide range of “normal” loads exists or they combine in many ways,
distinguishing the most appropriate combinations from a nuclear safety perspective
can be difficult. In such cases, the use of sensitivity analysis can be helpful in
identifying the likely most onerous “normal” load cases for use in the DBA.

161. A difficulty regarding the use of design codes for EH design basis loads is that loads
due to normal operations will be those that relevant codes would expect as part of the
design process. In the case of the nuclear design basis for EHs, the exceedance
frequency of 10^-4/yr may not be considered “normal”. Inspectors should confirm that
Licensees are not using unreasonably low factors of safety, less than unity for
example, on the assumption that the occurrence of a design basis event is an
exceptional event, or an accidental loading.

162. Sometimes a "time at risk" (SAP paragraph 759 et seq including NT2) argument is
proposed to limit the scope of combined load cases. Care should be taken for example
to ensure that short duration, but high risk operations are not automatically accepted
on a time at risk basis, without a thorough investigation into the options for reducing
the risk. T/AST/005 - ONR Guidance on the Demonstration of ALARP [6] provides
further guidance.

5.8.3 Operating conditions

163. The inspector should ensure that a reasonable combination of other relevant loads
(including fault loads where appropriate) is assumed to apply simultaneously with the
hazard of interest, see EHA.5. For plant operating loads, temperature, pressure,
availability etc, these should be taken as the extremes of the operating envelope,
which should be reflected in the limits placed in the Operating Rules or Technical
Specifications. Sensitivity studies may also be necessary to ensure that the chosen
values and combinations are conservative.

164. Natural hazards should also be considered potentially coincident with anticipated
operational occurrences, eg equipment outages or minimum manning levels, and
design basis accident conditions. However, as with un-correlated EHs, consideration
should be given to the combined likelihood of non-causally linked occurrences to avoid
undue conservatism.

5.8.4 Application of this guide to multi-facility sites

165. Many EHs such as wind, temperature, flooding and earthquake, have the potential to
challenge all facilities on a single site simultaneously. Furthermore, EHs may threaten
neighbouring installations that in turn threaten the plant under consideration. For
chemical plants and some Ministry of Defence related facilities the total risk targets
from SAP Target 3 are often divided among the facilities on the site in an approximate
way. Licensees may operate in such a way that the hazards presented to one facility
by others, especially if their purpose and processes are completely separate, may be
treated as EHs, yet simultaneously treated as internal hazards or internal plant faults in
the “other” facilities. For example, explosion from gaseous release from one plant may
be treated as an internal hazard in this plant, but an EH in a separate adjacent plant on
the same site.

166. Caution should be exercised if the SAP paragraph 241 approach for a less severe
hazard definition (as suggested in Section 5.5.2 above) is adopted for a multi-facility
site. In such cases, a cross-site summary of risk should be undertaken, eg in a high
level site safety case, in addition to the individual facility safety cases, (T/AST/051 -
Guidance on the Purpose, Scope and Content of Nuclear Safety Cases [52]) and
paragraphs 42-43 of the SAPs should also be taken into account.

167. The IAEA offers guidance on the safety analysis applied to multi-unit reactor sites.
Inspectors should consider IAEA SSR 2/1 [22] and especially Requirement 17
paragraph 5.15B reference to common cause effects, and Requirement 33 reference
to DECs, covered here as BDBA.

168. It should be noted that the GDA process is based on the assessment of a single
reactor unit. During the site licensing and subsequent construction permissioning
assessments, due account should be taken of the deployment of multiple units.

169. The overall analysis (DBA, BDBA, PSA and SAA) should consider the use of common
equipment or services and demonstrate that sufficient resources remain available.

5.8.5 Application of this guide to existing sites and facilities

170. This TAG and supporting annexes implicitly assume (unless explicitly stated) that the
site consists of plant containing significant nuclear hazard and is of modern design. In
these cases, this guidance, where relevant, should be rigorously applied by inspectors.
As stated in the SAPs paragraphs 31-33, the safety standards used in the design and
construction of older plants may differ from those used in more recently built facilities.
Whilst some hazards may not have been considered fully in the original design of
plants, in the re-evaluation under periodic safety reviews, they should be treated as an
integral part of the safety demonstration.

171. This may mean that for some older facilities it may be difficult to accommodate the
loading associated with a 10^-4/yr event. SAP paragraph 33 provides the following
guidance: “For facilities designed and constructed to earlier standards, the issue of
whether suitable and sufficient measures are available to satisfy the ALARP principle
will need to be judged case by case.”

172. In these cases, it is necessary, firstly, to ensure that the risk arising from the hazard is
tolerable, and secondly to determine whether sufficient work is being done by the
Licensee to both ensure and demonstrate that the risk is ALARP. In reaching this
judgment the inspector should take into account the projected future life of the facility,
including the time needed to decommission the facility. In general, the longer the
period for which the plant is needed, the stronger is the case for it to comply with
modern standards. Further guidance on the ALARP principle can be found in
T/AST/005 - ONR Guidance on the Demonstration of ALARP [6].

173. In terms of EHs, inspectors should consider the following factors when judging the
extent to which this guidance applies:

• Design basis – Whilst it may not be practicable for older plant to accommodate the
needs of a design basis defined in accordance with EH.4, inspectors should
ensure that the design basis selected provides sufficient challenge to the plant to
ensure that important fault sequences have been identified and mitigated to the
extent needed to ensure risk is ALARP.

• Need for PSA and SAA – Many older facilities, even high nuclear hazard facilities,
either do not have, or have only simplistic, EHs PSA and SAA analyses. Inspectors
should adopt a pragmatic approach in these cases and keep in mind that such
analyses are there to support the demonstration that risks are ALARP and that
appropriate emergency arrangements and severe accident mitigation measures
are available.

174. It may be difficult to demonstrate that an older facility has an adequate balanced
design in risk terms. Inspectors should consider this aspect on a case-by-case basis,
and seek a response from Licensees that is proportionate.

5.8.6 Application of this guide to new sites

175. As stated above, this TAG and supporting annexes implicitly assume (unless explicitly
stated) that the site consists of plant containing significant nuclear hazard and is of
modern design. In these cases, this guidance, where relevant, should be rigorously
applied by inspectors. For new sites, ONR expectations are that the full application of
RGP is reasonably practicable.

Generic Design Assessment

176. New reactors intended for construction in the UK undergo GDA, which is a pre-
licensing process that provides RPs with the opportunity to demonstrate at an early
stage that the design is capable of meeting the legal requirements of the UK. It also
facilitates a robust ONR assessment of the proposed design. During GDA, the
intended site for the new reactor development may not yet be known, or there may be
several candidate new build sites. Therefore, RPs usually define a “Generic Site” with
characteristics typical of the UK. These characteristics should, as far as possible,
envelop or bound the characteristics of known potential sites in the UK so that reactors
of the proposed type could potentially be built at a number of suitable locations‡‡‡‡‡‡.
Further information on GDA is available in the document “Guidance to Requesting
Parties” [11]. For GDA, the EHs inspector should:

• Assess the scope of the GSE and its applicability to the UK context.

• Ensure that the RP has applied a robust process to ensure that the design meets
modern standards in accordance with RGP for EHs.

• Ensure that the RP has identified potential vulnerabilities of the design to EHs and
examined the possibility of cliff-edge effects.

• Assess the generic Pre-Construction Safety Report (PCSR) chapters relevant to
EHs.

177. The expectation is that RPs will define a generic design for GDA, including a GSE
complete with a range of EH design basis definitions. However, an RP may pursue the
development of a site-specific design, or the subsequent Licensee may modify an
existing generic design to take advantage of, say, a particular site-specific hazard
challenge that is substantially lower than initial generic assumptions, offering
commercial advantages. Under these situations, the inspector should be confident that
site-specific design basis hazard definitions remain consistent with the expectations of
SAP EHA.4.

178. The inspector should also liaise with other specialist inspectors to ensure that
interfaces are taken into account; refer to paragraph 34 and Table 3. This is
particularly important when considering consequential hazards, where appropriate
expertise may lie in other disciplines, such as internal hazards, civil engineering, or
mechanical engineering.

New Reactor Licensing and Construction

‡‡‡‡‡‡ This envelope is referred to in paragraph 21 et seq and Figure 2 as the Generic Site Envelope
(GSE).

179. Assessment of EHs for New Reactor Licensing and Construction is an iterative
process. One of the major milestones in the process is the assessment to support
licence granting. Other milestones and hold points will be decided as part of the
project.

180. New Reactor Site Licensing: During site licensing, the focus is on site suitability and
future Licensees’ capability. Before granting a site licence, a Site Licence Applicant
(SLA) needs to demonstrate to ONR’s satisfaction that a particular site is suitable to
support safe nuclear operations. One of the main site suitability aspects that needs to
be demonstrated is that the nuclear facility will have robust defences against a range
of EHs. This is underpinned by SAP ST.4 and paragraph 131, which state:

"The suitability of the site to support safe nuclear operations should be assessed
prior to granting a new site licence. Such attention will normally focus on external
hazards and civil engineering issues. These should consider the potential
vulnerability of the site to external hazards and the extent to which construction of
new facilities can be safely accomplished."

181. The SLA should show that the site-specific EHs challenge is bounded by the GDA
envelope. Hazards having little or no margin between the GDA GSE and the site
challenge will need to be justified. Hazards not included within the GDA assessment
will need to be listed, quantified and their effects on nuclear safety analysed. A
statement on how these will be protected against will need to be made.

182. The SLA should also, as part of its licence application, set out a strategy for producing
adequate site-specific safety submissions.

183. New Reactor Construction: As part of the assessment process leading up to new
reactor construction, the EHs inspector should assess the following aspects of the
Licensee’s safety case. This will consist of the site-specific safety submission, normally
a PCSR, and underpinning technical reports on a sampling basis. The production of
site-specific safety submissions takes place in stages in accordance with
arrangements made against the LCs; see Section 3 for aspects relevant to EHs. The
inspector should be satisfied as to the adequacy of the following aspects of the safety
case:

• Identification and screening of EHs
• EHs DBA
• Design basis fault analysis
• Design basis claims
• BDBA claims
• EHs PSA and risk ALARP claims
• EHs SAA and emergency arrangements
• Closure of GDA findings related to EHs

184. Inspectors should be aware that experience has indicated the time between the GDA
project for a new reactor design and subsequent construction activities can be in the
order of 10 years or more – longer than the normal period between periodic safety
reviews required of operating sites under LC15. The definition of RGP adopted during
the GDA project may have changed in this time, potentially leading to the site-specific
safety case(s) being out-of-date by the time they are approved for use. Inspectors
should ensure Licensees address any such shortfalls in a pragmatic and proportionate
way so that such safety cases remain adequate and fit-for-purpose for the facility at the
point of start of operations.

5.8.7 Single failure criterion

185. The single failure criterion, SAP EDR.4, states:

• During any normally permissible state of plant or SSC availability, no single
random failure, assumed to occur anywhere within the systems provided to secure
a safety function, should prevent the performance of that safety function.

186. The single failure criterion is usually considered in relation to plant initiated faults
where the plant fault leads directly to a requirement for a safety system to operate in
order to restore, or provide a safety function. The safety system, which will probably
contain active components§§§§§§, should be single random failure tolerant. The failure is
random in the sense that the initial plant fault does not affect the safety system
reliability.

187. The single failure criterion is not normally a key issue in the context of EHs
assessment, but its applicability may be somewhat more complex than that for internal
plant faults. There are two basic ways in which protection may be provided against
EHs. Most commonly, protection is provided by virtue of structural or equipment
withstand capability against the EH. In other cases however, equipment may not be
resilient to the hazard and protection may be provided by back-up equipment. The two
cases are discussed below.

Protection by Structure or Equipment Withstand Capability

188. Where the primary protection against an EH is by virtue of the withstand capability of a
structure not involving active components (often referred to as massive and passive)
the application of the single failure criterion is generally not applicable (eg a sea wall to
protect against coastal flooding). The reliability of a structure or system is likely to be a
function of the hazard severity (often characterised by a fragility function). If the
structure / system does involve active components (although this is not common), the
safety function should still be single failure tolerant. In this case single random failure
(applied as appropriate to the active components) should be assumed to occur over
and above any failures relating to the hazard impact. The inspector is advised to liaise
with fault studies specialist inspectors to clarify the application of the single failure
criterion to systems consisting of passive structures with active components.

189. Some barriers (eg flood barriers) will have openings for operational reasons and a high
reliability of these is usually required. However, it is not usually practicable to apply the
single failure criterion to these in the sense that there need to be two openings in
series (like an air-lock with interlocks).

190. Where massive and passive structures are employed, the concept of single random
failure is not applicable. It is not reasonable to assume a massive or passive structure
may randomly fail in such a way that the safety function is lost. There may be a
possibility of a design shortfall or manufacture / material deficiency, but that is not a
random failure in the sense of the single failure criterion as it is a function of the hazard
impact. Such vulnerabilities should be accounted for in the assessment of the
structural reliability / fragility. Such considerations are not generally the preserve of
EHs specialists, instead reference should be made to the civil engineering discipline.

§§§§§§ An active component is one that must be energised to perform its safety function. Electrical and
mechanical components are typical examples.

Protection by Provision of Back-up Equipment

191. In some cases the single failure criterion applies to EHs in a similar way to that of
internal plant faults. Here an EH may cause a failure of a duty system and protection
against the hazard is secured through the deployment of a back-up system. For
example, electrical supplies could be vulnerable to flooding, and a back-up diesel
generator system may provide essential power supplies. The diesel generator group
would be expected to be single-failure tolerant*******. The concept of “random” failure is
not so straightforward if the hazard can also affect the reliability of the back-up
system. In principle though, the single failure criterion is still applicable as the back-up
system is likely to have active components that could be vulnerable to random failure.
As discussed above (see paragraph 188 in relation to withstand capability) the
inspector is advised to liaise with fault studies specialist inspectors to check that single
failure fault tolerance and system reliability claims are appropriate.

5.8.8 Reliability, redundancy, diversity and segregation

192. In assessing safety systems claimed to mitigate the effects of EHs, the inspector
should have due regard to SAPs EDR.1, 2 and 3. EHs may particularly give rise to
common mode or common cause failures. Good design against EHs makes use of
redundancy, diversity and segregation to mitigate the effects of common mode and
common cause effects. Inspectors should seek evidence of these features in new
facilities and seek a proportionate approach to the implementation of such features
through modification of existing facilities.

5.8.9 Sources of data for the analysis of natural external hazards

193. For many EHs the available data is sparse and requires specialist interpretation to
facilitate a probabilistic treatment; SAPs EHA.2, AV.3 and AV.7 provide high level
guidance on data collection and use. Although the SAPs intend both deterministic and
probabilistic EH initiated plant safety analyses to be undertaken, the deterministic
approach usually depends on a probabilistic definition of hazard loading, in other
words 10^-4 annual frequency of exceedance for most natural EHs, see Section 5.5.1
and especially paragraphs 82 - 85. Current RGP in respect of available data for
natural hazards is covered in detail in Annexes 1 – 3 and the Expert Panel papers that
support them.

194. For natural hazards, quantitative data is largely dependent on the availability of
instrumentally derived records. For seismic vibratory motion these are available in the
UK from about the 1980s; for meteorological hazards they are available from the
1950s for most areas of the UK; for coastal flooding, benefit can be taken from the long
history of naval activity in UK coastal waters, but even here good scientific quality data
is only available for the last 100 years or so. Short datasets like these can take
advantage of sophisticated statistical methods to estimate hazard parameter values
down to statistical frequencies of 10^-4/yr and lower, but only with significant
uncertainty†††††††. In these cases, the way uncertainty is handled becomes an important
and sometimes dominating part in the overall hazard analysis.

******* This could be achieved by having a system consisting of DGs from diverse suppliers and located in
segregated locations.

††††††† A parameter dataset of N years’ duration can be used to estimate parameter values over longer
return periods (lower frequencies). This represents an extrapolation of the dataset and typically uses a
statistical technique called extreme value analysis. There is debate over the degree of extrapolation that
is reasonable, ranging from a (dataset duration) / (return period) ratio no less than 10%, to no less than
70%. The ratio typically applying to natural hazards when defining design basis hazard severity values
is of order 1% or less. This manifests itself in an increased uncertainty range associated with a specific
hazard value.

195. For seismic hazards, it is considered RGP to investigate instrumental data (dataset
duration of a few decades), historical data from cultural records (a few hundred years
depending on site location) and geological data (millennia). Instrumental data have the
best quality, but the short duration over which they have been collected makes their
use of limited value. Geological data, on the other hand, cover the required timescales
and are scientifically derived, but tend to be mainly qualitative and descriptive. The
most important data source for seismic vibratory hazard is the historical data derived
from cultural records such as newspaper accounts and church records. The quality of
such records is limited, but careful processing can deliver useful quantitative data on
the location, size and timing of historical earthquake events.

196. Meteorological and coastal flood hazard analyses have not typically, to date, made
similar detailed use of cultural records, so in this regard, the techniques developed for
seismic hazard analysis are much more mature than those used for other natural
hazards. There are opportunities for greater use of both historical and geologically
derived data in meteorological and coastal flood hazard analyses and this is an area of
active research at this time.

197. Inspectors should seek to assure themselves that Licensees have taken advantage of
all reasonable sources of data. For major hazards sites, inspectors should confirm that
Licensees have made an attempt to research all available relevant data sources,
consistent with the nuclear hazard potential from the site.

5.8.10 Addressing uncertainty in the analysis of natural external hazards

198. SAP EHA.1 calls for an effective process to identify and characterise all EH (and
internal hazards) that could affect the safety of a facility; SAPs AV.1 – AV.4 and AV.6
provide guidance collectively on the adequacy of site / plant models, calculation
methods, data and the uncertainties that surround them. The design basis criterion for
natural EHs (EHA.4) corresponds to a hazard severity having an annual exceedance
probability (or exceedance frequency), conservatively evaluated, of 10^-4. Furthermore
SAP EHA.19 (screening) calls for an analysis of less frequent hazards than those
associated with the design basis, which could also affect nuclear safety. The
evaluation of hazard severities corresponding to such extreme probabilities is
particularly problematic for natural hazards due to a lack of suitable data, and also due
to an incomplete understanding of the underlying physical processes. These limitations
mean that there is significant uncertainty involved in hazard analysis.

199. Two types of uncertainty are quite widely used in general scientific literature:

• Aleatory variability (stochastic or irreducible uncertainty) – natural variability of the
process under consideration.

• Epistemic uncertainty – lack of knowledge of a physical process (data and
modelling).

200. Classifying uncertainty in this way may be seen as a convenient way of disentangling a
complex uncertainty problem into elements that can be treated analytically in different
ways.

• Aleatory variability is best understood as the normal statistical variability of data
and is the uncertainty that is represented by the probability density functions
describing the physical parameters entering the hazard analysis.

• Epistemic uncertainty covers those additional elements of the uncertainty problem
that account for lack of, or incomplete, knowledge of the physical processes or
relevant data. This normally results in a number of hazard curves each at a
different confidence level.

201. Generally, in determining the frequency of natural hazards, an extreme value analysis
with a probability distribution such as the Gumbel, Frechet or Weibull is used. These
techniques rely on extrapolating data from a limited number of years to predict hazards
having return periods typically of 10,000 years or more (exceedance frequencies <10^-4/yr).
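
The extrapolation described in paragraph 201, as an added Python example that is not part of the ONR guide: it fits a Gumbel distribution to a short record of annual maxima by the method of moments and uses a parametric bootstrap to compare the 90% interval of the estimate at 2x10^-2/yr with that at 10^-4/yr. The 60-year record is constructed, and the seeds, units and function names are assumptions made for this illustration.

```python
"""Gumbel extreme value analysis of a short annual-maxima record (constructed data)."""
import math
import random
import statistics

EULER_GAMMA = 0.5772156649015329


def fit_gumbel_moments(annual_maxima):
    """Method-of-moments Gumbel fit; returns (location, scale)."""
    scale = statistics.stdev(annual_maxima) * math.sqrt(6.0) / math.pi
    location = statistics.fmean(annual_maxima) - EULER_GAMMA * scale
    return location, scale


def return_level(location, scale, annual_exceedance_prob):
    """Severity whose annual probability of exceedance is the given value."""
    return location - scale * math.log(-math.log(1.0 - annual_exceedance_prob))


def gumbel_sample(location, scale, n_years, rng):
    """Draw n_years synthetic annual maxima by inverse-CDF sampling."""
    sample = []
    for _ in range(n_years):
        u = min(max(rng.random(), 1e-12), 1.0 - 1e-12)  # keep both logs finite
        sample.append(location - scale * math.log(-math.log(u)))
    return sample


def extrapolation_ratio(n_years, annual_exceedance_prob):
    """(dataset duration) / (return period) for the requested frequency."""
    return n_years * annual_exceedance_prob


def bootstrap_interval(annual_maxima, annual_exceedance_prob,
                       n_boot=2000, seed=1, lower=0.05, upper=0.95):
    """Parametric bootstrap: resample from the fitted Gumbel, refit, re-extrapolate.

    This captures only sampling variability of the fit. It says nothing about
    whether the Gumbel form itself is right at extreme severities.
    """
    rng = random.Random(seed)
    location, scale = fit_gumbel_moments(annual_maxima)
    levels = []
    for _ in range(n_boot):
        resample = gumbel_sample(location, scale, len(annual_maxima), rng)
        levels.append(return_level(*fit_gumbel_moments(resample),
                                   annual_exceedance_prob))
    levels.sort()
    return levels[round(lower * (n_boot - 1))], levels[round(upper * (n_boot - 1))]


def summarise(annual_maxima, probs=(2e-2, 1e-4)):
    """Point estimate, 90% interval and extrapolation ratio for each frequency."""
    location, scale = fit_gumbel_moments(annual_maxima)
    rows = []
    for p in probs:
        low, high = bootstrap_interval(annual_maxima, p)
        rows.append({
            "aep": p,
            "ratio": extrapolation_ratio(len(annual_maxima), p),
            "estimate": return_level(location, scale, p),
            "low": low,
            "high": high,
        })
    return rows


# Constructed record: 60 synthetic annual maximum gust speeds (m/s), not site data.
CONSTRUCTED_MAXIMA = gumbel_sample(30.0, 4.0, 60, random.Random(2022))

if __name__ == "__main__":
    for row in summarise(CONSTRUCTED_MAXIMA):
        print(f"AEP {row['aep']:.0e}: ratio {row['ratio']:.1%}, "
              f"estimate {row['estimate']:.1f} m/s, "
              f"90% interval {row['low']:.1f} to {row['high']:.1f} m/s")
```

The interval reported here reflects only the scatter of the fitted parameters; the choice of distribution and the assumption that moderate and extreme events share the same physical drivers sit outside it.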

202. For natural hazards especially, EVA is often used to extrapolate limited data to very
low frequencies and the potential exists for such extrapolations to be physically
unrealistic. Inspectors should seek assurance that Licensees have sought to calibrate
any EVA predictions against physically plausible modelling, as far as is reasonably
practicable. More details of these methods can be found in Annex 2 [2] (meteorological
hazards) and the supporting Expert Panel paper [8].

203. Such assessment may be considered to address both aleatory and epistemic
uncertainty. However, some elements of epistemic uncertainty may not be captured in
this process. For example, the meteorological processes driving moderate events in
the dataset may not be entirely the same as those relevant to extreme events, yet a
statistical extrapolation implicitly assumes that they are. Secondly, the statistical
method selected may be one from a range of equally plausible methods, where the
analyst has made a judgment as to which to use, based on criteria (such as
experience) that do not form a visible part of the analysis itself.

204. For meteorological hazards, climate change is also a major source of uncertainty.
Although there is a near-universal consensus among scientists that the climate is
changing due to anthropogenic activities, there is a high level of uncertainty
surrounding the changes that can be expected. This uncertainty is due to natural
variability in the climate, incomplete understanding of climatic processes (eg positive
and negative feedback loops) and the inability to model them perfectly, and uncertainty
surrounding future anthropogenic caused emissions [53]. This applies over the lifetime
of the facility including decommissioning. One solution is to take the “managed
adaptive approach”, ensuring adaptability is built into the design (eg flood defences).
Uncertainty due to climate change may be considered largely epistemic in nature, but
RGP currently does not characterise the nature of the uncertainty as being aleatory or
epistemic.

205. The quantification of uncertainty in seismic vibratory hazard analysis takes a
substantially different approach; this is done in order to capture formally the use of
expert judgment in the hazard analysis. Since expert judgment is used in all EH
analyses, this approach is considered to have merit beyond its application to seismic
vibratory hazard analysis, and so the more detailed discussions of this aspect in Annex
1 [1] and the supporting Expert Panel paper [7] are brought forward and summarised
here.

206. Current RGP in uncertainty analysis for seismic hazard has been developed by the
United States Nuclear Regulatory Commission (USNRC) and is known as the Senior
Seismic Hazard Analysis Committee (SSHAC) approach where the aleatory variability
and epistemic uncertainty are treated separately and then combined to produce the
final analysis. The SSHAC approach [54] was developed because in the 1980s
different seismic hazard analysis teams in the US calculated equally valid, but
substantially different hazard values for the same sites in the central and eastern
US‡‡‡‡‡‡‡. The SSHAC developed an approach to epistemic uncertainty analysis that is
now considered to be RGP by the worldwide seismic hazard technical community. The
SSHAC explains that the goal of a good epistemic uncertainty analysis is:

“… to represent the center, the body, and the range [of hazard values] that the
larger informed technical community would have if they were to conduct the study”

‡‡‡‡‡‡‡ This occurred because of the differing methods used to capture knowledge related uncertainty in
their hazard analyses. One approach to solving this problem would be to insist that each hazard
analysis team had on board sufficient expertise to cover every credible interpretation of data and
methodology. The SSHAC approach recognises that this is not practical and sought to develop an
approach to epistemic uncertainty that, if followed faithfully, would yield similar results, whatever the
composition of the team, so long as it contained a representative set of experts.

207. The aleatory variability analysis invokes a series of traditional probability density
functions to describe the random variables that contribute to the hazard severity; the
output is a seismic hazard curve giving hazard severity against frequency of
exceedance. The epistemic uncertainty analysis identifies for these parameters a
range of possible calculation techniques, maximum / minimum values etc, that together
are seen to capture the extent of knowledge that applies to each parameter. These
aspects are typically captured in a logic tree and expressed in the hazard definition as
confidence levels. This gives the analyst the flexibility to take account of, for example,
uncertainty estimates derived from expert elicitation techniques.
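
How a logic tree turns alternative interpretations into confidence levels, as an added Python example that is not part of the ONR guide or of the SSHAC documentation. Each end branch carries a simplified power-law hazard curve standing in for a full aleatory calculation; the node names, alternative values and weights are constructed for this illustration.

```python
"""Logic-tree treatment of epistemic uncertainty (constructed, simplified)."""
import itertools
import math

REF_FREQ = 1e-3  # annual exceedance frequency at which each branch is anchored

# Constructed logic tree: every node lists (alternative value, weight).
LOGIC_TREE = {
    "severity_at_ref_freq_g": [(0.04, 0.3), (0.05, 0.5), (0.07, 0.2)],
    "hazard_curve_slope": [(2.0, 0.4), (3.0, 0.6)],
}


def end_branches(tree):
    """Enumerate every path through the tree with its combined weight."""
    names = list(tree)
    branches = []
    for combo in itertools.product(*(tree[name] for name in names)):
        params = {name: value for name, (value, _) in zip(names, combo)}
        weight = math.prod(w for _, w in combo)
        branches.append((params, weight))
    return branches


def branch_frequency(params, severity):
    """Hazard curve of one branch: a power law through its anchor point.

    Assumption for illustration only; a real analysis integrates over
    seismic sources and ground-motion variability to obtain this curve.
    """
    ratio = severity / params["severity_at_ref_freq_g"]
    return REF_FREQ * ratio ** (-params["hazard_curve_slope"])


def branch_severity(params, frequency):
    """Inverse of branch_frequency: severity at a given exceedance frequency."""
    exponent = 1.0 / params["hazard_curve_slope"]
    return params["severity_at_ref_freq_g"] * (REF_FREQ / frequency) ** exponent


def fractile_severity(branches, frequency, confidence):
    """Smallest severity with at least `confidence` of branch weight at or below it."""
    ranked = sorted((branch_severity(p, frequency), w) for p, w in branches)
    cumulative = 0.0
    for severity, weight in ranked:
        cumulative += weight
        if cumulative >= confidence:
            return severity
    return ranked[-1][0]


def mean_hazard_frequency(branches, severity):
    """Weighted mean of the branch exceedance frequencies at one severity."""
    return sum(w * branch_frequency(p, severity) for p, w in branches)


def mean_hazard_severity(branches, frequency, low=1e-3, high=10.0):
    """Severity at which the mean hazard curve crosses `frequency` (log bisection)."""
    for _ in range(200):
        mid = math.sqrt(low * high)
        if mean_hazard_frequency(branches, mid) > frequency:
            low = mid   # hazard still too frequent here, move to higher severity
        else:
            high = mid
    return math.sqrt(low * high)


if __name__ == "__main__":
    branches = end_branches(LOGIC_TREE)
    for level in (0.16, 0.50, 0.84):
        print(f"{level:.0%} confidence: "
              f"{fractile_severity(branches, 1e-4, level):.3f} g at 1e-4/yr")
    print(f"mean hazard: {mean_hazard_severity(branches, 1e-4):.3f} g at 1e-4/yr")
```

With these constructed weights the mean-hazard severity lies above the median, because the mean of the branch frequencies is pulled up by the higher-hazard branches.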

208. The inspector should note that whilst SSHAC is seen as RGP, Licensees may opt for
an alternative methodology that provides an equivalent level of plant / site safety. The
rigour of the process selected should be shown to be proportionate to the nuclear
hazard present. For more details consult Annex 1 [1] and the supporting Expert Panel
paper [7].

209. Meteorological and coastal flood hazard analyses (as noted above) make
sophisticated use of statistical techniques to estimate uncertainty associated with
hazard parameter values, but generally do not make a distinction between aleatory
and epistemic uncertainties, and do not at this time attempt to incorporate epistemic
uncertainty explicitly into their hazard analyses. However, the incorporation of
epistemic uncertainty into coastal flood hazard analyses has recently been trialled by
the USNRC [55].

210. The inspector should ensure that the methods adopted for uncertainty analysis are
reasonable, consistent with appropriate RGP, and also that the results are not
sensitive to specific assumptions, or, if they are, that this is well understood and does
not undermine the overall safety analysis. A specific range of sensitivity studies should
be considered; ERL.1 provides further guidance.

5.8.11 Climate change

211. It is generally accepted by the informed technical community that climate change is
being largely driven by anthropogenic activities and will affect both current and future
climate and associated weather. This in turn is expected to result in a gradual rise in
sea levels because of the anticipated warming associated with climate change and
associated melting of global ice-sheets, although there is much debate amongst the
informed technical community about how much and when. Consequently, inspectors
should be aware that climate change predictions are associated with substantial
uncertainty, see paragraph 204.

212. Due to the typical operating lifetime of a nuclear site (of the order >100 years),
changes to meteorological and coastal flooding hazards as a result of climate change
could be significant. Further details are provided in Annexes 2 [2] and 3 [3].

5.9 Emergency Preparedness

213. SAP AM.1 provides an overview of the requirements for emergency preparedness.
The potential effects of EHs should have been considered as part of the hazard
identification and analysis process, as discussed elsewhere in Section 5, and used to
inform the site’s emergency plan and arrangements under LC11. There are often
specific requirements for EHs, which the inspector should be aware of. Typically, these
include:

• Availability of long-term weather forecasting and storm forecasts, and a process
for obtaining these data.

• Availability of equipment to prevent flood water access into buildings, use of
damboards etc.

• Availability of access routes onto / off site for essential equipment if local flood /
wind damage excludes normal routes.

• Availability of emergency equipment to repair damaged systems following a
severe EH.

• Availability of staff and workers that can be called upon in response to bad
weather warnings to complete any necessary hazard mitigation actions, before the
weather deteriorates to a level where worker safety becomes an issue.

• Protection of emergency control centres and access points and associated
equipment against EHs. Hardened access / escape routes in case of building
collapse etc.

• Requirement of a facility to maintain a degree of self-reliance during and following
EHs that affect the surrounding regions as well as the site. Typically, we would
expect a site to remain self-sufficient for a period of 72 hours.

• On-site instrumentation to provide input to Operating Rules relating to use of
facilities in given circumstances, eg anemometers.

214. The claims made against operator actions during and following severe EHs should be
reviewed carefully from a practical standpoint and, wherever possible, limited to a
small number through the use of automatic systems and fail safe devices.

5.10 Post External Hazards Event Operations

215. An EH event may occur which causes some degree of damage to a facility, but which
does not render the plant outside of its current safety case for that particular hazard.
The plant, however, may have a reduced capability to accommodate the effects of
other hazards until such times as repairs have been undertaken. Licensees should
have in place systems to rapidly assess any damage caused by EHs, assess any
potential undermining of any safety case claims and, if necessary, undertake repairs in
a timescale appropriate to the increase in risk posed. If repairs cannot be made
readily, then mitigation strategies should be developed to reduce the residual risk to
ALARP. At all times, however, the plant / SSCs must be operated within the conditions
of its Operating Rules. This is discussed further in paragraph 44.(i).

216. Examples of such events are earthquake events greater than the OBE, and the
occurrence of weather that may limit the Licensee’s ability to undertake normal
operations external to the plant.

6 REFERENCES

[1] ONR, “NS-TAST-GD-013 Annex 1, Rev.1: Seismic Hazards,” 2018.
[2] ONR, “NS-TAST-GD-013 Annex 2, Rev.1: Meteorological Hazards,” 2018.
[3] ONR, “NS-TAST-GD-013 Annex 3, Rev.1: Coastal Flood Hazards,” 2018.
[4] ONR, “NS-TAST-GD-013 Annex 4, Rev.1: Accidental Aircraft Crash Hazard,”
2018.
[5] ONR, “Safety Assessment Principles for Nuclear Facilities, 2014 Edition, Rev 0,”
November 2014, www.onr.org.uk/saps/saps2014.pdf.
[6] ONR, “NS-TAST-GD-005, Rev. 8, Nuclear Safety Technical Assessment Guide:
Guidance on the demonstration of ALARP (As Low As Reasonably
Practicable),” July 2017, www.onr.org.uk/operational/tech_asst_guides/ns-tast-
gd-005.pdf.
[7] ONR Expert Panel on Natural Hazards, “Analysis of Seismic Hazards for
Nuclear Sites,” Expert Panel Paper No: GEN-SH-EP-2016-1, 2018.
[8] ONR Expert Panel on Natural Hazards, “Analysis of Meteorological Hazards for
Nuclear Sites,” Expert Panel Paper No: GEN-MCFH-EP-2017-1, 2018.
[9] ONR Expert Panel on Natural Hazards, “Analysis of Coastal Flood Hazards for
Nuclear Sites,” Expert Panel Paper No: GEN-MCFH-EP-2017-2, 2018.
[10] ONR, “Security Assessment Principles for the Civil Nuclear Industry, 2017
Edition Version 0,”
http://vbtlap112/webdrawer/webdrawer.dll/webdrawer/rec/6418219/view/ONR%20CNS%20-%20Policy%20-%20Security%20Assessment%20Principles%20Signed%20PDF%20-%20Rev%200%20-%20March%202017.PDF.
[11] ONR, “ONR-GDA-GD-001, Rev. 3, Nuclear Safety Technical Assessment
Guide: New nuclear reactors: Generic Design Assessment Guidance to
Requesting Parties,” September 2016, www.onr.org.uk/new-reactors/ngn03.pdf.
[12] ONR, “NS-TAST-GD-014, Rev. 4, Nuclear Safety Technical Assessment Guide:
Internal Hazards,” September 2014.
[13] ONR, “NS-TAST-GD-035, Rev. 4, Nuclear Safety Technical Assessment Guide:
Limits and Conditions for Nuclear Safety (Operating Rules),” August 2014,
www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-035.pdf.
[14] WENRA RHWG, “Guidance Document Issue T: Natural Hazards Head
Document - Guidance for the WENRA Safety Reference Levels for Natural
Hazards Introduced as Lessons Learned from TEPCO Fukushima Dai-ichi
Accident,” 21 April 2015.
[15] WENRA RHWG, “Safety Reference Levels for Existing Reactors,” September
2014.
[16] WENRA RHWG, “Safety of New NPP Designs,” March 2013.
[17] WENRA RHWG, “Guidance Document Issue T: Natural Hazards - Guidance on
Extreme Weather Conditions,” 11 October 2016.
[18] WENRA RHWG, “Guidance Document Issue T: Natural Hazards - Guidance on
External Flooding,” 11 October 2016.
[19] WENRA RHWG, “Guidance Document Issue T: Natural Hazards - Guidance on
Seismic Events,” 11 October 2016.
[20] WENRA WGWD, “Waste and Spent Fuel Storage Safety Reference Levels,”
Version 2.2, April 2014.
[21] WENRA WGWD, “Decommissioning Safety Reference Levels,” Version 2.2,
April 2015.
[22] IAEA, “SSR-2/1, Rev. 1, Safety of Nuclear Power Plants: Design,” 2016, www-
pub.iaea.org/MTCD/publications/PDF/Pub1715web-46541668.pdf.
[23] IAEA, “NS-R-3, Rev. 1, Site Evaluation for Nuclear Installations,” 2016, www-
pub.iaea.org/MTCD/publications/PDF/Pub1709web-84170892.pdf.
[24] IAEA, “The Fukushima Daiichi Accident, Report by the Director General,” 2016,
www-pub.iaea.org/books/IAEABooks/10962/The-Fukushima-Daiichi-Accident.
[25] IAEA, “Safety Guide No. NS-G-1.6, Seismic Design and Qualification for
Nuclear Power Plants,” 2003,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1158_web.pdf.
[26] IAEA, “Safety Guide No. NS-G-2.13, Evaluation of Seismic Safety for Existing
Nuclear Installations,” 2009,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1379_web.pdf.
[27] IAEA, “Specific Safety Guide No. SSG-9, Seismic Hazards in Site Evaluation for
Nuclear Installations,” 2010,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1448_web.pdf.
[28] IAEA, “Specific Safety Guide No. SSG-18, Meteorological and Hydrological
Hazards in Site Evaluation for Nuclear Installations,” 2011,
www-pub.iaea.org/MTCD/publications/PDF/Pub1506_web.pdf.
[29] IAEA, “TECDOC-1791, Considerations on the Application of the IAEA Safety
Requirements for the Design of Nuclear Power Plants,” 2016,
https://www-pub.iaea.org/MTCD/Publications/PDF/TE-1791_web.pdf.
[30] IAEA, “TECDOC 1834, Assessment of Vulnerabilities of Operating Nuclear
Power Plants to Extreme External Events,” 2017,
https://www-pub.iaea.org/MTCD/Publications/PDF/TE1834_web.pdf.
[31] IAEA, “Specific Safety Guide No. SSG-35, Site Survey and Site Selection for
Nuclear Installations,” 2015,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1690Web-41934783.pdf.
[32] IAEA, “Safety Report Series No. 85: Ground Motion Simulation Based on Fault
Rupture Modelling for Seismic Hazard Assessment in Site Evaluation for
Nuclear Installations,” 2015,
www-pub.iaea.org/books/IAEABooks/10832/Ground-Motion-Simulation-Based-
on-Fault-Rupture-Modelling-for-Seismic-Hazard-Assessment-in-Site-Evaluation-
for-Nuclear-Installations.
[33] IAEA, “Safety Report Series No. 89: Diffuse Seismicity in Seismic Hazard
Assessment for Site Evaluation of Nuclear Installations,” 2016, www-
pub.iaea.org/books/iaeabooks/10916/Diffuse-Seismicity-in-Seismic-Hazard-
Assessment-for-Site-Evaluation-of-Nuclear-Installations.
[34] IAEA, “TECDOC 1767: The Contribution of Palaeoseismology to Seismic
Hazard Assessment in Site Evaluation for Nuclear Installations,” 2015, www-
pub.iaea.org/books/IAEABooks/10887/The-Contribution-of-Palaeoseismology-
to-Seismic-Hazard-Assessment-in-Site-Evaluation-for-Nuclear-Installations.
[35] IAEA, “TECDOC 1796: Seismic Hazard Assessment in Site Evaluation for
Nuclear Installations: Ground Motion Prediction Equations and Site Response,”
2016, www-pub.iaea.org/books/iaeabooks/11067/Seismic-Hazard-Assessment-
in-Site-Evaluation-for-Nuclear-Installations-Ground-Motion-Prediction-
Equations-and-Site-Response.
[36] IAEA, “TECDOC 1795: Volcanic Hazard Assessments for Nuclear Installations:
Methods and Examples in Site Evaluation,” 2016,
www-pub.iaea.org/books/iaeabooks/11063/Volcanic-Hazard-Assessments-for-
Nuclear-Installations-Methods-and-Examples-in-Site-Evaluation.
[37] IAEA, “Specific Safety Guide No. SSG-21, Volcanic Hazards for Site Evaluation
for Nuclear Installations,” 2012,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1552_web.pdf.
[38] IAEA, “Safety Report Series No. 86, Safety Aspects of Nuclear Power Plants in
Human Induced External Events: General Considerations,” 2017,
www-pub.iaea.org/MTCD/Publications/PDF/P1721_web.pdf.
[39] IAEA, “Safety Report Series No. 87, Safety Aspects of Nuclear Power Plants in
Human Induced External Events: Assessment of Structures,” 2018,
https://www-pub.iaea.org/MTCD/Publications/PDF/PUB1769_web.pdf.
[40] IAEA, “Safety Report Series No. 88, Safety Aspects of Nuclear Power Plants in
Human Induced External Events: Margin Assessment,” 2017, www-
pub.iaea.org/MTCD/Publications/PDF/P1723_web.pdf.
[41] IAEA, “Safety Guide No. NS-G-3.1, External Human Induced Events in Site
Evaluation for Nuclear Power Plants,” 2002,
www-pub.iaea.org/MTCD/Publications/PDF/Pub1126_scr.pdf.
[42] ONR, “The Identification Selection and Significance of External Hazards to
Nuclear Sites,” 2013, (2013/143209).
[43] IAEA, “NS-G-1.5, External Events Excluding Earthquakes in the Design of
Nuclear Power Plants,” 2003,
www-pub.iaea.org/MTCD/publications/PDF/Pub1159_web.pdf.
[44] USNRC, “Perspectives Gained From the Individual Plant Examination of
External Events (IPEEE) Program - Final Report, NUREG-1742, Vols. 1 & 2,”
April 2002, www.nrc.gov/docs/ML0212/ML021270070.pdf.
[45] ONR, “NS-TAST-GD-030, Rev. 5, Nuclear Safety Technical Assessment Guide:
Probabilistic Safety Analysis,” June 2016,
www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-030.pdf.
[46] ONR, “Japanese earthquake and tsunami: Implications for the UK nuclear
industry. Final Report. HM Chief Inspector of Nuclear Installations,” September
2011, www.onr.org.uk/fukushima/final-report.pdf.
[47] ONR, “NS-TAST-GD-007, Rev. 3, Nuclear Safety Technical Assessment Guide:
Severe Accident Analysis,” September 2017.
[48] Decker, K. and Brinkman, H., “List of external hazards to be considered in
ASAMPSA_E, EURATOM 7th Framework Prog. ASAMPSA_E, Tech. Rpt.
ASAMPSA_E/WP21/D21.2/2017-41,” February 2017,
http://asampsa.eu/wp-content/uploads/2014/10/ASAMPSA_E-D21.2_External_Hazard_List.pdf.
[49] Knochenhauer, M. and Louko, P., “Guidance for External Events Analysis, SKI
Report 02,” 27 February 2003.
[50] EPRI (Electric Power Research Institute), “Identification of External Hazards for
Analysis in Probabilistic Risk Assessment: Update of Report 1022997,” 29
October 2015, www.epri.com/#/pages/product/3002005287/.
[51] BSI, “BS EN 1991-1-4: 2005. Eurocode 1: Actions on Structures - Part 1-4:
General Actions – Wind Actions, European Committee for Standardisation,
Brussels,” 2005.
[52] ONR, “NS-TAST-GD-051, Rev. 4, Nuclear Safety Technical Assessment Guide:
Guidance on the Purpose, Scope and Content of Nuclear Safety Cases,” July
2016, www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-051.pdf.
[53] UK Met. Office, “UK Climate Projections (UKCP09),” 2009,
http://ukclimateprojections.defra.gov.uk/.
[54] USNRC, “Practical Implementation Guidelines for SSHAC Level 3 and 4 Hazard
Studies, NUREG-2117, Rev. 1,” April 2012,
www.nrc.gov/reading-rm/doc-collections/nuregs/staff/sr2117/.
[55] Bensi, M. and Kanney, J., Development of a Framework for Probabilistic Storm
Surge Hazard Assessment for United States Nuclear Power Plants, Paper
submitted to Div. VII, SMiRT23 Conf., Manchester, UK, August 10-14, 2015.
[56] IAEA, “Safety Guide No. NS-G-3.6, Geotechnical Aspects of Site Evaluation and
Foundations for Nuclear Power Plants,” 2004,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1195_web.pdf.
[57] IAEA, “Safety Guide No. NS-G-3.1, External Human Induced Events in Site
Evaluation for Nuclear Power Plants,” 2002,
https://www-pub.iaea.org/MTCD/publications/PDF/Pub1126_scr.pdf.
[58] ONR, “Japanese earthquake and tsunami: Implications for the UK Nuclear
Industry – Interim Report,” May 2011, www.onr.org.uk/fukushima/interim-
report.pdf.
[59] ENSREG, “European Council “Stress Tests” for UK nuclear power plants,
National Final Report,” December 2011, www.onr.org.uk/fukushima/european-
council-stress-tests.htm.
[60] HSE, “Safety Assessment Principles for Nuclear Facilities, Rev.1,” 2006,
www.onr.org.uk/saps/saps2006v1.pdf.
[61] IAEA, “Mission report - International Fact Finding Expert Mission of the
Fukushima Dai-ichi NPP Accident Following the Great East Japan Earthquake
and Tsunami,” 24 May 2011,
www-pub.iaea.org/MTCD/meetings/PDFplus/2011/cn200/documentation/cn200_Final-Fukushima-Mission_Report.pdf.
[62] HSE, “Reducing risks, protecting people: HSE’s decision‐making process,”
2001, www.hse.gov.uk/risk/theory/r2p2.pdf.
[63] ONR, “NS-TAST-GD-015, Rev. 2, Nuclear Safety Technical Assessment Guide:
Electromagnetic Compatibility,” April 2015,
www.onr.org.uk/operational/tech_asst_guides/ns-tast-gd-015.pdf.
[64] Department for Business Innovation and Skills, “Space Weather Preparedness
Strategy, v2.1,” July 2015.
[65] Royal Academy of Engineering, “Extreme space weather: impacts on
engineered systems and infrastructure,” February 2013,
www.raeng.org.uk/spaceweather.
[66] Executive Office of the President of the United States, “National space weather
strategy,” October 2015.
[67] University of Cambridge, “Solar Storm Emerging Risk Scenario”.
[68] National Research Council, “Severe Space Weather Events: Understanding
Societal and Economic Impacts: A Workshop Report,” Washington, DC: The
National Academies Press, 2008, https://doi.org/10.17226/12507.
[69] Cabinet Office, “National Risk Register of Civil Emergencies,” 2017,
www.gov.uk/government/uploads/system/uploads/attachment_data/file/
644968/UK_National_Risk_Register_2017.pdf.
[70] Oughton, E., Copic, J., Skelton, A., Kesaite, V., Yeo, Z.Y., Ruffle, S.J., Tuveson,
M., Coburn, A.W. and Ralph, D., “Helios Solar Storm Scenario,” Cambridge Risk
Framework series; Centre for Risk Studies, University of Cambridge, 2016.
[71] CL:AIRE, “Assessing risks associated with gases and vapours (INFO-RA2-4),”
17 May 2017,
www.claire.co.uk/information-centre/water-and-land-library-wall/41-water-and-
land-library-wall/212-assessing-risks-associated-with-gases-and-vapours-info-
ra2-4.
[72] ONR, “NS-TAST-GD-017, Rev. 3, Nuclear Safety Technical Assessment Guide:
Civil Engineering,” May 2013, www.onr.org.uk/operational/tech_asst_guides/ns-
tast-gd-017.pdf.
[73] Department of Energy and Climate Change, “National Policy Statement for
Nuclear Power Generation (EN-6),” Vol. 1 or 2, ISBN: 9780108510823, 2011,
www.gov.uk/government/uploads/system/uploads/attachment_data/file/
47859/2009-nps-for-nuclear-volumeI.pdf.

TABLE 1 – CATEGORIES OF EXTERNAL HAZARDS

| Plant fault initiator | Comment | Covered by TAG 13 |
|---|---|---|
| - Internal plant faults | Man-made, internal to primary nuclear plant & process | N |
| - Internal hazards | Man-made, external to primary nuclear plant & process, originates on-site | N |
| - External hazards | All other plant initiating events not covered above | |
| - Natural hazards | Generally originate off-site, but not always | |
| - Discrete | Hazard defined at one or more discrete frequency / severity combinations | Y |
| - Non-discrete | Hazard defined by a hazard curve | Y |
| - Man-made hazards | | |
| - Accidental | Originates off-site | Y |
| - Malicious | Originates from malign intent either on or off-site | N |

TABLE 2 – EXTERNAL HAZARDS RELEVANT TO NUCLEAR SITES IN THE UK*

| Hazard Category | Primary Hazard |
|---|---|
| Seismic | Earthquake |
| | Ground rupture |
| | Long period ground motion |
| | Liquefaction |
| Flooding and Hydrological | Rainfall |
| | Tidal |
| | Storm surge |
| | Waves |
| | Seiche |
| | Tsunami |
| | Dam failure |
| | River |
| | Ground run-off |
| | Ground water |
| Meteorological | Ambient air temperature |
| | Humidity |
| | Sea temperature |
| | Snow |
| | Icing – eg frazil, rime |
| | Hail |
| | Fog – cause of icing |
| | Lightning |
| | Drought |
| | Wind (including tornado) |
| Biological | Seaweed |
| | Fish / jellyfish |
| | Marine growth |
| | Corrosion promoter |
| Geological | Settlement |
| | Landslide |
| | Subsidence |
| | Water erosion / deposition |
| | Volcanic ash |
| Fire | Forest fire, wildfire, burning of turf or peat |
| Man Made | Aircraft impact (accidental and malicious+) |
| | Hazards from nearby industrial sites – airborne |
| | Hazards from adjacent nuclear sites |
| | Hazards from industrial activity – underground eg mining |
| | Fires |
| | Missiles |
| | Hazards from local road, rail and marine transport |
| | Electromagnetic interference |
| | Hazards from local pipelines |
| | Malicious activity+ |
| Other | Solar activity |
| | Meteorite |
| | EHs resulting from naturally occurring gases |

* This is an indicative summary of EHs known at the time of publication likely to be relevant
to nuclear facilities. Other hazards may emerge in the future as knowledge of potential
hazards advances, or environmental conditions change.

+ These EHs refer to malicious activities and are not covered further in this guide; refer to
paragraph 14.

TABLE 3 – INTERFACES BETWEEN EXTERNAL HAZARDS AND OTHER DISCIPLINES

| External Hazards interfaces with | Interface technical issues relevant to External Hazards |
|---|---|
| Fault Studies | Fault initiation / identification |
| | Fault schedule |
| | Fault sequence analysis |
| | Plant model (common cause failures) |
| | Protection concept (barrier requirements) |
| Internal hazards | Common protection barriers / conflicting requirements |
| | Segregation / separation |
| Severe Accident Analysis | Non-discrete hazards – plant response to very low frequency hazard events |
| PSA | Fault schedule |
| | Plant model |
| | Discrete hazards – initiating event frequencies and plant reliabilities |
| | Non-discrete hazards – hazard and fragility curves |
| Engineering disciplines | Design basis definitions |
| | BDB definitions |
| Human factors | Common cause effect |
| | Damage to off-site as well as on-site infrastructure |
| | Degraded access to import SSCs |
| | Extended event timescale |
| | Complex task analysis |
| Emergency arrangements | Common cause effect, both on-site in terms of widespread damage, and off-site – blue light services unavailable. |
| | Simultaneous damage to adjacent nuclear facilities |
| | Degraded off-site infrastructure – islanded site in terms of access to resources. |

TABLE 4 – COMPARISON WITH WENRA REFERENCE LEVELS

| WENRA Reference | TAG 13 |
|---|---|
| Existing Reactor Reference Levels - Issue E: Design Basis Envelope for existing reactors | |
| E5.2 EHs shall be taken into account in the design of the plant. In addition to natural hazards, human made EHs – including airplane crash and other nearby transportation, industrial activities and site area conditions which reasonably can cause fires, explosions or other threats to the safety of the nuclear power plant – shall as a minimum be taken into account in the design of the plant according to site-specific conditions. | Section 5.5.1; Table 2; Appendices 2 – 6; Annexes 1 – 4 |
| E6.1 Credible combinations of individual events, including internal and EHs, that could lead to anticipated operational occurrences or design basis accidents, shall be considered in the design. Deterministic and probabilistic assessment as well as engineering judgement can be used for the selection of the event combinations. | Paragraph 62; Section 5.5.1; Section 5.8.1 |
| E8.2 The worst single failure shall be assumed in the analyses of design basis events. However, it is not necessary to assume the failure of a passive component, provided it is justified that a failure of that component is very unlikely and its function remains unaffected by the PIE. | Section 5.8.7 |
| E8.3 Only systems that are suitably safety classified can be credited to carry out a safety function. Non-safety classified systems shall be assumed to operate only if they aggravate the effect of the initiating event. | Paragraph 44.i |
| E8.5 The safety systems shall be assumed to operate at their performance level that is most penalising for the initiator. | Paragraph 44.i |
| E8.6 Any failure, occurring as a consequence of a PIE, shall be regarded to be part of the original PIE. | Section 5.8.7 |
| E8.7 The safety analysis shall: | |
| (a) rely on methods, assumptions or arguments which are justified and conservative; | Paragraph 70 |
| (b) provide assurance that uncertainties and their impact have been given adequate consideration; | Paragraph 198 et seq |
| (c) give evidence that adequate margins have been included when defining the design basis to ensure that all the design basis events are covered. | Paragraph 77 et seq |
| Existing Reactor Reference Levels - Issue F: Design extension of existing reactors | ONR has not formally adopted DECs for EHs, but equivalent levels of safety are demonstrated below. |
| F1.1 As part of DiD, analysis of DEC shall be undertaken with the purpose of further improving the safety of the nuclear power plant by: • enhancing the plant’s capability to withstand more challenging events or conditions than those considered in the design basis, • minimising radioactive releases harmful to the public and the environment as far as reasonably practicable, in such events or conditions. | Paragraph 101 et seq |
| F1.2 There are two categories of DEC: • DEC A for which prevention of severe fuel damage in the core or in the spent fuel storage can be achieved; • DEC B with postulated severe fuel damage. The analysis shall identify reasonably practicable provisions that can be implemented for the prevention of severe accidents. | Paragraph 101 et seq |
| F2.2 The selection process for DEC A shall start by considering those events and combinations of events, which cannot be considered with a high degree of confidence to be extremely unlikely to occur and which may lead to severe fuel damage in the core or in the spent fuel storage. It shall cover: • Events occurring during the defined operational states of the plant; • Events resulting from internal or external hazards; • Common cause failures. | Paragraph 101 et seq. TAG 13 BDB does not just include conditions which could lead to core damage; it includes anything that could affect safety. |
| F2.3 The set of category DEC B events shall be postulated and justified to cover situations, where the capability of the plant to prevent severe fuel damage is exceeded or where measures provided are assumed not to function as intended, leading to severe fuel damage. | Paragraph 137 |
| Existing Reactor Reference Levels - Issue O: Probabilistic Safety Analysis (PSA) | |
| O1.1 For each plant design, a specific PSA shall be developed for level 1 and level 2, considering all relevant 58 operational states, covering fuel in the core and in the spent fuel storage and all relevant internal and external initiating events. EHs shall be included in the PSA for level 1 and level 2 as far as practicable, taking into account the current state of science and technology. If not practicable, other justified methodologies shall be used to evaluate the contribution of EHs to the overall risk profile of the plant. | Paragraph 130 |
| O3.3 PSA shall be used to assess the overall risk from the plant, to demonstrate that a balanced design has been achieved, and to provide confidence that there are no "cliff-edge effects" | Paragraph 130 et seq; Paragraph 137 et seq. Cliff-edge effects are considered primarily as part of BDBA. |
Existing Reactor Reference Levels - Issue T
Natural hazards
T1.1 Natural hazards shall be considered an integral part of the Section 5.4
safety demonstration of the plant (including spent fuel storage). Section 5.5
Threats from natural hazards shall be removed or minimised as far Section 5.5.3
as reasonably practicable for all operational plant states. The safety
The operator has little control
demonstration in relation to natural hazards shall include
assessments of the design basis and DECs with the aim to identify over the occurrence of EHs;
needs and opportunities for improvement. therefore, the focus is on
appropriate hazard analysis
and robust resilience.
T2.1 All natural hazards that might affect the site shall be identified, Section 5.2
including any related hazards (eg earthquake and tsunami). Section 5.3
Justification shall be provided that the compiled list of natural
hazards is complete and relevant to the site.
T2.2 Natural hazards shall include: Table 2
 Geological hazards Appendices 2 – 6
 Seismotectonic hazards Annexes 1 – 3
 Meteorological hazards Appendices 2 – 6 and
 Hydrological hazards Annexes 1 – 3 to this TAG
 Biological phenomena contains a non-exhaustive
 Forest fire compendium of individual
hazard types that can be
used as a starting point for
the identification of the

NS-TAST-GD-013
CM9 Ref: 2020/227479 Page 62 of 84
Office for Nuclear Regulation

natural hazards.
T3.1 Natural hazards identified as potentially affecting the site can Section 5.2
be screened out on the basis of being incapable of posing a Section 5.3.1
physical threat or being extremely unlikely with a high degree of Section 5.8.1
confidence. Care shall be taken not to exclude hazards which in
combination with other hazards have the potential to pose a threat
to the facility. The screening process shall be based on
conservative assumptions. The arguments in support of the
screening process shall be justified.
T3.2 For all natural hazards that have not been screened out, Section 5.4
hazard assessments shall be performed using deterministic and, as Section 5.5.1
far as practicable, probabilistic methods taking into account the Section 5.5.2
current state of science and technology. This shall take into Section 5.6
account all relevant available data, and produce a relationship Section 5.7
between the hazards severity (eg magnitude and duration) and
exceedance frequency, where practicable. The maximum credible
hazard severity shall be determined where this is practicable.
T3.3 The following shall apply to hazard assessments: Paragraph 44.f
 The hazard assessment shall be based on all relevant site Section 5.8.9
and regional data. Particular attention shall be given to Appendices 1 – 4
extending the data available to include events beyond Annexes 1 – 4
recorded and historical data.
 Special consideration shall be given to hazards whose
severity changes during the expected lifetime of the plant.
 The methods and assumptions used shall be justified.
Uncertainties affecting the results of the hazard
assessments shall be evaluated.
T4.1 Design basis events shall be defined based on the site- Section 5.4
specific hazard assessment. Appendices 2 – 6
Annexes 1 – 4
T4.2 The exceedance frequencies of design basis events shall be Section 5.5.1
low enough to ensure a high degree of protection with respect to Section 5.5.2
natural hazards. A common target value of frequency, not higher
than 10-4/yr, shall be used for each design basis event. Where it is
not possible to calculate these probabilities with an acceptable
degree of certainty, an event shall be chosen and justified to reach
an equivalent level of safety. For the specific case of seismic
loading, as a minimum, a horizontal peak ground acceleration value
of 0.1g (where ‘g’ is the acceleration due to gravity) shall be
applied, even if its exceedance frequency would be below the
common target value.
T4.3 The design basis events shall be compared to relevant Paragraphs – 22.
historical data to verify that historical extreme events are enveloped Section 5.8.9
by the design basis with a sufficient margin.
T4.4 Design basis parameters shall be defined for each design Appendices 2 – 6
basis event taking due consideration of the results of the hazard
assessment.
T4.5 Design basis parameters shall be defined for each design Section 5.4
basis event taking due consideration of the results of the hazard
assessment.
T5.1 Protection shall be provided for design basis events. A Paragraphs 18.(iii.) and 86.
protection concept shall be established to provide a basis for the Table 3
design of suitable protection measures.
T5.2 The protection concept shall be of sufficient reliability that the fundamental safety functions are conservatively ensured for any direct and credible indirect effects of the design basis event. A protection concept, as meant here, describes the overall strategy followed to cope with natural hazards. It shall encompass the protection against design basis events, events exceeding the design basis and the links into emergency operating procedures and SAMGs. | Paragraph 18., 85.; Section 5.5; Section 5.5.3; Section 5.6; Section 5.7
T5.3 The protection concept shall:
(a) apply reasonable conservatism providing safety margins in the design; | Paragraph 77. et seq
(b) rely primarily on passive measures as far as reasonably practicable; | Paragraph 37.
(c) ensure that measures to cope with a design basis accident remain effective during and following a design basis event; | Section 5.5.1
(d) take into account the predictability and development of the event over time; | Section 5.9
(e) ensure that procedures and means are available to verify the plant condition during and following design basis events; | Paragraph 39. & Section 5.10
(f) consider that events could simultaneously challenge several redundant or diverse trains of a safety system, multiple SSCs or several units at multi-unit sites, site and regional infrastructure, external supplies and other countermeasures; | Section 5.8.4
(g) ensure that sufficient resources remain available at multi-unit sites considering the use of common equipment or services; | Paragraph 39. & Sections 5.8.4 & 5.8.8
(h) not adversely affect the protection against other design basis events (not originating from natural hazards). | Paragraph 150. & Sections 5.8.2 & 5.8.7
T5.4 For design basis events, SSCs identified as part of the protection concept with respect to natural hazards shall be considered as important to safety. | Out of scope of TAG 13. See Category and Class SAPs.
T5.5 Monitoring and alert processes shall be available to support the protection concept. Where appropriate, thresholds (intervention values) shall be defined to facilitate the timely initiation of protection measures. In addition, thresholds shall be identified to allow the execution of pre-planned post-event actions (eg inspections). | Paragraphs 37. & 44.(d); Section 5.10
T5.6 During long-lasting natural events, arrangements for the replacement of personnel and supplies shall be available. | Not covered explicitly, not EH specific.
T6.1 Events that are more severe than the design basis events shall be identified as part of DEC analysis. Their selection shall be justified. Further detailed analysis of an event will not be necessary, if it is shown that its occurrence can be considered with a high degree of confidence to be extremely unlikely. | Section 5.5.3
T6.2 To support identification of events and assessment of their effects, the hazards severity as a function of exceedance frequency or other parameters related to the event shall be developed, when practicable. | Section 5.5.1
T6.3 When assessing the effects of natural hazards included in the DEC analysis, and identifying reasonably practicable improvements related to such events, analysis shall, as far as practicable, include:
(a) demonstration of sufficient margins to avoid “cliff-edge effects” that would result in loss of a fundamental safety function; | Paragraph 113. et seq
(b) identification and assessment of the most resilient means for ensuring the fundamental safety functions; | Section 5.5
(c) consideration that events could simultaneously challenge several redundant or diverse trains of a safety system, multiple SSCs or several units at multi-unit sites, site and regional infrastructure, external supplies and other countermeasures; | Paragraph 39. & Section 5.8.8
(d) demonstration that sufficient resources remain available at multi-unit sites considering the use of common equipment or services; | Paragraph 39. & Section 5.8.8
(e) on-site verification (typically by walkdown methods). | Section 5.10
New NPP designs – Position 6

External Hazards
Introduction | Section 2.2
Here the EHs of concern are those natural or man-made hazards to a site and facilities that originate externally to both the site and its processes, ie the Licensee may have very little or no control over the initiating event.
In contrast with almost all internal faults or hazards, EHs may simultaneously affect the whole facility, including back-up safety systems and non-safety systems alike. In addition, the potential for widespread failures and hindrances to human intervention may occur. For multi-facility sites this makes the generation of safety cases more complex and requires appropriate interface arrangements to deal with common equipment or services as well as potential domino effects.
Safety Expectation | Paragraph 37.; Section 5.4
The safety assessment for new reactors should demonstrate that threats from EHs are either removed or minimised as far as reasonably practicable.
This may be done by showing that all relevant safety SSCs required to cope with an EH are designed and adequately qualified to withstand the conditions related to that EH.
EHs considered in the general design basis of the plant should not lead to a core melt accident (Objective O2 ie level 3 DiD).
Accident sequences with core melt resulting from EHs which would lead to early or large releases should be practically eliminated (Objective O3 ie level 4 DiD). For that reason, rare and severe EHs, which may be additional to the general design basis, unless screened out (see “Screening of EHs” below), need to be taken into account in the overall safety analysis.
Identification | Section 4; Section 5.2; Table 2
See Safety Series Standards NS-R-3, NS-G-3.1, NS-G-3.3, NS-G-3.6, NS-G-1.5, NS-G-1.6 and relevant events in SSG-3 and SSG-18
Screening of External Hazards | Section 5.3.1
Screening is used to select the EHs that should be analysed. As a starting point, the screening process should take the complete list discussed in the previous section. Each EH on the list should be considered and selected for analysis if:
(a) It is physically capable of posing a threat to nuclear safety, and
(b) the frequency of occurrence of the EH is higher than pre-set criteria.
The pre-set frequency criteria may differ depending on the nature of the analysis that is to be undertaken. Typically for the general design basis, where the analysis will be done using traditional conservative methods, assumptions and data, the criterion will be higher than the frequency criteria used for analyses of rare and severe EHs or PSA that could employ realistic, best estimate methods and data. Therefore, the screening process may lead to separate, but compatible lists of EHs for the range of analyses to be undertaken and there should be a clear and consistent rationale for the differences in the lists.
In all cases the pre-set frequency criteria used should be stated and justified taking into account the way the hazards are going to be analysed in the safety demonstration.
The degree of confidence of the estimated frequency of occurrence should be stated and justified taking into account the related uncertainties according to the state of knowledge.
The screening process should explicitly consider correlated events and combinations of events.
Determination of hazard parameters | Section 5.4; Appendices 2 – 6; Annexes 1 – 4
All of the candidate EHs that are selected should be characterised in terms of their severity and / or magnitude and duration. The characterisation of the EH will depend on the type of analysis that is to be carried out and shall be conservative for the general DBA and could be realistic / best estimate for rare and severe EHs analysis and PSA. It should be noted that for EHs PSA, a range of frequencies and associated hazard parameters is often required. All relevant characteristics need to be specified and the rationale for their selection justified. For some EHs:
• the ability to forecast the magnitude and timing of the event, and the speed at which the event develops may be relevant and should be considered;
• several parameters could be relevant to characterise severity and / or magnitude.
Analysis considerations | Section 5.4; Section 5.5.3; Section 5.8.4
The EHs analysis includes the design of SSCs which are relevant to ensuring that the fundamental safety functions are fulfilled, development of probabilistic models where necessary, and the consideration of rare and severe EHs.
The following should be considered when undertaking this analysis:
• Minimising the risk from EHs by initial siting of the facility
• Designing plant layout to minimise impact of EHs (this is particularly important for multi-unit facilities – also where units are of different generation)
• Justification of the lists of identified EHs
• Justification of any hazard screening
• Combinations of EHs that can occur simultaneously or successively within a given period of time 26 including correlated hazards and those combinations which occur randomly
• Consideration of consequential events, such as fire or flooding following a seismic event
• EH induced multiple failure of safety systems and / or their support systems
• Cliff-edge effects – where a small change in a parameter leads to a disproportionate increase in consequence.
• In addition to considering the impact of EHs on the systems and components, the reliability of the buildings and structures responding to an EH should be taken into account
The PSA for EHs should include consideration of building and structural reliability as well as system and component fragilities and should take account of the potential for human response to be affected by the external event. | Section 5.6
• Impact of climate change and other potential time related changes that might affect the site should be considered | Section 5.8.11
• Consideration should also be given to the impact of EHs on the ability to support (emergency services) the site damaged by that external event (relevant to DiD). | Section 5.9
• The design of the plant should reflect the EHs analyses. Similarly, the operating and maintenance procedures as well as the training etc should take account of the EHs analyses. | Paragraph 44.(k)
• Care must be taken where the definition of the hazard levels is imprecise, and claims are made based on the accuracy of calculations which have an accumulation of assumptions and conservatisms (or lack of) | Sections 5.8.9 & 5.8.10
• A clear methodology is important, along with an understanding of the associated uncertainties, both epistemic and aleatory. This is particularly important where the work also supports numerical PSA based approaches and where it is used to screen out hazards.
• The use of generic fragilities should be treated with care, as failure mechanisms may not be similar for similar types of plant, despite appearances | Paragraph 134. & Section 5.6
• Large uncertainties in characterisation of the general design basis hazards need to be addressed as part of “cliff-edge” considerations | Section 5.5.3
• Multiple unit sites may need additional consideration for common plant areas and mitigation | Section 5.8.4

TABLE 5 – IAEA SAFETY GUIDES REFERENCED IN TAG 13

Report No. | Reference | Title

General
SSR-2/1 | [22] | Safety of Nuclear Power Plants: Design
NS-R-3 | [23] | Site Evaluation for Nuclear Installations
NS-G-1.5 | [43] | External Events Excluding Earthquakes in the Design of Nuclear Power Plants
NS-G-3.1 | [41] | External Human Induced Events in Site Evaluation for Nuclear Power Plants
NS-G-3.6 | [56] | Geotechnical Aspects of Site Evaluation and Foundations for Nuclear Power Plants
TECDOC 1791 | [29] | Considerations on the Application of the IAEA Safety Requirements for the Design of Nuclear Power Plants
TECDOC 1834 | [30] | Assessment of Vulnerabilities of Operating Nuclear Power Plants to Extreme External Events

Site Selection
SSG-35 | [31] | Site Survey and Site Selection for Nuclear Installations

Seismic Analysis
NS-G-1.6 | [25] | Seismic Design and Qualification
NS-G-2.13 | [26] | Evaluation of Seismic Safety for Existing Nuclear Installations

Seismic Hazard Analysis
SSG-9 | [27] | Seismic Hazards in Site Evaluation for Nuclear Installations
Safety Report 85 | [32] | Ground Motion Simulation Based on Fault Rupture Modelling for Seismic Hazard Assessment in Site Evaluation for Nuclear Installations
Safety Report 89 | [33] | Diffuse Seismicity in Seismic Hazard Assessment for Site Evaluation of Nuclear Installations
TECDOC 1767 | [34] | The Contribution of Palaeoseismology to Seismic Hazard Assessment in Site Evaluation for Nuclear Installations
TECDOC 1796 | [35] | Seismic Hazard Assessment in Site Evaluation for Nuclear Installations: Ground Motion Prediction Equations and Site Response

Meteorology & Coastal Flood Hazard Analysis
SSG-18 | [28] | Meteorological and Hydrological Hazards in Site Evaluation for Nuclear Installations

Volcanic Hazard Analysis
SSG-21 | [37] | Volcanic Hazards for Site Evaluation for Nuclear Installations
TECDOC 1795 | [36] | Volcanic Hazard Assessments for Nuclear Installations: Methods and Examples in Site Evaluation

Human Factors in External Hazards Analysis
NS-G-3.1 | [57] | External Human Induced Events in Site Evaluation for Nuclear Power Plants
Safety Report 86 | [38] | Safety Aspects of Nuclear Power Plants in Human Induced External Events: General Considerations
Safety Report 87 | [39] | Safety Aspects of Nuclear Power Plants in Human Induced External Events: Assessment of Structures
Safety Report 88 | [40] | Safety Aspects of Nuclear Power Plants in Human Induced External Events: Margin Assessment

NS-TAST-GD-013 Revision 7
TRIM Ref: 2018/315641 Page 69 of 84
Office for Nuclear Regulation

TABLE 6 – EXAMPLE SCREENING CRITERIA FOR COMBINATIONS OF EXTERNAL HAZARDS*

M1 / Independence | The events occur independently of each other in time AND The probability of simultaneous occurrence is low.
M2 / Definition | The events do not occur independently in time AND Multiple events included in definition of a single event, which is analysed for the plant.
M3 / Impact | The events do not occur independently in time AND The events affect the same plant safety function. AND The combined effect on the safety function is not greater than the effect from most severe of the single events involved
Single event screening criteria | Single external events criteria are relevant also for multiple events.

* from [49]

APPENDIX 1 – POST-FUKUSHIMA UPDATES TO THE SAPS AND RELEVANT GOOD PRACTICE

1. Following the earthquake and tsunami which severely damaged the Fukushima Dai-ichi
and Dai-ni nuclear power plants in Japan in March 2011, ONR’s HM Chief
Inspector produced a set of reports for the UK Government on the events at
Fukushima [58] & [46]. The reports made a number of Final Recommendations (FRs)
and Interim Recommendations (IRs) to ensure appropriate lessons were learnt and
implemented from the Fukushima event by nuclear operators. Nuclear operators
across Europe were also tasked with responding to the Stress Test Findings (STFs)
generated from a separate EU review of the Fukushima event [59].

2. The FRs, IRs and STFs most directly relevant to EHs are below, but others, eg
relevant to emergency arrangements, are also relevant:

Recommendation IR‐8: The UK nuclear industry should review the dependency of
nuclear safety on off‐site infrastructure in extreme conditions, and consider whether
enhancements are necessary to sites’ self-sufficiency given for the reliability of the grid
under such extreme circumstances.

Recommendation IR‐11: The UK nuclear industry should ensure that safety cases for
new sites for multiple reactors adequately demonstrate the capability for dealing with
multiple serious concurrent events induced by extreme off‐site hazards.

Recommendation IR 10: The UK nuclear industry should initiate a review of flooding
studies, including from tsunamis, in light of the Japanese experience, to confirm the
design basis and margins for flooding at UK nuclear sites, and whether there is a need
to improve further site-specific flood risk assessments as part of the periodic safety
review programme, and for any new reactors. This should include sea-level protection.

Recommendation IR 13: The UK nuclear industry should review the plant and site
layouts of existing plants and any proposed new designs to ensure that safety systems
and their essential supplies and controls have adequate robustness against severe
flooding and other extreme external events.

Recommendation FR 2: The UK nuclear industry should ensure that structures,
systems and components needed for managing and controlling actions in response to
an accident, including plant control rooms, on‐site emergency control centres and off‐
site emergency centres, are adequately protected against hazards that could affect
several simultaneously.

Recommendation FR 3: Structures, systems and components needed for managing
and controlling actions in response to an accident, including plant control rooms, on‐
site emergency control centres and off‐site emergency centres, should be capable of
operating adequately in the conditions, and for the duration, for which they could be
needed, including possible severe accident conditions.

Recommendation FR 4: The nuclear industry should ensure that adequate Level 2
Probabilistic Safety Analyses (PSA) are provided for all nuclear facilities that could
have accidents with significant off‐site consequences and use the results to inform
further consideration of severe accident management measures. The PSAs should
consider a full range of external events including “beyond design basis” events and
extended mission times.

Stress Test Finding STF-2: The nuclear industry should establish a research
programme to review the Seismic Hazard Working Party (SHWP) methodology against
the latest approaches. This should include a gap analysis comparing the SHWP
methodology with more recent approaches such as those developed by the Senior
Seismic Hazard Analysis Committee (SSHAC).

Stress Test Finding STF-3: Licensees should undertake a further review of the totality
of the required actions from operators when they are claimed in mitigation within
external hazards safety cases. This should also extend into beyond design basis
events as appropriate.

Stress Test Finding STF-4: Licensees should undertake a further systematic review
of the potential for seismically‐induced fire which may disrupt the availability of safety‐
significant structures, systems and components (SSC) in the seismic safety case and
access to plant areas.

Stress Test Finding STF-5: Licensees should further review the margins for all safety
significant structures, systems and components (SSC), including cooling ponds, in a
structured systematic and comprehensive manner to understand the beyond design
basis sequence of failure and any cliff-edges that apply for all external hazards.

Stress Test Finding STF-7: Licensees should undertake a more structured and
systematic study of the potential for floodwater entry to buildings containing safety-
significant structures, systems and components (SSC) from extreme rainfall and / or
overtopping of sea defences.

3. ONR’s expectation is that the recommendations and findings that arose from the post-
Fukushima lessons learnt should be incorporated into safety cases for EHs, as
appropriate, as part of normal business. The expectations set out in the post-
Fukushima Recommendations and Findings are now considered RGP in the UK, and
all licensees, potential licensees and requesting parties should ensure they are met in
accordance with their lifecycle positions.

Update to ONR SAPs relevant to External Hazards

4. ONR’s SAPs were updated in 2014 to incorporate these expectations. The SAPs were
reviewed post-Fukushima after ONR’s Chief Nuclear Inspector’s report on the
Implications of the Fukushima events on the GB nuclear industry was published. That
report concluded that there were no significant gaps in the SAPs but recommended a
review to ensure lessons learnt were incorporated. The review resulted in a number of
changes to the SAPs which were reissued in 2014.

5. A number of significant enhancements were made:

• Screening: New principle EHA.19 added.

• BDB events: New principle EHA.18 added and links added to EHA.7 and to
PSA and SAA.

• Flooding: Greater emphasis placed on flood protection – discussed below.

• Extreme weather: EHA.11 updated to clearly include BDB weather hazards and
the requirement to have forewarning systems in place (but see below on the
hierarchy of safety measures).

• Discrete & non-discrete external hazards: SAPs paragraph 235 added to bring
out the difference between EHs defined as discrete frequency / severity events
and those defined by hazard curves. This facilitates a better understanding of
the implications of non-discrete hazards on BDBA.

• Uncertainty analysis: Improved clarity on the links from the EH section of the
SAPs to the principles covering uncertainty analysis, SAPs paragraph 238.

• Analysis of design basis events: improved clarity on the requirements to apply
an appropriate combination of engineering, deterministic and probabilistic,
SAPs paragraph 243 and 244. See below.

6. Hierarchy of Safety Measures & Independence, Redundancy, Diversity and
Segregation: The Fukushima event reinforced the importance of considering the ability
of plant systems to withstand EHs in terms of the hierarchy of safety concept, and the
concepts of independence, redundancy, diversity and segregation together with DiD.
These concepts should be examined within the context of the overall design.

Cliff-Edge and Beyond Design Basis Analysis

7. SAP EHA.7 – Cliff-edge effects has also been updated and SAP EHA.18 – BDB events
has been added as part of the post-Fukushima updates. The main point behind these
two SAPs is to clarify the expectation that explicit margins assessments should be
performed to examine the potential effects of BDB flooding as set out in STFs 5 and 7
for external flooding for example. ONR expects that the analysis of external flooding
should identify the margins beyond the design basis to the point(s) where safety
functions would no longer be achieved, as a function of increasing hazard severity.
This analysis should confirm the absence of ‘cliff-edge’ effects just beyond the design
basis and should provide an input into PSA and SAA.

Coastal Flood Hazard

8. SAP EHA.12 is the most relevant Principle relating to external flooding, and it has been
enhanced significantly since the 2006 version [60] of the SAPs. Previously, the SAP
said simply that “nuclear facilities should withstand flooding conditions that meet the
design basis event criteria.” It now states that “facilities should be shown to withstand
flooding conditions up to and including the design basis event. Severe accidents
involving flooding should also be analysed.” The changes reflect the increased
importance placed on the analysis of extreme flooding events post-Fukushima, including the
consideration of BDB flooding.

9. The explanatory paragraphs following the SAP itself have also been greatly expanded.
These paragraphs now refer explicitly to the “dry site” concept and say that “facilities
should be protected against a design basis flood by adopting a layout based on
maintaining the ‘dry site concept’. In the dry site concept, all vulnerable structures,
systems and components should be located above the level of the design basis flood,
together with an appropriate margin…” In the next paragraph, the SAPs then go on to
say that, “where it is not practicable to adopt the dry site concept, the design should
include permanent external barriers such as levees, sea walls and bulkheads…” and
that “the design parameters for these barriers may need to be more onerous than
those derived from the design basis flooding event.”

10. This update stems from the lessons described in the report from the IAEA’s fact-finding
mission to Japan that took place post-Fukushima. The IAEA conducted this fact-finding
mission by agreement with the government of Japan, and ONR’s Chief Inspector was
asked by IAEA to lead this mission, which was undertaken in 2011. The resulting
mission report [61] states that “plant layout should be based on maintaining a ‘dry site
concept’, where practicable” which, it goes on to state in Finding Number A1-02 of the
report, is “preferred in many Member States to the alternative solution of permanent
external barriers such as levees, sea walls and bulkheads.” The IAEA Director
General’s report [24] on Fukushima, in Technical Volume II, considered the “dry site
concept” further. It states that “the dry site concept is considered a key measure
against site flooding hazards that may affect safety.” The report explains that “in many
member states, this concept is preferred to the alternative solution of permanent
external protective barriers.” In the UK, as stated above, this preference is now
expressed in the SAPs. During the licensing process for any new site, a robust ALARP
demonstration would be required were the dry site concept not to be adopted.

11. Uncertainty in flood hazard analysis: A high degree of uncertainty is present in the
analysis of external flooding. The following factors should be taken into account to
ensure that the uncertainty is mitigated and risks reduced ALARP:

12. When faced with significant uncertainty, the precautionary principle (referred to as the
“precautionary approach” in the SAPs) means it is necessary to err on the side of
safety and to ensure that safety measures are adequate [62].

13. Generally speaking, the precautionary principle is invoked for two key reasons – either
due to the potential for serious harm as an outcome, or due to levels of uncertainty so
high that the outcomes are highly divergent. For external flooding, uncertainty is high
so a wide range of scenarios should be examined and potential mitigations and
resilience enhancements identified. These should then be subjected to ALARP
considerations in accordance with guidance in TAG 5 [6]. The concept of reducing
risks ALARP takes into account gross disproportionality, and clearly what is reasonably
practicable for a site at greater risk of flooding is different from one where an external
flood is not credible. Inspectors should ensure that ALARP considerations have been
applied in accordance with the risk that could arise from external flooding in
accordance with a site’s vulnerability to flooding and lifecycle position.

14. Hierarchy of Safety Measures: In order of preference, safety measures should be:

• Passive withstand capability
• Automatically initiated preventative engineered measures
• Manually initiated preventative engineered measures
• Administrative arrangements
• Mitigating the effects of failure

15. Safety measures should be ranked in order of importance by making use of the
hierarchy of safety concept. Passive measures (such as waterproofing around doors
and cable penetrations into buildings) or automatically initiated preventative
engineered measures (such as activation of fail-safe cooling systems), if adequately
conceived and executed, should provide robust reassurance that unacceptable
consequences will not be realised in case an extreme flood event occurs.
Administrative measures, such as responding to weather forecasts, should be treated
with a degree of caution, since potential for human error exists both in the forecasts
themselves, and any operator actions on-site being taken in response. Manually
initiated engineering measures to prevent EH-induced failures are typically less reliable
than passive or automatically initiated measures.

APPENDIX 2 – ELECTROMAGNETIC INTERFERENCE AND SPACE WEATHER

Electromagnetic Interference

1. Electromagnetic interference (EMI) (also called radio frequency interference or RFI) is
a disturbance that affects an electrical circuit due to electromagnetic radiation emitted
from an external source. The disturbance may interrupt, obstruct, or otherwise degrade
or limit the effective performance of the circuit. The source may be any object, artificial
or natural, that carries rapidly changing electrical currents, such as: an electrical circuit,
radar, communication systems, electrical storms, or from an extra-terrestrial source,
typically the Sun.

14. The potential for EMI to instrumentation and control equipment should be considered.
Guidance on the assessment of EMI is set out in T/AST/015 on electromagnetic
compatibility [63], which also includes references and sources of further information.
Depending on whether the hazard can be adequately controlled, the Licensee may
need to provide screening to protect equipment from EMI or install instrumentation and
control equipment of a proven electromagnetic compatibility.

2. Sources of EMI local to the site should be identified and characterised. External
sources of EMI may vary in power with time and may be manually controlled and
directional. These variations should be considered when characterising the EMI EH.

Space Weather

3. Space weather is a term which describes variations in the Sun, solar wind,
magnetosphere, ionosphere and thermosphere, which can influence the performance
and reliability of space based and ground based technological systems.

4. The Sun is a source of EMI and other radiation at the Earth’s surface. This radiation
has a multitude of effects on the earth, not least in determining the earth’s weather
systems. This appendix is however only concerned with electromagnetic and radiation
effects on engineered systems. The Sun has an approximately 11 year magnetic
activity cycle during which its magnetic field grows and diminishes in strength and
reverses in polarity. This cycle is observed through changes in the sun spot activity on
the Sun’s surface.

5. In addition to the continually varying interplanetary magnetic and particle flux, which is
referred to as the solar wind, a related phenomenon, termed solar storm, has the
additional potential to affect engineered systems.

6. Space weather (or more specifically solar storms) has been identified as a threat to
infrastructure nationally. It is monitored as part of the UK natural hazards partnership,
with the UKMO being the lead agency. Space weather is also considered in the USA,
with NASA being the lead agency. The threat to UK and USA infrastructure from space
weather has been studied in order to advise policy [64], [65], [66], [67]. Nuclear
facilities are not specifically highlighted, but the vulnerability of electric grid and other
infrastructure is highlighted.

7. This appendix is focused on the hazard potential associated with solar storms. Note
however that this is generally referred to as space weather within the wider scientific
community.

Solar Storms

8. Solar storms are a particular aspect of space weather associated with the sudden
brightening of solar active regions known as sunspots and may be characterised in
terms of three phenomena; solar flares, solar energetic particles and coronal mass
ejections.

9. A solar flare is loosely defined as a sudden release of energy from the sun in the form
of X-rays, extreme UV and gamma-rays which take about 8 minutes to reach Earth
(speed of light) and persist in a timeframe of minutes to hours. A solar flare may also
be the precursor for the ejection of solar energetic particles (SEP) and subsequent
coronal mass ejections (CME).

10. SEPs are highly energetic solar particles (protons and ions) travelling at relativistic
speeds which may take the order of 15 minutes to 24 hrs to reach earth and persist for
several days. A particle cascade can be created by solar particles at high energies
interacting with the upper atmosphere. The particle cascade can be composed of
neutrons, protons, muons, pi-mesons, gamma rays and electrons. These particles are
typically observed at high elevation in satellite and aviation systems but also have the
potential to create ground-level particle fluxes of neutrons and muons. These events
are referred to as ground level events (GLE).

11. A CME is an eruption of electrical plasma and magnetic fields from the solar corona as
a plasma ‘bubble’ which may take typically 1 to 4 days to reach earth and persist for
typically 1-2 days. CMEs interact with the Earth’s geomagnetic field, with the impact
accentuated when the magnetic field of the CME is oppositely aligned to the direction
of the geomagnetic field. In such a configuration CME energy and plasma is efficiently
directed into the Earth’s environment, including the radiation belts, ionosphere,
atmosphere and ground.

Space weather impact at ground level: GIC

12. The interaction between an appropriately magnetically-aligned CME or fast stream of
solar wind and the geomagnetic field induces a secondary magnetic field and a surface
electric field in the Earth. The consequence of this electric (‘telluric’) field is a
Geomagnetically Induced Current (GIC), which can enter any ground-based network
through the earthing points.

13. Given the physical dimensions of CMEs and the geomagnetic field (both many Earth
diameters wide), the impact of space weather is generally global in extent, though it is
stronger towards both poles where the geomagnetic field is more readily magnetically
connected to the solar wind. However regional (few hundred km to continental scale)
impacts do occur, depending on the local time, with impacts stronger on the night side
of the Earth.

14. Ground level infrastructure affected by GIC includes electrical power transmission
systems, pipelines and railways. These systems are affected by the GIC due to their
large span.

Space weather impact at ground level: GLE

15. Space weather is known to affect man-made satellites and the aviation industry. The
electronics within man-made satellites can be disrupted by the particle flux, giving the
potential for reducing the reliability of signals and data. This includes man-made
satellites providing Global Navigation Satellite Systems (GNSS)§§§§§§§. Where ground
level infrastructure also relies on GNSS (position and/or timing), satellite
communications, mobile or HF communications, or contains electronic hardware
sensitive to ionising radiation, then there are additional space weather risks [65], [68].

15. GLE are relevant to Control and Instrumentation (C&I) systems, with certain materials
being particularly susceptible to particle fluxes creating false signals.

§§§§§§§ Often referred to as Global Positioning System (GPS), although this is one of a series of systems.


Forecasting

16. The correlation between sunspot activity and the occurrence rate of solar storms is not
well established, with the correlation becoming weaker for more severe solar storms.
Sunspots are a manifestation of the magnetic cycle of the Sun, a dynamo process, for
which no agreed physical model currently exists capable of explaining the periodicities.
However, comparable ‘star spot’ records suggest the Sun is not atypical. Indeed Sun-
like stars are observed for which spots are rare or cover a substantial fraction of the
surface, suggesting that a wide range of activities are possible, if not yet observed, in
solar sunspot data.

17. Warning and detection systems are in place for space weather. Space based
instruments in orbit between Earth and the Sun can detect CME and provide a 15 to 60
minute warning, depending on the speed of the CME. Terrestrial monitoring systems
are also in place in the form of the INTERMAGNET network. These provide monitoring
for geomagnetic storms and GIC.

18. Due to the near relativistic speed of SEP, there is little scope for the development of
warning systems against GLE. As noted above, there may be only a few minutes delay
between the observation of a significant solar flare and the first arrival of SEP at Earth.

Characterisation

19. The UK National Risk Register [69] classes severe space weather as a low probability
(1 in 20 years or less********) but potentially high impact event. There are continuous
ground-level geomagnetic records, dating back some 170 years, to substantiate the
impact of space weather, as well as evidence from space-based measurements of
solar activity for the last 50 years. The sunspot record itself dates back 400 years and
provides some broader indication of past solar behaviour. Work is ongoing to try to
establish a longer record of solar activity from isotopic analysis of polar ice cores; there
is not wide consensus on the validity of the methodology.

20. As part of the UK preparedness for space weather events, a single hypothetical event
was modelled and the consequences for UK infrastructure and industry estimated [70].

21. The “Carrington Event” of 1859, which has become a benchmark for extreme space
weather events, has been extensively studied. Of particular note are: the fast travel
time of the CME (17.6 hours to Earth from first observation of a related solar flare at
the Sun by Carrington); observation of the Aurora Borealis at low latitudes and mis-
operation and fires in telegraph systems. The latter impact is particularly relevant as a
benchmark for the potential effects of a Carrington-like event today on grounded
infrastructures. Telegraph systems of the time used batteries, and operators found that
the system could work without the batteries, ‘powered by the aurora’, as GIC flowed to
and from the ground into the network due to the enhanced surface electric field driven
by the storm. The Carrington Event has been used to estimate the frequency of
extreme events, but as a single event the results are very dependent upon
methodology and do not have a consensus in the scientific community.

22. The characterisation of GLEs is difficult as they have only been detectable since the
mid-20th century, e.g. no GLE data is available for the Carrington Event. Frequency
and severity are therefore difficult to determine.

23. Since the publication of a report by the Royal Academy of Engineering [65], which
estimated that a solar storm having magnitude similar to the Carrington event is
thought to have a return period of around 100 years, the nuclear industry, supported
by CINIF (Control & Instrumentation Nuclear Industry Forum), has undertaken research to
characterise the potential hazard posed by severe space weather. Work carried out by
the National Physical Laboratory estimated neutron fluxes at ground level
corresponding to return periods of 100, 1000, and 10,000 years. The work is however
supported by little actual data, so there is insufficient information for these fluxes to be
used to design engineered protection. However, the flux magnitudes at return periods
of 1000 years - 10,000 years are such that the hazard posed by SEP cannot be
ignored.

******** The difference in expectation of hazard return frequency between the UK national risk register and
the SAPs should be noted when qualifying language such as “low probability” is used instead of
numerical values.

24. Using the flux estimates established by NPL, the nuclear industry undertook further
work through CINIF to consider the effects of neutron irradiation on the electronic
components used within ground-level control and instrumentation (C&I) electronics in
the nuclear industry. Radiation effects in general were reviewed but the major focus
was on single event effects (SEE) whereby individual particles of ionising radiation can
trigger soft, firm or hard failures in modern microelectronics. In the absence of
mitigating factors such as shielding and de-rating, certain microelectronic technologies
will suffer significant effects in the case of extreme GLEs. Older C&I equipment
incorporating similar component families is also a concern since SEE vulnerability
dates back thirty years or more. On the other hand certain other technologies such as
the simpler forms of flash memory appear considerably more robust based on current
evidence and would thus suffer minimal impact.

25. Due to the uncertainties associated with space weather and the immaturity of an
engineered response it is difficult to protect SSCs against space weather. Lessons can
be learnt from systems which are subject to harsher space weather environments,
including aircraft and satellite systems. Satellites are currently designed to withstand or
detect and react to space weather. The particle and magnetic fluxes experienced by
satellites are clearly much larger than those for ground-based systems; it is therefore not
expected that ground-based systems should necessarily replicate the engineering
solutions such as multiple detectors used in these systems, but this example does
illustrate that engineered protection against space weather has matured in other
industries.

26. Research is ongoing to consider suitable mitigation strategies such as the use of less
vulnerable components, operating high voltage devices below rated values, shielding,
error detection/correction and radiation alert monitoring to reduce the likelihood of
inappropriate reaction to system anomalies.

Hazard combinations

27. Space weather EH analysis should consider the combined and consequential hazards
and faults and the multiple ground-level phenomena from a space weather event.

28. For example, a significant GIC is generally considered to be a frequent event, and is
likely to result in Loss of Offsite Power (LOOP). Whilst LOOP (without a solar storm) is
covered in nuclear safety cases as a frequent event, the combined effect of LOOP and
GIC and GLE should be considered. Depending on the severity of the solar storm,
offsite power may be unavailable for some time due to the potential for damage to
transformers within the off-site power supply network, and there is likely to be
disruption to communications and transport networks. Furthermore, damage to
microelectronic C&I systems may be expected for severe solar storms.

ONR expectations

29. It is acknowledged that the science of space weather as an EH is immature in terms of
the event and the engineered response. It is therefore not possible to identify detailed
RGP. The expectations for duty holders’ substantiation against space weather are
therefore different to those of more mature EHs. This does not alter requirements of
the SAPs for EHs to be identified and the vulnerability of SSCs to be assessed.
Inspectors should expect licensees to have considered the implications of the latest
research as outlined above and to have developed an appropriate protection strategy.
The strategy should identify whether there are any vulnerable components, what the
impact is on nuclear safety and any practicable mitigation or protection measures. The
strategy should take into account the level of uncertainty associated with the hazard
characterisation and its effect on components in order to ensure a proportionate and
balanced response to space weather hazard. The strategy should be updated as more
information becomes available.


APPENDIX 3 – BIOLOGICAL HAZARDS

1. Biological hazards cover a wide range of potential issues. No SAP refers
specifically to biological hazards; however, they should be considered as
part of the general need to cover all credible hazards (EHA.1).

2. Typical hazards that need to be considered are as follows.

• Marine
  o Jellyfish
  o Seaweed
  o Fish
• Land
  o Infestation from mice, rats, rabbits etc
  o Biological debris such as fallen leaves
• Air
  o Swarms of insects / birds

3. Marine hazards can create a blockage or flow restriction on the intakes for sea or river
cooling water systems. This has led in the past to reactor trips and must therefore be
considered as a fault. In some cases, severe damage to drum screens has ensued,
and material has passed into the seaward side of coolers within the plant itself. This
has led in a number of cases to reactor trips. Where there is a high reliance on cooling
systems that have secondary cooling from river or sea, the sensitivity of the plant to
interruptions of supply should be well understood.

4. There are some techniques such as sonar and bubble curtains that can limit / deter the
influx of marine creatures. However, against organisms that can be dispersed and
spread (such as seaweed through wave action for example) it is preferable to rely on
more physical means to prevent ingress.

5. Infestation of mice etc is primarily prevented through the use of high quality doors and
sealing arrangements to buildings and service trenches etc, and by management
arrangements to deter animals from entering buildings.

6. Insect swarms can pose a threat to intakes, to heating, ventilation and air conditioning
or back-up diesel plant by restricting air flow and limiting their operability. It is therefore
useful to ensure that this hazard is considered as part of the design, and measures are
in place to allow a bypass or back-up system to provide support.

7. Fallen leaves and similar debris can block drains and gullies, especially in autumn or
after severe storms. Protection is normally provided by routine inspection/maintenance
activities to ensure drainage systems remain operational.

8. It is common to find a high reliance on operator intervention either to prevent any
biological hazard from developing unduly, or in recovery of the situation. It is therefore
recommended that an inspection of operating instructions and training is undertaken
as part of a review of these hazards.


APPENDIX 4 – INDUSTRIAL HAZARDS

1. These hazards arise either due to the conveyance of hazardous materials on adjacent
transport routes (eg pipeline, rail, road and sea) or adjacent permanent facilities (eg
quarries, tank farms etc). Typical hazards that can arise from industrial plants may be
from: stored gas, fuel, explosives, pressure vessels or turbine disintegration. Useful
data and references are available on some of these aspects in a variety of Licensee
specific documents; in particular, the reactor Licensees have developed a
comprehensive methodology for assessing missile damage. EHs analyses should
consider all potential sources of external missiles and explosion.

Explosion / missiles

2. Inspectors should ensure that, where appropriate, the following have been considered:

• Sources of possible explosions / missiles should be identified, the possible
  magnitude of explosions, blast waves and the likely size, (pressure and impulse,
  including thermal reflection effects), ground effects, frequency and trajectory of
  missiles estimated, and their effects on safety-related plant and structures
  assessed. Note: stores of fuel / chemicals within the site boundary should be dealt
  with as internal hazards, but may be susceptible to EH initiators.

• The results of a hazard analysis in conjunction with the Licensee’s acceptance
  criteria should be used to verify the adequacy of protection provided by spatial
  segregation, protective barriers, and redundancy in safety-related plant and safety
  systems.

• Possible causes of explosions to be considered include the ignition of flammable
  gas, vapour or oil-mist clouds, exothermic reactions, pyrophoric materials, failure
  of pressure parts, and explosions associated with switchgear, high-energy
  transformers, electrical batteries, terminal boxes and power cables. Also leaks
  from underground gas supplies, or other sources, that could (if heavier than air)
  accumulate in building basements and drains.

• Consequential effects should also be considered, ie domino effects following fire /
  explosion and generation of secondary fragments.

• Where high reliance on containment is required, particular attention to the effects
  of missiles should be given. Special consideration should be given to containment
  structures with fragile structural elements, eg roofs.

• Examples of industrial facilities examined for their potential threats to nuclear
  facilities include:
  o Refineries
  o Liquid petroleum gas pipelines
  o Wind Turbines
  o Explosive-handling facilities
  o Dockyards

Toxic, corrosive and cryogenic materials and gases

3. Inspectors should ensure that, where appropriate, the following have been considered:

• Toxic, corrosive and cryogenic materials and gases have the potential to disable
  both personnel and safety-related plant. Therefore, the safety case should provide
  a demonstration that the range of materials that if released could either disable,
  impair or cause the asphyxiation of personnel, or may disable safety-related plant
  and equipment.

Hazards from adjacent nuclear sites

4. Adjacent or nearby nuclear sites have the potential under accident conditions to
release nuclear and other types of radioactive materials that could affect the site being
assessed. This is in addition to the conventional industrial hazards that might arise,
such as missiles from turbine disintegration and hazardous gas release (eg carbon
dioxide). Also, EHs affecting the site being assessed have the potential to affect
nearby nuclear sites through the common cause effect.

5. It is likely that any hazard arising from an adjacent nuclear site would prompt the
implementation of emergency arrangements on that site and, if severe enough, invoke
the off-site emergency plan. In both cases, the response of the site being assessed will
likely be governed by its own emergency arrangements and its contribution to the local
authority off-site plan. EHs inspectors should assure themselves that provision has
been made in the site’s emergency arrangements to accommodate the effects of EHs
on nearby nuclear sites.

Other considerations

6. A number of situations can arise that may provide the potential either directly or
indirectly, to create hazards. For example:

• Tenants may exist on a licensed site, whose operations are not under the direct
  control of the Licensee. In such cases the tenancy arrangements with the
  Licensee should positively identify the potential hazards arising from the
  tenants’ activities.
• Third party activities may take place near the licensed site that could affect the
  effectiveness of eg sea defences, or the potential for transport accidents.


APPENDIX 5 – LANDSCAPE CHANGE

1. Landscape change is not a particular EH itself. However, the processes that drive it
are clearly related to EHs. The processes themselves may well be gradual in nature
(although significant change could arise from a single EH event such as severe
storm winds or strong wave action impacting on the local coastline). However, over
time they may undermine the protection against the more extreme design basis and
BDB events.

2. The key processes involved are:

• Wind induced erosion
• Water induced erosion / ground movement

3. Other effects such as glacial rebound are of minimal practical interest for the 100-year
timeframe generally under consideration.

4. The more detailed effects that result from the above are listed below:

• Wind (aeolian) induced
  o Wind-blown sand and dune movement
• Water induced
  o Coastal erosion
  o Longshore drift
  o Shingle mounding
  o Sediment deposition
  o Water-course erosion
  o Water-course path change
  o Water-table movements resulting in settlement / heave

5. The gradual nature of these processes means that in most cases, a monitoring regime
(by inspection) is appropriate to ensure that significant changes are identified in a
timely manner, so that management actions can be implemented to prevent or mitigate
the effects of landscape change hazards. Inspectors should confirm that the monitoring
system is appropriate, such that after a storm surge event, there is a requirement to
inspect those areas of sea defence that may have been damaged, and to have
arrangements in place to ensure that repairs can be undertaken in a suitable
timeframe. Clearly, this should be linked to any weather warning arrangements that
may be in place.


APPENDIX 6 – EXTERNAL HAZARDS RESULTING FROM NATURALLY AND
ANTHROPOGENICALLY OCCURRING GASES

1. Naturally and anthropogenically occurring ground gases that could present a threat to
nuclear and conventional safety can be generated by the natural lithology of a nuclear
installation site, putrescible constituents of made ground and the degradation of
organic materials and contaminants in soils and / or groundwater. Ground gases of
concern typically comprise carbon dioxide (an asphyxiant) and methane (explosive),
though in some cases other gases such as hydrogen sulphide or carbon monoxide
(poisons) or radon (radioactive) could be present.

2. The risk of naturally occurring gases should be determined at the siting stage of a
nuclear facility including new sites and new facilities on an existing site. The suitability
of a site is covered by SAP ST.4 which requires that the suitability of the site to support
safe nuclear operations should be assessed prior to granting a new site licence. The
risk should be identified and evaluated according to the significance for the safe
operation of the nuclear installation and any important natural phenomena that could
lead to potential hazards should be investigated.

3. The possibility of generation of naturally occurring gases should be considered during
site characterisation and geotechnical and hydrogeological investigation. While this will
principally be a civil engineering activity, EHs inspectors should view this as a
cross-cutting activity that may also involve liaison with internal hazards.

4. The following are common natural and anthropogenic sources of gas and their typical
products:

• Peat bogs and mosslands (methane, carbon dioxide)
• Uranium and thorium bearing rocks such as granites (radon)
• Carbonate rocks such as limestone and chalk (carbon dioxide)
• Organic rich rocks such as coal measures (methane, carbon dioxide, carbon
  monoxide, hydrogen sulphide)
• Marine, river and lake sediments (methane, carbon dioxide, hydrogen
  sulphide)
• Made ground (consisting of natural or man-made materials) (methane, carbon
  dioxide, hydrogen sulphide, volatile organic compounds and others)
• Farmland (methane, carbon dioxide, hydrogen sulphide)
• Sewers (methane, carbon dioxide, hydrogen sulphide)

5. In order to prevent the collection of gases that could pose a threat to the health and
safety of personnel, limit access to areas that could affect nuclear safety or prevent
operators from carrying out safety related tasks, civil engineering design SAP ECE.11
states that “The design should take account of the possible presence of naturally
occurring explosive, asphyxiant or toxic gases or vapours in underground structures
such as tunnels, trenches and basements”. Plant areas such as cooling water intake
tunnels, drum screens and forebays may allow the collection of organic material (eg
seaweed and jellyfish) that could decompose with the risk of gas generation and gas
may be dissolved in water.

6. A list of useful references relating to guidance, standards and risk assessment of
naturally occurring gases is given at Ref. [71]. Civil engineering advice is available in
NS-TAST-GD-017 [72].
