2. Safety

2.1 Defence-in-Depth

Defence in depth (DiD) is the main concept that provides the overall strategy for the safety measures and features of nuclear installations. The safe design and operation of an NF rests on this concept, as Safety Fundamentals paragraph 3.31 states:

“The primary means of preventing and mitigating the consequences of accidents is ‘defence in depth’ … it is implemented primarily through the combination of a number of consecutive and independent levels of protection that would have to fail before harmful effects could be caused to people or to the environment.” (IAEA 2006a, 13)

“If one level of protection or barrier were to fail, the subsequent level or barrier would be available … when properly implemented no single technical, human, or organizational failure could lead to harmful effects, and that the combinations of failures that could give rise to significant harmful effects are of very low probability.” (IAEA 2006a, 13)

“The independent effectiveness of the different levels of defence is a necessary element of defence in depth.” (IAEA 2006a, 13)

IAEA SSR-2/1 (Safety of Nuclear Power Plants: Design) and SSR-4 (Safety of Nuclear Fuel Cycle Facilities) both state the same requirement (Requirement 7 and Requirement 10, respectively) for the application of the DiD concept in design:

“The design of a nuclear power plant/nuclear fuel cycle facility shall incorporate defence in depth. The levels of defence in depth shall be independent as far as is practicable.” (IAEA 2016a, 14; IAEA 2017, 36)

The essential feature of the DiD concept is to isolate radioactive materials from the environment and confine them by using multiple physical barriers. In the case of a light water reactor (LWR), this structural DiD is achieved by four physical barriers: the fuel matrix, the fuel rod cladding, the reactor coolant pressure boundary (RCPB), and the containment system. The aim of DiD is to provide multiple functional defence levels that protect the integrity of the structural barriers and mitigate radioactive releases in case of a failure (the first four levels), and to implement a successful off-site emergency response in the event of a significant radioactive release (the fifth level). The main priority is to prevent accidents and, if prevention fails, to mitigate and limit the potential consequences so that the situation does not evolve into more severe conditions. An updated version of the traditional INSAG DiD levels, proposed by WENRA, is shown in figure 3. (INSAG 1996, 4, 8).
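The quoted requirement that the levels of defence be independent (IAEA 2006a, 13) can be made concrete with a small probability model over the four LWR barriers named above. This is an added illustration, not part of the original thesis text: the per-barrier failure probabilities and the coupling fraction `beta` are constructed values, and `beta` is an assumed stand-in for the dependence between barriers that the design is required to prevent.

```python
# Added illustration (not from the source text): with independent levels the
# probability of a release is the product of the per-level failure
# probabilities; any coupling between levels erodes that multiplicative gain.
# All numbers here are constructed for the illustration, not plant data.

LWR_BARRIERS = ["fuel matrix", "fuel rod cladding",
                "reactor coolant pressure boundary", "containment system"]


def p_release_independent(p_fail):
    """Probability that every consecutive level fails, assuming independence."""
    result = 1.0
    for p in p_fail:
        result *= p
    return result


def p_release_coupled(p_fail, beta):
    """Same chain, but once a level has failed, the next level fails with
    probability beta through a shared cause and otherwise independently with
    its own base probability. beta = 0 recovers the independent case."""
    if not p_fail:
        return 1.0  # no barrier at all: a release is certain
    result = p_fail[0]
    for p in p_fail[1:]:
        result *= beta + (1.0 - beta) * p
    return result


def independence_penalty(p_fail, beta):
    """Factor by which the coupling raises the release probability."""
    return p_release_coupled(p_fail, beta) / p_release_independent(p_fail)


if __name__ == "__main__":
    # Constructed: each of the four barriers fails with probability 1e-2.
    base = [1e-2] * len(LWR_BARRIERS)
    print("independent levels:", p_release_independent(base))
    for beta in (0.0, 0.01, 0.1):
        print(f"beta={beta}: {p_release_coupled(base, beta):.3e} "
              f"(x{independence_penalty(base, beta):.0f} worse)")
```

With the constructed numbers, a coupling of only 10 % between successive barriers raises the release probability by more than three orders of magnitude, which is why the independent effectiveness of each level is treated as a necessary element of DiD.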

Figure 3. DiD levels proposed by WENRA (modified from WENRA 2009, 23).

The objective of the first level of defence is to prevent deviations from Normal Operation (NO) and failures of items important to safety. This leads to a broad range of requirements that the NPP or any NF be rigorously and conservatively sited, designed, constructed, maintained, and operated. Importance must be given to quality in every activity and process during the lifecycle of the plant (e.g., manufacturing, analyses, design codes and engineering practices, construction, maintenance). Provisions that prevent deviations from the NO state can be seen as more effective and predictable than measures aimed at mitigating such a departure; thus every aspect important to safety in any phase of the lifecycle must be considered. (IAEA 2016a, 7; IAEA 2017, 11; INSAG 1996, 4).

The second level of defence is intended to ensure that abnormal operational states, arising from anticipated operational occurrences (AOOs) or equipment failures, are controlled and the NO state is restored. The objective is to prevent plant deviations from escalating to ACs through detection and control. Control, limiting and protection systems and other surveillance features are implemented in the design with confirmed effectiveness, together with rigorously established operational procedures. Inherent plant features, such as thermal inertia and core stability, are credited in the design. (IAEA 2016a, 7; IAEA 2017, 11; INSAG 1996, 9).

The third level provides the defence if AOOs or certain postulated initiating events (PIEs) propagate into accidents. The design of an NPP or other NF takes such Design Basis Accidents (DBAs) into consideration. The requirement for this level of defence is to provide inherent and/or engineered safety features, Safety Systems, fail-safe design, and procedures to prevent core damage or a release of radioactive material that would require off-site protection. The objective is to control the consequences of such an accident, to prevent extensive damage to the facility, to prevent significant off-site radioactive releases, and to return the NPP/NF to a safe state. (IAEA 2016a, 8; IAEA 2017, 12).

The fourth level provides measures for Design Extension Conditions (DECs) in case of multiple failures or if an accident propagates towards severe conditions, namely core melt. The purpose is to prevent the progression of events to severe accidents and to mitigate the consequences arising from a severe accident. The objective in the case of a severe accident is that only protective actions limited in duration and area of application would be considered necessary. Protection of the containment system is important in order to avoid, or at least minimize, off-site consequences. It is required that event sequences leading to a large radioactive release or an early radioactive release be ‘practically eliminated’. (IAEA 2016a, 8; IAEA 2017, 12; INSAG 1996, 11).

The fifth level takes into consideration the off-site response in case of a potential radioactive release resulting from a failure to mitigate severe ACs. The objective is to mitigate the off-site radiological consequences to the public in cooperation with the regulator and the off-site organizations involved. Emergency plans and adequately equipped emergency response facilities must be provided. Emergency procedures for off-site and on-site emergency response must be developed and exercised periodically. (IAEA 2016a, 8; IAEA 2017, 12; INSAG 1996, 12).

The DiD levels must remain available during operation. When any relaxation is considered for a specific operational state, it must be justified, as SSR-2/1 states:

“All levels of defence in depth shall be kept available at all times and any relaxations shall be justified for specific modes of operation.” (IAEA 2016a, 14)

DiD must be implemented in the design so that challenges to the barriers and their failures are taken into consideration, as IAEA SSR-2/1 paragraph 4.12 and SSR-4 paragraph 6.22 both state for NPPs and any Nuclear Fuel Cycle Facility (NFCF) (e.g., a spent fuel storage facility):

“To ensure that the concept of defence in depth is maintained, the design shall prevent, as far as is practicable:” (IAEA 2016a, 15; IAEA 2017, 37)

a) Challenges to the integrity of physical barriers.

b) Failure of one or more barriers.

c) Failure of a barrier as a consequence of the failure of another barrier.

d) The possibility of harmful consequences of errors in operation and maintenance.

‘Challenges’ are defined as general mechanisms, processes, or conditions that may affect the performance of Safety Functions (SFs). ‘Mechanisms’ can be understood as more specific processes or situations whose consequences might evolve into challenges. By using ‘provisions’, such as system design features, inherent safety characteristics, operational procedures, and safety margins, the performance of SFs can be enhanced so that mechanisms are prevented. The interrelation between these for a defence level can be presented as an objective tree (figure 4). (IAEA 2005a, 9).

Figure 4. The interrelation between SFs, challenges, and provisions for a level of defence (IAEA 2005a, 9).